Protecting Personally Identifiable Information (PII)
FOREWORD
In 2007, more than 79 million records were reported compromised in the U.S. according to the Identity Theft Resource Center. The scope and breadth of data collected, stored, shared and/or disposed of by government agencies is crucial and far-reaching. The highly interdependent nature of agencies within the Emergency Services Sector (ESS) necessitates the sharing of high-stakes information (often laden with personally identifiable information [PII]) across multiple cooperating agencies in real time, which makes cyber security a major concern. Although some similarities exist, each discipline uses electronic systems differently, which, combined with widely varying standards and resources, adds an additional layer of difficulty in securing data across the ESS.
This eBook will review the basics of data encryption; data concerns specific to ESS; how data encryption addresses the unique data security challenges facing ESS; and key points to consider when building the case for data encryption.
CONTENTS
FOREWORD
INTRODUCTION
CHALLENGES FACING THE EMERGENCY SERVICES SECTOR
PROTECTING SENSITIVE DATA ACROSS MULTIPLE PLATFORMS
COMPLYING WITH PRIVACY LAW AND FEDERAL REGULATIONS
ENABLING SECURE SHARING OF DATA
DATA ENCRYPTION DEFINED
BENEFITS OF DATA ENCRYPTION
TOTAL COST OF OWNERSHIP (ESS)
WHAT TO LOOK FOR
READY TO LEARN MORE?
INTRODUCTION
The Emergency Services Sector (ESS) includes five disciplines: Law Enforcement, Fire and Emergency Services, Emergency Management, Emergency Medical Services (EMS), and Public Works. These disciplines, and their personnel, work in close tandem with each other, with large numbers cross-trained to work in one or more other agencies. Data sharing is requisite to the sector, but variances in cyber usage are common from discipline to discipline.
Post-9/11 national directives to government agencies consistently underscore the need to achieve and maintain high levels of cyber security. Cyber security is defined by the 2009 U.S. National Infrastructure Protection Plan (NIPP) as: “prevention of damage to, unauthorized use of, or exploitation of electronic information and communications systems and the information contained therein to ensure confidentiality, integrity, and availability”. That directive, taken together with the vast amount of Personally Identifiable Information (PII) routinely collected by ESS, and the inherent complexity of IT and cyber systems, makes data security a serious concern for the sector.
The very nature of the information collected by ESS agencies makes it very attractive to cyber criminals.
CHALLENGES FACING THE EMERGENCY SERVICES SECTOR
The ESS, the first-responder network of Federal, State, local, tribal, territorial, and private partners, functions to prevent and mitigate the risk from “physical and cyber-attacks, and manmade and natural disasters” and provides life-safety and security services across the nation. In the course of normal operations, branches of the ESS come in contact with, collect, and share large quantities of PII, which can be defined as: information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc.
This information may be gathered as part of an ongoing criminal investigation, may involve subjects for whom any data breach is intolerable (i.e., witness protection candidates, victims of domestic violence or child abuse, confidential patient information, informants, undercover officers, etc.), or contain evidence that could be linked to a future criminal investigation. In some instances, a data breach could compromise an entire investigation, impair a rescue operation, or worse, put people’s lives at risk. As such, the nature of the information collected by ESS mandates the strictest of data security controls.
The key challenges prompting the ESS to consider data protection solutions are the need to:
• Protect sensitive data and personally identifiable information (PII) on multiple platforms and devices
• Comply with privacy law and Federal regulations
• Enable secure sharing of data within ESS and with other Federal agencies
PROTECTING SENSITIVE DATA ACROSS MULTIPLE PLATFORMS
Core ESS activities, such as emergency operations communications, database management, biometric activities, telecommunications, and electronic systems (e.g., security systems), are conducted via at-rest and portable data systems and require rigorous data security controls. The ESS also operates in a highly mobile environment in which agents collect and disseminate highly sensitive information through a variety of portable electronic devices (e.g., USB keys, tablets, mobile devices, etc.). This information, however, can carry significantly higher stakes than information collected by other industries. For the ESS in particular, data integrity is paramount, as it can inform the actions of a suite of ESS and other Federal agencies and carry legal ramifications for a number of interested parties.
If someone’s identity were a whole pie, each piece of PII would be a slice.
COMPLYING WITH PRIVACY LAW AND FEDERAL REGULATIONS
Information data breaches (the viewing, leaking, or accessing of data by anyone who is not the individual concerned or authorized to have access to this information as part of his/her duties) have now become commonplace. In light of the elevated risks involved in a data breach for all government agencies, including the ESS, strict guidance and laws have been proposed and/or enacted. One example is the existing U.S. Privacy Act of 1974, which has undergone revisions to keep pace with emerging technology capabilities. U.S. privacy law impacts records creation, file management for both active and inactive records, records protection, records access, and records retention and disposition. As an example, US ESS organizations have two privacy laws they must comply with: The Privacy Act of 1974 and The E-Government Act of 2002. The Privacy Act of 1974 (U.S.) specifically provides strict limits on the maintenance and disclosure by any Federal agency of information both outside and under the rubric of PII, such as: “education, financial transactions, medical history, and criminal or employment history and that contains [the] name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.” The limited exceptions to this law still require strict recordkeeping on any disclosure. One common application of privacy law is the medical profession’s adherence to HIPAA (the Health Insurance Portability and Accountability Act, which also applies to EMS), whose principal focus is protecting a patient’s PII.
The E-Government Act of 2002 (U.S.) was enacted to ensure public trust in electronic government services, in response to the increased use of computers and the Internet to process government information. The E-Government Act also directed the Office of Management and Budget (OMB) to issue implementation guidance to Federal agencies. OMB continually provides such privacy guidance to Federal agencies on “many PII protection topics such as remote access to PII, encryption of PII on mobile devices, and breach notification.”
ENABLING SECURE SHARING OF DATA
Another data security challenge specific to ESS is the highly mobile platform of its personnel: fire and emergency services, law enforcement, public works, emergency medical services, and emergency management personnel are perpetually “in the field”. As such, data they collect, share and store has a greater chance of unauthorized access and/or disclosure through being lost or stolen than if it were within the physical boundaries of the organization. The interrelated nature of each division of the sector, and the sharing of information throughout, creates strong ties of collaboration and cooperation, but carries a significant drawback: the more people and systems that access PII, the more opportunities for it to be compromised.
While every piece of data ESS collects may not be classifiable as PII, even partially identifying data can be sufficient to identify an individual, due to the versatility of current re-identification algorithms. These algorithms can take a piece of data and combine it with other data elements to complete the puzzle, making any and all data collected and shared by ESS highly sensitive. Ironically, to operate at peak efficiency, ESS must be able to share sensitive data across all divisions, rapidly and continuously, which consequently makes that data even more vulnerable to unauthorized access.
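As an added example (not part of the eBook), the following Go program puts a number on the re-identification point above before a data set is shared: it counts how many records share each combination of partially identifying fields (ZIP code, birth year, sex), reports the resulting k-anonymity, lists the records that are unique on those fields, and shows how coarsening the fields raises k. The records are constructed sample data, and the field names and functions are assumptions for the example, not taken from any ESS system.

```go
package main

import (
	"fmt"
	"strconv"
)

// Record is a constructed ESS-style row. ZIP, BirthYear and Sex are
// quasi-identifiers: harmless alone, but in combination they can single
// out one person. Incident is the sensitive attribute being shared.
type Record struct {
	ZIP       string
	BirthYear int
	Sex       string
	Incident  string
}

// Sample is constructed data for the example, not a real data set.
var Sample = []Record{
	{"80218", 1984, "F", "domestic violence call"},
	{"80218", 1984, "M", "structure fire"},
	{"80218", 1984, "M", "vehicle collision"},
	{"80218", 1991, "F", "overdose"},
	{"80220", 1991, "F", "overdose"},
	{"80220", 1991, "F", "cardiac arrest"},
	{"80220", 1987, "F", "fall injury"},
}

// QuasiKey joins the quasi-identifiers into one grouping key.
func QuasiKey(r Record) string {
	return r.ZIP + "|" + strconv.Itoa(r.BirthYear) + "|" + r.Sex
}

// Generalize coarsens the quasi-identifiers: ZIP to its first three
// digits and birth year to its decade. Generalization is the standard
// mitigation: every combination should be shared by at least k people.
func Generalize(r Record) Record {
	g := r
	if len(g.ZIP) > 3 {
		g.ZIP = g.ZIP[:3] + "**"
	}
	g.BirthYear = (g.BirthYear / 10) * 10
	return g
}

// GeneralizeAll applies Generalize to every record.
func GeneralizeAll(records []Record) []Record {
	out := make([]Record, len(records))
	for i, r := range records {
		out[i] = Generalize(r)
	}
	return out
}

// GroupSizes counts how many records share each quasi-identifier key.
func GroupSizes(records []Record) map[string]int {
	sizes := make(map[string]int)
	for _, r := range records {
		sizes[QuasiKey(r)]++
	}
	return sizes
}

// KAnonymity returns the smallest group size: the k for which the set is
// k-anonymous. k == 1 means at least one person can be picked out from
// the quasi-identifiers alone; an empty set returns 0.
func KAnonymity(records []Record) int {
	k := 0
	for _, n := range GroupSizes(records) {
		if k == 0 || n < k {
			k = n
		}
	}
	return k
}

// Singletons returns the records whose quasi-identifier combination is
// unique in the set: the rows that outside data could link back to a
// named person, and so the rows to generalize or withhold before sharing.
func Singletons(records []Record) []Record {
	sizes := GroupSizes(records)
	var out []Record
	for _, r := range records {
		if sizes[QuasiKey(r)] == 1 {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	fmt.Printf("raw data: k=%d, %d uniquely identifiable rows\n", KAnonymity(Sample), len(Singletons(Sample)))
	for _, r := range Singletons(Sample) {
		fmt.Printf("  %s %d %s -> %s\n", r.ZIP, r.BirthYear, r.Sex, r.Incident)
	}
	g := GeneralizeAll(Sample)
	fmt.Printf("generalized: k=%d, %d uniquely identifiable rows\n", KAnonymity(g), len(Singletons(g)))
}
```

On the sample, the raw rows are only 1-anonymous (three rows are unique on ZIP, birth year and sex even though no name is present), while truncating the ZIP and rounding the year to a decade makes the same rows 2-anonymous. The same check can be run on any field set an agency treats as non-PII before it is released to a partner agency.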
For example, in the U.S. Department of Homeland Security’s (DHS) Emergency Services Sector-Specific Plan, An Annex to the National Infrastructure Protection Plan 2010, the DHS recognized that each ESS division has, and works to address, its own sector-specific cyber-related issues, but also indicated that an integrated cross-sector cyber-security perspective is needed to address the mutual concerns and issues all agencies within ESS share. The DHS argued that such a cross-functional approach would facilitate greater implementation of best practices in data security. Another example of such an initiative is the U.S. National Institute of Standards and Technology’s (NIST) Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), an exhaustive survey of data security best practices (including Federal guidance, regulations, and privacy law) for Federal agencies, of which data encryption for at-rest and mobile data storage devices is a recurring component. NIST’s method for validating the cryptography used to protect PII, the Cryptographic Module Validation Program (CMVP), is operated jointly by the NIST Computer Security Division and the Communications Security Establishment (CSE) of the Government of Canada. The use of validated cryptographic modules is required by the United States Government for all unclassified uses of cryptography. The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments. Each country has its own privacy and data protection policies that local ESS organizations need to adhere to. As a result, many have turned to data encryption as one of the prime methods of securing critical PII data across their networks.
The interrelated nature of ESS agencies necessitates greater controls to ensure data integrity.
DATA ENCRYPTION DEFINED
Data encryption refers to the process of transforming electronic information into a coded form that can only be read by those authorized to access it. To read an encrypted file, a user must have access to a secret key or password that enables them to decrypt it. An organization can protect its data in a variety of ways; the foundation or core group of options typically starts with:
• Full Disk Encryption (FDE): Protects the entire hard disk (all sectors and volumes), which can only be accessed with a secure key.
• Removable Media Encryption (RME): The protection of all or a portion of a USB key, external hard drive, or similar removable media.
• File and Folder Encryption (FFE): Protection is associated with specific folders or files, which are encrypted with specific user access permissions, much like network permissions.
There are a number of solutions available to fulfill virtually any data protection requirement, so before embarking on any new project, it’s important to research and understand the options that work best for your unique situation.
BENEFITS OF DATA ENCRYPTION
REGULATORY COMPLIANCE
• Data encryption enables organizations to better adhere to numerous local, state, federal and global privacy laws and regulations.
DATA SECURITY
• Encrypting data provides protection for sensitive information whether it’s stored on a desktop or laptop, a smartphone, tablet, removable storage media, an email server or even the network, so in the event the device is lost or stolen, the information is protected.
TRANSPARENCY
• Data encryption solutions enable agencies to run at their normal pace while the encryption solution silently secures critical data in the background. Some of the best data encryption options perform without the user even being aware.
PEACE OF MIND
• Despite best efforts, data breaches can occur. Laptops and removable storage devices are prone to theft and loss. Data encryption protects critical assets if they fall into the wrong hands, and protects the integrity and credibility of your organization.
• The use of encryption provides a “safe harbor” in the event of a data breach.
The US Privacy Act, PIPEDA, FERPA, and the Data Protection Acts of the United Kingdom and European Union have all defined the way that data can be used and the penalties for its mishandling.
TOTAL COST OF OWNERSHIP (ESS)
The challenge with data security solutions for most organizations is trying to balance the expense of the solution against the productivity of the users. Keeping the total cost of ownership (TCO) of the solution under control is critical. A recent study from the Ponemon Institute looked into what an encryption solution would cost an average organization per year. The results were shocking. What became apparent was that with features like pre-boot network authentication (WinMagic’s PBConnex), data encryption solutions could help reduce TCO by not only managing encryption and security but improving the efficiency of other processes for IT Administrators such as support.
Looking at typical costs associated with password resets and device staging alone, the savings were staggering.
PASSWORD RESET - SAVINGS
Times per user per annum: 3.3
Value of tech and user time for reset: $8.10
Total cost of password reset for user/tech per annum: $26.70
Savings with Pre-Boot Network Authentication: $20.04
Total cost saving in password resets per organization of 5,000 devices: $100,200
STAGING AN FDE COMPUTER - SAVINGS
Time to stage a computer with FDE: 20 mins per machine
Time to stage a computer using Pre-Boot Network Authentication: 5 mins per machine
Value of tech time to stage machine: $12.00
Value saved with Pre-Boot Network Authentication: $9.00
Size of organization: 5,000
Total cost saving to stage a computer per organization: $45,000
[Chart: Cost of Password Reset WITHOUT Pre-Boot Network Authentication vs. Cost of Password Reset WITH Pre-Boot Network Authentication, and Cost Savings with Pre-Boot Network Authentication]
WHAT TO LOOK FOR IN A BEST-IN-CLASS DATA ENCRYPTION PROVIDER
Before embarking on a data encryption initiative, you’ll need to determine which provider can offer you the protection that best suits your needs. Obviously, there’s a lot to think about, but by taking the time to select the right provider, you’ll be poised for success as you move forward with your deployment. These are some key things to look for when seeking out a ‘best-in-class’ data encryption solution.
1. INTEGRATION
Look for a provider that has proven third party integration with hardware and software companies for optimal security offerings and increased functionality. Be sure they offer services for different operating systems and hardware, and mobile device management for devices like tablets and smart phones.
2. PRE-BOOT NETWORK BASED AUTHENTICATION
Pre-boot network authentication (wired or wireless) utilizes network based resources to authenticate users, enforce access controls, and manage end point devices before the operating system loads. This approach to FDE management also results in significant cost savings for organizations by streamlining the time and cost associated with things such as password resets and device staging. This capability truly separates the best from the rest.
3. MULTI-PLATFORM/MULTI DEVICE MANAGEMENT
76 percent of employees today use more than one mobile device, and cyber usage varies widely within the ESS sector. Ensure the provider you select can offer central management for systems running any operating system, whether it’s Windows, Mac OS X or variants of Linux, Android, or iOS. Mobile device management offers the ‘proof’ that information security officers require to ensure compliance with key sector regulations.
4. SINGLE MANAGEMENT CONSOLE
Monitoring and tracking devices from a single console supports the information system security division of each ESS agency in their operations, enables easy integration into accounts with laptops, desktops, tablets, smart phones, and SED devices, and supports full mobile device management. A central view of all devices reduces the need for desk side support calls because administrators can determine if a device is in a secure, compliant state, and if not, quickly contact the user to rectify the situation.
5. SUPPORT FOR SELF ENCRYPTING DRIVES (SEDS)
While SED technology has improved the security of laptops and workstations, it does not require specific authentication during boot up, leaving data at risk. Providers on your short list should have the capability to centrally support users with SED devices and employ pre-boot authentication to ensure the drive is encrypted, compliant and functioning properly, while taking advantage of the transparency, performance and security that a SED offers.
6. FILEVAULT MANAGEMENT OR FULL DISK ENCRYPTION FOR MAC OS
Some organizations prefer to leverage the native encryption and security offered by Mac OS X’s FileVault 2. Using a solution that supports FileVault 2 and offers centralized management to oversee all devices ensures you’ve got the best of both worlds.
WE’LL PROTECT YOU...
WinMagic understands the data security challenges and changing needs of the ESS. In order to help effectively meet and adapt to the changing needs of the sector and the expectations of the public, WinMagic works closely with the ESS and other critical infrastructure and key resources (CIKR) sectors, such as the Department of Homeland Security (DHS) and Department of Defense (DOD), to develop and deliver the most secure data encryption protection.
“When you consider the relatively tiny cost of protecting each laptop to the potentially high cost associated with a single user losing their data, it is remarkable to think that every organization is not protecting information in this fashion. Installing encryption software makes perfect sense from both a data security and an ROI perspective.”
Andrew Labbo, Privacy and Data Security Officer and Information Security Manager, The Children’s Hospital, Denver, Colorado
SECUREDOC™
SecureDoc is a comprehensive disk encryption and data security solution that secures data at rest. It has two main components: the client software used to encrypt and protect data and the server software (SecureDoc Enterprise Server or SES) used to configure, deploy, and manage encryption for an entire organization.
SecureDoc is FIPS 140-2 validated, meeting U.S. NIST and Canadian CSE requirements and
PBCONNEX™
SecureDoc with PBConnex is the only data encryption and management solution that allows for pre-boot network authentication either wired or wirelessly. PBConnex utilizes network based resources to authenticate users, enforce access controls, and manage end point devices before the operating system loads. This unique and ground-breaking approach to FDE management also results in significant cost savings for organizations by streamlining the time and cost associated with things such as password resets and device staging. In addition, multiple users can safely use the same device without ever putting confidential data at risk.
SES WEB CONSOLE
The SES web console provides a web-based interface for SecureDoc Enterprise Server, WinMagic’s solution for centrally managing encrypted devices in an enterprise environment. The SES web console supports many of the daily administration features provided by the SecureDoc Enterprise Server, including user management, administrator management, device management and recovery, password management, and report management. It also includes a Mobile Device Management (MDM) server component.
MOBILE DEVICE MANAGEMENT (MDM)
SecureDoc’s MDM feature is a key component of the SES web console, offering government agencies a holistic view of the status of their mobile devices, allowing them to manage the deployment of Android® and iOS® devices and also to ensure that the appropriate security and password policies are enforced. SecureDoc MDM offers the ‘proof’ that IT administrators require to ensure compliance with key sector regulations while at the same time offering a strong solution for BYOD environments.
FILEVAULT 2 SUPPORT
SecureDoc offers one of the strongest Mac OS X FDE solutions available on the market today. For customers that prefer to leverage the native encryption and security offered by Mac OS X’s FileVault 2 solution, SecureDoc can manage that as well. FileVault 2 enterprise management gives agencies the flexibility to choose how they want to encrypt and manage their Apple devices yet still have the ability to have all their devices managed by SES’s central management console.
READY TO LEARN MORE?
WinMagic provides the world’s most secure, manageable and easy-to-use data encryption solutions. With a full complement of professional and customer services, WinMagic supports over five million SecureDoc users in approximately 84 countries. We can protect you too.
For more information on SecureDoc Enterprise Server contact sales@winmagic.com or visit our website to access a number of valuable resources: