PGP Corporation and Protegrity protect sensitive data throughout its lifecycle, while enforcing and verifying policy requirements for compliance.
Key Points
• Deploy end-to-end encryption for total data protection
• Automate key management
• Centralize reporting & administration for policy compliance
• Use solutions from PGP Corporation & Protegrity for total data protection
Executive Summary
The requirement to protect sensitive data is an important responsibility for managers of the modern enterprise. No one wants to lose control of sensitive information and empower competitors, threaten cash flow, or expose the organization to lawsuits or civil penalties due to non-compliance with laws, contractual obligations and/or regulations.
The points of risk are endless. Sensitive data can reside in enterprise databases, applications, files, and email, and it moves from internal servers onto desktops, laptops, and mobile endpoints. Devices may be owned by business partners, consultants, and anyone else with a legitimate need to use the information. Because sensitive data can go anywhere, it is vital that it be secured wherever it is. Once data has been created it is always at risk.
Using strong encryption is the most reliable, cost-effective way to ensure protection of sensitive data. The best solution is automated and applies encryption at the point where data is acquired. Automated key management ensures authorized use of the data. And encryption will continuously protect the data to the point of being archived or deleted. End-to-end encryption has become an important requirement for all sensitive data and helps meet ongoing obligations to verify compliance with business policies, industry rules, laws, and regulations.
This white paper presents a comprehensive solution for total data protection using products from PGP Corporation and Protegrity. This total data protection solution provides continuous end-to-end security of sensitive data throughout its lifecycle, and wherever it flows. In addition, your organization can tap leading security technologies to ensure data access is always governed by policy, along with the ability to verify compliance with policy to business auditors.
I. Identifying Risk Points for Sensitive Data
Protecting the sensitive data in your organization begins with the identification of data flow throughout its lifecycle. As illustrated in Fig. 1, standard business requirements may allow data to move between servers and to a variety of endpoint devices – not just within your enterprise, but also to computing devices owned and operated by business partners and other potential destinations. Thus, protecting this data is a big challenge.
A solution for total protection of sensitive data requires using security technology and processes that address all points of vulnerability. Protecting the confidentiality, integrity, and accessibility of sensitive data also requires identification of all employees, contractors, and other individuals who access this information, including the physical locations where access occurs. Moreover, the use of encryption should be governed by specific policies that are centrally managed for audit and compliance.
II. Setting Compliance Policy for Sensitive Data
Your organization’s policy for sensitive data protection defines what information must be protected and who has access to it. Policy affects the selection of technical and process controls used for enforcement. Policy also articulates requirements for protecting different sets of sensitive information. For instance, every organization needs to protect information that is critical to the enterprise, such as intellectual property, plans for product development or distribution, databases of customers or business partners, and competitive intelligence. Other requirements are defined by auditors, industry rules, government regulations, and state, federal, and international laws. Policies may require that enforcement be specifically applied to defined roles, departments, or physical locations within the enterprise. Policies may cover the entire enterprise, and include external business partners who require access to the data.
Examples of Sensitive Data Defined by Regulation
Personal health information is one type of sensitive data governed by the Health Insurance Portability and Accountability Act (HIPAA) and the “HITECH” provisions of the American Recovery and Reinvestment Act. These regulations require protection of Protected Health Information (PHI) stored in electronic and paper-based Personal Health Records. These laws define PHI based on section 160.103 of title 45, Code of Federal Regulations. Related policy must cover:
…information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Common Data Protection Policy Mandates
• PCI DSS
• HIPAA / HITECH
• Gramm-Leach-Bliley
• Sarbanes-Oxley
• Basel II
• European Directive on Protection of Data
• Privacy laws in the UK, Japan, Australia, and other nations
• U.S. state data protection and breach notification laws
End-to-End Encryption
• A function of cryptography
• Transforms information (“plaintext”) with an algorithm (“cipher”) to render the plaintext unreadable
• Uses a “key” to decipher the data back into plaintext
• Protects data wherever it flows
Credit or debit cardholder data is sensitive data defined by the PCI Data Security Standard. According to the PCI Security Standards Council (p.14) which oversees this standard:
Cardholder data refers to any information printed, processed, transmitted, or stored in any form on a payment card. Organizations accepting payment cards are expected to protect cardholder data and prevent their unauthorized use – whether the data is printed or stored locally, or transmitted over a public network to a remote server or service provider.
III. Using End-to-End Encryption for Protecting Sensitive Data
There are many security technologies on the market that use a perimeter approach to securing sensitive data, but only a few that directly protect the data itself. Of these, strong encryption is the leading and most advanced technology for protecting sensitive data.
Using an encryption-based solution for protecting sensitive data used to be a daunting process. The technical challenges and practical hurdles of enforcing the use of encryption and decryption blocked widespread adoption of the technology. Key management was an overwhelming and expensive struggle. To address these impediments organizations should deploy a centralized and automated total data protection solution that enables and enforces encryption across the extended enterprise to provide maximum protection for sensitive data – without imposing major changes to normal user or administrative workflow.
Finally: True End-to-End Encryption
Reaping Benefits of End-to-End Encryption
End-to-end encryption solutions by PGP Corporation and Protegrity utilize platform and suite-based automation to provide a range of benefits:
• Protects sensitive data with effective, standards-based technology
• Uses strong key management
• Segregates operational management between database and security administrators
• Works virtually anywhere – storage devices, servers, databases, applications, email, files
• Centralizes monitoring and reporting for compliance
• Controls and/or restricts access to sensitive data
• Defines and maintains a clear and robust security policy
Total Data Protection Supports Flexible Modes of Data Protection
A total data protection solution should provide options for technical implementations of encryption. Some mandates require strong encryption in an end-to-end solution, such as payment card authentication and authorization (see Section V. Case Study: Retail). Other requirements, especially those stemming from legacy analytic applications and other circumstances, may not need the strongest form of encryption or even an end-to-end solution. In those cases, a partial encryption solution will suffice, such as masking all but the last four digits of a payment card number when accessed by a customer service representative. Each mode of data protection brings unique performance and security trade-offs. Key evaluation factors are shown in Table 1. The total data protection solution from PGP Corporation and Protegrity supports all of these modes of protection.
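As an added illustration, not code from PGP Corporation or Protegrity, the following Python sketches two of the partial-protection modes the paragraph contrasts with strong encryption: tokenization backed by a vault, and last-four masking for the customer service case, with the role names "settlement" and "customer_service" assumed for the policy check. Strong encryption of the vault itself is left to a vetted library rather than re-implemented here.

```python
# Added example: tokenization vault plus masking, applied per role to a
# constructed test PAN. The vault is the policy control point; in production
# it would be encrypted with a vetted AEAD library and audited, not a dict.
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Luhn check so constructed sample PANs are at least well-formed."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking: reveal only the last four digits (enough for a CSR to confirm a card)."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Tokenization: replace the PAN with a random, same-length surrogate that
    keeps the last four digits. Only the vault can map a token back."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:  # same PAN always yields the same token
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Policy enforcement (roles are assumed, not a product's): settlement
        recovers the real PAN, customer service gets the masked form, others nothing."""
        pan = self._token_to_pan[token]
        if role == "settlement":
            return pan
        if role == "customer_service":
            return mask_pan(pan)
        raise PermissionError(f"role {role!r} is not authorized for cardholder data")
```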
IV. Components of a Total Data Protection Solution
Solutions from PGP Corporation and Protegrity protect an organization’s data throughout its lifecycle. The tenets of total data protection rest on three pillars: (1) flexible end-to-end encryption for any kind of sensitive data in any location; (2) automated key management; and (3) centralized administration and reporting to address policy compliance. Technology components of the total data protection solution are shown in Fig. 2.
Fig. 2. Technology Components of the Total Data Protection Solution
The technology components blend strengths from both partners – PGP Corporation for desktop data protection and Protegrity for server data protection – and meld all the technologies with centralized and automated key management, policy management, and administration.
[Fig. 2 diagram: Total Data Protection Solution from Protegrity and PGP Corporation. Labelled components: Key Management, Policy Administration, Reporting, Management, Desktop Data Protection (Endpoint, Email, File), Server Data Protection (Database, File, Application, Storage).]
This is why regulations such as PCI DSS require proper key management based on approved industry standards.
The total data protection solution from PGP Corporation and Protegrity achieves this result by centralizing all key management tasks and automating their administration. Additional benefits include operational efficiency and reduced administrative costs. Ultimately, solutions from PGP Corporation and Protegrity ensure your organization’s sensitive data stays safe, without excuses or exceptions. The product portfolio for the total data protection solution is shown in Table 2.
Table 2. Product Portfolio for the Total Data Protection Solution from PGP Corporation and Protegrity
Protegrity
• Enterprise Security Administrator – central security policy management, key management, alerting, reporting, and auditing for data security events organization-wide
• Data Protection System (for File, Database, and Application) – encryption for applications, databases, storage, and files
• Tokenization Server – central management of tokenization across the enterprise, including data in applications, databases, and files
PGP Corporation
• PGP® Key Management Server – manages cryptographic keys throughout the enterprise
• PGP® Whole Disk Encryption – high-performance full disk encryption for desktops, laptops, and USB devices
• PGP® NetShare – policy-enforced file and folder encryption for team collaboration
• PGP® Command Line – centrally-managed file encryption for server protection and file transfer
• PGP Universal™ Gateway Email – secure email communications without client software
• PGP® Desktop Email – email encryption for desktops and laptops
V. Case Study: Retail
The PCI Data Security Standard prescribes requirements for protecting cardholder data throughout its lifecycle and its handling by retailers and business partners. The process flows in Table 3 show where an end-to-end encryption solution provides total protection for cardholder data at each of the points that potentially expose sensitive data. Note that strong encryption always protects the sensitive data, wherever it is accessed.
Cardholder Data Flows | PCI Security Control
(a) Card is swiped at a retail register, entered electronically through an online payment system, or entered manually by a clerk | Transaction data automatically encrypted at POS or payment processing system
(b) Credit approval is executed by the payment processor | Encryption by payment processor
(c) Transaction data is encrypted at the POS | Encryption by Protegrity
(d) Transaction is sent to the home office for processing | Encryption by Protegrity
(e) Transaction is moved into the merchant operational and analytical systems | Encryption and/or tokenization by Protegrity
(f) Transaction moves into the payment processor network again for settlement | Encryption by payment processor
(g) As part of analysis, sensitive data is placed into office documents in a file share for collaboration | Encryption by PGP Corporation
(h) As part of analysis, sensitive data moves into a merchant analyst’s | Encryption by PGP Corporation
Key to Data Security
“Encryption is a vital security control for protecting sensitive data throughout the enterprise and beyond. For this reason, it is important for your solution to provide encryption deployment options that enable automated coverage of both new and legacy systems.”
Eric Ouellet
Research VP, Gartner
VI. Learn More About Our Solutions for Total Data Protection
Solutions from PGP Corporation and Protegrity will protect your organization’s sensitive data at all times, anywhere the data may flow. This total data protection solution is flexible and comprehensive since it is built on: (1) end-to-end encryption for any kind of sensitive data in any location; (2) automated key management; and (3) centralized administration and reporting to address policy compliance. By using this new solution for total data protection, your organization will achieve true protection only offered by strong end-to-end encryption, and the ability to effectively enforce and verify compliance with any type of data protection policy. To learn more about total data protection solutions available from PGP Corporation and Protegrity, please contact learntdp@protegrity.com.
About Protegrity USA, Inc.
Protegrity is the leading global security software company providing high performance, infinitely scalable, end-to-end data security solutions. Protegrity customers centrally develop, manage and control data security policy that protects sensitive information across the enterprise in databases, applications and file systems from the point of acquisition to deletion. Protegrity’s solutions give corporations the ability to implement a variety of data protection methods, including strong encryption, scalable tokenization, masking and monitoring to ensure the protection of their sensitive data and enable compliance for PCI-DSS, HIPAA and other data security requirements.
To learn more visit www.protegrity.com or call 203.326.7200.
About PGP Corporation
PGP Corporation is a global leader in email and data encryption software. PGP® solutions are used by more than 110,000 enterprises, businesses, and governments worldwide, helping to protect confidential information, secure customer data, achieve regulatory and audit compliance, and safeguard companies’ brands and reputations. For more information, please visit www.pgp.com.