PGP® White Paper

June 2007

Enterprise Data Protection


Table of Contents

Executive Summary
Protecting Data Everywhere It Goes
The Evolution of Enterprise Data Protection
EDP Strategy: A Business Enabler
EDP Architecture: Securing Data Wherever It Goes
Encryption: the Core of Enterprise Data Protection
Enterprise Encryption Solutions
Enabling a Strategic Approach: PGP Solutions
Integrated Applications


Executive Summary

In today’s enterprise, data knows no boundaries. While data is consumed, transferred, and stored, however, it is also susceptible to compromise. The cost of a data breach can reach millions of dollars and permanently damage brand equity as well as customer trust1. That’s why protecting data in the modern enterprise requires a comprehensive approach. Enterprise Data Protection is a new evolutionary layer of technologies that manage data, control data access, detect data at risk, and protect data.

With Enterprise Data Protection, security is built in, starting with data creation and following data as it is modified, transferred, stored, and archived. At the core of this approach is the protection of data using encryption, everywhere it goes. This PGP White Paper examines how encryption provides the foundation for an Enterprise Data Protection strategy. Instead of erecting barriers to control data security, encryption enables authorized users to move, share, and store data throughout the enterprise and beyond.

This PGP White Paper is intended for IT and business managers responsible for developing strategy and implementing information security projects.


Protecting Data Everywhere it Goes

Data is everywhere: Corporate data, partner data, customer data, and employee data seem to increase exponentially every day. Data has spread out of data centers, databases, remote file servers, and extranets to new and even more vulnerable locations such as laptops and removable storage devices. Although ubiquitous data access enables new business models and relationships, it also presents a challenge. Data must be controlled and protected to maintain the privacy of customers, the confidentiality of employees, and the business advantages of intellectual property. Any one piece left unprotected could lead to a significant data security breach, resulting in public embarrassment, customer satisfaction issues, and financial loss.

Adequately protecting business data requires an adaptive, built-in method of data security. IT organizations, service providers, and vendors have evolved a new approach known as Enterprise Data Protection (EDP). EDP is an always-on, data-state-independent approach to maintaining data security. Building on data management and access controls, EDP embeds data protection with the actual data and works to identify data at risk. For example, data can now be encrypted at its source, transferred throughout an organization and beyond, and automatically checked when necessary to ensure compliance and privacy.

With data security built in, IT is freed from developing new and redundant means of protecting data for each application or risk identified. Both end users and administrators become more productive as data access and security become more seamless and transparent. Most important, EDP also includes built-in validation of policy, improving the possibility of achieving comprehensive audit and regulatory compliance.

At the core of this approach is the use of encryption to protect data everywhere it goes. Encryption provides the most fundamental level of data security, substituting cryptographically secured data for unprotected data. By its nature, encryption therefore ensures that whether data is being transferred or stored, data access policies are constantly and consistently enforced.

The Evolution of Enterprise Data Protection

Today, data is as likely to be transferred via a $20 USB flash drive as a large virtual private network (VPN) concentrator. And when data is distributed across storage devices, laptops, databases, and email, it can become vulnerable to inadvertent or malicious compromise. IT organizations are busy adapting to this new reality by actively looking at ways to identify and protect data at risk while controlling access and managing the data lifecycle.

EDP Strategy: A Business Enabler

The following brief history illustrates why successful organizations increasingly believe an EDP strategy is a critical—and essential—business enabler.

The Early Days: Data Secure in Physical Location

Businesses have used some form of data protection since the first days of data processing in the mid-1960s with early mainframe computers. Whether controlling access to tapes, systems,

processed in one, data was usually available only as a representation: a green screen or daisy-wheel printout. Physical security—rooms, locks, and monitoring—provided a fort-like barrier to protect the data.

Breaking the Barriers: Data Moves to Multiple Locations

As networks and computing power advanced in the early 1990s, businesses leaped to enhance productivity, reduce costs, and enhance the customer experience. Bandwidth limitations, storage constraints, and the lack of standards continued to relegate most data to traditional data centers. To protect these data centers, enterprises erected firewalls and added VPNs to enable access, creating a digital fort to keep out unauthorized users and malicious code.

Anywhere, Anytime: Data Lives in Thousands of Locations

With the availability of broadband and inexpensive mass storage, data can no longer be controlled through a few pipes and gates. This new environment results in the customer database, current and forecasted financials, or complete patient records becoming immediately available on individual laptops or removable USB flash drives. Along with increased mobility and easier access, however, comes the heightened risk of data theft or loss. Organizations cannot afford to ignore the potential consequences of a data breach—significant remediation and legal costs, loss of customers, regulatory penalties, brand damage—and hope to remain competitive.

EDP Architecture: Securing Data Wherever It Goes

The need to manage and control access to data has led to an evolution in data security. Because data is increasingly transferred across multiple systems and networks, organizations must now detect when it is at risk and secure it automatically using persistent protection that works both inside and outside the enterprise. The easiest way to meet this goal is with a centrally managed solution that controls policy and data access without requiring end users to make enforcement decisions or burdening administrators with complicated and resource-intensive tasks. This comprehensive approach ties security to the data. Built-in data protection separates how data is transferred, stored, and used from the security controls, reducing the risk incurred by human decision-making and increasing usability for end users.

EDP comprises four integral technology solutions working together:

Protect – At the core of EDP is the need to Protect the data itself. Industry experts agree that standards-based encryption enables a data-centric approach to security.2 Encryption locks down and follows data wherever it goes, making it accessible only to authorized users. For EDP to scale effectively, enterprise encryption must be managed centrally with automated key and policy management. This approach makes encryption interoperable, transparent to users, and flexible enough to respond as new data security needs emerge and evolve.

Detect – As data moves in and out of the enterprise and is stored on servers or workstations, data leakage prevention solutions search for data at risk, enabling the Detect layer. They identify risks and then help IT executives evolve their EDP strategies to include remedies that mitigate exposure. These solutions can also enforce policy, such as requiring encryption at the Protect layer.

Access – Authentication, including hardware tokens/smart cards and identity management, ensures only authorized credentials are allowed, controlling Access to data. Strong authentication plays an important role through to the Protect layer, enabling authorized encryption users to access data. For example: a cryptographic smart card with a private key and encryption provides both access and protection controls.

Manage – Ensuring business continuity requires that data is available and redundant throughout its lifecycle, from creation to archive. Storage management, backup, and archive solutions provide a layer to Manage data, making efficient use of storage and keeping data accessible even in the event of a disaster or system malfunction.

Encryption: the Core of Enterprise Data Protection

Regardless of the business driver, encryption is becoming widely recognized as the solution to protect data wherever it goes. At the core of EDP, encryption serves to provide the encompassing Protect layer that obscures data from unauthorized access. If encrypted data is somehow lost or stolen, it remains useless. Even if someone violates access controls, encrypted data will still be protected. This level of critical protection is why more than 30 U.S. states provide safe harbor from mandated consumer notification in the event of a data breach involving encrypted data. In countries such as the U.K. where the need for breach mitigation is just emerging, protecting their brand and reputation is the major reason enterprises adopt encryption solutions.3 Encryption also serves to segment access as needed, helping to maintain separation of duties and roles. This separation means confidential information in emails cannot be read by an IT administrator, for example.

Enterprise Encryption Solutions

Today, the process of protecting data with encryption is automated and operates in the background, transparent to end users. Encryption is enforced by centrally managed policy while corporate access to data is always maintained. Most important, key management is integrated and automated, enabling administrators to focus on user and policy management instead of key maintenance. Point encryption solutions that protect only one type of data or one locale are rapidly being replaced by a platform that scales to provide a range of security options, depending on where data is stored, how it is shared, and who needs access. This approach provides operational and management efficiencies as well as consistent data security that can scale to meet new needs as they emerge and evolve.

Examples of today’s enterprise encryption solutions include full disk encryption, USB storage policy-enforced encryption, network file encryption, and transparent email encryption performed at the desktop or email gateway. True enterprise encryption removes the barriers of complexity, performance, and cost once associated with encryption.4

Enabling a Strategic Approach: PGP Solutions

Recognizing the critical business need to protect data while controlling costs, PGP Corporation developed the PGP® Encryption Platform with encryption applications for enterprises. The PGP Encryption Platform is deployed with the first encryption application, making installation of a separate or additional infrastructure unnecessary. As a result, the PGP Encryption Platform lowers operational costs and accelerates time to deployment of new encryption applications. Most important, the PGP Encryption Platform provides the automated services, centralized management, consistent policy enforcement, and extensible framework needed to develop and deliver a robust EDP strategy.

Figure 1: The PGP Encryption Platform and Encryption Applications

Integrated Applications

PGP Corporation and its partners deliver integrated applications that automatically provide and use the management, policies, provisioning, and other services delivered with the PGP Encryption Platform architecture.

Key management, policy enforcement, provisioning, and reporting and logging for the PGP Encryption Platform architecture are provided by PGP Universal™ Server. As the foundation of the PGP Encryption Platform architecture, PGP Universal Server provides an extensible framework that supports scalable, centralized gateway and desktop encryption management, deployment automation, and policy enforcement across PGP Encryption Platform–enabled applications.

PGP Corporation develops applications that include and deploy the PGP Encryption Platform when first installed. Subsequent applications then leverage this framework, speeding deployment and preserving administrative resources:


PGP® Whole Disk Encryption – Provides comprehensive, nonstop encryption for securing all files on desktops, laptops, and removable media, transparently securing all disk contents, including system and temporary files, and enabling quick, cost-effective protection for sensitive data.

PGP® NetShare – Enables teams to securely share documents on file servers by automatically and transparently encrypting the files for fine-grained group access.

PGP® Desktop Email – Secures email communications from the sender’s email client to the recipient’s—and all points in between—automatically, using centrally defined, policy-based encryption.

PGP Universal™ Gateway Email – Delivers standards-based enterprise email encryption and digital signatures without client software.

Rest Secured.™

The Enterprise Data Protection approach now allows IT to execute on business needs without making security a separate project or an afterthought. Instead, security is already built in: protecting, detecting risk, controlling access, and managing data. As part of a comprehensive, strategic EDP solution, PGP® encryption can provide the core level of data protection. PGP encryption products build security into the most commonly used applications, protecting data wherever it exists—from outbound email, to file servers, to removable storage devices such as USB flash drives.

PGP Corporation
3460 West Bayshore Road
Palo Alto, CA 94303 USA
Tel: +1 650 319 9000
Fax: +1 650 319 9001
Sales: +1 877 228 9747
Support: support.pgp.com
Website: www.pgp.com

© 2007 PGP Corporation

All rights reserved. No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form by any means without the prior written approval of PGP Corporation.

The information described in this document may be protected by one or more U.S. patents, foreign patents, or pending applications.

PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners.

The information in this document is provided “as is” without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

This document could include technical inaccuracies or typographical errors.

All strategic and product statements in this document are subject to change at PGP Corporation's sole discretion, including the right to alter or cancel features, functionality, or release dates.
