
Encryption and data protection

Encryption, what does it mean and if it’s so important why isn’t everybody using it?


Contents

Synopsis

The value of data

Data loss hurts

Rules and regulations

Policy-led security

Why don’t companies use encryption?

The Symantec.cloud solution

White Paper: Encryption and data protection


Synopsis

Barely a month goes by without a big data protection story in the media. But where is the real threat and what can you do to protect your business? How do you protect data ‘at rest’ and data ‘in transit’? If encryption is so important, why isn’t everyone using it? Is there a simpler, more efficient way to encrypt your data? This white paper aims to answer these questions.

Every day, around 294 billion emails fly around the internet [1]. Around three-quarters are spam [2], so that leaves 75 billion legitimate personal and business emails. Only a tiny fraction are encrypted. The rest are like postcards – anyone can read them between sender and recipient.

In addition, email gives every employee a way to send company secrets instantly to virtually anyone in the world.

Data at rest in your organisation is equally under threat from espionage, hacktivism, spyware and insider negligence or wrongdoing.

The value of data

According to Dale Zabriskie, Principal Technologist at Symantec, 75 percent of a company’s intellectual property can be found in emails, presentations and spreadsheets. This information is often stored and emailed without regard to its potential value and the risk of public disclosure, and usually without effective encryption.

As if losing data to hackers and thieves wasn’t embarrassing enough, the fallout from a data breach is highly toxic. Share prices fall, reputations are ruined and organisations suffer. With all these risks, regulations and problems, it seems extraordinary that companies are not encrypting their data and correspondence as a matter of course.

[1] http://email.about.com/od/emailtrivia/f/emails_per_day.htm
[2] Symantec.cloud MessageLabs May 2011 Intelligence report

Data loss hurts

Recently, data loss stories have hit the front pages. It’s a pressing issue for businesses and governments. Some recent examples underline the dangers:

• Hacktivism - WikiLeaks’ release of hundreds of thousands of unencrypted but confidential documents, to the acute embarrassment of the US government and many others, should have alerted all CIOs to the threat posed by data leaks. Unfortunately, the message fell on deaf ears. Months later, the Anonymous and LulzSec hacktivist networks got into the computers of companies like strategic consultants Booz Allen Hamilton [3] and security consultancy HBGary [4].

• Identity theft - When Sony’s PlayStation Network was breached, as many as 77 million PlayStation users saw their personal information stolen by hackers [5]. The BBC reports that the information was stolen from an “outdated database”, highlighting the need to protect data throughout its life and as it moves from one system to another.

• Accidental loss - In 2007, HMRC lost two CDs in transit, containing personal details about 25 million people [6]. This highlights several problems. First, the need for a secure way to transmit data from one place to another. Sending those records by unencrypted email is just as risky as sending them by unencrypted CD. Second, it shows that employees will usually find a way to circumvent any security protocols or rules unless they can be implemented automatically. While the HMRC story is noteworthy, it is repeated thousands of times every day on a smaller scale. For example, by some estimates, 250,000 laptops are stolen in the UK every year and only a small percentage are encrypted [7].

• Spyware - Symantec has a global network that manages email and related malware detection and prevention services for client companies. In its June 2011 intelligence report [8], it found that one in 50 of Symantec’s UK customers were subject to a targeted malware attack, and one in 65 of its financial customers. One in every 130 emails contained a phishing attack, and one in every 131 emails contained malware of some kind.

• Espionage - UK Defence Secretary Liam Fox told businesspeople recently that the Ministry of Defence had blocked more than 1,000 attacks on its systems in 2010 [9]. This was twice the number of attacks the year before. This comes on top of MI5’s warnings about the threats to UK businesses from Chinese hackers [10]. No one knows how many attacks get through. Detica, a security consultancy, estimates that the British Aerospace and defence sector loses £1.6 billion a year to espionage and theft of intellectual property. This is almost as much as it spends on R&D [11].

Rules and regulations

Data protection regulations apply to all businesses when it comes to personal information. The Information Commissioner’s Office, which is responsible for enforcing the UK’s Data Protection Act (DPA), reported [12] in July that it had received more than 26,000 complaints under the DPA in 2010-11.

In many of these cases, effective encryption would have prevented the problem.

Anyone who loses data and hopes to get “lost in the DPA wash” is living in a fool’s paradise. The ICO has beefed up its complaint-handling procedures and, last year, the ICO won the power to levy fines up to £500,000 for violations of the DPA. This year, it started to use that power. For example, the ICO fined a company £60,000 for losing a laptop with unencrypted data on 24,000 people who were receiving legal aid.


[3] http://www.boozallen.com/media-center/press-releases/48399320/49321746
[4] http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
[5] http://www.bbc.co.uk/news/technology-13256817
[6] http://news.bbc.co.uk/1/hi/7103566.stm
[7] http://www.backupdirect.net/uk-laptops-stolen
[8] http://www.symantec.com/about/news/release/article.jsp?prid=20110628_01
[9] http://www.mod.uk/DefenceInternet/AboutDefence/People/Speeches/SofS/20110607CyberTheWarOfTheInvisibleEnemy.htm
[10] http://www.pcpro.co.uk/news/143649/mi5-warns-of-cyber-threat-from-china
[11] http://www.mod.uk/DefenceInternet/AboutDefence/People/Speeches/SofS/20110607CyberTheWarOfTheInvisibleEnemy.htm
[12] http://www.ico.gov.uk/about_us/performance/~/media/documents/library/Corporate/Research_and_reports/annual_report_summary_2011.ashx


Policy-led security

Every company needs policies that set out how staff can access, use, store, transmit and email company information. A high-level information policy can drive and shape staff policies, training and technical decisions when it comes to encrypting data at rest and in transit.

The UK’s Centre for the Protection of the National Infrastructure (CPNI) offers the following general security advice [13]. Companies, it says, need constantly to ask themselves:

• Who would want access to our information and how could they acquire it?

• How could they benefit from its use?

• Can they sell it, amend it or even prevent staff or customers from accessing it?

• How damaging would the loss of data be?

• What would be the effect on our operations?

CPNI suggests the following principles should be central to any decisions:

1. It is not possible to protect everything, so one must prioritise what to protect.

2. The measures should be proportionate to the threat.

3. The cost should not exceed the value of the asset being protected.

Finally it notes, “Security is more cost-effective when incorporated into longer-term planning.”

The first step is to classify data, in particular email. As Zabriskie says, “When you classify information, then you’re also able to encrypt the right information at the right time and in the right place.”

Why don’t companies use encryption?

There is a perception, cultivated by Hollywood and law enforcement agencies, that encryption is impossibly complicated and only for use by people with really important secrets. Inside this myth, there is a grain of truth.

The mathematics that underpins modern cryptography is complex, but tools have evolved that make it easy, even completely transparent, to use while maintaining security against unauthorised access. For example, voice conversations on Skype are encrypted and no one notices. Online stores use SSL encryption to protect credit card data and very few people notice. Most electronic banking transactions use encryption and many now use crypto devices for login authentication, and no one notices.

However, managing your own in-house encryption environment can be complex and potentially expensive. You have to secure it against hackers and accidents, you have to manage the keys used to encrypt and decrypt messages, you have to develop trusted relationships with those with whom you exchange encrypted correspondence, and you have to have robust enrolment, updating and end-of-service procedures for the people with access to keys and encrypted information.

The Symantec.cloud solution

We’ve seen that there is a clear and present threat to businesses from data loss, whether it is the result of accidents or deliberate attack. The consequences are severe and increased by regulations. It’s clear that classifying your data accordingly is essential, as are policies and processes that protect it.

An essential part of any data protection plan is encryption. However, we’ve seen that it can be difficult, expensive and time-consuming to use. Fortunately, there is an alternative: using internet-hosted, managed encryption systems.

Many companies already outsource much of their email system. When so much email carries spam and malicious content, running an email service is a costly overhead most companies sensibly prefer to leave to specialists such as Symantec.cloud. The same approach helps companies protect against data loss, and Symantec.cloud has several services that can help:

• Boundary encryption - Symantec’s Email Boundary Encryption.cloud allows clients to set up secure private email networks that link up with their nominated partners. Every part of every email sent or received via these networks is fully and securely encrypted. As with Skype and mobile phone calls, both sender and recipient remain unaware that their messages are encrypted, unless you tell them. The service works seamlessly with leading email servers such as Microsoft Exchange, Lotus Domino and Sendmail. And of course, it works with other Symantec.cloud services such as Email Security and Endpoint Protection to scan all incoming and outgoing encrypted email for viruses, spam and other inappropriate content, thus preserving the integrity of both your IT systems and your information.

• Policy-based encryption - This lets you encrypt sensitive data using flexible rules to decide what emails should be encrypted; for example, based on sender, recipient, words or attachments. Recipients can read encrypted emails easily and send encrypted replies without installing special software on their PC or smartphone.

• Content control - Symantec Email Content Control.cloud reduces the risk of data loss over email by scanning outgoing emails and attachments for keywords, phrases, URL lists or particular wildcards (e.g. credit card numbers). Emails of concern can be blocked, redirected and deleted.

• Spyware prevention - Keeping your computers safe from spyware and intrusion is an essential part of data loss prevention. Symantec Endpoint Protection.cloud does exactly this for endpoint PCs and other clients, while Symantec Security.cloud AntiVirus and AntiSpyware block spyware coming in via web browsers and Symantec Email Antivirus.cloud blocks malware – including targeted attacks – coming in via email. Because they are all hosted internet services, they can block most threats before they even reach your systems and they can do more checks (e.g. link inspection on web links embedded in emails) than most on-premise systems.

Although these services are hosted in the cloud, you still retain complete control over the security policies you wish to enforce via a web-based console.

When combined with sensible security policies, employee training and information classification, Symantec.cloud can help you keep your critical data away from prying eyes and protect it from accidental leaks. Easy-to-implement email encryption adds a further level of protection that protects a vital channel of communication. In a world where leaked emails, spyware and data theft can cost companies millions, it pays to have comprehensive protection.

For more information please visit our website at www.symanteccloud.com or contact us at [email protected]


More than 55,000 organisations ranging from small businesses to the Fortune 500 across 100 countries use Symantec.cloud’s MessageLabs services to administer, monitor and protect their information resources more effectively. Organisations can choose from 14 pre-integrated applications to help secure and manage their business even as new technologies and devices are introduced and traditional boundaries of the workplace disappear. Services are delivered on a highly scalable, reliable and energy-efficient global infrastructure built on 15 data centers around the globe. A division within Symantec Corporation, Symantec.cloud offers customers the ability to work more productively in a connected world.

For specific country offices and contact numbers, please visit our website:

www.symanteccloud.com

World Headquarters MessageLabs

1270 Lansdowne Court Gloucester Business Park Gloucester, GL3 4AB United Kingdom +44 (0) 1452 627 627

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 2/2011 21167338
