• No results found

Symantec Endpoint Encryption Deployment Best Practices and Roadmap

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Symantec Endpoint Encryption Deployment Best Practices and Roadmap"

Copied!
31
0
0

Loading.... (view fulltext now)

Download now ( 31 Page )

Full text

(1)

1

Symantec Endpoint Encryption

Deployment Best Practices and Roadmap

Jon Allen

Baylor University

Chief Information Security Officer &

Assistant Vice President

Whole Disk Encryption

Rene Kolga

Symantec

Principle Product Manager

Encryption

(2)

Baylor University

Waco, Texas

• Chartered in 1845

• Largest Baptist University in the

world

• 15,000 Students

• 2,500 Full Time Employees

• Over 7,000 Baylor owned

computers

(3)

1

2

3

4

Agenda

Background

Deployment Lessons Learned

The Future

(4)
(5)

Reasons for Encryption

• Offices have now become mobile

– Laptops are the standard

– Large percentage of data losses involve laptop theft/loss

• 46 states have enacted privacy legislation requiring

notification if breached data is not encrypted

• Migration from using SSN did not eliminate old stores

of information

0010101001010010011010101010110101010100100100001 0010010100101011001010100101001001101010101011010 1010100100100001001001010010101100101001001000 ENCRYPTION

(6)

2013 – The Year of the Mega Breach

The total number of breaches in 2013 was

62% greater than in 2012

8 of the breaches reported in 2013 exposed

over 10 Million Identities

Roughly

552 Million Identities

were breached in 2013

(7)

Types of Encryption: Overview

Manual

– Tools that allow users to manually encrypt and decrypt files and

folders

Automatic (Folder Level)

– Tools that allow users to define folders or virtual drives that are

automatically encrypted

Whole Disk

– Boot time software that provides real-time encryption/decryption

below the OS level. Encrypts the entire volume or disk

0010101001010010011010101010110101010100100100001 0010010100101011001010100101001001101010101011010 1010100100100001001001010010101100101001001000

(8)

Why Symantec Drive Encryption

• Cross Platform (Mac, Windows, Linux)

• Centralized platform

(9)
(10)

Implementation

0010101001010010011010101010110101010100100100001 0010010100101011001010100101001001101010101011010 1010100100100001001001010010101100101001001000

Installation

– Manual vs. Automatic

Setting up central server

– Backup to an SFTP server, offsite rotation for server backup

– Runs great as a VM (1 CPU core, 2 GM ram)

Internal Q/A procedure

– Working SED into our system workflow

(11)

Data We’re Concerned About

0010101001010010011010101010110101010100100100001001001010010101100101 0100101001001101010101011010101010010010000100100101001010110010100100 10001001010010011010101010010100100110101010100101001001101010100010

Texas Privacy Legislation

– SSN, CC#, Driver’s License, Bank Accounts

FERPA Records

PCI (Payment Card Industry)

Texas HB 300 and HIPAA

(12)

Risks to Success

Workstation Configuration

– Backups

– Screensavers

– Hibernation vs. Standby

Authentication Method

– Single Sign-on

– Unified authentication

– Separate Credentials

Administrative Tasks

– Handling forgotten

passphrases

– Updating SED versions

Forensics\E-Discovery

System deployment

0010101001010010011010101010110101010100100100001 0010010100101011001010100101001001101010101011010 1010100100100001001001010010101100101001001000

(13)

The Apple Challenge

• Apple will change the EFI in even minor patches

– Means patching must be managed to prevent bricking

• New hardware generally requires latest OS

• Security patches only available for latest major

release of an OS

0010101001010010011010101010110101010100100100001 0010010100101011001010100101001001101010101011010 1010100100100001001001010010101100101001001000

(14)

Public Relations

• Administration Buy-in

• Thorough testing to up front

• Respond quickly to concerns

• Exhaustively test new versions

– do not feel compelled to upgrade until testing

is complete

0010101001010010011010101010110101010100100100001 0010010100101011001010100101001001101010101011010 1010100100100001001001010010101100101001001000

(15)
(16)

0010101001010010011010101010110101010100100100001 0010010100101011001010100101001001101010101011010 1010100100100001001001010010101100101001001000

Today

• Over 1400 clients deployed

– Of those over 90% are laptops

• Require all faculty/staff laptops be encrypted

• Include both Mac and Linux installations

• ½ FTE dedicated to Symantec Drive Encryption

rollout and maintenance

(17)

In Retrospect

• Do we think we made the right choice?

– Whole disk

– Symantec Drive Encryption

• What would we have done differently

– More resources

• QA resources

• Deployment resources

– More realistic timelines

– Make sure users understand the why of encryption

0010101001010010011010101010110101010100100100001 0010010100101011001010100101001001101010101011010 1010100100100001001001010010101100101001001000

(18)

The Future

• Encryption included with software

– OS (FileVault v2, BitLocker)

– Databases ( Oracle and MSSQL)

• Federal Privacy Legislation

• Opal v2 for managing hardware encryption

0010101001010010011010101010110101010100100100001 0010010100101011001010100101001001101010101011010 1010100100100001001001010010101100101001001000

(19)

Symantec Encryption Portfolio Update

Rene Kolga

Principle Product Manager

(20)

SYMANTEC VISION 2014

Current Portfolio

1

Encryption Trends

2

Symantec’s Encryption Strategy

3

What’s Coming

4

A Sneak Peak

5

Agenda

20

(21)

SYMANTEC VISION 2014

Safe Harbor Statement

21

Any information regarding pre-release Symantec

offerings, future updates or other planned modifications

is subject to ongoing evaluation by Symantec and

therefore subject to change. This information is provided

without warranty of any kind, express or

implied. Customers who purchase Symantec offerings

should make their purchase decision based upon features

that are currently available.

21

(22)

SYMANTEC VISION 2014

Protects individual files

in transit and at-rest from

unauthorized parties, allowing

secure collaboration

Protects email in transit

and at-rest from

unauthorized parties

Renders data-at-rest inaccessible

to unauthorized parties on devices

such as laptops, removable media,

desktops

Email Encryption

File & Folder Encryption

Endpoint Encryption

@

Renders data-at-rest inaccessible to unauthorized parties

on devices such as laptops, removable media, desktops

Endpoint Management

22

Symantec Encryption Portfolio

Whole Disk Encryption

(23)

SYMANTEC VISION 2014

Encryption Trends

Whole Disk Encryption

Tablets

Convergence of

Endpoint Security Solutions

Tablets

Self-Encrypting Drives

E N C R Y P T I O N

Native OS Encryption

E N C R Y P T I O N

E N C R Y P T I O N E N C R Y P T I O N

(24)

SYMANTEC VISION 2014

Single Endpoint

Encryption

Offering

3rd Party

Encryption

Management

Encryption

Center of

Excellence

Next

Generation

Encryption

Encryption Strategy

Enable customers to seamlessly protect sensitive

information,

wherever

it resides, with Symantec Encryption

24

Whole Disk Encryption

E N C R Y P T I O N

E N C R Y P T I O N E N C R Y P T I O N

(25)

SYMANTEC VISION 2014

Darwin 2

nd

Half CY14

(P

rojected)

The endpoint combination you’ve been waiting for…

Drive Encryption

Drive Encryption

Removable Storage

Encryption Management

Endpoint Encryption v11

Removable Storage

Encryption Management

25

(26)

SYMANTEC VISION 2014

More Anticipated Highlights from Darwin

• Robust customizable reporting and

extensive out-of-box reporting

• A simpler user experience by

eliminating the need for enrollment

• Support for multi-user endpoints

and non-AD environments

• Roughly doubling endpoint

scalability

• Removable media encryption

support

• Streamlined server architecture to

allow faster innovation and

engineering

26

(27)

SYMANTEC VISION 2014

A Glance at Reporting

27

Whole Disk Encryption

Out of the box

reports

And

customizable

reporting

(28)

SYMANTEC VISION 2014

Hercules 1

st

Half of CY15

(Projected)

More robust management capabilities and easy migrations…

FileVault

Opal v2

BitLocker

Old

Client

New

Client

No need to decrypt and re-encrypt systems

(29)

SYMANTEC VISION 2014

More Anticipated Highlights from Hercules

• Managing Self-encrypting Drives

(Opal v2)

• Managing Windows BitLocker and

Mac OSX FileVault

• Policy-based pre-boot bypass

• Tablet support w/out keyboard

• Additional PIV/CAC card support

29

(30)

SYMANTEC VISION 2014

A Sneak Peak

• Demo

30

(31)

Thank you!

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in

the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

--Symantec Encryption Team--

31

References

Download now ( PDF - 31 Page - 2.19 MB )

Related documents

GuardianEdge Data Protection Framework with GuardianEdge Hard Disk Encryption and GuardianEdge Removable Storage Encryption 3.0.

The data protection security function uses the TOE’s FIPS 140-2 certified cryptographic functions (see below) to ensure all data on encrypted partitions on the hard disk and

Calibration Failure

This is performed during the diagnostic tests for a daily and an initial calibration before the peak spectrum is displayed, and often displays "Retrying'... All XR46 and

Community heating serves luxury private apartments

Barratt Southampton (part of Barratt Homes the national house-builders) has connected Park View, a new development of luxury apartments, to the Southampton District Energy

Plm322 en Col62 Fv Part a4

1. In the Project Builder, use a template to create a project with the identification K.100## and description Shutdown/Turnaround - Power Boiler Gr.##. Use the standard project

Airline Reservation System

The most important future scope of this project is “to clear the concept of using control statement and to record the

Power Plant Engineering

energy per second in the wind hitting a wind turbine with a certain swept area is given by simply inserting the mass per second calculation into the standard kinetic energy

NHS Safety Thermometer. Measuring harm at the point of care

Point of care surveys Incident Reporting Administ rative Data Point of Care Surveys Case Note Review Advantages Composite Harm ‘free’ Data & charts immediate

Understanding Northwestern University s contract with Symantec. Symantec Solutions for Cost Reduction & Optimization

•Audit clients with Symantec Endpoint Encryption Client Monitor •Establish Symantec Endpoint Encryption Client