Data Security on Removable Media

Nov 30, 2013

ISSA San Francisco

Jason Webster

jfwebster@imation.com


TABLE OF CONTENTS

1. Imation Overview
2. Market Situation
3. Secure Removable Storage Devices
4. Central Management Software
5. Data Center Tape Protection

IMATION CORP OVERVIEW


Leading global marketer and developer of branded products that enable people
to store, protect and enrich their experiences with digital information


Technology leadership, global distribution reach, and customer relationships
make us a preferred partner for leading companies worldwide


Broad portfolio of data storage products, consumer electronics and accessories


Global market share leader in recordable optical media and data storage tape


2010 revenue $1.46 billion, >1,000 employees, serving more than 100 countries

MARKET SITUATION

MARKET SITUATION - SUMMARY

DATA GROWTH

The growth of digital information has rapidly surpassed expectations.

By 2011 the digital universe will be 10 times the size of 2006 (1)

INCREASED DATA MOBILITY

The importance of data has increased its access and mobility
requirements, making it more difficult to secure and protect

INCREASED DATA BREACHES

As data and its mobility grow, the number of data breaches and the amount of data
exposure have also grown

U.S. 2010: > 662 Breaches (2)

412 (62%) Exposed Social Security Numbers

170 (26%) Exposed Credit or Debit Cards

REGULATIONS INCREASING

Increased data exposure has resulted in increased regulations and
reporting requirements globally

COST OF DATA BREACHES GROWS

Increased reporting requirements and increased data breaches
result in increased breach costs

U.S. 2010: $7.2 Million (3)

$214 per record (3)

[Chart: Average org. cost of data breach over 4 years]

[Chart: Data Breach cost by Industry]

(1) Source: IDC, The Diverse and Exploding Universe, March 2008
(2) Source: Identity Theft Resource Center, 2010 Data Breach Stats, January 3, 2011
(3) Source: Ponemon Institute, Fourth Annual U.S. Cost of Data Breach Study, January 2009

Legislation


46 States with Data Breach laws


33 new proposed laws in 2010


HITECH ACT of 2009 - Mandatory new regulatory requirements


Encryption needed but not “required” on all DAR (data at rest) devices



severe penalties for an unsecured data breach!


Public notification for an unsecured data breach of > 500 individuals


Civil and federal penalties but safe harbor for encrypted data


Patient right to receive a copy of records electronically


15 million in Health Care, 60% touch Patient Healthcare Information


FTC Red Flag Statutes


All organizations subject to the legislation must develop and implement a formal, written and
revisable "Identity Theft Prevention Program" (Program) to detect, prevent and mitigate
identity theft.


All financial institutions (state or national bank, a state or federal savings and loan
association, a mutual savings bank, a state or federal credit union, or any other entity that
holds a “transaction account” belonging to a consumer)


Solutions include encryption and multiple factor authentication


12/29/2010 SEC Approves Amendments to FINRA Rule 8210 to Require Encryption of Information
Provided Via Portable Media Device


Financial Industry Regulatory Authority is the largest independent regulator for all securities firms
doing business in the United States


Rule applies to all FINRA member firms (4,570 brokerage firms)


FIPS BASICS

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. government
security standard that specifies requirements for cryptographic modules


FIPS is required by law for U.S. government purchases


Strictly enforced in Canada


Gaining international recognition in Asia and Europe


Being adopted within regulated industries (e.g. Financial, Healthcare)


Description of FIPS 140-2 Four Levels

FIPS 140-2 Level 1

The lowest level, imposes very limited requirements; loosely,
all components must be "production-grade" and various
egregious kinds of insecurity must be absent

FIPS 140-2 Level 2

Adds requirements for physical tamper-evidence and role-based authentication.

FIPS 140-2 Level 3

Adds requirements for physical tamper-resistance and
identity-based authentication, and for a physical or logical
separation between the interfaces by which "critical security
parameters" enter and leave the module, and its other
interfaces

FIPS 140-2 Level 4

Makes the physical security requirements more
stringent, and requires robustness against
environmental attacks. Level 4 is currently not being
utilized in the market

Currently, Level 3 is the Industry Standard.

Web Sites track reported data breaches

May 6th - 3
May 5th - 2
May 4th - 9
May 3rd - 4
May 2nd - 5
May 1st - 0

Recent Major Data Breaches

Theft: The Family Planning Council in Philadelphia reported a data
breach involving a flash drive theft, placing information on
70,000 patients at risk, April 14, 2011

Disgruntled Employee: How Adrian Jones' Superstar IT Career Went Sideways, April
28, 2011 (HP Executive allegedly downloaded confidential trade
secrets on a USB device that was not controlled)

Honest Mistake: Search on for memory stick missing from public school board,
April 13th, 2011 (All the information from the computer,
including employee information such as direct deposit forms,
resumes, and other scanned documents, was put on the
unencrypted flash drive.)

Recent Headlines


www.HealthcareInfoSecurity.com


2/24/11


Mass General HIPAA Penalty: $1 Million


Lost documents included information from infectious disease dept, including AIDS patients


Corrective Action plan: “Develop and implement a comprehensive set of policies and procedures that ensure patient
information is protected when removed from the hospital”


Mass General to take extra steps to encrypt laptops and USB drives



2/23/11


HIPAA Privacy Fine: $4.3 Million to Cignet Health


First civil monetary penalty to a healthcare organization


Cignet failed to provide 41 patients with access to medical records


Failed to cooperate with Federal investigators



2/14/11



New York City Health & Hospitals Corp breach affects 1.7 million


Largest incident reported under the HITECH Act breach notification rule


Information lost includes names, addresses, social security numbers, patient medical histories


Hospital Corp. offering 1 year free credit protection service to affected individuals (will cost them
millions)


Per the HITECH ACT, if data was encrypted then public notification would not be required



"The U.S. Department of Health and Human Services is serious about enforcing individual
rights guaranteed by the HIPAA Privacy Rule," said HHS Secretary Kathleen Sebelius.



Secure Removable Storage Devices

USB Devices


Over 2 Billion devices sold each year (PC World Jan 2009)


According to security firm Vontu


Over 50% of 480 surveyed tech professionals had USB devices
with unprotected confidential information


1 USB drive is lost at work each month


Unlike laptops, storage devices are small and cheap. Many
employees do not report them missing as they would a laptop.


According to Ponemon


Employees were less than 50% likely to report lost USB device
or Optical


Most employees would knowingly break corporate policies


Sharing passwords, downloading confidential data, taking
work home







SECURITY ELEMENTS

Physical Security

Encryption

Authentication

Malware Protection

Management

USB Port Control

Types of Security on USB Devices and Optical


Encryption


128 bit vs 256 bit


FIPS validated only 256 bit


Hardware encryption vs Software encryption


Software uses host computer for authentication, hardware authentication occurs
in device


Software encryption typically slows down performance


Software encryption (FIPS Level 1) will get you compliant, Hardware Encryption
(FIPS Level 3) will give you top security


Software encryption typically Windows only


Authentication


Password


Biometrics


CAC/PIV card (upcoming)


Optical


Common method:


Encrypt files with third party software and burn onto optical media


New method:


Self-encrypting recordable CD/DVD/Blu-ray disc



128 bit vs 256 bit encryption

Twice as long, twice as strong?

Light years stronger

340,282,366,920,938,000,000,000,000,000,000,000,000

Equivalent to all the grains of sand on the
planet or every known star in our galaxy




Authentication

Authentication verifies a user’s identity

It’s what “unlocks” the device by validating you are who you say you are

Various methods:

Strong Password - A password is sent into the device, and the device verifies it’s correct

Biometric - A finger is swiped across the sensor, another chip verifies it

RSA SecurID - digital identity

PIV - Personal Identity Verification

CAC - Common Access Card

PKI - Public Key Infrastructure

Hardware Encrypted devices: authentication is done in Hardware

The “boundary of trust” does not include the computer

Our Portfolio Overview


Very Robust Device Management (Central Management)


Automatically registers user to devices and implements policies


Low System overhead and limited support staff required


Manages Multiple Device Types and Brands


Leverages existing investment


Provides Forensic Level Auditing


File level blocking by type and name


Manages Devices off the network


Remote Kill of Devices


Broadest Secure Portable Storage Portfolio:


Optical Products - CD/DVD


USB Flash Drives


External Hard Disk Drives


Multiple Authentication Methods


Password (hardware rules)


Biometric + Password



Global Government-Validated Encryption



PORTFOLIO SUMMARY

TARGET MARKETS: SOHO/SMB | Enterprise | Large Enterprise | Government/Financial Services

FUNCTIONALITY: Secure Storage | Managed Secure Storage | Managed Secure Storage & Strong Authentications | Managed Secure Storage & Strong Authentications with SmartCard

Defender F100 & F150 - Features: FIPS 140-2 L3, Cap design

Defender F50 - Features: FIPS 140-2 L1, Pivot design

Defender H100 & H200 +Bio - Features: FIPS 140-2 L3

Defender F200 +Bio - Features: FIPS 140-2 L3

Defender Optical - Features: FIPS 140-2 L1

Device Management
Management Features


Remote Kill/revocation


Addition of encryption to non-encrypted devices


Time based policies vs event based


File Level Auditing


USB Port Control - Allow, Block, Read only


File level blocking


User group policies


Ability to manage third party devices


Remote Policy Updates


User self rescue


Password complexity and interval


Remote Password update


Data Recovery


Automatic registration of devices vs issuance



Why Wikileaks could have been prevented


User could have been blocked from access to
removable storage devices


File types/names/contents could have been blocked from
the Central Management Software


Block, alarm, monitor


Auditing of activity would have shown which files
were being downloaded by whom from which
computer


Offline usage could have been disabled


Device could have been remotely killed/disabled


Auditing would have shown which files were saved
to which computer from which device

Device Management Software

[Diagram: Defender FIPS L1 (F50 Pivot, Defender Optical); Defender FIPS L3 (F100/F150, H100/H200 +Bio, F200 +Bio); Port Control (Laptop, Netbook, and Desktop PC Ports); Legacy Removable Media (UFD, EHDD, Media Players, Mobile Devices, Cards); StealthZone (SPD)]

Case Study: US Army Base

Overview:

Army Support Activity supports and conducts Reserve Component
Training and Mobilization/Demobilization operations. The ASA plans and
executes other Army directed support missions, and, on order, establishes
and operates a Joint Mobilization site

Requirements:

The ability to access sensitive mission and combat training data on secure,
ruggedized and tamper-proof storage devices.

Integrated anti-malware defenses, remote kill and key management

The solution must meet DoD DAR CTO requirements

Solution

Defender F150’s FIPS 140-2, level 3 drives

Each device was loaded with McAfee A/V and Imation Device Control Applet

Central Management is performed through Imation Control Server software

Result

All USB devices can be managed and used securely in compliance with the
DoD CTO security requirements

DAR Approved Central Management allows for remote kill, key management
and detailed forensic auditing/reporting.

How to be Compliant and Secure

For non-criminal intent Data Breaches (Lost Devices - Honest Mistake)

Use AES 256 Bit Encrypted Devices

For Stolen Devices

Use AES 256 Bit Encrypted Devices with embedded Security Policies

Extra insurance

2 factor Authentication

Remote Kill

FIPS Level 3 Encryption

For Disgruntled employee

Central Management of Devices with stringent Security policies

USB Port Control

File Level Auditing capability

Blocking of files

Remote Kill

Proactive Enforcement of Policies

Central Management of devices to ensure 100% compliance to Company Security
Policies to protect critical company data, e.g. Financials, IP, Employee or Customer
information. You also will have auditing and reporting capability


Upcoming Imation technologies

Digital Rights Management

Prevent printing, copying, emailing

Timebomb files

Smart Card Integration

Common Access Card (CAC) or Personal Identity Verification (PIV)

Strong two and three-factor authentication

No new password required -- card PIN is used

Secure portable desktop

allows you to boot directly from your USB drive.

Turn any host computer into the user’s computer

Boots directly into Windows environment

“Generic mode” allows use on unknown PCs

Securing Traditional Storage


Understand the Need


More data is being backed up today than ever before


More data is stored per individual cartridge


Cartridge capacities have reached 1 terabyte native


More cartridges are moving to and from more locations


Additional data centers, vault sites


More regulations on data protection and preservation exist
today than ever before


Non-compliance can be very expensive


Encryption of Tape


AES* 256-bit encryption available with LTO4/5, Oracle T10000 and
IBM 3592 (TS1130) drives


Drive level encryption enables compression before encryption


LTO offers possibility of 3rd party key management system


<1% impact on drive performance

*Advanced Encryption Standard


LTO RFID CM Chip

LTO CM holds diagnostic information

e.g. Error rates, data-sets written, drive utilization, number of mounts

Analyzed to determine drive/media performance trends for failure prediction

LTO CM info captured within seconds

Scan of CM does not compromise security of data

Locking Features

Users can choose to “Lock” their cartridges for added transport or storage
security.


When locked, the cartridge cannot be read from, or written to,
by any LTO drive.

RFID Asset Tracking

What Customers Say


“I need to know…”


I am compliant with regulations


Where my tapes are


Within my library


In other data centers


At my vaulter



I am being as efficient as possible in my operations


If I need a tape, I will be able to find it quickly


If an auditor asks about a tape, I will be able to demonstrate
chain of custody

Customer Case Study

IT Asset Lifecycle Management

Established a corporate risk mitigation strategy to protect
corporate and consumer

Greatly curtailed asset loss and ensured end of life
assets were destroyed

Improved employee awareness and automated
the tracking of laptops leaving a facility

Lowered corporate risk profile

Developed special use passive RFID tags to place on
all hard drives and laptops

Deployed Asset Management solution to track the lifecycle
of the corporate assets

Installed special use readers at various entry / exit choke
points

Automated feedback from crushing to end-of-life assets

Thousands of IT hard drives and tapes containing highly
sensitive customer and corporate information

No ability to control or monitor removal of laptops from
facilities

Inability to ensure end of life drives were properly destroyed
created

5 high profile breaches in 2 years, consumer outrage

Customer Case Study


Exiting the Secure Facility

Employee approaches exit, where the employee
badge and laptop tag are identified.

Employee association to laptop is verified by the
application and an image is quickly loaded on the Exit
Security Monitor for visual confirmation

Security may elect to enlarge the view and
may elect to review the association details.

Case Study

An audible sound and visual cue is given to security
indicating the Employee badge is not assigned to this
laptop.

Employee badge and Laptop tag match.

Picture Shown for additional visual security.

Secure Destruction of Media


Companies will buy back tape media


Claim they recertify media and rewrite over all of the
data


In truth, most write over the header or table of
contents, and the rest of the data is still live


South Shore Hospital Data breach was caused by
company taking media to be recertified, and tape
was lost


800,000 patients at risk


Third party was not responsible for Data - South Shore was

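A check a media owner can run before releasing media for recertification, as an added example that is not part of the original slides: it scans a raw image of the medium block by block and reports data that survived an overwrite that only touched the header. It assumes the medium can be read end to end as a raw image; the 4096-byte block size, the zero wipe pattern, the function names and the sample images are constructed for illustration.

```python
import io

BLOCK = 4096  # scan granularity in bytes (assumed; use the medium's block size)


def scan_for_residual_data(stream, wipe_byte=0x00, block_size=BLOCK):
    """Scan a raw media image and report blocks that still hold data."""
    expected = bytes([wipe_byte]) * block_size
    total = residual = offset = 0
    first_residual = None
    while True:
        block = stream.read(block_size)
        if not block:
            break
        total += 1
        # A short final block is compared against a pattern of equal length.
        if block != expected[:len(block)]:
            residual += 1
            if first_residual is None:
                first_residual = offset
        offset += len(block)
    return {
        "blocks": total,
        "residual_blocks": residual,
        "first_residual_offset": first_residual,
        "fully_overwritten": total > 0 and residual == 0,
    }


def build_sample_image(header_only, blocks=8, header_blocks=2):
    """Constructed test image: fake records, then a simulated overwrite."""
    record = b"NAME=Constructed Patient;ID=000000;"
    data = (record * (blocks * BLOCK // len(record) + 1))[:blocks * BLOCK]
    wiped = header_blocks if header_only else blocks
    return io.BytesIO(b"\x00" * (wiped * BLOCK) + data[wiped * BLOCK:])


if __name__ == "__main__":
    for label, header_only in (("header-only overwrite", True),
                               ("full overwrite", False)):
        report = scan_for_residual_data(build_sample_image(header_only))
        print(label, report)
```

A wipe that writes random data or a multi-pass pattern cannot be verified against a single byte value; in that case compare against a hash of the original contents or rely on encryption of the medium with destruction of the key.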

Thank You