dss itsec 2013 conference 07.11.2013 - for your eyes only - symantec pgp re-loaded

Upload: andris-soroka

Post on 19-Jan-2015

DESCRIPTION

Presentation from one of the remarkable IT Security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7th of November, 2013 and was visited by more than 400 participants on site and more than 300 via online live streaming.

TRANSCRIPT

Page 1: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

For your eyes only - Encryption and DLP

Erkko Skantz

Symantec Finland

Page 2: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

DATA CENTER SECURITY

INFORMATION MANAGEMENT

USER PRODUCTIVITY

Page 3: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Focus on information

Page 4: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Today's System-Centric Enterprise

Data Center

Point of Sale

Field

Field Offices

Headquarters

Page 5: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Today's System-Centric Enterprise

Data Center

Point of Sale

Field Offices

Headquarters

Field

1 in 10 people have lost a laptop, smart phone, or USB drive with corporate information on it

12,000 laptops lost in United States airports every week

Page 6: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Today's System-Centric Enterprise

Data Center

Point of Sale

Field Offices

Headquarters

Field

1/2 of corporate data resides on mobile devices

Page 7: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Information is the most important asset you have

Data Center

Point of Sale

Field

Field Offices

Headquarters

Page 8: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Where to get started?

Where to implement encryption and DLP?

Page 9: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Recovery point- and time objective

CRASH

Last backup taken

System up again

How much data can I afford to lose?

How long does it take to get my system up again?

1 Hour, 24 Hours, 1/2 Hour, 1 Hour

Impact of data loss?

Page 10: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

The Mistakes that Companies Often Make

Disk Encryption

• Find tactical solution
• Deploy infrastructure
• Create keys

USB Encryption

• Find tactical solution
• Deploy infrastructure
• Create keys

Mobile Encryption

• Find tactical solution
• Deploy infrastructure
• Create keys

Page 11: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Pay attention

Page 12: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Encryption is Easy

1) Take a document

2) Create a key and encrypt the document / file / disk

• Ask for a management platform for encryption.

• Most customers think they are buying an encryption application. Don’t make this mistake.

Page 13: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Administration can be difficult

1) Encryption management is UNLIKE any other administrative responsibility

2) Normally, administrative responsibilities end when the user leaves / quits

3) You must manage an encryption key for as long as there is encrypted data!

Page 14: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Suggested roadmap

Full disk encryption

Encryption Management Server

Device and media encryption

File/folder/shared server encryption

Smartphone solutions

End-2-end email encryption

Gateway email encryption

FTP, batch, backup transfer

Page 15: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Full disk encryption, the easy way

Page 16: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Symantec Full Disk Encryption

• Encrypts desktops, laptops, and USB drives

• Protects against

– Personal computer loss / theft / compromise / improper disposal

• Reduces risk of data loss

• Protects against reputation damage

• Enables business continuity without disrupting user productivity

• Demonstrates compliance to regulatory standards

• Common Criteria Evaluation Assurance Level 4+ (EAL4+) certification

Page 17: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Symantec Full Disk Encryption Deployment

• Flexible .MSI and .PKG formats

• Support for SMS, Zenworks, Altiris, AD GPO

• Deploy to: Windows (including Windows Server), Windows 8 (BIOS and UEFI), Mac OS X, Ubuntu, and Red Hat clients

Clients

Software Deployment Tool

LDAP

Encryption Management Server

Page 18: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Full Disk Encryption: How It Works

Step 1: Policy and Provisioning

• Administrators configure policy on Symantec Encryption Management Server

• Deploy installation package(s) to Windows (or Mac OS X/Linux) laptops/desktops

Step 2: Initial Encryption

• Install Symantec Drive Encryption client

• System is encrypted, block-by-block

Step 3: Pre-Boot Environment

• User is presented with modified pre-boot environment on reboot (or resume from hibernation)

Step 4: Authentication

• User logs in using passphrase or smart card

Step 5: Compliance

• Administrator views logs and reports on Symantec Encryption Management Server

Step 6: Helpdesk

• Forgotten passwords

• Unavailable employee

• Machine recovery

Page 19: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

It is about the information

Symantec Drive Encryption

Situation: Bag (+computer) lost at the airport or stolen from the car.

Product & Solution: Symantec Drive Encryption: Encrypt all laptops and desktops.

Result: The laptop was encrypted and the data was inaccessible by unauthorized users. Because the data was encrypted, the company did not have to report the breach. The company did not suffer a public black eye.

Page 20: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

It is about the information

THEME: Cloud Storage

Situation: Employees are storing confidential documents in the cloud. They are doing this for collaboration purposes.

Product & Solution: Symantec File Share Encryption: Encrypt data on internal file shares and data on cloud storage lockers.

Result: All data being stored in the cloud is encrypted prior to being sync’d into the cloud. Data is secure from 3rd party cloud companies as well as from compromise of account information to the cloud.

Page 21: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

It is about the information

THEME: Email

Situation: Email administrators are reading the email of the Executive staff

Product & Solution: Symantec Desktop Email Encryption: Encrypt and decrypt emails at the desktop level before leaving the desktop to the mail servers.

Result: Emails are secured on the desktop. Email admins can still access the emails on the mail server, but cannot read them because they are encrypted. Backups of the emails remain encrypted and secured.

Page 22: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Information encrypted

Products

• ENDPOINT ENCRYPTION

• FILE AND SERVER ENCRYPTION

• EMAIL ENCRYPTION

• MANAGEMENT

Objectives

• Keep data secure

• Meet compliance objective

• Protect the business

• Control costs and liabilities

Tasks

• Protect data at rest

• Protect data in motion

• Protect in use

Page 23: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Complete Encryption Platform

Smartphone Solutions

Full Disk Encryption (FDE)

File/Folder/Shared Server Encryption

End-End Email / Gateway Email Encryption

Management

Central Management of Encryption Applications

Symantec Encryption Management Server

Device and Media Encryption

FTP/Batch and Backups

Key Management

PGP® Key Management Server (KMS)

Page 24: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

The alternative option for encrypting everything

Page 25: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

DISCOVER: Where is your confidential data?

MONITOR: How is it being used?

PROTECT: How best to prevent its loss?

Page 26: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

How Symantec DLP Works

DATA LOSS POLICY

DETECTION

Content: Credit Cards, SSNs, Intellectual Property

Context: Who? What? Where?

RESPONSE

Action: Notify, Justify, Encrypt, Prevent

Notification: User, Manager, Security, Escalate

Find it. Fix it.

Page 27: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Symantec Data Loss Prevention

Page 28: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Symantec Data Loss Prevention Products

Management Platform: Symantec Data Loss Prevention Enforce Platform

STORAGE

• Network Discover

• Data Insight

• Network Protect

ENDPOINT

• Endpoint Discover

• Endpoint Prevent

NETWORK

• Network Monitor

• Network Prevent for Email

• Network Prevent for Web

• Mobile Email Monitor

• Mobile Prevent

Page 29: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Symantec Data Loss Prevention Architecture

Secured Corporate LAN

STORAGE: Network Discover - Data Insight - Network Protect

ENDPOINT: Endpoint Discover - Endpoint Prevent

MGMT PLATFORM: Enforce

SPAN Port or Tap

DMZ

NETWORK: Network Monitor - Network Prevent - Mobile Email Monitor - Mobile Prevent

MTA or Proxy

Page 30: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Continuous Risk Reduction

[Chart: Risk Reduction Over Time. Y-axis: Incidents Per Week (0 to 1000). Stages: Visibility, Remediation, Notification, Prevention.]

Competitive Trap

Page 31: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Putting it all together

Page 32: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Defense in Depth: DLP and Encryption

DLP: FIND

ENCRYPTION: FIX

Gateway

Removable Storage

File-Based

Page 33: DSS ITSEC 2013 Conference 07.11.2013 - For your eyes only - Symantec PGP Re-Loaded

Thank you

Questions? - [email protected]