Importance of Encrypting Data at Rest
Compliance Corner is a monthly column focused on addressing security trends and market changes that affect your regulatory compliance initiatives. The topics discussed and questions answered in this column are intended to help guide the management of your compliance program and security risk management practices. If you would like to submit a compliance-related question for consideration in next month's newsletter, please email your question to marketing@perimeterusa.com.

In recent years there has been a significant increase in thefts of data at rest on corporate-owned equipment. Companies of all sizes are exploring encryption because of a real threat of losing data or having it stolen, and because of government regulations such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and HIPAA, which require protection of Social Security numbers, credit card data and other sensitive information.

As companies become increasingly dependent on a mobile workforce that needs access to information no matter where it travels, they face the risk of a data breach whenever a laptop containing sensitive information is lost or stolen. A recent Ponemon Institute survey of 106 airports in 46 states found that as many as 637,000 laptops are reported lost each year. Overall, more than 12,000 laptops are reported lost at the airports every week, and most are never recovered. Of the 864 business travelers surveyed, 53% said their laptops held confidential data that was not encrypted. Yet 65% of these travelers admitted they do not take steps to protect or secure the information contained on their laptop. Concerns over data encryption are not confined to laptops and mobile devices. Last year there were several cases of data theft involving backup tapes in transit to off-site facilities. Security breaches of backup tapes belonging to Bank of America Corp., Time Warner Inc. and Citigroup Inc. put a spotlight on the need for encryption of backup media.

Some recent headlines concerning data theft in the last 2 months include:
  • Montgomery Ward, June 2008: Hackers extracted information from an online database that held 51,000 credit card accounts.
  • Bank Atlantic, June 2008: Bank Atlantic confirmed a data theft involving its MasterCard debit cards.
  • Walter Reed Army Medical Center, June 2008: Sensitive information on 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach.
  • Pfizer, May 2008: About 13,000 employees of Pfizer Inc., New York City, including about 5,000 from Connecticut, had their personal information compromised when a company laptop and flash drive were stolen.
  • University of Miami, April 2008: Computer tapes containing confidential information on 2,100,000 Miami patients were stolen the previous month when thieves took a case out of a van used by a private off-site storage company.
  • Harley-Davidson, Inc., April 2008: A laptop computer containing 60,000 HOG members' personal information was found to be missing from the company's facilities.
More stories can be found at http://www.datatheft.org


Data Encryption Strategies

In light of all of the recent news and media events surrounding data encryption, organizations are slowly adopting enterprise-wide encryption strategies. In the Ponemon Institute's 2005 National Encryption Survey, only 4.2% of the nearly 800 companies polled said they had enterprise-wide encryption plans. In a follow-up study in 2007 that percentage grew to over 16% of respondents.

As you set out to create your corporate data encryption strategy, you should rely on the results of your corporate risk assessment to identify the critical assets requiring encryption. A few keys to creating a successful data encryption strategy are identifying the right data to encrypt, choosing only the encryption technologies that your organization needs, and having a process to manage encryption keys effectively.

At a minimum, your organization’s data encryption strategy should provide guidance for the following:
  • Encryption protection for data at rest, removable media (USB memory drives, CDs, backup tapes, etc.) and portable devices (laptops, PDAs, etc.)
  • Requirements for systems that store or transmit confidential data such as encryption methods, firewall rule requirements, antivirus/malware software, etc.
  • Encryption methods utilized for sending confidential information through a public network. This may include a Virtual Private Network (VPN) or tunneling protocols such as Point-to-Point Tunneling Protocol (PPTP), Secure Shell (SSH) and Secure Sockets Layer (SSL).
  • Standards for daily business activities such as:
    • sending emails containing confidential information
    • utilizing chat programs
    • utilizing wireless networks
  • Minimum encryption standards
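To make concrete why encrypting backup media and managing the keys separately matters in the tape-theft cases above, here is an added example (not code from this column or from Perimeter) of envelope encryption for a backup "tape": each tape's contents are encrypted under a fresh data encryption key (DEK), and only the DEK wrapped under a key encryption key (KEK) that stays with the organization is written next to the data. The module name, the hash layout of a tape and the choice of AES-256-GCM are my assumptions; the column does not prescribe a specific construction.

```ruby
require "openssl"
require "securerandom"

# Envelope encryption for backup media (assumed construction, see lead-in):
# each tape gets its own data encryption key (DEK) that encrypts the backup,
# and the DEK is stored on the tape only in wrapped form, encrypted under a
# key encryption key (KEK) that never leaves the organization. A tape lost
# in transit therefore yields ciphertext and a sealed key, nothing more.
module BackupTape
  KEY_BYTES = 32 # AES-256
  IV_BYTES  = 12 # GCM nonce
  TAG_BYTES = 16 # GCM authentication tag

  # AES-256-GCM seal: returns iv || tag || ciphertext. A random IV per call
  # is acceptable here because every DEK protects exactly one tape.
  def self.seal(key, plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = key
    iv = cipher.random_iv
    ciphertext = cipher.update(plaintext) + cipher.final
    iv + cipher.auth_tag + ciphertext
  end

  # Reverse of seal. A wrong key or any modified byte raises
  # OpenSSL::Cipher::CipherError instead of returning garbage.
  def self.unseal(key, blob)
    header = IV_BYTES + TAG_BYTES
    raise ArgumentError, "sealed blob too short" if blob.bytesize <= header
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = key
    cipher.iv = blob.byteslice(0, IV_BYTES)
    cipher.auth_tag = blob.byteslice(IV_BYTES, TAG_BYTES)
    cipher.update(blob.byteslice(header, blob.bytesize - header)) + cipher.final
  end

  # What is written to the tape: the plaintext DEK is discarded on return.
  def self.write(kek, backup)
    dek = SecureRandom.random_bytes(KEY_BYTES)
    { wrapped_dek: seal(kek, dek), ciphertext: seal(dek, backup) }
  end

  # Restore requires the KEK, which stayed at the organization or its key escrow.
  def self.read(kek, tape)
    dek = unseal(kek, tape[:wrapped_dek])
    unseal(dek, tape[:ciphertext])
  end
end
```

Whoever takes the tape gets neither the record nor a usable key; whoever holds the KEK can still restore, which is the key-management process the strategy has to define.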

In summary, do not take your encryption planning lightly because it may be the only thing that keeps your name out of the headlines.