PGP is a name any IT security person will know; it is safe to assume that most security-minded people, whether in the security field or IT in general, know what PGP does. The data security company has been around for years, and its products are used the world over. Recently, The Tech Herald spoke to Mark Bower of Voltage and, in that Q&A, offered the same set of questions to any other data-centric security company. John Dasher of PGP Corporation took us up on the offer. His comments are below.
John Dasher of PGP Corporation takes time to talk to The Tech Herald (Image: J. Anderson)
John Dasher is the Director of Product Management for PGP. Before PGP, he was the Director of Business Development & New Products for FileMaker, Inc., and before that, he spent twelve years at Apple Computer, taking a hand in the development of Apple’s PowerBook line. In addition, he owns a patent (USPTO #6055543) on multi-platform search.
[Note: The Tech Herald has neither met with nor used PGP as a source for any material in the past. The questions answered here are taken from the original Q&A with Mark Bower of Voltage. That Q&A was left open to comment for other vendors, and the invitation still stands. The original Q&A was published on June 19, 2008. The questions posed then to Mr. Bower related to the news cycle at the time but remain relevant today.]
The Tech Herald (TTH): In each of the three cases, Stanford University, East Tennessee State, and U of SC, there were over 85,000 records lost. "6,200 (Tennessee) to 72,000 (Stanford) -- the U. South Carolina breach falling in between with 7,000 affected." Why were these systems not encrypted? Who is at fault?
John Dasher (JD): While you'd have to ask the affected parties "why?", my personal observation — having talked with many who have suffered a breach — is that there is a mentality that the protections that they do have in place are sufficient. There's a firewall, a DMZ, ACLs, etc. The great "ah ha!" that we're trying to help folks understand and internalize is that the data itself, wherever it resides, needs to be protected with encryption.
Think of a corporate customer database, where the Personally Identifiable Information (PII) is protected with some form of column-level data encryption. Now an employee of the company, with legitimate access to this data, performs a database extract. How do they work with the data? More often than not, they work with it in a spreadsheet. So now there's a new instance of the PII data in the form of a spreadsheet file. This file is not encrypted, so now the data is in the clear. Maybe it's copied up to a file server, down to a laptop, off to a thumb drive. Now the data is "out of the zoo and into the wild." All of this even though the database itself was properly protected.
People who act as stewards for data in corporations need to take responsibility and make sure that the data itself is encrypted. When the data is encrypted, you are afforded protection when it’s at rest on a server, moving across a network or copied to a thumb drive.
TTH: "Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center." Here you have a careless driver, and no encryption is mentioned for the data. Isn't this covered under HIPAA? What is the average cost to encrypt one backup tape of a typical size? You have clients in the medical and financial fields; what could the hospital have done to prevent this?
JD: Assuming the records that were stolen contained patient information, then yes, they would be covered explicitly by HIPAA.
The costs to provide enterprise data protection for a situation like this are very reasonable. Enterprise data protection is a comprehensive strategy for defending data, wherever it goes. This strategy has four components:
- Protect data itself with standards-based encryption
- Detect and prevent data leakage
- Access controls permit or deny access to data
- Manage data throughout its lifecycle, from creation through archive for business continuity
The important part is to not just think about the one tape that was stolen, but rather, undergo an examination of the entire process that creates, transports, stores and destroys the tapes. If, for example, the data files that were on the tape were encrypted with a product like PGP NetShare, then no further explicit action would be needed to protect the tape. Certainly we have customers who use PGP Command Line to encrypt data headed for backup as well. There are a number of cost-effective ways to achieve appropriate protection.
TTH: Another data breach is related to CottonTraders.co.uk. 38,000 card details were lost after a server hack. What is it with data and security? One side of the coin has people shouting 'secure the systems and the data is fine', while the other side says 'secure them both'. As a data security vendor I know where you stand. Tell me, in your opinion, what will it take before universities, financial, and medical sectors start to learn their lessons and encrypt personal and sensitive data?
JD: For many companies and institutions, ease of deployment and management have been the historical barriers to adoption of encryption. Since the introduction of the PGP Encryption Platform, that has all changed.
Encrypting the data is crucial, of course, but from a corporate perspective, it is just as important to ensure that all corporate data assets are accessible throughout the data lifecycle without sacrificing security or employee workflow. For example, when an employee leaves the company or loses a password, there must be a way for the data to be accessed that does not create a security exposure of its own.
While we are already seeing the education, financial services, and health sectors begin to deploy enterprise data protection solutions, there is still much work to be done. There are many drivers to the adoption of encryption. Certainly the risk and cost of embarrassing brand damage, compliance and regulatory, and competitive factors all play a role. For example, as more and more states/countries have data breach notification laws like CA SB1386, we'll see more adoption. It's unfortunate that some companies are waiting, but, in many cases, it still takes a negative event for them to act.
TTH: Do you think we need more regulation to fix this issue?
JD: I personally don't believe more regulations will fix the issue, but certainly the right regulations can help. Best practices have been and will continue to play an important role here as well. It's important that companies know that the encryption of data is that best practice, and regulations should recognize this as well. We'll eventually see a U.S. Federal Data Breach Notification law, and it's highly likely that the European Union will as well. This can be done in such a way as to not force companies to worry about following different laws dealing with the same thing for every geographic region in which they do business.
TTH: What do you say to the company that says data security is a concern, but there is no budget for adding it?
JD: Is there budget to respond to the breach after it happens? Available reports say that those companies that are failing to protect data will have a breach. The Ponemon Institute does a great job in their annual study to quantify the cost of a data breach, and it's risen to about $200 per record lost. Providing proper protection of the data in the first place is far cheaper.
Data breaches affect corporate departments beyond the purview of the CIO and CSO. We're seeing Legal and Marketing affected as well. This means that the topic of enterprise data protection has been getting broad coverage around the executive meeting table. The importance of enterprise data protection must be a shared understanding within the corporation if it is to succeed.
TTH: I am not sure if you know the details of the recent Verizon Business survey. Here are some points for your comment:
In 59 percent of data breaches, the organization had security policies and procedures established for the system, but these measures were never implemented. With 66 percent of all breaches involving data that a company did not even know was on its system, Verizon said it's critical that an organization knows where data flows and where it resides. How often do you see this when you visit a potential client?
JD: Many companies have a security policy that they have created. However, without the appropriate systems in place to ensure that these policies are consistently and automatically enforced, they have nothing more than a security recommendation.
Data has a very organic life cycle. Predicting where it will end up is extraordinarily difficult, if not impossible. As a result, the only sensible conclusion is to protect the data itself rather than the infrastructure. By doing so, it matters far less where it travels.
TTH: Finally, I know you have something up your sleeve with data protection, so what is new, and how will it help?
JD: We're always working on new products and technologies. Most recently, we introduced PGP Endpoint, which offers a solution for data protection in an environment where removable storage and mobile devices are proliferating at an alarming rate. Along with this mobility comes increased exposure, so being able to enforce policy regarding the use of these devices and the data that is stored on them is crucial.
Additionally, we will shortly be shipping PGP Whole Disk Encryption for Mac OS X. We are seeing Macs proliferate in educational environments as well as throughout the enterprise – in mission-critical areas and with a great deal of IP on them. PGP Universal Server arms IS/IT departments with a single, integrated console for the management and deployment of full disk encryption on their mobile devices across both the Windows and Mac OS X platforms. PGP Whole Disk Encryption for the Mac protects built-in disk drives, USB flash drives, and external USB and FireWire hard drives. Of course, the PGP Encryption Platform provides management capabilities for all of their encryption applications, not just whole disk encryption, so the solution really grows with the customer and their particular environment and business needs.