Choosing the Right Solution for Strategic Deployment of Encryption

Transcription

1 Choosing the Right Solution for Strategic Deployment of Encryption

2

3 White Paper: Enterprise Encryption Protection Buyer s Guide Choosing the Right Solution for Strategic Deployment of Encryption Contents Executive Summary I. Assessing Encryption Products Define business strategy for encryption Use Operational Best Practices for Encryption Provide automatic encryption of and attachments without requiring user action Use automation for deployment and management Centrally manage encryption policy Ensure interoperability by using an open system Automate logging and reporting for policy compliance Deploy solutions that scale with ease II. Checklist for Encryption Technical Specifications III. Guidelines for Choosing a Vendor Appendix I: Using Encryption for Regulatory Compliance Appendix II: Symantec Encryption Solutions

4 Executive Summary is an essential business tool that helps organizations to efficiently communicate both internally with colleagues and externally with customers, clients, and partners. Yet with this vital tool comes the specter of sensitive data exposure caused by sending unprotected . The risk goes wherever unprotected is transmitted or is stored including the Internet, cloud-based services, servers, desktop PCs, laptops, and mobile smartphones. The exposure of customer data, intellectual property, or legally protected data such as financial or personal health information can trigger penalties, lawsuits, damage to an organization s brand, and loss of business. Every organization should address these risks by protecting sensitive , and the most effective way to do that is with encryption. This buyer s guide presents selection criteria to help technical buyers of information technology choose the right solution for strategic deployment of encryption. The guide presumes that you already understand the basics of encryption and how this security control can eliminate unauthorized access to sensitive and attachments wherever they may go. It begins with six ideas for defining your organization s business strategy for encryption and presents six operational best practices for using this technology. These elements are mandatory to ensure that your choice is cost effective, that it complies with relevant laws and regulations, and can scale with future requirements of your business. A checklist frames 11 important technical requirements in choosing a strategic solution. It also presents seven guidelines for choosing a vendor for your encryption solution. Appendix I summarizes eight common regulatory categories or laws related to encryption. Appendix II briefly describes features and benefits of five PGP from Symantec encryption solutions. The guide minimizes technical jargon, which makes it appropriate as backup documentation for non- IT managers who may need to approve the purchase requisition. I. Assessing Encryption Products Choosing the right solution for strategic deployment of encryption entails understanding points of risk, business requirements, and types of solution options. In conjunction with these, understanding operational best practices associated with encryption helps an organization to assess the degree of effort associated with deployment and management of a particular solution. Define business strategy for encryption Business strategy should drive the reasons for adopting a particular encryption solution. Strategic deployment of encryption will enable scalability while controlling costs of deployment and ongoing operational management. Considerations include: Points of Risk. Data transmitted through can be vulnerable at many points. Sensitive data in or an attachment can be read from an endpoint including desktop, laptop, notebook, mobile smartphone, or other mobile computing device. It can also be downloaded from an server, or other storage or backup device. It may be purposely or accidentally sent to a malicious or inappropriate user. It also can be sniffed from a network transmission or cloud-based application. Points of risk existing within your organization include trusted employees and administrators of and network systems. They may include other points in the supply chain such as business partners, suppliers, service providers, customers, and any other place where 1

5 can go. Your encryption solution must address all points of risk to control unauthorized exposure of sensitive data. Interoperability. An open, standards-based encryption solution will work with virtually any client, endpoint operating system, and server. A proprietary solution provides restricted options. Choose an encryption solution that meets current requirements, but provides flexibility should other needs arise. Business processes. Some solutions require users to manually execute multiple steps to initiate encryption and decryption of . At the other end of the spectrum, a solution can fully automate all encryption and decryption without any user intervention. Some organizations require encryption for a specific department handling sensitive information, such as legal, finance, and human resources. Other organizations prefer to encrypt all . Determine what your organization needs to provide acceptable protection of sensitive data in . Enterprise integration. Your organization might require other types of encryption, such as for individual files, all storage for a laptop or portable device, tape backup systems, or a database server. Implementing a point encryption solution may bring complexity to key management if it does not integrate with other encryption solutions. All of these must also work with existing antivirus, antispam, content filtering, data loss prevention, and archiving applications. Lack of integration will substantially drive up costs of deployment and ongoing management of enterprise encryption solutions. Compliance. Determine specific regulatory compliance requirements that affect your organization, such as encryption laws in U.S. States such as Massachusetts and Nevada, encryption mandated for cardholder data by the PCI Data Security Standard, the European Union s directive to protect personal information transmitted over networks, directives to protect personal privacy in Australia and Japan, and other global requirements for using encryption and digital signatures to protect personal information and financial reporting systems. 2

6 Architecture. Specity the encryption architecture to satisfy your organizations's businesss requirements. There are five architecutural options, detailed by Osterman Research, Inc. These include: Endpoint-to-endpoint. Encrypts from sender to recipient; cannot decrypt protected during transmission of the message. Gateway-to-gateway. Uses an encryption gateway. This eliminates a need for client software, which simplifies administration. It encrypts between gateways, but not within the sender s or recipient s organizations. Gateway-to-web. Only secures between the gateway and a web portal. Useful for external destinations not on your organization s encryption system. Gateway-to-endpoint. For encryption inside the firewall, but still leaves originating messages in plain text before reaching the gateway. Secure managed file transfer. Useful for transmitting secure content without requiring a full-blown encryption solution, which minimizes storage and bandwidth requirements. Use Operational Best t Practices for Encryption Provide automatic encryption of and attachments without requiring user action Use automation for deployment and management 3

7 Centrally manage encryption policy Ensure interoperability by using an open system Automate logging ging and reporting for policy compliance Deploy solutions that scale with ease 4

8 II. Checklist for Encryption Technical Specifications III. Guidelines for Choosing a Vendor Many organizations select a vendor and purchase a solution, yet later find that the solution did not quite fulfill requirements as planned. Deployments are often stalled by product limitations and exceptions that are not explicitly clarified prior to purchase. To ensure a successful solution selection and deployment, your organization should strive for clear and detailed proposals framed by precise needs and requirements. Following are vendor selection guidelines to help ensure successful solution acquisition and deployment. Choose a leader. Look for an encryption solution provider with an established track record and experienced management team. You will be betting the security of your organization s data on the provider of the encryption solution, so make sure the provider s reputation, business practices, and product line provide a solid foundation for your decision. Look at the vendor s market share and financial stability. Look for industry awards and expert accolades to support the company s story. Vet the solution. Ensure the product has passed public scrutiny and does what the vendor says it will do. Study independent testing reports of product performance. Observe the product running in the vendor s demonstration lab. If possible, run your own test bed to verify features and performance before committing to purchase and deployment. 5

9 Query references. Have the vendor provide as many user references as possible and talk to your peers about their purchases. Make sure references are for companies with successful large-scale deployments equal to or larger than the one you are planning. Formally survey their experiences and rank responses with an objective measurement system. Verify their satisfaction with the purchase decision. Seek depth of product line. Your organization s immediate goal may be encryption alone, but most organizations eventually will require a comprehensive encryption strategy and solution set. For example, operational and regulatory requirements may also require encryption capability for individual files or endpoints. Look for an encryption vendor that can fulfill a broad range of messaging security solution requirements. Get familiar with the vendor s product roadmap to understand where your solution options will be in one, three and five years. Explore licensing options. Business requirements change constantly, so look for an encryption provider that offers multiple options for licensing. Options may include a perpetual license with annual technical support, a subscription license, and hosted or managed offerings. Specify your requirements. Use the suggestions described in this Buyer s Guide to specify exactly what your organization needs in an encryption solution. Put all specifications into a written plan covering business strategy, compliance requirements for security, operational best practices, and technical requirements. Set timelines for each phase of your organization s deployment with performance and service level benchmarks. Be clear and specific for each requirement. Create a Request for Proposal. The Request for Proposal (RFP) will allow your organization to present its requirements with precision and objectively compare offerings from each vendor. A typical RFP will include these sections: RFP planning and schedule Administrative requirements Documentation of existing enterprise architecture Technical requirements of an encryption solution Support and professional services requirements Project management requirements Qualifications and references Project plan Pricing, including detailed component and per-seat metrics Appendices of diagrams Appendix I: Using Encryption for Regulatory Compliance Compliance is a major driver for deployment of encryption. Some laws and industry regulations explicitly require encryption of protected information transmitted over networks. Others are less explicit and rely on the guidance of auditors, who usually prescribe implementation of a standard security framework like the Control Objectives for Information and related Technology (COBIT) produced by the Information Systems Audit and Control Association. The table below includes typical laws and regulations where deployment of encryption can help with compliance. Consult your organization s legal counsel and audit committee for requirements. 6

10 7 Protection Buyer s Guide

11 Appendix II: Symantec Encryption Solutions Symantec provides targeted, flexible encryption solutions that enable your organization to meet current and future data protection needs. The table below summarizes highlights from the portfolio of PGP encryption solutions. Consult the PGP website at for descriptions of other PGP encryption solutions, or ask your PGP sales representative for guidance on specific requirements. 8

12 9 Protection Buyer s Guide

13

14 About Symantec Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at For specific country offices and contact numbers, please visit our website. Symantec World Headquarters 350 Ellis St. Mountain View, CA USA +1 (650) (800) Symantec helps organizations secure and manage their information-driven world with security management, endpoint security, messaging security, and application security solutions. Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 11/