Perhaps like no other industry before it, the IT industry has come to thrive on continuous innovation coupled with rapid and widespread product introduction. In the competitive, at times mad, rush to be first or early to market, key things are sometimes overlooked. When it comes to security, it is impossible to identify every vulnerability, much less foretell just how hackers will try to exploit them.
Preventing data loss has taken on even greater urgency in light of the proliferation of portable computing and storage devices, smartphones and USB flash drives prominent among them. Adding these new so-called endpoints to the stock of laptops, notebooks and lighter-weight handheld computing and communications devices in use means that more, possibly sensitive, data is traveling more widely and more frequently than ever before. Moreover, it is often carried across multiple, unsecured networks.
PGP and Lumension on Tuesday released PGP EndPoint, security software that integrates policy-based application control and data encryption. Based on PGP’s Whole Disk Encryption and Lumension Sanctuary, EndPoint enables organizations to establish policies to restrict unauthorized executables and control access and use of USB, CD/DVD, PS2 keyboards, smartphones, modems, MP3 players, Bluetooth, infrared remote (IR), and FireWire devices.
The Need to Encrypt
Thirty-six percent of data breaches in a UK sample were due to lost or stolen laptops or other portable devices, such as USB drives, according to a study of data breach costs by the Ponemon Institute in conjunction with PGP and Symantec. Encryption and data loss prevention solutions were the top two technological responses that followed in the wake of a breach, according to the report.
“The fact that more than a third of breaches result from data being shared with third parties in the normal course of business is a clear signal that organizations should examine how they are sharing their customers’ data with outsourcers, vendors and partners,” said Joseph Ansanelli, Symantec vice president of data loss prevention solutions.
Failing to encrypt stored data is one of the most egregious errors an organization can make, said Randy Abrams, ESET’s director of technical education.
“Consumer information should always be encrypted. If media is lost or stolen in transit it is not going to be used for identity theft or anything else if it is encrypted,” Abrams told TechNewsWorld. “Similarly, consumer information, student information, taxpayer information and the like must be encrypted anywhere it is stored. The only reason a stolen computer or hard drive can compromise personal information of thousands of people is because of gross incompetence.”
Data Loss, Modular and Portable Media
Designed to prevent data loss and leakage through unauthorized removable devices and unmanaged port access, PGP EndPoint is a centrally managed solution that securely encrypts “data-in-motion” and “data-at-rest” and prevents unauthorized applications, including malware, from running. Deployment also entails a management server for port control and device access policy management, explained John Dasher, PGP’s director of product management.
The product combines PGP’s disk encryption with the application and device control of Lumension’s Sanctuary, Dasher told TechNewsWorld.
Though EndPoint could be used by medium-sized businesses or any organization looking for a way to ensure static and dynamic data protection integrated with internal best practices, security policies or external compliance and regulatory requirements, “the sweet spot will be enterprise accounts,” Dasher added.
Evaluating Alternatives
Total cost of ownership, including deployment, support, scalability, flexibility to account for varying user configurations, upgrade paths and robustness, is the main criterion organizations need to take into account when considering alternative data loss prevention options, according to Dasher.
In line with these considerations, PGP EndPoint is designed to provide advanced data protection, granular policy enforcement, complete encryption and audit trails of all actions, he said. “This way, businesses don’t have to purchase all these niche solutions that can do one or the other without fully providing end-to-end protection of business critical information. This saves them time, resources, costs and the headache of doing damage control after a data breach.”
The primary attraction PGP offers organizations “is the additional control provided over USB devices,” according to Eric Maiwald, vice president and service director of security and risk management strategies at the Burton Group. “Encryption of data on the computer system helps with the theft or loss of the computer. However, sensitive information could be placed on USB memory sticks where it is not encrypted.”
Some enterprises have gone so far as to use glue to prevent plugging USB flash drives into computing devices, Maiwald noted. Another alternative “is encrypting USB sticks in conjunction with a product that disallows the use of memory sticks other than the allowed brand. There are also other products out there that can block the use of certain ports. Specific DLP (data loss prevention) and encryption products also have the ability to control the movement of data onto USB devices.”
At the end of the day, however, “I don’t think that the product features are the real key here,” Maiwald said. “I think that the enterprise must determine what policy it will enforce and educate its employees. Without that, I think any product of this type will fail.”