Encryption will help to protect data against unauthorized access by outsiders from lost or stolen devices such as laptops, thumb drives, and other removable media. But it does not protect against the insider threat-employees and contractors with authorized access to data who mistakenly or maliciously leak your most valuable assets.
When Encryption Isn't Enough
Trend Micro, Incorporated
T TTrend Micro LeakProof Stops Data Leaks Where They Start
A Trend Micro White Paper I December 2008When Encryption Isn't Enough: T TTrend Micro LeakProof Stops Data Leaks Where They Start
Table of CONTENTs
I. protecting sensitive information: is encryption enough? . . . . . . . . . . . . . . .3
II. What true protection looks like . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
T TIII. Trend Micro leakproof data leak prevention solution . . . . . . . . . . . . . . . .7
IV. leakproof 3.x features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
V. summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Vi. additional resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
T T2 White Paper | Trend Micro LeakProof Stops Data Leaks Where They StartWhen Encryption Isn't Enough: T TTrend Micro LeakProof Stops Data Leaks Where They Start
i. Protecting Sensitive Information: Is Encryption Enough?
It seems as though every week there are several highly publicized and embarrassing disclosures and reports of breaches of private information such as customer records, employee records, and intellectual property.
In response to these threats from data leaks, many enterprises have successfully deployed or are in the process of deploying an encryption solution. For example, hard-drive encryption uses sophisticated mathematical functions to transform the data stored on a hard drive so that it can be read by an authorized user only with the corresponding key or password. The algorithm decrypts files while they are being read from the drive, so that it is transparent to authorized users.
But does encryption provide enough protection against the various data leak scenarios that are playing out again and again across the world?
Beyond the sizable loss of profits, data leaks also can lead to bad publicity, public distrust, damage to brand image, and weaker competitive positions. The following are three recent examples of typical data thefts:
Boeing Breach "Police reported [of a Boeing employee stealing data by] finding a thumb drive that was connected to his computer terminal via a USB cord that ran along the back of the terminal to the storage device that was 1 'hidden in a drawer' in his desk." Clearly, with the proliferation of removable storage devices and mobile systems, it is becoming more difficult to prevent the leak of sensitive data.
Fidelity NIS Theft "To avoid detection, [an administrator committing data theft] appears to have downloaded the data 2to a storage device rather than transmit it electronically." This theft, at Certegy Check Services, a subsidiary of Fidelity National Information Services, illustrates how employees are becoming increasingly sophisticated in their attempts to steal data. In this case, the administrator assumed that the company had email and network filtering solutions in place, and sought other means to get data out.
1. Information Week, 7/11/072. CSO Magazine, 7/03/07
T T3 White Paper | Trend Micro LeakProof Stops Data Leaks Where They StartWhen Encryption Isn't Enough: T TTrend Micro LeakProof Stops Data Leaks Where They Start
Pfizer Employee Information LeakIn July 2007, a Pfizer employee removed files exposing 34,000 people to potential identity fraud, according to the company, and was the third data breach to occur in three months. The breach disclosed the names and Social Security numbers of affected employees and also included home addresses, telephone numbers, fax numbers, email addresses, credit card numbers, bank account numbers, passport numbers, driver's license numbers, military identification numbers, birth dates, signatures, and reasons for 3employment termination.
As with many of the cases reported every week, the thefts above were perpetrated by "insiders" who had access to sensitive data. Encrypting the files, hard disk, or removable USB drive might have protected the data if it was lost or stolen, but would not have thwarted these insiders, since employees generally receive encryp... [download for more]
