By acquiring PGP and GuardianEdge, Symantec is completing its information-centric security vision by adding encryption to its portfolio of products that secure and manage confidential data wherever it’s stored or used.
Why is encryption such a hot topic inside today’s enterprises? Consider these recent developments:
- Frequency of a data loss. Last year, 498 breaches exposed the records of at least 16 million individuals. According to the Symantec 2010 State of Enterprise Security Report, 100% of enterprises experienced some type of cyber loss in 2009.
- Cost of a data loss. PGP Corporation and the Ponemon Institute estimate the average cost of a breach in the U.S. in 2009 was $6.8 million.
- Stricter regulations. The HITECH Act, the Massachusetts Data Security Law 201 CMR 17.00, and the UK Data Protection Act, to name just a few, open companies up to growing penalties and notification requirements.
- Increased worker mobility. Gartner Inc. estimates that 200 million laptops, 174 million smart phones, and 250 million flash drives were sold in 2009.
“Nowadays, data is the lifeblood of organizations, data is the oxygen of organizations,” says Eric Domage, Program Manager for Security Products and Solutions at IDC. “No data means no business, no information sharing. If you can’t send an email with data in it, you can’t work, you can’t create value anymore. You need to have encrypted data.”
Continue reading to learn why pervasive encryption is an essential element of an information-centric approach to security.
Consequences of a data breach
Data has always played an important role in business. But the accelerating pace of business today means that data is transferred faster than ever, stored on more devices, and shared more often. It also means that data is more susceptible to a breach than ever before. According to the recently released Symantec State of Enterprise Security Report 2010, 75% of enterprises surveyed experienced some form of breach last year.
Think about it. Laptops, USB flash drives, and mobile phones routinely carry confidential data out of the office. Emails transmit sensitive business information daily. Data stored on file servers is accessed and shared across offices and business units. And outsourcing is more common, which puts more confidential information in the hands of third parties, which are a major source of breaches, according to Ponemon.
Personally identifiable information (which refers to information that can be used to uniquely identify, contact, or locate a single person) and protected health information are the two highly regulated classes of sensitive data that organizations need to protect, along with financial data, intellectual property, trade secrets, and other sensitive corporate information. Once data is stored locally (also known as “data at rest”), there is often little protection beyond domain authentication and operating system access controls to ensure only authorized access to data. Data is also frequently copied automatically within a system and stored in multiple temporary and system files without the knowledge of users. These files can remain accessible indefinitely, are not removed until deleted by direct user intervention, and can be recovered if a drive is improperly erased.
According to the Ponemon Institute, the direct hard costs of data breaches continue to increase. However, the long-term effects of data breaches—lost business, a tarnished reputation, brand equity damage, and resulting legal expenses—go far beyond the immediate costs resulting from a breach. Just as the means of a security breach can range from a stolen laptop to a CD left in a taxi, the subsequent consequences are varied as well.
In general, the consequences of a security breach can be divided into five categories:
- Regulatory. An organization may be compelled by law or corporate governance to take actions, including remediation, paying fines, and discontinuing services.
- Legal. A variety of parties including government prosecutors or agencies, shareholders, and affected individuals may seek criminal or civil action.
- Remediation. An organization may be compelled to take corrective actions including fixing the breach vulnerability, notifying and supporting affected individuals or organizations, and mounting a public relations campaign.
- Lost business. Because of the breach or the resulting publicity, both affected and unaffected customers may end their relationships, and the organization may find it more difficult to acquire new customers.
- Reputation. Loss in reputation may subsequently lead to a reduction in pricing power, diminished marketing effectiveness, and other competitive disadvantages.
Protecting data at rest, in use, and in motion
Protecting laptops and PCs is just the beginning. Only by protecting the data itself—no matter where it’s stored or used or how it’s transferred—can organizations secure all their information and their business.
Only encryption protects the data itself. Encryption turns a sensitive information
file into a cryptographically secure file that can be read only by designated parties.
That means the data can be stored safely, transmitted safely, and carried out of
the office on any type of device.
According to the 2009 Annual Study: U.S. Enterprise Encryption Trends, encryption is increasingly recognized by leading IT organizations as the business standard for enterprise data protection.
“As organizations continue to increase the level of strategic planning for encryption via effective enterprise data protection programs, there will be an impact in the reduction of data breaches,” the study observed. “These organizations will not only be able to better defend their data by the strategic platform approach, but will reduce the risk of data breaches and also improve their operational cost efficiencies.”
An encryption platform reduces the complexity of protecting business data by enabling organizations to deploy and manage multiple encryption applications from a single console. A platform-based solution also allows organizations to quickly deploy encryption for new applications as needed.
A platform approach enables an organization to centrally manage and deploy multiple encryption applications — such as email, laptop, or backup tape encryption — with consistent and centralized policy enforcement, including key management.
That stands in contrast to the silo approach of acquiring, deploying, and managing
multiple and disparate encryption applications. With each new application, an organization must perform installation, setup, configuration, management, training, and ongoing maintenance separately.
According to the Enterprise Encryption Trends study, an overwhelming 87% of respondents who use the platform approach say that it increases the effectiveness and efficiency of their IT security program.
PGP and GuardianEdge
With its recent acquisition of PGP and GuardianEdge Technologies Inc., Symantec gains strong capabilities in email, file, and server encryption; full-disk and file/folder encryption; and enterprise key management. These capabilities are expected to enhance Symantec’s ability to make data protection more intelligent, policy-driven, and easier to manage, according to industry analysts.
“We are already seeing an evolution toward ubiquitous encryption of sensitive data in applications, servers, databases, storage, and networks,” said Jon Oltsik, principal analyst at Enterprise Strategy Group. “This will certainly protect data confidentiality, but encryption and key management could quickly overwhelm IT organizations with new tasks and tools. With the combination of GuardianEdge and PGP, Symantec can address these issues as a one-stop-shop for enterprise encryption and key management.”
Symantec officials have said they intend to bring together key features and functionality from each company’s offerings and standardize on the PGP key management platform to deliver centralized policy and key management capabilities across the entire suite of encryption solutions.
Encryption technology has become an essential element of an information-centric security solution, as critical information is increasingly on mobile devices and in the cloud. The increased costs and frequency of data breaches are also driving the adoption of encryption. At the same time, state and national governments are enacting more stringent compliance mandates.
In the past, organizations have experimented with many different encryption solutions, resulting in a silo approach of acquiring, deploying, and managing multiple and disparate encryption solutions. In contrast, research shows that organizations that implement a centralized, enterprise-wide encryption strategy significantly reduce the risk of a data breach. 1
By acquiring PGP and GuardianEdge, Symantec is strengthening its information-centric security vision by adding encryption to its portfolio of products that secure and manage confidential data wherever it is stored or used. In particular, PGP and GuardianEdge solutions complement Symantec’s endpoint security and data loss prevention solutions as well as benefit the company’s mobile and cloud initiatives.
To learn more about Symantec’s acquisition of PGP and GuardianEdge, click here.
1 2009 Annual Study: U.S. Enterprise Encryption Trends, Ponemon Institute, July 2009