Encryption Strategy Matures Security Posture for National Insurer
In this case study
Data is one of the most important components of a company's success, uniqueness and day-to-day operations.
Attackers are constantly chasing enterprise data, meaning that encrypting data at rest can protect a company's most valuable asset.
Most people are familiar with encryption, however the processes and strategies to implement it can be challenging. It can be difficult for organizations with large amounts of data to create a strategy for encryption, and the changing regulatory and compliance landscape offers constant challenges in properly protecting data at rest.
A large insurer was facing these issues, while housing data consisting of healthcare information, consumer personal identifiable information (PII), banking and loan data.
The organization's original goal was to encrypt all structured and unstructured data to reduce risk, but they didn't know how to accomplish this or manage the cost associated with encryption. They needed to increase security compliance and regulations through strategic cross-team collaboration to reduce the amount of risk associated with data.
They turned to WWT for help creating a mature security posture that would last well into the future.
Organizing key and certificate management
WWT conducted a comprehensive consultation of the key management and encryption practices to observe the current state of their processes and provide recommendations based on the findings. This engagement was conducted using a variety of information-gathering and analysis techniques that included on-site interviews with senior management and key staff members.
WWT found that there were keys and certificates spread across the entire organization managed by separate processes, with multiple teams handling internal and external workflows. This causes a lot of overhead, no way of tracking or knowing how many keys they have nor the ability to provide any reports for reactive or proactive maintenance.
They first needed a centralized platform for key management. With multiple processes in place to request a key/certificate that spanned across multiple technologies, WWT recommended they consolidate to one request portal, leveraging their ServiceNow implementation. This provides them with trending data on top departments and the ability to be proactive on renewals, which in turn will allow them to use data to make informed decisions on proper headcount and consolidation in the future.
Aligning data classification objectives
The organization employs a mixed technology stack that consists of SQL, Oracle and DB2, covering over 1.5 petabytes. This amount of data is a challenge for both the business and IT.
WWT observed that privacy, governance and security departments within the company all had initiatives and goals around reviewing and protecting data at rest, but they were not collaborating. Based on this assessment, the organization needed a unified approach to assess classification, retention and access in order to determine a data encryption strategy.
WWT provided them with a methodology in which all departments could work together to classify data governance around retention and control access, while touching the data only once. Validating the classification level of data assists with providing a risk assessment, leading to encryption priorities. This lowered the impact for the data owners and sped up solution delivery time.
Using threat analysis to validate the recommended encryption strategy, WWT presented the organization with real-world examples on how attackers would try to compromise data within their infrastructure. Doing this added another mechanism of determining and weighing risk, while assisting with prioritizing efforts.
Steps towards a mature security posture
One thing the customer specifically asked for was a standard on encryption that could last them into the future, without having to always up the standard every couple of years. WWT was able to provide them with standards on encryption parameters that met this request, while also complying with frameworks like NIST and PCI for the next 20 years.
By reviewing their current key management and encryption plans around people, process and technology, WWT provided this organization with a tactful strategy they could move forward with by using internal resources and technology. When necessary, they can turn to specific areas of focus to obtain funding and leverage those dollars to mature their program.
WWT provided a roadmap with a timeline, areas to focus on and specific items to address in order to increase the organization's security posture with key management and data encryption.