Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Copyright 2007 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedbac on this documentation! you agree to the license agreement below.
"f you are using this documentation solely for non#commercial purposes internally within $%&' company or organi(ation! then this documentation is licensed to you under the Creative Commons Attribution# )onCommercial *icense. +o view a copy of this license! visit http,--creativecommons.org-licenses-by#nc-2..- or send a letter to Creative Commons! ./0 1oward 2treet! .th 3loor! 2an 3rancisco! California! 4/50.! &2A.
+his documentation is provided to you for informational purposes only! and is provided to you entirely 6A2 "26. $our use of the documentation cannot be understood as substituting for customi(ed service and information that might be developed by Microsoft Corporation for a particular user based upon that user7s particular environment. +o the e8tent permitted by law! M"C'%2%3+ MA9:2 )% ;A''A)+$ %3 A)$ 9")<! <"2C*A"M2 A** :=>':22! "M>*":< A)< 2+A+&+%'$ ;A''A)+":2! A)< A22&M:2 )% *"AB"*"+$ +% $%& 3%' A)$ <AMA?:2 %3 A)$ +$>: ") C%)):C+"%) ;"+1 +1:2: MA+:'"A*2 %' A)$ ")+:**:C+&A* >'%>:'+$ ") +1:M.
Microsoft may have patents! patent applications! trademar s! or other intellectual property rights covering sub@ect matter within this documentation. :8cept as provided in a separate agreement from Microsoft! your use of this document does not give you any license to these patents! trademar s or other intellectual property.
"nformation in this document! including &'* and other "nternet ;eb site references! is sub@ect to change without notice. &nless otherwise noted! the e8ample companies! organi(ations! products! domain names! e# mail addresses! logos! people! places and events depicted herein are fictitious.
Microsoft! Active <irectory! Bit*oc er! ;indows! and ;indows Aista are either registered trademar s or trademar s of Microsoft Corporation in the &nited 2tates and-or other countries.
+he names of actual companies and products mentioned herein may be the trademar s of their respective owners.
$ou have no obligation to give Microsoft any suggestions! comments or other feedbac B63eedbac 6C relating to the documentation. 1owever! if you do provide any 3eedbac to Microsoft then you provide to Microsoft! without charge! the right to use! share and commerciali(e your 3eedbac in any way and for any purpose. $ou also give to third parties! without charge! any patent rights needed for their products! technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the 3eedbac . $ou will not give 3eedbac that is sub@ect to a license that reDuires Microsoft to license its software or documentation to third parties because we include your 3eedbac in them..
Contents
Executive Overview - A Strategic Approach to Securing Mobile Data....1 Business 'is s.................................................................................5 'egulatory 'is s...............................................................................0 1elping to Mitigate 'is with the <ata :ncryption +ool it......................../ )e8t 2teps......................................................................................E
Business Risks
(usiness and technical mana!ers must understand their scenarios, the re!ulatory climate, and miti!ations for data e#posure ris&s. 9he Microsoft 4ata Ancryption 9ool&it for Mobile P3s focuses mainly on the issues of protectin! data that resides on mobile computers. ;o"e)er, the same concepts, concerns, and solutions also apply to des&top computers, "hich face similar ris&s because of the potential for theft and unrestricted access scenarios.
3onsider the follo"in! account of a fictitious company.s data disclosure e)ent, "hich illustrates the problem and possible ramifications. 13ontoso, a midsi/e technolo!y company located in 3anada, produced a "id!et that customers ordered throu!h its +eb site. Personally identifiable information in the 3ontoso database included customer names, credit card numbers, addresses, and telephone numbers. 3ustomers "ere from 3anada, the United 2tates, the United Ein!dom, and France. ,t 3ontoso, a hard'"or&in! 0unior analyst named Ficolas fre:uently too& his "or& home "ith him. (efore he left "or& one day, Ficolas copied a spreadsheet of customer information to his laptop so he could run reports a!ainst it. 9hat same ni!ht, his laptop "as stolen from his car "hile he "as shoppin!. Ficolas immediately reported his loss to his mana!er and the police. Ficolas and his mana!er discussed the incident "ith the company.s le!al department as "ell as "ith outside counsel. Ficolas and his mana!er learned throu!h these discussions that all of their customers "ould need to be notified of the possible disclosure of their personal information. 9hey immediately produced an e#planatory letter to send to customers and set up a hotline to ans"er customer :uestions. -n addition, they offered one year of credit monitorin! for e)ery customer in the database to help pre)ent identity theft. Unfortunately, these efforts did not end their problems. A)en thou!h there "as no indication that the lost data had been used for illicit purposes, se)eral class action la"suits "ere filed on behalf of customers in the United 2tates, France, and the United Ein!dom that accused 3ontoso of !ross )iolations of consumer pri)acy ri!hts. 9he story "as soon pic&ed up by ma0or media outlets, and culminated in a pa!e 2 story in 9he +all 2treet Journal. +ithin "ee&s of the loss of the laptop, the company.s stoc& had lost 7G of its )alue because of the li&ely effect on the sale of their "id!et product. -n addition, the hard costs of the incident totaled some HI00,000.1 , reasonable summary of the costs associated "ith the precedin! story is sho"n in the follo"in! table. Cost ite$ Personnel costs related to the loss, includin! data reco)ery and customer notification costs. ,dditional costs, such as public and in)estor relations and additional call center calls. ,ffected customer costs Bcredit trac&in! for affected customersC. De!al dama!es, includin! fines, le!al fees, and costs related to one ci)il la"suit. Dost customer re)enue B2J0 lost customers at H700 eachC 9otal A$ount H6J,000 H8KJ,000 H70,000 H8IJ,000 H87J,000 HI00,000
Unfortunately, laptops are easy theft tar!ets. Fe"s stories appear "ith increasin! re!ularity about companies that ha)e accidentally lost or had stolen laptops "ith sensiti)e personal or customer information. ,lthou!h the precedin! story is fictitious, an increasin! number of real or!ani/ations are learnin! that the costs of such a disclosure are enormous<sometimes orders of ma!nitude !reater than those referenced in the storyL Many calculators are a)ailable that can help you compute the true cost of a pri)acy breach, includin! the Pri)acy (reach -mpact 3alculator a)ailable on the +eb site of -nformation 2hield, a !lobal pro)ider of information security leadin! practices.
Da$age Control
$r!ani/ations that e#perience a data'disclosure incident face immediate direct operational costs. A#amples include internal in)esti!ations, consumer hotlines, trainin! and support documentation for call center personnel, direct mail notices to customers, credit card monitorin! ser)ices, and ad)ertisin! and mar&etin! to address customer concerns. -n addition, a strate!ic -9 initiati)e "ill li&ely be established to pre)ent such an incident from e)er happenin! a!ain. ,ll of these acti)ities re:uire countless hours of mana!ement o)ersi!ht and distract or!ani/ations from their true business.
Regulatory Risks
-n addition to business ris&s, many !o)ernment a!encies around the "orld are respondin! to their citi/ens% pri)acy concerns by establishin! si!nificant ci)il and e)en criminal penalties for failin! to protect pri)ate data.
data reco)ery. 9he 9ool&it "ill also include the AF2 ,ssistant, "hich "ill be released in the first half of 2007 to help automate the deployment and confi!uration of AF2 on protected computers. 9ool&it features include the follo"in!: 'ow ac*uisition costs. AF2 and (itDoc&er are already included in certain )ersions of the Microsoft +indo"s operatin! system. Fo additional e#penditures are needed to ac:uire them. 'ow operations costs. AF2 and (itDoc&er are robust but simple and re:uire little or no operational maintenance. Ease of &eploy$ent. 9he 9ool&it deploys easily in en)ironments that use soft"are distribution technolo!ies such as the ,cti)e 4irectory? directory ser)ice and Microsoft 2ystems Mana!ement 2er)er. )obust security. AF2 and (itDoc&er are based on industry standards and certified encryption al!orithms. Mini$al user i$pact. +hen effecti)ely confi!ured, the 9ool&it is almost completely transparent to users. Minimal technical trainin! "ill be re:uired Balthou!h !ood data handlin! and stora!e trainin! "ill al"ays be necessaryC. Central $anage$ent an& exten&e& control. -mplementation of the 9ool&it can help -9 or!ani/ations e#tend control to all mobile P3s from a central mana!ement infrastructure, "hich can help ensure uniform compliance. +nifor$ solution. 9he 9ool&it is applicable to des&top computers and mobile computers.
!ext Steps
+e recommend that you consider your options for protectin! confidential data on mobile P3s by readin! the Microsoft 4ata Ancryption 9ool&it for Mobile P3s Security Analysis. 9his document "ill help you understand the special ris&s presented by laptops, as "ell as ho" (itDoc&er and AF2 can help address these ris&s. ou can also use the Planning and Implementation Guide to help !uide you throu!h the process of deployin! (itDoc&er and AF2. Finally, if you "ant to use AF2 to protect data on your mobile P3s, you should in)esti!ate the AF2 ,ssistant as a "ay to centrally control AF2 in your en)ironment.