An insurance provider in Massachusetts had basic security measures in place, but these were not enough to be fully compliant with a strict, new state regulation, reports Greg Masters.
When Massachusetts passed what arguably is one of the most stringent data protection laws in the nation last March, Ray Pata, the manager of systems and programming at A.I.M. Mutual Insurance Cos., found himself particularly challenged with the encryption of laptops, required by the new law.
The legislation, 201 CMR 17.00, requires that all companies, no matter where they are based, must safeguard the paper or electronic records in their possession of any Massachusetts resident. Businesses that possess personally identifiable information (PII) of Bay State residents will now be required to encrypt all devices and transmissions.This legislation differentiates itself from other state disclosure bills because it forces businesses to become proactive in securing technology, insisting that organizations take measures to protect information, as opposed to other guidelines that only require companies alert customers should their data be compromised. In addition, it requires that businesses restrict access to company data to only those employees requiring access, have an employee dedicated to security efforts, regularly monitor enterprise security programs, and develop, implement and maintain a “comprehensive information security program.
While A.I.M. Mutual Insurance Cos. already had several basic security measures in place, such as anti-virus, firewalls, etc., these were not enough for the provider of worker's compensation in Massachusetts to be fully compliant with the new state regulation. The company is headquartered in Burlington, Mass., and also has satellite offices throughout the state, and in neighboring New Hampshire.To upgrade the company's defenses in order to bring it up to compliance with the new state requirement, Pata and his team – comprised of three developers and a network specialist – began a review of the standard offerings available. After an assessment and trial period, they chose a solution from BitArmor, recently acquired by Trustwave.
“As a small organization, deploying encryption can be hard, and this could have been a challenge for us. However, BitArmor Managed Encryption made it easy for us to be compliant.”
AIM uses BitArmor Managed Encryption across the internet to manage its encryption environment, after software has been deployed on vulnerable laptops in the company, says Patrick McGregor (left), CEO of BitArmor. The tool provides a single integrated solution for full-disk encryption, USB encryption and email attachment encryption.“This enables the customer to protect the most vulnerable points in their environment and helps them to be compliant with state data privacy laws and federal regulations, such as HIPAA,” McGregor says.
Most vendors, he points out, can't service small- and mid-sized organizations since they require dedicated management servers to be installed , which are managed inside the company. Or, if they provide a service from the cloud, they do not have multitenant server capabilities that completely and cryptographically separate one customer from another.
“Multitenancy is critical for solid data security and it provides economies of scale,” says McGregor. The lack of such a multitenant architecture will increase costs and therefore will not be affordable for smaller organizations.”McGregor also points out that it is often the case that key management and configuration are too complex for small organizations to address because they don't have dedicated security personnel.
“BitArmor Managed Encryption significantly reduces operational complexity – key management is automated, and because BitArmor hosts management servers in the cloud, the overhead of on-site hardware and maintenance is eliminated,” he says.And, data remains inside the organization, he adds. “All the encryption processing is done on customer devices and not in the cloud. This means that sensitive customer data never travels outside and customers have full control over their data at all times. BitArmor itself does not have any access to customer data.”
Further, BitArmor Managed Encryption is very easy to manage, says McGregor. “Administrators do not need to be cryptographic experts – that is, there no need to manage, rotate, or revoke cryptographic keys.”Optionally, BitArmor can synchronize with the organization's Active Directory environment. This allows administrators to work with a familiar environment of users, groups and machines. Configurations are set centrally and trickle down to the end points. There is no need to touch individual endpoints to make changes.
Deployment of the BitArmor tool went very smoothly at A.I.M., says Pata. The vendor provided immediate resolution to any questions Pata and his team had. “Once we went through the first implementation of BitArmor's encryption on the first laptop, the remaining installations went quickly.”
This was particularly important, he adds, because AIM has an obligation to provide the best means of protecting any personal information used in providing insurance services to its insureds.
“We especially liked the fact that we didn't have to maintain any additional hardware,” he says. “BitArmor support was great to work with. Pricing was extremely competitive and it was quick to deploy,” he says.Right now, AIM is deploying the BitArmor tool to all of its laptops, says Pata. “We have road warriors that live and die by their laptops and because of the mobility, we want to ensure that these devices are fully protected.”
He is pleased with the implementation because the encryption process is basically invisible to the users. “They have reported back to us that they experience no performance degradation as a result of installing the encryption product,” he says.
And, when asked if he is finding it easy to manage and operate, he responds without hesitation, “Absolutely. Installation is quick, and with just a few clicks of the mouse, we can check the status of any and all the laptops.”The implementation is meeting his expectations. “We were looking for something that would be easy to install and maintain and not be a budget-buster,” he says. “At the same time, we were looking to implement a level of security that would go beyond any regulatory requirements imposed on us.”
Further, BitArmor's encryption product isn't just designed for laptops, he says, and the fact that the tool's encryption process can be applied to email attachments and USB devices has led him to look into expanding the installation to specific desktop PCs as well.
“The personnel at BitArmor have been great to work with,” Pata says. “We haven't had much need to go to them with any issues, but whenever we've had a question, they've been very responsive.
Tech tools: Secure sharing
Patrick McGregor, CEO of BitArmor, says BitArmor Managed Encryption provides:
Laptop encryption: The complete drive is encrypted and the organization can be assured that a lost or stolen laptop will not be compromised.
USB encryption: All data moving to a USB device will be automatically encrypted, thereby ensuring that users can transport document securely while ensuring its security.
Email attachment encryption: This enables organizations to have two-way secure sharing of encrypted data with partners – this ensures that data is always protected when it travels across public networks.