Tagged: Data protection Act

  • Origin Storage, 15:55 on 07/08/2012
    Tags: breach, Data protection Act

    Sensitive details of NHS staff published by Trust in Devon 

    News release: 6 August 2012

    A health trust in Torquay has been served with a £175,000 penalty after the sensitive details of over 1,000 employees were accidentally published on the Trust’s website, the Information Commissioner’s Office (ICO) announced today.

    Staff at Torbay Care Trust published the information in a spreadsheet on their website in April 2011 and only spotted the mistake when it was reported by a member of the public 19 weeks later. The data covered the equality and diversity responses of 1,373 staff and included individuals’ names, dates of birth and National Insurance numbers, along with sensitive information about the person’s religion and sexuality.

    The ICO’s investigation found that the Trust had no guidance for staff on what information shouldn’t be published online and had inadequate checks in place to identify potential problems.

    Stephen Eckersley, Head of Enforcement, said:

    “We regularly speak with organisations across the health service to remind them of the need to look after people’s data. The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable. Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud.

    “While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information. We are pleased that the Trust are now taking action to keep their employees’ details secure.”

    The Trust has now introduced a new web management policy to make sure personal data is not mistakenly published on their website in the future.
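The ICO’s finding was that the Trust had no check that could catch a spreadsheet like this before it went live. As an added example (not ICO or Origin Storage code), the Python below is the kind of pre-publication gate a web team could run over any file destined for the public site: it flags National Insurance numbers (using HMRC’s published prefix, digit and suffix rules), dates of birth, and column headings that name special-category data, and it shows the small-count-suppressed aggregate that the ICO says may be published instead. The staff rows are constructed; the column names and the suppression threshold are assumptions.

```python
# Added example (not ICO or Origin Storage code): a pre-publication scan of the
# kind the ICO says the Trust lacked. Sample rows below are constructed.
import csv
import io
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample with the shape of an equality-and-diversity export.
SAMPLE_CSV = """name,date_of_birth,ni_number,religion,sexual_orientation
Alice Example,1979-03-14,AB123456C,Christian,Heterosexual
Bob Example,1985-11-02,CE654321A,No religion,Gay
Carol Example,30/07/1990,JG345678B,Muslim,Heterosexual
Dan Example,1972-01-09,PR 98 76 54 D,Christian,Bisexual
Eve Example,1988-05-21,AA112233B,No religion,Heterosexual
"""

# HMRC format: two prefix letters (first not D/F/I/Q/U/V, second additionally
# not O), six digits, suffix A-D; a handful of prefixes are never allocated.
NINO_RE = re.compile(r"([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])(\d{6})([A-D])")
UNALLOCATED_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}
DOB_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{2}/\d{2}/\d{4}\b")  # ISO or dd/mm/yyyy
# Column-name fragments matching the DPA 1998 "sensitive personal data" categories.
SENSITIVE_HEADERS = ("religio", "sexual", "ethnic", "racial", "health",
                     "disab", "union", "politic", "offence", "criminal")

def is_valid_nino(value: str) -> bool:
    """True if value is a well-formed National Insurance number with an allocated prefix."""
    m = NINO_RE.fullmatch(re.sub(r"\s+", "", value).upper())
    return m is not None and m.group(1) not in UNALLOCATED_PREFIXES

def scan_for_publication(csv_text: str) -> List[Tuple[int, str, str]]:
    """Return (row, column, reason) findings; row 0 is the header line.
    Only an empty list should let the file onto the public website."""
    findings: List[Tuple[int, str, str]] = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for col in reader.fieldnames or []:
        if any(frag in col.lower() for frag in SENSITIVE_HEADERS):
            findings.append((0, col, "special-category column"))
    for n, row in enumerate(reader, start=1):
        for col, cell in row.items():
            cell = cell or ""
            if is_valid_nino(cell):
                findings.append((n, col, "National Insurance number"))
            elif DOB_RE.search(cell):
                findings.append((n, col, "date of birth"))
    return findings

def aggregate(csv_text: str, column: str, min_count: int = 5) -> Dict[str, object]:
    """Counts per value with small cells suppressed so nobody can be singled out:
    the aggregated form the ICO says may be published."""
    counts = Counter(row[column] for row in csv.DictReader(io.StringIO(csv_text)))
    return {v: (c if c >= min_count else f"<{min_count}") for v, c in counts.items()}

if __name__ == "__main__":
    for finding in scan_for_publication(SAMPLE_CSV):
        print("BLOCK publication:", finding)
    print("Publishable instead:", aggregate(SAMPLE_CSV, "religion", min_count=2))
```

The scan deliberately flags the header row as well as the cells: a column called “religion” or “sexual_orientation” is a problem even before any values are read, which is exactly the spreadsheet layout the ICO describes. The aggregate is what the release means by “an aggregated form”; the threshold of 5 is a common starting point and should be set by policy.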

     

     
  • Origin Storage, 12:08 on 24/05/2011
    Tags: Data protection Act

    Data Protection 

    Self-encrypting drive solutions based on TCG specifications enable integrated encryption and access control within the protected hardware of the drive. Self-encrypting drives provide the industry’s premier solution for full disk encryption, protecting data when the machines or drives are lost or stolen. TCG’s open standards provide multivendor interoperability.

    Self Encrypting Drive Benefits:
    Better Performance
    • Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation
    • Scalable solution – every drive contains encryption engine

    Stronger Security
    • Encryption always on – major compliance requirement
    • Keys for encryption are generated in the drive and never leave the drive
    • User authentication is performed by the drive before it will unlock, independent of the operating system

    Easier to Use
    • Encryption is transparent to both users and software.

    Lower Cost of Ownership
    • No need for complex infrastructure to manage encryption keys
    • Main processor cycles not used for encryption
    • No modifications to OS, applications or tools
    • Crypto-erase provides instant repurposing / decommissioning

    Self-Encrypting Drives in the Marketplace
    • Latest information on product availability and software support: see the TCG updates of September 2010 and August 2010.

    For more information on our encryption product range, see the Origin Storage website (http://www.originstorage.com).

     
  • Origin Storage, 09:14 on 10/05/2011
    Tags: Data protection Act, Survey

    41 Percent of IT Professionals Carrying Sensitive Information on Mobile Devices – Unprotected 

    Basingstoke (UK), 10 May 2011: A study by Origin Storage, the secure storage specialist, has revealed that 41 percent of what should be a security-savvy audience are carrying sensitive information on mobile devices unprotected. In fact, 19 percent revealed that their organisation had suffered a data breach following the loss of a portable device (laptop, USB stick, CD), with 54 percent confessing the device had not been encrypted: a breach of the Data Protection Act’s security obligations and subject to regulatory action by the ICO, were it made aware!

    With 70 percent of organisations making data encryption mandatory, 11 percent of those respondents carrying sensitive information unprotected are actually breaching their organisation’s data protection policy, while the other 30 percent are simply following their organisation’s woefully inadequate example. Digging a little deeper, the study, conducted amongst IT security professionals at this year’s Infosecurity Europe show, uncovered a staggering 37 percent of respondents who confessed that between 81 and 100 percent of all sensitive data stored on their device(s) was left unprotected, so not just one or two documents transferred in a hurry.

    Andy Cordial, Origin’s managing director, explains, “When you consider the level of knowledge this audience is assumed to have, working in IT and having some form of security remit, yet the lax protection used for sensitive data, it’s hardly surprising data breaches are increasing in frequency and especially recently in size. I’m astounded that 30 percent of organisations are still oblivious to the Data Protection Act and the recommendation from the Information Commissioner that encryption be used to protect sensitive information.”

    The problem of sensitive data isn’t restricted to any particular device: 67 percent use laptops, 52 percent USB sticks, 33 percent still rely on CDs and 52 percent use another form of portable storage device.

    A final startling revelation is that just 36 percent of visitors felt that FIPS certification is ‘a must’ for encryption technology.

    Andy concludes, “The ICO recommends any solution should meet FIPS 140-2 yet 31 percent of our sample flippantly state that it ‘doesn’t matter’. Certification is the only ‘proof’ that the product actually does what the company ‘claim’ it does. It’s not just me saying this because our products have the certification as there have been incidents where products have fundamental design problems, or even companies that have made false claims. My advice – don’t leave security to chance. Lock it down with something that’s actually proven to work or there is a strong possibility you’ll be crying over spilled data.”

    To explore our solutions for data security, see http://www.originstorage.com.

     
  • Origin Storage, 12:41 on 15/04/2011
    Tags: Data protection Act

    Enigma SED Video Podcast 

    For more information on the Enigma SED, see http://www.enigmased.com.

     
  • Origin Storage, 11:42 on 18/03/2011
    Tags: Data protection Act

    Origin Storage says Canadian health data theft highlights case for multi-layered drive security 

    Reports from Canada about the theft of a hospital hard drive containing photos and videos of patients shows how easy it is for data drives to go missing in public areas, says Origin Storage.

    And, says Andy Cordial, the MD of the storage systems specialist, the drive theft at the Misericordia Hospital in Edmonton, Alberta, shows that, no matter what data security policies an organisation has in place, hard-pressed staff will often take the easy option and ignore procedure.

    “So what is the solution? Clearly security policies surrounding the security of patient data were in place at this hospital, but they just weren’t followed, so the answer has to be to introduce multiple layers of security, which staff simply cannot circumvent, even if they want to,” he said.

    “Our own DataLocker range of PIN-protected portable hard drives (http://bit.ly/2vb6y9) is a good example of a multi-layered security system. Users can still have the benefit of AES encryption on the drive for security, but as an added measure, users must also know the passphrase of the security unit, without which they cannot access the data,” he added.

    According to Cordial, had the Edmonton hospital used such a device even if the thief walked off with the drive, the unit would have locked automatically, meaning that access to the data would have been prevented.

    Using this approach to data security, says the Origin Storage MD, is an ideal way of bolstering the existing data security defences in an organisation, in situations where existing IT security policies cannot be fully applied.

    Origin’s observations amongst its many customers, he says, is that data needs protecting whether it is at rest or in transit and, whilst encryption offers an excellent form of protection, adding extra layers of security in portable or back-up situations makes a lot of sense.

    “Had this incident happened in the UK, the Information Commissioner’s Office would have been on to the health body concerned very quickly indeed, and at the very least, publicly secured a written guarantee from managers that a change of security procedures – to prevent a recurrence – would take place,” he said.

    “That means that management heads will roll if an infringement of the Data Protection Act occurred again. This sort of incident – and the consequential publicity plus investigations that result – has a curious habit of significantly grabbing managerial attention,” he added.

    “Using multi-layered technology can not only avoid a data loss for whatever reason, it can also avoid dragging your organisation’s reputation through the mud, as has clearly happened with this hospital.”

    For more on Origin Storage: http://www.originstorage.com

    For more on Edmonton hospital patient data disk theft: http://bit.ly/fNb5IX

     
  • Origin Storage, 14:43 on 14/02/2011
    Tags: Data protection Act

    Self-encrypting drive sales on the up, claims Seagate 

    But total sales still modest
    Disk maker Seagate claims it is finally making some headway in its attempts to get businesses to start buying its self-encrypting drive (SED) products, with a tripling in sales in the last two quarters.

    The company is now quoting total sales figures of “more than 1 million,” which is not much of an advance on a similar figure offered informally in May last year, but Seagate can still point to numbers heading in an upward direction. Laptop shipments have, Seagate said, “doubled in each of the last three years.”

    Factors helping SED shipments in laptops and enterprise sectors will have included that the critical Momentus drive range first launched as far back as 2006 is now being qualified by partners as compliant with the Trusted Computing Group’s Opal specification. This offers a standard way for software to manage the drives compared to the previous proprietary approach.

    Partners include Dell, Lenovo and Panasonic in hardware, and Credant, McAfee, Mobile Armor, Secude, Softex, Symantec, Wave Systems and WinMagic in software, which integrate with 24 separate Seagate SED products in the Savvio, Cheetah, Constellation and Momentus families.

    As impressive as the growth sounds, the figures are still minuscule when set against the 150 million drives the company might ship in a single quarter, which is where the challenge lies. SEDs are still a long way from being a mainstream sector, even in business, despite attempts to push the technology since at least 2008.

    Last September, Seagate announced that its Momentus SED had become the first drive in the laptop encryption drive market to get the important FIPS 140-2 certification that matters so much to public sector organisations.

     
  • Origin Storage, 09:35 on 09/02/2011
    Tags: Data protection Act

    Origin Storage Launches Enigma FIPS Solution For Laptops 

    Origin Storage, a leading manufacturer and distributor of IT storage solutions, has today announced the launch of Enigma FIPS. The FIPS 140-2 solution is the latest in the Enigma range to provide companies of all sizes with a quick and cost effective way to secure laptops using the highest levels of hardware encryption. The Enigma FIPS will be on show at CES in Las Vegas 6-9 January 2011.

    The Enigma FIPS solution incorporates the Seagate Momentus ® Self-Encrypting Drive which has recently secured FIPS 140-2 certification from the U.S. National Institute of Standards and Technology (NIST). The Momentus drive provides hardware-based encryption without performance degradation.

    With remote working becoming an important part of modern day corporate environments, organisations are more likely to issue laptops over standard desktop PCs. Companies are risking the security of sensitive and confidential information as it leaves the physical confines of the traditional office environment. Origin Storage’s launch of Enigma FIPS can put corporate minds at ease, offering the highest levels of security and a competitive price.

    Andy Cordial, MD of Origin Storage, comments, “More than 3,300 laptops are lost or go missing at the eight largest airports in Europe, the Middle East and Africa (EMEA) each week and according to new research, six out of ten of these are never claimed. More worryingly, nearly half of the professionals surveyed keep confidential information on their laptops, and over half take no steps to protect that data (research carried out by Ponemon Institute).”

    “FIPS 140-2 certification exemplifies Seagate’s commitment to security standards that enable the widespread adoption of encrypting hard drives for laptops and other computers as the explosive growth of laptop PCs puts more sensitive personal and business information at risk,” said Mark Whitby, Seagate’s vice president of EMEA Sales and Marketing. “Certification gives solutions providers like Origin and end-user customers the peace of mind that Momentus ® Self-Encrypting Drives deliver the full power of government-grade security.”

    Enigma FIPS is a compatible upgrade for all PC-based SATA notebooks and is designed specifically for the corporate and SME market. Each Enigma hard drive is supplied with the correct fitting kit, pre-mounted and ready to fit straight into the laptop. MySecureDoc Express, developed by WinMagic, provides a pre-boot authentication system that allows the user to authenticate using a password. This removes the need for the drive to rely on the laptop’s BIOS, making it possible to upgrade SATA-based systems to an Enigma SED.

    “Seagate’s FIPS 140 compliant drive and WinMagic’s MySecureDoc Express self-encrypting drive (SED) management software combine to provide the complete solution for customers that want to upgrade their existing computing systems with the latest government approved encryption technology to protect their sensitive data.”

    “We continue to work closely with Seagate and other SED manufacturers to provide individuals with security tools that are easy to configure, use, and manage at an affordable price. We recognise that SEDs require software to activate the hard drive pre-boot authentication and provide other value added services. These include self-help password recovery and local administration that combine to allow users to take advantage of the latest certified security technology shipping today.” said Garry McCracken, Vice President of Technology Partnerships, WinMagic Inc.

    The Enigma FIPS solution also includes a data transfer cable and Acronis hard drive cloning software, providing a quick and simple way to move existing data from the laptop’s non-encrypted hard drive to the fully encrypted Enigma solution. Using a high-speed USB2 or eSATA connection, a full mirror-image clone of the existing drive, including the operating system, applications and all user data, is made, which limits the downtime required to upgrade the mobile worker’s laptop.

    Key Features
    • FIPS 140-2 validated (Level 2)
    • Supports Windows 7 (32 and 64 bit)
    • No BIOS Limitations
    • Password Pre-Boot Authentication
    • 100% Compatible Matched Solution
    • Fits PC Based SATA Laptops
    • Tamper evident coatings
    • Transfer Existing Data With Ease
    • No Speed Degradation
    • Capacities Up To 500GB and Rising

    Benefits
    • Government security standard achieved
    • Always On Entire Disk Encryption Protects All Data On The Drive
    • On The Fly Hardware Encryption Means No Additional System Resource Usage
    • Local administrative role manageability
    • Self-help password recovery options
    • Activation of drive into encrypted state is instantaneous versus the unavoidable “conversion” time needed with standard hard drives
    • Data encryption key does not leave the drive, which helps defeat cold-boot (cooled-RAM) attacks on keys held in host memory and simplifies key management
    • Read Only PBA ( Pre-Boot Authentication) area supports password authentication using drive’s secure partition
    • Crypto erase enables instant secure disposal and repurposing of self encrypting-drive, rendering all existing data unintelligible, and returning it to manufactured state
    • Complete Matched Solution Makes Fitting Quick And Provides 100% Compatibility
    • Included Transfer Kit Clones Existing data Via USB2 or eSATA To Minimise Downtime
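Every benefit in the TCG list above (24/05/2011 post) and in the Enigma FIPS list just given (authentication performed by the drive, key never leaving the drive, instant activation, instant crypto-erase) follows from one design: the data encryption key is generated inside the drive and stored only wrapped under a key derived from the user’s password. The Python below is an added model of that key hierarchy, not code from Origin Storage, Seagate, WinMagic or the TCG. It swaps in an HMAC-SHA256 keystream for the drive’s AES engine so that it runs on the standard library alone (an assumption made for portability; it is not a cipher to reuse), and the sector size, PBKDF2 parameters and method names are illustrative. Running it shows why activation and a password change rewrite nothing on the media, why the host never holds the key, and why crypto-erase leaves old data unintelligible.

```python
# Added example (not Origin Storage/Seagate/WinMagic/TCG code): toy SED key hierarchy.
# The HMAC-SHA256 keystream is a stdlib stand-in for the drive's AES-XTS engine.
import hashlib
import hmac
import os

SECTOR = 64            # bytes per sector in this model (real drives: 512 or 4096)
PBKDF2_ITERS = 50_000  # hardening of the password-derived key-encryption key (KEK)

class Locked(Exception): pass

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the AES engine)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

class SelfEncryptingDrive:
    def __init__(self, sectors: int = 8) -> None:
        self._dek = os.urandom(32)      # DEK minted in-drive; volatile register, None while locked
        self._media = bytearray(sectors * SECTOR)
        self._secure_partition = None   # wrapped DEK plus verifier, persisted

    def _wrap(self, password: str) -> dict:
        salt, nonce = os.urandom(16), os.urandom(16)
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
        wrapped = _xor(self._dek, _keystream(kek, nonce, 32))
        tag = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()  # password verifier
        return {"salt": salt, "nonce": nonce, "wrapped": wrapped, "tag": tag}

    def initial_setup(self, password: str) -> None:
        """Take ownership: only the wrapped DEK is written, no user data is re-encrypted."""
        self._secure_partition = self._wrap(password)

    def power_off(self) -> None:
        self._dek = None                # key register cleared; next boot is locked

    def unlock(self, password: str) -> bool:
        """Pre-boot authentication done by the drive itself, independent of the OS."""
        sp = self._secure_partition
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), sp["salt"], PBKDF2_ITERS)
        expected = hmac.new(kek, sp["nonce"] + sp["wrapped"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sp["tag"]):
            return False                # wrong password: DEK stays out of reach
        self._dek = _xor(sp["wrapped"], _keystream(kek, sp["nonce"], 32))
        return True

    def change_password(self, old: str, new: str) -> None:
        """Re-wrap the same DEK under a new password; user data is untouched."""
        if not self.unlock(old):
            raise PermissionError("old password rejected")
        self._secure_partition = self._wrap(new)

    def crypto_erase(self) -> None:
        """Discard the DEK and mint a fresh one (real drives gate this on admin credential/PSID)."""
        self._dek = os.urandom(32)
        self._secure_partition = None

    def write(self, lba: int, data: bytes) -> None:
        if self._dek is None:
            raise Locked("authenticate first")
        ks = _keystream(self._dek, lba.to_bytes(8, "big"), SECTOR)
        self._media[lba * SECTOR:(lba + 1) * SECTOR] = _xor(data.ljust(SECTOR, b"\0")[:SECTOR], ks)

    def read(self, lba: int) -> bytes:
        if self._dek is None:
            raise Locked("authenticate first")
        ct = bytes(self._media[lba * SECTOR:(lba + 1) * SECTOR])
        return _xor(ct, _keystream(self._dek, lba.to_bytes(8, "big"), SECTOR))

    def raw_media(self) -> bytes:   # what a thief reads straight off the platters
        return bytes(self._media)

def demo() -> dict:
    secret = b"staff record: NI AB123456C"
    drive = SelfEncryptingDrive()
    drive.initial_setup("correct horse battery")
    drive.write(0, secret)
    media = drive.raw_media()
    drive.power_off()                   # laptop lost: it powers up locked
    result = {"media_not_plaintext": secret not in media,
              "wrong_password_rejected": not drive.unlock("password1")}
    try:
        drive.read(0)
        result["read_blocked_while_locked"] = False
    except Locked:
        result["read_blocked_while_locked"] = True
    result["unlock_ok"] = drive.unlock("correct horse battery")
    result["round_trip"] = drive.read(0).rstrip(b"\0") == secret
    drive.change_password("correct horse battery", "new passphrase")
    result["rekey_leaves_media_unchanged"] = drive.raw_media() == media
    drive.crypto_erase()
    drive.initial_setup("next owner")
    result["erased_data_unintelligible"] = drive.read(0).rstrip(b"\0") != secret
    return result
```

Call `demo()` to get a dictionary of which properties held. Note what the host API never offers: there is no method that returns the DEK, only plaintext the host wrote or the raw ciphertext a thief would see, which is the property behind the “key never leaves the drive” bullet. The same structure is why the software-only alternative needs a lengthy initial conversion pass: there the key is chosen by the host and the data has to be rewritten, whereas here the media was encrypted from the first write and ownership only changes which password wraps the key.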

     
  • Origin Storage, 10:26 on 14/10/2010
    Tags: Data protection Act

    Enigma: The single solution to protect the data on your notebook 

    It is clear that attitudes are changing. It is now very common to work from a home office to save travel time, or simply because today’s professionals do not necessarily have a physical office. As more people have made their laptop a virtual office containing all the data critical to their professional activities, the loss or theft of the computer has become a very stressful event and can lead to serious consequences for companies if data falls into the wrong hands.

    Origin Storage, not satisfied to offer just the external encrypted hard drives, known as the Data Locker, have gone one step further by offering secure internal hard drive solutions for your notebook.

    Encryption to secure all of your data
    The proposed solution is to remove the laptop’s hard drive and replace it with an Enigma SED (self-encrypting drive). Data saved on the laptop is then encrypted (256-bit AES) on the fly, with no noticeable loss of read or write speed, because the encryption is done in hardware on the drive rather than in software as some manufacturers do.

    Ease of deployment and installation
    Enigma disks are delivered with a mounting kit designed to fit the brand and model of laptop exactly. A cable and cloning software are included with all Enigma drives to transfer the data on your current hard disk to the Enigma solution, which guarantees a maximum level of security for all the stored data. The Acronis cloning software copies your data and operating system to the new Enigma SED, taking around an hour for 120 GB, so the downtime needed to encrypt your data is minimal.

    Once the Enigma SED is installed, the WinMagic software asks for a password at each start-up of the notebook; this is what is called PBA (pre-boot authentication). The BIOS hands control to the drive’s read-only pre-boot area, which prompts for the password; if the drive accepts it, the drive unlocks and the normal operating system boot proceeds.

    Our Enigma drives are already available for many brands of laptops with capacities of 250GB at the price of £232.00 and 500GB at the price of £259.00. Unlike competitors, it is important to note that the Enigma solution requires no annual license or update fees of any kind. The selling price includes the use of the licenses for different software provided throughout the life of your laptop.

    To find the appropriate solution, you can visit the Enigma website (http://www.enigmased.com).

    Enigma disks are intended for every notebook owner wishing to see data protected under any circumstances (government agencies, financial services, healthcare, insurance, military, and many others). Companies with a large fleet of laptops equipped with traditional hard drives will now be forced to change them for a secure solution in order to protect data and ensure compliance as defined by the ICO.

    The Enigma solution is simple to implement and provides a level of security for all embedded data. If you lose your computer or it is stolen, do not panic. Your data is protected to the highest level of encryption available in the commercial world.

     
  • Origin Storage, 10:56 on 14/09/2010
    Tags: Data protection Act

    Seagate’s encrypted hard drive gets security boost 

    Seagate’s Momentus Self-Encrypting Drive (SED) has become the first encrypted laptop hard drive to get the critical FIPS 140-2 certification that the company hopes will finally help boost its sales to US and Canadian government organisations.

    Normally, FIPS 140-2 is just another important check box for security products that want a slice of the government market, but right now the stakes seem higher for the Momentus.

    As the company itself admits, sales of self-encrypting laptop hard drives have been modest, at around 1 million units since the drive’s release in 2006. That sounds like a lot of drives, but the equivalent of barely a quarter of a million drives per year is a minuscule number when set against sales of non-encrypted hard drives, which run to hundreds of millions a year.

    “The low-hanging fruit will be the military,” said Seagate’s Momentus SED product marketing manager, Joni Clark. Having NIST-approved certification was essential for procurement in this space, she said.

    Achieving FIPS 140-2 after a three-year process would also help the SED in business markets as well as with foreign governments and public sector organisations, fired by an increased interest in self-encrypting drives for insecure devices such as laptops.

    “There is work to do in the sector but adoption is coming,” she said.

    Seagate has been pushing hard with self-encrypting hard drives, forging a partnership with Dell in 2009 to help shift self-encrypting hard drives for more mainstream use, including by business laptop users.

    NIST FIPS 140-2 won’t be enough on its own; the company also needs other drive vendors to embrace the self-encryption technology.

    One complication that might have slowed take-up by rival vendors is that, although the drive carries its own onboard encryption, third-party management systems still have to be integrated with the drive firmware. Seagate’s environment for doing this is called DriveTrust.

    Things have improved on this front since the drive’s 2006 launch – there are now several competing management systems to choose from – but the real boost will come when other hardware vendors offer a separate path for buying drives themselves.

    “When you are a sole source some see this as a weakness,” admitted Clark.

     
  • Origin Storage, 14:42 on 21/06/2010
    Tags: Data protection Act

    If A Product Hasn’t Got The Right Certification Can It Be Trusted? 

    Let’s pretend that it’s time to elect a world leader. Here are some revealing facts about the three candidates. Candidate A associates with crooked politicians and consults astrologers; he’s had two mistresses; he chain smokes and drinks 8 to 10 martinis a day. Candidate B was kicked out of office, twice; sleeps until noon; used opium in college and drinks a quart of whiskey every evening. Finally, Candidate C is a decorated war hero; a vegetarian who doesn’t smoke and only drinks an occasional beer, and he has never had ANY extramarital affairs. Who gets your vote? Would it surprise you to discover that Candidate A is Franklin D. Roosevelt, Candidate B is Winston Churchill and Candidate C is Adolf Hitler? All very interesting, but what has this got to do with FIPS, encryption or security generally? It proves the point that you shouldn’t judge a book by its cover.

    There are numerous organisations that, when looking for a new solution, draw up a list of attributes products must have to proceed to the evaluation phase. FIPS accreditation, CAPS (the CESG Assisted Products Scheme) and CESG approval all appear regularly on this list of must-haves, especially for government bodies. They’re obviously very important, but do you know what these acronyms really mean?

    Federal Information Processing Standards (FIPS), according to Whatis.com, are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies. The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate the requirements and standards for cryptographic modules, which include both hardware and software components, for use by departments and agencies of the United States federal government. FIPS 140-2 defines four levels of security, simply named “Level 1” to “Level 4”. It does not specify in detail what level of security is required by any particular application. A word of warning: FIPS 140 does not purport to provide sufficient conditions to guarantee that a module conforming to its requirements is secure, still less that a system built using such modules is secure.

    CESG is the Information Assurance (IA) arm of GCHQ and is the Government’s National Technical Authority for IA responsible for enabling secure and trusted knowledge sharing, which helps its customers achieve their aims. CESG aims to protect and promote the vital interests of the UK by providing advice and assistance on the security of communications and electronic data. CAPS helps private sector companies to develop cryptographic products for use by HMG and other appropriate organisations. CAPS links the cryptographic knowledge of CESG (the national technical authority for information assurance) with the private sector’s expertise and resources.

    However, a product that doesn’t have accreditation does not automatically mean that it isn’t capable of achieving it. In fact, by its own admission, NIST states that FIPS accreditation should not solely be relied upon suggesting that even if a product is certified, it may not actually be secure. In fact, this was proven in January when a flaw was unearthed in certain hardware-encrypted USB flash drives although it is true that the certification earned by the device in question never claimed it capable of doing what many perceived it should – be impenetrable.

    So just what should organisations examine when drawing up a shortlist of solutions?

    Below are six key factors to consider when evaluating security solutions :

    Accreditation : FIPS, CESG and CAPS have a place, but should not be considered the be-all and end-all of product selection. While a useful tool in assessing the security of encryption products, certification is not a guarantee that a product is secure; the onus is on the end user to understand what they’re using. What it does provide is a benchmark for comparing and contrasting products. Another solution that meets these criteria, but without the certification, can still be included in the evaluation if you want to make sure you are looking at ALL the options.

    Cryptography : the Advanced Encryption Standard (AES) is a symmetric-key encryption standard adopted by the U.S. government. It specifies a single block cipher used with one of three key lengths: AES-128, AES-192 and AES-256. Whether you need 256-bit keys or whether 128 would be adequate will depend on the sensitivity of the data.

    Data : The United Kingdom currently uses five levels of classification — from lowest to highest, they are: protect, restricted, confidential, secret and top secret. It stands to reason that it depends on the level of sensitivity that is being stored on the device that will determine what standards they would need to have or what kite marks are in place to ensure the level of protection.

    Device : Considering where sensitive data resides will help determine the type of product you need and the standard it should have. If you’re looking to protect mobile devices a central management policy will be required.

    Cost : A number of factors will influence just how much you spend on protecting the data. There is the argument that you can’t put a price on security, but it has to make commercial sense. There’s no point having a top-of-the-range encryption solution if the data it’s protecting is the lunchtime sandwich order! By the same token, a minimal encryption solution would not be deemed adequate by the ICO should the device contain personal health records transported by a GP. The solution should be appropriate for the data it is protecting.

    Company : A key element, and occasionally forgotten when checking that products have the right acronyms, is the credibility of the company you are buying from. Its products might have all the certifications money can buy, but if it’s been making headlines for being breached, do you want to find out whether they’ve got it ‘all sorted’?

    Accreditation does not just happen; organisations have to invest vast sums of money to ensure their products jump through the relevant hoops to attain certification. Rather than being blinded by a set of acronyms, you should be steered by your own security policy to determine what you’re protecting, where it is and how it might get there. Once you’ve collated this information you’ll be in a position to evaluate solutions which will meet these needs. Can you afford to discount the most appropriate technology in the marketplace simply because it hasn’t earned its badge yet?

     