
ACS: Securing sensitive data in business process outsourcing

  • Customer Profile: Business process outsourcing; 62,000 employees support client operations in more than 100 countries
  • Goals: Endpoint, messaging, and file transfer security to protect sensitive data
  • Solution: PGP Universal™ Gateway Email; PGP® Whole Disk Encryption; PGP® NetShare; PGP® Command Line; PGP Universal™ Server; PGP® Desktop Email
  • Deployment: Within budget; on schedule; multiple locations
  • Benefits: Security; regulatory compliance; lower operational cost

ACS chose the PGP® Encryption Platform to protect corporate and customer information in storage and transit

Affiliated Computer Services, Inc. (ACS), a global Fortune® 500 company with more than 62,000 employees supporting client operations reaching more than 100 countries, provides business process outsourcing and information technology solutions to world-class commercial and government clients.

The Challenge

As a business process and information technology outsourcer, ACS handles high volumes of sensitive corporate and customer data.

Protect data in storage and in transit. ACS processes a lot of personally identifiable information (PII), protected health information (PHI), and other business-critical information, so the company wanted to protect data from interception during transit as well as from theft or loss when stored on a mobile system. Chris Leach, Chief Information Security Officer (CISO), and Wayne Scalf, Vice President of end user computing, are responsible for the company's strategic data protection project.

Safeguard reputation. ACS processes terabytes of data about its employees and customers. "Our employees and customers can be assured their data is in good hands. Enterprise data protection is simply the right thing to do," says Leach. His best-practice approach also helps ACS reduce the reputational risk of potentially losing the public's trust (and business) in the case of a data breach.

Rhonda Johnson, PGP Program Director at ACS, oversees the encryption services program. "PGP® solutions enable our employees to protect sensitive data and maintain our excellent industry reputation," she says.

Ensure compliance. To the CISO, ensuring compliance was a secondary consideration. "The best-practice approach was the main incentive for our initiative. Regulatory compliance was just the icing on the cake," Leach says. ACS needs to satisfy regulations as diverse as Sarbanes-Oxley, HIPAA, PCI, and various state breach notification acts.

Meet contractual obligations. According to Scalf, some ACS customers explicitly request a certain level of security. "Some of our outsourcing customers require us to encrypt data in storage and in transit," he explains. "ACS is very committed to establishing best practices for data security because it constitutes an additional differentiator, demonstrating our technology leadership."

Manage risk. Leach sees a benefit for the company in mitigating the risk of information theft. "ACS could face considerable costs as a result of data breach notification and litigation processes. We could also experience a negative impact in service level agreements, contract renewals, and lost business opportunities," he says. As Scalf points out, however, "Our comprehensive PGP solution has enabled us to become an industry leader in risk management and data protection."

Quantify risk. The company completed a cost/benefit analysis before introducing full disk encryption. Johnson quantified the risk of not deploying against the cost of deploying. She felt that the number of new privacy laws combined with the rise in identity theft increased the likelihood of an incident. Once she had determined the costs and benefits, the choice was easy. "Our entire encryption program is much cheaper than the consequences of a single data breach that would impact our own and our clients' reputation. To us, this decision was a no-brainer."

Win management support. Leach and Scalf were the main project sponsors, but the PGP project was also supported by many other offices: Marianne Bennett, Chief Privacy Officer, Tom Burlin, Chief Operating Officer, Derrell James, Senior Managing Director of IT Outsourcing Solutions, and Karen Wilson, Chief Compliance Officer. "The encryption project has been supported by every division and endorsed by our compliance, security, auditing, and management groups across ACS," says Scalf.

The Solution

Scalf supports a very complex environment. "Depending on the department or project, systems are either the property of ACS or our customers, so all solutions need to be flexible," he explains. "We also need to communicate securely with any business partner, so we were looking for an industry-proven framework based on open standards."

Comprehensive solution. Johnson lays out the criteria for the solution: "We didn't want to install several unrelated endpoint security solutions because this approach would increase operational costs and further complicate the infrastructure. We needed one comprehensive solution that secures data in storage and in transit and allows us to provide a repeatable outsourcing solution."

Transparent and easy to use. Scalf was looking for transparent, easy-to-use software that would have little impact on the help desk. "Our infrastructure is very distributed, and many desktops and laptops are managed remotely," he says. "It wasn't practical to recall these systems just to install an encryption solution, so we looked for software we could install over the network with minimum user effort. To enforce corporate security guidelines and avoid costly training for thousands of users, we also needed centralized policy management."

Single solution. The company chose the PGP Encryption Platform as the best solution. "We wanted one platform for all our needs," Johnson says. "PGP solutions allowed us to leverage our existing infrastructure. The PGP Encryption Platform also provides a greater degree of consistency because it is a standard framework, making it the best fit for our requirements."

Full disk encryption. Scalf prefers encrypting the entire hard disk to alternative approaches. "Full disk encryption is the best method to secure data on desktops and laptops because it's fully transparent, easy to use, and doesn't interrupt the user's work, even during the initial encryption process. We found PGP Whole Disk Encryption to be an excellent solution," he says. Because ACS is a global company, he also found the software's international language and keyboard support indispensable. 

Gateway encryption. ACS chose PGP Universal Gateway Email to encrypt emails at the server. "This method was the most transparent to users and allowed us to install the software in one central location rather than having to distribute it to each desktop system," says Johnson. "The most appealing feature was that ACS could use the solution with customers and business partners across the world, whether or not they use a standards-based product. PGP Universal Gateway Email has become the accepted, proven enterprise solution."

Server-to-server communication. File transfer communication between servers also required additional security. "We've purchased licenses of PGP Command Line for 150 servers to secure communication between the systems," explains Johnson. "Especially when it comes to heterogeneous or legacy systems, file transfer is still the easiest method for exchanging data. However, the protocols used for file transfer were developed before security became such a critical issue, so it's important to add that extra layer of security."

Central reporting. The heart of the PGP Encryption Platform is PGP Universal Server, which manages users, keys, and policies for multiple encryption applications. "A feature we've learned to love is the central reporting capability of PGP Universal Server across all our encryption applications," Scalf adds.

The Results

"The PGP Encryption Platform is solid technology with an open architecture that has been scrutinized by industry experts," Leach summarizes. "It has a very good reputation and fulfills all our requirements."

A reliable partner. "PGP Corporation offers a broad enterprise solution with very robust central key management," Scalf says. "We see PGP Corporation as a flexible, reliable partner able to provide solutions for us and our clients that fit every industry. It was also important that PGP Corporation has a solid financial background because some of our outsourcing contracts run for 10 years."

Smooth deployment. To date, ACS has completed the rollout of PGP Whole Disk Encryption to 35,000 laptops and desktops and is in the process of encrypting an additional 15,000, bringing the total to 50,000. "Everything went very smoothly and on schedule. We're now deploying PGP Universal Gateway Email to 60,000 end users and have begun to pilot PGP Command Line for secure file transfers," says Johnson. "We are consolidating our 28 distributed, clustered PGP Universal Servers to a centralized cluster with 15 servers, enabling us to manage more than 50,000 systems at ACS and thousands at our clients." Leveraging the flexibility of the PGP Encryption Platform, Johnson integrated ACS administration tools with the PGP solution, enhancing her ability to roll out and track the deployment.

Great team effort. Scalf appreciates the strong teamwork that led to the successful completion of the project. "The key factor to success in this project was cooperation," he says. "I greatly value the outstanding work of the project management team, desktop and messaging groups, help desk staff, and PGP® Professional Services, all of whom communicated with each other and worked together to deploy the solution across the enterprise."

Excellent performance. "The performance of both PGP Universal Gateway Email and PGP Whole Disk Encryption has been very good. The integrated reports are very helpful, and management of the software is simple," says Johnson.

Few help desk calls. Scalf measured the number of help desk calls: "We saw a slight increase in help desk calls immediately after the rollout, but they mainly concerned forgotten passwords, which are easy to handle. We've had few calls since then."

Accurate forecast. PGP field engineers estimated the number of days required to roll out the solution. "The PGP Professional Services plan contained the right amount of detail, and there was no difference between the estimates and our actual expenses," Johnson says.

Low operational cost. Scalf values the cost-effectiveness of the PGP Encryption Platform: "The scalability and TCO of PGP solutions make deployment and long-term maintenance very attractive."

Content-based encryption. In the near future, Johnson will make encrypting emails even simpler. "At the moment, users have to actively flag emails that should be encrypted," she explains. "Soon, we'll activate automatic encryption for certain recipient domains and enable secure delivery of messages as password-protected PDFs. As the next step, we want to integrate our IronPort email content filter with PGP Universal Gateway Email so sensitive emails are automatically recognized and encrypted. This process will enforce our security guidelines more effectively and improve user comfort."

Customer input is valued. According to Scalf, PGP senior leadership places great importance on listening and responding to client concerns and involving its partners in strategic planning processes. "Our experience so far has been excellent, and our decision to choose PGP Corporation was definitely the correct path for our company," he concludes.
