- Customer Profile: Media company; 97,000 employees
- Goals: Strategic protection of confidential data throughout the enterprise
- Solution: PGP® Desktop Email, PGP Universal™ Gateway Email, and PGP® Support Package for BlackBerry® secure emails; PGP® Whole Disk Encryption protects data on laptops; PGP® NetShare safeguards files on servers; PGP® Command Line secures file transfers; PGP Universal™ Server provides central management
- Deployment: Centrally planned, distributed deployment
- Benefits: Data security; low startup & operational costs
Bertelsmann AG strategically deploys the PGP® Encryption Platform to protect confidential data in emails as well as on laptops and file servers.
Bertelsmann is an international media company active in television (RTL Group), books (Random House), magazines (Gruner + Jahr), music (BMG), media services (Arvato), and media clubs (Direct Group) in more than 60 countries. With 97,000 employees, Bertelsmann's revenue reached €19.3 billion (US$25.5 billion) in 2006.
As a media company, Bertelsmann operates not only in a competitive market, but is also very much in the public eye. Information security was such a strategic concern to the company's CEO that he asked the issue be addressed at all major corporate sites—not an easy task because Bertelsmann is organized in 800 distributed profit centers. The enterprise's six large divisions run self-sufficiently and operate their own infrastructure.
Sensitive data. The company required confidentiality especially for internal, sensitive information such as data about customers and personnel or mergers and acquisitions.
International compliance. Compliance with German and international laws and regulations was a further incentive for introducing encryption. In Germany, compliance primarily concerns the Bundesdatenschutzgesetz (federal data protection law), while Bertelsmann's locations in the United States are subject to local legislation, especially various data breach notification acts. Even though the company is not publicly listed, Bertelsmann must also comply with the Sarbanes-Oxley Act because it provides outsourcing services to U.S. enterprises.
Distributed infrastructure. The Chief Information Officers (CIOs) of each of the six Bertelsmann divisions periodically meet at the CIO Council, where Tom Goschütz, chief technology officer (CTO) Corporate Center, presented the new project. His strategy: The earlier he informed his colleagues, the higher the chances the independent divisions would accept and implement his plans.
Protect the data. In the past, the focus of IT security had been on the network; now, protecting data had become more important. "Today, network security is an integral part of the basic IT infrastructure," says Goschütz. "From an enterprise perspective, the protection of the information itself has become much more important."
Risk analysis. Confidential data is everywhere, so Goschütz set his sights on the biggest threats: protecting email communication, both internal and with external partners, securing data on laptops, and safeguarding information on file servers from unauthorized access. Because Bertelsmann management communicates almost exclusively with BlackBerry® devices, securing that platform was particularly important.
Central administration. Some divisions already had small deployments of email or laptop encryption; however, none of these was suitable for a strategic solution. "I quickly came to the conclusion that central key management and common administration for all components would be important for the success of the project," says Goschütz.
PKIs not suitable. Although a classic public key infrastructure (PKI) would provide central key management, it was not an ideal solution because Bertelsmann operates an organically grown IT infrastructure with a distributed organization and often exchanges confidential information with external partners.
When searching for a suitable enterprise solution, Goschütz quickly came across PGP Corporation. "The PGP Encryption Platform was the best fit for our distributed organization and one of the few solutions that supported end-to-end encryption on BlackBerry devices," says Goschütz. "PGP Corporation offers the only product line that covers all our current requirements for enterprise data protection."
Low startup costs. The decision to select PGP Corporation as the vendor of choice was also a financial one. A classic PKI would have multiplied project costs. Bertelsmann had analyzed the cost of a PKI in 2003. The monthly costs for email encryption alone were about €100 (US$132) per user. The system would really only be functional once it had been deployed to at least 90 percent of internal users. "A PKI project can quickly produce startup costs of a million Euros, serving one email system," says Goschütz.
Cost-effective solution. As Goschütz points out, "We have four large email systems, however, so we would have had to start four such projects." The cost of the PGP solution looked much better. "The PGP Encryption Platform is a financially attractive, scalable enterprise solution that requires a significantly lower initial investment, grows with our requirements, and costs a tenth of a classic PKI solution," says Goschütz.
The CTO wanted the system to be as transparent as possible for users and administrators. Goschütz decided not to encrypt messages automatically by content or recipient as a default. When a user wants to encrypt a message, all they have to do is add the letters "PGP" to the subject line of the email, and the rest is taken care of automatically.
Comprehensive email solution. Although Bertelsmann primarily encrypts emails end-to-end from user to user, the company also uses PGP Universal Gateway Email. If no key can be found for an external recipient because there is no encryption software on the recipient's side, for example, the message can still be delivered securely with PGP Universal™ Web Messenger. Bertelsmann uses PGP Universal Gateway Email only for emails leaving the network, but not for incoming messages, which are decrypted on the desktop.
Secure BlackBerry devices. The PGP Support Package for BlackBerry seamlessly integrates with Bertelsmann's PGP® infrastructure, encrypting and decrypting emails on these mobile devices. Combined with the native BlackBerry password protection and device encryption, the company was able to secure the devices comprehensively, even dispelling concerns about carrier security.
Protecting laptops. Bertelsmann also chose PGP Corporation to supply hard disk encryption. "PGP Whole Disk Encryption is mandatory for all laptop users in the Corporate Center to protect data from theft if a laptop is lost or stolen," says Goschütz. "As a next step, access to the laptops will be protected with two-factor authentication using USB tokens, in the same way as our domain login."
File server security. Bertelsmann uses PGP NetShare to encrypt files of the supervisory board, board of directors, and human resource department on centrally hosted servers. This approach protects highly confidential data from being viewed by file server administrators with server access. The solution will soon be made available to other departments as well. "Encryption of files on servers is a strategic initiative because attachments contained in confidential emails often originate here," says Goschütz. "Consequently, we must apply the same criteria and exclude the administrators as a group. PGP NetShare fulfills this requirement very well."
Secure file transfer. The Bertelsmann subsidiary Bookspan, a book club in the U.S., uses PGP Command Line to protect its file transfers with partners.
Scalable solution. All PGP® components are centrally administered with PGP Universal Server. To simplify user management, the server is configured to read group information from Microsoft Active Directory. The system, which includes PGP Universal Gateway Email, was set up as a four-server cluster: two machines for email encryption and two for PGP Universal Web Messenger. This configuration, which covers a mail system with 35,000 inboxes, was repeated at the other three enterprise email systems. "All applications that comprise the PGP Encryption Platform are very scalable for our requirements," says Goschütz.
Low support effort. Instead of formal training, users receive only one page of instructions. "The users find the system very easy to use," says Goschütz. "We hardly receive any support requests."
Two years ago, Bertelsmann introduced a directive specifying that users not send confidential information by email. At the time, the company had no system for encrypting emails and also no definition of confidential information. Today, Bertelsmann runs a comprehensive enterprise system to protect confidential information during transit and in storage. As a next step, the company will introduce data classification guidelines so users know exactly which data must be safeguarded. This initiative will likely increase the need for encryption.
Global deployment. In addition to the Corporate Center in Gütersloh, Bertelsmann will provide the PGP solution to its large sites in Hamburg, New York, and Luxembourg. "As an internationally established vendor, PGP Corporation offers us a truly global service, an enormous advantage for our international deployments," says Goschütz.
Important milestone. Goschütz is especially proud of one aspect of the project: "According to my knowledge, the PGP solution is the first to be strategically and successfully deployed across the entire Bertelsmann group. This is a remarkable milestone."
"The PGP Encryption Platform is a financially attractive, scalable enterprise solution that grows with our requirements and costs a tenth of a classic PKI solution." – Tom Goschütz, Chief Technology Officer Corporate Center, Bertelsmann AG