BAE Systems: Protecting sensitive information in a defense environment
BAE Systems uses email encryption to protect highly sensitive commercial data and to allow for controlled, auditable release of project information. BAE Systems is the premier transatlantic defense and aerospace company delivering a full range of products and services for air, land and naval forces as well as advanced electronics, information technology solutions and customer support services. With more than 100,000 employees worldwide, BAE Systems’s sales exceeded GB£15.4 billion (US$28 billion) in 2005.
The Challenge
BAE Systems is a long-term user of PGP solutions that protect data at rest and in motion. Hugh Fraser, head of IT security at BAE Systems, is responsible for the security of BAE Systems’s networks and systems. In this role, he faced two key challenges: encrypting email that traveled over the Internet and securing the release of project information.
Encryption of email over the Internet. First, highly sensitive commercial information had to be emailed across company boundaries over the Internet. Fraser explains: “We needed to use email to effectively take part in project bidding pools; however, we’d also established a policy specifying that if you were dealing with a certain level of sensitive information and wanted to send it over the Internet, you had to use encryption. We’re well-aware of the external threats and want to minimize any potential damage to the business, so today it is company policy to protect our intellectual property and other highly sensitive information from prying eyes.”
Release of project information. Second, IT Security needed to provide an audit trail for the release of information from a project network onto the corporate network. “Our release management capability solves a very specific business problem for one of our business groups: they had created an engineering design environment on a tightly controlled project network but needed to go and build the product,” says Fraser. “In other words, they needed to release the build information from the project environment in a controlled manner with an audit trail.”
The Solution
BAE Systems set out to look for a solution that addressed these challenges. “At the time, PKI was available, but we felt it was not a mature enough solution, at least not for email and file encryption. As far as we’re concerned, PGP encryption is still often the simplest way to establish a secure communications path,” Fraser says.
Easy to secure external communications. According to Fraser, “We also looked at how information exchanges developed and at the ease of use of potential solutions. For example, we regularly need our commercial teams to exchange information with third parties over the Internet. The easiest way to accomplish this exchange safely is with PGP encryption. After we implemented the PGP solution, most organizations said they had no problems because it was easy to establish a secure exchange very quickly.”
Need to protect internal email. BAE Systems decided that some of the information it handled was also sensitive enough to be encrypted inside the corporate network. Fraser elaborates: “Our IT is outsourced, so in some cases it is important to secure email internally on a routine basis. This requirement was recognized fairly early in the decision-making process.”
Business enabler for defense business. Fraser says that BAE Systems also solved the information release challenge by using PGP Desktop Email: “We created a process whereby a release manager digitally signs the files to confirm that the information could be released from a project environment. It was important that the signature provided a non-refutable audit trail. In this case, PGP Desktop Email proved a real business enabler for a defense-specific information management problem.”
Risks recognized. To introduce the encryption solution, Fraser had to garner support from business units by outlining clear requirements; however, he still encountered some resistance: “At the time, I needed to demonstrate that there were clear risks that needed to be managed. Today, we have an established business requirement for secure email.”
The Results
It was also the low investment and minimal impact on the infrastructure that convinced the business units at BAE Systems that the PGP® Encryption Platform was the best choice. “The startup costs are very modest, especially compared to other standards-based solutions,” says Fraser. “Unless you already have a PKI, most encryption solutions require you to make a major investment in infrastructure. The beauty of PGP technology is that this is not a requirement. You can install a keyserver if you wish, but even that is not a massive investment. PGP encryption is an easy, cost-effective solution that we deployed within budget and on schedule.”
Low operating costs. BAE Systems appreciates the minimal operating costs of the PGP solution: “It is very low-maintenance, very much a part-time job,” Fraser points out. “Since implementation, administration involves just a handful of keys being revoked or created each month. For us the solution requires about 2 hours per week for maintenance.”
Scalable and robust. Fraser says PGP Universal Server has been very reliable, and he hasn’t had any problems on his desktop or laptop. “PGP Universal has always done exactly what’s needed. In fact, it’s a testament to PGP Corporation that we’ve managed to keep everything going over the past couple of years with very little training—principally because we’ve had so few problems.”
Improved ease of use. Fraser says there are basically two types of users in a PGP community: “First, there are the enthusiasts who think this is the best invention since sliced bread and are capable of immediately using the product. Second, there are those who use encryption so infrequently they can’t remember how to do it and normally dismiss it as being too difficult. The automated, policy-based encryption in PGP Desktop Email helps these casual users enormously. Their response has been very enthusiastic because they’ve found it so easy to use.”
One sensitive email is enough. “We regularly poll our users about the continuing requirement to use PGP Desktop Email. At the moment, I know there is a demand,” he relates. “Users have to justify why they need it, and they’ve all had valid reasons for using it. So far, we haven’t measured how many emails they encrypt, but even if it is only a few sensitive emails per year, it is a price worth paying.”
Summary
Fraser summarizes: “We felt PGP email encryption was the best solution in the marketplace at the time to meet our requirements. Having used it for a number of years now we are comfortable using PGP encryption and the process is now so much easier from a user perspective because PGP Corporation has eliminated a lot of the complexity-of-use issues. Overall, it’s a first-rate product.”
Solution will grow. Fraser is expecting to expand the solution dynamically over the next few years, thanks to the scalability and flexibility of the PGP Encryption Platform. For example, BAE Systems is phasing out a secure fax network and will replace it with PGP Desktop to secure scanned documents sent via email. “This is only one area that’s going to generate demand. The fact that PGP solutions are more usable generates a bigger demand in its own right,” he predicts. “Strategically, we’re looking at implementing a PKI-based identity management system for external collaboration that includes secure email. Although this strategy is still in development, what’s important is that I have a solution that works and that I can use today. When we do introduce an identity management solution, we can also integrate PGP encryption easily with it if we need to.”
The PGP Encryption Platform. The PGP Encryption Platform reduces the complexities of protecting business data by enabling organizations to deploy and manage multiple encryption applications cost-effectively from a single management console. Deployed with the first encryption application, the PGP Encryption Platform makes installing a separate or additional infrastructure unnecessary when the organization needs other encryption applications. The PGP Encryption Platform supports the broadest range of integrated applications to secure email, laptops, desktops, instant messaging (IM), PDAs, network storage, FTP or bulk data transfers, and backups.