PGP INSIGHT
ACS: Securing sensitive data in business process outsourcing

- Customer Profile: Business process and information technology outsourcing; 74,000 employees support client operations in more than 100 countries
- Goals: Endpoint, messaging, and file transfer security to protect sensitive data
- Solution: PGP Universal™ Gateway Email; PGP® Whole Disk Encryption; PGP® NetShare; PGP® Command Line; PGP Universal™ Server; PGP® Desktop Email
- Deployment: Within budget; on schedule; multiple locations
- Benefits: Security; regulatory compliance; lower operational cost
ACS chose the PGP® Encryption Platform to protect corporate and customer information in storage and transit.
Affiliated Computer Services, Inc. (ACS), a global Fortune® 500 company with more than 74,000 employees supporting client operations reaching more than 100 countries, provides business process outsourcing and information technology solutions to world-class commercial and government clients.
The Challenge
As a business process and information technology outsourcer, ACS stores, accesses and transmits a very large amount of sensitive data for its clients daily. ACS needed a complete global solution that would address the following areas: sensitive data stored locally on workstations and network drives, removable data storage, protection for sensitive data sent by e-mail, data that is transmitted across the internet (for example, FTP), and data that has possibly been compromised.
Protect data in storage and in transit. ACS processes large volumes of personally identifiable information (PII), protected health information (PHI), and other business-critical information, so the company wanted to protect data from interception during transit as well as from theft or loss when stored on a mobile system. Chris Leach, Chief Information Security Officer (CISO), is responsible for the company’s strategic data protection project.
Safeguard reputation. ACS processes terabytes of data about its employees and customers. “Our employees and customers can be assured their data is in good hands. Enterprise data protection is simply the right thing to do,” says Leach. His best-practice approach also helps ACS reduce the reputational risk of potentially losing the public’s trust—and business—in the case of a data breach.
Ensure compliance. To the CISO, ensuring compliance was a secondary consideration. “The best-practice approach was the main incentive for our initiative. Regulatory compliance was just the icing on the cake,” Leach says. ACS needs to satisfy regulations as diverse as Sarbanes-Oxley, HIPAA, PCI, and various state breach notification acts.
Manage risk. Leach sees a benefit for the company in mitigating the risk of information theft. “ACS could face considerable costs as a result of data breach notification and litigation processes. We could also experience a negative impact in service level agreements, contract renewals, and lost business opportunities,” he says.
Meet contractual obligations. According to Scalf, some ACS customers explicitly request a certain level of security. "Some of our outsourcing customers require us to encrypt data in storage and in transit," he explains. "ACS is very committed to establishing best practices for data security because it constitutes an additional differentiator, demonstrating our technology leadership."
Quantify risk. The company completed a cost/benefit analysis before introducing full disk encryption. Johnson quantified the risk of not deploying against the cost of deploying. She felt that the number of new privacy laws combined with the rise in identity theft increased the likelihood of an incident. Once she had determined the costs and benefits, the choice was easy. “Our entire encryption program is much cheaper than the consequences of a single data breach that would impact our own and our clients’ reputation. To us, this decision was a no-brainer.”
Win management support. The PGP project was supported by many offices outside of the CISO: Lynn Blodgett, President and CEO, Tom Burlin, Chief Operating Officer, Tom Blodgett, President, BPS, Ann Vezina, EVP & CSG Group President, Joe Doherty, EVP/Group President/Government Solutions and Derrell James, Senior Managing Director of IT Outsourcing Solutions.
The Solution
Johnson lays out the criteria for the solution: “We didn’t want to install several unrelated endpoint security solutions because this approach would increase operational costs and further complicate the infrastructure. We needed one comprehensive solution that secures data in storage and in transit and allows us to provide a repeatable outsourcing solution.”
Full disk encryption. Senior Management prefers encrypting the entire hard disk to alternative approaches. They found that full disk encryption is the best method to secure data on desktops and laptops because it’s fully transparent, easy to use, and doesn’t interrupt the user’s work. Because ACS is a global company, the software’s international language and keyboard support was indispensable.
Single solution. The company chose the PGP Encryption Platform as the best solution. “We wanted one platform for all our needs,” Johnson says. “PGP solutions allowed us to leverage our existing infrastructure. The PGP Encryption Platform also provides a greater degree of consistency because it is a standard framework, making it the best fit for our requirements.”
Gateway encryption. ACS chose PGP Universal Gateway Email to encrypt emails at the server. “This method was the most transparent to users and allowed us to install the software in one central location rather than having to distribute it to each desktop system,” says Johnson. “The most appealing feature was that ACS could use the solution with customers and business partners across the world, whether or not they use a standards-based product. PGP Universal Gateway Email has become the accepted, proven enterprise solution.”
Secure File Transfers. Using PGP Command Line as the encryption engine, ACS architected the Secure Large File Transfer (SLFT) service, which allows senders to upload a file to a secure server over SSL and specify the recipient within a web GUI. SLFT automatically queues the job and encrypts the data as a PGP Command Line Self Decrypting Archive (SDA). Following encryption, the recipient can retrieve the file through a secure web interface.
User accounts for the web site are managed automatically, and encrypted files expire automatically. When added to the protections already offered by PGP, SLFT provides unparalleled security.
Central reporting. The heart of the PGP Encryption Platform is PGP Universal Server, which manages users, keys, and policies for multiple encryption applications. The central reporting capability of PGP Universal Server across all our encryption applications has been very beneficial. Also, ACS designed the Data Protection Agent (DPA) to track user activity and migration status in real time, giving its administrators the ability to solve migration issues as they occur. The DPA service runs on end users’ systems, where it collects critical data and reports it to a centralized database that can be viewed over the web. By monitoring and reporting in this way, the DPA ensures that corporate data is protected.
The Results
“The PGP Encryption Platform is solid technology with an open architecture that has been scrutinized by industry experts,” Leach summarizes. “It has a very good reputation and fulfills all our requirements.”
Smooth deployment. To date, ACS has completed the rollout of PGP Whole Disk Encryption to 50,000 laptops and desktops. User feedback from all of the PGP Desktop Solutions has been overwhelmingly positive and they have seen an increase in the addition of new clients and new client infrastructures. “We're now deploying PGP Universal Gateway Email to 170,000 end users and have successfully deployed Secure Large File Transfer (SLFT) service using PGP Command Line, transferring 17,000 files,” says Johnson. Leveraging the flexibility of the PGP Encryption Platform, Johnson integrated ACS administration tools with the PGP solution, enhancing her ability to roll out and track the deployment. The DPA tool is currently tracking over 40,000 assets.
Excellent performance. “The performance of both PGP Universal Gateway Email and PGP Whole Disk Encryption has been very good. The integrated reports are very helpful, and management of the software is simple,” says Johnson.
Accurate forecast. PGP field engineers estimated the number of days required to roll out the solution. “The PGP Professional Services plan contained the right amount of detail, and there was no difference between the estimates and our actual expenses,” Johnson says.
Content-based encryption. “In the past, users had to actively flag emails that should be encrypted,” she explains. “Currently, we’ve activated automatic encryption for certain recipient domains and enabled secure delivery of messages as password-protected PDFs. We have also integrated our IronPort email content filter with PGP Universal Gateway Email so sensitive emails are automatically recognized and encrypted. This process will enforce our security guidelines more effectively and improve user comfort.”
About the PGP Encryption Platform
The PGP Encryption Platform reduces the complexities of protecting business data by enabling organizations to deploy and manage multiple encryption applications cost-effectively from a single management console. Deployed with the first encryption application, the PGP Encryption Platform makes installing a separate or additional infrastructure unnecessary when the organization needs other encryption applications. The PGP Encryption Platform supports the broadest range of integrated applications to secure email, laptops, desktops, instant messaging (IM), PDAs, network storage, file transfer, automated processes, and backups.
"Our employees and customers can be assured their data is in good hands. Enterprise data protection is simply the right thing to do."
- Chris Leach, Chief Information Security Officer (CISO), ACS