Continental Corporation: Protecting business-critical data on laptops in the automotive industry

• Customer Profile: Automotive industry; 87,000 employees;
• Goals: Security best practice; protection of critical information on laptops
• Solution: PGP® Whole Disk Encryption encrypts laptops
• Alternatives: Did not meet security requirements or were not suitable for enterprise deployment
• Benefits: Proprietary data protection

Continental chose the PGP® Encryption Platform to protect sensitive information on laptops.

The Continental Corporation is a leading supplier of brake systems, chassis components, vehicle electronics, tires, and technical elastomers. In 2006, the corporation realized sales of €14.8 billion (US$ 19.5 billion) and employed about 87,000 people.

The Challenge

Continental, a leading automotive supplier headquartered in Germany, reviewed its security guidelines as part of a project to upgrade the operating system for 24,000 users.

OS and security update. Thomas Ullrich is the chief security officer (CSO) at Continental and heads its Competence Center Security Internet/Intranet. Ullrich recalls how the laptop encryption project started: "When we planned the Windows XP rollout, we also thought about the threat of stolen or lost notebooks and the risk if business-critical data resident on those machines was disclosed. Today's notebooks are small, are taken outside the company's perimeters, and potentially contain sensitive data such as financial reports, personnel information, or technical blueprints. We decided we needed to protect all 6,000 laptops in the global enterprise."

Encryption is best practice. Ullrich explains the drivers behind the decision: "Regulations in Europe and the United States differ significantly, so compliance was not really a strong driver for encryption. We simply believe it is a corporate security best practice to encrypt laptops to protect critical business data."

Installed base of PGP® technology users. Ullrich already had an installed based of PGP® Desktop users: "Continental has had about 800 seats of PGP Desktop for several years, primarily in the Automotive Systems division, to enable secure communications with auto manufacturers that required we encrypt communications."

The Solution

Integrated OS features not suitable. Ullrich explored the possibility of using operating system functionality to secure laptops: "We looked at the Encrypting File System (EFS) that ships with Windows XP, but found that it only encrypts certain files on the hard disk and requires a complex public key infrastructure (PKI) for enterprise deployments. Those limitations made us decide EFS wasn't a suitable solution to protect our laptops."

Alternative technologies. Ullrich recalls the other technologies he considered: "If you want to protect data on a laptop, you can either encrypt individual files, parts of the hard disk using a 'container' approach, or the entire hard disk. Encryption that encrypts individual files or containers isn't suitable for securing a laptop hard disk because it doesn't protect temporary and page files. Users also need to ensure they put sensitive files in protected areas. We wanted to make the user experience as simple as possible and decided full disk encryption would be the best solution."

Other vendors disqualified. Ullrich compared several vendors before making a decision: "We evaluated several solutions and disqualified one of the vendors immediately because its product didn't work with our backup solution. Even the final solution we considered wasn't suitable for enterprise deployment: We had to have physical access to laptops to install the software. To recover a disk, it required a floppy drive, which is anachronistic because most new laptops don't even have one. In addition, the vendor's local reseller didn't have detailed security or product expertise. These drawbacks weren't acceptable, and we thought we'd reached a dead end. That's when PGP Corporation announced PGP Whole Disk Encryption, and we decided to pilot the software."

Integrated platform desired. Ullrich explains why the breadth of available PGP solutions was important: "We already used PGP Desktop for email encryption, so PGP Whole Disk Encryption was an obvious candidate for evaluation. The fewer point solutions we use, the more integrated our IT management becomes. The platform approach simplifies administration, training, and deployment significantly, which results in a lower cost of ownership."

A trusted partner. Ullrich felt comfortable using an established technology: "The global security community recognized PGP Corporation's expertise for encryption solutions a long time ago. We see PGP Corporation as a trusted partner, which is an important factor when it comes to encryption. Plus, we've had excellent experiences with the PGP® Sales, Field Engineering, and Support teams."

The Results

Pioneering the product. Ullrich recalls his experience using the new product: "PGP Corporation listened to our concerns and helped us to solve our issues with the new software. We essentially shaped the product together. The PGP Field Engineering and Support teams were immensely helpful in providing solutions, and today, I'm very satisfied with the maturity of the solution."

Remote installation. Ullrich appreciates that laptops don't have to be physically available for administrators to install full disk encryption: "It is important that we can install PGP Whole Disk Encryption remotely without needing physical access to the hardware. Continental has about 6,000 users in about 200 locations, and it would be impossible to collect all laptops to update them. Instead, we use our standard software distribution solution to install the PGP® software and to encrypt the hard disk."

No user interruption. Disrupting the employees' work to encrypt the disk would not have been an option for the automotive supplier. According to Ullrich, "It is important that users can continue working normally during initial encryption and that it doesn't matter if they shut down or rebooted while the process is running. For many users, their laptop is their only system. Our laptop users are often on the road, so they can't ask a colleague in the next office to print a document. It's critical to the enterprise that their systems are always available and running."

No hardware upgrades necessary. Ullrich admits having some initial concerns: "Before we introduced PGP Whole Disk Encryption, we didn't know whether it would slow down the notebooks or if we'd have to upgrade the hardware on older systems. We discussed this topic a lot before rolling out the solution. Our concerns turned out to be unfounded, and to this day, I haven't received any performance complaints from our users."

No changes to performance. "I was one of the first users and tested the performance of my laptop with and without PGP Whole Disk Encryption," Ullrich says. "I was surprised that there was no noticeable difference."

Scalability almost infinite. Ullrich values the architecture of the PGP Encryption Platform: "The scalability of PGP Whole Disk Encryption is almost infinite. The only thing required to encrypt more than 6,000 laptops would be to buy more licensed seats of the software. It's that simple."

Low impact on infrastructure. Continental had to make very few changes to its existing infrastructure to introduce PGP Whole Disk Encryption. As Ullrich explains, "All we had to do was to prepare the PGP Whole Disk Encryption installation packages for distribution."

Support for critical application. The CSO explains why Continental chose a high level of support services: "PGP Whole Disk Encryption is a critical application on our systems. We have to assume a worst-case scenario where the CEO is in a remote location, cannot authenticate, and the recovery token doesn't work. In such a case, we have to be able to analyze the problem quickly and have a competent partner to help us solve it, which is why we chose the highest support level including an assigned engineer. So far, there haven't been many support calls, and PGP® Support has handled the few we've had quickly and accurately. Support contracts are like insurance: you hope you never need it, but it's good to have it when you do."

High level of expertise. Continental invited a PGP® engineer to install the solution: "We were highly satisfied with their level of expertise. Whenever we had a question, the PGP® Deployment Engineer was able to provide a solid answer and solution."

Useful training videos. Ullrich also received PGP® training videos to prepare for the deployment. "The PGP training videos were very useful because they provided a good technical overview of the product," he says. "After the training, I found it much easier to look up a specific topic in the written manual."

Summary

Continental is rolling out full disk encryption to a large portion of its laptop users, and the CSO is pleased with the outcome of the project.

Encryption is like a seatbelt. Ullrich uses an analogy from the automotive industry to describe how Continental uses the PGP solution: "We like the ease of use and transparency of PGP Whole Disk Encryption. If users don't have to do much to ensure security, they can't make many mistakes. PGP Whole Disk Encryption is so transparent to users it's like the seat belt in a car: you put it on and then don't have to think about it again."

Encryption protects the business. Ullrich believes that security is an important business component: "I think full disk encryption for notebooks should have the same status as anti-virus software."