First Advantage: Protecting sensitive data in business services communications

• Customer Profile: Risk mitigation & business process solutions; more than 4,700 employees worldwide
• Goals: Comply with business & regulatory requirements related to data management; secure communications with business partners, customers, & employees
  
• Solution: PGP® Desktop Enterprise: PGP® Whole Disk Encryption secures laptops & desktops; PGP® NetShare secures network files; PGP® Desktop Email and PGP Universal™ Gateway Email secure communications; PGP Universal™ Server provides central administration
• Deployment: Within budget and on schedule by PGP® Professional Services
• Benefits: Scalable solution; greater efficiencies; centralized management

The PGP® Encryption Platform enables First Advantage to secure communications with customers while protecting stored sensitive information.

First Advantage Corporation (NASDAQ: FADV) is a leading global provider of risk mitigation and business solutions. The company's service portfolio ranges from consumer and business credit reporting and lead generation services to supply chain security consulting, talent acquisition solutions, computer forensics and data recovery, and due diligence reporting. Headquartered in St. Petersburg, Florida, First Advantage has more than 4,700 employees in its U.S. and international offices.

The Challenge

First Advantage processes a large amount of sensitive data on behalf of its customers, and the company must be able to verify the security of this data. That responsibility falls on the Security Risk Management department, which provides corporate-wide IT infrastructure security, application security, and compliance and risk management. "Encryption addresses data at rest, data in motion, and anything in between," says Kam Golpariani, director of security operations at First Advantage. "So, when we kicked off our encryption initiative, we wanted to take a holistic approach and look at all the different components from a business perspective."

Compliance with customer and regulatory requirements. Prospective and current customers increasingly wanted assurance that First Advantage would protect their sensitive data. In addition, the need to comply with regulatory requirements related to data management such as Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley prompted First Advantage to pursue encryption solutions to protect sensitive data.

Protect data on laptops. "Our goal is to make sure information on portable devices, such as laptops, are protected both inside and outside the company," Golpariani says.

Secure external communications. Many of First Advantage's partners and customers also require a secure communications channel for releasing certain documents. To accommodate them, First Advantage wanted an external-facing encryption component. Choosing an email encryption solution that supported open standards, such as OpenPGP and S/MIME, was an important factor. "I didn't want to force a specific standard or product on our partners or customers," Golpariani says. "However, I wanted to ensure that if they already had a solution, it would interoperate with whatever we chose so we wouldn't have to double our efforts or go through additional hurdles to exchange information."

Limit internal access. Certain departments at First Advantage require higher levels of confidentiality, even restricting file access between departments in some cases. That requirement led the security director to investigate a solution for encrypting network files. "In the past 4 years, First Advantage has averaged acquisitions every 60 to 90 days," Golpariani explains. "Many documents are very sensitive, and we must ensure that only a small number of people have access to these documents." Golpariani also researched the possibility of tying email encryption to the company's Active Directory infastructure. Encrypting that channel would then allow approved departments to use a secure mechanism to communicate confidential information.

The Solution

"After we identified the business need for data security and recognized the benefit of rolling out a company-wide solution, I started looking at different aspects of encryption," Golpariani says. The encryption initiative at First Advantage includes PGP Desktop Enterprise, a bundled offering that includes PGP Desktop Email to secure communications, PGP Whole Disk Encryption for laptop security, and PGP NetShare for secure network files. In addition, PGP Universal Gateway Email protects email at the gateway and provides centralized management of all solutions with PGP Universal Server. The security director also chose to have PGP Professional Services deploy the solutions.

As Golpariani explains, "I liked being able to incorporate network file encryption, secure email, and laptop encryption-and centrally manage everything through granular policies set on PGP Universal Server. The integration with Active Directory was another plus."

Executive sponsorship. The company's Chief Security Officer (CSO) and business segment executives were the biggest sponsors of the encryption initiative. "Because of the amount and type of data we handle on behalf of large customers, our inside sponsors understood the need for encryption," says Golpariani. "Our CSO really drove that point home with all the business units, helping them understand the importance of the encryption project," he explains.

Encrypt data on laptops and desktops. First Advantage dedicated the first phase of its encryption initiative to laptops because of the critical information such devices can contain. The next phase will address desktop systems as well. "What we deploy will depend on the type of information each desktop has, how accessible it is from a physical perspective, and also its function," says Golpariani. "If it's just a basic desktop and the user stores everything in a network file share, we probably wouldn't spend a lot of effort encrypting that disk."

Encrypt email. First Advantage will soon be able to encrypt emails at the individual client level with PGP Desktop Email and at the server level with PGP Universal Gateway Email, providing secure communications with all business partners and customers. Recipients without encryption solutions have two options: they can use either PGP Universal™ Satellite to encrypt incoming and outgoing email or use PGP Universal™ Web Messenger to access secure email via a Web email interface.

Secure internal communications. Specific departments within First Advantage can secure their communications channels for internal information-sharing. "The internal capability is the icing on the cake," says Golpariani. "It's an additional bonus that we can leverage for confidential communications."

Facilitate ease of use. The centralized management of encryption solutions via the PGP Encryption Platform architecture rolled out with the first PGP® application provides the holistic approach to security Golpariani was seeking. "I wanted to make sure the solution would be easy to roll out to the IT groups. They'll be managing this tool on a day-to-day basis, so I wanted to make it as seamless as possible. An easy way to gain their buy-in was to explain that the low daily level of effort required wouldn't over-burden them."

Educate user. Educating the IT group, customers, and end users about the new encryption products prior to deployment was important to the success of the project. For example, First Advantage provided a customized FAQ that explained the need for implementing encryption, what would happen once the solution was deployed, how it would impact them and where to find additional information and resources.

The Results

First Advantage engaged PGP Professional Services to work on the encryption initiative. "They've been extremely helpful in documenting the process, which is one of the key deliverables I was looking for," Golpariani says. "I wanted to make sure the implementation process was repeatable. Being able to provide full documentation to other people in IT or other departments will enable them to do the same thing easily in their environments." The implementation is underway and will be repeated in several locations using the same documentation. "That will be a true test of how the documentation works," Golpariani says. "So far, everything seems to be going pretty well. In addition, PGP® Support has been very responsive and knowledgeable."

Greater efficiencies. In addition to coming in on budget and on schedule, the project also prompted Golpariani to make some long-needed upgrades to the company's systems. By reviewing the existing email infrastructure with the PGP Professional Services team, First Advantage's security officer found ways to consolidate and to make the infrastructure more efficient.

Scalable solution for increased availability. According to Golpariani, PGP Universal Server is scaling easily to meet First Advantage's requirements. "Our approach has been to virtualize an environment, so we'll set up the four PGP servers in a virtual environment," Golpariani explains. Clustering the servers will provide several other advantages. "Although they're separate, those four environments communicate with the other Exchange servers and because 'trust exists within the forest' through Active Directory, so to speak, there's communication there as well," Golpariani says. "Clustering also is important from a failover and availability perspective to ensure users can access that server environment at any time. As those environments become more centralized moving forward, it will make it even easier to transition users to one of those servers."

Improved ease of administration. Golpariani has found that integration of PGP® products with Active Directory improves administration. "Standardizing on directories throughout the company provides leverage when we're setting up policies to encrypt certain types of information from one group to another," he says. "The Help Desk also has been pretty happy about the results, especially the centralized management."

Favorable feedback from users. End users reacted favorably to the implementation of PGP Whole Disk Encryption. Depending on policy, PGP Whole Disk Encryption's single sign-on functionality improves the user experience. "They just boot up with one password to gain access to the machine and to Windows, which makes it easier for them to use the product," Golpariani explains. "Other than the login process, they didn't really notice much change, and they've been very satisfied with the results." In addition, he says managers were relieved to learn about the new laptop encryption solution.

Summary

First Advantage's security director recommends carefully defining project requirements so the final goal is clear. He feels the company's successful deployment was the result of understanding the current architecture, how the PGP solutions fit in, and knowing what future plans might change the architecture and how it would affect the solution. "Planning and data-gathering were really key to starting this project, as well as having the right people available to get answers to questions," Golpariani says.

After First Advantage completes its current deployment, the security director will evaluate the implementation and determine whether to expand the solutions to other locations or other users. Thanks to the extensibility of the PGP Encryption Platform architecture, Golpariani is also considering whether to add PGP® Support Package for BlackBerry®, which provides email encryption for handheld users, to the current line of PGP solutions.