Deployment Strategies for Effective Encryption
InfoSec World conference 2012

Presentation Transcript

Slide 1: Deployment Strategies for Effective Encryption
Session E5, Tuesday April 3, 2012, 9:45AM - 10:45AM
Ben Rothke, CISSP CISM, Wyndham Worldwide - Manager - Information Security

MIS Training Institute Session E5 - Slide 2: About me
• Ben Rothke, CISSP, CISM, CISA
• Manager - Information Security - Wyndham Worldwide
• All content in this presentation reflects my views exclusively and not those of Wyndham Worldwide
• Author - Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)
• Write the Security Reading Room blog: https://365.rsaconference.com/blogs/securityreading

Slide 3: Overview
• Encryption internals are built on complex mathematics and number theory
• Your successful encryption program requires a CISSP, CISA and PMP, not necessarily a PhD
• Effective encryption requires attention to detail and good design, combined with good project management and documentation
• Your encryption strategy must reflect this

Slide 4: It’s 2012 – where’s the encryption?
• Many roll-outs are nothing more than stop-gap solutions
• Getting it done often takes precedence over key management, documentation, processes, etc.
• Many organizations lack the required security expertise
• These and more combine to keep encryption from being ubiquitous
• Adds up to a significant need for encryption deployment strategies

Slide 5: Encryption strategy in 3 easy steps
1. Define your requirements
2. Know where your sensitive data resides
3. Create detailed implementation plans
• When implementing your encryption strategy, remember that information security is a process, not a product.

Slide 6: Typical encryption nightmare scenario
• Monday 9AM – Audit report released to CEO
  ◦ Numerous failings, namely lack of strong encryption
• Monday 11AM – CEO screams at CIO
• Monday Noon – CIO screams at CISO
• Monday 2PM – CISO screams at staff
• Tuesday – With a blank check, CISO tells info security manager to order encryption equipment ASAP
• Thursday – Security team spends two days and nights installing/configuring encryption hardware and software
• Six months later – Complete disarray with regard to encryption key management. CEO screams at CIO, who fires the CISO.
• Next day – Interim CISO tells team to get encryption working by the weekend
Slide 7: Encryption nirvana scenario
Diagram (roadmap). Phase groups shown: Define Drivers, Data Classification, Policy Definition, Policy; Strategy, Data Mapping, Risk Modeling, Control Gaps; Implementation, Management, Audit, Deployment. Initial Drivers (Business, Technical, Regulatory) feed in; the outcome is labelled Effective Encryption.
Slide 8: Encryption challenges
• Operating systems and application vendors haven’t made it easy and seamless to implement encryption
• Lack of legacy support
• Laws often conflict or fail to provide effective guidance
• Far too few companies have encryption policies and/or a formal encryption strategy
• Costs / Performance
  ◦ up-front and on-going maintenance costs
  ◦ performance hit
  ◦ added technical staff

Slide 9: Encryption – a double-edged sword
Diagram: at one extreme, "No one, not even NSA, CIA, KGB, or evil hacker, can read your data"; at the other, "No one, including you, can read your data"; an Effective Encryption Strategy sits between the two.

Slide 10: Common deployment mistakes
• Thinking encryption is plug and play
  ◦ Hardware is PnP
  ◦ making encryption work is not
• Going to a vendor too early
  ◦ vendors sell hardware/software
  ◦ you need requirements, project plans, implementation guides, etc.

Slide 11: More common deployment mistakes
• Not being transparent to end users
  ◦ if it’s a pain to use, they will ignore/go around it
• Not giving enough time to design/test
  ◦ effective encryption roll-outs take time
  ◦ they require significant detail
  ◦ you can’t rush this!

Slide 12: Dealing with vendors
• When you drive the project
  ◦ you define the requirements
  ◦ you have chosen them
  ◦ vendors provide best practices / assistance
  ◦ vendor input can be invaluable
  ◦ project succeeds
• When they are brought in as the experts
  ◦ they are expected to put out a fire
  ◦ they spec out their product
  ◦ you don’t have internal expertise working with them
  ◦ project fails

Slide 13: Technically advanced airplane paradox
• Technically advanced airplanes (TAA) in theory have more available safety, but without proper training for their pilots, they could be less safe than airplanes with less available safety
• FAA found that without proper training for the pilots who fly them, technically advanced airplanes don’t advance safety at all
• TAA present challenges that under-prepared pilots might not be equipped to handle
• Encryption is exactly like a TAA
  ◦ Your staff must be trained and prepared

Slide 14: Encryption Strategy
• Mathematics of cryptography is rocket science
  ◦ But most aspects of information security, compliance and audit are not!
• Good computer security is attention to detail and good design, combined with effective project management
• Enterprise encryption strategy must reflect this
  ◦ not everyone will need encryption across the board
  ◦ policies need to be determined first as to what requires encryption

Slide 15: What should the strategy include?
• laptop encryption
• database encryption
• network encryption
• smart cards
• mobile encryption
• wireless encryption
• smart phones
• iPad/iPod/iPhone
• application encryption
• storage encryption
• PDAs
• USB
• floppies/CD-ROM/DVD
• emerging technologies

Slide 16: Strategy prioritization
• Prioritize based on specific requirements and compensating controls
  ◦ start with the assumption that data needn’t be encrypted unless there’s a specific requirement to encrypt, or
  ◦ identify high-risk situations where encrypting data will avert disaster
• Encrypting where there is no requirement brings:
  ◦ false sense of security
  ◦ takes budget away from more pressing encryption requirements
  ◦ increases administrative burden
  ◦ locked out of your own data
Slide 17: Current state
• Evaluate current encryption strategy and policy
  ◦ In sync with industry security best practices?
  ◦ Encryption framework in place?
  ◦ Policies in place?
• Define what regulations must be complied with
• Document current encryption hardware / software environment
Slide 19: Analyze your encryption needs
• protect data from loss and exposure
• prevent access to the system itself?
• does software need to access the files after encryption?
• does data need to be transported securely? By what means?
• how much user burden is acceptable?
• how strong does the encryption need to be?
• do you need to match the solution to the hardware?
• regulatory, contractual, organizational policy
• ask a lot of questions at this point!

Slide 20: Encryption keys – where art thou?
• VPN connections
• SSL/TLS
• PKI/IdM
• user-generated keys
• file system encryption
• Third parties
• Trusted Platform Module (TPM)
  ◦ built into new desktops and laptops

Slide 21: Drivers
• Business
  ◦ customer trust
  ◦ intellectual property
• Technical
  ◦ AES, PGP, BitLocker, etc.
  ◦ Increase in mobile devices
• Regulatory
  ◦ PCI / SoX / EU / ISO-17799
  ◦ State data breach laws

Slide 22: Documentation and policies
• Encryption must be supported by policies, documentation and a formal system and risk management program
  ◦ Shows work was adequately planned and supervised
  ◦ Demonstrates internal controls were studied and evaluated
• Policy must be:
  ◦ Endorsed by management
  ◦ Communicated to end-users and business partners / 3rd parties that handle sensitive data. If they can’t meet the company’s policies, don’t give them access to your data
• Encryption responsibility should be fixed, with consequences for noncompliance

Slide 23: Encryption processes
• Encryption is process intensive
  ◦ Must be well-defined and documented
  ◦ If not implemented and configured properly, can cause system performance degradation or operational hurdles
• Improperly configured encryption processes give a false sense of security
  ◦ Perception that confidentiality of sensitive information is protected when it’s not

Slide 24: Data classification
• Provides users with information to guide security-related information handling
  ◦ process must align with business processes
• classification is dynamic
  ◦ changes as data objects move from one class to another
  ◦ changes as business strategies, structures and external forces change
• understand the potential for change
  ◦ embed appropriate processes to manage it

Slide 25: Data classification drivers
• Compliance, discovery, archiving, never-delete retention policy, performance, availability, recovery attributes…
• Gartner: Organizations that do not have an effective data classification program usually fail at their data encryption projects.
• Example classification schemes:
  ◦ Four-category: Secret, Confidential, Private, Unclassified
  ◦ Five-category: Top Secret, Highly Confidential, Proprietary, Internal Use Only, Public

Slide 26: Encryption strategy
• Identify all methods of data input/output
  ◦ storage media
  ◦ business partners and other third parties
  ◦ applicable regulations and laws
• high-risk areas
  ◦ laptops
  ◦ wireless
  ◦ data backups
  ◦ others

Slide 27: Data discovery
• Identify precisely where data is stored and all data flows
• System-wide audit of all data repositories
  ◦ significant undertaking for large enterprises
  ◦ process can take months
• Required to comply with PCI?
  ◦ confirm you are not storing PCI-prohibited data
  ◦ manually review data flows within the POS application to find files where the results of card swipes are written
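The PCI part of data discovery on this slide (confirm no prohibited cardholder data is stored; find the files a POS application writes swipe results to) can be partly automated. The Go program below is an added example, not code from the presentation or from any vendor it names. It scans a few constructed sample files (a POS swipe log, an application config file, a phone list; the file names and contents are invented for the example, and the card numbers are well-known test PANs, not real cards), keeps only the 13-19 digit runs that pass the Luhn check so that invoice numbers and phone numbers drop out, and reports each hit with the PAN masked to its last four digits.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample files standing in for what a discovery sweep would read from
// disk: a POS swipe log, an application config file and an unrelated text file.
// The 16-digit numbers are public test PANs, not real cards.
var sampleFiles = map[string]string{
	"pos/swipe.log":  "2012-04-03 09:45:01 swipe ok track2=4111111111111111=1512101\n2012-04-03 09:46:10 swipe ok masked=************1111\n",
	"app/config.ini": "db_host=db01\ninvoice_id=4111111111111112\n",
	"hr/phones.txt":  "front desk +1 555 0100 4242\n",
}

// panCandidate matches 13-19 digit runs, allowing a single space or dash between digits.
var panCandidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// Finding records a Luhn-valid PAN found at rest, masked to its last four digits.
type Finding struct {
	File   string
	Line   int
	Masked string
}

// luhnValid returns true when the digit string passes the Luhn check, which
// filters out most digit runs (invoice numbers, IDs) that merely look like PANs.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// scanText reports every Luhn-valid PAN candidate in text, line by line.
func scanText(name, text string) []Finding {
	var out []Finding
	strip := strings.NewReplacer(" ", "", "-", "")
	for i, line := range strings.Split(text, "\n") {
		for _, m := range panCandidate.FindAllString(line, -1) {
			digits := strip.Replace(m)
			if !luhnValid(digits) {
				continue
			}
			masked := strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
			out = append(out, Finding{File: name, Line: i + 1, Masked: masked})
		}
	}
	return out
}

// scanAll walks the file map in a stable order so reports are reproducible.
func scanAll(files map[string]string) []Finding {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []Finding
	for _, n := range names {
		out = append(out, scanText(n, files[n])...)
	}
	return out
}

func main() {
	for _, f := range scanAll(sampleFiles) {
		fmt.Printf("%s:%d stores a Luhn-valid PAN %s\n", f.File, f.Line, f.Masked)
	}
}
```

On the sample data only the swipe log is reported: the config file's invoice number fails the Luhn check and the phone number is too short, which is the difference between a discovery tool that auditors can act on and one that drowns them in false positives. In a real sweep the map would be replaced by a directory walk, and the masked output is what should go into the report, never the full PAN.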
Slide 28: Data-flow definition

Slide 29: Requirements analysis
• Define business, technical, and operational requirements and objectives for encryption
  ◦ define policies, architecture, and scope of encryption requirements
  ◦ conduct interviews, review policy documents, analyze current and proposed encryption strategy to identify possible security gaps
  ◦ determine liabilities
• Better requirements definition directly correlates to a successful encryption program

Slide 30: Legacy systems
• Most legacy systems were not designed for encryption
• Legacy encryption options
  ◦ retrofitting the application so that encryption is built in to application functions
  ◦ using an encryption appliance that sits between app and database
  ◦ off-loading encryption to the storage mechanism or database
• Hardest platform – AS/400

Slide 31: Full-disk / host-based encryption (at rest)
• Data encrypted at creation
  ◦ first possible level of data security
  ◦ little chance of encrypted data being intercepted, accidentally or maliciously
  ◦ if intercepted, encryption renders it unreadable
• can significantly increase processing overhead
  ◦ requires additional processing power/expense
• highly secure and well-suited to active data files
• large-scale data encryption can be unwieldy and impact performance
• Vendors: Microsoft, Check Point, PGP, TrueCrypt
Slide 33: Appliance-based encryption
• Data leaves the host unencrypted, then goes to a dedicated appliance for encryption
  ◦ after encryption, data enters the network or storage device
• quickest to implement, but can be costly
• can be easy to bypass
• good quick fix
• for extensive data storage encryption, the cost and management complexity of encrypting in-band can increase significantly
• Vendors: NetApp, Thales/nCipher

Slide 34: Storage device encryption
• Data transmitted unencrypted to the storage device
• easiest integration into existing backup environments
  ◦ supports in-device key management
  ◦ easy to export encrypted data to tape
• easy to implement and cost-effective
• best suited to static and archived data, or to encrypting large quantities of data for transport
• large numbers of devices can be managed from a single key management platform
• Vendors: EMC, IBM, Hitachi

Slide 35: Tape-based encryption
• Data can be encrypted on the tape drive
  ◦ most secure solution
  ◦ no performance penalty
  ◦ easy to implement
• provides protection from both offsite and on-premise information loss
  ◦ enables secure shipment of data
  ◦ allows secure reuse of tapes
• Vendors: Thales, HP, CA, Brocade, NetApp

Slide 36: Database encryption
• DBMS-based encryption is vulnerable when the key used to encrypt the data in a DB table is itself stored inside the DB, protected only by native DBMS access controls
  ◦ users who have access rights to the encrypted data often have access rights to the encryption key
  ◦ this creates a security vulnerability because the encrypted text is not separated from the means to decrypt it
  ◦ it also doesn’t provide adequate tracking or monitoring of suspicious activities

Slide 37: Database encryption
Inside DBMS:
• Least impact on app
• Security vulnerability – encryption key stored in database table
• Performance degradation
• To separate keys, additional hardware required, e.g., HSM
Outside DBMS:
• Removes computational overhead from DBMS and application servers
• Separates encrypted data from the encryption key
• Communication overhead
• Must administer more servers
Slide 38: Key Management (KM)
• Generation, distribution, storage, recovery and destruction of encryption keys
• encryption is 90% management and policy, 10% technology
• most encryption failures are due to ineffective KM processes
• 80% of the 22 SAP testing procedures related to encryption are about KM
• effective KM policy and design requires significant time and effort

Slide 39: The n² Problem
• With symmetric cryptography, as the number of users increases, the number of keys required increases rapidly
• For a group of n users, there need to be ½ (n² - n) keys for total communications
• As the number of parties (n) increases, the number of symmetric keys becomes unreasonably large for practical use

Users   ½ (n² - n)               Shared key pairs required
2       ½ (4 - 2)                1
3       ½ (9 - 3)                3
10      ½ (100 - 10)             45
100     ½ (10,000 - 100)         4,950
1000    ½ (1,000,000 - 1,000)    499,500

Slide 40: Key management questions
• how many keys do you need?
• where are keys stored?
• who has access to keys?
• how will you manage keys?
• how will you protect access to encryption keys?
• how often should keys change?
• what if a key is lost or damaged?
• how much key management training will we need?
• how about disaster recovery?

Slide 41: PCI DSS key management requirements
• PCI DSS v2.0 requirement 3.6
  ◦ generation of strong keys
  ◦ secure key distribution
  ◦ periodic key changes
  ◦ destruction of old keys
  ◦ dual control of keys
  ◦ replacement of compromised keys
  ◦ key revocation

Slide 42: Key Management
• Keys must be accessible for the data to be accessible
  ◦ If too accessible, higher risk of compromise
• Reliability
  ◦ An outage in the key management system will prevent the business from functioning
• Centralized key management
  ◦ Can help simplify key management for multiple applications

Slide 43: Key generation and destruction
Generation:
• FIPS 140-2 validated cryptographic module
• distribution
  ◦ manual
  ◦ electronic
• backup/restore
• split knowledge
Destruction:
• Getting rid of keys is just as detailed as creating them
• Processes must deal with keys stored on:
  ◦ hard drives
  ◦ USB
  ◦ EPROM
  ◦ third parties
• facilities must exist to destroy hard copies of keys, both on paper and in hardware
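Slides 36 and 37 make one design point (the key that decrypts a table must not live in that table under the same access controls) and slides 38 to 43 add the lifecycle around it: generation, periodic key change, and destruction of old keys. The Go program below is an added example that ties those together; it is not code from the presentation or from any product it names. An in-memory KeyStore stands in for an HSM or key server outside the DBMS (an assumption of the example). Each record gets its own data-encryption key (DEK) that is stored only wrapped under a versioned key-encryption key (KEK); the database row carries the wrapped DEK and the KEK version number, never KEK bytes. RotateKEK implements periodic key change by re-wrapping DEKs without touching the bulk ciphertext, and DestroyKEK shows why a retired KEK may only be destroyed after every record has been re-wrapped. All type and function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is the database row: ciphertext plus the per-record DEK, stored only
// wrapped under a KEK that is held outside the DBMS.
type Record struct {
	KEKVersion int // which KEK wrapped the DEK; KEK bytes themselves are never stored
	WrappedDEK []byte
	Ciphertext []byte
}

// KeyStore stands in for an HSM or key server (an assumption of this example).
type KeyStore struct {
	keks    map[int][]byte
	current int
}

func NewKeyStore() *KeyStore {
	ks := &KeyStore{keks: map[int][]byte{}}
	_ = ks.RotateKEK(nil) // creates KEK version 1; cannot fail with no records
	return ks
}

// randomBytes draws from the OS CSPRNG; a failing CSPRNG is treated as fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts with AES-256-GCM under a fresh random 96-bit nonce, prefixed to
// the output. The cipher constructors cannot fail for the 32-byte keys used here.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; the GCM tag check fails closed on a wrong key or tampering.
func open(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Encrypt gives the record its own DEK and stores it only wrapped under the current KEK.
func (ks *KeyStore) Encrypt(plaintext []byte) Record {
	dek := randomBytes(32)
	return Record{ks.current, seal(ks.keks[ks.current], dek), seal(dek, plaintext)}
}

// unwrap recovers a record's DEK; it fails once the named KEK version is destroyed.
func (ks *KeyStore) unwrap(r Record) ([]byte, error) {
	kek, ok := ks.keks[r.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is not available", r.KEKVersion)
	}
	return open(kek, r.WrappedDEK)
}

func (ks *KeyStore) Decrypt(r Record) ([]byte, error) {
	dek, err := ks.unwrap(r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

// RotateKEK issues a new KEK version and re-wraps each record's DEK under it; the
// bulk ciphertext is untouched, which is what keeps periodic key change cheap.
func (ks *KeyStore) RotateKEK(records []*Record) error {
	kek := randomBytes(32)
	ks.current++
	ks.keks[ks.current] = kek
	for _, r := range records {
		dek, err := ks.unwrap(*r)
		if err != nil {
			return err
		}
		r.WrappedDEK, r.KEKVersion = seal(kek, dek), ks.current
	}
	return nil
}

// DestroyKEK retires a KEK version (a real HSM would zeroise it); anything still
// wrapped under it is unrecoverable, so re-wrap with RotateKEK first.
func (ks *KeyStore) DestroyKEK(version int) {
	delete(ks.keks, version)
}
```

The intended order of operations is Encrypt, then RotateKEK over every stored record, then DestroyKEK on the old version; a record bound to a KEK version that was destroyed before it was re-wrapped is the "locked out of your own data" outcome from slides 9 and 16. Because the data ciphertext never changes during rotation, the periodic key change that PCI DSS 3.6 asks for costs one small re-wrap per row rather than a full re-encryption.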
Slide 44: OASIS Enterprise Key Management Infrastructure (EKMI)
• Focused on standardizing management of symmetric encryption cryptographic keys across the enterprise within a symmetric KM system
• Working on creation of:
  ◦ Symmetric Key Services Markup Language (SKSML) protocol
  ◦ Implementation and operations guidelines for an SKMS
  ◦ Audit guidelines for auditing an SKMS
  ◦ Interoperability test-suite for SKSML implementations
• www.oasis-open.org/committees/ekmi

Slide 45: For more information
• Guideline for Implementing Cryptography in the Federal Government
  http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf
• Cryptographic Toolkit
  http://csrc.nist.gov/groups/ST/toolkit/index.html
• Recommendation for Key Management
  http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
• Encryption Strategies: The Key to Controlling Data
  www.oracle.com/encryption/wp/encryption_strategies_wp.pdf
Slide 46: Books

Slide 47: Summary
• Organizations that do not have an effective data classification program usually fail at their data encryption projects
• Creating an effective deployment strategy is the difference between strong encryption and an audit failure
• Encryption is about attention to detail, good design and project management

Slide 48: Contact info
Ben Rothke, CISSP CISA
Manager – Information Security, Wyndham Worldwide Corporation
www.linkedin.com/in/benrothke
www.twitter.com/benrothke
www.slideshare.net/benrothke