The CDO Agenda - Data Security and Encryption
 


If you're not terrified, you're not paying attention.

Every organization in the world, large and small, should be concerned about data security. Virtually every week there is a well-publicized and embarrassing data breach that reminds us how important it is to protect both customer and enterprise information.

Tools and techniques exist to help with managing identity, authentication, and authorization. Encryption is also an effective way of making it harder for people to steal your secrets. But it isn't magical, it isn't foolproof and, depending on how you use it, it may be completely useless. You don't have to understand the math (although that will help), but you do have to understand what encryption will and won't do for you.

Data and web security today
Protecting data in transit
Protecting data at rest
What advantage does Encryption provide?
How can you build encrypted data protection into your software and systems?
Are there business trade-offs?
Implications for specific industries (financial, health)

Usage Rights

CC Attribution-NonCommercial-NoDerivs License
Presentation Transcript

  • www.cdovision.com. Moderator: Tony Shaw, CEO, DATAVERSITY. Speaker: Brian Sletten, President, Bosatsu Consulting, Inc. #CDOVision. Sponsored today by:
  • CDO Agenda: Data Security and Encryption. Brian Sletten, @bsletten, 07/01/2014
  • Speaker Qualifications
    · Specializes in next-generation technologies
    · Author of "Resource-Oriented Architecture Patterns for Webs of Data"
    · Speaks internationally about REST, Semantic Web, Security, Visualization, Architecture
    · Has worked in the Defense, Finance, Retail, Hospitality, Video Game, Health Care and Publishing industries
    · One of the Top 100 Semantic Web People
  • Agenda
    · Intro
    · Encryption
    · The World We Live In
    · Secure Systems
  • Intro
  • "Whoever thinks his problem can be solved using cryptography, doesn't understand his problem and doesn't understand cryptography." (Roger Needham / Butler Lampson)
  • Scytale (image, CC BY-SA 3.0, http://en.wikipedia.org/wiki/Scytale)
  • Shift Cipher (ROT13), encrypting: plaintext "Et tu, Brute?" → ciphertext "Rg gh, Oehgr?"
  • Shift Cipher (ROT13), decrypting: ciphertext "Rg gh, Oehgr?" → plaintext "Et tu, Brute?"
  • Caesar cipher (image, CC BY-SA 3.0, http://en.wikipedia.org/wiki/Caesar_cipher)
  • Effective Cryptography
    · Confusion: each ciphertext bit depends on several parts of the key, so the key cannot be recovered piece by piece
    · Diffusion: changing one plaintext bit changes about half the ciphertext bits, so statistical structure in the plaintext is spread out
  • Enigma machine (image, CC BY-SA 3.0, http://en.wikipedia.org/wiki/Enigma_machine)
  • Recent Crypto Developments
    · 1970s: Data Encryption Standard (DES)
    · 1970s: Diffie-Hellman(-Merkle) Key Exchange (1976)
    · 1970s: RSA (1977)
    · 1990s: Attacking DES (its 56-bit key fell to exhaustive search in 1998)
    · 2000s: Advanced Encryption Standard (AES, 2001)
  • Attacking Cryptography
    · Cryptanalysis
    · Social Engineering
    · Side Channel Attacks
  • "A cryptosystem should be secure even if the attacker knows all details about the system, with the exception of the secret key. In particular, the system should be secure when the attacker knows the encryption and decryption algorithms." (Kerckhoffs's principle, Auguste Kerckhoffs, 1883)
  • Bulletproof SSL and TLS (book, Ivan Ristić)
  • Encryption
  • Understanding Cryptography: A Textbook for Students and Practitioners (Christof Paar and Jan Pelzl)
  • XTS mode, as used for drive encryption: http://legacy.kingston.com/secure/XTSmostsecureencryption.asp
  • Symmetric Encryption (diagram by Bananenfalter, own work, CC0, via Wikimedia Commons)
  • Data Encryption Standard (DES), a Feistel cipher: http://en.wikipedia.org/wiki/Feistel_cipher
  • Triple DES
  • Advanced Encryption Standard (AES)
  • Asymmetric Encryption (diagram by Bananenfalter, own work, CC0, via Wikimedia Commons)
  • Diffie-Hellman Key Exchange (DHKE)
    · First published asymmetric crypto scheme (1976)
    · Influenced by the work of Ralph Merkle
    · Discovered earlier at GCHQ, but that work was classified (until 1997)
    · Allows two parties to derive a shared secret key over a public channel
    · Based upon the Discrete Logarithm Problem
    · Caveat: the exchange is unauthenticated on its own; a protocol using it must authenticate the public values, or an active attacker can sit in the middle
  • http://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
  • DHKE Uses
    · SSH
    · TLS
    · IPsec
  • Data at Rest and Encryption
    · Context: what is being protected, from whom, and where the keys are held
    · Regulatory Compliance
    · Querying: opaquely encrypted fields cannot be searched, sorted or indexed without decrypting them first
    · Key rotation: plan for it up front; re-encrypting an entire store after the fact is expensive
    · Archival quality: data kept for years must stay decryptable, so the keys (and the algorithms) have to remain available for as long as the data does
  • The World We Live In
  • Known TLS Attacks
    · BEAST
    · CRIME
    · BREACH
    · Lucky Thirteen
    · Heartbleed
    · Note: CRIME and BREACH exploit compression (TLS-level and HTTP-level respectively), Lucky Thirteen is a timing side channel in CBC padding checks, and Heartbleed is an OpenSSL implementation bug rather than a flaw in the TLS protocol
  • Dual_EC_DRBG
    · Dual Elliptic Curve Deterministic Random Bit Generator
    · PRNG algorithm (ISO 18031 and NIST SP 800-90A)
    · In 2007, Shumow and Ferguson showed that whoever chose its constants could have kept a backdoor
    · One of the SP 800-90A DRBGs approved for FIPS 140-2 validation (approved, not required)
    · The 2013 BULLRUN revelations implicated Dual_EC_DRBG
    · NIST now recommends against its use
    · NSA reportedly paid RSA to make Dual_EC_DRBG the default PRNG in BSAFE
    · NSA reportedly asked RSA to add a TLS extension ("Extended Random") that exposes more PRNG output, which makes the backdoor easier to exploit
  • RdRand
    · Intel instruction returning random numbers from an on-chip RNG with its own entropy source
    · Compliant with NIST SP 800-90A, FIPS 140-2 and ANSI X9.82 (per Intel)
    · SP 800-90A defines four approved DRBG mechanisms: CTR_DRBG, Hash_DRBG, HMAC_DRBG and Dual_EC_DRBG (RdRand's output comes from an AES-based CTR_DRBG)
    · Not pulled from Linux: RdRand is mixed into the kernel entropy pool as one input among others, never used as the sole source
    · Pulled from FreeBSD as a direct source: since 2013 its output is fed through the Yarrow PRNG together with other sources rather than used directly
  • Secure Systems
  • "The main objective of secure system design is to make breaking the system more costly than the value of the protected assets, where the 'cost' should be measured in monetary value but also in more abstract terms such as effort or reputation." (Christof Paar and Jan Pelzl, Understanding Cryptography: A Textbook for Students and Practitioners)
  • "[Security Engineering] is about building systems to remain dependable in the face of malice, error, or mischance." (Ross J. Anderson, Security Engineering)
  • Solutions
    · Principle of Least Privilege
    · Defense in Depth
    · Build Security In
  • "Security is an emergent property of your system." (Gary McGraw)
  • Approach (McGraw's three pillars of software security)
    · Risk Management
    · Touchpoints
    · Knowledge
  • Software development artifacts: Requirements and Use Cases → Architecture and Design → Test Plans → Code → Tests and Test Results → Feedback from Deployed Systems, with External Review alongside
  • The seven software security touchpoints (Gary McGraw) mapped onto those artifacts; the number is the touchpoint's rank in order of effectiveness:
    · Requirements and Use Cases: Abuse Cases (5), Security Requirements (6)
    · Architecture and Design: Risk Analysis (2)
    · Test Plans: Risk-based Security Tests (4)
    · Code: Code Review (1)
    · Tests and Test Results: Penetration Testing (3), Risk Analysis (2)
    · Feedback from Deployed Systems: Security Operations (7)
    · External Review spans the whole lifecycle
  • Books
  • https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
  • http://www.crypto-textbook.com
  • Questions? brian@bosatsu.net · @bsletten · http://tinyurl.com/bjs-gplus · bsletten