Encryption Forum presentation


  1. Encryption Information Forum
      Theresa A. Masse, State Chief Information Security Officer
      Department of Administrative Services, Enterprise Security Office
  2. Agenda
      • Encryption overview
      • Agency Panel
          • Oregon Department of Transportation
          • Oregon Employment Department
          • Oregon Lottery
      • Statewide Contracts
      • Q&A
  3. Encryption Overview
      • Richard Woodford, Security Analyst
      • Enterprise Security Office
      • Department of Administrative Services
  4. What is encryption?
      • “In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.”
      • -Wikipedia (2008)
  5. Need for Encryption …
      • Keep confidential information safe
      • Prevent exposure of information while in transit across an unsecure medium
      • Prevent exposure of information when a storage device is lost or stolen
      • Oregon Identity Theft Protection Act (Senate Bill 583) “safe harbor”
      • Due care
  6. Oregon Consumer Identity Theft Protection Act
      • Senate Bill 583 (2007 Legislative session)
          • “… one or more of the following data elements, when the data elements are not rendered unusable through encryption”
              • First name, last name
              • Social Security number, driver's license number, passport, financial account number, credit card number
  7. “Safe Harbor”
      • What’s good enough?
      • VJKU KU GPETARVGF
          • Cipher – alphabetically shifted
          • Key – +2
      • SB 583 does not specify strength
      • Reasonable care
          • “Strong encryption” – 128-bit
          • Common minimum standard is FIPS 140-2 (see http://csrc.nist.gov)
  8. Other Drivers
      • All applicable regulations should be examined for requirements
          • HIPAA
          • Payment Card Industry (PCI) requirements
          • Sarbanes-Oxley
          • Statewide policies
              • Information Asset Classification
              • Transporting Information Assets
              • Controlling Portable and Removable Devices
          • Department policies
  9. Other Drivers
      • Other considerations
          • Mitigation costs
          • Public trust
  10. When to Use Encryption
      • In any case where data could be at risk from theft or eavesdropping
          • Wireless networks
          • Transmitting data over public network (e.g. the Internet)
              • Web pages (SSL)
              • E-mail
          • Data at Rest
              • Portable devices
                  • Laptops
                  • Thumb drives
  11. When to Use Encryption
      • Any device at risk of theft or exposure
      • Extra-sensitive data
  12. Data at Rest
      • Hardware based
          • Built in to the hardware device
          • Advantages
              • Automatically encrypts data
              • Fast
          • Disadvantages
              • Proprietary
              • Lack of central management
  13. Data at Rest
      • Software based
          • Advantages
              • Lower cost
              • Does not require specific hardware
          • Disadvantages
              • Need to install, activate and manage it, make sure it’s being used
  14. Software Solutions
      • File based (PGP, Winzip)
          • Done on a file-by-file basis (only protects file)
          • Not automatic
          • Dependent on end-user
      • Volume based (TrueCrypt)
          • An encrypted “virtual drive” is created
          • All files written are encrypted automatically
          • Does not necessarily encrypt all files – for example, Windows system files, security files, temp files …
  15. Software Solutions
      • Disk based (whole-disk encryption)
          • Encrypts entire drive (most secure)
          • Automatic; transparent to the user
          • But … if you lock yourself out, you’re in trouble
              • Need administrative control
  16. Key Management
      • Elephant in the room – the only other requirement set forth by the Department of Defense policy
          • “Mechanism to recover data if the primary encryption system fails”
          • Need for the organization to keep control of the keys rather than individuals
              • Lost passwords
              • Lost individuals
              • Access control (control of data, investigations)
  17. Bad Practices
      • Data encrypted with a single-key system is a security risk to the organization
      • Added note…
          • “If I accidentally leave my computer unlocked and someone gets it, I don’t have to worry because the hard disk is encrypted…”
          • Risk of sleeping
          • Full disk encryption vulnerability
          • Turn systems off
          • Bad practices trump good security
  18. ESO Recommendations
      • Develop agency-wide strategy and approach to encryption
      • Centralize key management and recovery processes
      • Do some research and planning
      • When justifying cost, consider cost of data disclosures, lost data and reputation
      • Look for group purchase opportunities
  19. Some Good Products
      • http://www.guardianedge.com/shared/sb_overview.pdf
      • http://www.pgp.com/products/wholediskencryption/index.html
      • http://www.checkpoint.com/products/datasecurity/protector/index.html
      • http://www.safeboot.com/
  20. Agency Panel
      • Cindy Slye, Oregon Department of Transportation
      • Marty Liddell, Oregon Employment Department
      • John McKean, Oregon Lottery
  21. Agency Panel
      • Cindy Slye, Project Manager
      • Oregon Department of Transportation
  22. Business Drivers
      • New DAS EIS Policies:
          • Information Security
          • Employee Security
          • Controlling Portable and Removable Storage Devices
          • Transporting Confidential Information
  23. Business Drivers
      • Compliance with:
          • Regulated mandates – Federal Motor Carrier Safety Administration (FMCSA)
          • Senate Bill 583
          • ODOT policies and guidelines
  24. Project Objective
      • Find the best data encryption product that can protect sensitive data by:
          • Securing information on mobile devices
          • Securing information on removable devices
          • Providing the best comprehensive solution to cover all areas
          • Simplifying deployment, maintenance and data backup
  25. How Does It Align With Our Goals?
      [Diagram labels]
      • ODOT IT Strategic Plan
      • Senate Bill 583
      • DAS Policy: Controlling Portable and Removable Storage Devices
      • Federal Motor Carrier Safety Administration
      • ODOT Security Fabric Initiative
      • Protect, Manage (shown three times)
  26. Consequences
      • What are the consequences of compromising sensitive information?
          • Negative publicity
          • Loss of customer confidence
          • Damaged reputation
          • Financial loss
  27. Safe Harbor Provision
      • Data encryption is the most effective solution for safeguarding sensitive electronic data
      • Data encryption is identified as an acceptable “Safe Harbor” approach in providing privacy assurances
          • If the information is properly encrypted:
              • No further duty
              • It may be assumed that no privacy breach has occurred
              • Risk mitigation approach that limits agency liability
              • Enhances trust in the event of a security breach
  28. Candidates We Considered
  29. Why Guardian Edge?
      • Guardian Edge clearly met ODOT business requirements:
          • Strong Active Directory Integration
          • Ease of Use
          • Robust Management Console (MMC)
          • Facilitates Compliance with DAS and ODOT Security Policies
  30. Magic Quadrant for Mobile Data Protection
  31. Project Timeline
      Date: Milestone
      • January 2007: Project Kick-off
      • June 2007: Opportunity Evaluation approval
      • July 2007: Product evaluations and pilot
      • September 2007: Product selection
      • October 2007: ICOI presentation, ADM approvals
      • December 2007: ODOT and DAS CIO approval, IRR approval
      • April 2008: ASAP Order Confirmation
      • May 2008: First Phase Motor Carrier Pilot Deployment
      • TBD: Remaining Motor Carrier Deployments
      • TBD: Financial Services Deployment
  32. Lessons Learned
      • Things to consider:
          • What value (strategic and operational) should this project create?
          • Organize the work and follow a process
          • Understand the priority given other work
          • Plan for risk – how to avoid and prepare for it
          • What will motivate people to adopt this change?
              • Set expectations
              • Communication
              • Training
  33. Agency Panel
      • Marty Liddell, Infrastructure Architect
      • Oregon Employment Department
  34. What made OED encrypt
      • Response to Senate Bill 583
      • Significant amount of personally identifiable information including SSN, name, address, DOB
      • Information collected is required to provide services
      • Many staff use mobile computing devices including laptops to collect information
      • ITS is committed to protecting the information assets of the agency
  35. Requirements
      • Ability to encrypt full hard drive
      • Ease of internal support
      • Key management
      • Recoverable Keys when agents are in field
      • Ability to easily integrate into existing architecture
      • Ease of use by end user
  36. Process of choosing product
      • Researched products
          • Guardian Edge
          • Pointsec
              • Demo products
              • Pilot product
  37. Decision points
      • Integration into Active Directory
      • Single sign-on Capability
      • Familiarity with administration toolset
      • Key management
          • Security questions
          • One-time password reset
          • Recoverable hard drive in case of investigation
  38. Deployment
      • Created security groups in Active Directory
      • Automatically installed software client on PC when customer logged in
      • Monitor progress
      • Don’t forget helpdesk and end user training!
  39. Lessons learned
      • Do NOT double encrypt a computer
          • Very bad (total loss of data)
          • Angry user
      • Provide good documentation to the end user
      • Define a process for shared computer resources
  40. Moving forward
      • GE Removable Storage Encryption
      • GE Device Control
      • Remote file server encryption
      • Desktop encryption
      • Email encryption
  41. Agency Panel
      • John McKean, Sr. Systems Security Admin.
      • Oregon Lottery
  42. PGP Universal Server
      • Key Management
      • Centralized Policy Enforcement
      • Whole Disk Encryption (deployed)
      • Desktop Email Encryption (future)
      • Gateway Email (Future)
          • Transparent to user
          • Encrypts automatically at the gateway
          • Requires recipient to have similar technology
  43. The “USB Problem”
      • Easily lost or stolen
      • Lottery USBs have onboard encryption
      • Non-Lottery USBs not allowed!
      • TriGeo SIM (Security Information Manager)
          • Logs all USB access
          • Enforces Lottery USB Policy
  44. Electronic Rights Management Defined
      • Secures content with strong encryption
      • Protection cannot be removed
      • Controls and audits data access:
          • Read, Modify, Print, Screen Capture, Paste, Copy, E-Mail, Network transfer
      • Users work normally using their existing applications
      • Defines authorized uses through workflows, directory groups, and user
  45. Where ERM Fits In
      [Diagram labels]
      • Data states: Data at Rest, Data in Motion, Data in Use
      • Granularity of Controls: Usage, Access
      • Secure Transport/Delivery: SSL, Postx, PGP
      • PKI Products: Entrust, PGP, Voltage
      • Enterprise Content Management: DCTM, LiveLink, SharePoint
      • Content Filtering and Monitoring: Vericept, Vontu, Orchestria, Verdasys
      • Enterprise Rights Management: Liquid Machines, Microsoft RMS, Others
      • Full Disk Encryption: EFS, Pointsec
      • Network Security Tools: Firewalls, VPNs, ACLs
  46. Considerations when selecting an ERM
      • User Experience
      • User adoption is the most important factor
      • Expect resistance if difficult to use
      • Protection goals must be enforced automatically
      • Users must be aware protection is in effect
      • Users want to work normally
  47. How ERM Works
      [Diagram labels; steps are numbered 1 to 3 in the diagram]
      • Content protected at rest or in transit
      • ERM Server
      • Content encrypted and usage rights applied
      • Read Only
      • Read & Print
      • Read, Edit, Print, & Offline enabled with expiration
      • Connection required for offline renewal
      • Content protected in use
      • ECM System, LOB App, File server
  48. Statewide Contracts
      • Price Agreement #2257 – ASAP Software Express
      • Mandatory for state agency purchase of shrink-wrapped (out of the box) desktop software
      • SPO Contact: Chris Mahoney, (503) 378-2998, [email_address]
      • ASAP Contact: Brad Hickey, (888) 883-1025, [email_address]
  49. For further information …
      • Theresa Masse, DAS Enterprise Security Office (503) 378-4896, [email_address]
      • Richard Woodford, DAS Enterprise Security Office (503) 378-4518, [email_address]
      • Cindy Slye, Department of Transportation (503) 986-3234, [email_address]
      • Marty Liddell, Employment Department (503) 947-1627, [email_address]
      • John McKean, Oregon Lottery (503) , [email_address]
  50. Next Forum …
      • Information Security Plans
      • Tools and Techniques
      • Panel Presentation
      • June 23, 2008
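
An added example (not part of the original presentation) for slide 7's question of what is "good enough": the +2 alphabetic shift shown there has only 25 usable keys, so the key is recovered by trying each one, while a 128-bit key has 2^128 possibilities. The word list used to score candidates is constructed for this example.

```python
import math
import string

ALPHABET = string.ascii_uppercase
# Constructed list of common English words, used only to score candidates.
COMMON_WORDS = {"THE", "THIS", "IS", "AND", "OF", "TO", "IN", "THAT", "IT", "FOR"}

SLIDE_CIPHERTEXT = "VJKU KU GPETARVGF"  # ciphertext shown on slide 7


def shift(text: str, k: int) -> str:
    """Shift each letter k places (negative k shifts back); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def recover_key(ciphertext: str):
    """Try all 25 non-trivial keys; return (key, plaintext) with the most known words."""
    best_key, best_text, best_score = 0, ciphertext, -1
    for k in range(1, 26):
        candidate = shift(ciphertext, -k)
        score = sum(word in COMMON_WORDS for word in candidate.split())
        if score > best_score:
            best_key, best_text, best_score = k, candidate, score
    return best_key, best_text


def keyspace_bits(n_keys: int) -> float:
    """Effective key length in bits for a cipher with n_keys possible keys."""
    return math.log2(n_keys)


if __name__ == "__main__":
    key, plaintext = recover_key(SLIDE_CIPHERTEXT)
    print(f"key=+{key} plaintext={plaintext!r}")
    print(f"shift cipher: {keyspace_bits(25):.1f} bits of key")
    print(f"128-bit key space is 2**128 = {2**128:.3e} keys")
```

The shift cipher carries under 5 bits of key, which is why the slide pairs "SB 583 does not specify strength" with a 128-bit, FIPS 140-2 baseline.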