Deployment Strategies for Effective Encryption
InfoSec World conference 2012

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
622
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
9
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

E5 rothke - deployment strategies for effective encryption

  1. Deployment Strategies for Effective Encryption
     Session E5, Tuesday April 3, 2012, 9:45AM - 10:45AM
     Ben Rothke, CISSP CISM, Wyndham Worldwide - Manager - Information Security
  2. MIS Training Institute Session E5 - Slide 2: About me
     • Ben Rothke, CISSP, CISM, CISA
     • Manager - Information Security - Wyndham Worldwide
     • All content in this presentation reflects my views exclusively and not those of Wyndham Worldwide
     • Author - Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)
     • Write the Security Reading Room blog: https://365.rsaconference.com/blogs/securityreading
  3. Overview
     • Encryption internals are built on complex mathematics and number theory
     • Your successful encryption program requires a CISSP, CISA and PMP, not necessarily a PhD
     • Effective encryption requires attention to detail and good design, combined with good project management and documentation
     • Your encryption strategy must reflect this
  4. It’s 2012 – where’s the encryption?
     • Many roll-outs are nothing more than stop-gap solutions
     • Getting it done often takes precedence over key management, documentation, processes, etc.
     • Many organizations lack the required security expertise
     • These and more combine to obstruct encryption from being ubiquitous
     • Adds up to a significant need for encryption deployment strategies
  5. Encryption strategy in 3 easy steps
     1. Define your requirements
     2. Know where your sensitive data resides
     3. Create detailed implementation plans
     • When implementing your encryption strategy, remember that information security is a process, not a product.
  6. Typical encryption nightmare scenario
     • Monday 9AM – Audit report released to CEO: numerous failings, namely lack of strong encryption
     • Monday 11AM – CEO screams at CIO
     • Monday Noon – CIO screams at CISO
     • Monday 2PM – CISO screams at staff
     • Tuesday – With a blank check, CISO tells the info security manager to order encryption equipment ASAP
     • Thursday – Security team spends two days and nights installing/configuring encryption hardware and software
     • Six months later – Complete disarray with regard to encryption key management. CEO screams at CIO, who fires the CISO.
     • Next day – Interim CISO tells team to get encryption working by the weekend
  7. Encryption nirvana scenario
     (diagram; recoverable labels only: Initial Drivers - Business, Technical, Regulatory; Define Drivers, Data Classification, Policy Definition, Policy; Strategy, Data Mapping, Risk Modeling, Control Gaps; Implementation, Management, Audit, Deployment; Effective Encryption)
  8. Encryption challenges
     • Operating systems and application vendors haven’t made it easy and seamless to implement encryption
     • Lack of legacy support
     • Laws often conflict or fail to provide effective guidance
     • Far too few companies have encryption policies and/or a formal encryption strategy
     • Costs / performance
       • up-front and on-going maintenance costs
       • performance hit
       • added technical staff
  9. Encryption – a double-edged sword
     (diagram: a spectrum running from “No one, not even NSA, CIA, KGB, or evil hacker, can read your data” to “No one, including you, can read your data”, with Effective Encryption Strategy positioned between the two extremes)
  10. Common deployment mistakes
     • Thinking encryption is plug and play
       • hardware is PnP; making encryption work is not
     • Going to a vendor too early
       • vendors sell hardware/software
       • you need requirements, project plans, implementation guides, etc.
  11. More common deployment mistakes
     • Not being transparent to end users
       • if it’s a pain to use, they will ignore/go around it
     • Not giving enough time to design/test
       • effective encryption roll-outs take time and require significant detail
       • you can’t rush this!
  12. Dealing with vendors
     • When you drive the project
       • you define the requirements
       • you have chosen them
       • vendor provides best practices / assistance
       • vendor input can be invaluable
       • project succeeds
     • When they are brought in as the experts
       • they are expected to put out a fire
       • they spec out their product
       • you don’t have internal expertise working with them
       • project fails
  13. Technically advanced airplane paradox
     • TAA in theory have more available safety, but without proper training for their pilots, they could be less safe than airplanes with less available safety
     • FAA found that without proper training for the pilots who fly them, technically advanced airplanes don’t advance safety at all
     • TAA present challenges that under-prepared pilots might not be equipped to handle
     • Encryption is exactly like a TAA
       • your staff must be trained and prepared
  14. Encryption strategy
     • Mathematics of cryptography is rocket science
       • but most aspects of information security, compliance and audit are not!
     • Good computer security is attention to detail and good design, combined with effective project management
     • Enterprise encryption strategy must reflect this
       • not everyone will need encryption across the board
       • policies need to be determined first as to what requires encryption
  15. What should the strategy include?
     • laptop encryption
     • database encryption
     • network encryption
     • smart cards
     • mobile encryption
     • wireless encryption
     • smart phones
     • iPad/iPod/iPhone
     • application encryption
     • storage encryption
     • PDAs
     • USB
     • floppies/CD-ROM/DVD
     • emerging technologies
  16. Strategy prioritization
     • Prioritize based on specific requirements and compensating controls
       • start with the assumption that data needn’t be encrypted unless there’s a specific requirement to encrypt, or
       • identify high-risk situations where encrypting data will avert disaster
     • False sense of security
     • Takes budget away from more pressing encryption requirements
     • Increases administrative burden
     • Locked out of your own data
  17. Current state
     • Evaluate current encryption strategy and policy
       • in sync with industry security best practices?
       • encryption framework in place?
       • policies in place?
     • Define what regulations must be complied with
     • Document current encryption hardware / software environment
     (diagram callout: Define Drivers, Data Classification, Policy Definition, Policy)
  19. Analyze your encryption needs
     • protect data from loss and exposure
     • prevent access to the system itself?
     • does software need to access the files after encryption?
     • data to be transported securely? By what means?
     • how much user burden is acceptable?
     • how strong does the encryption need to be?
     • do you need to match the solution to the hardware?
     • regulatory, contractual, organizational policy
     • ask a lot of questions at this point!
  20. Encryption keys – where art thou?
     • VPN connections
     • SSL/TLS
     • PKI/IdM
     • user-generated keys
     • file system encryption
     • third parties
     • Trusted Platform Module (TPM)
       • built into new desktops and laptops
  21. Drivers
     • Business
       • customer trust
       • intellectual property
     • Technical
       • AES, PGP, BitLocker, etc.
       • increase in mobile devices
     • Regulatory
       • PCI / SOX / EU / ISO-17799
       • state data breach laws
     (diagram callout: Define Drivers, Data Classification, Policy Definition, Policy)
  22. Documentation and policies
     • Encryption must be supported by policies, documentation and a formal system and risk management program
       • shows work was adequately planned and supervised
       • demonstrates internal controls were studied and evaluated
     • Policy must be:
       • endorsed by management
       • communicated to end-users and business partners / 3rd parties that handle sensitive data. If they can’t meet the company’s policies, don’t give them access to your data
     • Encryption responsibility should be fixed, with consequences for noncompliance
     (diagram callout: Define Drivers, Data Classification, Policy Definition, Policy)
  23. Encryption processes
     • Encryption is process intensive
       • must be well-defined and documented
     • If not implemented and configured properly, it can cause system performance degradation or operational hurdles
     • Improperly configured encryption processes give a false sense of security
       • perception that confidentiality of sensitive information is protected when it’s not
  24. Data classification
     • Provides users with information to guide security-related information handling
       • process must align with business processes
     • Classification is dynamic
       • changes as data objects move from one class to another
       • changes as business strategies, structures and external forces change
       • understand the potential for change and embed appropriate processes to manage it
     (diagram callout: Define Drivers, Data Classification, Policy Definition, Policy)
  25. Data classification drivers
     • Compliance, discovery, archiving, never-delete retention policy, performance, availability, recovery attributes…
     • Gartner: Organizations that do not have an effective data classification program usually fail at their data encryption projects.
     • Four-category scheme: Secret, Confidential, Private, Unclassified
     • Five-category scheme: Top Secret, Highly Confidential, Proprietary, Internal Use Only, Public
  26. Encryption strategy
     • Identify all methods of data input/output
       • storage media
       • business partners and other third parties
       • applicable regulations and laws
     • High-risk areas
       • laptops
       • wireless
       • data backups
       • others
     (diagram callout: Strategy, Data Mapping, Risk Modeling, Control Gaps)
  27. Data discovery
     • Identify precisely where data is stored and all data flows
     • System-wide audit of all data repositories
       • significant undertaking for large enterprises
       • process can take months
     • Required to comply with PCI?
       • confirm you are not storing PCI-prohibited data
       • manually review data flows within the POS application to find files where the results of a card swipe are written
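The data-discovery step above (finding files where card-swipe results were written) can be partly automated. The scanner below is an added example, not part of the slide deck: it pulls candidate card numbers out of text lines, drops look-alikes with a Luhn check, flags lines that also carry track-2 data, and reports only a masked PAN. The sample lines and the track-2 string are constructed; the card numbers are the well-known test numbers, not real accounts.

```python
import re

# Constructed sample: lines a POS application might write to a log or flat
# file after a card swipe. 4111... and 5555... are standard test numbers;
# the track-2 string is fabricated for the example.
SAMPLE_LINES = [
    "2012-04-03 09:45:01 swipe ok pan=4111111111111111 exp=0414",
    "2012-04-03 09:45:02 track2=;4111111111111111=14041010000000000000?",
    "2012-04-03 09:46:10 order 1234567890123 total=19.95",
    "2012-04-03 09:47:00 ref=5555555555554444 auth=123456",
    "2012-04-03 09:48:00 masked pan=411111******1111",
]

# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track-2 layout: ';' PAN '=' YYMM expiry ...; full track data must never be stored.
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out order numbers and timestamps that
    merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(line: str) -> list:
    """Return every Luhn-valid candidate PAN found in one line."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def mask(pan: str) -> str:
    """Report first six / last four only, so the finding is not itself a new leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(lines) -> list:
    """Scan file contents; returns (line number, kind, masked PAN) per hit,
    marking lines that also hold track-2 data as 'track2'."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            kind = "track2" if TRACK2_RE.search(line) else "pan"
            findings.append((n, kind, mask(pan)))
    return findings

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

Line 3 (an order number that passes the length test but fails Luhn) and line 5 (an already-masked PAN) produce no findings; the other three lines do.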
  28. Data-flow definition
  29. Requirements analysis
     • Define business, technical, and operational requirements and objectives for encryption
       • define policies, architecture, and scope of encryption requirements
       • conduct interviews, review policy documents, and analyze the current and proposed encryption strategy to identify possible security gaps
       • determine liabilities
     • Better requirements definition directly correlates with a successful encryption program
     (diagram callout: Strategy, Data Mapping, Risk Modeling, Control Gaps)
  30. Legacy systems
     • Most legacy systems were not designed for encryption
     • Legacy encryption options
       • retrofitting the application so that encryption is built into application functions
       • using an encryption appliance that sits between app and database
       • off-loading encryption to the storage mechanism or database
     • Hardest platform – AS/400
  31. Full-disk / host-based encryption (at rest)
     • Data encrypted at creation
       • first possible level of data security
       • little chance of encrypted data being intercepted, accidentally or maliciously
       • if intercepted, encryption renders it unreadable
     • Can significantly increase processing overhead
       • requires additional processing power/expense
     • Highly secure and well-suited to active data files
     • Large-scale data encryption can be unwieldy and impact performance
     • Vendors: Microsoft, Check Point, PGP, TrueCrypt
  33. Appliance-based encryption
     • Data leaves the host unencrypted, then goes to a dedicated appliance for encryption
       • after encryption, data enters the network or storage device
     • Quickest to implement, but can be costly
     • Can be easy to bypass
     • Good quick fix
     • For extensive data storage encryption, cost and management complexity of encrypting in-band can increase significantly
     • Vendors: NetApp, Thales/nCipher
  34. Storage device encryption
     • Data transmitted unencrypted to the storage device
     • Easiest integration into existing backup environments
       • supports in-device key management
       • easy to export encrypted data to tape
     • Easy to implement and cost-effective
     • Best suited to static and archived data, or to encrypting large quantities of data for transport
     • Large numbers of devices can be managed from a single key management platform
     • Vendors: EMC, IBM, Hitachi
  35. Tape-based encryption
     • Data can be encrypted on the tape drive
       • most secure solution
       • no performance penalty
       • easy to implement
     • Provides protection from both offsite and on-premise information loss
       • enables secure shipment of data
       • allows secure reuse of tapes
     • Vendors: Thales, HP, CA, Brocade, NetApp
  36. Database encryption
     • DBMS-based encryption is vulnerable when the key used to encrypt data in a DB table is itself stored inside the DB, protected only by native DBMS access controls
       • users who have access rights to the encrypted data often have access rights to the encryption key
       • creates a security vulnerability because the encrypted text is not separated from the means to decrypt it
       • also doesn’t provide adequate tracking or monitoring of suspicious activities
  37. Database encryption: inside vs. outside the DBMS
     • Inside DBMS
       • least impact on app
       • security vulnerability – encryption key stored in a database table
       • performance degradation
       • to separate keys, additional hardware required, e.g., HSM
     • Outside DBMS
       • removes computational overhead from DBMS and application servers
       • separates encrypted data from the encryption key
       • communication overhead
       • must administer more servers
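The weakness on slides 36 and 37 is easy to see in code. The following is an added example, not from the deck: the "inside" layout keeps the key in a table next to the ciphertext, so one more SELECT gives any database reader the plaintext; the "outside" layout stores only ciphertext plus a key reference, and decryption has to go through a separate key service with its own authorization list. The `KeyService` class is a hypothetical stand-in for an HSM or key server, the HMAC-based stream cipher is a stand-in for a real cipher so the example runs on the standard library alone, and the PAN is a constructed test value.

```python
import hashlib, hmac, os, sqlite3

SAMPLE_PAN = b"4111111111111111"   # constructed test value, not a real account

def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 keystream: a stand-in for a real cipher such as
    AES so the example needs no third-party library. encrypt == decrypt."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

# --- Inside the DBMS: the key lives in a table next to the data it protects ---
def build_inside(conn):
    key, nonce = os.urandom(32), os.urandom(16)
    conn.execute("CREATE TABLE keys (key_id TEXT, key BLOB)")
    conn.execute("CREATE TABLE cards (id INTEGER, key_id TEXT, nonce BLOB, pan_ct BLOB)")
    conn.execute("INSERT INTO keys VALUES ('k1', ?)", (key,))
    conn.execute("INSERT INTO cards VALUES (1, 'k1', ?, ?)",
                 (nonce, toy_cipher(key, nonce, SAMPLE_PAN)))

def read_inside_as_db_user(conn) -> bytes:
    """Any account with SELECT on both tables recovers the plaintext: nothing
    separates the ciphertext from the means to decrypt it."""
    key_id, nonce, ct = conn.execute("SELECT key_id, nonce, pan_ct FROM cards").fetchone()
    (key,) = conn.execute("SELECT key FROM keys WHERE key_id = ?", (key_id,)).fetchone()
    return toy_cipher(key, nonce, ct)

# --- Outside the DBMS: the database stores only ciphertext and a key reference ---
class KeyService:
    """Hypothetical stand-in for an HSM / key server with its own caller list."""
    def __init__(self, allowed_callers):
        self._keys = {"k1": os.urandom(32)}
        self._allowed = set(allowed_callers)

    def get_key(self, caller: str, key_id: str) -> bytes:
        if caller not in self._allowed:
            raise PermissionError(f"{caller} is not authorized for {key_id}")
        return self._keys[key_id]

def build_outside(conn, ks: KeyService):
    nonce = os.urandom(16)
    conn.execute("CREATE TABLE cards (id INTEGER, key_id TEXT, nonce BLOB, pan_ct BLOB)")
    ct = toy_cipher(ks.get_key("payments-app", "k1"), nonce, SAMPLE_PAN)
    conn.execute("INSERT INTO cards VALUES (1, 'k1', ?, ?)", (nonce, ct))

def read_outside(conn, ks: KeyService, caller: str) -> bytes:
    """Decryption now requires the key service to release the key to this caller."""
    key_id, nonce, ct = conn.execute("SELECT key_id, nonce, pan_ct FROM cards").fetchone()
    return toy_cipher(ks.get_key(caller, key_id), nonce, ct)

def demo() -> tuple:
    """(inside: what any DB reader gets, outside: app view, outside: DBA-only view)"""
    inside = sqlite3.connect(":memory:")
    build_inside(inside)
    outside, ks = sqlite3.connect(":memory:"), KeyService({"payments-app"})
    build_outside(outside, ks)
    try:
        dba_view = read_outside(outside, ks, "reporting-dba")
    except PermissionError:
        dba_view = b"<ciphertext only>"
    return read_inside_as_db_user(inside), read_outside(outside, ks, "payments-app"), dba_view
```

The trade-off the slide lists still applies: the outside design adds a network hop per key fetch and another server to administer, which is the "communication overhead" and "more servers" cost.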
  38. Key Management (KM)
     • Generation, distribution, storage, recovery and destruction of encryption keys
       • encryption is 90% management and policy, 10% technology
       • most encryption failures are due to ineffective KM processes
       • 80% of 22 SAP testing procedures related to encryption are about KM
       • effective KM policy and design requires significant time and effort
  39. The n² problem
     • With symmetric cryptography, as the number of users increases, the number of keys required increases rapidly
     • For a group of n users, ½(n² − n) keys are needed for total communications
     • As the number of parties (n) increases, the number of symmetric keys becomes unreasonably large for practical use

     Users   ½(n² − n)               Shared key pairs required
     2       ½(4 − 2)                1
     3       ½(9 − 3)                3
     10      ½(100 − 10)             45
     100     ½(10,000 − 100)         4,950
     1000    ½(1,000,000 − 1,000)    499,500
  40. Key management questions
     • how many keys do you need?
     • where are keys stored?
     • who has access to keys?
     • how will you manage keys?
     • how will you protect access to encryption keys?
     • how often should keys change?
     • what if a key is lost or damaged?
     • how much key management training will we need?
     • how about disaster recovery?
  41. PCI DSS key management requirements
     • PCI DSS v2.0 requirement 3.6
       • generation of strong keys
       • secure key distribution
       • periodic key changes
       • destruction of old keys
       • dual control of keys
       • replacement of compromised keys
       • key revocation
  42. Key Management
     • Keys must be accessible for the data to be accessible
       • if too accessible, higher risk of compromise
     • Reliability
       • an outage in the system will prevent the business from functioning
     • Centralized key management
       • can help simplify key management for multiple applications
  43. Key generation and destruction
     • Generation
       • FIPS 140-2 validated cryptographic module
       • distribution: manual, electronic
       • backup/restore
       • split knowledge
     • Destruction
       • getting rid of keys is just as detailed as creating them
       • processes must deal with keys stored on hard drives, USB, EPROM, and at third parties
       • facilities must exist to destroy hard copies of keys, both on paper and in hardware
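Slides 41 to 43 describe a key lifecycle rather than a single control. The code below is an added example, not from the deck, that walks one data-encryption key through that lifecycle: generation from the OS CSPRNG (standing in for a FIPS 140-2 validated module), split knowledge with dual control via two XOR components, periodic rotation that retires rather than deletes the previous version, replacement of a compromised key, and destruction that overwrites the material while keeping the audit record. Version numbers, state names and the `KeyManager` class are this example's own assumptions.

```python
import os

def generate_key() -> bytes:
    """Generation: 256 random bits from the OS CSPRNG. Stands in for the
    FIPS 140-2 validated module a real deployment would use."""
    return os.urandom(32)

def split_key(key: bytes) -> tuple:
    """Split knowledge: two custodians each hold a component that reveals
    nothing on its own; reconstruction needs both (dual control)."""
    share_a = os.urandom(len(key))
    share_b = bytes(x ^ y for x, y in zip(key, share_a))
    return share_a, share_b

def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(share_a, share_b))

class KeyManager:
    """One logical data-encryption key tracked across versions. States:
    active (encrypt + decrypt) -> retired (decrypt only) -> destroyed;
    compromised blocks all use and triggers an immediate replacement."""
    def __init__(self):
        self.versions = {}   # version number -> {"state": ..., "key": ...}
        self.audit = []      # (actor, event, version) records for the audit phase

    def _log(self, actor, event, version):
        self.audit.append((actor, event, version))

    def rotate(self, actor: str) -> int:
        """Periodic key change: a new version takes over encryption; the old
        active version is retired, not deleted, so existing ciphertext stays readable."""
        for rec in self.versions.values():
            if rec["state"] == "active":
                rec["state"] = "retired"
        version = len(self.versions) + 1
        self.versions[version] = {"state": "active", "key": generate_key()}
        self._log(actor, "rotate", version)
        return version

    def current(self) -> int:
        return next(v for v, rec in self.versions.items() if rec["state"] == "active")

    def key_for_decrypt(self, version: int) -> bytes:
        rec = self.versions[version]
        if rec["state"] not in ("active", "retired"):
            raise PermissionError(f"key version {version} is {rec['state']}")
        return rec["key"]

    def mark_compromised(self, version: int, actor: str) -> int:
        """Replacement of a known or suspected compromised key: refuse further
        use and rotate at once; data under it must then be re-encrypted."""
        self.versions[version]["state"] = "compromised"
        self._log(actor, "compromised", version)
        return self.rotate(actor)

    def destroy(self, version: int, actor: str) -> None:
        """Destruction: overwrite the material; record and audit trail remain."""
        rec = self.versions[version]
        if rec["state"] == "active":
            raise ValueError("retire the key before destroying it")
        rec["key"] = bytes(len(rec["key"]))
        rec["state"] = "destroyed"
        self._log(actor, "destroy", version)
```

The "locked out of your own data" failure from slide 16 is the case `destroy` refuses: the active version can only be destroyed after a rotation has replaced it.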
  44. OASIS Enterprise Key Management Infrastructure (EKMI)
     • Focused on standardizing management of symmetric encryption keys across the enterprise within a symmetric KM system
     • Working on creation of:
       • Symmetric Key Services Markup Language (SKSML) protocol
       • implementation and operations guidelines for an SKMS
       • audit guidelines for auditing an SKMS
       • interoperability test-suite for SKSML implementations
     • www.oasis-open.org/committees/ekmi
  45. For more information
     • Guideline for Implementing Cryptography in the Federal Government: http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf
     • Cryptographic Toolkit: http://csrc.nist.gov/groups/ST/toolkit/index.html
     • Recommendation for Key Management: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
     • Encryption Strategies: The Key to Controlling Data: www.oracle.com/encryption/wp/encryption_strategies_wp.pdf
  46. Books
  47. Summary
     • Organizations that do not have an effective data classification program usually fail at their data encryption projects
     • Creating an effective deployment strategy is the difference between strong encryption and an audit failure
     • Encryption is about attention to detail, good design and project management
  48. Contact info
     • Ben Rothke, CISSP CISA, Manager – Information Security, Wyndham Worldwide Corporation
     • www.linkedin.com/in/benrothke
     • www.twitter.com/benrothke
     • www.slideshare.net/benrothke
