Of the 13 billion data records breached across IT systems since 2013, only 4 percent were encrypted. The Internet of Things (IoT) brings network connectivity to everyday devices, many of which may be handling sensitive data. Let's examine the flow of health information in an IoT environment and explore how pervasive encryption can protect IoT data in transit and data at rest at multiple layers of the computing environment. Join this session to learn how to:- interpret US regulations regarding the protection of health information- describe the process for encrypting sensitive data in transit and at rest- differentiate between several levels of encryption for data at rest- analyze various encryption technologies

1. © 2019 IBM Corporation© 2019 IBM Corporation
Securing IoT Data with
Pervasive Encryption
Eysha Shirrine Powers
IBM, Enterprise Cryptography
eysha@us.ibm.com

2. © 2019 IBM Corporation
About me ☺
IBM Career (15 years)
▪ 2004: z/OS Resource Access Control Facility (RACF)
▪ 2006: z/OS Java Cryptography Extension (JCE)
▪ 2008: z/OS Integrated Cryptographic Services Facility (ICSF)
– A few cool projects:
• Elliptic Curve Cryptography (ECC)
• Enterprise PKCS #11 (EP11)
• Crypto-as-a-service (ACSP-REST)
• Regional Cryptographic Enablement (RCE)
• Field Level Encipher (FLE) for secure key tokens
• Crypto Usage Statistics (STATS)
Founded the IBM Crypto Education community:
https://www.ibm.com/developerworks/community/groups/community/crypto
“Crypto Nerd”
Current Role: Crypto SME, z/OS
ICSF Developer
Responsibilities: Crypto Software
Design & Development, Crypto
Code Samples, Crypto Education

3. © 2019 IBM Corporation
B.S. Computer Science, UIUC
M.S. Information Technology, RPI

4. © 2019 IBM Corporation
The Internet of Things (IoT)
IoT is made up of network-connected devices and appliances equipped
with digital sensors and microchips which are accessible through the
internet.
Heart
Monitors
Smart
Scales
Physical Activity
Trackers

5. © 2019 IBM Corporation
Why Secure IoT Data?
Many types of data is subject to data privacy and security regulations.
For example, personal health information in the United States must be
protected in accordance with the Health Information Portability and
Accountability Act (HIPAA) of 1996 and the Health Information Technology
for Economic and Clinical Health Act (HITECH) of 2009.
Health Insurance
Portability and
Accountability
Act (HIPAA)

6. © 2019 IBM Corporation
What is considered Personal
Health Information (PHI)?
▪ The individual’s past, present or future
physical or mental health condition
▪ The provision of health care to the individual
▪ The past, present, or future payment for the
provision of health care to the individual
Could IoT data
contain PHI?

7. © 2019 IBM Corporation
Who does HIPAA and HITECH impact?
• Health insurance
companies
• Health management
organizations
(HMOs)
• Medicare
• Medicaid
• Doctors
• Clinics
• Dentists
• Psychologists
• Chiropractors
• Pharmacies
Business
associates
which handle
health data on
behalf of
covered entities
Covered entities include:

8. © 2019 IBM Corporation
Data Protection Regulations
▪ Health Information Portability and
Accountability Act (HIPAA)
▪ Health Information Technology for Economic
and Clinical Health Act ( HITECH)
▪ Payment Card Industry Data Security
Standard (PCI-DSS)
▪ General Data Protection Regulations
(GDPR) for European Union (EU) citizens
▪ …

9. © 2019 IBM Corporation
What is the risk? What is the impact?
Likelihood of an organization
having a data breach in the next
24 months 1
28%
14.7 Billion
4%
Of the
only
breached since 2013
were encrypted 3
records
$3.6M
Average cost of a data breach in
2017 2
“It’s no longer
a matter of if,
but when …”
1, 2 Source: 2017 Ponemon Cost of Data Breach Study: Global Overview -- http://www.ibm.com/security/data-breach/
3 Source: Breach Level Index -- http://breachlevelindex.com/

10. © 2019 IBM Corporation
Extensive use of encryption is one of the most impactful
ways to help reduce the risks and financial losses of a data breach and
help meet complex compliance mandates.

11. © 2019 IBM Corporation
The
Information
Life Cycle
Data creation, generation and/or copy
Reading and/or modifying data
Acquisition
Use
Archival
Disposal
Data is no longer in use but must be retained for
regulatory, backup and/or other reasons.
Data destruction

12. © 2019 IBM Corporation
Where might sensitive IoT Data reside?
▪ The physical IoT device
▪ The internet packet transmitted to the healthcare provider
▪ Memory of the receiving application on the healthcare
provider’s server
▪ A database which writes the data to a file or data set
▪ Active disk or tape storage
▪ Archived storage which may or may not be offsite
▪ A disaster recovery backup system

13. © 2019 IBM Corporation
Securing IoT Data with Pervasive Encryption

14. © 2019 IBM Corporation
How do you encrypt data in flight?
Network encryption provides a
means of ensuring data remains
secure as it travels over the network
to its destination.
A connection protocol can be used to
ensure that communications between
an IoT device and the server are
secure.
One example of a connection
protocol is a handshake.
Request secure
connection
Send server
certificate
Validate
certificate
Generate
session key
Encrypt session key
with server’s public key
Send encrypted
session key
Encrypt & decrypt
messages with shared
session key
Decrypt session key
with server’s private key

15. © 2019 IBM Corporation
Coverage
Complexity&SecurityControl
App
Encryption
hyper-sensitive data
Database Encryption
Provide protection for very sensitive in-
use (DB level), in-flight & at-rest data
File or Data Set Level Encryption
Provide broad coverage for sensitive data using encryption tied
to access control for in-flight & at-rest data protection
Full Disk & Tape Encryption
Provide 100% coverage for at-rest data with zero host CPU cost
Protection against
intrusion, tamper or
removal of physical
infrastructure
Broad protection & privacy managed
by OS… ability to eliminate storage
admins from compliance scope
Granular protection & privacy managed by
database… selective encryption & granular
key management control of sensitive data
Data protection & privacy provided and managed by
the application… encryption of sensitive data when
lower levels of encryption not available or suitable
How do you encrypt data at rest? It depends…

16. © 2019 IBM Corporation
How do you generate encryption keys?
Symmetric keys are simply a sequence of bits
of a precise length (i.e. key size) intended for
use in a cryptographic operation.
▪ DES = 56 bits (i.e. 8 bytes)
▪ TDES = 56, 112, or 168 bits (i.e. 8, 16 or 24 bytes)
▪ AES = 128, 192, or 256 bits (i.e. 16, 24 or 32 bytes)
Where do symmetric key bytes come from?
▪ Random number generators
– True random number generation requires:
• An entropy source of randomness to
• Produce true random bytes
– Pseudo Random number generation requires:
• An entropy source of randomness PLUS
• A deterministic mathematical algorithm to
• Produce pseudo random bytes
Why does the key length matter?
▪ Short key lengths, specifically for symmetric
keys, can be brute force attacked, especially
with today’s computing speeds
– The NIST standards body recommends
symmetric keys of 24 bytes or larger.
For a 64-byte random number request, a
Crypto Express adapter was measured to
perform ~1,128,283 operations per second

17. 17
Encryption Keys
Inadvertent or malicious deletion or
modification of encryption keys will
result in data loss!
Robust key management and key
protection is a must for all organizations
– Large
– Medium
– Small
Avoid self-inflicted RANSOMWARE!
Deploy enterprise key
management system
Policy based key gen
Key rotation
Key usage tracking
Key backup & recovery
Implement multiple
levels of backup and
recovery
Physical backup
Logical backup
Offline backup

18. © 2019 IBM Corporation
How do you choose your encryption engine?
Consider:
▪ Software vs Hardware
▪ Reliability, Availability,
Serviceability
▪ Industry Certifications
▪ Performance & Security
▪ Memory Requirements
▪ Algorithm Requirements
▪ Operating Systems
▪ APIs & Libraries
Crypto Express6S
Crypto Express adapters provide tamper
sensing and responding protection for
cryptographic operations.
Processor Unit SCM
Each Processor Unit is
capable of Central
Processor Assisted
Cryptographic Function
(CPACF)
CPC Drawer
With 64 bytes of input using 256-bit AES-CBC
encryption, a Crypto Express adapter was
measured to perform ~10,569 operations per
second
With 64 bytes of input using 256-bit AES-CBC
encryption, CPACF was measured to perform
~327,891 operations per second
IBM z14

19. © 2019 IBM Corporation
Securing IoT Data with Pervasive Encryption

20. © 2019 IBM Corporation
New Cryptographic Technologies on the Horizon

21. © 2019 IBM Corporation© 2019 IBM Corporation
Thank you
• Eysha Shirrine Powers
• IBM, Enterprise Cryptography