All businesses rely on encryption and other cryptographic technologies to keep data safe, so it is critical to understand how to keep your crypto keys safe to prevent a data breach.
1. My Keys are Safe – Aren’t They?
Mitigating Risks and Achieving Compliance
Rob Stubbs
Sales Director, EMEA
Cryptomathic Ltd.
The Gold Standard of Security Since 1986
2. Who are Cryptomathic?
• A leading provider of cryptographic solutions
- CKMS - crypto key management system
- CSG - crypto service gateway
- Signer - eIDAS digital signatures
- CardInk - EMV card data preparation
• Founded in Denmark in 1986
• A trusted partner of many leading banks
Find us at Cryptomathic.com
3. This Seminar will Cover …
1. The nature and lifecycle of cryptographic keys
2. How keys can be compromised
3. The impact of a key compromise
4. How to mitigate risks and comply with PCI-DSS
4. Uses of Cryptography
• Cryptography is used within many applications
… from smart toasters to core banking systems
- Data encryption
- PKI
- EMV transactions
- Digital signatures
- Code signing
- Digital rights management
- Blockchain
- etc., etc., etc.
5. Cryptographic Keys
• Kerckhoffs's principle
- A cryptographic system should be secure even if everything
about the system, except the key, is public knowledge
• Key = random number
-----BEGIN RSA PRIVATE KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADC
BiQKBgQDOSnsipAcr6fUg5IfuxyauuM
QSxc+lU3wuiQ9clhM0CVK0oeZFr+pj9
WnflWLA3T98eXsffN1Inl84DwMdmSf8
vxi/gq0edx/eeg7byID1AN4QHzw2zQu
aDso2oIPZ+J+W1uugR1Gh8mbyV7fiaj
NHSdrlhyC5GYC/dDehF+QA0wIDAQAB
-----END RSA PRIVATE KEY-----
£(key) = £(data)
6. Cryptographic Keys
• Secret keys
- Commonly used for symmetric encryption (e.g. DES, AES)
• Private/public key pairs
- Commonly used for signing and authentication (e.g. RSA, ECDSA)
- May also be used for encryption
7. What Makes a Good Key?
• Unguessable
- Highly random
- Long enough (depending on algorithm and protection required)
• Unique
- Generate a fresh key every time
• Changed periodically
- Depending on algorithm and usage
9. NIST SP 800-57: Recommendation for Key Management
“The security of information protected by cryptography
directly depends on:
- the strength of the keys
- the effectiveness of the mechanisms and protocols associated
with the keys, and
- the protection afforded the keys”
Source: NIST (US National Institute of Standards and Technology)
10. PCI Data Security Standard – Protecting and Managing Keys
• Requirement 3.5 (guidance)
- “Cryptographic keys must be strongly protected because those who
obtain access will be able to decrypt data.”
• Requirement 3.6 (guidance)
- “The manner in which cryptographic keys are managed is a critical
part of the continued security of the encryption solution.”
Source: PCI SSC (Payment Card Industry Security Standards Council)
12. How can Keys be Compromised?
• Weak keys
• Use a strong RNG
- Preferably hardware-based
- Ideally certified to FIPS 140-2
• Real-world horror stories*
- Predictable Netscape seed
- Microsoft Windows 2000/XP RNG
- Possible Backdoor in Elliptical Curve DRBG
- MIFARE Crypto-1
- Debian OpenSSL
- PlayStation 3
- RSA public key factoring
- Java nonce collision
[* Source: https://en.wikipedia.org/wiki/Random_number_generator_attack#Prominent_examples]
13. Examples
• PlayStation 3 (2010)
- Sony’s ECDSA private software signing key was compromised
- Due to re-using the same random “nonce” when signing software
• RSA public key factoring (2012)
- Researchers were able to break 0.2% of Internet RSA public keys
- This was because multiple keys shared a common prime factor,
due to poor initial seeding of pseudo-random number generators
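The shared-prime case above is one a defender can check for in their own key inventory: if two RSA moduli were produced by poorly seeded generators, their GCD exposes the prime they share. The following is an added example, not Cryptomathic's code or the original researchers' tooling: it runs pairwise GCD over a constructed inventory of toy moduli built from Mersenne primes (the 2012 Internet-wide study used a batch-GCD tree to handle millions of keys, but the check is the same) and reports any pair that must be retired.

```go
package main

import (
	"fmt"
	"math/big"
)

// Finding records two moduli in the inventory that share a prime factor.
type Finding struct {
	I, J   int      // positions of the two keys in the input slice
	Shared *big.Int // the common factor (gcd of the two moduli)
}

// SharedFactors runs Euclid's GCD over every pair of RSA moduli. Keys made
// from a properly seeded generator share a factor with negligible
// probability, so any gcd larger than 1 means at least one generator was
// faulty and both keys in the pair must be retired. Pairwise GCD is O(n^2);
// for a very large inventory a batch-GCD tree is the practical choice.
func SharedFactors(moduli []*big.Int) []Finding {
	var findings []Finding
	one := big.NewInt(1)
	for i := 0; i < len(moduli); i++ {
		for j := i + 1; j < len(moduli); j++ {
			g := new(big.Int).GCD(nil, nil, moduli[i], moduli[j])
			if g.Cmp(one) > 0 {
				findings = append(findings, Finding{I: i, J: j, Shared: g})
			}
		}
	}
	return findings
}

// SampleModuli is a constructed inventory of three toy RSA moduli built
// from Mersenne primes so the arithmetic is easy to follow. Keys 0 and 2
// both reuse the prime 2^61-1, imitating two generators that were seeded
// with the same poor entropy; key 1 is independent.
func SampleModuli() []*big.Int {
	p := big.NewInt(2305843009213693951) // 2^61 - 1
	q := big.NewInt(2147483647)          // 2^31 - 1
	r := big.NewInt(524287)              // 2^19 - 1
	s := big.NewInt(131071)              // 2^17 - 1
	t, _ := new(big.Int).SetString("618970019642690137449562111", 10) // 2^89 - 1
	return []*big.Int{
		new(big.Int).Mul(p, q), // key 0: p*q
		new(big.Int).Mul(r, s), // key 1: r*s
		new(big.Int).Mul(p, t), // key 2: p*t, shares p with key 0
	}
}

func main() {
	for _, f := range SharedFactors(SampleModuli()) {
		fmt.Printf("keys %d and %d share factor %s: retire both\n", f.I, f.J, f.Shared.String())
	}
}
```

Real moduli are 2048 bits or more, but math/big's GCD handles them identically; the point of the check is that it needs only public keys, so it can be run against every certificate and SSH host key an organisation has issued without touching any private material.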
14. How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Always consider the intended
application and algorithm
15. How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Don’t use the same key for
multiple purposes
16. How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Keys should be rotated
periodically
• Older symmetric algorithms are
a particular concern
- Vulnerable to “Sweet32” (aka
“Birthday”) attack
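The Sweet32 concern is a concrete, computable limit: with an n-bit block, a repeated ciphertext block becomes likely after about 2^(n/2) blocks, which for a 64-bit cipher such as 3DES is 2^32 blocks of 8 bytes, i.e. 32 GiB under one key. As an added example (not part of the original deck), the Go code below computes that bound for a given block size and wraps it in a simple usage counter that tells an application when a key has reached its rotation point; the MarginBits knob, which keeps the trigger some powers of two below the bound, is a constructed policy parameter, not a figure from any standard.

```go
package main

import (
	"fmt"
	"math/big"
)

// BirthdayByteLimit returns the number of bytes a block cipher with an n-bit
// block can process under one key before a repeated ciphertext block becomes
// likely: 2^(n/2) blocks, each n/8 bytes. For 64-bit blocks (3DES, Blowfish)
// this is 2^32 * 8 bytes = 32 GiB, the figure behind Sweet32; for AES's
// 128-bit block it is 2^64 * 16 bytes, far beyond any practical volume.
func BirthdayByteLimit(blockBits uint) *big.Int {
	blocks := new(big.Int).Lsh(big.NewInt(1), blockBits/2)
	return blocks.Mul(blocks, big.NewInt(int64(blockBits/8)))
}

// KeyUsage tracks how much data has been encrypted under one symmetric key
// and decides when the key must be rotated. MarginBits keeps the trigger
// that many powers of two below the birthday bound (a constructed policy
// knob, not a value from any standard).
type KeyUsage struct {
	BlockBits  uint
	MarginBits uint
	bytesUsed  *big.Int
}

func NewKeyUsage(blockBits, marginBits uint) *KeyUsage {
	return &KeyUsage{BlockBits: blockBits, MarginBits: marginBits, bytesUsed: new(big.Int)}
}

// Limit is the rotation threshold in bytes.
func (k *KeyUsage) Limit() *big.Int {
	return new(big.Int).Rsh(BirthdayByteLimit(k.BlockBits), k.MarginBits)
}

// Record adds n bytes to the key's usage and reports whether the key has
// reached its limit and must be rotated before any further encryption.
func (k *KeyUsage) Record(n uint64) bool {
	k.bytesUsed.Add(k.bytesUsed, new(big.Int).SetUint64(n))
	return k.bytesUsed.Cmp(k.Limit()) >= 0
}

func main() {
	for _, bits := range []uint{64, 128} {
		fmt.Printf("%3d-bit block: birthday bound at %s bytes\n", bits, BirthdayByteLimit(bits).String())
	}
	// Constructed scenario: a 3DES key used for 20 GiB, then 20 GiB more.
	k := NewKeyUsage(64, 0)
	twentyGiB := uint64(20) << 30
	fmt.Println("rotate after first 20 GiB?", k.Record(twentyGiB))
	fmt.Println("rotate after second 20 GiB?", k.Record(twentyGiB))
}
```

In practice the counter would live with the key in the key management system rather than in each application, so that the total across all consumers of the key is what triggers rotation; the birthday bound is an upper limit, and a margin well below it is the usual policy.
<test>
func TestKeyUsageLimits(t *testing.T) {
	if BirthdayByteLimit(64).String() != "34359738368" {
		t.Fatal("64-bit block limit should be 32 GiB")
	}
	if BirthdayByteLimit(128).String() != "295147905179352825856" {
		t.Fatal("128-bit block limit should be 2^68 bytes")
	}
	k := NewKeyUsage(64, 0)
	if k.Record(20 << 30) {
		t.Fatal("20 GiB should not yet require rotation")
	}
	if !k.Record(20 << 30) {
		t.Fatal("40 GiB should require rotation")
	}
	if NewKeyUsage(64, 2).Limit().String() != "8589934592" {
		t.Fatal("a 2-bit margin should give an 8 GiB limit")
	}
}
```
</test>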
17. How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Always store keys separately from
the encrypted data
18. How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Inadequate protection of keys
• Avoid storing keys locally on servers
in plaintext
- Even keys in server memory are
potentially vulnerable - recent
attacks include Heartbleed, Flip Feng
Shui, Meltdown, Spectre and TLBleed
• High-value keys should be stored
inside hardware security modules
- Ideally use the HSM for performing
all crypto operations with the key, so
it never needs to leave the HSM
- If you must export or store a key
outside the HSM, always encrypt it
19. How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Inadequate protection of keys
• Insecure movement of keys
• Keys should be transported in
one of two ways:
- As multiple “key components” (aka
“key shares”), each handled by a
different person
- Encrypted under a pre-shared “key
encryption key” or KEK (aka
“transport key”)
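Both transport methods on this slide can be shown in a few dozen lines. The following is an added example and not Cryptomathic's code: it splits a key into XOR key components so that each custodian carries one, attaches a key check value (the first three bytes of AES encrypting a zero block) so custodians can confirm what they hold without revealing it, and separately wraps a key under a pre-shared KEK. The wrapping here uses AES-GCM with the key's label as associated data, which is an assumption made for the example; key management products normally use a standard such as RFC 3394 AES Key Wrap or TR-31 key blocks.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// KCV computes a key check value: the first three bytes of AES encrypting an
// all-zero block under the key. Custodians compare KCVs to confirm they hold
// the same key or component without ever disclosing its value.
func KCV(key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, block.BlockSize())
	block.Encrypt(out, make([]byte, block.BlockSize()))
	return hex.EncodeToString(out[:3]), nil
}

// SplitComponents splits key into n XOR components. Any n-1 of them are
// statistically independent of the key, so each can be carried by a
// different custodian and only the full set reconstructs the key.
func SplitComponents(key []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("need at least two components")
	}
	parts := make([][]byte, n)
	last := append([]byte(nil), key...)
	for i := 0; i < n-1; i++ {
		parts[i] = make([]byte, len(key))
		if _, err := rand.Read(parts[i]); err != nil {
			return nil, err
		}
		for j := range last {
			last[j] ^= parts[i][j]
		}
	}
	parts[n-1] = last
	return parts, nil
}

// CombineComponents XORs the components back together. Missing even one
// component yields an unrelated value, not a partially correct key.
func CombineComponents(parts [][]byte) []byte {
	key := make([]byte, len(parts[0]))
	for _, p := range parts {
		for j := range key {
			key[j] ^= p[j]
		}
	}
	return key
}

// WrapKey encrypts key under the pre-shared KEK with AES-GCM and binds the
// key's label as associated data, so a wrapped key cannot be presented under
// a different name. (Assumed scheme for this example; see lead-in.)
func WrapKey(kek, key []byte, label string) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, key, []byte(label)), nil
}

// UnwrapKey reverses WrapKey; it fails if the KEK, the label or the
// ciphertext does not match what was wrapped.
func UnwrapKey(kek, wrapped []byte, label string) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("wrapped key too short")
	}
	return gcm.Open(nil, wrapped[:ns], wrapped[ns:], []byte(label))
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed 256-bit key to be moved between two sites.
	key := make([]byte, 32)
	rand.Read(key)
	kcv, _ := KCV(key)
	fmt.Println("key KCV:", kcv)

	parts, _ := SplitComponents(key, 3)
	for i, p := range parts {
		c, _ := KCV(p)
		fmt.Printf("component %d KCV %s (custodian %d)\n", i+1, c, i+1)
	}
	rk, _ := KCV(CombineComponents(parts))
	fmt.Println("reassembled KCV matches:", rk == kcv)

	kek := make([]byte, 32)
	rand.Read(kek)
	wrapped, _ := WrapKey(kek, key, "db-encryption-key")
	if _, err := UnwrapKey(kek, wrapped, "some-other-key"); err != nil {
		fmt.Println("unwrap under wrong label rejected:", err)
	}
}
```

The two methods address different risks: components protect against any single person seeing the key, while a KEK protects the key in transit over an untrusted channel; ceremonies often combine them by loading the KEK itself from components under dual control.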
20. How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Inadequate protection of keys
• Insecure movement of keys
• Non-destruction of keys
• Keys that are no longer required
should be destroyed
- Erased fully and permanently
- Removes risk of accidental
compromise in the future
21. How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Inadequate protection of keys
• Insecure movement of keys
• Non-destruction of keys
• Insider threats
• Key access should be controlled
- Specific individuals
- Strong authentication
- Segregation of duties
- Dual control
22. How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Inadequate protection of keys
• Insecure movement of keys
• Non-destruction of keys
• Insider threats
• Lack of resilience
• High availability
- If a key is not available when
required, business applications will
fail
• Business continuity
- If a key is irretrievably lost, any
associated data may also be lost
23. How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Inadequate protection of keys
• Insecure movement of keys
• Non-destruction of keys
• Insider threats
• Lack of resilience
• Lack of audit logging
• Monitoring and audit logging can
help detect a compromise before
any great harm is done
• A lack of audit logs will hamper
any forensic investigation after a
compromise
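"Protected audit log" and "high-integrity audit logs" elsewhere in this deck mean a log that an insider cannot quietly edit after the fact. One common construction, shown here as an added example rather than Cryptomathic's implementation, chains each record to the previous one with an HMAC whose key is held by the HSM or key management system; the records are constructed, and the integrity key is a placeholder.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one audit record plus the tag that chains it to its predecessor.
type Entry struct {
	Record string // e.g. "2024-06-04T09:02:11Z alice EXPORT key=db-master-01"
	Tag    string // hex HMAC-SHA256 over (previous tag || 0x00 || record)
}

// AuditLog is an append-only, hash-chained log. The integrity key is
// assumed to live inside the HSM or key management system, out of reach of
// anyone who can merely read or edit the log storage.
type AuditLog struct {
	key     []byte
	Entries []Entry
}

func NewAuditLog(integrityKey []byte) *AuditLog {
	return &AuditLog{key: integrityKey}
}

func chainTag(key []byte, prev, record string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(prev))
	m.Write([]byte{0}) // separator so the prev/record boundary is unambiguous
	m.Write([]byte(record))
	return hex.EncodeToString(m.Sum(nil))
}

// Append adds a record chained to the last tag (empty for the first entry).
func (l *AuditLog) Append(record string) {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Tag
	}
	l.Entries = append(l.Entries, Entry{Record: record, Tag: chainTag(l.key, prev, record)})
}

// Verify recomputes the chain and returns the index of the first entry whose
// tag does not match, or -1 if every entry is consistent. Editing a record,
// deleting an entry or reordering entries all break the chain at the point
// of tampering. Truncating the tail is not detectable on its own; the latest
// tag must also be anchored externally (e.g. in a signed daily digest).
func Verify(integrityKey []byte, entries []Entry) int {
	prev := ""
	for i, e := range entries {
		want := chainTag(integrityKey, prev, e.Record)
		if !hmac.Equal([]byte(want), []byte(e.Tag)) {
			return i
		}
		prev = e.Tag
	}
	return -1
}

// SampleLog builds a constructed log of key-management events, ending with
// an export under an unexpected KEK that an insider might want to hide.
func SampleLog(integrityKey []byte) *AuditLog {
	l := NewAuditLog(integrityKey)
	l.Append("2024-06-04T09:00:00Z alice GENERATE key=db-master-01")
	l.Append("2024-06-04T09:01:30Z bob APPROVE key=db-master-01 action=EXPORT")
	l.Append("2024-06-04T09:02:11Z alice EXPORT key=db-master-01 wrapped_under=kek-07")
	l.Append("2024-06-04T17:45:02Z alice EXPORT key=db-master-01 wrapped_under=kek-99")
	return l
}

func main() {
	key := []byte("placeholder-integrity-key") // constructed; real key lives in the HSM
	al := SampleLog(key)
	fmt.Println("intact log verifies at:", Verify(key, al.Entries))

	// An insider edits the last export to make it look routine.
	edited := append([]Entry(nil), al.Entries...)
	edited[3].Record = "2024-06-04T17:45:02Z alice EXPORT key=db-master-01 wrapped_under=kek-07"
	fmt.Println("edited record detected at index:", Verify(key, edited))

	// Or deletes the unapproved export entirely.
	deleted := append(append([]Entry(nil), al.Entries[:2]...), al.Entries[3:]...)
	fmt.Println("deleted entry detected at index:", Verify(key, deleted))
}
```

Verification is cheap enough to run continuously, which is what turns the log from a forensic artefact into a detection control: the moment the chain breaks, someone has touched the record of key operations.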
24. How can Keys be Compromised?
• Weak keys
• Incorrect use of keys
• Re-use of keys
• Non-rotation of keys
• Inappropriate storage of keys
• Inadequate protection of keys
• Insecure movement of keys
• Non-destruction of keys
• Insider threats
• Lack of resilience
• Lack of audit logging
• Manual key management processes
• Poor protection of keys
• High risk of human error
• Difficult to avert insider threats
25. Potential Consequences of Key Compromise
• Fraudulent transactions
• Data breaches
• Theft of intellectual property / trade secrets
… leading to:
- Financial losses, fines, compensation claims, legal costs
- Diminished reputation, loss of competitive advantage
- Reduction in share price, lower credit rating, customer churn
26. The Challenge …
• More keys to manage
• More zero-day vulnerabilities
• More sophisticated & well-funded attackers
• More and tougher regulations
• More consequences
27. How to Assess the Risks
• Understand the value of your keys
- Equivalent to the value of the data they protect
• Understand the threats
- Who might want to compromise them? How?
• Determine the risk
- Likelihood & impact of each threat
• Consider possible mitigations to reduce the risk
28. How to Mitigate the Risks
• Follow good key management practices
- Use high-quality keys
- Provide strong physical and logical security for keys
- Enforce access control, key usage and governance policies
- Utilise secure key distribution
- Ensure high availability & business continuity
- Maintain high-integrity audit logs
29. Key Management – the Good, the Bad and the Ugly
The Good
• Centralised system
• Full life cycle
• Strong controls
• Secure distribution
• Protected audit log
• HSM root of trust
• Simple audits
The Bad
• Multiple systems
• Multiple owners
• Inadequate controls
• Weak distribution
• Vulnerable logs
• No root of trust
• Complex audits
The Ugly
• Manual processes
• No clear ownership
• Weak controls
• Weak distribution
• Paper logs
• Spreadsheets
• Failed audits
Maturity
30. Other Benefits of a Centralised Key Management System
• Scales easily
• Increased efficiency
• Fewer skilled resources
• Fewer errors
• Enables automation
• Simplifies compliance
• Supports digital transformation
31. Key Trends
• Keys are increasingly at risk
- New vulnerabilities every week; network perimeter defences no longer effective
- Attackers are smarter, better funded, and going where the money is
• Key growth driven by increasing use of cryptography, also regulations
• Applications and data are migrating to the cloud
- BYOK (Bring Your Own Key) for AWS, Office 365, Salesforce, etc.
• Quantum technologies are on the horizon
- Quantum computing, driving the need for “quantum-resistant” algorithms
- Quantum key distribution (QKD)
34. Summary
• Keys are as valuable as the data/transactions they protect
• Keys are easily compromised, and the impact can be massive
• This is a challenge that is growing in scale and importance
• Thus keys should be protected and managed appropriately
• A centralised key management system helps mitigate the risks
Welcome!
I’m going to talk today about cryptographic keys, why they’re important and what you need to do to protect them and ensure compliance with standards like PCI-DSS.
Firstly, I’d just like to introduce Cryptomathic, in case you haven’t heard of us.
We are a … A leading provider of cryptographic solutions … for mission critical environments, including banking and financial services – you can see some of our solutions here.
We were … Founded in Denmark … over 30 years ago by a group of prominent cryptographers, and we are still headquartered there.
We are … A trusted partner of many leading banks … and other large enterprises around the world.
Let’s start off by looking at the uses of cryptography … smart toasters – yes, they do exist! …
This is just a small sample of the things that cryptography can be used for.
Data encryption is used to protect both data-at-rest (e.g. TDE) and data-in-motion (e.g. SSL/TLS) – and, of course, I hope you’re all using TLS 1.2 now!
Blockchain is, as I’m sure you all know, the underlying technology behind cryptocurrencies (like Bitcoin) and distributed ledger technology.
Kerckhoffs's principle … This means that, even though the complete workings of algorithms such as AES and RSA are known publicly, they remain safe from attack as long as the key is kept safe. The key is the only thing that needs to be kept secret.
So – what is a key?
A key is basically just a random number that is used by cryptographic algorithms.
The important takeaway here is that the value of a key is equivalent to the value of the data or transaction that it protects, because compromising the key means compromising the data.
- The simplest example of this is Bitcoin, where the Bitcoin wallet is protected by a secret key – whoever has the key can spend all the Bitcoins in the wallet.
DES = Data Encryption Standard
AES = Advanced Encryption Standard
RSA = Rivest-Shamir-Adleman (named after its inventors)
ECDSA = Elliptic Curve Digital Signature Algorithm
It is important to consider the entire life cycle of a key. This diagram applies to long-term static keys, as opposed to ephemeral keys (which are created on-the-fly for encrypting SSL/TLS communication sessions, for example).
- Once keys are created, they should always be backed up prior to deployment.
- Key usage should be monitored for audit purposes and to detect possible compromise.
- In general, it is good practice to “rotate” (i.e. change) keys regularly to avoid over-use.
- In any case, keys should have an expiry date, at which point they may be archived in case they are needed again (for example, to decrypt old data).
- Finally, once a key is no longer needed, all traces of it should be destroyed.
The NIST special publication on recommendations for key management is a widely-respected repository of good key management practices …
PCI-DSS also recognizes the importance of protecting and managing keys.
… If you’re interested in the relationship between PCI-DSS and key management, Cryptomathic has a useful white paper on the subject, including a compliance checklist.
This is where the CIA comes in – no, not that CIA! I’m talking about …
There are plenty of real-world horror stories detailed in the Wikipedia article on random number generator attacks. These typically come down to:
Using a poor source of entropy (or randomness)
Weak or badly-implemented RNG algorithms
There’s even one RNG algorithm that many people think has an NSA backdoor
Just to pick a couple of examples …
… this will dictate things like key length and key expiry.
… this can make the key easier to crack.
… over-using a key can make it easier to crack; it also exposes more sensitive data if/when the key is cracked.
… don’t encrypt more than 32 GB of data with the same key.
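As an added example (not code from the talk or from Cryptomathic), the life-cycle and over-use points above expressed in Python: a hypothetical key record that can only move through the states in the order the talk gives, logs every use for monitoring, and reports when the talk's 32 GB figure has been reached so the key can be rotated, with the old key archived rather than deleted.

```python
import os
from dataclasses import dataclass, field
# Permitted life-cycle transitions in the talk's order: create, back up, deploy, expire, archive, destroy.
_NEXT = {
    "generated": {"backed_up"},
    "backed_up": {"active"},
    "active": {"expired"},
    "expired": {"archived", "destroyed"},
    "archived": {"destroyed"},
    "destroyed": set(),
}
USAGE_LIMIT = 32 * 10**9  # the talk's "32 GB per key" figure, used here as the rotation trigger

@dataclass
class ManagedKey:
    key_id: str
    state: str = "generated"
    bytes_used: int = 0
    audit: list = field(default_factory=list)  # usage and transitions, for monitoring/audit
    material: bytes = field(default_factory=lambda: os.urandom(32), repr=False)

    def transition(self, new_state):
        # Any step outside the life cycle (e.g. active -> destroyed) is rejected.
        if new_state not in _NEXT[self.state]:
            raise ValueError(f"{self.key_id}: {self.state} -> {new_state} not permitted")
        self.audit.append((self.state, new_state))
        self.state = new_state
        if new_state == "destroyed":
            self.material = b""  # remove all traces of the key material

    def record_usage(self, nbytes):
        # Account for data protected with this key; True means rotation is due.
        if self.state != "active":
            raise ValueError(f"{self.key_id} is {self.state}, not active")
        self.bytes_used += nbytes
        self.audit.append(("used", nbytes))
        return self.bytes_used >= USAGE_LIMIT

def provision(key_id):
    key = ManagedKey(key_id)
    key.transition("backed_up")  # back up prior to deployment
    key.transition("active")
    return key

def rotate(old, new_id):
    # Replace an over-used or expiring key; the old one is archived so old data stays readable.
    new = provision(new_id)
    old.transition("expired")
    old.transition("archived")
    return new
```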
… for obvious reasons – if the encrypted data is exfiltrated, the key is all the attacker needs to decrypt it.
Even keys in server memory are potentially vulnerable …
FOR THAT REASON …
High-value keys should be stored inside hardware security modules …
Using manual key management processes is a risk on many levels.
Firstly, keys are often poorly protected – maybe written on pieces of paper or held in a spreadsheet!
Manual processes are inherently prone to human error.
Without proper security controls, it is easy for an internal bad actor to compromise a key and go undetected.
… leading to:
- Financial costs
- Reputational costs
- and ultimately undermining the ongoing viability of the business
Organisations have to manage more keys today than ever before.
There is no let-up in the rate of new IT system vulnerabilities – mostly in software, but we have also seen vulnerabilities in CPUs and even memory chips.
Organised crime is an increasingly significant source of cyber attacks, with the profits ploughed back into developing new attacks.
New regulations such as GDPR continue to raise the bar in terms of protecting sensitive data.
As a result, the consequences of failing to protect your keys are higher than ever.
If the impact is very high then, even if the likelihood is low, you should try to mitigate the risk.
Mitigating the risks fundamentally boils down to …
following good key management practices …
across the entire life cycle.
For example, …
When it comes to key management, there are many ways to do it, but they essentially boil down to these – the good, the bad and the ugly.
It’s worth taking a moment to consider where your organization sits on this scale of maturity.
A centralized key management system also provides other benefits …
- Scales to address growth in number of keys
- Eliminates inefficient manual/paper-based processes
- Consolidates operations to optimise use of skills/resources
- Reduces errors
- Allows certain processes to be automated (such as key renewal and distribution)
- Reduces time spent on audits and compliance
- Enables the business to be more agile in its use of cryptography in support of a digital transformation agenda
(forgive the pun) Keeping attackers out of your network is increasingly difficult, as we see in the press every day. They will get through eventually. Therefore it is important that keys are given every protection possible.
This is increasingly important as the number of keys you have to manage increases. For example, as a result of GDPR, organizations are now encrypting more data, and therefore have more keys to look after.
We are seeing increasing adoption of cloud technology, albeit perhaps somewhat slower within the financial industry due to security and regulatory concerns. Managing your keys is just as important, if not more so, within the cloud.
And finally, we need to consider the impact of quantum technology.
Quantum computing threatens to undermine public key algorithms within the next 10 years, so it is important to consider crypto agility – how quickly could you migrate to new, “quantum-resistant” algorithms?
Quantum key distribution promises to provide the ultimate in provably-secure key distribution, and ironically may be part of the solution to defeating the threat of quantum computing.
For those of you who wish to dive deeper into the topic of key management, here are the documents I mentioned:
… NIST Special Publication 800-57 goes into immense detail about key management
… there’s also the PCI-DSS standard, which I’m sure you’re all familiar with – requirements 3.5 and 3.6 relate to key management
Cryptomathic also has a couple of white papers on the topic – if you’re interested in obtaining copies of these, then please come and speak to me afterwards.
I can also recommend our blog, which has many educational articles about key management.
To summarise:
- Many people don’t realize that cryptographic keys are actually one of the most valuable things in any business.
- As we have seen, they can be compromised in many different ways, and the impact can be catastrophic.
- Organizations are using an ever-increasing number of keys, the threats are increasing, and the consequences of compromise are also getting higher.
- So please assess the risks and ensure you protect and manage your keys appropriately.
- Above all, if you don’t have a centralized key management system in place, look at implementing one – it really helps to mitigate the risks.
Thank you for listening – I hope you found this useful.
If you have any questions, I’m happy to take them now, or you can find me on the Cryptomathic stand for the rest of the day.