Securing IoT Data with Pervasive Encryption

© 2019 IBM Corporation© 2019 IBM Corporation
Securing IoT Data with
Pervasive Encryption
Eysha Shirrine Powers
IBM, Enterprise Cryptography
eysha@us.ibm.com

© 2019 IBM Corporation
About me ☺
IBM Career (15 years)
▪ 2004: z/OS Resource Access Control Facility (RACF)
▪ 2006: z/OS Java Cryptography Extension (JCE)
▪ 2008: z/OS Integrated Cryptographic Services Facility (ICSF)
– A few cool projects:
• Elliptic Curve Cryptography (ECC)
• Enterprise PKCS #11 (EP11)
• Crypto-as-a-service (ACSP-REST)
• Regional Cryptographic Enablement (RCE)
• Field Level Encipher (FLE) for secure key tokens
• Crypto Usage Statistics (STATS)
Founded the IBM Crypto Education community:
https://www.ibm.com/developerworks/community/groups/community/crypto
“Crypto Nerd”
Current Role: Crypto SME, z/OS
ICSF Developer
Responsibilities: Crypto Software
Design & Development, Crypto
Code Samples, Crypto Education

B.S. Computer Science, UIUC
M.S. Information Technology, RPI

The Internet of Things (IoT)
IoT is made up of network-connected devices and appliances equipped
with digital sensors and microchips which are accessible through the
internet.
Heart
Monitors
Smart
Scales
Physical Activity
Trackers

Why Secure IoT Data?
Many types of data is subject to data privacy and security regulations.
For example, personal health information in the United States must be
protected in accordance with the Health Information Portability and
Accountability Act (HIPAA) of 1996 and the Health Information Technology
for Economic and Clinical Health Act (HITECH) of 2009.
Health Insurance
Portability and
Accountability
Act (HIPAA)

What is considered Personal
Health Information (PHI)?
▪ The individual’s past, present or future
physical or mental health condition
▪ The provision of health care to the individual
▪ The past, present, or future payment for the
provision of health care to the individual
Could IoT data
contain PHI?

Who does HIPAA and HITECH impact?
• Health insurance
companies
• Health management
organizations
(HMOs)
• Medicare
• Medicaid
• Doctors
• Clinics
• Dentists
• Psychologists
• Chiropractors
• Pharmacies
Business
associates
which handle
health data on
behalf of
covered entities
Covered entities include:

Data Protection Regulations
▪ Health Information Portability and
Accountability Act (HIPAA)
▪ Health Information Technology for Economic
and Clinical Health Act ( HITECH)
▪ Payment Card Industry Data Security
Standard (PCI-DSS)
▪ General Data Protection Regulations
(GDPR) for European Union (EU) citizens
▪ …

What is the risk? What is the impact?
Likelihood of an organization
having a data breach in the next
24 months 1
28%
14.7 Billion
4%
Of the
only
breached since 2013
were encrypted 3
records
$3.6M
Average cost of a data breach in
2017 2
“It’s no longer
a matter of if,
but when …”
1, 2 Source: 2017 Ponemon Cost of Data Breach Study: Global Overview -- http://www.ibm.com/security/data-breach/
3 Source: Breach Level Index -- http://breachlevelindex.com/

Extensive use of encryption is one of the most impactful
ways to help reduce the risks and financial losses of a data breach and
help meet complex compliance mandates.

The
Information
Life Cycle
Data creation, generation and/or copy
Reading and/or modifying data
Acquisition
Use
Archival
Disposal
Data is no longer in use but must be retained for
regulatory, backup and/or other reasons.
Data destruction

Where might sensitive IoT Data reside?
▪ The physical IoT device
▪ The internet packet transmitted to the healthcare provider
▪ Memory of the receiving application on the healthcare
provider’s server
▪ A database which writes the data to a file or data set
▪ Active disk or tape storage
▪ Archived storage which may or may not be offsite
▪ A disaster recovery backup system

Securing IoT Data with Pervasive Encryption

How do you encrypt data in flight?
Network encryption provides a
means of ensuring data remains
secure as it travels over the network
to its destination.
A connection protocol can be used to
ensure that communications between
an IoT device and the server are
secure.
One example of a connection
protocol is a handshake.
Request secure
connection
Send server
certificate
Validate
certificate
Generate
session key
Encrypt session key
with server’s public key
Send encrypted
session key
Encrypt & decrypt
messages with shared
session key
Decrypt session key
with server’s private key

Coverage
Complexity&SecurityControl
App
Encryption
hyper-sensitive data
Database Encryption
Provide protection for very sensitive in-
use (DB level), in-flight & at-rest data
File or Data Set Level Encryption
Provide broad coverage for sensitive data using encryption tied
to access control for in-flight & at-rest data protection
Full Disk & Tape Encryption
Provide 100% coverage for at-rest data with zero host CPU cost
Protection against
intrusion, tamper or
removal of physical
infrastructure
Broad protection & privacy managed
by OS… ability to eliminate storage
admins from compliance scope
Granular protection & privacy managed by
database… selective encryption & granular
key management control of sensitive data
Data protection & privacy provided and managed by
the application… encryption of sensitive data when
lower levels of encryption not available or suitable
How do you encrypt data at rest? It depends…

How do you generate encryption keys?
Symmetric keys are simply a sequence of bits
of a precise length (i.e. key size) intended for
use in a cryptographic operation.
▪ DES = 56 bits (i.e. 8 bytes)
▪ TDES = 56, 112, or 168 bits (i.e. 8, 16 or 24 bytes)
▪ AES = 128, 192, or 256 bits (i.e. 16, 24 or 32 bytes)
Where do symmetric key bytes come from?
▪ Random number generators
– True random number generation requires:
• An entropy source of randomness to
• Produce true random bytes
– Pseudo Random number generation requires:
• An entropy source of randomness PLUS
• A deterministic mathematical algorithm to
• Produce pseudo random bytes
Why does the key length matter?
▪ Short key lengths, specifically for symmetric
keys, can be brute force attacked, especially
with today’s computing speeds
– The NIST standards body recommends
symmetric keys of 24 bytes or larger.
For a 64-byte random number request, a
Crypto Express adapter was measured to
perform ~1,128,283 operations per second

17
Encryption Keys
Inadvertent or malicious deletion or
modification of encryption keys will
result in data loss!
Robust key management and key
protection is a must for all organizations
– Large
– Medium
– Small
Avoid self-inflicted RANSOMWARE!
Deploy enterprise key
management system
Policy based key gen
Key rotation
Key usage tracking
Key backup & recovery
Implement multiple
levels of backup and
recovery
Physical backup
Logical backup
Offline backup

How do you choose your encryption engine?
Consider:
▪ Software vs Hardware
▪ Reliability, Availability,
Serviceability
▪ Industry Certifications
▪ Performance & Security
▪ Memory Requirements
▪ Algorithm Requirements
▪ Operating Systems
▪ APIs & Libraries
Crypto Express6S
Crypto Express adapters provide tamper
sensing and responding protection for
cryptographic operations.
Processor Unit SCM
Each Processor Unit is
capable of Central
Processor Assisted
Cryptographic Function
(CPACF)
CPC Drawer
With 64 bytes of input using 256-bit AES-CBC
encryption, a Crypto Express adapter was
measured to perform ~10,569 operations per
second
With 64 bytes of input using 256-bit AES-CBC
encryption, CPACF was measured to perform
~327,891 operations per second
IBM z14

New Cryptographic Technologies on the Horizon

Securing IoT Data with Pervasive Encryption

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Securing IoT Data with Pervasive Encryption

Similar to Securing IoT Data with Pervasive Encryption (20)

More from Data Con LA

More from Data Con LA (20)

Recently uploaded

Recently uploaded (20)

Securing IoT Data with Pervasive Encryption