E5 rothke - deployment strategies for effective encryption

Deployment Strategies for
Effective Encryption
Session E5
Tuesday April 3, 2012
9:45AM - 10:45AM
Ben Rothke, CISSP CISM
Wyndham Worldwide - Manager - Information Security

MIS Training Institute Session E5 - Slide 2
About me
 Ben Rothke, CISSP, CISM, CISA
 Manager - Information Security - Wyndham Worldwide
 All content in this presentation reflect my views
exclusively and not that of Wyndham Worldwide
 Author - Computer Security: 20 Things Every Employee
Should Know (McGraw-Hill)
 Write the Security Reading Room blog
 https://365.rsaconference.com/blogs/securityreading

Overview
 Encryption internals are built on complex mathematics
and number theory
 Your successful encryption program requires a CISSP,
CISA and PMP, not necessarily a PhD
 Effective encryption requires attention to detail, good
design, combined with good project management and
documentation
 Your encryption strategy must reflect this

It’s 2012 – where’s the encryption?
 Many roll-outs nothing more than stop-gap solutions
 Getting it done often takes precedence over key
management, documentation, processes, etc.
 Many organizations lack required security expertise
 These and more combine to obstruct encryption from
being ubiquitous
 Adds up to a significant need for encryption
deployment strategies

Encryption strategy in 3 easy steps
1. Define your requirements
2. Know where your sensitive data resides
3. Create detailed implementation plans
 When implementing your encryption strategy,
remember that information security is a process, not
a product.

Typical encryption nightmare scenario
 Monday 9AM – Audit report released to CEO
 Numerous failings, namely lack of strong encryption
 Monday 11 AM – CEO screams at CIO
 Monday Noon – CIO screams at CISO
 Monday 2PM – CISO screams at staff
 Tuesday – With blank check, CISO tells info security manager to
order encryption equipment ASAP
 Thursday - Security team spends two days and nights
installing/configuring encryption hardware and software
 Six months later – Complete disarray with regard to encryption key
management. CEO screams at CIO, who fires the CISO. Next day –
Interim CISO tells team to get encryption working by the weekend

Encryption nirvana scenario
Strategy
 Data Mapping
 Risk Modeling
 Control Gaps
 Implementation
 Management
 Audit
Deployment
Define Drivers
 Data
Classification
 Policy Definition
Policy
Initial Drivers
• Business
• Technical
• Regulatory
Effective
Encryption

Encryption challenges
 Operating systems and application vendors haven’t
made it easy and seamless to implement encryption
 Lack of legacy support
 Laws often conflict or fail to provide effective guidance
 Far too few companies have encryption policies and/or
a formal encryption strategy
 Costs / Performance
 up-front and on-going maintenance costs
 performance hit
 added technical staff

Encryption – a double-edged sword
No one,
not even
NSA, CIA,
KGB, or evil
hacker, can
read your
data
No one,
including
you, can
read your
data
Effective
Encryption
Strategy

Common deployment mistakes
 Thinking encryption is plug and play
 Hardware is PnP
 making encryption work is not
 Going to a vendor too early
 vendors sell hardware/software
 you need requirements, project plans,
implementation guides, etc.

More common deployment mistakes
 Not being transparent to end users
 if it’s a pain to use, they will ignore/go around it.
 Not giving enough time to design/test
 effective encryption roll-outs take time
 require significant details
 you can’t rush this!

Dealing with vendors
 When you drive the
project
 you define the
requirements
 you have chosen them
 vendors provides best
practices / assistance
 vendor input can be
invaluable
 project succeeds
 They are brought in
as the experts
 they are expected to
put out a fire
 they spec out their
product
 you don’t have internal
expertise working with
them
 project fails

Technically advanced airplane paradox
 TAA in theory have more available safety, but without
proper training for their pilots, they could be less safe
than airplanes with less available safety
 FAA found that without proper training for the pilots
who fly them, technically advanced airplanes don’t
advance safety at all
 TAA presents challenges that under-prepared pilots
might not be equipped to handle
 Encryption is exactly like a TAA
 Your staff must be trained and prepared

Encryption Strategy
 Mathematics of cryptography is rocket science
 But most aspects of information security, compliance
and audit are not!
 Good computer security is attention to detail and good
design, combined with effective project management
 Enterprise encryption strategy must reflect this
 not everyone will need encryption across the board
 policies need to be determined first as to what requires
encryption

What should the strategy include?
 laptop encryption
 database encryption
 network encryption
 smart cards
 mobile encryption
 wireless encryption
 smart phones
 iPad/iPod/iPhone
 application encryption
 storage encryption
 PDAs
 USB
 floppies/CD-ROM/DVD
 emerging technologies

Strategy prioritization
 Prioritize based on specific requirements and
compensating controls
 start with assumption that data needn’t be encrypted
unless there’s specific requirement to encrypt or
 identify high-risk situation where encrypting data will
avert disaster
 false sense of security
 takes budget away from more pressing encryption
requirements
 increases administrative burden
 locked out of your own data

Current state
 Evaluate current encryption strategy and
policy
 In sync with industry security best
practices?
 Encryption framework in place?
 Policies in place?
 Define what regulations must be
complied with
 Document current encryption hardware
/ software environment
 Define Drivers
 Data
Classification
Policy

Current state
 Evaluate current encryption strategy and policy
 In sync with industry security best practices?
 Encryption framework in place?
 Policies in place?
 Define what regulations must be complied with
 Document current encryption hardware / software
environment

Analyze your encryption needs
 protect data from loss and exposure
 prevent access to the system itself?
 does software need to access the files after encryption?
 data to be transported securely? By what means?
 how much user burden is acceptable?
 how strong does the encryption need to be?
 do you need to match the solution to the hardware?
 regulatory, contractual, organizational policy
 ask a lot of questions at this point!

Encryption keys – where art thou?
 VPN connections
 SSL/TLS
 PKI/IdM
 user-generated keys
 file system encryption
 Third-parties
 Trusted Platform Module (TPM)
 built into news desktops and laptops

Drivers
 Business
 customer trust
 intellectual property
 Technical
 AES, PGP, BitLocker, etc.
 Increase in mobile devices
 Regulatory
 PCI / SoX / EU / ISO-17799
 State data breach laws
 Define Drivers
 Data
Classification
Policy

Documentation and policies
 Encryption must be supported by policies,
documentation and a formal system and risk
management program
 Shows work adequately planned and supervised
 Demonstrates internal controls studied and evaluated
 Policy must be:
 Endorsed by management
 Communicated to end-users and business partners /
3rd-parties that handle sensitive data. If can’t meet
company’s policies, don’t give access to your data
 Encryption responsibility should be fixed with
consequences for noncompliance
Define Drivers
 Data
Classification
Policy

Encryption processes
 Encryption is a process intensive
 Must be well-defined and documented
 If not implemented and configured properly, can cause
system performance degradation or operational hurdles
 Improperly configured encryption processes give false
sense of security
 Perception that confidentiality of sensitive
information is protected when it’s not

Data classification
 Provides users with information to guide
security-related information handling
 process must align with business processes
 classification is dynamic
 changes as data objects move from one class
to another
 changes as business strategies, structures
and external forces change
 understand potential for change
 embed appropriate processes to manage it
 Define Drivers
 Data
Classification
Policy

Data classification drivers
 Compliance, discovery, archiving, never delete retention
policy, performance, availability, recovery attributes…
 Gartner: Organizations that do not have an effective
data classification program usually fail at their data
encryption projects.
Four Category Five Category
• Secret
• Confidential
• Private
• Unclassified
• Top Secret
• Highly Confidential
• Proprietary
• Internal Use Only
• Public

Encryption strategy
 Identify all methods of data input/output
 storage media
 business partners and other third parties
 applicable regulations and laws
 high-risk areas
 laptops
 wireless
 data backups
 others

Strategy
 Data Mapping
 Risk Modeling
 Control Gaps

Data discovery
 Identify precisely where data is stored and all data
flows
 System wide audit of all data repositories
 significant undertaking for large enterprises
 process can take months
 Required to comply with PCI?
 confirm you are not storing PCI-prohibited data
 manually review data flows within POS application to
find files where results of card swipe are written

Data-flow definition

Requirements analysis
 Define business, technical, and operational
requirements and objectives for encryption
 define policies, architecture, and scope of
encryption requirements
 conduct interviews, review policy documents,
analyze current and proposed encryption
strategy to identify possible security gaps
 determine liabilities
 better requirements definition directly
correlates to successful encryption program

Strategy
 Data Mapping
 Risk Modeling
 Control Gaps

Legacy systems
 Most legacy systems not designed for encryption
 Legacy encryption options
 retrofitting application so that encryption is built-in to
application functions
 using encryption appliance that sits between app and
database
 off-loading encryption to storage mechanism or database
 Hardest platform – AS/400

Full-disk / host-based encryption (at rest)
 Data encrypted at creation
 first possible level of data security
 little chance of encrypted data being intercepted,
accidentally or maliciously
 if intercepted, encryption renders it unreadable
 can significantly increase processing overhead
 requires additional processing power/expense
 highly secure and well-suited to active data files
 large-scale data encryption can be unwieldy and impact
performance
 Vendors: Microsoft, Check Point, PGP, TrueCrypt

Full-disk / host-based (at rest)
 Data encrypted at creation
 first possible level of data security
 little chance of encrypted data being intercepted,
accidentally or maliciously
 can significantly increase processing overhead
 requires additional processing power/expense
 highly secure and well-suited to active data files
 large-scale data encryption can be unwieldy and impact
performance
 Vendors: Microsoft, Check Point, PGP, TrueCrypt

Appliance-based encryption
 Data leaves host unencrypted, then goes to dedicated
appliance for encryption
 after encryption, data enters network or storage device
 quickest to implement, but can be costly
 can be easy to bypass
 good quick fix
 for extensive data storage encryption, cost and
management complexity of encrypting in-band can
increase significantly
 Vendors: NetApp, Thales/nCipher

Storage device encryption
 Data transmitted unencrypted to storage device
 easiest integration into existing backup environments
 supports in-device key management
 easy to export encrypted data to tape
 easy to implement and cost-effective
 best suited to static and archived data or encrypting
large quantities of data for transport
 large numbers of devices can be managed from single
key management platform
 Vendors: EMC, IBM, Hitachi

Tape-based encryption
 Data can be encrypted on tape drive
 most secure solution
 no performance penalty
 easy to implement
 provides protection from both offsite and on-premise
information loss
 enables secure shipment of data
 allows secure reuse of tapes
 Vendors: Thales, HP, CA, Brocade, NetApp

Database encryption
 DBMS-based encryption vulnerable when encryption
key used to encrypt data stored in DB table inside the
DB, protected by native DBMS access controls
 users who have access rights to encrypted data often
have access rights to encryption key
 creates security vulnerability because encrypted text
not separated from means to decrypt it
 also doesn’t provide adequate tracking or monitoring of
suspicious activities

Database encryption
Inside DBMS Outside DBMS
• Least impact on app
• Security
vulnerability-
encryption key
stored in database
table
• Performance
degradation
• To separate keys,
additional hardware
required, e.g., HSM
• Remove
computational
overhead from
DBMS and
application servers
• Separate encrypted
data from encrypted
key
• Communication
overhead
• Must administer
more servers

Key Management (KM)
 Generation, distribution, storage, recovery and
destruction of encryption keys
 encryption is 90% management and policy, 10%
technology
 most encryption failures due to ineffective KM
processes
 80% of 22 SAP testing procedures related to encryption
are about KM
 effective KM policy and design requires significant time
and effort

The n2 Problem
 With symmetric cryptography, as number of users
increases, number of keys required increases rapidly
 For group of n users, there needs to be 1/2 (n2 - n) keys
for total communications
 As number of parties (n) increases, number of symmetric
keys becomes unreasonably large for practical use
Users 1/2 (n2
- n) Shared key pairs
required
2 ½ (4 - 2) 1
3 ½ (9 – 3) 3
10 ½ (100 – 10) 45
100 ½ (10,000 – 100) 4,950
1000 ½ (1,000,000 –
1,000)
499,500

Key management questions
 how many keys do you need?
 where are keys stored?
 who has access to keys?
 how will you manage keys?
 how will you protect access to encryption keys?
 how often should keys change?
 what if key is lost or damaged?
 how much key management training will we need?
 how about disaster recovery?

PCI DSS key management requirements
 PCI DSS v2.0 requirement 3.6
 generation of strong keys
 secure key distribution
 periodic key changes
 destruction of old keys
 dual control of keys
 replacement of compromised keys
 key revocation

Key Management
 Keys must be accessible for the data to be accessible
 If too accessible, higher risk of compromise
 Reliability
 Outage in the system will prevent business from
functioning
 Centralized key management
 Can help simplify key management for multiple
applications

Key generation and destruction
Generation Destruction
• FIPS 140-2
validated
cryptographic
module
• distribution
• manual
• electronic
• backup/restore
• split knowledge
• Getting rid of keys is
just as detailed as
creating them
• Processes must deal
with keys stored on:
• hard drives
• USB
• EPROM
• Third parties
• facilities must exist to
destroy hard-copies of
key, both on paper
and in hardware

OASIS Enterprise Key Management
Infrastructure (EKMI)
 Focused on standardizing management of symmetric
encryption cryptographic keys across the enterprise
within a symmetric KM system
 Working on creation of:
 Symmetric Key Services Markup Language (SKSML)
protocol
 Implementation and operations guidelines for an SKMS
 Audit guidelines for auditing an SKMS
 Interoperability test-suite for SKSML implementations
 www.oasis-open.org/committees/ekmi

For more information
 Guideline for Implementing Cryptography in the Federal
Government
 http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf
 Cryptographic Toolkit
 http://csrc.nist.gov/groups/ST/toolkit/index.html
 Recommendation for Key Management
 http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
 Encryption Strategies: The Key to Controlling Data
 www.oracle.com/encryption/wp/encryption_strategies_wp.pdf

Books

 Organizations that do not have an effective data
classification program usually fail at their data
encryption projects
 Creating an effective deployment strategy is the
difference between strong encryption and an audit
failure
 Encryption is about attention to detail, good design
and project management
Summary

Contact info
 Ben Rothke, CISSP CISA
Manager – Information Security
Wyndham Worldwide Corporation
www.linkedin.com/in/benrothke
www.twitter.com/benrothke
www.slideshare.net/benrothke

E5 rothke - deployment strategies for effective encryption

More Related Content

What's hot

Similar to E5 rothke - deployment strategies for effective encryption

More from Ben Rothke

Recently uploaded

E5 rothke - deployment strategies for effective encryption

Editor's Notes