1. Deployment Strategies for Effective Encryption
Session E5
Tuesday April 3, 2012
9:45AM - 10:45AM
Ben Rothke, CISSP CISM
Wyndham Worldwide - Manager - Information Security
2. MIS Training Institute Session E5 - Slide 2
About me
Ben Rothke, CISSP, CISM, CISA
Manager - Information Security - Wyndham Worldwide
All content in this presentation reflects my views exclusively and not those of Wyndham Worldwide
Author - Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)
Write the Security Reading Room blog
https://365.rsaconference.com/blogs/securityreading
3. Overview
Encryption internals are built on complex mathematics and number theory
Your successful encryption program requires a CISSP, CISA and PMP, not necessarily a PhD
Effective encryption requires attention to detail and good design, combined with good project management and documentation
Your encryption strategy must reflect this
4. It’s 2012 – where’s the encryption?
Many roll-outs are nothing more than stop-gap solutions
Getting it done often takes precedence over key management, documentation, processes, etc.
Many organizations lack the required security expertise
These and more combine to keep encryption from being ubiquitous
Adds up to a significant need for encryption deployment strategies
5. Encryption strategy in 3 easy steps
1. Define your requirements
2. Know where your sensitive data resides
3. Create detailed implementation plans
When implementing your encryption strategy, remember that information security is a process, not a product.
6. Typical encryption nightmare scenario
Monday 9AM – Audit report released to CEO. Numerous failings, notably lack of strong encryption
Monday 11AM – CEO screams at CIO
Monday Noon – CIO screams at CISO
Monday 2PM – CISO screams at staff
Tuesday – With a blank check, CISO tells the information security manager to order encryption equipment ASAP
Thursday – Security team spends two days and nights installing/configuring encryption hardware and software
Six months later – Complete disarray with regard to encryption key management. CEO screams at CIO, who fires the CISO
Next day – Interim CISO tells team to get encryption working by the weekend
7. Encryption nirvana scenario
(Diagram: a flow from initial drivers through three phases to effective encryption)
Initial Drivers: Business, Technical, Regulatory
Policy phase: Define Drivers, Data Classification, Policy Definition
Strategy phase: Data Mapping, Risk Modeling, Control Gaps
Deployment phase: Implementation, Management, Audit
Result: Effective Encryption
8. Encryption challenges
Operating system and application vendors haven’t made it easy and seamless to implement encryption
Lack of legacy support
Laws often conflict or fail to provide effective guidance
Far too few companies have encryption policies and/or a formal encryption strategy
Costs / Performance
  up-front and on-going maintenance costs
  performance hit
  added technical staff
9. Encryption – a double-edged sword
(Diagram: an effective encryption strategy sits between two extremes)
One edge: No one, not even NSA, CIA, KGB, or an evil hacker, can read your data
Other edge: No one, including you, can read your data
10. Common deployment mistakes
Thinking encryption is plug and play
  hardware is PnP
  making encryption work is not
Going to a vendor too early
  vendors sell hardware/software
  you need requirements, project plans, implementation guides, etc.
11. More common deployment mistakes
Not being transparent to end users
  if it’s a pain to use, they will ignore it or go around it
Not giving enough time to design/test
  effective encryption roll-outs take time
  they require significant detail
  you can’t rush this!
12. Dealing with vendors
When you drive the project:
  you define the requirements
  you have chosen them
  the vendor provides best practices / assistance
  vendor input can be invaluable
  the project succeeds
When they are brought in as the experts:
  they are expected to put out a fire
  they spec out their product
  you don’t have internal expertise working with them
  the project fails
13. Technically advanced airplane paradox
Technically advanced airplanes (TAA) in theory have more available safety, but without proper training for their pilots they can be less safe than airplanes with less available safety
FAA found that without proper training for the pilots who fly them, technically advanced airplanes don’t advance safety at all
TAA present challenges that under-prepared pilots might not be equipped to handle
Encryption is exactly like a TAA: your staff must be trained and prepared
14. Encryption Strategy
Mathematics of cryptography is rocket science
But most aspects of information security, compliance and audit are not!
Good computer security is attention to detail and good design, combined with effective project management
Enterprise encryption strategy must reflect this
  not everyone will need encryption across the board
  policies need to be determined first as to what requires encryption
15. What should the strategy include?
laptop encryption
database encryption
network encryption
smart cards
mobile encryption
wireless encryption
smart phones
iPad/iPod/iPhone
application encryption
storage encryption
PDAs
USB
floppies/CD-ROM/DVD
emerging technologies
16. Strategy prioritization
Prioritize based on specific requirements and compensating controls
Start with the assumption that data needn’t be encrypted unless there is a specific requirement to encrypt, or you identify a high-risk situation where encrypting the data will avert disaster
Encrypting where there is no such requirement:
  gives a false sense of security
  takes budget away from more pressing encryption requirements
  increases administrative burden
  risks locking you out of your own data
17. Current state
Evaluate current encryption strategy and policy
  In sync with industry security best practices?
  Encryption framework in place?
  Policies in place?
Define what regulations must be complied with
Document the current encryption hardware / software environment
(Policy phase of the diagram: Define Drivers, Data Classification, Policy Definition)
19. Analyze your encryption needs
protect data from loss and exposure?
prevent access to the system itself?
does software need to access the files after encryption?
is data to be transported securely? By what means?
how much user burden is acceptable?
how strong does the encryption need to be?
do you need to match the solution to the hardware?
regulatory, contractual and organizational policy requirements?
ask a lot of questions at this point!
20. Encryption keys – where art thou?
VPN connections
SSL/TLS
PKI/IdM
user-generated keys
file system encryption
third parties
Trusted Platform Module (TPM)
  built into new desktops and laptops
21. Drivers
Business
  customer trust
  intellectual property
Technical
  AES, PGP, BitLocker, etc.
  increase in mobile devices
Regulatory
  PCI / SOX / EU / ISO 17799
  State data breach laws
(Policy phase of the diagram: Define Drivers, Data Classification, Policy Definition)
22. Documentation and policies
Encryption must be supported by policies, documentation and a formal system and risk management program
  shows the work was adequately planned and supervised
  demonstrates internal controls were studied and evaluated
Policy must be:
  endorsed by management
  communicated to end-users and to business partners / 3rd parties that handle sensitive data. If they can’t meet the company’s policies, don’t give them access to your data
Encryption responsibility should be fixed, with consequences for noncompliance
(Policy phase of the diagram: Define Drivers, Data Classification, Policy Definition)
23. Encryption processes
Encryption is process intensive
Processes must be well-defined and documented
If not implemented and configured properly, encryption can cause system performance degradation or operational hurdles
Improperly configured encryption processes give a false sense of security
  perception that confidentiality of sensitive information is protected when it’s not
24. Data classification
Provides users with information to guide security-related information handling
The process must align with business processes
Classification is dynamic
  changes as data objects move from one class to another
  changes as business strategies, structures and external forces change
  understand the potential for change and embed appropriate processes to manage it
(Policy phase of the diagram: Define Drivers, Data Classification, Policy Definition)
25. Data classification drivers
Compliance, discovery, archiving, never-delete retention policy, performance, availability, recovery attributes…
Gartner: Organizations that do not have an effective data classification program usually fail at their data encryption projects.
Example classification schemes:
  Four category: Secret, Confidential, Private, Unclassified
  Five category: Top Secret, Highly Confidential, Proprietary, Internal Use Only, Public
26. Encryption strategy
Identify all methods of data input/output
  storage media
  business partners and other third parties
  applicable regulations and laws
  high-risk areas
    laptops
    wireless
    data backups
    others
(Strategy phase of the diagram: Data Mapping, Risk Modeling, Control Gaps)
27. Data discovery
Identify precisely where data is stored and all data flows
System-wide audit of all data repositories
  significant undertaking for large enterprises
  the process can take months
Required to comply with PCI?
  confirm you are not storing PCI-prohibited data
  manually review data flows within the POS application to find files where the results of a card swipe are written
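The PCI discovery step above (finding stored card numbers and files where swipe results are written) as a worked example. This is added code, not material from the slides or from the presenter: a Python scanner that walks a directory tree, flags Luhn-valid card numbers with a plausible issuer prefix, flags track 1 / track 2 magnetic-stripe data (sensitive authentication data, which must not be stored after authorization), and reports each hit with the PAN masked so the report is not itself a store of cardholder data. The sample files, the regular expressions and the issuer-prefix table are this example's own assumptions; the card numbers are published test numbers, not real accounts.

```python
"""Added example (not from the slides): a minimal PCI-style data discovery pass.

Walks a directory tree and reports (a) bare primary account numbers (PANs),
validated with the Luhn check plus an issuer-prefix check to cut false
positives from timestamps and IDs, and (b) track 1 / track 2 data, which is
sensitive authentication data that must never be stored after authorization.
Every hit is reported with the PAN masked (first six, last four digits).
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# 13-19 digits, optionally grouped with single spaces or dashes, not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1: %B<PAN>^<name>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")


@dataclass(frozen=True)
class Finding:
    path: str
    offset: int
    kind: str          # "pan", "track1" or "track2"
    masked_pan: str


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check digit, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(digits: str) -> str:
    """Coarse issuer identification by leading digits; '' if no known scheme fits (assumed table)."""
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "visa"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and len(digits) == 16:
        return "mastercard"
    if two in (34, 37) and len(digits) == 15:
        return "amex"
    if (four == 6011 or two == 65) and len(digits) in (16, 19):
        return "discover"
    return ""


def mask(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    findings: List[Finding] = []
    covered: List[Tuple[int, int]] = []
    # Track data first: it is the more serious finding, and its PAN must not be
    # reported a second time as a bare PAN.
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            if luhn_ok(m.group(1)):
                findings.append(Finding(path, m.start(), kind, mask(m.group(1))))
                covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(text):
        if any(start <= m.start() < end for start, end in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and issuer(digits):
            findings.append(Finding(path, m.start(), "pan", mask(digits)))
    return findings


def scan_tree(root: str) -> List[Finding]:
    results: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                # latin-1 maps every byte to one character, so offsets stay byte offsets
                results.extend(scan_text(fh.read().decode("latin-1"), full))
    return results


def demo() -> List[Tuple[str, str]]:
    """Constructed sample files (published test card numbers, not real accounts) in a temp dir."""
    samples = {
        "pos/settle.log": "txn 0017 approved card 4111 1111 1111 1111 amt 42.00\n"
                          "txn 0018 approved card 4111-1111-1111-1112 amt 7.00\n",  # fails Luhn: ignored
        "pos/swipe.dbg": "raw=;5500000000000004=25121011234567890?\n",            # track 2: prohibited
        "app/config.ini": "session_id=20120403094500\nport=8443\n",                  # digits, not a PAN
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="latin-1") as fh:
                fh.write(content)
        return sorted((f.kind, f.masked_pan) for f in scan_tree(root))


if __name__ == "__main__":
    for kind, masked in demo():
        print(f"{kind:7s} {masked}")
```

Run it as-is to scan the constructed samples, or call scan_tree() on a real path. Expect false positives from long numeric identifiers and false negatives for PANs held in databases, compressed or encrypted files, which this byte-level scan does not open; the manual review of POS data flows the slide calls for is still needed for those.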
29. Requirements analysis
Define business, technical, and operational requirements and objectives for encryption
  define policies, architecture, and scope of encryption requirements
  conduct interviews, review policy documents, analyze current and proposed encryption strategy to identify possible security gaps
  determine liabilities
Better requirements definition directly correlates with a successful encryption program
(Strategy phase of the diagram: Data Mapping, Risk Modeling, Control Gaps)
30. Legacy systems
Most legacy systems were not designed for encryption
Legacy encryption options
  retrofitting the application so that encryption is built in to application functions
  using an encryption appliance that sits between the app and the database
  off-loading encryption to the storage mechanism or database
Hardest platform – AS/400
31. Full-disk / host-based encryption (at rest)
Data encrypted at creation
  first possible level of data security
  little chance of encrypted data being intercepted, accidentally or maliciously
  if intercepted, encryption renders it unreadable
Can significantly increase processing overhead
  requires additional processing power/expense
Highly secure and well-suited to active data files
Large-scale data encryption can be unwieldy and impact performance
Vendors: Microsoft, Check Point, PGP, TrueCrypt
33. Appliance-based encryption
Data leaves the host unencrypted, then goes to a dedicated appliance for encryption
  after encryption, data enters the network or storage device
Quickest to implement, but can be costly
Can be easy to bypass
Good quick fix
For extensive data storage encryption, the cost and management complexity of encrypting in-band can increase significantly
Vendors: NetApp, Thales/nCipher
34. Storage device encryption
Data is transmitted unencrypted to the storage device, which encrypts it
  easiest integration into existing backup environments
  supports in-device key management
  easy to export encrypted data to tape
Easy to implement and cost-effective
Best suited to static and archived data or to encrypting large quantities of data for transport
Large numbers of devices can be managed from a single key management platform
Vendors: EMC, IBM, Hitachi
35. Tape-based encryption
Data can be encrypted on the tape drive
  most secure solution
  no performance penalty on the host (the drive does the encryption)
  easy to implement
Provides protection from both offsite and on-premise information loss
Enables secure shipment of data
Allows secure reuse of tapes
Vendors: Thales, HP, CA, Brocade, NetApp
36. Database encryption
DBMS-based encryption is vulnerable when the key used to encrypt data in a DB table is itself stored inside the DB, protected only by native DBMS access controls
  users who have access rights to the encrypted data often have access rights to the encryption key
  this creates a security vulnerability because the encrypted text is not separated from the means to decrypt it
  it also doesn’t provide adequate tracking or monitoring of suspicious activities
37. Database encryption
Inside DBMS:
  least impact on the application
  security vulnerability: encryption key stored in a database table
  performance degradation
  to separate keys, additional hardware is required, e.g., HSM
Outside DBMS:
  removes computational overhead from DBMS and application servers
  separates encrypted data from the encryption key
  communication overhead
  must administer more servers
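Slides 36 and 37 side by side in code, as an added example that is not part of the presentation: the "inside DBMS" layout with the key in a table next to the data, and the "outside DBMS" layout where the database holds only ciphertext plus a data-encrypting key (DEK) wrapped by a key-encrypting key (KEK) that stays in an HSM, so that rotating the KEK re-wraps one row instead of re-encrypting the data. SQLite stands in for the DBMS, the Hsm class for the HSM, and seal()/unseal() (HMAC-SHA256 in counter mode with an HMAC tag, so the file runs on the standard library alone) for AES-GCM; all three are this example's assumptions, not anything the slides name.

```python
"""Added example, not from the slides: slide 36's 'key in a table next to the data'
beside slide 37's 'outside DBMS' design (envelope encryption: a data-encrypting key,
DEK, stored wrapped under a key-encrypting key, KEK, that never leaves the HSM),
plus a KEK rotation that touches no data rows.  seal()/unseal() are a stand-in for
AES-GCM (HMAC-SHA256 as a PRF in counter mode, then an HMAC tag) so the file runs on
the standard library alone; a real deployment uses a vetted AEAD or the HSM's wrap."""
import hashlib
import hmac
import secrets
import sqlite3
from typing import List, Tuple


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block in range((len(data) + 31) // 32):          # 32-byte keystream blocks
        stream = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[block * 32:(block + 1) * 32], stream))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce(16) || ciphertext || tag(32); fresh random nonce per call (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = _ctr_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return _ctr_xor(_subkey(key, b"enc"), nonce, ct)


class Hsm:
    """Stand-in for an HSM/KMS: KEKs are generated and used in here, never exported."""
    def __init__(self) -> None:
        self._keks = {1: secrets.token_bytes(32)}
        self.current = 1

    def wrap(self, dek: bytes) -> Tuple[int, bytes]:
        return self.current, seal(self._keks[self.current], dek)

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        return unseal(self._keks[version], wrapped)

    def rotate(self) -> int:
        self.current += 1
        self._keks[self.current] = secrets.token_bytes(32)
        return self.current


# Slide 36 anti-pattern: the key sits in app_keys, one SELECT away from the data.
def inside_dbms_setup(pans: List[str]) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE cards (id INTEGER PRIMARY KEY, pan_ct BLOB);"
                       "CREATE TABLE app_keys (key_id INTEGER PRIMARY KEY, key BLOB);")
    key = secrets.token_bytes(32)
    conn.execute("INSERT INTO app_keys VALUES (1, ?)", (key,))
    conn.executemany("INSERT INTO cards (pan_ct) VALUES (?)", [(seal(key, p.encode()),) for p in pans])
    return conn


def dba_reads_inside_dbms(conn: sqlite3.Connection) -> List[str]:
    """Anyone with SELECT on both tables recovers every PAN; no HSM or application needed."""
    key = conn.execute("SELECT key FROM app_keys WHERE key_id = 1").fetchone()[0]
    return [unseal(key, r[0]).decode() for r in conn.execute("SELECT pan_ct FROM cards ORDER BY id")]


# Slide 37 'outside DBMS': the database holds ciphertext and a wrapped DEK, nothing else.
def outside_dbms_setup(hsm: Hsm, pans: List[str]) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE cards (id INTEGER PRIMARY KEY, pan_ct BLOB);"
                       "CREATE TABLE dek_store (dek_id INTEGER PRIMARY KEY, kek_version INTEGER, wrapped_dek BLOB);")
    dek = secrets.token_bytes(32)
    conn.execute("INSERT INTO dek_store VALUES (1, ?, ?)", hsm.wrap(dek))
    conn.executemany("INSERT INTO cards (pan_ct) VALUES (?)", [(seal(dek, p.encode()),) for p in pans])
    return conn


def app_reads_outside_dbms(conn: sqlite3.Connection, hsm: Hsm) -> List[str]:
    version, wrapped = conn.execute("SELECT kek_version, wrapped_dek FROM dek_store WHERE dek_id = 1").fetchone()
    dek = hsm.unwrap(version, wrapped)                    # the one call that needs the HSM
    return [unseal(dek, r[0]).decode() for r in conn.execute("SELECT pan_ct FROM cards ORDER BY id")]


def dba_dump(conn: sqlite3.Connection) -> bytes:
    """Everything a database-only reader gets from the outside-DBMS layout: opaque blobs."""
    rows = conn.execute("SELECT pan_ct FROM cards").fetchall()
    rows += conn.execute("SELECT wrapped_dek FROM dek_store").fetchall()
    return b"".join(r[0] for r in rows)


def rotate_kek(conn: sqlite3.Connection, hsm: Hsm) -> int:
    """Periodic key change: re-wrap the DEK under a new KEK; the cards table is untouched."""
    version, wrapped = conn.execute("SELECT kek_version, wrapped_dek FROM dek_store WHERE dek_id = 1").fetchone()
    dek = hsm.unwrap(version, wrapped)
    new_version = hsm.rotate()
    conn.execute("UPDATE dek_store SET kek_version = ?, wrapped_dek = ? WHERE dek_id = 1", hsm.wrap(dek))
    return new_version


if __name__ == "__main__":
    pans = ["4111111111111111", "5500000000000004"]      # published test numbers, not real accounts
    print("inside DBMS, DBA reads:", dba_reads_inside_dbms(inside_dbms_setup(pans)))
    hsm = Hsm()
    conn = outside_dbms_setup(hsm, pans)
    print("outside DBMS, DBA dump contains a PAN:", pans[0].encode() in dba_dump(conn))
    print("after KEK rotation to v%d the app still reads:" % rotate_kek(conn, hsm), app_reads_outside_dbms(conn, hsm))
```

The point is in dba_reads_inside_dbms() versus dba_dump(): with the key in app_keys, SELECT on two tables yields plaintext; with the KEK outside, the same dump yields nothing usable without the HSM. The communication and administration overhead the slide lists is real, since every read needs an unwrap call, which is why applications normally hold the unwrapped DEK in memory for its cryptoperiod rather than calling the HSM per row.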
38. Key Management (KM)
Generation, distribution, storage, recovery and destruction of encryption keys
  encryption is 90% management and policy, 10% technology
  most encryption failures are due to ineffective KM processes
  80% of the 22 SAP testing procedures related to encryption are about KM
  effective KM policy and design requires significant time and effort
39. The n² Problem
With symmetric cryptography, as the number of users increases, the number of keys required increases rapidly
For a group of n users, ½(n² - n) keys are needed for every pair to communicate
As the number of parties (n) increases, the number of symmetric keys becomes unreasonably large for practical use

Users   ½(n² - n)              Shared keys required
2       ½(4 - 2)               1
3       ½(9 - 3)               3
10      ½(100 - 10)            45
100     ½(10,000 - 100)        4,950
1000    ½(1,000,000 - 1,000)   499,500
40. Key management questions
how many keys do you need?
where are keys stored?
who has access to keys?
how will you manage keys?
how will you protect access to encryption keys?
how often should keys change?
what if key is lost or damaged?
how much key management training will we need?
how about disaster recovery?
41. PCI DSS key management requirements
PCI DSS v2.0 requirement 3.6
generation of strong keys
secure key distribution
periodic key changes
destruction of old keys
dual control of keys
replacement of compromised keys
key revocation
42. Key Management
Keys must be accessible for the data to be accessible
  if too accessible, higher risk of compromise
Reliability
  an outage in the key management system will prevent the business from functioning
Centralized key management
  can help simplify key management for multiple applications
43. Key generation and destruction
Generation:
  FIPS 140-2 validated cryptographic module
  distribution: manual or electronic
  backup/restore
  split knowledge
Destruction:
  getting rid of keys is just as detailed as creating them
  processes must deal with keys stored on hard drives, USB, EPROM, and at third parties
  facilities must exist to destroy hard copies of keys, both on paper and in hardware
44. OASIS Enterprise Key Management Infrastructure (EKMI)
Focused on standardizing management of symmetric encryption keys across the enterprise within a symmetric key management system (SKMS)
Working on creation of:
  Symmetric Key Services Markup Language (SKSML) protocol
  Implementation and operations guidelines for an SKMS
  Audit guidelines for auditing an SKMS
  Interoperability test-suite for SKSML implementations
www.oasis-open.org/committees/ekmi
45. For more information
Guideline for Implementing Cryptography in the Federal Government (NIST SP 800-21-1)
http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf
Cryptographic Toolkit (NIST)
http://csrc.nist.gov/groups/ST/toolkit/index.html
Recommendation for Key Management (NIST SP 800-57 Part 1)
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
Encryption Strategies: The Key to Controlling Data (Oracle white paper)
www.oracle.com/encryption/wp/encryption_strategies_wp.pdf
47. Summary
Organizations that do not have an effective data classification program usually fail at their data encryption projects
Creating an effective deployment strategy is the difference between strong encryption and an audit failure
Encryption is about attention to detail, good design and project management
48. Contact info
Ben Rothke, CISSP CISA
Manager – Information Security
Wyndham Worldwide Corporation
www.linkedin.com/in/benrothke
www.twitter.com/benrothke
www.slideshare.net/benrothke