SESSION ID: #RSAC The Secret Life of Data: Protecting Sensitive Information, Mobile to Cloud CDS-R02 Dan Griffin President JW Secure, Inc. @JWSdan

Sep 03, 2018

Transcript
Page 1: CDS-R02 The Secret Life of Data: Protecting Sensitive … · The Secret Life of Data: Protecting Sensitive Information, Mobile to Cloud CDS-R02 Dan Griffin. President. JW Secure,

Session ID: CDS-R02

The Secret Life of Data: Protecting Sensitive Information, Mobile to Cloud

Dan Griffin, President, JW Secure, Inc. (@JWSdan)

Page 2

WWNSAD?

Intelligence agencies have been public about:
- The inevitability of mobile computing
- The need to support cloud-based services, even when using secret data in the field

What works for them can work for you

Page 3

Page 4

Page 5

Page 6

Page 7

Page 8

Building blocks of security

What is a TPM? What is “measured boot”? What is “remote attestation”?

Page 9

Measured Boot + Remote Attestation

Page 10

What is measured boot?

Page 11

What is remote attestation?

Page 12

DEMO

Sample application #1: reduce fraud in mobile/consumer scenarios

Page 13

Cloud services demand ID

Enterprise: BYOD

Consumer:
- Targeted advertising
- eCommerce, mobile banking, etc.

Most user IDs are static and cached on a device:
- That only works for low-value purchases
- How do you improve ID for high-value purchases?

Page 14

Low friction authentication

Each additional screen requires user input:
- Slows down the process while the user re-orients
- Causes more users to abandon the web site

In contrast, progressive authentication:
- Lets users investigate a site using just cookies
- Defers questions until the information is needed
- Reduces user drop-out from frustration

Page 15

Splash screen

The screen a user sees when the app is launched

Similar data in the launch tile

Page 16

User sign in

The user name can be taken from a cookie

Account details are hidden until the user enters a password

Page 17

Enrollment: 1

The first time the app is used, the user must activate the app

When this button is pressed, an SMS message is sent to the phone number on file

Page 18

Enrollment: 2

The user enters the PIN received in the SMS message

After this, the user proceeds as with a normal sign-in procedure

Page 19

After sign in

The user sees all account information

Page 20

User tries to move money

When the user goes to move money out of the account, the health of the device is checked

Page 21

Remediation needed

If the device is not healthy enough to allow a money transfer, the user is directed to a site to fix the problem
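The demo flow on slides 14 to 21 (cookie-based identity, one-time SMS activation, password to unlock account details, device health check before a money transfer, remediation when the check fails) is a step-up authentication policy. The following is an added example written for this transcript, not code from the talk or from JW Secure's StrongNet product; the action names, the five-minute PIN lifetime and the remediation URL are assumptions, and the health check is passed in as a callable because the talk does not show how the health service is queried.

```python
"""Progressive (step-up) authentication with a device-health gate.

Constructed example modelled on the demo flow: identity is remembered from a
cookie, the app must be activated once with an SMS PIN, a password unlocks
account details, and a money transfer additionally requires the device to
pass a health check or be sent to remediation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

PIN_TTL_SECONDS = 300                                     # assumption: PIN valid for 5 minutes
REMEDIATION_URL = "https://remediation.example.invalid/"  # placeholder, not the demo's site


@dataclass
class PinChallenge:
    """Server-side record of an SMS activation PIN (only the hash is stored)."""
    pin_hash: bytes
    issued_at: float
    used: bool = False


def issue_pin(now: float):
    """Generate a 6-digit one-time PIN; the caller sends `pin` to the phone on file."""
    pin = f"{secrets.randbelow(10 ** 6):06d}"
    challenge = PinChallenge(hashlib.sha256(pin.encode()).digest(), now)
    return pin, challenge


def verify_pin(challenge: PinChallenge, submitted: str, now: float) -> bool:
    """Single-use, time-limited, constant-time comparison of the submitted PIN."""
    if challenge.used or now - challenge.issued_at > PIN_TTL_SECONDS:
        return False
    ok = hmac.compare_digest(challenge.pin_hash,
                             hashlib.sha256(submitted.encode()).digest())
    if ok:
        challenge.used = True
    return ok


@dataclass
class Session:
    username: Optional[str] = None         # taken from the cookie when present
    device_enrolled: bool = False          # app activated via SMS PIN on this device
    password_ok: bool = False              # password entered during this session
    device_healthy: Optional[bool] = None  # None: health not yet checked


@dataclass(frozen=True)
class Decision:
    outcome: str   # "allow", "step_up", "remediate" or "deny"
    detail: str


def authorize(session: Session, action: str,
              health_check: Callable[[Session], bool]) -> Decision:
    """Ask for exactly the next assurance step the requested action needs."""
    if action == "browse":
        return Decision("allow", "public content needs no identity")
    if action not in ("view_account", "transfer"):
        return Decision("deny", f"unknown action {action!r}")
    # Slide 16: user name from the cookie; nothing else is shown before a password.
    if session.username is None:
        return Decision("step_up", "enter user name")
    # Slides 17-18: first use on this device requires activation by SMS PIN.
    if not session.device_enrolled:
        return Decision("step_up", "activate app: PIN sent by SMS to the phone number on file")
    if not session.password_ok:
        return Decision("step_up", f"enter password for {session.username}")
    if action == "view_account":
        return Decision("allow", "account details unlocked by password")
    # Slides 20-21: moving money is gated on device health, with a remediation path.
    if session.device_healthy is None:
        session.device_healthy = health_check(session)
    if not session.device_healthy:
        return Decision("remediate", REMEDIATION_URL)
    return Decision("allow", "device health verified; transfer permitted")


def walk_demo(device_is_healthy: bool):
    """Drive a fresh session through the demo screens; returns the outcomes seen."""
    session = Session(username="alice")        # constructed: remembered by cookie
    check = lambda _s: device_is_healthy
    seen = [authorize(session, "view_account", check).outcome]      # step_up: activate
    pin, challenge = issue_pin(now=1_000.0)
    session.device_enrolled = verify_pin(challenge, pin, now=1_010.0)
    seen.append(authorize(session, "view_account", check).outcome)  # step_up: password
    session.password_ok = True
    seen.append(authorize(session, "view_account", check).outcome)  # allow
    seen.append(authorize(session, "transfer", check).outcome)      # allow or remediate
    return seen
```

The policy asks only for the next missing step, which is the low-friction property slide 14 argues for, while the health check is deferred until the one action whose value justifies it. The PIN record keeps a hash rather than the PIN, is single-use and expires, so a captured or replayed activation code does not enroll a second device.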

Page 22

Protecting cloud data with attestation

Data or access key is hardware encrypted

Key is bound to specific authenticated TPM

Device must be policy compliant for key to work

Otherwise data cannot be viewed and network resources cannot be accessed
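Slides 9 to 11 ask what measured boot and remote attestation are, and slide 22 describes the result: a key bound to a TPM that only works while the device is policy compliant. The following simulation is an added example written for this transcript, not code from the talk, from a real TPM stack or from StrongNet. It stands in for one PCR with a SHA-256 hash chain, lets a verifier replay the event log against an allowlist of known-good measurements, and wraps a data key so it is only released when the PCR equals the sealed value. The boot component images, the device seed and the XOR-plus-HMAC wrapping are constructed simplifications; a real TPM uses its own storage key and authenticated encryption.

```python
"""Measured boot, attestation verification and a PCR-bound data key (simulation).

Constructed example: a software stand-in for one TPM PCR and its event log, a
health-service verifier that replays the log against an allowlist of known-good
measurements, and a data key that the TPM releases only when the PCR equals
the value it was sealed to. Nothing here is a real TPM; the seed and
component images are constructed sample values.
"""
import hashlib
import hmac

PCR_INITIAL = bytes(32)  # PCRs read as all zeros after reset


def measure(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    # TPM2_PCR_Extend semantics: PCR' = H(PCR || measurement). A PCR cannot be
    # set to a chosen value, so a changed or reordered stage yields a different PCR.
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components):
    """Each boot stage measures the next one into the PCR and logs what it measured."""
    pcr, event_log = PCR_INITIAL, []
    for stage, image in components:
        m = measure(image)
        event_log.append((stage, m))
        pcr = extend(pcr, m)
    return pcr, event_log


def verify_attestation(reported_pcr: bytes, event_log, allowlist):
    """Health service: every logged measurement must be known-good for its stage,
    and replaying the log must reproduce the PCR the device reported."""
    pcr = PCR_INITIAL
    for stage, m in event_log:
        if m not in allowlist.get(stage, set()):
            return False, f"unknown measurement for stage {stage!r}"
        pcr = extend(pcr, m)
    if not hmac.compare_digest(pcr, reported_pcr):
        return False, "event log does not replay to the reported PCR"
    return True, "compliant"


class SimulatedTpm:
    """Stand-in for the TPM's sealing function: the seed never leaves the object,
    and the wrapping key depends on the PCR value at unseal time."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self.pcr = PCR_INITIAL

    def _kek(self, pcr: bytes) -> bytes:
        return hmac.new(self._seed, pcr, hashlib.sha256).digest()

    def seal(self, key: bytes, expected_pcr: bytes):
        """Wrap a 32-byte key so it only unwraps when the PCR equals expected_pcr."""
        kek = self._kek(expected_pcr)
        wrapped = bytes(a ^ b for a, b in zip(key, kek))       # toy wrap; real TPMs use AES
        tag = hmac.new(kek, wrapped, hashlib.sha256).digest()  # detects a wrong PCR
        return wrapped, tag

    def unseal(self, sealed):
        wrapped, tag = sealed
        kek = self._kek(self.pcr)
        if not hmac.compare_digest(hmac.new(kek, wrapped, hashlib.sha256).digest(), tag):
            return None  # policy check failed: PCR does not match the sealed value
        return bytes(a ^ b for a, b in zip(wrapped, kek))


# Constructed known-good boot chain and the allowlist derived from it.
GOOD_BOOT = [("firmware", b"fw 1.2 (constructed)"),
             ("bootloader", b"bl 3.0 (constructed)"),
             ("kernel", b"kernel 5.4 (constructed)")]
ALLOWLIST = {stage: {measure(image)} for stage, image in GOOD_BOOT}
GOOD_PCR, _ = measured_boot(GOOD_BOOT)


def access_attempt(components, allowlist=ALLOWLIST):
    """Boot with `components`, attest to the health service, then ask the TPM for
    the data key. Returns (attested, key_released, reason)."""
    tpm = SimulatedTpm(seed=b"device-unique seed (constructed)")
    data_key = bytes(range(32))                  # constructed 32-byte data key
    sealed = tpm.seal(data_key, GOOD_PCR)        # provisioned on a known-good boot
    tpm.pcr, event_log = measured_boot(components)
    attested, reason = verify_attestation(tpm.pcr, event_log, allowlist)
    released = tpm.unseal(sealed) == data_key
    return attested, released, reason
```

Two properties fall out of the hash chain. A modified bootloader changes every later PCR value, so the verifier rejects the log and the TPM refuses to unseal, which is the "otherwise data cannot be viewed" case on this slide. A legitimately patched kernel also changes the PCR: until the allowlist is updated the device is reported non-compliant, and even after that the key has to be re-sealed to the new PCR value before it is released again. That is the "patching delay and whitelist maintenance" cost slide 30 lists among the weaknesses.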

Page 23

DEMO

Sample application #2: protect cloud data

Page 24

Policy-enforced file access

BYOD

Download sensitive files from the document repository

Leave the laptop in the back of a taxi

Page 25

Device authorization for SharePoint

Page 26

Device authorization for SharePoint

Page 27

Device authorization telemetry

Page 28

Device authorization for SharePoint (architecture diagram)

Components shown: Web Browser, Client Agent, Health Service, Client, Data Repository, Custom Attribute Store, ADFS, SharePoint, Registration Portal. The diagram numbers the flow between them (steps 1 to 6); the step order is not recoverable from the extracted text.

Page 29

Device authorization for SharePoint (architecture diagram)

Components shown: Web Browser, Client Agent, Registration Authority, Client, Certificate Authority, SharePoint, Registration Portal. The diagram numbers the flow between them (steps 1 to 4); the step order is not recoverable from the extracted text.

Page 30

Weaknesses of TPM remote platform attestation

Provisioning:
- Secure supply chain?
- TPM EK database
- Patching delay and whitelist maintenance (firmware and drivers)

Integrity of the TPM hardware:
- Capping: electron microscopes
- Migration trend from hardware to firmware

Page 31

Attestation Data Flow Diagram

Page 32

Recent developments

Measurement-bound keys:
- “Trusted Tamperproof Time on Mobile Devices”
- See http://www.jwsecure.com/dan

Commercial availability:
- JW Secure StrongNet
- Google Chromebook
- Intel Trust Attestation Solution
- Microsoft TPM Key Attestation

Page 33

Next steps

Audit current systems:
- How do you prevent stolen credentials?
- Do you depend on encryption alone?
- Who has admin access to critical systems?
- Is your BYOD policy managed tightly, or is it increasing your risk?
- Are you relying on static passwords and traditional antivirus programs?
- Do you authenticate computers as well as users?

Page 34

In summary, you can:

Continuously enforce security policy in hardware, firmware and software

Ensure that sensitive data is always encrypted—everywhere

Enable strong authentication of users and computers

Mitigate credential theft

Page 35

Page 36

Questions?

Call or email me with questions, or to request a demo of StrongNet:

[email protected]

+1 206 683 6551

@JWSdan

JW Secure provides custom security software development services.