1 Encryption Encryption Information Forum Information Forum Theresa A. Masse, State Chief Theresa A. Masse, State Chief Information Security Officer Information Security Officer Department of Administrative Services Department of Administrative Services Enterprise Security Office Enterprise Security Office
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
1
Encryption Encryption Information ForumInformation Forum
Theresa A. Masse, State Chief Information Theresa A. Masse, State Chief Information Security OfficerSecurity Officer
Department of Administrative ServicesDepartment of Administrative ServicesEnterprise Security OfficeEnterprise Security Office
Oregon Department of Transportation Oregon Department of Transportation Oregon Employment DepartmentOregon Employment Department Oregon LotteryOregon Lottery
Statewide ContractsStatewide Contracts Q&AQ&A
3
Encryption OverviewEncryption Overview
Richard Woodford, Security AnalystRichard Woodford, Security Analyst
Department of Administrative Department of Administrative ServicesServices
4
What is encryption? What is encryption? ““In In cryptography, encryptionencryption is the is the
process of transforming process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.”
-Wikipedia (2008)-Wikipedia (2008)
5
Need for Encryption … Need for Encryption … Keep confidential information safeKeep confidential information safe Prevent exposure of information while Prevent exposure of information while
in transit across an unsecure mediumin transit across an unsecure medium Prevent exposure of information when Prevent exposure of information when
a storage device is lost or stolena storage device is lost or stolen Oregon Identity Theft Protection Act Oregon Identity Theft Protection Act
(Senate Bill 583) “safe harbor”(Senate Bill 583) “safe harbor” Due careDue care
Protection Act Protection Act Senate Bill 583 (2007 Legislative Senate Bill 583 (2007 Legislative
session)session) “ … “ … one or more of the following data one or more of the following data
elements, when the data elements are elements, when the data elements are not rendered unusable through not rendered unusable through encryption”encryption”
First name, last nameFirst name, last name
Social Security number, drivers license Social Security number, drivers license number, passport, financial account number, number, passport, financial account number, credit card numbercredit card number
7
““Safe Harbor”Safe Harbor” What’s good enough?What’s good enough? VJKU KU GPETARVGFVJKU KU GPETARVGF
Information Asset ClassificationInformation Asset Classification Transporting Information AssetsTransporting Information Assets Controlling Portable and Removable DevicesControlling Portable and Removable Devices
Department policiesDepartment policies
9
Other DriversOther Drivers Other considerationsOther considerations
Mitigation costsMitigation costs Public trustPublic trust
10
When to Use EncryptionWhen to Use Encryption In any case where data could be at In any case where data could be at
risk from theft or eavesdroppingrisk from theft or eavesdropping Wireless networksWireless networks Transmitting data over public network Transmitting data over public network
(e.g. the Internet)(e.g. the Internet) Web pages (SSL)Web pages (SSL) E-mailE-mail
Data at RestData at Rest Portable devicesPortable devices
LaptopsLaptops Thumb drivesThumb drives
11
When to Use EncryptionWhen to Use Encryption Any device at risk of theft or exposureAny device at risk of theft or exposure Extra-sensitive dataExtra-sensitive data
12
Data at RestData at Rest Hardware basedHardware based
Built in to the hardware deviceBuilt in to the hardware device AdvantagesAdvantages
Automatically encrypts dataAutomatically encrypts data FastFast
DisadvantagesDisadvantages ProprietaryProprietary Lack of central managementLack of central management
13
Data at RestData at Rest Software basedSoftware based
AdvantagesAdvantages Lower costLower cost Does not require specific hardwareDoes not require specific hardware
DisadvantagesDisadvantages Need to install, activate and manage it, Need to install, activate and manage it,
make sure it’s being usedmake sure it’s being used
14
Software SolutionsSoftware Solutions File based (PGP, Winzip)File based (PGP, Winzip)
Done on a file-by-file basis (only protects Done on a file-by-file basis (only protects file)file)
Not automaticNot automatic Dependent on end-userDependent on end-user
Volume based (TrueCrypt)Volume based (TrueCrypt) An encrypted “virtual drive” is createdAn encrypted “virtual drive” is created All files written are encrypted automaticallyAll files written are encrypted automatically Does not necessarily encrypt all files – for Does not necessarily encrypt all files – for
example, Windows system files, security example, Windows system files, security files, temp files …files, temp files …
15
Software SolutionsSoftware Solutions Disk based (whole-disk encryption)Disk based (whole-disk encryption)
Encrypts entire drive (most secure)Encrypts entire drive (most secure) Automatic; transparent to the userAutomatic; transparent to the user But … if you lock yourself out, you’re in But … if you lock yourself out, you’re in
troubletrouble Need administrative controlNeed administrative control
16
Key ManagementKey Management Elephant in the room – the only other Elephant in the room – the only other
requirement set forth by the requirement set forth by the Department of Defense policyDepartment of Defense policy ““Mechanism to recover data if the primary Mechanism to recover data if the primary
encryption system fails”encryption system fails” Need for the organization to keep control Need for the organization to keep control
of the keys rather than individualsof the keys rather than individuals Lost passwordsLost passwords Lost individualsLost individuals Access control (control of data, investigations)Access control (control of data, investigations)
17
Bad PracticesBad Practices Data encrypted with a single-key Data encrypted with a single-key
system is a security risk to the system is a security risk to the organizationorganization
Added note…Added note… ““If I accidently leave my computer If I accidently leave my computer
unlocked and someone gets it, I don’t have unlocked and someone gets it, I don’t have to worry because the hard disk is to worry because the hard disk is encrypted…”encrypted…”
Risk of sleepingRisk of sleeping Full disk encryption vulnerabilityFull disk encryption vulnerability Turn systems offTurn systems off Bad practices trump good securityBad practices trump good security
18
ESO RecommendationsESO Recommendations Develop agency-wide strategy and Develop agency-wide strategy and
approach to encryptionapproach to encryption Centralize key management and Centralize key management and
recovery processesrecovery processes Do some research and planningDo some research and planning When justifying cost, consider cost of When justifying cost, consider cost of
data disclosures, lost data and data disclosures, lost data and reputationreputation
Look for group purchase opportunitiesLook for group purchase opportunities
19
Some Good ProductsSome Good Products http://www.guardianedge.com/http://www.guardianedge.com/
For further information For further information ……
Theresa Masse, DAS Enterprise Security Theresa Masse, DAS Enterprise Security OfficeOffice(503) 378-4896, [email protected](503) 378-4896, [email protected]
Richard Woodford, DAS Enterprise Richard Woodford, DAS Enterprise Security OfficeSecurity Office(503) 378-4518, [email protected](503) 378-4518, [email protected]
Cindy Slye, Department of TransportationCindy Slye, Department of Transportation(503) 986-3234, [email protected] (503) 986-3234, [email protected]