Rothke Computer Forensics Show 2010 Deployment Strategies For Effective Encryption
Deployment Strategies for Effective Encryption - Presentation by Ben Rothke given at the Computer Forensics Show & Conference - April 19-20, 2010, New York, NY
Transcript
The Computer Forensics Show
Conference
April 19-20, 2010
New York, NY
Deployment Strategies for Effective Encryption
Ben Rothke, CISSP, CISM, PCI QSA
Senior Security Consultant
BT Global Services
April 19, 2010
About Me
• Ben Rothke, CISSP CISM QSA
• Senior Security Consultant – BT Global Services
• In IT sector since 1988 and information security since 1994
• Frequent writer and speaker
• Author - Computer Security: 20 Things Every Employee Should Know
(McGraw-Hill)
2
Overview
• Encryption internals are built on complex mathematics and
number theory
• Your successful encryption program requires a CISSP, CISA
and/or PMP, not necessarily a PhD
• Effective encryption requires attention to detail, good design,
combined with good project management and documentation
• Your encryption strategy must reflect this
– This is not a monologue – ask a question, share a comment at any time.
3
It’s 2010 – Where’s the Encryption?
• Many roll-outs are nothing more than stop-gap solutions
• Getting it done often takes precedence over key management,
documentation, processes, etc.
• Many organizations lack required security expertise
• These and more combine to obstruct encryption from being
ubiquitous
• Adds up to a significant need for encryption deployment
strategies
4
Encryption strategy in 3 easy steps
1. Define your requirements
2. Know where your sensitive data resides
3. Create detailed implementation plans
• When implementing your encryption strategy, remember that
information security is a process, not a product.
5
Typical encryption nightmare scenario
• Monday 9AM – Audit report released to CEO
– Numerous failings, namely lack of strong encryption
• Monday 11 AM – CEO screams at CIO
• Monday Noon – CIO screams at CISO
• Monday 2PM – CISO screams at staff
• Tuesday – With blank check, CISO tells info security manager to order
encryption equipment ASAP
• Thursday - Security team spends two days and nights installing/configuring
encryption hardware and software
• Six months later – Complete disarray with regard to encryption key
management. CEO screams at CIO, who fires the CISO.
• Next day – Interim CISO tells team to get encryption working by the
weekend
6
Encryption nirvana scenario
[Diagram: lifecycle of an effective encryption program. Initial drivers (business, technical, regulatory) → Define drivers → Data classification → Policy definition → Strategy (risk modeling, control gaps) → Data mapping → Implementation → Deployment → Management / audit → Effective encryption]
7
Encryption challenges
• Operating systems and application vendors haven’t made it
easy and seamless to implement encryption
– Lack of legacy support
• Laws/guidelines often conflict or fail to provide effective
guidance
• Far too few companies have encryption policies and/or a
formal encryption strategy
• Costs / Performance
– Up-front and on-going maintenance costs
– Performance hit
– Added technical staff
8
Encryption – a double-edged sword
• No one, not even the NSA, CIA, KGB, or an evil hacker, can read your data
• No one, including yourself, can read your data
9
Common encryption deployment mistakes
1. Thinking encryption is plug-and-play (PnP)
– Hardware is PnP
– Making encryption work is not
2. Going to a vendor too early
– Vendors sell hardware/software
– You need requirements
3. Not being transparent to end users
– If it’s a pain to use, they will ignore/go around it.
4. Not giving enough time to design/test
– Effective encryption roll-outs take time
– Require significant details
– You can’t rush this!
10
Dealing with vendors
• When you drive the project
– You define the requirements
– You have chosen them
– Vendor provides best practices / assistance
– Vendor input can be invaluable
– Project succeeds
• They are brought in as the experts
– They are expected to put out a fire
– They spec out their product
– You don’t have internal expertise working with them
– Project fails
11
Encryption and the technically advanced airplane paradox
• TAA in theory have more available safety, but without proper
training for their pilots, they could be less safe than airplanes
with less available safety
• FAA found that without proper training for the pilots who fly
them, technically advanced airplanes don’t advance safety at all
• TAA presents challenges that under-prepared pilots might not
be equipped to handle
• Encryption is exactly like a TAA
• Your staff must be trained and prepared.
12
Encryption Strategy
• Mathematics of cryptography is rocket science
– But most aspects of information security, compliance and audit are not!
• Good computer security is simply attention to detail and good
design, combined with effective project management
• Encryption strategy must reflect this
• Define what needs to be addressed in the enterprise encryption
strategy
– Not everyone will need encryption across the board
– Policies need to be determined first as to what requires encryption
– e.g., any information going over the Internet, or internal source code
13
What should the strategy include?
• Laptop encryption
• Database encryption
• Network encryption
• Application encryption
• Storage encryption
• Smart cards
• Mobile encryption
• Wireless encryption
• PDAs
• Smart phones
• iPad/iPod/iPhone
• USB
• Floppies/CD-ROM/DVD
• Emerging technologies
14
Strategy prioritization
• Prioritize based on specific requirements and compensating
controls
– Start with the assumption that, by default, data need not be encrypted unless there is a specific requirement to encrypt it, or
– Identify high-risk situations where encrypting data will avert disaster
• Unnecessary or poorly prioritized encryption deployments may
do more harm than good
– false sense of security
– takes budget away from more pressing encryption requirements
– increases administrative burden
– locked out of your own data
15
Current state
• Evaluate current encryption strategy and policy
– In sync with industry security best practices?
• Encryption framework in place?
• Policies in place?
• Define what regulations must be complied with
• Document current encryption hardware / software environment
16
Analyze your encryption needs
• Protect data from loss and exposure
• Prevent access to the system itself?
• Does software need to access the files after encryption?
• Data to be transported securely? By what means?
• How much user burden is acceptable?
• How strong does the encryption need to be?
• Do you need to match the solution to the hardware?
• Regulatory, contractual, organizational policy
• Ask a lot of questions at this point!
17
Where are your encryption keys from?
• VPN connections
• SSL/TLS
• PKI/IdM
• User-generated keys
• File system encryption
• Third parties
• Trusted Platform Module (TPM)
– Built into new desktops and laptops
18
Drivers
• Business
– Customer trust
– Intellectual property
• Technical
– AES, PGP, BitLocker, etc.
– Increase in mobile devices
• Regulatory
– PCI / SOX / EU Privacy Directive / ISO 17799
– State data breach laws
• Note: Keep a wider picture in mind when complying with specific mandates
19
Documentation and policies
• Encryption must be supported by policies,
documentation and a formal system and risk
management program
– Shows work adequately planned and supervised
– Demonstrates internal controls studied and evaluated
• Policy must be:
– Endorsed by management
– Communicated to end-users and to business partners / 3rd parties that handle sensitive data. If they can’t meet the company’s policies, don’t give them access to your data
• Encryption responsibility should be fixed with
consequences for noncompliance
20
Encryption processes
• Encryption is process intensive
• Must be well-defined and documented
• If not implemented and configured properly, can cause system performance degradation or operational hurdles
• Improperly configured encryption processes give false sense of security
– Perception that confidentiality of sensitive information is
protected when it’s not
21
Data classification
• Provides users with information to guide security-
related information handling
• Process must align with business processes
• Classification is dynamic
– Changes as data objects move from one class to another
– Changes as business strategies, structures and external
forces change
– Understand potential for change
– Embed appropriate processes to manage it
• Gartner: Organizations that do not have an effective data
classification program usually fail at their data encryption
projects.
22
Data classification drivers
• Compliance, discovery, archiving, never-delete retention policy,
performance, availability, recovery attributes, etc.
• Four-category scheme: Secret, Confidential, Private, Unclassified
• Five-category scheme: Top Secret, Highly Confidential, Proprietary, Internal Use Only, Public
23
Encryption strategy
• Identify all methods of data input/output
• Storage media
• Business partners and other third parties
• Applicable regulations and laws
• High-risk areas
• High-risk areas
– Laptops
– Wireless
– Data backups
– Others
24
Data discovery
• Identify precisely where data is stored and all data flows
• System wide audit of all data repositories
– Significant undertaking for large enterprises
– Process can take months
• Required to comply with PCI?
– Confirm you are not storing PCI-prohibited data
– Manually review data flows within POS application to find files where results of card swipe are written
– PCI compliance staff should view relevant data files and verify they are not storing full track data
– Many fail PCI since they have flat (non-partitioned) networks in which card databases aren’t segmented from rest of network
25
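The PCI checks on the slide above (confirm you are not storing prohibited data, find the files where the results of a card swipe are written, verify no full track data is kept) can be started with a scanner like the one below. This is an added example, not code from the presentation or from BT; the log lines are constructed, the card numbers are the widely published gateway test numbers, and the regular expressions are assumptions about what a POS application writes. It flags Track 1 and Track 2 magnetic-stripe layouts as prohibited sensitive authentication data, Luhn-validates bare 13-19 digit runs so order IDs and SKUs do not drown the report, and masks every hit to the last four digits so the scan output is not itself cardholder data.

```python
import re

# Constructed sample lines standing in for a POS application log. The card
# numbers are published gateway test numbers, not real accounts.
SAMPLE_LINES = [
    "2010-04-19 09:01:12 swipe ok pan=4111111111111111 exp=1212 amount=42.10",
    "2010-04-19 09:02:45 swipe raw %B5555555555554444^DOE/JANE^12121010000000000000?",
    "2010-04-19 09:03:02 swipe raw ;4111111111111111=12121010000000000?",
    "2010-04-19 09:04:17 order id=1234567890123456 sku=9876543210",
    "2010-04-19 09:05:00 swipe ok pan=************1111 auth=OK",
]

# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?    Track 2: ;<PAN>=<YYMM>...?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^(\d{4})")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})")
# Bare 13-19 digit run not embedded in a longer number.
PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out order IDs and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits so the report is not cardholder data."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_line(line_no: int, line: str) -> list:
    """Return findings for one line: track data first, else Luhn-valid PANs."""
    findings = []
    m = TRACK1.search(line)
    if m:
        findings.append({"line": line_no, "kind": "track1", "pan": mask(m.group(1))})
    m = TRACK2.search(line)
    if m:
        findings.append({"line": line_no, "kind": "track2", "pan": mask(m.group(1))})
    if findings:
        return findings  # full track data is the prohibited finding; the PAN is implied
    for m in PAN.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append({"line": line_no, "kind": "pan", "pan": mask(m.group(1))})
    return findings


def scan_lines(lines) -> list:
    findings = []
    for n, line in enumerate(lines, 1):
        findings.extend(scan_line(n, line))
    return findings


def scan_file(path: str) -> list:
    """Same scan over a file on disk (read as text, undecodable bytes ignored)."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_lines(fh)


def summarize(findings) -> dict:
    counts = {"track1": 0, "track2": 0, "pan": 0}
    for f in findings:
        counts[f["kind"]] += 1
    return counts


if __name__ == "__main__":
    results = scan_lines(SAMPLE_LINES)
    for f in results:
        print(f"line {f['line']}: {f['kind']} {f['pan']}")
    print(summarize(results))
```

A regex sweep is a first pass, not proof of compliance: it will not see PANs in binary or compressed files, database pages, or fields written with separators, and it cannot recognise CVV2 values, which are also prohibited after authorization. Use it to find candidate files on every POS host and log server, then read the data flows by hand as the slide says, and treat any track1/track2 hit as a stop-the-line finding rather than something to encrypt.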
Data-flow definition
26
Requirements analysis
• Define business, technical, and operational
requirements and objectives for encryption
• Define policies, architecture, and scope of encryption
• Encryption Strategies: The Key to Controlling Data – www.sun.com/encryption/wp/encryption_strategies_wp.pdf
42
Books
43
Conclusions
• Organizations that do not have an effective data classification program usually fail at their data encryption projects
• Creating an effective deployment strategy is the difference between strong encryption and an audit failure
• Encryption is about attention to detail, good design and project management