1

Metro Midrange Systems Association

September 18, 2008

Introduction to encryption and data security

2

Data security

Why we should protect sensitive information

What information do we need to protect

How do we go about securing it

What is encryption and how is it used

3

Why should we protect sensitive information?

Regulations require it (PCI, HIPAA, GLBA, Privacy notification)

Penalties are severe for not protecting it (PCI, Privacy notification)

Stakeholders want to protect their investments (Sarbanes-Oxley)

Customers expect it

4

Regulations

Payment Card Industry (PCI)

Privacy Notification (state laws requiring notification of data loss)

Health Insurance Portability and Accountability Act (HIPAA)

Gramm Leach Bliley Act (GLBA)

Sarbanes-Oxley (SOX)

… and more

5

The regulatory environment is evolving to include broader definitions of sensitive data, larger penalties for non-compliance, and more specific requirements for data security.

Expect new federal regulations, stronger PCI requirements, and more stringent state laws on privacy notification.

6

What information do we need to protect?

Credit card information for PCI data security

Personally identifiable information (PII) for Privacy Notification and other regulations

7

Personally Identifiable Information (PII):

- First name
- Last name
- Former name
- Maiden name
- Address
- Birth date
- Driver's license number
- Health insurance number
- Checking account number
- PIN codes
- And a lot more!

8

Credit card information

Credit card number (encrypt, or hash with a keyed hash: an unkeyed hash of a 16-digit number can be brute-forced, and trivially so when a truncated form of the same number is stored alongside it)

Track 1 and Track 2 data (never store after authorization, even encrypted)

CVV, CVV2, CID security code (never store after authorization, even encrypted)

Account name (encrypt or hash)
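To show why the hash option needs a key, here is an added example (not from the deck) that plays the attacker against both choices. It assumes the deck's sample card number, a truncated first-six/last-four form of the same number stored in the same system, and a constructed secret; the helper names are mine.

```python
import hashlib
import hmac
import os

# Sample card number from the deck's field-encryption slide; constructed demo
# data, not a real account.
SAMPLE_PAN = "4882633214526890"

def truncate(pan):
    """PCI-style display form: first six and last four digits stay visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def pan_hash_unkeyed(pan):
    """Weak option: a bare SHA-256 of the PAN. Anyone can compute candidates."""
    return hashlib.sha256(pan.encode()).hexdigest()

def pan_hash_keyed(pan, secret):
    """Stronger option: HMAC-SHA-256 under a secret that is managed like an
    encryption key. Without the secret no candidate digest can be computed."""
    return hmac.digest(secret, pan.encode(), "sha256").hex()

def recover_pan(target_digest, truncated, secret=None):
    """Attacker's view: enumerate every PAN consistent with the truncated form
    and hash each one. Only the masked digits are unknown, so a 16-digit PAN
    leaves 10**6 candidates (a Luhn filter would cut that to 10**5)."""
    first6, last4 = truncated[:6], truncated[-4:]
    hidden = len(truncated) - 10
    for middle in range(10 ** hidden):
        cand = f"{first6}{middle:0{hidden}d}{last4}"
        digest = pan_hash_unkeyed(cand) if secret is None else pan_hash_keyed(cand, secret)
        if hmac.compare_digest(digest, target_digest):
            return cand
    return None

def demo():
    masked = truncate(SAMPLE_PAN)
    secret = os.urandom(32)          # the key management system would hold this
    return {
        "masked": masked,
        # unkeyed hash + truncated PAN in the same store: recovered in seconds
        "unkeyed_recovered": recover_pan(pan_hash_unkeyed(SAMPLE_PAN), masked),
        # keyed hash: the attacker does not have `secret`, so a guessed key finds nothing
        "keyed_wrong_key": recover_pan(pan_hash_keyed(SAMPLE_PAN, secret), masked, secret=b"guess"),
    }

if __name__ == "__main__":
    print(demo())
```

The keyed hash only helps if the secret lives in the key management facility, not in the application's source or configuration, which is the same rule the deck applies to encryption keys.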

9

Personally identifiable information

Take a very broad view of what constitutes PII:

Any information that, used alone or combined with other information (which you may not hold yourself), can be used to identify an individual.

10

Name, former name, maiden name, mother’s maiden name

Address, city, state, zip code

Social security number

Credit card, debit card, checking account, health insurance number

Driver's license, identity card, military ID

Home phone number, work number

Favorite pet’s name

PIN codes, passwords, prompts

eBay and PayPal account numbers

11

Data security is a disruptive technology.

We need to re-think how we design databases and application systems, how we process and store information, and how we monitor access to information.

Prepare executive management for the work ahead.

12

How do we go about securing credit card data and PII?

Don’t panic

Start with an assessment

Avoid point solutions

Data moves across platforms

Data crosses Enterprise boundaries

Remove sensitive data where possible

Develop good data security partners

13

Start with an assessment

A formal assessment will be required to pass an audit.

A formal assessment is a necessary input to data security project plans.

Use self-assessment software and guides to start.

Engage application and data security partners.

An assessment will help you with future rounds of data security requirements.

14

Where does sensitive data live?

- Database and flat files
- IFS / QNTC / NFS files
- Backup tapes
- Save files
- On the network
- In the air (WiFi)
- Reports
- Program memory
- Laptops
- PDAs, cell phones, thumb drives

15

Components of an assessment

Locate and document sensitive data.

Identify all internal servers and applications that use and store sensitive data.

Document data flows inside the organization.

Document data flows to and from vendors, customers, and employees.

Identify compliance monitoring and reporting points.

16

Avoid point solutions

Typical point solutions each cover a single area only: call center, query and BI, CRM, laptop and PC, tape.

17

Point solutions:

Do not solve the problem of securing data at rest or in motion.

By themselves will not solve the regulatory requirements.

May make the overall implementation more complex.

However: Point solutions can provide immediate relief for specific problems.

18

Data flows inside the Enterprise

20

Engage with software vendors

Contact your software vendors to discuss PCI, Privacy Notification, etc.

Get a statement of strategic direction and planned release dates.

Understand their approach to encryption – does it meet basic criteria for strong encryption?

Your management should engage with software vendor management to convey the importance of the requirements.

21

Remove sensitive data where possible

If sensitive data is not needed in a file, remove it.

Review reports for unnecessary information and remove it.

Review data transfers and terminate when not needed.

Review query and business intelligence tools to remove sensitive data.

22

Purge historical data

When historical data is no longer needed, purge it from the system.

23

What is encryption and how is it used?

Encryption is the process of obscuring information to make it unreadable without special knowledge.

--- Wikipedia

In practice, encryption refers to well-established public algorithms that have undergone, and continue to undergo, extensive review by cryptography and data security specialists, and which meet certain accepted criteria.

25

Symmetric and Asymmetric encryption

Symmetric encryption uses a single secret key, shared by the parties, for both encryption and decryption.

Asymmetric encryption uses a pair of different but mathematically related keys: a public key for encryption and a private key for decryption. This is also called public/private key or public-key encryption.

26

Symmetric encryption for field security

Generally, symmetric key encryption is used for field level security in database systems because it is much more efficient.

Asymmetric encryption may be used to fetch a symmetric key but is almost never used for data encryption tasks.

(We’ll concentrate on Symmetric encryption because it is at the core of data security).

27

Asymmetric encryption for securing end point connections

Asymmetric encryption is most commonly used to secure connections between physically separate end points that share no secret in advance. Examples include:

- Web browser and web server (HTTPS)
- VPN client and server
- Secure FTP (FTPS, an SSL/TLS-encrypted connection; SFTP over SSH uses asymmetric keys the same way)

Symmetric and asymmetric functions are usually combined: the asymmetric operations authenticate the end points and agree a session key, and symmetric encryption under that key carries the bulk data efficiently.

28

Symmetric encryption for data

Cust Name: ABC Cons
Cust Num: 499513
Prod Num: 212  Qty: 3
Visa 4882 6332 1452 6890

Encrypt (field-level encryption of the card number field)

Cust Name: ABC Cons
Cust Num: 499513
Prod Num: 212  Qty: 3
F2500C015G06518

Securing data at its source is the core competency for data security compliance.

(The ciphertext on the slide is an illustration; real AES output is binary and is normally stored hex- or base64-encoded, together with its IV.)

29

Symmetric decryption for data

Cust Name: ABC Cons
Cust Num: 499513
Prod Num: 212  Qty: 3
F2500C015G06518

Decrypt (field-level decryption of the card number field)

Cust Name: ABC Cons
Cust Num: 499513
Prod Num: 212  Qty: 3
Visa 4882 6332 1452 6890

Securing data at its source is the core competency for data security compliance.

30

Which symmetric algorithm to use?

Advanced Encryption Standard (AES) is the accepted standard of the National Institute of Standards and Technology (NIST). It undergoes regular review by cryptographers and data security specialists, and provides a mechanism for independent certification.

See FIPS-197 for technical documentation.

www.nist.gov

31

Modes of encryption

AES by itself transforms one 16-byte block under a key. A mode of operation defines how the block cipher is applied to data of any length, and whether an initialization vector (IV) or counter enters the computation. The five confidentiality modes approved by NIST (SP 800-38A) are:

- ECB: Electronic code book
- CBC: Cipher block chaining
- CTR: Counter
- OFB: Output feedback
- CFB: Cipher feedback

None of the five detects tampering with the ciphertext; NIST has since added authenticated modes (CCM and GCM) that do, and a new design should prefer those.

32

Why modes of encryption matter

Some modes add randomness through the IV: encrypting the same credit card number twice under the same key gives two different ciphertexts. This matters in database applications, where fields are short, predictable, and repeated across many records. Without that randomness every row holding the same card number shows the same ciphertext, so an attacker can count, group and correlate rows without ever decrypting anything.

CBC (with a fresh, unpredictable IV for every encryption) and CTR (with a nonce that is never reused under the same key) are appropriate for securing fields in database files. The IV or nonce is not secret and is stored with the ciphertext.

ECB is not appropriate, because identical plaintext blocks always produce identical ciphertext blocks.

The trade-off: a randomized ciphertext cannot be matched by an equality search on the encrypted column, so lookups by card number need a separate keyed hash or token.
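The following is an added example, not part of the deck, that makes the point measurable: a minimal AES-128 written out in pure Python (for visibility only; a certified library belongs in production), the ECB and CBC modes built on it, and three customer records, two of which hold the deck's sample card number. The key and the second card number are constructed.

```python
import os

# ---- Minimal AES-128 (FIPS-197), written out so the mode behaviour is visible.
# ---- Constructed for illustration; use a validated library in production.

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):
    """General multiplication in GF(2^8)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = _xtime(a), b >> 1
    return p

def _make_sbox():
    """S-box: multiplicative inverse followed by the affine transform (0 -> 0x63)."""
    sbox = [0x63] * 256
    for a in range(1, 256):
        inv = next(b for b in range(1, 256) if _gmul(a, b) == 1)
        x = s = inv
        for _ in range(4):
            x = ((x << 1) | (x >> 7)) & 0xFF
            s ^= x
        sbox[a] = s ^ 0x63
    return sbox

SBOX = _make_sbox()

def _expand_key(key):
    """Key schedule: 11 round keys of 16 bytes, stored column-major like the state."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[r * 4:r * 4 + 4], []) for r in range(11)]

def _shift_rows(s):
    # state index = 4*column + row; row r rotates left by r positions
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
                _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
    return out

def aes128_encrypt_block(key, block):
    """Encrypt exactly one 16-byte block under a 16-byte key."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]
        s = _shift_rows(s)
        if rnd != 10:                     # the final round skips MixColumns
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)

# ---- Two of the deck's modes, over a list of 16-byte blocks (padding not shown)

def ecb_encrypt(key, blocks):
    """ECB: every block encrypted independently; equal blocks give equal output."""
    return b"".join(aes128_encrypt_block(key, blk) for blk in blocks)

def cbc_encrypt(key, iv, blocks):
    """CBC: each block is XORed with the previous ciphertext block (the IV for the
    first) before encryption. The IV is not secret, but must be fresh and
    unpredictable for every encryption, and is stored alongside the ciphertext."""
    out, prev = [], iv
    for blk in blocks:
        prev = aes128_encrypt_block(key, bytes(p ^ q for p, q in zip(blk, prev)))
        out.append(prev)
    return b"".join(out)

def demo():
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed demo key
    pan = b"4882633214526890"                 # the deck's sample card: exactly one block
    rows = [pan, b"4111111111111111", pan]    # three records, two holding the same card
    ecb_rows = [ecb_encrypt(key, [r]) for r in rows]
    cbc_rows = [cbc_encrypt(key, os.urandom(16), [r]) for r in rows]
    fixed_iv_rows = [cbc_encrypt(key, bytes(16), [r]) for r in rows]
    return {
        "ecb_distinct": len(set(ecb_rows)),            # 2: rows 0 and 2 visibly share a card
        "cbc_distinct": len(set(cbc_rows)),            # 3: nothing to correlate
        "cbc_fixed_iv_distinct": len(set(fixed_iv_rows)),  # 2: a constant IV makes the first block deterministic again
    }

if __name__ == "__main__":
    print(demo())
```

The third result is the usual production mistake: CBC with an IV hard-coded to zero or derived from the record key gives back exactly the correlation ECB leaks.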

33

What are encryption keys?

Encryption keys are the secret part of encryption. AES accepts three key sizes:

- 128-bit (16 bytes)
- 192-bit (24 bytes)
- 256-bit (32 bytes)

A larger key makes brute force harder and costs more processing (AES runs 10, 12 or 14 rounds for the three sizes), though the difference is modest. All three sizes are beyond any practical brute-force attack; in practice the weak point is how the key is stored and handled, not its length.

34

Key management strategies:

Store in source code (very bad)

Store in files without encryption (still bad)

Store in Key Management facility on same system (better)

Store in external key management facility (better still)

Store in external key management facility with FIPS-140 certification (best)

35

How are encryption keys managed?

Because encryption keys are the primary secret, special applications are used to protect the encryption key.

These are referred to as Key Management systems.

36

Key Management systems:

- Enforce key manager access rules.
- Create and destroy encryption keys.
- Securely store and retrieve keys.
- Escrow unused keys.
- Authenticate requests for keys.
- Provide a mechanism for retrieving keys.
- Provide compliance reporting on key use.

Often provide a level of physical separation between key use and key storage.

37

Recommended practices

Modularize data security code to allow future changes with minimal disruption.

Use appropriate encryption algorithms and modes.

Know the usage rules for encryption modes.

Use appropriate key management and key distribution practices.

Monitor and report inappropriate access to encryption keys and sensitive information.

38

Technology considerations

Certifications are important – document the independent certifications and tests of your vendors and solutions.

Plan for cross platform support – how will you encrypt in Windows and decrypt in i5/OS? Linux? UNIX? Mainframe?

Use best programming practices around encryption: keep keys and clear text where they cannot be observed (no debug output, logs, dumps or long-lived program memory holding them), initialize and clear the variables that held them, and optimize hot paths only after profiling.

Have a key management strategy – know where you are today and where you will be in the future.

39

Certifications

AES algorithm validation is a NIST-defined certification process for AES implementations (the Cryptographic Algorithm Validation Program). Normally applied to data security applications.

FIPS-140-2 is a NIST-defined certification process for cryptographic modules. Normally applied to key management systems.

ISO/IEC 17799 is an international standard for security practices (derived from the British BS 7799 and renumbered ISO/IEC 27002 in 2007). Covers security policies.

Certifications help ensure compatibility, support loss investigations, and help limit legal liability.

40

Why certification is important

Confidence: It is how you will know that encryption is being done the right way.

Compatibility: It is how you will know that you can encrypt and decrypt across server, vendor, and customer boundaries.

Risk management: It is how you will defend yourself in the event of a loss.

IT investment protection: It is how you will avoid re-engineering applications.

41

Cross-platform issues

Computer manufacturers and software vendors expose encryption through incompatible, proprietary interfaces:

- Microsoft .NET and SQL Server
- Oracle database
- IBM DB2
- Java
- Sun Solaris
- OpenSSL

AES itself is a standard, so ciphertext produced on one platform decrypts on another only if both sides agree on every detail: key, mode, IV handling, padding, and the character encoding of the clear text. Using a common cross-platform encryption library fixes those choices once, reduces data exposure, and minimizes development resources.

42

Performance

Encryption will impact:

- CPU utilization
- Total job run times
- Interactive response time

Be sure to profile your applications and create Proof-Of-Concept tests. Ask your software vendor for performance information.

43

Compliance logging

Log access to sensitive data

Log user access and authentication denials

Log application access denials

Log database / field level access denials

Log access to configurations (key management, user controls, system options)

System logs should be secure from modification or deletion.
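An added example, not from the deck, of one way to make a compliance log tamper-evident: each record carries an HMAC over its own content and the previous record's HMAC, so modifying or deleting a record breaks the chain. The event fields, the secret and the function names are constructed for this illustration. It also shows the gap a chain alone leaves: cutting records off the end is invisible unless the latest MAC is anchored somewhere the log writer cannot reach.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # prev-link value for the first record

def _mac(secret, prev, entry):
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(secret, (prev + body).encode(), hashlib.sha256).hexdigest()

def append_entry(log, entry, secret):
    """Append an event; its MAC covers the event and the previous record's MAC,
    so every record is pinned to everything written before it."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"prev": prev, "entry": entry, "mac": _mac(secret, prev, entry)})
    return log

def verify_chain(log, secret, expected_head=None):
    """Return (ok, index of the first bad record or None).
    expected_head is the last MAC as recorded somewhere the log writer cannot
    alter (a separate log host, a printed daily digest); without it, dropping
    records from the end is undetectable."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or not hmac.compare_digest(
                _mac(secret, rec["prev"], rec["entry"]), rec["mac"]):
            return False, i
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None

# Constructed sample events of the kinds the deck says to log.
SAMPLE_EVENTS = [
    {"ts": "2008-09-18T09:01:02", "type": "auth_denied", "user": "jsmith", "src": "10.1.2.3"},
    {"ts": "2008-09-18T09:05:40", "type": "field_access_denied", "user": "jsmith",
     "table": "CUSTMAST", "field": "CCNUM"},
    {"ts": "2008-09-18T09:06:11", "type": "key_access", "user": "billing", "key_id": "pan-key-2008-q3"},
    {"ts": "2008-09-18T09:30:00", "type": "config_change", "user": "secadmin",
     "item": "key_rotation_days", "new": 90},
]

def demo(secret=b"constructed-log-mac-key"):
    log = []
    for ev in SAMPLE_EVENTS:
        append_entry(log, ev, secret)
    head = log[-1]["mac"]                    # anchor this outside the system

    tampered = json.loads(json.dumps(log))   # deep copy
    tampered[1]["entry"]["user"] = "nobody"  # rewrite a denial
    deleted = log[:1] + log[2:]              # drop the denial entirely
    truncated = log[:-1]                     # drop the config change

    return {
        "intact": verify_chain(log, secret, head),
        "modified": verify_chain(tampered, secret, head),
        "deleted": verify_chain(deleted, secret, head),
        "truncated_no_anchor": verify_chain(truncated, secret),
        "truncated_with_anchor": verify_chain(truncated, secret, head),
    }

if __name__ == "__main__":
    print(demo())
```

The MAC secret must be held by something other than the application writing the log (the key management facility, or the log host), otherwise whoever can alter the log can also re-sign it.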

44

Securing data in motion

Transfer data that is already encrypted.

Use secure protocols like HTTPS, FTPS (FTP over SSL/TLS) and SFTP (file transfer over SSH).

Use secure VPN networks.

Use file encryption technology such as Pretty Good Privacy (PGP).

45

Pitfalls

- Thinking "It won't happen to us"
- Bypassing assessment
- Not using standard encryption
- Not using certified software
- Not using the correct encryption mode
- Not using key management
- Not securing data in motion
- Not using cross-platform technologies
- Not implementing compliance monitoring
- Not securing query and BI tools

46

Thank you

Patrick Townsend
Patrick Townsend & Associates, Inc.
Email: [email protected]
(800) 357-1019
www.patownsend.com
