Joseph Webster, CISSP
Senior Member IEEE
BSEE Colorado State University
Software and Systems Security Architect
Founding member of ShieldMyfiles
Encryption ≠ Protection
A proposed framework for thinking about file security
June 9th, 2015
Introduction 1.0
Alice Needs Bob’s File.
But… Bob’s file is sensitive and Bob doesn’t want anyone but Alice to see it.
Introduction 1.1
Bob fears for the Security of his files in the cloud
After All Bob Doesn’t Control His Cloud
Bob Has Some Concerns…
Bob Doesn’t Want to Exchange Keys or Certificates …
It Shouldn’t Take a Portal to Share a Single File!
Bob Doesn’t Have Time to Manage a Million User Accounts!
You Can’t Keep a Secret By Telling It!
A Framework For File Protection
There are 3 Tenets to this Framework:
1) Obfuscation
2) Access Controls: Who, How, When and Where Files may be accessed
3) Auditability
Requiring Separation of Duties
Obfuscation
Obfuscation = Custody
Physical World
• Protection without Possession
• Bank
• Safety Deposit Box
Digital World
• Encryption
• Enciphering
• Steganography
Access Controls
Access Controls = Authorization
Physical World - Bank
• Hours of Operation
• Signature Card
• Finger Print
• Physical Location
• Account Number
Digital World
• Where – Geolocation
• When – Expiration
• Who – Biometrics
• Who – Password
• How – UserID
Auditability
Auditability = Auditability
Physical World – Bank Statement
• Identifying Information
• Transaction Information
• Transaction History
Digital World
• Account/User Information
• Transaction Information
• Transaction History
• Recreate a system state, and events over time, for post facto identification of problems
[Figure: Alice’s Statement, from 000-7-17-12-0-14-26 - Super Secret Bank - Zurich. Section 1 – Identifying Information; Section 2 – Transaction Information; Section 3 – Transaction History. Fields shown: Account, Signature Card, Finger Print, Date (Not a Holiday, Not a Weekend), Time.]
Applying the Framework
TRUECRYPT
1. Obfuscation
2. Access Controls
3. Auditability
Separation of Duties
Obfuscation
~ Access Controls
X Auditability
• Uses Derived Key Cryptography
• Public/Private Key
1. Obfuscation
2. Access Controls
3. Auditability
Separation of Duties
• Uses Derived Key Cryptography
• Passphrase/Key Files
Obfuscation
~ Access Controls
X Auditability
Applying the Framework – Cloud
1. Obfuscation
2. Access Controls
3. Auditability
Separation of Duties
~ Obfuscation
Access Controls
Auditability
• Yes, but not from Google
• Passphrase, Multifactor, Share
1. Obfuscation
2. Access Controls
3. Auditability
Separation of Duties
• AES256/TLS256
• Passphrase, Plugins, Sharing
~ Obfuscation
Access Controls
Auditability
• Work Edition
• Very Nice Dashboards
Meeting the Framework
1. Obfuscation
2. Access Controls
3. Auditability
Separation of Duties
• Deriving/Issuing keys can be dangerous especially with cloud services
• Need multiple avenues for authorization to fit security to need
• Chain of custody is essential
• Only works if keys are not derived/issued by the Obfuscation, Access Control and Auditability provider
• Protection WITHOUT Possession
TRUECRYPT
Joseph Webster
J. Max Romanik, J.D.
Christopher S. Webster, J.D.
https://www.shieldmyfiles.com/