NETWORKED SOCIETY - The future of telecom · 2019-07-23
Page 1

Introduction to Guardtime and KSI Blockchain

Randy D Bishop, General Manager, Electric Infrastructure

Page 2

Guardtime KSI at a Glance

• Systems engineering company, inventors of Keyless Signature Infrastructure (KSI) blockchain technology
• Founded in 2007
• 30+ patents

Technological Advantage:
• PERMISSIONED blockchain
• Scales rapidly, independent of the number of transactions

Use Cases:
• Digital and physical supply chain
• SLA attestation and transparency
• Transactive energy
• Cross-platform transactions, monitoring and verification
• Digital contracts

Competitive Advantage: a battle-hardened blockchain stack, in production since 2008, with governments and enterprises relying on the platform today.
• NIST Cryptographic Algorithm Validation Program
• Common Criteria or NIAP accreditation
• USAF/Lockheed ATO on classified/sensitive networks and F-35 JSF

Page 3

Guardtime Infrastructure

Page 4

The Challenge

Based on the lessons learned from the 2007 state-sponsored cyber-attacks, our scientists were given a challenge: re-think information governance by designing and building a massive-scale signature system for electronic data which could prove the time, integrity and identity (human or machine) without reliance on centralized trust authorities.

Figure: DATA → SIGNATURE

Page 5

KSI Blockchain Introduction

Information Security Model: C.I.A.

The root cause of ineffective cybersecurity is the lack of integrity of systems, networks, processes and data.

For the last 40 years, security has come to mean confidentiality of data in motion.

Today, with the opening of networks, IoT and cloud, the integrity of systems becomes paramount.

Figure: security model triangle of Confidentiality, Integrity and Availability, captioned "The Absence of Compromise".

Page 6

Why Does Integrity Matter?

| Asset | Integrity Breach | Confidentiality Breach |
|---|---|---|
| Your car | Your braking system stops working | Your braking patterns are exposed |
| Your flight | Your plane's instruments report that you are 1,000 feet lower than you actually are | Your flight plan is posted on the Internet (note: it already is) |
| Your local power station | Critical systems compromised, leading to shutdown and catastrophic failure | Your electricity bill is published online |
| Your pacemaker | Shutdown and death | Your heartbeat becomes public knowledge |
| Your home | Your security system is remotely disabled | Your smart TV is watching you… The contents of your fridge are 'leaked'. You drink how much beer? |

Page 7

Keyless Signature Infrastructure

Solution to the Integrity Problem: Register Digital Assets (Metadata) in the Blockchain

KSI signatures, linked to the blockchain, enable the properties of data to be verified without the need for trusted third parties, keys or credentials that can be compromised.

Upon verification, a KSI signature proves:

• Signing time
• Signing entity
• Data integrity

Page 8

The Facts of KSI

Page 9

Case Study: World's Largest Smart Grid Platform Assurance

Background:

• Elering is an Estonian electricity infrastructure provider that runs the biggest smart grid installation in the world – over 500,000 smart meters installed.

• Elering's smart grid data exchange platform provides open APIs for various service providers to build their services based on the gathered data.

• Challenge: how to establish the chain of custody for personal user data moving through multiple service providers?

Page 10

Case Study: World's Largest Smart Grid Data Platform

Figure: 500K smart meters → Big Data Platform → 24 service providers

Page 11

Case Study: World's Largest Smart Grid Data Platform

Figure: Smart metering infrastructure (residential / commercial customer) → API → Big data storage & analytics, Identity management → API → Service provider

Page 12

Case Study: World's Largest Smart Grid Platform Assurance

Service Provider Liability Management
• End-to-end forensic audit trail for all data and actions
• Pinpointing who did what, when, in case of a dispute arising from data usage is quick, irrefutable and final.
• Does not only provide reactive means for liability allocation, but also shapes service provider behavior prior to any incidents.

Regulatory Compliance
• Collects, stores and processes sensitive personal information
• Natively able to independently prove to the regulators how the PII was handled
• Simplifies compliance with regulatory requirements considerably.

Data Integrity
• Real-time guarantee of the veracity status of the data collected, stored and processed in their data exchange platform.

Page 13

Case Study: Industrial Infrastructure Assurance – Zero-day Malware Mitigation in SCADA

Problems solved:

› Malware detection systems depend on known vulnerabilities and can't protect against zero-day attacks or against digital certificates that may or may not be authentic.

› The monitoring systems of infected industrial infrastructure can convey tampered feedback that shouldn't be trusted.

Figure (Data Centric Security): malware source → forged certificate → zero-day vulnerability; integrity-instrumented control system and integrity-instrumented monitoring report "Industrial assets are OK".

Page 14

Case Study: DoD Identity and Access Management - IdAM

Current Environment:

• Identities are created and distributed across many physical locations at different organizations, departments or agencies

• Identities are created and distributed across many disconnected or independent environments such as cloud or managed services infrastructures

• Disparate identity and access control identity data between facilities and segregated network or enterprise enclaves

• Identity and credential data can be distributed in a "waterfall" manner, allowing more accidental or malicious change

• Identity Data types and amount will grow as multifactor authentication schemes are enabled

• Data is not cryptographically immutable such as public / private keys

• Policy and access control mechanisms suffer increased cyber threats and are becoming easier targets than centralized identity providers

Page 15

Case Study: DoD Identity and Access Management - IdAM

The Challenge:

• Create tamper-proof evidence of key access control data, such as biometric, attribute and policy data, upon creation

• Provide KSI Signatures as distributable and highly available trust verification

• Identity Data Provenance, from vetting, proofing, distribution and maintenance can be cryptographically bound to any type of identity data

• Continuous verification of identity data across multiple storage zone or enclaves requires a single signature to independently verify

• No explicit trust required to verify stored or distributed identity data

• Full accountability and auditability of data using KSI Signatures

• System configuration, logs, policies, and other access control components can be signed as well, providing a fully trusted platform the identities will flow through

Page 16

Case Study: DoD Identity and Access Management - IdAM

MFA leverages a combination of the following factors:

• Something You Know – password or PIN

• Something You Have – token or smart card (two-factor authentication)

• Something You Are – biometrics, such as a fingerprint, facial construct, voice, or heartbeat (three-factor authentication)

Secure IdAM platforms need a new factor:

• Something You Trust – independent proof of trust and real-time tamper detection for the IdAM platform providing the MFA services

Guardtime Blockchain and KSI provide independent evidence that the platform components and identity data have integrity and can be independently verified with various methods that support both connected and disconnected systems.

Page 17

Case Study: DoD Identity and Access Management - IdAM

| Characteristic | Guardtime Solution |
|---|---|
| Support multiple server and host-based operating systems | YES |
| Be immediately available and proven in a commercial environment | YES |
| Demonstrate means for operation within latent or disconnected network environments | YES |
| Demonstrated in an operational environment integrated with industry-standard network domain management such as Microsoft's Active Directory Domain Services | YES |

The Guardtime solution guarantees a scalable, interoperable authentication solution to reduce reliance on passwords and smart card-based authentication across myriad systems and applications

Page 18

Keyless Infrastructure Security Solution (KISS)

The Problem:

• EDS operating at the grid’s edge require unprecedented levels of security and trustworthiness to verify integrity of data and manage complex transactive and DER exchanges.

• Grid edge devices lack visibility, control and security to conduct real time energy transactions at the required speed and scale.

The Solution:

• Atomically verifiable cryptographic signed distributed ledger to increase the trustworthiness, integrity and resilience of energy delivery systems at the edge

• Verifies time, user, and transaction data protected with immutable crypto signed ledger

• Autonomous detection of data anomalies; reduces analyst burden with normalized evidence across a unified timeline for incident analysis

• Real time response to unauthorized attempts to change critical EDS data, configurations, applications, and network appliance and sensor infrastructure

SWIFT

Page 19

Conclusion

• Guardtime’s KSI provides accessible, tamper proof evidence of data integrity for identity and access management platforms, credential and identity data

• KSI can be used to sign the configuration files, policies and log files of the various entities in the authentication system

• Depending on the implementation, KSI can be used to sign the credential database at various stages of authentication, thus providing a chain of custody
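The verification model described on the Keyless Signature Infrastructure slide (signing time, signing entity and data integrity proven by recomputing a hash chain against a published root, with no keys or certificates) and the conclusion's point about signing configuration and log files, as an added example that is not Guardtime's code or signature format: a simplified aggregation tree and hash-chain verifier in Python. The record contents, signer identifiers, round time and the dict standing in for the published blockchain root are all constructed assumptions.

```python
import hashlib
# Constructed sample values. This is a simplified model of a KSI-style
# hash-tree signature for illustration, not Guardtime's code or format.
ROUND_TIME = 1563840000  # constructed aggregation-round time (Unix seconds)

def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenated parts."""
    d = hashlib.sha256()
    for p in parts:
        d.update(p)
    return d.digest()

def leaf(data: bytes, signer: str) -> bytes:
    """Leaf node binds the hash of the data to the signing entity's identifier."""
    return h(b"L", h(data), signer.encode())

def aggregate(records):
    """One aggregation round over records = [(data, signer), ...].
    Returns the round root and one signature per record: the sibling hash
    chain from that record's leaf to the root, plus signer and round time."""
    level = [leaf(d, s) for d, s in records]
    pos = list(range(len(level)))          # each record's index at the current level
    chains = [[] for _ in records]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])        # pad an odd level by repeating the last node
        for i in range(len(records)):
            chains[i].append((pos[i] & 1, level[pos[i] ^ 1]))  # (is right child, sibling)
            pos[i] //= 2
        level = [h(b"N", level[j], level[j + 1]) for j in range(0, len(level), 2)]
    sigs = [{"chain": c, "signer": s, "time": ROUND_TIME}
            for c, (_, s) in zip(chains, records)]
    return level[0], sigs

def verify(data: bytes, sig: dict, calendar: dict) -> bool:
    """Recompute the root from the hash chain and compare it with the root
    published for that round. No key or certificate is involved: only hashes
    and the public round root (here a dict stands in for the ledger)."""
    node = leaf(data, sig["signer"])
    for is_right, sibling in sig["chain"]:
        node = h(b"N", sibling, node) if is_right else h(b"N", node, sibling)
    return node == calendar.get(sig["time"])

# Constructed records: a meter reading, a config file and a log line.
RECORDS = [(b"meter-42:reading=17.3kWh", "elering-api"),
           (b"[sshd]\nPermitRootLogin no\n", "scada-host-7"),
           (b"2019-07-23T10:00:00Z login ok user=ops", "idam-svc")]
ROOT, SIGS = aggregate(RECORDS)
CALENDAR = {ROUND_TIME: ROOT}   # the published root stands in for the blockchain entry
```

Any change to the data, the claimed signer or the claimed round time yields a different recomputed root, so verification fails without anyone holding a secret key.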

Page 20

Thank you!

Randy D. Bishop, General Manager, Electric Infrastructure