Introduction to Guardtime and KSI Blockchain
Randy D Bishop, General Manager, Electric Infrastructure
Guardtime KSI at a Glance
• Systems engineering company, inventors of Keyless Signature Infrastructure (KSI) blockchain technology
• Founded in 2007
• 30+ patents
Technological Advantage:
• PERMISSIONED blockchain
• Scales rapidly, independent of the number of transactions.
Use Cases:
• Digital and Physical Supply Chain
• SLA Attestation and Transparency
• Transactive energy
• Cross-platform transactions, monitoring and verification
• Digital contracts
Competitive Advantage: A battle-hardened blockchain stack, in production since 2008 with governments and enterprises relying on the platform today.
• NIST Crypto Algorithm Validation Program
• Common Criteria or NIAP Accreditation
• USAF/Lockheed ATO on classified/sensitive networks and F-35 JSF
Guardtime Infrastructure
The Challenge
Based on the lessons learned from the 2007 state-sponsored cyber-attacks, our scientists were given a challenge: re-think information governance by designing and building a massive-scale signature system for electronic data which could prove the time, integrity and identity (human or machine) without reliance on centralized trust authorities.
(Figure: DATA → SIGNATURE)
KSI Blockchain Introduction
Information Security Model: C.I.A.
The root cause for ineffective cybersecurity is the lack of integrity of systems, networks, processes and data.
For the last 40 years security has come to mean confidentiality of data in motion.
Today, with the opening of networks, IoT, and Cloud, the integrity of systems becomes paramount.
The Absence of Compromise
(Figure: SECURITY MODEL triangle with AVAILABILITY, INTEGRITY and CONFIDENTIALITY at its corners)
Why Does Integrity Matter?
Asset | Integrity Breach | Confidentiality Breach
Your car | Your braking system stops working | Your braking patterns are exposed
Your flight | Your plane’s instruments report that you are 1,000 feet lower than you actually are | Your flight plan is posted on the Internet (note: it already is)
Your local power station | Critical systems compromised, leading to shutdown and catastrophic failure | Your electricity bill is published online
Your pacemaker | Shutdown and death | Your heartbeat becomes public knowledge
Your home | Your security system is remotely disabled | Your smart TV is watching you… The contents of your fridge are ‘leaked’. You drink how much beer?
Solution to the Integrity Problem: Register Digital Assets (Metadata) in the Blockchain
Keyless Signature Infrastructure
The Facts of KSI
KSI signatures, linked to the blockchain, enable the properties of data to be verified without the need for trusted third parties, keys or credentials that can be compromised.
Upon verification, a KSI signature proves:
• Signing time
• Signing entity
• Data integrity
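A simplified illustration of the hash-tree aggregation behind keyless signatures, added here as an example and not Guardtime's own code or protocol: each request is a hash of the data plus the signer's identity, all requests of one round are aggregated into a hash tree, the round root is bound to the round time and published, and each signer keeps only the sibling-hash chain needed to recompute that root. Verification uses hashes alone, no keys, and fails if the data, the recorded signer or the claimed time changes; the signer names, readings and round time are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field

def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()

@dataclass
class KsiLikeSignature:
    round_time: int                              # aggregation round the request was bound to
    signer: str                                  # identity recorded in the leaf
    chain: list = field(default_factory=list)    # (sibling_hash, sibling_is_left) per level

def aggregate_round(requests, round_time):
    """Build one aggregation tree over (signer, data_hash) requests.
    Returns the time-bound round root and one signature per request."""
    level = [h(s.encode(), d) for s, d in requests]      # leaf = H(signer || data hash)
    sigs = [KsiLikeSignature(round_time, s) for s, _ in requests]
    members = [[i] for i in range(len(level))]           # request indices under each node
    while len(level) > 1:
        if len(level) % 2:                               # pad odd levels by repeating last node
            level.append(level[-1]); members.append([])
        nxt, nxt_members = [], []
        for i in range(0, len(level), 2):
            left, right = level[i], level[i + 1]
            for j in members[i]:     sigs[j].chain.append((right, False))
            for j in members[i + 1]: sigs[j].chain.append((left, True))
            nxt.append(h(left, right)); nxt_members.append(members[i] + members[i + 1])
        level, members = nxt, nxt_members
    root = h(round_time.to_bytes(8, "big"), level[0])    # bind the tree to its round time
    return root, sigs

def verify(data: bytes, sig: KsiLikeSignature, published_roots: dict) -> bool:
    """Recompute the path from the data to the published root for sig.round_time.
    No key is involved: only hashes and the published calendar of round roots."""
    node = h(sig.signer.encode(), hashlib.sha256(data).digest())
    for sibling, sibling_is_left in sig.chain:
        node = h(sibling, node) if sibling_is_left else h(node, sibling)
    expected = published_roots.get(sig.round_time)
    return expected is not None and h(sig.round_time.to_bytes(8, "big"), node) == expected

# Constructed sample round (hypothetical values): two meter readings and one config file.
ROUND_TIME = 1700000000
DOCS = {"meter-001": b"reading=42", "meter-002": b"reading=17", "api-gw": b"export=on\n"}
ROOT, SIGS = aggregate_round([(s, hashlib.sha256(d).digest()) for s, d in DOCS.items()], ROUND_TIME)
CALENDAR = {ROUND_TIME: ROOT}                            # what any verifier would hold

def check(signer: str, data: bytes) -> bool:
    """Verify data against the signature issued to signer in the sample round."""
    return verify(data, SIGS[list(DOCS).index(signer)], CALENDAR)
```

The same check applies unchanged to signed configuration files, policies and log files: whoever holds the data, the sibling chain and the published round root can verify them offline.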
Case Study: World’s Largest Smart Grid Platform Assurance
Background:
• Elering is an Estonian electricity infrastructure provider that runs the biggest smart grid installation in the world – over 500,000 smart meters installed.
• Elering’s smart grid data exchange platform provides open APIs for various service providers to build their services based on gathered data.
• Challenge: How to establish the chain of custody for personal user data moving through multiple service providers?
Case Study: World’s Largest Smart Grid Data Platform
(Figure: data flow from 500K smart meters through the Big Data Platform to 24 service providers; labels: Smart metering infrastructure, Residential / commercial customer, Service provider)
Case Study: World’s Largest Smart Grid Data Platform
(Figure: platform architecture; labels: Big data storage & analytics, Identity management, API, API)
Case Study: World’s Largest Smart Grid Platform Assurance
Service Provider Liability Management
• End-to-end forensic audit trail for all data and actions
• Pinpointing who did what when in case of a dispute arising from data usage is quick, irrefutable and final.
• Does not only provide reactive means for liability allocation, but also shapes Service Provider behavior prior to any incidents.
Regulatory Compliance
• Collects, stores and processes sensitive personal information
• Natively able to independently prove to the regulators how the PII was handled
• Simplifies compliance with regulatory requirements considerably.
Data Integrity
• Real-time guarantee of the veracity status of the data collected, stored and processed in their data exchange platform.
Case Study: Industrial Infrastructure Assurance – Zero-day Malware Mitigation in SCADA
Problems solved:
› Malware detection systems depend on known vulnerabilities and can’t protect against zero-day attacks or digital certificates that may or may not be authentic.
› The monitoring systems of infected industrial infrastructure can convey tampered feedback that shouldn’t be trusted.
(Figure: Data Centric Security; labels: Industrial assets are OK, Zero-day vulnerability, Forged certificate, Malware source, Integrity instrumented control system, Integrity instrumented monitoring)
Case Study: DoD Identity and Access Management - IdAM
Current Environment:
• Identities are created and distributed across many physical locations at different organizations, departments or agencies
• Identities are created and distributed across many disconnected or independent environments such as cloud or managed services infrastructures
• Disparate identity and access control identity data between facilities and segregated network or enterprise enclaves
• Identity and Credential Data can be distributed in a “waterfall” manner, allowing more accidental or malicious change
• Identity Data types and amounts will grow as multifactor authentication schemes are enabled
• Data is not cryptographically immutable, such as public / private keys
• Policy and Access Control Mechanisms suffer increased cyber threats and are becoming easier targets than centralized identity providers
Case Study: DoD Identity and Access Management - IdAM
The Challenge:
• Create tamper-proof evidence of key access control data such as biometric, attribute, and policy data upon creation
• Provide KSI Signatures as distributable and highly available trust verification
• Identity Data Provenance, from vetting, proofing, distribution and maintenance, can be cryptographically bound to any type of identity data
• Continuous verification of identity data across multiple storage zones or enclaves requires a single signature to independently verify
• No explicit trust required to verify stored or distributed identity data
• Full accountability and auditability of data using KSI Signatures
• System configuration, logs, policies, and other access control components can be signed as well, providing a fully trusted platform the identities will flow through
Case Study: DoD Identity and Access Management - IdAM
MFA leverages a combination of the following factors:
• Something You Know – password or PIN
• Something You Have – token or smart card (two-factor authentication)
• Something You Are – biometrics, such as a fingerprint, facial construct, voice, or heartbeat (three-factor authentication)
Secure IdAM platforms need a new factor:
• Something You Trust – independent proof of trust and real-time tamper detection for the IdAM platform providing the MFA services
Guardtime Blockchain and KSI provide independent evidence that the platform components and identity data have integrity and can be independently verified with various methods that support both connected and disconnected systems.
Case Study: DoD Identity and Access Management - IdAM
Characteristic | Guardtime Solution
Support multiple server and host-based operating systems | YES
Be immediately available and proven in a commercial environment | YES
Demonstrate means for operation within latent or disconnected network environments | YES
Demonstrated in an operational environment integrated with industry standard network domain management such as Microsoft’s Active Directory Domain Services | YES
The Guardtime solution guarantees a scalable, interoperable authentication solution to reduce reliance on passwords and smart card-based authentication across myriad systems and applications.
Keyless Infrastructure Security Solution (KISS)
The Problem:
• EDS (energy delivery systems) operating at the grid’s edge require unprecedented levels of security and trustworthiness to verify the integrity of data and manage complex transactive and DER exchanges.
• Grid edge devices lack the visibility, control and security to conduct real-time energy transactions at the required speed and scale.
The Solution:
• Atomically verifiable, cryptographically signed distributed ledger to increase the trustworthiness, integrity and resilience of energy delivery systems at the edge
• Verifies time, user, and transaction data, protected with an immutable cryptographically signed ledger
• Autonomous detection of data anomalies; reduces the burden of incident analysis with normalized evidence across a unified timeline
• Real-time response to unauthorized attempts to change critical EDS data, configurations, applications, and network appliance and sensor infrastructure
SWIFT
Conclusion
• Guardtime’s KSI provides accessible, tamper-proof evidence of data integrity for identity and access management platforms, credential and identity data
• KSI can be used to sign the configuration files, policies and log files of the various entities in the authentication system
• Depending on the implementation, KSI can be used to sign the credential database at various stages of authentication, thus providing a chain of custody
Thank you!
Randy D. Bishop, General Manager, Electric Infrastructure