The Next Generation in Enterprise Security

Presented by William Tabor and Howard Hellman

(954) 970-9828

[email protected]

[email protected]



Agenda

● Problems with Clear Text Communication
● Virtual Security Network (VSN)™
● Public Key Infrastructure (PKI)
● Digital Rights Management
● User Identification
● Certificate Authority
● Services

CASTLE TECHNOLOGY

• Walls (Firewalls)

• Drawbridge (Tunnels)

• Moats (DMZs)

HISTORY

The battle for Troy proved that this does not work.

HISTORY

80% of all theft occurs from the inside.

INTERNAL COMMUNICATION

Is data clear text?

PROBLEMS WITH CLEAR TEXT COMMUNICATION

• Instant messaging

• Email

• Accounting information

INTERNAL COMM – INSTANT MESSAGING

EXAMPLE #1

The CEO and personnel director of a medium-sized company were messaging each other about potential layoffs.

This exchange was picked up by individuals within the IT department, and news of the discussion spread through the enterprise unchecked, well before any decisions could be made.

INTERNAL COMM – INSTANT MESSAGING

EXAMPLE #2

Two writers for a well-known daytime drama were messaging each other regarding a significant plot change.

A tabloid reporter intercepted their conversation and printed his scoop.

The show subsequently dropped 15 ratings points. Each point translates into advertising revenue of between $10 and $15 million.

INTERNAL COMM – EMAIL

EXAMPLE #3

A car manufacturer spent $240 million researching and developing an innovative, advanced engine design.

The company emailed the design to a production plant, but the email was intercepted by a competing manufacturer.

The competitor promptly put the new engine design into production, beating the developer to market without paying a single euro for R&D.

PKI

Public Key Infrastructure

idTRUST – PKI INFRASTRUCTURE

WHY IS A PKI NECESSARY?

• Key generation (optional; the key pair can also be generated locally by the application or browser)

• Validate initial identities

• Issuance, renewal and termination of certificates

• Certificate validation

• Distribution of certificates

• Secure archival and key recovery

• Generation of signatures and timestamps

• Establish and manage trust relationships
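The core functions in the list above, worked through end to end as an added example that is not part of this deck or of any DataQuest product: key generation, identity validation through a certificate signing request, issuance, validation against the issuing CA (and against an unrelated CA that must reject it), and termination by revocation with a published CRL. It uses the openssl command-line tool and assumes openssl 1.1.1 or later is installed; the CA names, the host name app01.corp.example and all file paths are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the slide deck or of any DataQuest product: the
# PKI functions listed above (key generation, identity validation via a CSR,
# issuance, validation and termination with a CRL) driven with the openssl
# command-line tool. Assumes openssl 1.1.1 or later on PATH; every name and
# path here is made up for the demonstration.
set -eu

WORK=""

# Fresh working directory, a minimal openssl.cnf for the demo CA, the CA's own
# key pair and self-signed root, a second unrelated CA, and one issued leaf.
pki_setup() {
  WORK="$(mktemp -d)"
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
new_certs_dir = $WORK
serial = $WORK/serial
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  echo 1000 > "$WORK/crlnumber"
  make_root_ca "$WORK/ca"    "/O=Example Corp/CN=Example Corp Internal CA"
  make_root_ca "$WORK/rogue" "/O=Somebody Else/CN=Unrelated CA"
  issue_cert "app01.corp.example" "$WORK/leaf"
}

# Key generation plus a self-signed root certificate carrying CA extensions.
make_root_ca() (
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -keyout "$1.key" -out "$1.crt" -subj "$2" -days 365 2>/dev/null
)

# Issuance: the subject generates its own key pair (the private key never
# leaves it) and submits a CSR; the CA validates the requester and signs a
# 90-day certificate with end-entity extensions.
issue_cert() (
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/O=Example Corp/CN=$1" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$WORK/ca.cnf" \
    -extensions v3_leaf -out "$2.crt" 2>/dev/null
)

# Validation: chain the certificate to a trusted CA, optionally also checking
# a CRL. Prints "trusted" or "untrusted".
verify_cert() ( # verify_cert CAFILE CERT [CRLFILE]
  if [ -n "${3:-}" ]; then set -- -crl_check -CRLfile "$3" -CAfile "$1" "$2"
  else set -- -CAfile "$1" "$2"; fi
  if openssl verify "$@" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
)

# Termination: mark the certificate revoked in the CA database and publish a
# new CRL for relying parties to check.
revoke_cert() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$1" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 7 -out "$WORK/ca.crl" >/dev/null 2>&1
}

leaf_trusted_by_issuer() { verify_cert "$WORK/ca.crt" "$WORK/leaf.crt"; }
leaf_trusted_by_rogue()  { verify_cert "$WORK/rogue.crt" "$WORK/leaf.crt"; }
leaf_trusted_after_revocation() {
  revoke_cert "$WORK/leaf.crt"
  verify_cert "$WORK/ca.crt" "$WORK/leaf.crt" "$WORK/ca.crl"
}

pki_setup
echo "leaf checked against its issuer:      $(leaf_trusted_by_issuer)"
echo "leaf checked against an unrelated CA: $(leaf_trusted_by_rogue)"
echo "leaf after revocation, CRL checked:   $(leaf_trusted_after_revocation)"
```

The third check is the one most deployments skip: without -crl_check (or an OCSP lookup) the revoked certificate still validates cleanly, so "termination of certificates" only means something if every relying party actually fetches revocation data.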

WHAT HAS BLOCKED PKI FROM GLOBAL USE?

• Cost

• PKI integration with the vertical application base

• CA portability and interoperability

idTRUST – PKI INFRASTRUCTURE

PUBLIC/PRIVATE KEY GENERATION

(Diagram) A public/private key pair can be generated from any of three places:

LOCAL APPLICATION
• ERP, CRM, SCM…

BROWSER
• WebSphere Portal
• Linux (PHP)

REMOTE SERVER COMMUNICATIONS

WHY USE CRYPTOGRAPHY?

Cryptography can be applied to the following information categories:

• Information at rest

• Information in transit

Cryptography is used to give information:

• Privacy – the information cannot be read by anyone but the intended recipient

• Integrity – the information cannot be modified undetected

• Authentication – proof of who the information came from

• Non-repudiation – the sender cannot deny involvement in the transaction

ASYMMETRIC KEY CRYPTOGRAPHY

Different keys (secrets) are used for the encryption and decryption processes.

(Diagram) Encryption process: cleartext information + public key → cipher → ciphertext (e.g. J9%B8^cBt). Decryption process: ciphertext + private key → cipher → cleartext information.

Asymmetric key cryptography is characterized by the use of two distinct but mathematically related keys: the asymmetric "public key" and the asymmetric "private key".

Digital Rights Management

DIGITAL RIGHTS

WHAT ARE DIGITAL RIGHTS?

They give us the ability to . . .

• Assign ownership to documents or data

• Ensure that data has not been altered during transfer

• Provide authentication

(In practice these three properties are what a digital signature over the document provides.)
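The encryption and decryption processes from the asymmetric-key diagram and the three Digital Rights properties above (ownership, unaltered transfer, authentication), as one added example that is not from this deck or from any DataQuest product. It uses the openssl command-line tool and assumes openssl 1.1.1 or later is installed; the role names (ceo, director, insider) and the note's text are constructed for the demonstration, standing in for the clear-text layoff chat in Example #1.

```shell
#!/bin/sh
# Added example, not from the slide deck: the encryption/decryption processes
# drawn on the asymmetric-key slide and the signature properties listed under
# Digital Rights, driven with the openssl command-line tool. Assumes openssl
# 1.1.1 or later on PATH; key names and the message are made up.
set -eu

WORK="$(mktemp -d)"

# Key generation: the private key file holds both halves of the pair; the
# public half is exported so it can be handed to anyone.
gen_keypair() (
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1.key" 2>/dev/null
  openssl pkey -in "$1.key" -pubout -out "$1.pub"
)

# Encryption process: the sender needs only the recipient's PUBLIC key.
# RSA-OAEP padding; the output file is the ciphertext.
encrypt_to() ( # encrypt_to recipient.pub cleartext-file ciphertext-file
  openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
    -in "$2" -out "$3"
)

# Decryption process: only the matching PRIVATE key recovers the cleartext.
# Prints the cleartext, or DECRYPT-FAILED when the key does not match.
decrypt_with() ( # decrypt_with holder.key ciphertext-file
  openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
    -in "$2" 2>/dev/null || echo DECRYPT-FAILED
)

# Signing: the PRIVATE key signs a SHA-256 digest of the document, which
# assigns ownership (only the key holder could have produced it).
sign_with() ( # sign_with owner.key document-file signature-file
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
)

# Verification with the PUBLIC key: "valid" proves integrity and origin;
# any change to the document or the signature yields "invalid".
verify_with() ( # verify_with owner.pub document-file signature-file
  if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
  then echo valid; else echo invalid; fi
)

# Constructed scenario: the personnel director encrypts a note to the CEO
# and signs it; a third party has only captured the ciphertext.
demo_setup() {
  gen_keypair "$WORK/ceo"       # intended recipient
  gen_keypair "$WORK/director"  # sender and signer
  gen_keypair "$WORK/insider"   # someone who merely captured the traffic
  printf 'Layoffs in the Q3 plan: 40 positions' > "$WORK/note.txt"
  encrypt_to "$WORK/ceo.pub" "$WORK/note.txt" "$WORK/note.enc"
  sign_with "$WORK/director.key" "$WORK/note.txt" "$WORK/note.sig"
}

ceo_reads_note()     { decrypt_with "$WORK/ceo.key" "$WORK/note.enc"; }
insider_reads_note() { decrypt_with "$WORK/insider.key" "$WORK/note.enc"; }
signature_on_original() {
  verify_with "$WORK/director.pub" "$WORK/note.txt" "$WORK/note.sig"
}
signature_on_tampered() {
  printf 'Layoffs in the Q3 plan: 4 positions' > "$WORK/note.tampered"
  verify_with "$WORK/director.pub" "$WORK/note.tampered" "$WORK/note.sig"
}

demo_setup
echo "CEO decrypts:          $(ceo_reads_note)"
echo "insider decrypts:      $(insider_reads_note)"
echo "signature on original: $(signature_on_original)"
echo "signature on tampered: $(signature_on_tampered)"
```

Two design points worth noticing: the insider's attempt fails because the OAEP padding check rejects output from the wrong private key (with PKCS#1 v1.5 padding newer OpenSSL releases deliberately return random bytes instead of an error), and the single-character change to the note flips the signature to "invalid" because the signature covers the SHA-256 digest of the whole document, not a field in it.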

USER IDENTIFICATION

CURRENT METHOD

• Username and password

• Card and PIN

• RSA token

• Biometrics

TOMORROW'S SECURITY TODAY

• Secure user authentication

• PKI

• Application firewalls

• Dynamic tunnels

NEXT GENERATION SECURITY

PROVIDER OF SECURE SYSTEM SOLUTIONS

• Public Key Infrastructure (PKI) services

• IdM device

• Dynamic Encryption Tunnel

• DQT Application Firewall

• Secure Tech – VPN and file transfer

DATAQUEST TECHNOLOGIES' SOLUTIONS

Virtual Security Network (VSN)™

VIRTUAL SECURITY NETWORK (VSN)™

● Next generation of VPN technology
● VSN is made up of 4 components:
  (1) Application Firewall
  (2) Dynamic Encryption Tunnel
  (3) ID Trust Card™
  (4) Digital Certificate (public and private key pair)

Application Firewall

DQT Application Firewall

• Linux-based firewall using SELinux
• Allows only authorized access to the server
• Can exist in an LPAR or p5 partition
• National Security Agency (NSA) technology

Dynamic Encryption Tunnel Server

• Provides the communication layer through the Application Firewall

• Multiple levels of encryption available
  • 128- and 256-bit keys and 3DES
  • Proprietary 2048-bit "obscure" algorithm (caveat: an unpublished cipher cannot be reviewed independently, so the standard ciphers above are the ones to rely on, not the obscurity)

• Multiple tunnel layers available
  • Replace a VPN or ride on top of a VPN

• Can exist in an LPAR or p5 partition
• Must have a public/private key pair to access the tunnel
• Layers on top of existing protocols (128-bit SSL, WEP)
• Low CPU drain
• Compresses MP4 video/data streams

IDTRUST CARD™

ID TRUST CARD FEATURES & CHARACTERISTICS

• Similar to a credit-card-sized "smart card," but also contains an on-card crypto processor

• Maintains protected storage for public/private keys, digital certificates and digital signatures to be used during the authentication process

• Executes cryptographic operations (verifies the fingerprint)

• Works in conjunction with a card operating system (COS)

IDTRUST CARD™

HOW THE IDENTITY TRUST CARD WORKS

• The user enrolls in the biometric process; the card keeps an encrypted hash of the user's fingerprint template in EEPROM

• When the user wishes to authenticate, he/she simply places the correct finger on the e-field sensor

• The fingerprint is scanned, hashed and encrypted

• The crypto processor compares the fingerprint sample to the value stored on the external device (the card itself)

• Neither the fingerprint hash nor the private key leaves the USB device

• The card typically returns only a success or failure status to the system

CRYPTO-PROCESSING CHIP LAYOUT

(Block diagram) ISO 7816 contacts: VCC, Reset, Clock, GND, I/O. On-chip: a 32-bit microprocessor (microcontroller), RAM 2K bytes, ROM 32K+ bytes, EEPROM 64K+ bytes, and a crypto accelerator (processor). Power, clock and the I/O bus follow the ISO 7816 family of smart/crypto card standards.

IDTRUST CARD™

CARD CUSTOMIZATION CAPABILITIES

• Multiple processors (4, 6, 8, etc.)

• Mix and match 8-, 16- and 32-bit processors for focused tasks

• Memory (inter-processor and processor specific)

• Multiple custom data structures (application and processor)

• Potentially contact-based and contactless cards

BIOMETRIC READERS

● Optical sensor
  – Low resolution
  – Easily fooled
  – Image template

● Capacitive sensor
  – 3D image
  – Fooled with a piece of wood and Silly Putty

● E-field sensor
  – Fingerprint template is minutiae based
  – Stored as a hash

USER IDENTIFICATION

• Crypto-processor card

• Biometrics on card

• ACLU friendly (the fingerprint data never leaves the card)


USER IDENTIFICATION SUMMARY

• Crypto-processor card

• Biometrics on card

• PKI data on card


PKI PRODUCT SUITE

idSAFE

A platform to ensure transport and management of data in transit (secure VPN)

idVOTE

A product enabling Internet voting via secure voter authentication

idSEAL

A smart encryption tool enabling the user to encrypt and decrypt individual files


GOLD CA – Internal/External Certificate Authority

INDUSTRY-SPECIFIC APPLICATIONS

(Hierarchy diagram) The DataQuest Master Trust Center (security levels 1, 2, 3) sits at the top. Below it are organization trust centers (Finance, Healthcare, small businesses, geographic/regional centers), each operating at its own subset of levels 1, 2 and 3; a healthcare medical records database, for example, is shown at level 3. Below those are trust centers for departments, groups and regional centers. A third-party Master Trust Center interoperates through its certificate, depending on the level of trust.


Works in a P5 System

(Partition diagram) The p5 hypervisor hosts each security component as its own partition, connected over virtual I/O paths: a Firewall partition, a Linux Application Firewall partition (dynamically resizable), a Tunnel Application partition and a Certificate Authority partition at 1 CPU each; an AIX 5L application server at 6 CPUs; and a Virtual I/O server partition (1 CPU) that provides Ethernet sharing and storage sharing.

SECURITY DOORS

PROFESSIONAL SERVICES

• Public Key Infrastructure planning and implementation services

• Biometric smart card, trust center and PKI integration

• Secure application design, development and implementation

• Enterprise security services

• Disaster recovery services

• Linux application tuning on zSeries and pSeries

• Enterprise Linux deployment

• Custom software and consulting services

• Technical support (hotline and on-site)

• Project management

• Training and education

SECURITY SERVICES

• Security Inventory Service

• Security Policies and Procedures Guide Development

• Security Audit/Assessment Service

• Security Vulnerability Service

• Security Implementation Service

SECURITY AUDIT SERVICE

TASK: REVIEW EXISTING CORPORATE SECURITY PRACTICES AS THEY PERTAIN TO . . .

• Day-to-day enterprise computing:
  • Perimeter security (authentication, identity and authorization)
  • Information at rest
  • Information in transit (distributed computing, file transfer, etc.)
  • Business application software and email usage
  • Mobile computing

• Management security directives:
  • Corporate security policy and procedure guidelines
  • Compliance with appropriate legislation

SECURITY AUDIT SERVICE

DELIVER DOCUMENTS DECLARING THE STATE OF EXISTING SECURITY PREPAREDNESS

• An inventory document defining the current state of enterprise security methods, techniques, corporate compliance and usage

• A document defining the next steps in the overall process of defining a current corporate security strategy and implementation plan:
  • Requirements analysis document
  • Security architecture document
  • Security products and implementation plan

EDUCATIONAL SERVICES (TECH TRAINING)

Modern Security Practices
• Authentication/Perimeter Security
• Trust Center and PKI Integration

Secure Distributed Architectures
• Linux
• AIX
• VMS
• Tru64
• Wintel

Secure Middleware Integration

• CORBA

• DCE

• Tivoli Identity Manager

• Tivoli Access Manager

Programming Languages

• C

• Java/JavaScript

• Perl


Questions?