
Encryption a part of the whole security solution


Presentation Transcript


  1. Encryption a part of the whole security solution. William Besenyei, Solution Architect, wbesenyei@fusionstorm.com
  2. The Problem
     - Citigroup loses data of 3.9 million customers: tapes containing personal data of 3.9 million consumers lost by UPS.
     - 40 million Visa, MasterCard and American Express records hacked: CardSystems Solutions had 40 million debit and credit card records compromised in a successful hacking attempt using a malicious script.
     - 26.5 million records stolen from the US Dept. of Veterans Affairs: an employee took a laptop home without authorization. The laptop held sensitive personal data of 26.5 million people and was stolen during a burglary at the employee's home.
  3. 800,000 Records Lost: four storage devices lost while in transit. They fell out of an unsecured container, putting up to 800,000 persons' personal data at risk.
  4. 701,000 Records Exposed: In-Home Support Services, State of California Dept. of Social Services. 701,000 individuals' personal information was on unencrypted microfiche. It was mailed by a processing facility to the State Compensation Insurance Fund; the package was damaged in transit in May and some information was found missing.
  5. 315,000 Records Exposed: Emory Healthcare, Inc., located in Georgia. Data related to 315,000 patients on 10 computer disks went missing from a storage facility; a $200 million class-action lawsuit is underway.
  6. State Data Breach Laws
     - 46 of the 50 states have data breach laws (all except Alabama, Kentucky, New Mexico and South Dakota), and the laws are very similar.
     - Personal data loss is targeted. Personal data definition: first name or first initial and last name plus one or more of the following: Social Security number; driver's license number or state-issued ID card number; account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account. The laws generally apply to computerized data that includes PI.
  7. State Data Breach Laws
     - When data is lost, the organization must provide written or electronic notice to victims of a security breach in the most expeditious time possible and without unreasonable delay.
     - Unless the data is encrypted, known as "Safe Harbor": then no notification is required.
     - Typical state law "Safe Harbor" verbiage: "Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted."
     - Data breach penalties vary by state; see the Mintz Levin report at: http://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf
  8. Why Encrypt Data?
     - Need to comply with security standards to avoid post-data-breach penalties. Typically auditors will need to see that encryption at rest has been implemented.
     - Encrypted data in transit is useless without the proper key.
     - "Safe Harbor" if lost or stolen data was encrypted: no notifications are required and no penalties are incurred.
  9. Encryption Defined Encryption is a way of rendering readable data into cipher data that makes no apparent sense unless processed with the proper encryption algorithm and key.
  10. History of Encryption Encryption is not new: 700 BC – The Spartans used the Scytale made of Leather and Wood Spartan Scytale
  11. History of Encryption Encryption is not new: 700 BC – The Spartans used the Scytale made of Leather and Wood 1467 – The Alberti cipher –Two wheels mounted on an axle Alberti Cipher Discs
  12. History of Encryption Encryption is not new: 700 BC – The Spartans used the Scytale made of Leather and Wood 1467 – The Alberti cipher –Two wheels mounted on an axle 1797 – Thomas Jefferson, while secretary of state, invented a 26 cylinder wooden cipher tool Jefferson’s Disk Cipher
  13. History of Encryption Encryption is not new: 700 BC – The Spartans used the Scytale made of Leather and Wood 1467 – The Alberti cipher –Two wheels mounted on an axle 1797 – Thomas Jefferson, while secretary of state, invented a 26 cylinder wooden cipher tool 1930s & 1940s the German Enigma machine was used by German armed forces to encode their messages German Enigma Machine
  14. The German Enigma 150 Quintillion Possibilities
  15. The Enigma Algorithm
  16. The Bombe Decryption Device 150 Quintillion Possibilities 150,000,000,000,000,000,000
  17. The Lorenz Machine The German Lorenz Encryption Machine The Colossus Decryption Machine At Bletchley Park in England
  18. Navajo Code Talkers: WWII, Pacific Theater. US codes were being rapidly broken by the Japanese, and the US tried more complex codes. Solution: Navajo Code Talkers, with a code derived from the Navajo language. It was never broken; even Navajo marines couldn't break it!
  19. Public/Private Keys
     - Two keys are involved: the public key is used to encrypt, the private key is used to decrypt.
     - The public key is assigned to the recipient and is distributed to those wishing to send encrypted data.
     - The private key is known only to the recipient; only the private key can decrypt the encrypted data.
     - Typically used to initiate secure communications.
  20. Symmetric Keys
     - The same key is used to encrypt and decrypt.
     - Typically used for data at rest; more efficient than public/private key pairs.
     - Typically managed by a key manager, which could be software on the host, a physical appliance, or embedded in a storage device.
  21. DES Algorithm
     - DES developed in the early 1970s
     - 1976 – DES accepted as a standard by NBS
     - 1977 – NBS publishes DES as a standard (FIPS 46)
     - 1988 – Reaffirmed as a standard (FIPS 46-1)
     - 1993 – Reaffirmed as a standard (FIPS 46-2)
     - 1996 – Deep Crack breaks a DES key in 56 hours
     - 1999 – Deep Crack and Distributed.net break a DES key in 22 hours
     - 1999 – Triple DES affirmed as a standard (FIPS 46-3)
     - 2001 – NIST selects AES as the new cipher algorithm
  22. The DES Algorithm
     - 64-bit key (56 bits are the actual key)
     - 64 byte data blocks
     - There are 16 cipher rounds; each round operates on half the block and derives its round key from the main key
  23. Triple DES
     - Still considered practically unbreakable
     - Uses three keys to encrypt data: Step 1, key 1, encrypt using DES; Step 2, key 2, decrypt using DES; Step 3, key 3, encrypt using DES
     - Decrypting is simply reversing the process: Step 1, key 3, decrypt using DES; Step 2, key 2, encrypt using DES; Step 3, key 1, decrypt using DES
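The three-step sequence on this slide, carried out by hand as an added Go example (not code from the presentation; it uses only Go's standard crypto/des package). It applies the slide's steps with three single-DES ciphers, reverses them for decryption, checks the result against the library's own Triple DES (which takes the 24-byte concatenation key1||key2||key3 and applies the same encrypt-decrypt-encrypt order), and shows what happens when all three keys are the same. Note that DES operates on 64-bit blocks, so a block is 8 bytes; the keys and block below are constructed sample values, not real key material.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// DES (and so Triple DES) works on 64-bit blocks: 8 bytes per block.
// Each DES key is 8 bytes, of which 56 bits are key material and 8 are parity.
const desBlockSize = 8

// desCiphers builds the three single-DES ciphers for key 1, key 2 and key 3.
func desCiphers(k1, k2, k3 []byte) ([3]cipher.Block, error) {
	var cs [3]cipher.Block
	for i, k := range [][]byte{k1, k2, k3} {
		c, err := des.NewCipher(k)
		if err != nil {
			return cs, fmt.Errorf("key %d: %w", i+1, err)
		}
		cs[i] = c
	}
	return cs, nil
}

// TripleDESEncryptBlock runs the slide's three steps on one block:
// step 1 encrypt with key 1, step 2 decrypt with key 2, step 3 encrypt with key 3.
func TripleDESEncryptBlock(k1, k2, k3, block []byte) ([]byte, error) {
	if len(block) != desBlockSize {
		return nil, fmt.Errorf("block must be %d bytes, got %d", desBlockSize, len(block))
	}
	cs, err := desCiphers(k1, k2, k3)
	if err != nil {
		return nil, err
	}
	out := make([]byte, desBlockSize)
	cs[0].Encrypt(out, block) // step 1: key 1, encrypt
	cs[1].Decrypt(out, out)   // step 2: key 2, decrypt
	cs[2].Encrypt(out, out)   // step 3: key 3, encrypt
	return out, nil
}

// TripleDESDecryptBlock reverses the process exactly as the slide lists it:
// decrypt with key 3, encrypt with key 2, decrypt with key 1.
func TripleDESDecryptBlock(k1, k2, k3, block []byte) ([]byte, error) {
	if len(block) != desBlockSize {
		return nil, fmt.Errorf("block must be %d bytes, got %d", desBlockSize, len(block))
	}
	cs, err := desCiphers(k1, k2, k3)
	if err != nil {
		return nil, err
	}
	out := make([]byte, desBlockSize)
	cs[2].Decrypt(out, block) // step 1: key 3, decrypt
	cs[1].Encrypt(out, out)   // step 2: key 2, encrypt
	cs[0].Decrypt(out, out)   // step 3: key 1, decrypt
	return out, nil
}

// MatchesLibrary checks the hand-built sequence against Go's crypto/des Triple DES.
func MatchesLibrary(k1, k2, k3, block []byte) (bool, error) {
	key := append(append(append([]byte{}, k1...), k2...), k3...) // key1||key2||key3
	tdes, err := des.NewTripleDESCipher(key)
	if err != nil {
		return false, err
	}
	want := make([]byte, desBlockSize)
	tdes.Encrypt(want, block)
	got, err := TripleDESEncryptBlock(k1, k2, k3, block)
	if err != nil {
		return false, err
	}
	return string(got) == string(want), nil
}

// ReducesToSingleDES shows why the three keys must differ: with key1 == key2 == key3
// the decrypt in step 2 undoes step 1, and Triple DES collapses to single DES.
func ReducesToSingleDES(k, block []byte) (bool, error) {
	single, err := des.NewCipher(k)
	if err != nil {
		return false, err
	}
	want := make([]byte, desBlockSize)
	single.Encrypt(want, block)
	got, err := TripleDESEncryptBlock(k, k, k, block)
	if err != nil {
		return false, err
	}
	return string(got) == string(want), nil
}

func main() {
	// Constructed sample keys and block for the demo, not real key material.
	k1, k2, k3 := []byte("key-one!"), []byte("key-two!"), []byte("key-3!!!")
	block := []byte("8bytes!!")
	ct, _ := TripleDESEncryptBlock(k1, k2, k3, block)
	pt, _ := TripleDESDecryptBlock(k1, k2, k3, ct)
	fmt.Printf("ciphertext %s -> plaintext %q\n", hex.EncodeToString(ct), pt)
}
```

The decrypt in the middle step is what makes the construction backward compatible: ReducesToSingleDES confirms that a Triple DES device handed one key three times behaves as plain DES, which is the cipher the Deep Crack timeline above shows being searched in hours. Key handling in a real deployment would also reject a key whose three parts are equal.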
  24. Advanced Encryption Standard
     - Developed in 1997 by NIST (National Institute of Standards and Technology)
     - Based on the Rijndael algorithm (look it up)
     - Designed to work with long keys of random bits; keys can be 128, 192 or 256 bits long and are represented in hexadecimal notation
     - Data blocks are always 128 bytes long
  25. General design of AES encryption cipher
  26. Structure of each round at the encryption site
  27. AES
     - AES was designed after DES; most of the known attacks on DES were already tested on AES.
     - Brute-force attack: AES is definitely more secure than DES due to the larger key size.
     - Statistical attacks: numerous tests have failed to do statistical analysis of the ciphertext.
     - Differential and linear attacks: there are no differential and linear attacks on AES as yet.
     - AES can be implemented in software, hardware and firmware; the implementation can use a table-lookup process or routines that use a well-defined algebraic structure.
  28. How Secure is AES256?
     - The brute force method: try every possible bit combination. 2^256 possible combinations of bits.
     - Assume one computer could do 10^14 decryptions per second, or 3.15*10^21 per year, and uses 3741 kWh annually at $0.12 per kWh = $450/year.
     - To try 2^255 key combinations in one year you would need (2^255 / 3.15*10^21) ~ 1.84*10^55 computers.
     - So that would cost ($450 * 8*10^55) ~ $8*10^57, or $8 octodecillion dollars.
     - Moore's law states that compute power doubles every 18 to 24 months. Even still, that puts AES 256 into the infeasible range for many, many years to come.
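The slide's cost estimate carried through as an added Go example (not from the presentation). The constants are the slide's assumptions: 10^14 decryptions per second per machine, a year rounded so that one machine does 3.15*10^21 per year, and $450 per machine-year of electricity. The functions generalize the same arithmetic to any key length, which is what makes the 56-bit DES row in the output look so different from the 256-bit AES row, and add a Moore's-law step that is this example's own assumption: count how many doubling periods it takes before a single machine-year covers the search.

```go
package main

import (
	"fmt"
	"math"
)

// Parameters taken from the slide (constructed assumptions; adjust to model another attacker).
const (
	DecryptionsPerSecond = 1e14   // per machine
	SecondsPerYear       = 3.15e7 // the slide's rounding: 1e14 * 3.15e7 = 3.15e21 decryptions per machine-year
	CostPerMachineYear   = 450.0  // 3741 kWh * $0.12 per kWh
)

// KeysToTry is the expected work of an exhaustive search: half the keyspace,
// 2^(bits-1), which is why the slide works with 2^255 for a 256-bit key.
func KeysToTry(bits int) float64 { return math.Ldexp(1, bits-1) }

// MachinesForOneYear is the fleet that covers KeysToTry within a single year.
func MachinesForOneYear(bits int) float64 {
	return KeysToTry(bits) / (DecryptionsPerSecond * SecondsPerYear)
}

// CostForOneYear prices that fleet at the slide's electricity cost per machine-year.
func CostForOneYear(bits int) float64 { return MachinesForOneYear(bits) * CostPerMachineYear }

// SecondsOnOneMachine is the expected wall-clock time if only one machine is used.
func SecondsOnOneMachine(bits int) float64 { return KeysToTry(bits) / DecryptionsPerSecond }

// YearsUntilOneMachineYearSuffices folds in Moore's law, assumed here as compute
// doubling every doublingMonths: how long until a single machine can do the search
// in one year. Zero means it is already feasible with today's parameters.
func YearsUntilOneMachineYearSuffices(bits int, doublingMonths float64) float64 {
	doublings := math.Log2(MachinesForOneYear(bits))
	if doublings <= 0 {
		return 0
	}
	return doublings * doublingMonths / 12
}

func main() {
	for _, bits := range []int{56, 128, 256} {
		fmt.Printf("%3d-bit key: one machine %.3g s | %.3g machines for a year, ~$%.3g | Moore's law (18 mo): %.0f years\n",
			bits, SecondsOnOneMachine(bits), MachinesForOneYear(bits), CostForOneYear(bits),
			YearsUntilOneMachineYearSuffices(bits, 18))
	}
}
```

MachinesForOneYear(256) reproduces the slide's 1.84*10^55 machines, and multiplying by $450 gives the ~$8*10^57 figure. The same formula for a 56-bit key gives about six minutes on one of the slide's assumed machines, which is the gap the DES timeline above describes; even at an 18-month doubling the 256-bit search stays out of reach of a single machine-year for well over two centuries.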
  29. Practical Brute Force Attack: hire the mob to work over the guy with the key. That might cost anywhere from $50K to $1 million, and it might only take a few days. Advice: don't be the guy with the key!
  30. Encryption at work
     - Data at rest – the encryption of data on storage devices. Protects data on storage devices carried out of a secure datacenter.
     - Data in transit – the encryption of data as it is transmitted between devices or datacenters. Protects data from being understood if intercepted while being transmitted; for instance, SSL (Secure Socket Layer) is extensively used to encrypt https traffic.
     - 700 BC Spartan military Scytale: used to encrypt military messages in transit and at rest. Constructed of a leather strap wrapped around an eight-sided stick.
  31. SSL - Secure Socket Layer
     - Based on public/private keys: each side has its own public/private key pair.
     - Public keys are exchanged; each side uses the other's public key to encrypt, and the other side uses its private key to decrypt.
     - Once the public keys are exchanged, some protocols then use the public/private keys to exchange a symmetric key to continue the data exchange.
     - Public/private is much slower to encrypt/decrypt than symmetric key encryption/decryption.
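The exchange described on this slide, as an added Go example using only the standard library (not the presentation's code, and not SSL/TLS itself: it is the same hybrid pattern, with RSA-OAEP standing in for the public/private step and AES-256-GCM for the symmetric bulk encryption). Party, WrapSessionKey, SealRecord and Exchange are names chosen for this example, and the sample record is constructed. Only the receiver's public key, the wrapped session key and the sealed record ever pass between the two sides.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one endpoint. Only PublicKey() ever leaves it; the private half stays local.
type Party struct{ priv *rsa.PrivateKey }

func NewParty() (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

func (p *Party) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// WrapSessionKey is the sender's step: draw a fresh 256-bit AES key and encrypt it
// under the receiver's public key, so only the matching private key can recover it.
func WrapSessionKey(receiverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	return sessionKey, wrapped, nil
}

// UnwrapSessionKey is the receiver's step with its private key; any other key fails.
func (p *Party) UnwrapSessionKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, wrapped, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord carries bulk data under the symmetric session key with AES-256-GCM;
// the random nonce is prefixed to the ciphertext so OpenRecord can find it.
func SealRecord(sessionKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord fails if the key is wrong or the sealed bytes were altered in transit.
func OpenRecord(sessionKey, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed record too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Exchange runs the slide's sequence in one direction and returns what the receiver read.
func Exchange(receiver *Party, message []byte) ([]byte, error) {
	sessionKey, wrapped, err := WrapSessionKey(receiver.PublicKey()) // sender: receiver's public key
	if err != nil {
		return nil, err
	}
	sealed, err := SealRecord(sessionKey, message) // sender: symmetric session key
	if err != nil {
		return nil, err
	}
	recovered, err := receiver.UnwrapSessionKey(wrapped) // receiver: its own private key
	if err != nil {
		return nil, err
	}
	return OpenRecord(recovered, sealed) // receiver: the same symmetric key
}

func main() {
	receiver, _ := NewParty()
	out, err := Exchange(receiver, []byte("constructed sample record")) // constructed input
	fmt.Printf("receiver read %q, err=%v\n", out, err)
}
```

The public-key operation is used once, for 32 bytes, and everything after that runs under the symmetric key, which is the efficiency point the slide makes. For the reverse direction the receiver would repeat Exchange with the sender's public key; a real protocol also authenticates the public keys it receives, which this example leaves out.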
  32. Data at Rest Encryption: used for tape and disk. Encryption at rest is implemented in the following ways: at the source, in the fabric (SAN), or in the storage platform.
  33. Data At Rest Considerations
     - Encrypted data without the key is useless; keys must be protected against loss or theft.
     - You can't manually track and manage the keys (256 bits = 64 characters), and you can't manually serve up keys as fast as they are needed.
     - Key managers are the answer: they maintain a database of enterprise-specific keys, and each key has a local ID that is only meaningful enterprise-wide.
     - More than one key manager is required for high availability.
     - Key manager communications are encrypted.
     - Keys must be backed up and shared with all the other enterprise key managers.
  34. Key Manager Architecture (diagram: multiple Key Managers and Encryption Devices connected over a Management LAN)
  35. Encryption Key Management
     - Key management servers have been proprietary: keys could only be served to the same vendor's devices, so several vendors' key management servers might be needed.
     - Now a consortium of vendors has developed a standard key management interface protocol, KMIP, which allows one vendor to supply a key management service for the entire enterprise.
     - Developed by IBM, HP, RSA (EMC) and Thales.
  36. OASIS - KMIP
     - OASIS = Organization for the Advancement of Structured Information Standards
     - KMIP = Key Management Interoperability Protocol
     - OASIS KMIP original sponsors: Brocade, EMC, HP, IBM, LSI, NetApp, Seagate and Thales
     - OASIS KMIP Technical Committee members: Axway Software, CA Technologies, CertiVox Ltd, Cryptsoft Pty Ltd., EMC, Hewlett-Packard, IBM, NIST, Oracle, Red Hat, SafeNet, Inc., Symantec Corp., Thales e-Security, Venafi, Inc., VMware, Inc., Vormetric, Inc.
  37. Data Encryption at the Source (diagram: Key Manager)
     - Source-based encryption is the most secure, as data is unreadable except by the source-based code or hardware.
     - Other servers will need to have the proper key and software/hardware to read the data.
     - HTTPS is an example of source-based encryption.
     - EMC offers source-based encryption via PowerPath optional software.
  38. Data Encryption in the Fabric (diagram: Key Manager)
     - Fabric-based encryption: the server is not involved in the encryption process.
     - Any server connected to the SAN and properly zoned to the LUN can read encrypted data.
     - LUNs in heterogeneous storage can be encrypted by the fabric.
     - Keys are stored in an external key manager.
  39. Data Encryption in the Storage Platform
     - Storage array based encryption: the server is not involved in the encryption process; data is written and read as plain text.
     - Encryption and encryption keys are controlled by the array.
     - Drives that are removed from the storage array are unreadable, even by another identical storage array.
     - Keys cannot be lost.
  40. LTO4 & 5 Encryption (diagram labels: SAN Data, Compression, Encryption)
     - LTO 4 & 5 tape drives have ASICs programmed to perform encryption.
     - Keys need to be supplied by a software or hardware key manager.
     - Software: typically, backup software will manage the keys and turn the drive encryption ASIC on and off.
     - Hardware: an external key manager through library control and policy management.
     - Encryption presents no additional overhead.
     - Fabric-based encryption: the tape drive ASIC is not engaged; a fabric-based engine and key management are used instead.
  41. Encryption Keys
     - AES encryption needs randomly generated keys as the basis for the AES algorithm; each key will produce a unique cipher (AES has no weak keys due to its algorithm).
     - Encrypted data can only be read if the proper key is available for the AES algorithm: lose a key and you also lose the data that was encrypted with that key.
     - Key manager servers are used to securely hold encryption keys; devices can request a key when needed.
     - More than one key manager server is typically used to ensure that keys are never lost or unavailable.
     - All encryption devices are connected to the key manager server via the corporate LAN/WAN.
     - Keys are encrypted while being stored on the key manager server and also while in transit between key manager servers or encryption devices.
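A toy key manager tying together the "Data At Rest Considerations" and "Encryption Keys" slides, as an added Go example (not the presentation's code and not any vendor's product; KMIP is not implemented, and the "manager" is an in-memory map without the at-rest and in-transit key encryption the slide calls for). It generates random 256-bit AES keys addressed by a local key ID, writes that ID into the header of every record encrypted at rest with AES-256-GCM (AES's block is 128 bits regardless of key length), replicates keys to a peer for availability, and shows that a manager which never received a key cannot recover the data. KeyManager, EncryptAtRest, the record layout and the sample record are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// KeyManager is a toy stand-in for a key-manager server: a database of enterprise
// keys addressed by a local key ID (assumed design; single-threaded, so no locking).
type KeyManager struct {
	keys map[string][]byte // key ID -> 256-bit AES key
}

func NewKeyManager() *KeyManager { return &KeyManager{keys: map[string][]byte{}} }

const (
	keyIDLen = 16 // hex key ID written in front of every record
	nonceLen = 12 // standard AES-GCM nonce size
)

// GenerateKey creates a random 256-bit key (64 hex characters when displayed,
// the slide's "256 bits = 64 characters"), stores it and returns its local ID.
func (km *KeyManager) GenerateKey() (string, error) {
	buf := make([]byte, 32+keyIDLen/2)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id := hex.EncodeToString(buf[32:])
	km.keys[id] = buf[:32]
	return id, nil
}

// Lookup serves a key to a device; a key this manager never received is simply gone.
func (km *KeyManager) Lookup(id string) ([]byte, error) {
	key, ok := km.keys[id]
	if !ok {
		return nil, fmt.Errorf("key %s is not held by this key manager", id)
	}
	return key, nil
}

// Replicate copies every key to a peer manager: the backup-and-share step that
// keeps a single server failure from destroying the keys.
func (km *KeyManager) Replicate(peer *KeyManager) {
	for id, k := range km.keys {
		peer.keys[id] = append([]byte(nil), k...)
	}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // AES: 128-bit blocks, here under a 256-bit key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
}

// EncryptAtRest fetches the key by ID and writes keyID || nonce || ciphertext+tag,
// so the device later needs only the stored ID to ask a manager for the key.
func EncryptAtRest(km *KeyManager, keyID string, plaintext []byte) ([]byte, error) {
	key, err := km.Lookup(keyID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append([]byte(keyID), nonce...)
	return gcm.Seal(header, nonce, plaintext, nil), nil
}

// DecryptAtRest reads the key ID from the record and asks the manager for the key;
// if no reachable manager holds it, the data is unrecoverable.
func DecryptAtRest(km *KeyManager, record []byte) ([]byte, error) {
	if len(record) < keyIDLen+nonceLen {
		return nil, fmt.Errorf("record too short: %d bytes", len(record))
	}
	key, err := km.Lookup(string(record[:keyIDLen]))
	if err != nil {
		return nil, fmt.Errorf("data unrecoverable: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Open fails if the key is wrong or the stored bytes were altered.
	return gcm.Open(nil, record[keyIDLen:keyIDLen+nonceLen], record[keyIDLen+nonceLen:], nil)
}

func main() {
	primary, replica := NewKeyManager(), NewKeyManager()
	id, _ := primary.GenerateKey()
	record, _ := EncryptAtRest(primary, id, []byte("constructed tape record")) // constructed input
	_, err := DecryptAtRest(replica, record) // the replica never received the key
	primary.Replicate(replica)
	pt, _ := DecryptAtRest(replica, record)
	fmt.Printf("before replication: %v; after: %q\n", err, pt)
}
```

Storing only the key ID with the data is what lets a device ask any replicated manager for the key, and it is also why the slide's "lose a key and you lose the data" holds: the record carries no way back to the key except through a manager that still holds it. GCM's authentication tag adds the detection the slides do not mention, so a drive or tape whose bytes were altered fails to open instead of returning garbage.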
  42. So, Is Encryption Enough?
     - Encryption only renders data unreadable.
     - Encryption does not stop hackers gaining access to data, or internal employees or contractors gaining access to data.
     - At the edge of the encryption boundary, data is in plain text.
     - Therefore encryption only protects data on disk and tape drives once they leave the data center perimeter.
     - That satisfies state law and certain auditors, but it is not the total answer to security.
  43. Threat Agents (chart): threat agents over time by percent of breaches. Data taken from the 2012 Data Breach Investigations Report by Verizon.
  44. Threat Actions (chart): threat action categories by percent of breaches and percent of records, larger organizations. Data taken from the 2012 Data Breach Investigations Report by Verizon.
  45. So, Is Encryption Enough? NO!
     - Encryption is a great tool as far as it goes; however, it is not the whole answer to the issue of data security.
     - Beware of external hackers and malware.
     - Harden passwords.
     - Scrub email.
     - Scan downloads, applets and cookies.
     - Secure the network with firewalls and malware filters.
     - Secure laptops and personal devices.
  46. Thank You for Your Attention William Besenyei Solution Architect wbesenyei@fusionstorm.com