Encryption In The Enterprise

Transcription

1 Encryption In The Enterprise Twin Cities Oracle User s Group Chris Olive, Sales Engineer Vormetric, Inc.

2 Agenda Modern Encryption & Cryptography What Should Be Encrypted and Why Encryption in Enterprise Architecture Tokenization Versus Application Encryption Key Management Handling Oracle TDE The Vormetric Encryption Platform Solution Q&A

3 Modern Encryption & Cryptography Hashes/Hashing Not encryption but used in cryptography Computationally independent Symmetric Keys Based on a secret key Stream Ciphers: RC4, Fish, Pike, Rabbit, etc. (many others) Block Ciphers: DES, 3DES, Blowfish, RC5, AES, IDEA, etc. (many others) Primary focus here on block ciphers and AES has popular attention right now Asymmetric Keys Based on key pairs Examples: RSA, DSA, others Most popular right now is RSA and based on PKCS#1 Generally used for short messages and key exchange Protocols using Asymmetric Keys S/MIME, PGP, OpenPGP, SSL, TLS, Bitcoin, others Certificates Metadata around a public key Data-In-Motion vs. Data-At-Rest

4 Strength of Algorithms For AES-128: combinations of the key Brute force of ½ of the key combinations (2 127 ) at 1,000,000,000 per second would take approximately 10,000,000,000,000,000 (quadtrillion) years For AES-256: combinations of the key Brute force of ½ of the key combinations is infinitely more than AES (Not enough space on this slide for the zeros!) There are known attacks that cut down on these numbers: Related Key, Known Key Distinguishing, Key Recovery, Tau Statistic, Side-Channel NIST (National Institute of Standards & Technology) Approval should be sought Some vendors use algorithms that aren t NIST approved

5 What should be encrypted and why? Focus here is on Data-At-Rest (DAR) High motivation for Data-In-Motion to be always encrypted Recent push for all Web sites to use SSL/TLS Should be considered inside all organizations as well, not just on the perimeter BUT! Causes issues with traffic and layer 7 inspection huge issue right now Two lines of thought around encryption of DAR: Encrypt (only) sensitive data Encrypt everything Encrypting only sensitive data has issues: What defines sensitive? The definition tends to change and move over time. What is actually sensitive? Actual sensitive data tends to change and move. All the above tends to be expensive both in time and in money. Meanwhile your data continues to grow/shift/move and remain exposed. Constantly trying to hit a moving target.

6 Encrypt Everything Recommendation now is to encrypt everything Why? Easy to do now whereas in the past it was much harder all main obstacles have been removed! Initial, On-Going, Transparency, Keys Commercial solutions now make encryption ubiquitous Data is the real gold: It used to be only financial payloads were considered valuable now ALL data is valuable! Data should be protected the moment it s born then doesn t have to be analyzed for sensitivity (since now ALL data has become sensitive.) The cost of data analysis and classification is reduced or evaporates altogether. All data is valuable when married to the right economy

7 Encryption In Enterprise Architecture Laptop End Point/DLP Complexity SSL/TLS App Security App/Token Database Server Web DB Storage/FDE Storage

8 Tokenization Versus Encryption Tokenization & Encryption are related: Tokens are essentially format preserving encryption (best vaultless) Tokens are encrypted in commercial tokenization solutions (vaulted) Typically used in PCI compliance scenarios where servers are taken out of scope Commercial tokenization solutions tend to come with data masking capabilities Encryption used to be non-format preserving (non-fpe) Generally lead or leads to changes to database schemas as Encrypted values would inflate and not preserve format SSN is a great example Most commercial encryption products have or are coming out with FPE In tokenization, same token always returned; in encryption you don t want this!

9 Sample Tokenization Versus Encryption Current commercial tokenization solutions usually come in two flavors: Vaulted/Stateful: Tokens stored in a backend database and encrypted more secure but not as performant Vaultless/Stateless: Tokens stored in memory and encrypted very performant but not as secure Home-grown tokenization solutions are all over the map. Sample token table versus encryption: SSN Tokenized Encrypted iegh0caediemahng iec4lai0ainooloh Ahv0quaaseoG8hua

10 Considerations Tokenization & Application Encryption Full Data Analysis Data Points: Do you know every data element size, where, etc.? Application Matrix: Do you know every application touching every one of those data elements? Searching: Will it break searching, especially for encryption? Software Architecture: Generally executed by software architect(s) with little to no security experience or know how Time To Implement Relative to full, robust SDLC Unit, integration, customer, performance, QA and Production, usually governed by change management PER APPLICATION Both easier if done earlier in the SDLC or green field

11 Key Management Most point solutions have little or no key management Great example: Encrypting a MacBook hard drive Without access to keys, your data is toast! This is the premise behind Ransomware, right?! Great Key Management needs to be: Centralized Easy to manage but still SECURE! All types of keys: SSL/TLS, CAs, other generated keys generally from symmetric or asymmetric algorithms like OpenSSL, ssh-keygen, key appliance, etc.

12 TDE With Vormetric Key Agents TDE Master Encryption Key Vormetric DSM acts as Network HSM for Database Master Encryption Keys Vormetric Key Agent is installed on the database server SSL Network Connection Key Agent* Oracle / Microsoft TDE Database TDE Tablespace Encryption Key Encrypted Data Files TDE Tablespace Encryption Key Encrypted Data Files 12 * PKCS-11 for Oracle and MSCAPI for MSSQL

13 Commercial Key Management Generally implement KMIP or should (Key Management Interoperability Protocol) When deployed as hardware appliances, can also house HSMs or Hardware Security Managers Necessary for FIPS and FIPS compliance (gov t) Tamper-proof Capable of at least storing, reporting and alerting (expirations) on keys stored in the device Solutions in the industry vary in complexity and pricing

14 Questions & Answers

15 Vormetric Data Security Simplifying Data Security for the Enterprise John Murakami - Regional Sales Manager Chris Olive Sales Engineer

16 Vormetric Customers Founded 2001 Customers Include 17 of the Fortune 30 Top names in Banking, Retail, Outsourcing, Manufacturing & Insurance Used by the US Government including US Intelligence Community IP Protection, Compliance, Client Data & Consumer Information Protection Recently acquired by Thales

17 Leverage Existing Investments Vormetric gives our customers best in class security controls needed for compliance, data breach protection and for safeguarding critical intellectual property through powerful data-at-rest encryption. Rod Hamlin Vice President Copyright 2015 Vormetric, Inc. Proprietary and Confidential. All rights reserved.

18 One Platform One Strategy Data-at-rest security that follows your data Physical Virtual Outsourced Enterprise Data Centers Private, Public, Hybrid Clouds Sources Nodes Analytics Remote Servers Big Data

19 Vormetric Encryption Use Cases Database Encryption Usage: Encrypt Tablespace, Log, and other DB files Common Databases: Oracle, MSSQL, DB2, Sybase, Informix, MySQL Unstructured Data Encryption Usage:Encrypt and Control access to any type of data used by LUW server Common Data Types: Logs, Reports, Images, ETL, Audio/Video Recordings, Documents, Big Data Examples:FileNet, Documentum, Nice, Hadoop, Home Grown, etc Cloud Encryption Usage: Encrypt and Control Access to data used by Cloud Instances Common Cloud Providers: Amazon EC2, Rackspace, MS Azure

20 Vormetric Data Security Tools Data Encryption Access Control Key Management Audit Encrypts file system data transparently to: Applications Databases Storage Infrastructure Integrated Key Management High Efficiency Encryption Firewall-like access controls for data access Separate data access from data management for systems privileged users(root, SA, etc ) Key Management for Vormetric keys and 3 rd Party Encryption Products Provide Network HSM for other encryption solutions PKCS#11 (Oracle 11gR2) EKM (MSSQL 2008 R2) Granular data access logging Denied Access Events Expected Access Events

21 Vormetric Transparent Encryption Protects structured/unstructured data Encryption with integrated key management Policy-based access control Security Intelligence Privileged Users - _}?$%-:>> Approved Processes and Users John Smith 401 Main Street Vormetric Security Intelligence Logs to SIEM User Encrypted & Controlled Clear Text User Application DSM DSM Vormetric Data Security Manager virtual or physical appliance Database File Systems File Systems Application Database Storage Server Volume Managers Volume Managers Allow/Block Encrypt/Decrypt Big Data, Databases or Files Cloud Admin, Storage Admin, etc Transparent data protection for any app, OS, data type, and storage - _}?$%-:>>

22 Vormetric Application Encryption Encrypts specific fields or columns in files and databases Privileged Users - _}?$%-:>> root SA DBA user Approved Users John Smith 401 Main Street Vormetric Security Intelligence Logs to SIEM Database User Application Database Allow/Block Encrypt/Decrypt Cloud Provider / Outsource Administrators DSM Vormetric Data Security Manager on Enterprise premise or in cloud virtual or physical appliance File Systems Storage Volume Managers Name: Jon Dough SS: if030jcl PO: Jan Big Data, Databases or Files *$^!@#)( - _}?$%-:>>

23 Vormetric Application Encryption Workflow Web Server Workflow: 1 Credit Card# 2 Credit Card# 1. User submits personal information to purchase items. 2. Web server sends personal information to application server. 3. Application calls into Vormetric Application Encryption (VAE) library to encrypt data. (NOTE: VAE obtains keys from the DSM only once) 4. VAE returns the value back to the application. 5. Application then stores the encrypted value in the database server. Application Server 3 Credit Card# Application 4 Encrypted Credit Card# VAE Agent Encrypted Keys DSM Vormetric Data Security Manager (Key Management) 5 Encrypted Credit Card# Database, Big Data or File Storage Vormetric Confidential

24 Vormetric Tokenization w/ Dynamic Data Masking use case 1 Request 3 4 DSM Accounts Payable App Servers REST API 6 Mask Data Sent Vormetric Token Server Customer Service 7 Response Database (production data tokenized) 5 Token Vault ((CC)e, Token) Lookups AD/LDAP Server Credit Card Token or mask Slide No: 24 Copyright 2015 Vormetric, Inc. Proprietary and Confidential. All rights reserved.

25 Vormetric Cloud Gateway Encrypting and controlling SaaS data Security Intelligence Personal Computers Mobile Devices DSM Vormetric Cloud Gateway Q Future Servers Enterprise SaaS Slide No: 25 Copyright 2015 Vormetric, Inc. Proprietary and Confidential. All rights reserved.

26 One Platform One Strategy Data-at-rest security that follows your data Physical Virtual Outsourced Enterprise Data Centers Private, Public, Hybrid Clouds Sources Nodes Analytics Remote Servers Big Data

27 Questions?