Dr. Alin Dobra, CEO, Associate Prof. UF Chris Dudley, CTO Thomas Samant, CMO

Transcription

1

2 Dr. Alin Dobra, CEO, Associate Prof. UF Chris Dudley, CTO Thomas Samant, CMO

3 Special thanks to Dr. Kevin Gamache and Texas A&M for hosting this webex

4 Overview Use Case Security Features Deployment ROI Demo Q&A Take Control of Your Data

5 Uses of ticrypt

6 ticrypt Deals With Sensitive Data Securely store and process restricted data: electronic protected health information (ephi) (HIPAA) export-controlled data (ITAR/EAR) student data (FERPA) controlled unclassified information (CUI) intellectual property data (IP)

7 Academic Research is different Small, medium and large projects Projects must be fully separated Collaboration essential High level of sophistication: e.g. SAS, AI Bring your own tools (no restrictions on computation) Large data and significant computational needs Mild to very sensitive data

8 Specific Use Case Examples Single researcher with Data Use Agreement Faculty supervising multiple sensitive research projects Multiple researchers working on shared data Staff maintaining VMs Research developer working on data A researcher developing algorithms in Python, R, SAS, and even coding in C/C++ can be supported in the ticrypt platform

9 Three Issues to Address How to address security a. Need a lot of paranoia to meet security needs b. Need simple, straightforward user interface How to allow collaboration a. Collaboration should be straightforward b. Collaboration should be secure How ensure flexibility a. Accommodate huge variety of usage scenarios b. Setting up a new environment should be easy

10 Short Intro to Cryptography

11 Symmetric Encryption: AES-256 Same key encrypts and decrypts => symmetric Exceptionally strong Take the fastest supercomputer, for each grain of sand on Earth, for each Earth-like planet in our galaxy, for 50 million galaxies. Still need to run for the age of the universe to beak 1 key. Encryption key must be random Encryption key never used in same way twice

12 AES-256 Ultra-secure Super fast AES-NI instructions on Intel & AMD processors Server: 1.5GB/core/s encrypt & decrypt Laptop: MB/s encrypt & decrypt Main issues: password derived keys can be weak the same key cannot be used twice the same way (IV) Key management nightmare

13 Public Key Cryptography: RSA-2048 Two keys with asymmetric use public key & private key encryption: encrypt with public, decrypt with private digital signature: sign with private, verify with public mathematical wizardry based on Number Theory (primes and elliptic curves) Takes 1 billion years with current technology to break

14 ticrypt security is based on cryptography

15 A Honeycomb Approach

16 A public-private key for each user Generate public-private key on signup RSA-2048: 617 digit number Private key only stored/manipulated on client (Browser) server never sees the private key protect private key by AES-256 with password derived key Public keys of all users stored on server digitally signed to ensure they cannot be forged Private Key is stored encrypted in a text file

17

18 Authentication NIST FIPS 196: digital signature authentication client says I am Alin server: put 0x adda6923 in msg client: Digitally signed msg using Alin s private key server: verify msg using Alin s public key No passwords ever exchanged forging digital signature: impossible using current technology

19 Secure File Storage Randomly generate AES-256 key secure random number generator Encrypt file with key at source Encrypt AES key with user s public key Store encrypted key & file on server To decrypt: need user s private key

20 Secure File Sharing Bring encrypted file key from server Decrypt file key with private key Encrypt file key with other user public key Save on server other user can now use private key file safely handed over

21 End-to-End Encryption Encrypt the file as early as possible, decrypt as late as possible. File encrypted/decrypted in browser (WebCrypto) encrypted on server, encrypted in caches Strictly more secure than encryption in transit & at REST strict data confinement: only users with keys can access admin cannot access on server

22 Orthogonal Security ticrypt is compatible with traditional security mechanisms two fully independent defense methods need to defeat both to have a breach can leverage existing system security expertise Multi-factor authentication ensure stolen private keys cannot be used uniformly enforceable for all users Server administrators need not have data access

23 Traditional security vs ticrypt security ticrypt Security Everything is encrypted with AES-256 with random keys Random AES keys managed using RSA public key crypto No secret password explicitly shared No crypto weakness to exploit (weak passwords, etc.) Server breach results data breach Cannot decrypt with info stored on server Need user private keys

24 ticrypt Features

25 Data Confinement All data treated as sensitive at all times All files private until shared secure key exchange between users nobody including admins can read files if not shared ultimate control over data can never designate files as public Detailed auditing can be used to enforce confinement is the data shared inappropriately?

26 Key Escrow What if I lose my Key? nobody can recover private files without private key Key recovery system designed to require cooperation Protects against individual user key loss

27

28 Ease of Use Mirrored after the ease of use of Dropbox, Box, and Google Drive. Drag and Drop Sharing Easy to use functionality Smooth transition of use from current file sharing solutions Groups

29 Block-chain relational audit log Events logged at the ms level Blockchain technology Hashing (SHA 256) Protects against rogue admins Re-creation of entire system history is easy

30 Secure Audit Logs and Mining 50+ events are monitored in the Audit Logs: Session actions: request, challenge, lookup, delete, certificate session, sub sessions Directory actions: create, delete, rename, add/remove entry

31 Secure Audit Logs and Mining Virtual machine actions: create, delete, register, proxy Virtual machine drive actions: attach, detach, create, delete, add/get/delete key File actions: create, delete, add/get/delete key, read/write chunk Group actions: create, delete, add/remove member, modify group/member Storage actions: read, write User management actions: add, delete, modified

32 Virtual Machines

33

34

35

36 Receiving Outside Files with timailbox A feature to securely send files to a ticrypt user No need for an account Browser based (web interface) Command line based (10GB-10TB transfers) Same encryption mechanism: AES and RSA Encryption is performed at the source Only mailbox owner can decrypt the files

37

38 tiforms Securely collect and analyze sensitive surveys Currently implemented---> UF Pharma medical marijuana surveys Custom Wordpress frontend Export to files and VMs Under construction: form designer & frontend deployment Full roll out Q Complete replacement for RedCap

39 Deployment

40 Scalable Deployment for Research Groups Micro service back-end. Highly scalable Front-end runs locally in-browser Dist. software using Red Hat Ent. & CentOS signed RPMs

41 Deployment Solutions Private Cloud Deployment Private Server Deployment Complete control of your system Can use existing or new hardware Successful large scale deployment at the University of Florida 1.2 PB Storage, 200 Cores Uses LusterFS and WAS

42 What is the ROI on a system like this?

43 Streamlining the data management behind changing FAR case policy FAR Case has potential to require NIST for CUI When not if Becoming a core competency in securing grant funding. AWS Edu and Box are not appropriate for researchers with sensitive data Existing enterprise solutions too expensive Designed for organization wide solution Not feasible for small/medium groups

44 Necessity or Indulgence? Do we need this => cannot afford not to have this Future awards depend on such environments Late adoption => panic missed grants => unhappy faculty, missed overhead FAR Case Updates:

45 Pricing

46 Pricing for Traditional FISMA Environment Average FISMA Environment Deployment: ~$1.3 million Average FISMA Environment Annual Fees: ~$200,000-$400,000 *Numbers from the NIST Case Study Costs are per project Infeasible for small/medium projects Does not include add-on applications Inflexible Hard to add software Long lead time for setup Lots of consulting

47 ticrypt Introductory Pricing Deployment Fee: $80,000 Annual Licensing and TS: $125,000 Covers initial setup, system design, etc. Includes all features & add-ons Future updates & add-ons Unlimited support Price lock for the life of the system Priced per system Includes extra test system Discount for multiple systems *Prices and terms are subject to change No limits on deployment size No user limits No storage limits No VM server limits No project limits UF Partnered Software Solution

48 ticrypt Demo

49 Tera Insights Contact Alin Dobra CEO & UF Associate Professor Thomas Samant CMO University of Florida Inquires Stephanie Gray Assistant Vice President & Director, Division of Sponsored Programs University of Florida Alicia Turner Business Relationship Manager University of Florida