Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing the Impact of a Breach


Description

Encryption has been viewed as the ultimate way to protect sensitive data for compliance. But it has also been considered very complex to implement. Today, encryption is essential to meet compliance objectives, and has become much simpler to implement. The challenge is knowing when and where to use encryption, how it can simplify compliance, what controls need to be in place, and the options for good encryption key management. This session will cover the options for encryption and key management, what each provides, and their requirements. Encryption and key management topics include application-level encryption for data in use, network encryption of data in motion, and storage encryption for data at rest.

Transcript of Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing the Impact of a Breach

Page 1: Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing the Impact of a Breach

Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing the Impact of a Breach

FTS-4874

Rick Robinson

Product Manager, Encryption and Key Management

IBM Data Security

October 27, 2014

© 2014 IBM Corporation

Page 2

Please Note

• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.

• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Page 3

Page 4

Source: Wikimedia Commons

Page 5

Source: Wikimedia Commons

Figure labels: PCI, HIPAA, Various Global Regulations, Auditors, You

Page 6

Increased regulation

Page 7

Compliance means alignment with global regulations

• Canada: Personal Information Protection & Electronic Documents Act

• USA: Federal, Financial & Healthcare Industry Regulations & State Laws

• Mexico: E-Commerce Law

• Colombia: Political Constitution – Article 15

• Brazil: Constitution, Habeas Data & Code of Consumer Protection & Defense

• Chile: Protection of Personal Data Act

• Argentina: Habeas Data Act

• South Africa: Promotion of Access to Information Act

• United Kingdom: Data Protection Act

• EU: Protection Directive

• Switzerland: Federal Law on Data Protection

• Germany: Federal Data Protection Act & State Laws

• Poland: Polish Constitution

• Israel: Protection of Privacy Law

• Pakistan: Banking Companies Ordinance

• Russia: Computerization & Protection of Information / Participation in Int’l Info Exchange

• China: Commercial Banking Law

• Korea: 3 Acts for Financial Data Privacy

• Hong Kong: Privacy Ordinance

• Taiwan: Computer-Processed Personal Data Protection Law

• Japan: Guidelines for the Protection of Computer Processed Personal Data

• India: SEC Board of India Act

• Vietnam: Banking Law

• Philippines: Secrecy of Bank Deposit Act

• Australia: Federal Privacy Amendment Bill

• Singapore: Monetary Authority of Singapore Act

• Indonesia: Bank Secrecy Regulation 8

• New Zealand: Privacy Act

Page 8

It’s all about the data … and the life it leads

Page 9

The Compliance Mandate – What do you need to monitor?

Audit Requirements: COBIT (SOX), PCI-DSS, ISO 27002, Data Privacy & Protection Laws, NIST SP 800-53 (FISMA)

1. Access to Sensitive Data (Successful/Failed SELECTs)

2. Schema Changes (DDL) (Create/Drop/Alter Tables, etc.)

3. Data Changes (DML) (Insert, Update, Delete)

4. Security Exceptions (Failed logins, SQL errors, etc.)

5. Accounts, Roles & Permissions (DCL) (GRANT, REVOKE)

DDL = Data Definition Language (aka schema changes)

DML = Data Manipulation Language (data value changes)

DCL = Data Control Language
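As an added illustration that is not part of the deck, the five monitoring categories above can be applied as a classifier over database audit records. The Go code below is constructed for this page; it assumes a simplified audit record holding only the statement text and an ok/failed status, and a hypothetical list of sensitive objects, so that a failed SELECT against cardholder data still lands in category 1 while a failed login or malformed SQL lands in category 4.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The five monitoring categories from the slide.
const (
	SensitiveAccess = "1. Access to Sensitive Data"
	SchemaChange    = "2. Schema Changes (DDL)"
	DataChange      = "3. Data Changes (DML)"
	SecurityExcept  = "4. Security Exceptions"
	Privilege       = "5. Accounts, Roles & Permissions (DCL)"
)

// AuditEvent is a constructed, simplified database audit record.
type AuditEvent struct {
	Statement string // SQL text, or "LOGIN" for an authentication attempt
	Status    string // "ok" or "failed"
}

var (
	selRe = regexp.MustCompile(`(?i)^select\b`)
	dclRe = regexp.MustCompile(`(?i)^(grant|revoke|(create|alter|drop)\s+(user|role))\b`)
	ddlRe = regexp.MustCompile(`(?i)^(create|drop|alter|truncate)\b`)
	dmlRe = regexp.MustCompile(`(?i)^(insert|update|delete|merge)\b`)
	objRe = regexp.MustCompile(`(?i)\b(from|join)\s+([a-z_][a-z0-9_.]*)`) // not a full SQL parser
	// Sensitive lists the objects whose reads must be audited (constructed for the example).
	Sensitive = map[string]bool{"cardholder": true, "patient_records": true}
)

func touchesSensitive(stmt string, sensitive map[string]bool) bool {
	for _, m := range objRe.FindAllStringSubmatch(stmt, -1) {
		if sensitive[strings.ToLower(m[2])] {
			return true
		}
	}
	return false
}

// Classify maps one audit event to a monitoring category. Order matters: a failed
// SELECT on sensitive data stays in category 1, any other failure (bad login, SQL
// error) is a security exception, and DCL is tested before DDL so that CREATE USER
// is not mistaken for a schema change.
func Classify(ev AuditEvent, sensitive map[string]bool) string {
	s := strings.TrimSpace(ev.Statement)
	switch {
	case selRe.MatchString(s) && touchesSensitive(s, sensitive):
		return SensitiveAccess
	case ev.Status != "ok":
		return SecurityExcept
	case dclRe.MatchString(s):
		return Privilege
	case ddlRe.MatchString(s):
		return SchemaChange
	case dmlRe.MatchString(s):
		return DataChange
	default:
		return "uncategorized"
	}
}

func main() {
	trail := []AuditEvent{ // constructed audit trail
		{"SELECT pan FROM cardholder", "failed"},
		{"ALTER TABLE cardholder ADD COLUMN notes TEXT", "ok"},
		{"GRANT SELECT ON cardholder TO reporting", "ok"},
		{"LOGIN", "failed"},
	}
	for _, ev := range trail {
		fmt.Printf("%-40s <- %s\n", Classify(ev, Sensitive), ev.Statement)
	}
}
```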

Page 10

Page 11

What is Account Data?

• Cardholder Data (may store)

- Primary Account Number (PAN)

- Cardholder Name

- Expiry Date

- Service Code

• Sensitive Authentication Data (may not store)

- Security Code

- Magnetic Stripe / Chip Data

- PIN / PIN Block

Page 12

PCI DSS has a wide impact

Page 13

Page 14

Page 15

Cryptography is fundamental to Compliance

Establishes Privacy of Data in Motion and Data at Rest

• Key exchange for communication session keys

• Data in transit is protected using single-use keys

• Data at rest – Keys are long lived

Establishes Identity

• Being able to encrypt or decrypt proves you are in possession of the key

• Certificates provide additional identity information

Protects against Unauthorized Changes

• Data Integrity is provided through keyed-hashes

• Hashes provide integrity checking for data in transit

Assigns Ownership to the Data or Message

• Digital signatures create undeniable authorship

Page 16

Encryption Mitigates Risk

“If a covered entity chooses to encrypt protected health information, and subsequently discovers a breach of that encrypted information, the covered entity will not be required to provide breach notification because the information is not considered ‘unsecured protected health information’ as it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals.”

Excerpt from the US HITECH Act – Breach Notification for Unsecured Protected Health Information (Aug 2009)

Encryption changes the rules on disclosure

Page 17

Page 18

Market Drivers and Trends

Source: 2013 Global Encryption Trends Study – Thales & Ponemon Institute

Companies with Encryption Strategies are overtaking those who don’t

Page 19

Market Drivers and Trends

Human Error is the #1 Threat

Source: 2013 Global Encryption Trends Study – Thales & Ponemon Institute

Page 20

Market Drivers and Trends

Encryption Usage is no longer just about compliance

Source: 2013 Global Encryption Trends Study – Thales & Ponemon Institute

Page 21

Market Drivers and Trends

Encryption Usage is no longer just about compliance

Source: 2013 Global Encryption Trends Study – Thales & Ponemon Institute

Page 22

Market Drivers and Trends

Source: 2014 Cost of Data Breach Study – IBM & Ponemon Institute

Page 23

Market Drivers and Trends

Source: 2014 Cost of Data Breach Study – IBM & Ponemon Institute

Page 24

Why Should All Data at Rest be Encrypted?

• Addresses Standards

- Privacy breach disclosure laws

- Protection of financial data

• Keeps sensitive information confidential

- Insider threat

- Lost/stolen tape or disk

- Disk being repaired (Solid-state disks fail in a read-only state)

• Simplifies end-of-life-of-media scenarios

- Destroy the key and the data is unusable

- Cryptographic Erasure (NIST SP800-88)

- Reducing media disposal costs
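An added example, not taken from the deck or from SKLM, of the data-at-rest model in the "Cryptography is fundamental" and "Why Should All Data at Rest be Encrypted?" slides: long-lived keys held by a central key store, AES-GCM so that each record carries an integrity tag as well as being confidential, and cryptographic erasure by destroying the key rather than the media. KeyStore and its methods are hypothetical names constructed for this example; Generate, Seal, Destroy and Open are called in that order to retire a key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for a central key manager (SKLM in the deck); constructed for this example.
type KeyStore struct {
	keys map[string][]byte // key ID -> 256-bit AES data-at-rest key
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Generate creates a new long-lived data-at-rest key under the given ID.
func (ks *KeyStore) Generate(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[id] = k
	return nil
}

// Destroy is the cryptographic-erasure step: with the key gone, every record
// sealed under it is unreadable regardless of what happens to the media.
func (ks *KeyStore) Destroy(id string) {
	if k, ok := ks.keys[id]; ok {
		for i := range k {
			k[i] = 0 // overwrite before dropping the reference
		}
		delete(ks.keys, id)
	}
}

func (ks *KeyStore) aead(id string) (cipher.AEAD, error) {
	k, ok := ks.keys[id]
	if !ok {
		return nil, fmt.Errorf("key %q not available (destroyed or never created)", id)
	}
	block, _ := aes.NewCipher(k) // cannot fail: Generate always stores a 32-byte key
	return cipher.NewGCM(block)
}

// Seal encrypts one record as nonce || ciphertext || tag. AES-GCM also yields an
// integrity tag, and the key ID is bound in as associated data.
func (ks *KeyStore) Seal(id string, plaintext []byte) ([]byte, error) {
	g, err := ks.aead(id)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// Open decrypts a record produced by Seal; a modified blob fails tag verification.
func (ks *KeyStore) Open(id string, blob []byte) ([]byte, error) {
	g, err := ks.aead(id)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], []byte(id))
	}
	return nil, fmt.Errorf("ciphertext too short")
}
```

Once Destroy has run, Open on any blob sealed under that key ID fails, which is the property the NIST SP 800-88 cryptographic-erasure bullet relies on.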

Page 25

The Traditional Approach is Changing…. Security is no longer controlled and enforced through the network perimeter

Figure: Online Banking Application and Employee Application placed across the Trusted Intranet, DMZ and Untrusted Internet zones

Page 26

…. With Mobile and Cloud There Is No Perimeter

Security must be centered on applications and transactions

Figure: Online Banking Application, Investment API Services and Employee Application across the Trusted Intranet, DMZ and Untrusted Internet zones, with flows labelled Deliver Mobile App, Consume Apps and Services, Leverage Public Clouds

Page 27

…. and becoming Mobile

• In 2000: 720 million mobile subscribers worldwide – 12% of the world’s population

• In 2012: 6 billion mobile subscribers worldwide – 87% of the world’s population

Page 28

Motivation and sophistication are evolving rapidly

Figure: actors plotted by motivation (vertical axis) against sophistication (horizontal axis), from least to most sophisticated:

• Nuisance, Curiosity – Insiders, Spammers, Script-kiddies (Nigerian 419 Scams, Code Red)

• Monetary Gain – Organized crime (Zeus, ZeroAccess, Blackhole Exploit Pack)

• Notoriety, Activism, Defamation – Hacktivists (Lulzsec, Anonymous)

• National Security, Economic Espionage – Nation-state actors, APTs (Stuxnet, Aurora, APT-1)

Page 29

Weak security has a significant impact on your brand

• Minor event – 69% chance of happening; lasts 19.7 minutes; costs $52,646 per minute

• Moderate event – 37% chance of happening*; lasts about 2 hours; costs $38,069 per minute

• Substantial event – 23% chance of happening*; lasts about 7.5 hours; costs $30,995 per minute

*The IBM 2013 Global Study on the Economic Impact of IT Risk Study.

Most security breaches go undetected for eight months

Page 30

X-Force Trend and Risk Report

Page 31

Collaborative IBM teams monitor and analyze the changing threat landscape

Coverage

• 20,000+ devices under contract

• 3,700+ managed clients worldwide

• 15B+ events managed per day

• 133 monitored countries (MSS)

• 1,000+ security related patents

Depth

• 17B analyzed web pages & images

• 40M spam & phishing attacks

• 76K documented vulnerabilities

• Billions of intrusion attempts daily

• Millions of unique malware samples

Page 32

Cloud, Analytics, Mobile and Social Power Enterprise Growth

Figure labels: Cloud, Analytics, Mobile, Social

Page 33

Increasing risk of attack can undermine CAMS initiatives

Attack types: SQL injection, Watering hole, Physical access, Malware, Third-party software, DDoS, Spear phishing, XSS, Undisclosed

Note: Size of circle estimates relative impact of incident in terms of cost to business. Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2014

• 2011 – Year of the breach

• 2012 – 40% increase

• 2013 – 500,000,000+ records breached

61% of organizations say data theft and cybercrime are their greatest threats (2012 IBM Global Reputational Risk & IT Study)

$3.5M+ average cost of a data breach (2014 Cost of Data Breach, Ponemon Institute)

Page 34

What is the impact of a data breach, and where are customers most affected?

Page 35

Vulnerabilities exploited to gain access

Exploitation → Gain access

XSS typically attacks web apps

Page 36

has become a new playground for attackers

Social Media is the top target for attacks, and mobile devices are expanding those targets

- Pre-attack intelligence gathering

- Criminals selling accounts

- Campaigns enticing users to click on malicious links

Page 37

The Cloud is bringing greater opportunity…

• To Users

• To Business

• To Thieves….

How Do We Solve This?

Page 38

First Principles for Encryption and Key Management

• Encryption should not affect performance

• Encryption should be Transparent

• Operations management of encryption and key management should be negligible

• Encrypted systems should leverage investments in high availability and security

• Centralize Key Management

Page 39

Disk and Tape options in IBM Self-Encrypting Storage

Self-encrypting solutions that protect Data-at-Rest: DS8870, DS3500, XIV, N series, TS3500 library, TS1140 drive, LTO6 drive, TS3310 library, GPFS

Page 40

Self-Encrypting Devices

Security Key Lifecycle Manager (SKLM)

• SKLM is a Key Distribution and Management software solution

• Uses standard protocols (e.g. KMIP: Key Management Interoperability Protocol)

• Provides centralized key mgmt for self-encrypting drives (tape, disk)

• Light-weight & highly-scalable

• SKLM helps customers keep data private, compliant, and encryption keys well-managed

• Helps customers maintain alignment with best practices and compliance

Figure: SKLM serving keys over KMIP to Cloud file systems (GPFS, Netezza, etc.), Databases, Smart Meter Infrastructures, Switches / Networking, Disk Storage Arrays (e.g. DS8000, DS5xxx, XIV, …) and Enterprise Tape Libraries (e.g. TS11xx, TS2xxx, TS3xxx)

Page 41

Your security team sees noise

Page 42

Reaching security maturity

Security Intelligence: Predictive Analytics, Big Data Workbench, Flow Analytics; SIEM and Vulnerability Management; Log Management

Advanced Fraud Protection

Figure: maturity grid with rows Optimized, Proficient and Basic and columns People, Data, Applications and Infrastructure

Optimized

• People: Identity governance; Fine-grained entitlements; Privileged user management

• Data: Data governance; Encryption key management

• Applications: Fraud detection; Hybrid scanning and correlation

• Infrastructure: Multi-faceted network protection; Anomaly detection; Hardened systems

Proficient

• People: User provisioning; Access management; Strong authentication

• Data: Data masking / redaction; Database activity monitoring; Data loss prevention

• Applications: Web application protection; Source code scanning

• Infrastructure: Virtualization security; Asset management; Endpoint / network security management

Basic

• People: Directory management

• Data: Encryption; Database access control

• Applications: Application scanning

• Infrastructure: Perimeter security; Host security; Anti-virus

Page 43

Security challenges are a complex, four-dimensional puzzle…

• Applications: Web Applications, Systems Applications, Web 2.0, Mobile Applications

• Infrastructure: Datacenters, PCs, Laptops, Mobile, Cloud, Non-traditional

• Data: At rest, In motion, Unstructured, Structured

• People: Attackers, Suppliers, Consultants, Partners, Employees, Outsourcers, Customers

Page 44

…that requires a new approach that combines encryption with Security Intelligence

Collect and Analyze Everything

Then: People – Administration; Data – Basic control; Applications – Bolt-on; Infrastructure – Thicker walls

Now: Insight; Laser-focused; Built-in; Smarter defenses

Page 45

Figure: chart with axes labelled Products and Time

Page 46

Figure: chart with axes labelled Products and Time; curves labelled Complexity, Cost, Agility, Effectiveness

Page 47

Monitor Everything

Page 48

Consume Threat Intelligence

Page 49

Integrate Across Domains

Page 50

Security Intelligence

Page 51

Clarity…

Page 52

Insights…

Page 53

Compliance

Page 54

@RickCipher

Page 55

Find out more on IBM Security:

“Discover how to stop attackers with Big Data Analytics” with our CTO Sandy Bird, Security Keynote Session, Tues 1.45pm

Visit the IBM Security Zone and talk to our experts @ the EXPO Center

Keep up to date with our latest news: @IBMSecurity & @RickCipher

Analysis and Insight for Information Security Professionals:

SecurityIntelligence.com/author/rick-robinson

Page 56

We Value Your Feedback!

• Don’t forget to submit your Insight session and speaker feedback! Your feedback is very important to us – we use it to continually improve the conference.

• Access the Insight Conference Connect tool to quickly submit your surveys from your smartphone, laptop or conference kiosk.

Page 57

Acknowledgements and Disclaimers

Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.

The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

© Copyright IBM Corporation 2014. All rights reserved.

U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, ibm.com, and IBM Security Key Lifecycle Manager are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at

• “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

• Other company, product, or service names may be trademarks or service marks of others.

Page 58

Thank You