Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing the Impact of a Breach
FTS-4874
Rick Robinson
Product Manager, Encryption and Key Management
IBM Data Security
October 27, 2014
© 2014 IBM Corporation
Please Note
• IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Increased regulation
Source: Wikimedia Commons
Compliance means alignment with global regulations: PCI, HIPAA, various global regulations and auditors all bear on you.
• Canada: Personal Information Protection & Electronic Documents Act
• USA: Federal, Financial & Healthcare Industry Regulations & State Laws
• Mexico: E-Commerce Law
• Colombia: Political Constitution – Article 15
• Brazil: Constitution, Habeas Data & Code of Consumer Protection & Defense
• Chile: Protection of Personal Data Act
• Argentina: Habeas Data Act
• South Africa: Promotion of Access to Information Act
• United Kingdom: Data Protection Act
• EU: Protection Directive
• Switzerland: Federal Law on Data Protection
• Germany: Federal Data Protection Act & State Laws
• Poland: Polish Constitution
• Israel: Protection of Privacy Law
• Pakistan: Banking Companies Ordinance
• Russia: Computerization & Protection of Information / Participation in Int'l Info Exchange
• China: Commercial Banking Law
• Korea: 3 Acts for Financial Data Privacy
• Hong Kong: Privacy Ordinance
• Taiwan: Computer-Processed Personal Data Protection Law
• Japan: Guidelines for the Protection of Computer Processed Personal Data
• India: SEC Board of India Act
• Vietnam: Banking Law
• Philippines: Secrecy of Bank Deposit Act
• Australia: Federal Privacy Amendment Bill
• Singapore: Monetary Authority of Singapore Act
• Indonesia: Bank Secrecy Regulation 8
• New Zealand: Privacy Act
It's all about the data … and the life it leads
Audit requirements that drive data monitoring:
• COBIT (SOX)
• PCI-DSS
• ISO 27002
• Data Privacy & Protection Laws
• NIST SP 800-53 (FISMA)
The Compliance Mandate – What do you need to monitor?
1. Access to Sensitive Data (Successful/Failed SELECTs)
2. Schema Changes (DDL) (Create/Drop/Alter Tables, etc.)
3. Data Changes (DML) (Insert, Update, Delete)
4. Security Exceptions (Failed logins, SQL errors, etc.)
5. Accounts, Roles & Permissions (DCL) (GRANT, REVOKE)
DDL = Data Definition Language (aka schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language
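The five monitoring categories above are what a database activity monitor has to sort raw audit records into. The following Python is an added example, not code from the presentation or from any IBM product: it classifies a handful of constructed audit events (the `SAMPLE_EVENTS` list, the `SENSITIVE_TABLES` set and the regular expressions are all assumptions made for the example) into those five categories, so that routine reads of non-sensitive tables can be dropped while everything the compliance mandate names is counted.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the presentation): one dict per
# statement seen by a database activity monitor.  "status" is the outcome and
# "error" carries the server message for failed statements.
SAMPLE_EVENTS = [
    {"user": "app_svc", "sql": "SELECT pan, expiry FROM cardholder WHERE id = 42", "status": "ok"},
    {"user": "analyst", "sql": "SELECT * FROM cardholder", "status": "failed", "error": "permission denied"},
    {"user": "dba", "sql": "ALTER TABLE cardholder ADD COLUMN notes TEXT", "status": "ok"},
    {"user": "app_svc", "sql": "UPDATE cardholder SET expiry = '2026-01' WHERE id = 42", "status": "ok"},
    {"user": "dba", "sql": "GRANT SELECT ON cardholder TO analyst", "status": "ok"},
    {"user": "unknown", "sql": None, "status": "failed", "error": "login failed"},
    {"user": "analyst", "sql": "SELEC * FROM orders", "status": "failed", "error": "syntax error"},
    {"user": "app_svc", "sql": "SELECT total FROM orders WHERE id = 7", "status": "ok"},
]

# Tables in compliance scope (assumed for the example; PCI would list every
# table that stores cardholder data).
SENSITIVE_TABLES = {"cardholder"}

DDL_RE = re.compile(r"^\s*(CREATE|DROP|ALTER|TRUNCATE)\b", re.I)
DML_RE = re.compile(r"^\s*(INSERT|UPDATE|DELETE|MERGE)\b", re.I)
DCL_RE = re.compile(r"^\s*(GRANT|REVOKE)\b", re.I)
SELECT_RE = re.compile(r"^\s*SELECT\b", re.I)
# Crude table-name extraction; good enough for the constructed statements above.
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE|ON)\s+([A-Za-z_][A-Za-z0-9_.]*)", re.I)


def classify(event):
    """Map one audit event to the monitoring category it belongs to, or None."""
    sql = event.get("sql")
    failed = event.get("status") != "ok"
    # 4. Security exceptions: failed logins (no statement at all) and any
    #    failed non-SELECT statement (SQL errors, denied DDL/DML/DCL).
    if sql is None or (failed and not SELECT_RE.match(sql)):
        return "security_exception"
    if DCL_RE.match(sql):
        return "dcl"  # 5. accounts, roles & permissions
    if DDL_RE.match(sql):
        return "ddl"  # 2. schema changes
    if DML_RE.match(sql):
        return "dml"  # 3. data changes
    if SELECT_RE.match(sql):
        tables = {name.lower() for name in TABLE_RE.findall(sql)}
        if tables & SENSITIVE_TABLES:
            # 1. access to sensitive data, successful or failed
            return "sensitive_access_failed" if failed else "sensitive_access_ok"
        if failed:
            return "security_exception"  # failed read elsewhere: SQL error / denied
        return None  # routine read of non-sensitive data: out of scope
    return None


def summarize(events):
    """Count in-scope events per category; events mapped to None are dropped."""
    counts = Counter()
    for event in events:
        category = classify(event)
        if category:
            counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{classify(event)!s:24} {event['user']:8} {event.get('sql')}")
    print(summarize(SAMPLE_EVENTS))
```

The ordering of the checks matters: a failed SELECT against a sensitive table is reported under category 1 (the mandate asks for failed reads of sensitive data explicitly), while a failed statement that is not a SELECT falls through to security exceptions.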
PCI DSS has a wide impact
What is Account Data?
• Cardholder Data (may store)
- Primary Account Number (PAN)
- Cardholder Name
- Expiry Date
- Service Code
• Sensitive Authentication Data (may not store)
- Security Code
- Magnetic Stripe / Chip Data
- PIN / PIN Block
Cryptography is fundamental to Compliance
Establishes Privacy of Data in Motion and Data at Rest
• Key exchange for communication session keys
• Data in transit is protected using single-use keys
• Data at rest – Keys are long lived
Establishes Identity
• Being able to encrypt or decrypt proves you are in possession of the key
• Certificates provide additional identity information
Protects against Unauthorized Changes
• Data Integrity is provided through keyed-hashes
• Hashes provide integrity checking for data in transit
Assigns Ownership to the Data or Message
• Digital signatures create undeniable authorship
Encryption Mitigates Risk
“If a covered entity chooses to encrypt protected health information, and subsequently discovers a breach of that encrypted information, the covered entity will not be required to provide breach notification because the information is not considered ‘unsecured protected health information’ as it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals.”
Excerpt from US HITECH law - Breach Notification for Unsecured Protected Health Information (Aug 2009)
Encryption changes the rules on disclosure
Market Drivers and Trends
Source: 2013 Global Encryption Trends Study – Thales & Ponemon Institute
• Companies with Encryption Strategies are overtaking those who don't
• Human Error is #1 Threat
• Encryption Usage is no longer just about compliance
Source: 2014 Cost of Data Breach Study – IBM & Ponemon Institute
Why Should All Data at Rest be Encrypted?
• Addresses Standards
- Privacy breach disclosure laws
- Protection of financial data
• Keeps sensitive information confidential
- Insider threat
- Lost/stolen tape or disk
- Disk being repaired (Solid-state disks fail in a read-only state)
• Simplifies end-of-life-of-media scenarios
- Destroy the key and the data is unusable
- Cryptographic Erasure (NIST SP800-88)
- Reducing media disposal costs
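The two slides above make three claims that are easy to show end to end: possession of the key is what lets you decrypt, a keyed hash detects unauthorized changes, and destroying the key renders the data unusable (cryptographic erasure). The Python below is an added example, not IBM code and not how SKLM or a self-encrypting drive is implemented. The `KeyManager` class is a hypothetical stand-in for a central key manager, and the keystream is HMAC-SHA256 run in counter mode so that the example needs only the standard library; a real data-at-rest system uses AES (XTS or an authenticated mode) for the same role. Everything else, including the plaintext, is constructed for the example.

```python
import hashlib
import hmac
import os
import struct


class KeyDestroyed(Exception):
    """Raised when a record references a key the key manager no longer holds."""


class KeyManager:
    """Hypothetical stand-in for a central key manager (not SKLM).

    Data-encryption keys are created and served by key id.  destroy() is the
    cryptographic-erasure step: once the key material is gone, every record
    encrypted under that key id is unrecoverable, wherever the media ends up.
    """

    def __init__(self):
        self._keys = {}    # key id -> 32-byte key, or None once destroyed
        self._states = {}  # key id -> "active" | "destroyed"

    def create_key(self):
        key_id = os.urandom(8).hex()
        self._keys[key_id] = os.urandom(32)
        self._states[key_id] = "active"
        return key_id

    def get_key(self, key_id):
        key = self._keys.get(key_id)
        if key is None:  # unknown id or destroyed key: no material to hand out
            raise KeyDestroyed(key_id)
        return key

    def destroy(self, key_id):
        self._keys[key_id] = None  # drop the key material, keep the audit state
        self._states[key_id] = "destroyed"

    def state(self, key_id):
        return self._states[key_id]


def _derive(key, label):
    """Split one stored key into separate encryption and MAC keys."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Illustrative PRF keystream: HMAC-SHA256 over (nonce, counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(km, key_id, plaintext):
    """Encrypt-then-MAC one record under the data-encryption key `key_id`."""
    key = km.get_key(key_id)
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, key_id.encode() + nonce + ct, hashlib.sha256).digest()
    return {"key_id": key_id, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_record(km, rec):
    """Verify the keyed hash, then decrypt.  Fails closed on a destroyed key."""
    key = km.get_key(rec["key_id"])  # raises KeyDestroyed after erasure
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    expected = hmac.new(mac_key, rec["key_id"].encode() + rec["nonce"] + rec["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("integrity check failed: record was modified")
    ks = _keystream(enc_key, rec["nonce"], len(rec["ct"]))
    return bytes(c ^ k for c, k in zip(rec["ct"], ks))


def demo():
    """Walk through possession-of-key, tamper detection and cryptographic erasure."""
    km = KeyManager()
    kid = km.create_key()
    secret = b"constructed cardholder record"  # constructed sample plaintext
    rec = encrypt_record(km, kid, secret)
    results = {"roundtrip": decrypt_record(km, rec) == secret}
    tampered = dict(rec, ct=bytes([rec["ct"][0] ^ 1]) + rec["ct"][1:])  # flip one bit
    try:
        decrypt_record(km, tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    km.destroy(kid)  # end of life of the media: destroy the key, not the disk
    try:
        decrypt_record(km, rec)
        results["readable_after_erasure"] = True
    except KeyDestroyed:
        results["readable_after_erasure"] = False
    results["key_state"] = km.state(kid)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the key manager keeps the key id and its "destroyed" state after erasure: that record is what an auditor asks for when media leaves the data centre, and it is the reason cryptographic erasure is only as good as the key manager's own controls over who may call `destroy()` and where backups of key material exist.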
The Traditional Approach is Changing…. Security is no longer controlled and enforced through the network perimeter
(Diagram: Trusted Intranet | DMZ | Untrusted Internet, with the Online Banking Application and the Employee Application inside the perimeter)
…. With Mobile and Cloud There Is No Perimeter. Security must be centered on applications and transactions
(Diagram: the Online Banking Application, Investment API Services and Employee Application now span Trusted Intranet, DMZ and Untrusted Internet: deliver mobile apps, consume apps and services, leverage public clouds)
…. and becoming Mobile
• In 2000: 720 million mobile subscribers worldwide, 12% of the world's population
• In 2012: 6 billion mobile subscribers worldwide, 87% of the world's population
Motivation and sophistication is evolving rapidly
(Chart: attacker groups plotted by motivation against sophistication)
• Nuisance, Curiosity: Insiders, Spammers, Script-kiddies (Nigerian 419 Scams, Code Red)
• Monetary Gain: Organized crime (Zeus, ZeroAccess, Blackhole Exploit Pack)
• Notoriety, Activism, Defamation: Hacktivists (Lulzsec, Anonymous)
• National Security, Economic Espionage: Nation-state actors, APTs (Stuxnet, Aurora, APT-1)
Weak security has a significant impact on your brand
• Minor event: 69% chance of happening; lasts 19.7 minutes; costs $52,646 per minute
• Moderate event: 37% chance of happening*; lasts about 2 hours; costs $38,069 per minute
• Substantial event: 23% chance of happening*; lasts about 7.5 hours; costs $30,995 per minute
*The IBM 2013 Global Study on the Economic Impact of IT Risk Study.
Most security breaches go undetected for eight months
X-Force Trend and Risk Report
Collaborative IBM teams monitor and analyze the changing threat landscape
Coverage:
• 20,000+ devices under contract
• 3,700+ managed clients worldwide
• 15B+ events managed per day
• 133 monitored countries (MSS)
• 1,000+ security related patents
Depth:
• 17B analyzed web pages & images
• 40M spam & phishing attacks
• 76K documented vulnerabilities
• Billions of intrusion attempts daily
• Millions of unique malware samples
Cloud, Analytics, Mobile and Social Power Enterprise Growth (CLOUD, ANALYTICS, MOBILE, SOCIAL)
Increasing risk of attack can undermine CAMS initiatives
Attack types: SQL injection, Watering hole, Physical access, Malware, Third-party software, DDoS, Spear phishing, XSS, Undisclosed
Note: Size of circle estimates relative impact of incident in terms of cost to business. Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2014
• 2011: Year of the breach
• 2012: 40% increase
• 2013: 500,000,000+ records breached
• 61% of organizations say data theft and cybercrime are their greatest threats (2012 IBM Global Reputational Risk & IT Study)
• $3.5M+ average cost of a data breach (2014 Cost of Data Breach, Ponemon Institute)
What is the impact of a data breach and where are customers most affected?
Vulnerabilities exploited to gain access
• Exploitation: gain access
• XSS typically attacks web apps
Social Media has become a new playground for attackers
• Social Media top target for attacks, and mobile devices are expanding those targets
- Pre-attack intelligence gathering
- Criminals selling accounts
- Campaigns enticing users to click on malicious links
The Cloud is bringing greater opportunity…
• To Users
• To Business
• To Thieves….
How Do We Solve This?
First Principles for Encryption and Key Management
• Encryption should not affect performance
• Encryption should be Transparent
• Operations management of encryption and key management should be negligible
• Encrypted systems should leverage investments in high availability and security
• Centralize Key Management
Self-Encrypting Devices
Disk and Tape options in IBM Self-Encrypting Storage – self-encrypting solutions that protect Data-at-Rest:
• Disk: DS8870, DS3500, XIV, N series
• Tape: TS3500 library, TS1140 drive, LTO6 drive, TS3310 library
• File system: GPFS
Security Key Lifecycle Manager (SKLM)
• SKLM is a Key Distribution and Management software solution
• Uses standard protocols (e.g. KMIP: Key Management Interoperability Protocol)
• Provides centralized key mgmt for self-encrypting drives (tape, disk)
• Light-weight & highly-scalable
• SKLM helps customers keep data private, compliant, and encryption keys well-managed
• Helps customers maintain alignment with best practices and compliance
(Diagram: SKLM serving keys over KMIP to the following consumers)
• Cloud file systems (GPFS, Netezza, etc.)
• Databases
• Smart Meter Infrastructures
• Switches / Networking
• Disk Storage Arrays, e.g. DS8000, DS5xxx, XIV, …
• Enterprise Tape Libraries, e.g. TS11xx, TS2xxx, TS3xxx
Your security team sees noise
Reaching security maturity
(Chart: capabilities by maturity level, across People, Data, Applications and Infrastructure; Advanced Fraud Protection sits alongside the intelligence layer)
Optimized – Security Intelligence: Predictive Analytics, Big Data Workbench, Flow Analytics
• People: Identity governance; Fine-grained entitlements; Privileged user management
• Data: Data governance; Encryption key management
• Applications: Fraud detection; Hybrid scanning and correlation
• Infrastructure: Multi-faceted network protection; Anomaly detection; Hardened systems
Proficient – SIEM and Vulnerability Management
• People: User provisioning; Access management; Strong authentication
• Data: Data masking / redaction; Database activity monitoring; Data loss prevention
• Applications: Web application protection; Source code scanning
• Infrastructure: Virtualization security; Asset management; Endpoint / network security management
Basic – Log Management
• People: Directory management
• Data: Encryption; Database access control
• Applications: Application scanning
• Infrastructure: Perimeter security; Host security; Anti-virus
Security challenges are a complex, four-dimensional puzzle…
• Applications: Web Applications, Systems Applications, Web 2.0, Mobile Applications
• Infrastructure: Datacenters, PCs, Laptops, Mobile, Cloud, Non-traditional
• Data: At rest, In motion, Unstructured, Structured
• People: Attackers, Suppliers, Consultants, Partners, Employees, Outsourcers, Customers
…that requires a new approach that combines encryption with Security Intelligence
Collect and Analyze Everything
Then versus Now:
• Data: Basic control (then), Insight (now)
• Applications: Bolt-on (then), Built-in (now)
• Infrastructure: Thicker walls (then), Smarter defenses (now)
• People: Administration (then), Laser-focused (now)
(Charts: products over time, labelled Complexity and Cost for Then, Agility and Effectiveness for Now)
Monitor Everything, Consume Threat Intelligence, Integrate Across Domains
Security Intelligence: Clarity… Insights… Compliance
@RickCipher
Find out more on IBM Security:
• “Discover how to stop attackers with Big Data Analytics” with our CTO Sandy Bird, Security Keynote Session, Tues 1.45pm
• Visit the IBM Security Zone and talk to our experts @ the EXPO Center
• Keep up to date with our latest news: @IBMSecurity & @RickCipher
• Analysis and Insight for Information Security Professionals: SecurityIntelligence.com/author/rick-robinson
We Value Your Feedback!
• Don't forget to submit your Insight session and speaker feedback! Your feedback is very important to us – we use it to continually improve the conference.
• Access the Insight Conference Connect tool to quickly submit your surveys from your smartphone, laptop or conference kiosk.
Acknowledgements and Disclaimers
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
© Copyright IBM Corporation 2014. All rights reserved.
U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, ibm.com, and IBM Security Key Lifecycle Manager are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
Other company, product, or service names may be trademarks or service marks of others.
Thank You