Encryption In The Enterprise - Cloud Object StorageO… · Strength of Algorithms For AES-128: 2128...
www.Vormetric.com
Encryption In The Enterprise
Twin Cities Oracle User’s Group
Chris Olive, Sales Engineer – Vormetric, Inc.
Agenda
Modern Encryption & Cryptography
What Should Be Encrypted and Why
Encryption in Enterprise Architecture
Tokenization Versus Application Encryption
Key Management
Handling Oracle TDE
The Vormetric Encryption Platform Solution
Q&A
Modern Encryption & Cryptography
Hashes/Hashing – Not encryption but used in cryptography
Computationally independent
Symmetric Keys – Based on a secret key
Stream Ciphers: RC4, Fish, Pike, Rabbit, etc. (many others)
Block Ciphers: DES, 3DES, Blowfish, RC5, AES, IDEA, etc. (many others)
Primary focus here is on block ciphers, and AES gets the most attention right now
Asymmetric Keys – Based on key pairs
Examples: RSA, DSA, others
Most popular right now is RSA, which is based on PKCS#1
Generally used for short messages and key exchange
Protocols using Asymmetric Keys
S/MIME, PGP, OpenPGP, SSL, TLS, Bitcoin, others
Certificates – Metadata around a public key
Data-In-Motion vs. Data-At-Rest
Strength of Algorithms
For AES-128:
2^128 combinations of the key
Brute force of ½ of the key combinations (2^127) at 1,000,000,000 per second would take approximately 10,000,000,000,000,000 (quadtrillion) years
For AES-256:
2^256 combinations of the key
Brute force of ½ of the key combinations is infinitely more than AES-128. (Not enough space on this slide for the zeros!)
There are known attacks that cut down on these numbers:
Related Key, Known Key Distinguishing, Key Recovery, Tau Statistic, Side-Channel
NIST (National Institute of Standards & Technology)
Approval should be sought
Some vendors use algorithms that aren’t NIST approved
What should be encrypted and why?
Focus here is on Data-At-Rest (DAR)
High motivation for Data-In-Motion to be always encrypted
Recent push for all Web sites to use SSL/TLS
Should be considered “inside” all organizations as well, not just on the perimeter
BUT! Causes issues with traffic and layer 7 inspection – huge issue right now
Two lines of thought around encryption of DAR:
Encrypt (only) sensitive data
Encrypt everything
Encrypting “only sensitive data” has issues:
What defines “sensitive”? The definition tends to change and move over time.
What is actually “sensitive”? Actual sensitive data tends to change and move.
All the above tends to be expensive both in time and in money.
Meanwhile your data continues to grow/shift/move and remain exposed.
Constantly trying to hit a moving target.
Encrypt Everything
Recommendation now is to encrypt everything
Why?
Easy to do now whereas in the past it was much harder – all main obstacles have been removed! Initial, On-Going, Transparency, Keys
Commercial solutions now make encryption ubiquitous
Data is the real gold: It used to be only financial payloads were considered valuable – now ALL data is valuable!
Data should be protected the moment it’s born – then it doesn’t have to be analyzed for sensitivity (since now ALL data has become sensitive.)
The cost of data analysis and classification is reduced or evaporates altogether.
“All data is valuable when married to the right economy”
Encryption In Enterprise Architecture
[Diagram: encryption options plotted by complexity versus security across the enterprise stack. Layers: App, Web, Laptop, DB, Storage. Corresponding controls: SSL/TLS, App/Token, Database, Server, Storage/FDE, End Point/DLP]
Tokenization Versus Encryption
Tokenization & Encryption are related:
Tokens are essentially format preserving encryption (best vaultless)
Tokens are encrypted in commercial tokenization solutions (vaulted)
Typically used in PCI compliance scenarios where servers are “taken out of scope”
Commercial tokenization solutions tend to come with data masking capabilities
Encryption used to be non-format preserving (non-FPE)
This generally led, or still leads, to changes to database schemas, because encrypted values inflate and do not preserve format
SSN is a great example
Most commercial encryption products have FPE or are coming out with it
In tokenization, the same token is always returned for a given value; in encryption you don’t want this!
Sample Tokenization Versus Encryption
Current commercial tokenization solutions usually come in two flavors:
Vaulted/Stateful: Tokens stored in a backend database and encrypted – more secure but not as performant
Vaultless/Stateless: Tokens stored in memory and encrypted – very performant but not as secure
Home-grown tokenization solutions are all over the map.
Sample token table versus encryption:
SSN Tokenized Encrypted
123-45-6789 345-11-0011 iegh0caediemahNg
451-23-4561 565-04-2231 iec4Lai0AinooLoh
106-23-4560 452-09-3451 Ahv0quaaseoG8hua
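As an added example (not Vormetric’s code or material from the deck), the Python sketch below contrasts the two columns of the table above: a vaulted tokenizer that returns the same format-preserving token for a given SSN and stores only the encrypted original, beside non-FPE field encryption whose output inflates and changes on every call. It goes slightly beyond the slide by adding the role-based masking of the later dynamic-data-masking use case; the HMAC-SHA256 counter-mode keystream stands in for AES (the standard library has none), and the key, role names and sample SSNs are constructed for the demo.

```python
import base64, hashlib, hmac, secrets

DEMO_KEY = bytes(range(32))  # constructed demo key; real keys come from a key manager (the DSM in the deck)

def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR with an HMAC-SHA256 keystream: a stand-in for AES-CTR (stdlib has no AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt_field(key: bytes, value: str) -> str:
    """Non-FPE encryption: a fresh random nonce per call, so the ciphertext differs every time and
    is longer than the input (the schema-inflation problem). Demo only: unauthenticated; production
    field encryption should use an AEAD such as AES-GCM."""
    nonce = secrets.token_bytes(16)
    return base64.b64encode(nonce + _ctr_xor(key, nonce, value.encode())).decode()

def decrypt_field(key: bytes, blob: str) -> str:
    raw = base64.b64decode(blob)
    return _ctr_xor(key, raw[:16], raw[16:]).decode()

class TokenVault:
    """Vaulted (stateful) tokenization: token -> encrypted original, plus a keyed index so the
    same SSN always gets the same token. Tokens keep the NNN-NN-NNNN format."""

    def __init__(self, master_key: bytes):
        # Separate sub-keys for the index and for encryption (no key reuse across purposes).
        self._idx_key = hmac.new(master_key, b"index", hashlib.sha256).digest()
        self._enc_key = hmac.new(master_key, b"encrypt", hashlib.sha256).digest()
        self._by_token = {}  # token -> encrypted SSN
        self._by_index = {}  # HMAC(SSN) -> token

    def tokenize(self, ssn: str) -> str:
        idx = hmac.new(self._idx_key, ssn.encode(), hashlib.sha256).hexdigest()
        if idx in self._by_index:
            return self._by_index[idx]
        while True:  # random, format-preserving and not yet issued
            token = "-".join(str(secrets.randbelow(10 ** n)).zfill(n) for n in (3, 2, 4))
            if token not in self._by_token:
                break
        self._by_token[token] = encrypt_field(self._enc_key, ssn)
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Dynamic data masking: only the authorised role gets the clear value; others get a mask."""
        ssn = decrypt_field(self._enc_key, self._by_token[token])
        return ssn if role == "accounts_payable" else "XXX-XX-" + ssn[-4:]
```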
Considerations: Tokenization & Application Encryption
Full Data Analysis
Data Points: Do you know every data element – size, where, etc.?
Application Matrix: Do you know every application touching every one of those data elements?
Searching: Will it break searching, especially for encryption?
Software Architecture: Generally executed by software architect(s) with little to no security experience or know-how
Time To Implement
Relative to full, robust SDLC
Unit, integration, customer, performance, QA and Production, usually governed by change management
PER APPLICATION
Both easier if done earlier in the SDLC or green field
Key Management
Most point solutions have little or no key management
Great example: Encrypting a MacBook hard drive
Without access to keys, your data is toast!
This is the premise behind Ransomware, right?!
Great Key Management needs to be:
Centralized
Easy to manage but still…
SECURE!
All types of keys:
SSL/TLS, CAs, other generated keys generally from symmetric or asymmetric algorithms – like OpenSSL, ssh-keygen, key appliance, etc.
TDE With Vormetric – Key Agents
[Diagram: Oracle / Microsoft TDE database with a TDE Master Encryption Key protecting the TDE Tablespace Encryption Keys, which in turn protect the encrypted data files; the Key Agent* on the database server talks to the Vormetric DSM over an SSL network connection]
* PKCS-11 for Oracle and MSCAPI for MSSQL
Vormetric DSM acts as Network HSM for Database Master Encryption Keys
Vormetric Key Agent is installed on the database server
Commercial Key Management
Generally implement (or should implement) KMIP (Key Management Interoperability Protocol)
When deployed as hardware appliances, can also house HSMs (Hardware Security Modules)
Necessary for FIPS 140-2 and FIPS 140-3 compliance (gov’t)
Tamper-proof
Capable of at least storing, reporting and alerting (expirations) on keys stored in the device
Solutions in the industry vary in complexity and pricing
Questions & Answers
www.Vormetric.com
Vormetric Data Security: Simplifying Data Security for the Enterprise
John Murakami - Regional Sales Manager
Chris Olive – Sales Engineer
Founded 2001
Customers Include 17 of the Fortune 30
Top names in Banking, Retail, Outsourcing, Manufacturing & Insurance
Used by the US Government including US Intelligence Community
IP Protection, Compliance, Client Data & Consumer Information Protection
Recently acquired by Thales
Vormetric Customers
Leverage Existing Investments
“Vormetric gives our customers best in class security controls needed for compliance, data breach protection and for safeguarding critical intellectual property through powerful data-at-rest encryption.” Rod Hamlin
Vice President
Copyright 2015 Vormetric, Inc. – Proprietary and Confidential. All rights reserved.
One Platform – One Strategy: Data-at-rest security that follows your data
[Diagram: Enterprise Data Centers (Physical, Virtual, Outsourced); Remote Servers; Private, Public, Hybrid Clouds; Big Data (Sources, Nodes, Analytics)]
Vormetric Encryption Use Cases
Database Encryption
  Usage: Encrypt Tablespace, Log, and other DB files
  Common Databases: Oracle, MSSQL, DB2, Sybase, Informix, MySQL…
Unstructured Data Encryption
  Usage: Encrypt and Control access to any type of data used by LUW server
  Common Data Types: Logs, Reports, Images, ETL, Audio/Video Recordings, Documents, Big Data…
  Examples: FileNet, Documentum, Nice, Hadoop, Home Grown, etc…
Cloud Encryption
  Usage: Encrypt and Control Access to data used by Cloud Instances
  Common Cloud Providers: Amazon EC2, Rackspace, MS Azure
Vormetric Data Security Tools
Data Encryption
  Encrypts file system data transparently to: Applications, Databases, Storage, Infrastructure
  Integrated Key Management
  High Efficiency Encryption
Access Control
  Firewall-like access controls for data access
  Separate data access from data management for systems privileged users (root, SA, etc…)
Audit
  Granular data access logging
  Denied Access Events
  Expected Access Events
Key Management
  Key Management for Vormetric keys and 3rd Party Encryption Products
  Provide Network HSM for other encryption solutions: PKCS#11 (Oracle 11gR2), EKM (MSSQL 2008 R2)
Vormetric Transparent Encryption
[Diagram: the Vormetric agent on the server sits between the user / application / database layer and the file systems and volume managers holding big data, databases or files, applying allow/block and encrypt/decrypt policy. The Vormetric Data Security Manager (DSM, virtual or physical appliance) supplies keys and policy; Vormetric Security Intelligence logs to SIEM. Privileged users (cloud admin, storage admin, etc.) see only encrypted & controlled data; approved processes and users see clear text (e.g. “John Smith 401 Main Street”)]
Protects structured/unstructured data
Encryption with integrated key management
Policy-based access control
Security Intelligence
Transparent data protection for any app, OS, data type, and storage
Vormetric Application Encryption: Encrypts specific fields or columns in files and databases
[Diagram: selected fields are encrypted at the application layer before reaching the database, file systems and volume managers (big data, databases or files), with allow/block and encrypt/decrypt policy. Approved users see clear text (“John Smith 401 Main Street”); privileged users (SA, root), cloud provider / outsource administrators and the DBA see only ciphertext in the protected fields (e.g. Name: Jon Dough, SS: if030jcl, PO: Jan395-2014). The Vormetric Data Security Manager (DSM, on enterprise premise or in cloud, virtual or physical appliance) holds the keys; Vormetric Security Intelligence logs to SIEM]
Vormetric Application Encryption Workflow
[Diagram: www.shopping.com web server, application server running the Vormetric Application Encryption (VAE) agent, Vormetric Data Security Manager (key management), and database, big data or file storage. The credit card number moves in clear from web server to application; encrypted keys arrive from the DSM; only the encrypted credit card number reaches storage]
Workflow:
1. User submits personal information to purchase items.
2. Web server sends personal information to application server.
3. Application calls into Vormetric Application Encryption (VAE) library to encrypt data. (NOTE: VAE obtains keys from the DSM only once)
4. VAE returns the value back to the application.
5. Application then stores the encrypted value in the database server.
Vormetric Tokenization w/Dynamic Data Masking use case
[Diagram: Accounts Payable and Customer Service applications send requests through app servers to the Vormetric Token Server over a REST API. The token server works with the DSM, an AD/LDAP server and a token vault of ((CC)e, Token) lookups; the production database holds tokenized data. In the response, Accounts Payable receives the clear credit card 0544-4124-4325-3490 while Customer Service receives a token or mask (1234-4567-6789-1234)]
Vormetric Cloud Gateway: Encrypting and controlling SaaS data
[Diagram: the Vormetric Cloud Gateway sits between personal computers, mobile devices and servers and the Enterprise SaaS applications, backed by the DSM and Security Intelligence; timeline labels Q2 2015 and Future]
Questions?