Encryption In The Enterprise

Transcript of a 27-slide deck from www.Vormetric.com.

Page 1:

www.Vormetric.com

Encryption In The Enterprise

Twin Cities Oracle User’s Group

Chris Olive, Sales Engineer – Vormetric, Inc.

Page 2:

Agenda

Modern Encryption & Cryptography

What Should Be Encrypted and Why

Encryption in Enterprise Architecture

Tokenization Versus Application Encryption

Key Management

Handling Oracle TDE

The Vormetric Encryption Platform Solution

Q&A

Page 3:

Modern Encryption & Cryptography

Hashes/Hashing – Not encryption (no key, nothing to decrypt) but used throughout cryptography

One-way: computationally infeasible to invert, or to find two inputs with the same hash

Symmetric Keys – Based on a single secret key shared by both sides

Stream Ciphers: RC4, FISH, Pike, Rabbit, etc. (many others; RC4 is broken and banned from TLS by RFC 7465)

Block Ciphers: DES, 3DES, Blowfish, RC5, AES, IDEA, etc. (many others; DES and 3DES have been retired by NIST)

Primary focus here on block ciphers; AES is the standard and has popular attention right now

Asymmetric Keys – Based on key pairs: the public key encrypts or verifies, the private key decrypts or signs

Examples: RSA, DSA, others

Most popular right now is RSA, specified in PKCS#1

Generally used for short messages, signatures and key exchange; bulk data is encrypted with a symmetric cipher under the exchanged key

Protocols using Asymmetric Keys

S/MIME, PGP, OpenPGP, SSL, TLS, Bitcoin, others

Certificates – Metadata around a public key: the key, the identity it belongs to, validity dates and permitted usage, all signed by a CA

Data-In-Motion vs. Data-At-Rest

Page 4:

Strength of Algorithms

For AES-128:

2^128 combinations of the key

Brute force of ½ of the key combinations (2^127, about 1.7 × 10^38 trials) at 1,000,000,000 per second would take approximately 5 × 10^21 (five sextillion) years

For AES-256:

2^256 combinations of the key

Brute force of ½ of the key combinations takes 2^128 times longer than for AES-128: not infinite, but far beyond any computer that will ever be built. (Not enough space on this slide for the zeros!)

There are known attacks that cut down on these numbers:

Related Key, Known Key Distinguishing, Key Recovery, Tau Statistic, Side-Channel

Caveat: the cryptanalytic attacks shave only a few bits off the work factor or need attacker-chosen key relationships that no sane deployment offers, so AES itself is not the weak point. The practical threats are side channels (cache timing, power analysis) and implementation mistakes: a bad mode, a reused IV/nonce, weak key generation, keys left on disk next to the data.

NIST (National Institute of Standards & Technology)

Use NIST-approved algorithms and modes (AES per FIPS 197, modes of operation per the SP 800-38 series) and seek validation

Some vendors use algorithms that aren't NIST approved

Page 5:

What should be encrypted and why?

Focus here is on Data-At-Rest (DAR)

High motivation for Data-In-Motion to be always encrypted

Recent push for all Web sites to use SSL/TLS

Should be considered "inside" all organizations as well, not just on the perimeter

BUT! Encrypted traffic blinds network monitoring and layer 7 inspection unless TLS is terminated or intercepted – huge issue right now

Two lines of thought around encryption of DAR:

Encrypt (only) sensitive data

Encrypt everything

Encrypting "only sensitive data" has issues:

What defines "sensitive"? The definition tends to change and move over time.

What is actually "sensitive"? The actual sensitive data tends to change and move.

All of the above tends to be expensive both in time and in money.

Meanwhile your data continues to grow/shift/move and remains exposed.

You are constantly trying to hit a moving target.

Page 6:

Encrypt Everything

Recommendation now is to encrypt everything

Why?

Easy to do now whereas in the past it was much harder – all the main obstacles have been removed: initial deployment cost, on-going operation, transparency to applications, key management

Commercial solutions now make encryption ubiquitous

Data is the real gold: it used to be that only financial payloads were considered valuable – now ALL data is valuable!

Data should be protected the moment it's born – then it doesn't have to be analyzed for sensitivity (since now ALL data has become sensitive.)

The cost of data analysis and classification is reduced or evaporates altogether.

"All data is valuable when married to the right economy"

Page 7:

Encryption In Enterprise Architecture

[Diagram: encryption options across the tiers App, Web, Laptop, DB and Storage, plotted against axes of Complexity and Security. Options shown: SSL/TLS, App/Token, Database, Server, Storage/FDE, End Point/DLP.]

Page 8:

Tokenization Versus Encryption

Tokenization & Encryption are related:

Vaultless tokens are essentially format-preserving encryption (FPE, e.g. NIST SP 800-38G FF1) of the value

Vaulted tokens are random surrogates; the original values are stored encrypted in the commercial solution's token vault

Typically used in PCI compliance scenarios where systems that hold only tokens are "taken out of scope"

Commercial tokenization solutions tend to come with data masking capabilities

Encryption used to be non-format preserving (non-FPE)

Generally leads to changes to database schemas because…

Encrypted values inflate (IV/nonce, padding, authentication tag, Base64 encoding) and do not preserve format

SSN is a great example: an 11-character digits-and-dashes column will not hold the ciphertext

Most commercial encryption products have or are coming out with FPE

In tokenization, the same value always returns the same token (so lookups, joins and de-duplication keep working); in encryption you don't want this! Deterministic ciphertext reveals which rows share a value and invites frequency analysis, so each value gets a fresh IV/nonce.

Page 9:

Sample Tokenization Versus Encryption

Current commercial tokenization solutions usually come in two flavors:

Vaulted/Stateful: Tokens and the encrypted originals are stored in a backend database – more secure (a token is a random value with no mathematical link to the original) but not as performant, and the vault must be replicated and protected

Vaultless/Stateless: Nothing is stored; the token is computed from the value with a keyed format-preserving function – very performant and scales without a database, but all security rests on the FPE key and algorithm, which is why the slide rates it as less secure

Home-grown tokenization solutions are all over the map.

Sample token table versus encryption:

SSN           Tokenized     Encrypted
123-45-6789   345-11-0011   iegh0caediemahNg
451-23-4561   565-04-2231   iec4Lai0AinooLoh
106-23-4560   452-09-3451   Ahv0quaaseoG8hua
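The table shows the two properties side by side; the Go program below, added here as an example (it is not code from the slides or from Vormetric), shows why they hold. It assumes AES-GCM as the cipher, HMAC-SHA256 for the vault's reverse index, constructed keys and SSNs, and the two roles (Accounts Payable, Customer Service) from the masking use case later in the deck. Encrypt with fixedNonce=true is the deterministic scheme Page 8 warns against; with fixedNonce=false it is the randomized scheme you actually want, and its 39-byte output for an 11-character SSN is the schema inflation Page 8 describes. The Vault is a minimal vaulted tokenizer: same SSN, same token, and a role-based mask on the way out.

```go
// Added example, not Vormetric code: tokenization returns the same token for the
// same value; encryption must not. Keys, roles and SSNs used here are constructed.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

var DemoEncKey = []byte("0123456789abcdef")                 // constructed AES-128 key for the vault
var DemoIdxKey = []byte("fedcba9876543210fedcba9876543210") // constructed HMAC key for the reverse index

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals ssn as nonce || ciphertext || tag with AES-GCM. With fixedNonce the
// nonce is all zeros: equal SSNs give equal ciphertext, so anyone holding the table
// sees which rows share an SSN (and GCM nonce reuse also leaks the XOR of plaintexts
// and the authentication key). Otherwise a fresh random nonce is drawn per value.
func Encrypt(key []byte, ssn string, fixedNonce bool) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if !fixedNonce {
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
	}
	return aead.Seal(nonce, nonce, []byte(ssn), nil), nil
}

// Vault is a minimal vaulted tokenizer: token -> encrypted SSN, plus a keyed-hash
// reverse index so a repeated SSN maps to the token it already has. The SSN never
// sits in the vault in clear; a product keeps both maps in a database.
type Vault struct {
	encKey, idxKey []byte
	byToken        map[string][]byte // token -> Encrypt(ssn) with a random nonce
	byIndex        map[string]string // HMAC-SHA256(ssn) -> token
}

func NewVault(encKey, idxKey []byte) *Vault {
	return &Vault{encKey, idxKey, map[string][]byte{}, map[string]string{}}
}

// Tokenize returns a random, SSN-shaped token; the same SSN always gets the same token.
func (v *Vault) Tokenize(ssn string) (string, error) {
	m := hmac.New(sha256.New, v.idxKey)
	m.Write([]byte(ssn))
	idx := string(m.Sum(nil))
	if t, ok := v.byIndex[idx]; ok {
		return t, nil
	}
	for {
		n, err := rand.Int(rand.Reader, big.NewInt(1_000_000_000))
		if err != nil {
			return "", err
		}
		s := fmt.Sprintf("%09d", n.Int64())
		t := s[:3] + "-" + s[3:5] + "-" + s[5:]
		if _, taken := v.byToken[t]; taken {
			continue // token already issued to another SSN: draw again
		}
		enc, err := Encrypt(v.encKey, ssn, false)
		if err != nil {
			return "", err
		}
		v.byToken[t], v.byIndex[idx] = enc, t
		return t, nil
	}
}

// Detokenize hands the clear SSN to Accounts Payable and a masked value to every
// other role: the dynamic data masking that commercial tokenization bundles.
func (v *Vault) Detokenize(token, role string) (string, error) {
	enc, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	aead, err := newGCM(v.encKey)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	ssn, err := aead.Open(nil, enc[:ns], enc[ns:], nil)
	if err != nil || role == "Accounts Payable" {
		return string(ssn), err
	}
	return "XXX-XX-" + string(ssn[len(ssn)-4:]), nil
}
```

Two design points worth noticing: the reverse index uses a separate HMAC key rather than the encryption key (never reuse one key for two purposes), and the token is drawn from crypto/rand with a collision check against tokens already issued, so nothing about the token can be computed from the SSN without the vault.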

Page 10:

Considerations: Tokenization & Application Encryption

Full Data Analysis

Data Points: Do you know every data element – size, where, etc.?

Application Matrix: Do you know every application touching every one of those data elements?

Searching: Will it break searching, especially for encryption? (Exact-match lookups survive tokenization; range queries, LIKE and sorting on a randomized ciphertext do not.)

Software Architecture: Generally executed by software architect(s) with little to no security experience or know-how

Time To Implement

Relative to a full, robust SDLC

Unit, integration, customer, performance, QA and Production, usually governed by change management

PER APPLICATION

Both easier if done earlier in the SDLC or greenfield

Page 11:

Key Management

Most point solutions have little or no key management

Great example: Encrypting a MacBook hard drive – the recovery key is the only way back in once the login password is gone

Without access to keys, your data is toast!

This is the premise behind Ransomware, right?!

Great Key Management needs to be:

Centralized

Easy to manage but still…

SECURE! (keys never leave the key manager in clear, every access is authenticated and logged, and keys can be rotated and revoked)

All types of keys:

SSL/TLS private keys, CA keys, and other generated keys from symmetric or asymmetric algorithms – whether made with OpenSSL, ssh-keygen, a key appliance, etc.

Page 12:

TDE With Vormetric – Key Agents

[Diagram: an Oracle / Microsoft TDE Database holds the TDE Master Encryption Key; each encrypted tablespace has its own TDE Tablespace Encryption Key protecting its Encrypted Data Files. The master key is served by the DSM over an SSL Network Connection through the Key Agent*.]

* PKCS-11 for Oracle and MSCAPI for MSSQL

Vormetric DSM acts as Network HSM for Database Master Encryption Keys

Vormetric Key Agent is installed on the database server
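The hierarchy on this slide (master key in the DSM, per-tablespace keys on the database) and the warning on the Key Management slide that data without its keys is toast can both be shown in a few dozen lines. The Go below is an added example, not Vormetric or Oracle code: it assumes AES-256-GCM for both data encryption and key wrapping (real TDE keeps its master key in a wallet or keystore, and HSMs typically wrap with AES Key Wrap), and it models the DSM / network HSM as an in-memory KeyManager that never hands out master key bytes. Rotating the master key rewraps the small tablespace key and leaves the data files untouched; deleting the master key version that wraps a tablespace key makes that tablespace unreadable.

```go
// Added example, not Vormetric code: the two-level key hierarchy behind TDE. The
// master encryption key (MEK) never leaves the key manager; each tablespace has its
// own data encryption key (DEK), stored only wrapped under the MEK. All constructed.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || AES-GCM ciphertext || tag under key; Open reverses it.
func Seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

func Open(key, blob []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("cannot open blob (err=%v, len=%d)", err, len(blob))
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// WrappedKey is what the database keeps on disk: DEK ciphertext plus the version of
// the MEK that wrapped it. Without the key manager it is useless bytes.
type WrappedKey struct {
	MEKVersion int
	Blob       []byte
}

// KeyManager stands in for the DSM / network HSM: it holds MEK versions and exposes
// only wrap/unwrap operations. Deleting a version from MEKs simulates losing the master key.
type KeyManager struct {
	MEKs    map[int][]byte
	Current int
}

// Rotate adds a new MEK version and makes it current; older versions stay until
// every DEK wrapped under them has been rewrapped.
func (km *KeyManager) Rotate() error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	km.Current++
	km.MEKs[km.Current] = k
	return nil
}

func (km *KeyManager) Wrap(dek []byte) (WrappedKey, error) {
	blob, err := Seal(km.MEKs[km.Current], dek)
	return WrappedKey{km.Current, blob}, err
}

func (km *KeyManager) Unwrap(w WrappedKey) ([]byte, error) {
	mek, ok := km.MEKs[w.MEKVersion]
	if !ok {
		return nil, fmt.Errorf("MEK version %d is gone; the DEK and its data are lost", w.MEKVersion)
	}
	return Open(mek, w.Blob)
}

// Rewrap moves a DEK under the current MEK. The data files are untouched: rotating
// the master key is cheap, re-encrypting terabytes of data is not.
func (km *KeyManager) Rewrap(w WrappedKey) (WrappedKey, error) {
	dek, err := km.Unwrap(w)
	if err != nil {
		return w, err
	}
	return km.Wrap(dek)
}

// NewTablespace generates a DEK, seals the data file under it and returns the wrapped
// DEK with the encrypted file. The clear DEK is dropped here; reading the file later
// means Unwrap followed by Open.
func NewTablespace(km *KeyManager, contents string) (WrappedKey, []byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return WrappedKey{}, nil, err
	}
	file, err := Seal(dek, []byte(contents))
	if err != nil {
		return WrappedKey{}, nil, err
	}
	w, err := km.Wrap(dek)
	return w, file, err
}
```

The MEKVersion stored next to the wrapped DEK is what makes rotation safe to do gradually: the key manager keeps old versions until every tablespace has been rewrapped, and only then retires them. A key agent on the database server (the slide's PKCS#11 / MSCAPI path) would call Wrap and Unwrap over the SSL connection; the master key itself never crosses it.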

Page 13:

Commercial Key Management

Generally implement KMIP, or should (Key Management Interoperability Protocol, the OASIS standard that lets databases, storage and backup products fetch keys from one manager)

When deployed as hardware appliances, can also house HSMs (Hardware Security Modules)

Necessary for FIPS 140-2 and FIPS 140-3 validated key storage (required for gov't and many regulated deployments)

Tamper-resistant and tamper-evident: higher FIPS 140 levels require the module to zeroize its keys when tampering is detected

Capable of at least storing, rotating, reporting and alerting (expirations) on keys stored in the device

Solutions in the industry vary in complexity and pricing

Page 14:

Questions & Answers

Page 15:

www.Vormetric.com

Vormetric Data Security: Simplifying Data Security for the Enterprise

John Murakami - Regional Sales Manager

Chris Olive – Sales Engineer

Page 16:

Founded 2001

Customers Include 17 of the Fortune 30

Top names in Banking, Retail, Outsourcing, Manufacturing & Insurance

Used by the US Government including US Intelligence Community

IP Protection, Compliance, Client Data & Consumer Information Protection

Recently acquired by Thales

Vormetric Customers

Page 17:

Leverage Existing Investments

“Vormetric gives our customers best in class security controls needed for compliance, data breach protection and for safeguarding critical intellectual property through powerful data-at-rest encryption.” Rod Hamlin

Vice President

Copyright 2015 Vormetric, Inc. – Proprietary and Confidential. All rights reserved.

Page 18:

One Platform – One Strategy: Data-at-rest security that follows your data

[Diagram: Enterprise Data Centers (Physical, Virtual, Outsourced), Remote Servers, Private/Public/Hybrid Clouds, Big Data (Sources, Nodes, Analytics)]

Page 19:

Vormetric Encryption Use Cases

Database Encryption

Usage: Encrypt Tablespace, Log, and other DB files

Common Databases: Oracle, MSSQL, DB2, Sybase, Informix, MySQL…

Unstructured Data Encryption

Usage: Encrypt and control access to any type of data used by a LUW (Linux, Unix, Windows) server

Common Data Types: Logs, Reports, Images, ETL, Audio/Video Recordings, Documents, Big Data…

Examples: FileNet, Documentum, Nice, Hadoop, Home Grown, etc…

Cloud Encryption

Usage: Encrypt and control access to data used by cloud instances

Common Cloud Providers: Amazon EC2, Rackspace, MS Azure

Page 20:

Vormetric Data Security Tools

Data Encryption

Encrypts file system data transparently to: Applications, Databases, Storage, Infrastructure

Integrated Key Management

High Efficiency Encryption

Access Control

Firewall-like access controls for data access

Separate data access from data management for system privileged users (root, SA, etc…)

Audit

Granular data access logging

Denied Access Events

Expected Access Events

Key Management

Key Management for Vormetric keys and 3rd Party Encryption Products

Provide Network HSM for other encryption solutions: PKCS#11 (Oracle 11gR2), EKM (MSSQL 2008 R2)

Page 21:

Vormetric Transparent Encryption

[Diagram: the Vormetric Data Security Manager (DSM, virtual or physical appliance) pushes keys and policy to an agent on the Server, sitting in the stack User → Application → Database → File Systems → Volume Managers → Storage and deciding Allow/Block and Encrypt/Decrypt per access to Big Data, Databases or Files. Privile­ged users (Cloud Admin, Storage Admin, etc.) see only ciphertext such as *$^!@#)(-|"_}?$%-:>> (Encrypted & Controlled); Approved Processes and Users see Clear Text such as "John Smith 401 Main Street". Vormetric Security Intelligence logs to SIEM.]

Protects structured/unstructured data

Encryption with integrated key management

Policy-based access control

Security Intelligence

Transparent data protection for any app, OS, data type, and storage

Page 22:

Vormetric Application Encryption: Encrypts specific fields or columns in files and databases

[Diagram: the same stack (User → Application → Database → File Systems → Volume Managers → Storage) with Allow/Block and Encrypt/Decrypt applied per field to Big Data, Databases or Files. Approved Users see "John Smith 401 Main Street"; Privileged Users (SA, root, the DBA, Cloud Provider / Outsource Administrators) see ciphertext such as *$^!@#)(-|"_}?$%-:>>. The record as the DBA sees it: Name: Jon Dough, SS: if030jcl, PO: Jan395-2014 (only the SSN column is encrypted). The Vormetric Data Security Manager, on enterprise premise or in cloud, virtual or physical appliance, supplies the keys; Vormetric Security Intelligence logs to SIEM.]

Page 23:

Vormetric Application Encryption Workflow

[Diagram: www.shopping.com Web Server → Application Server (Application + VAE Agent) → Database, Big Data or File Storage, with the Vormetric Data Security Manager (Key Management) delivering Encrypted Keys to the VAE agent. The Credit Card# travels in clear from the browser to the web server and into the application; the Encrypted Credit Card# is what leaves the application and lands in storage.]

Workflow:

1. User submits personal information to purchase items.
2. Web server sends personal information to application server.
3. Application calls into Vormetric Application Encryption (VAE) library to encrypt data. (NOTE: VAE obtains keys from the DSM only once.)
4. VAE returns the value back to the application.
5. Application then stores the encrypted value in the database server.

Page 24:

Vormetric Tokenization w/Dynamic Data Masking use case

[Diagram, steps 1–7: App Servers send a Request carrying a credit card number to the Vormetric Token Server's REST API. The Token Server checks the caller against an AD/LDAP Server, obtains keys from the DSM, and uses the Token Vault ((CC)e, Token) for lookups. The Database holds production data tokenized, e.g. 1234-4567-6789-1234. The Response is the Credit Card, a Token or a Mask depending on the caller: Accounts Payable receives the real number 0544-4124-4325-3490; Customer Service receives the token 1234-4567-6789-1234 or a masked value.]

Page 25:

Vormetric Cloud Gateway: Encrypting and controlling SaaS data

[Diagram: Personal Computers, Mobile Devices and Servers reach Enterprise SaaS through the Vormetric Cloud Gateway, which takes keys and policy from the DSM and feeds Security Intelligence. Marked "Q2 2015 / Future".]

Page 26:

(Repeat of the Page 18 slide: One Platform – One Strategy, Data-at-rest security that follows your data.)

Page 27:

Questions?