2016 FS-ISAC Annual Summit (Miami) - Developing Effective Encryption Strategies

Developing Effective Encryption Strategies CASE STUDY & LESSONS LEARNED

Joshua Nicholson, Tom Baxley

JOSHUA NICHOLSON & TOM BAXLEY - ENCRYPTION STRATEGY 2016 FS-ISAC ANNUAL SUMMIT

Agenda

• Introductions
• Case Study background
• Challenges and Benefits of Encryption
• Encryption Strategy Methodology
• Data Inventory and Encryption Scenarios
• Prioritization and Selection
• Roadmap and Execution
• Lessons Learned
• Questions

Introductions

Joshua Nicholson

CISSP, CISM, GCIH, GCWN, GWEB

Joshua Nicholson is serving as the Information Security Consulting Manager for the Consumer Lending Group (CLG) of Wells Fargo. Josh is located in Charlotte, NC and is responsible for managing a team of 23 cyber security professionals that serve as the first line of defense for all Information Security risks. He has over 20 years of IT and Cyber Security experience with 14 years of direct Information Security engineering, operations, and management experience. Prior to joining Wells Fargo Josh was a Manager for Ernst & Young’s (EY) Financial Services Cyber Security team conducting assessments and providing consulting and advisory services for some of the largest financial institutions in the world.

Tom Baxley

Tom Baxley is an Information Security Engineer at Pine River Capital Management, a global alternative asset management firm. Prior to his role at Pine River Capital, Tom was a Cybersecurity Consultant with Ernst & Young’s cyber practice. Tom worked with clients across the financial services industry to find innovative solutions to complex cybersecurity questions. During his time at EY he helped create prioritized encryption strategies and roadmaps for financial services clients.

Case study background

Project: The Chief Information Security Officer (CISO) for a large financial services company requested EY Cyber Security consultants to assess their use of encryption technologies for the protection of confidential data (3 month onsite duration)

Project Objective: Develop a tailored strategy that answers the questions of how, what, when and where their organization should use encryption.

Deliverables:

• Current state assessment of encryption capabilities and usage
• Future state recommendations
• Multi-year implementation roadmap aligned to other departmental strategic plans

Success Factors:

• The strategy must consider the varying sensitivity of, and threat to, data across their global footprint
• Recommended enhancements should be compared against industry peers for maturity and reliability
• The operational impact and cost of encryption, including potential security downsides of encryption, need to be incorporated
• Business priorities and existing technology strategy must align with any encryption strategy

Encryption Challenges

Why should you develop a strategy?

• Large organizations have an enormous amount of data to protect
• Data exists in multiple forms, in different locations, and at different accessible layers
• There are many different encryption technologies
• Encryption can often have serious negative impacts
• Different organizational groups need to work together to successfully implement encryption

… Is encryption going to blind my cyber defense tools?
… Will I be able to recover data in a disaster?
… Is there a better way than encryption?
… Will encryption be effective?
… Where do I even start?

Methodology

METHODOLOGY FOR DEVELOPING AN ENCRYPTION STRATEGY

Goals: Organized, Actionable, Structured, Agreed

Data Inventory and Encryption Scenarios
• Data is inventoried from the point of view of encryption scenarios.
• A scenario includes the type of data, the location, the state, and whether encryption technology is currently being used.
• Scenarios cover data at rest, in motion, and in use.

Prioritization and Selection
• Each scenario that is currently not protected by encryption is scored in the categories of:
  • Data Sensitivity
  • Threat to Data
  • Impact of Encryption
• Scores are rolled up into an overall benefit score and used to prioritize scenarios.

Strategy Development
• High priority scenarios are converted to initiatives and projects. Budgets are established for each.
• Management decisioning and prioritization exercise.

Roadmap and Execution
• Initiatives and projects are integrated with existing roadmaps and scheduled for execution.
• Management team aligns resources to work plan for execution.

Encryption Scenarios

[Figure: all encryption scenarios are prioritized/filtered (High, Med, Low) to a list of projects/initiatives and a roadmap. Stages: Assess Current State, Analyze and Prioritize, Develop Strategy. Labelled steps: Define Possible Encryption Scenarios; Assess Encryption Practices; Gap Analysis; Map to Existing Strategies; Impact of using Encryption (Costs, User Impact, Operations Impact).]

Phase 1: Data Inventory

Encryption Scenario Categories

Below is a sampling of the encryption scenario categories that we have used in the past. Within each of these domains, encryption scenarios describe the uses of encryption to protect data during transport, at rest, and in use.

• Email
• Business Applications
• Documents
• Database
• 3rd Party Hosted
• Cloud Storage
• Web Applications
• Infrastructure - Network
• Infrastructure - Server
• Mobile Applications
• Backup
• Telecommunication
• IM/Conferencing
• Content Management Applications
• Technology Management
• Memory

Data: At Rest, In Motion, In Use

At Rest: Data stored as a file on a storage device
- Unstructured document storage systems
- Stored application data
- Database technology (RDBMS, No-SQL)

In Motion: Block or stream data transmissions over the network infrastructure
- Internal and external system file transfers initiated to move data from one network to another
- Application communications and transactions sent over a network
- End user communication traffic

In Use: Data that is being processed or stored and processed in the volatile memory area of the computer
- Large data sets of data stored and processed without being written to disk
- Transaction messages (i.e. Web services, MQ,
- Client and server encryption keys, sensitive data, passwords, etc.

Example Category

We developed a matrix to assist with the evaluation of each encryption scenario.

Each scenario was classified as “Encrypted”, “Partially Encrypted” or “Not Encrypted”.
◦ “Encrypted” – all use cases of this scenario are using encryption.
◦ “Partially Encrypted” – some use cases of this scenario are using encryption (e.g. most file transfers use SFTP, however some legacy applications still use unencrypted FTP).
◦ “Not Encrypted” – no encryption is used for this scenario.

Encryption Analysis Matrix: Phase 1 - Scenario Development and Current State (Last Updated: xx/xx/20xx)

1.01 Email, Motion: Email - External Email Communication
  Description: Email data which is sent to external organizations over the Internet
  Current State Encryption: Partially Encrypted
  Current State Encryption Notes: Currently using TLS, but not required for all domains. Envelope service used for some processes.

1.02 Email, Motion: Email - Internal Email Communication
  Description: Email sent to and from internal recipients
  Current State Encryption: Not Encrypted
  Current State Encryption Notes: No encryption used

1.03 Email, Motion: Email - Host/Server Communication
  Description: Email data in transit between email clients (e.g. Outlook) and email servers (e.g. Exchange)
  Current State Encryption: Not Encrypted
  Current State Encryption Notes: No encryption used

Business Applications Encryption

[Figure: supporting teams (Application Technology, Application Development, Security Engineering, Infrastructure) annotated with scenario references 2.01, 2.03, 2.04, 2.05, 2.07.]

General Observations

• Many internal business platform and software interfaces are not using transport level encryption.
• Not all authentication traffic is using an encrypted protocol.
• The majority of application data is not encrypted at rest or when e-mailed through reporting.
• Production data movement and printing of highly-sensitive information is sent unencrypted.
• The majority of business applications using LDAP authentication are using the secure form (LDAP/S), however some legacy applications use plain-text LDAP.
• Encryption certificates are not centrally managed or standardized on.
• Legacy certificate keys and self-signed certs using old more vulnerable algorithms could be present.

Current State Encryption Scenarios

Data in Motion PII Corp 3rd Trading Encryption

2.01 API Calls n n n n Partially Encrypted

2.02 Application Terminal Connections - Internal n n Partially Encrypted

2.03 Emailed Reports n n n n Not Encrypted

2.04 File Transfers (FTP, SFTP, etc.) n n n n Partially Encrypted

2.05 LDAP Operations n Partially Encrypted

2.06 Reporting Transport and Distribution n n n n Partially Encrypted

2.07 System Printing n n n n Not Encrypted

2.08 Web Service Calls - External n Encrypted

2.09 Web Service Calls - Internal n n n n Not Encrypted

2.10 Application Terminal Connections - External n n n n Partially Encrypted

Data at Rest PII Corp 3rd Pos/Trade Encryption

2.12 Application Configuration Files n Partially Encrypted

2.13 Printed System Data* n n n Not Encrypted

2.14 Reporting and Analysis Servers n n Not Encrypted

2.15 Web Service Calls n n n n Not Encrypted

[Figure, continued: Desktop Engineering, with scenario references 2.08, 2.09, 2.11, 2.13, 2.15.]

Current State Rollup

After a thorough examination of all scenarios, the results should be rolled up and prepared for the prioritization phase. An illustration of sample results is below.

It is important to note that at this stage we are not considering mitigating countermeasures, the sensitivity of data, or impact of using encryption.

[Charts: sample results]
Current state: Not Encrypted 60%, Partially Encrypted 26%
Data state: Data at Rest 30%, Data in Motion 70%
Feasibility: Not Feasible 10%, Partially Feasible 40%, Feasible 50%

Phase 2: Prioritize

Measure & Compare

Scenario Evaluation Criteria

Quantitative Factors

[Figure: Encryption Initiative Prioritization. Quantitative factors: Data Sensitivity, Threat to Data, Cost, Impact of Encryption. Inputs shown: Data Sensitivity, Compen. Controls, Likelihood of Loss, Cost to Implement, Impact to Users, Impact to Operations, Encryption Viability.]

Qualitative Factors

Conformance / Compliance Requirements

Industry Perspective

• Considers industry peer norms

• The need for assertion of security conformance for partners or clients.

Strategic Plans

• Needs which align to strategic IT plans.

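Scenario Analysis Matrix

We developed an Encryption Analysis Matrix for documenting the current use of encryption and the feasibility of implementing encryption controls.

The matrix was used to track the feasibility of each scenario in order to filter out scenarios that are not practical and will not be considered during future state analysis.

Encryption Analysis Matrix: Phase 2 - Scenario Prioritization (Last Updated: xx/xx/20xx)

Column groups: Sensitivity, Threat, Impact, Cost, Benefit

Weight row shown above the rated columns: +15, -8, +8, -5, -5, +10, -5

1.01 Email, Motion: Email - External Email Communication
  Description: Email data which is sent to external organizations over the Internet
  Current State Encryption: Partially Encrypted. Notes: Currently using TLS, but not required for all domains. Envelope service used for some processes.
  Sensitivity: 3 (Sensitivity Score 45)
  Threat: Countermeasures 2, Likelihood of Loss 4 (Threat Score 16)
  Impact: Impact to Users 2, Impact to Ops 2, Feasibility 4 (Impact Score 20)
  Cost: 1 (Cost Score -5)
  Benefit: Countermeasures w/ Encryption 4, New Threat Score 0, Diff in Threat Score 16

1.02 Email, Motion: Email - Internal Email Communication
  Description: Email sent to and from internal recipients
  Current State Encryption: Not Encrypted. Notes: No encryption used
  Sensitivity: 3 (Sensitivity Score 45)
  Threat: Countermeasures 0, Likelihood of Loss 3 (Threat Score 24)
  Impact: Impact to Users 2, Impact to Ops 2, Feasibility 4 (Impact Score 20)
  Cost: 2 (Cost Score -10)
  Benefit: Countermeasures w/ Encryption 4, New Threat Score -8, Diff in Threat Score 32

1.03 Email, Motion: Email - Host/Server Communication
  Description: Email data in transit between email clients (e.g. Outlook) and email servers (e.g. Exchange)
  Current State Encryption: Not Encrypted. Notes: No encryption used
  Sensitivity: 3 (Sensitivity Score 45)
  Threat: Countermeasures 0, Likelihood of Loss 1 (Threat Score 8)
  Impact: Impact to Users 1, Impact to Ops 1, Feasibility 4 (Impact Score 30)
  Cost: 1 (Cost Score -5)
  Benefit: Countermeasures w/ Encryption 4, New Threat Score -24, Diff in Threat Score 32

1.04 Email, Motion: Email - Mobile Devices
  Description: Email in transit to mobile devices
  Current State Encryption: Encrypted. Notes: MobileIron is used for mobile e-mail, which communicates over an encrypted channel.
  Sensitivity, Threat and Impact: Encrypted - not scored
  Remaining score columns: 0, -

1.05 Email, Motion: Email - Webmail Portal
  Description: Email data accessed over the Internet via web portals
  Current State Encryption: Encrypted. Notes: OWA uses HTTPS.
  Sensitivity, Threat and Impact: Encrypted - not scored
  Remaining score columns: 0, -

1.06 Email, Rest: Email - Archive
  Description: Data stored in email archives
  Current State Encryption: Not Encrypted. Notes: Exchange email archives are unencrypted.
  Sensitivity: 3 (Sensitivity Score 45). Comments: Encrypted - not scored
  Threat: Countermeasures 1, Likelihood of Loss 1 (Threat Score 0). Comments: Encrypted - not scored
  Impact: Impact to Users 1, Impact to Ops 1, Feasibility 3 (Impact Score 20). Comments: Encrypted - not scored
  Cost: 3 (Cost Score -15)
  Benefit: Countermeasures w/ Encryption 4, New Threat Score -24, Diff in Threat Score 24

1.07 Email, Rest: Email - Disk Backups
  Description: Data stored in email backups on disk
  Current State Encryption: Not Encrypted. Notes: Disk backups are not encrypted
  Sensitivity: 3 (Sensitivity Score 45). Comments: Encrypted - not scored
  Threat: Countermeasures 2, Likelihood of Loss 2 (Threat Score 0). Comments: Encrypted - not scored
  Impact: Impact to Users 0, Impact to Ops 2, Feasibility 4 (Impact Score 30). Comments: Encrypted - not scored
  Cost: 2 (Cost Score -10)
  Benefit: Countermeasures w/ Encryption 4, New Threat Score -16, Diff in Threat Score 16

1.08 Email, Rest: Email - Tape Backups
  Description: Data stored in email backups on tape
  Current State Encryption: n/a. Notes: Tape backups are not encrypted
  Sensitivity, Threat and Impact: n/a - not scored
  Remaining score columns: 0, -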
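The derived score columns in the matrix rows above can be reproduced from the raw ratings and the weight row (15 8 8 5 5 10 5 with signs + - + - - + -). The Python sketch below is an added example, not part of the original presentation: the mapping of each weight to a column is inferred from the scored rows, and the final ranking key is an assumption, since the deck does not state how the overall benefit score is rolled up.

```python
# Weight row from the Phase 2 matrix: 15 8 8 5 5 10 5 with signs + - + - - + -.
# Which column each weight belongs to is inferred from the scored rows.
WEIGHTS = {
    "sensitivity": 15, "countermeasures": -8, "likelihood": 8,
    "impact_users": -5, "impact_ops": -5, "feasibility": 10, "cost": -5,
}
# Raw rating columns in matrix order; the last is "Countermeasures w/ Encryption".
FIELDS = tuple(WEIGHTS) + ("countermeasures_enc",)


def score(ratings):
    """Turn one row of raw ratings into the matrix's derived score columns."""
    r = dict(zip(FIELDS, ratings))

    def threat(countermeasures):
        return (WEIGHTS["likelihood"] * r["likelihood"]
                + WEIGHTS["countermeasures"] * countermeasures)

    now, new = threat(r["countermeasures"]), threat(r["countermeasures_enc"])
    return {
        "sensitivity": WEIGHTS["sensitivity"] * r["sensitivity"],
        "threat": now,
        "impact": sum(WEIGHTS[k] * r[k]
                      for k in ("impact_users", "impact_ops", "feasibility")),
        "cost": WEIGHTS["cost"] * r["cost"],
        "new_threat": new,
        "threat_diff": now - new,  # the matrix's "Diff in Threat Score"
    }


# (ref, scenario, current state, ratings) copied from the matrix rows on this
# page; rows the matrix marks "not scored" carry no ratings.
MATRIX = [
    ("1.01", "Email - External Email Communication", "Partially Encrypted",
     (3, 2, 4, 2, 2, 4, 1, 4)),
    ("1.02", "Email - Internal Email Communication", "Not Encrypted",
     (3, 0, 3, 2, 2, 4, 2, 4)),
    ("1.03", "Email - Host/Server Communication", "Not Encrypted",
     (3, 0, 1, 1, 1, 4, 1, 4)),
    ("1.04", "Email - Mobile Devices", "Encrypted", None),
    ("1.05", "Email - Webmail Portal", "Encrypted", None),
    ("1.06", "Email - Archive", "Not Encrypted", (3, 1, 1, 1, 1, 3, 3, 4)),
    ("1.07", "Email - Disk Backups", "Not Encrypted", (3, 2, 2, 0, 2, 4, 2, 4)),
    ("1.08", "Email - Tape Backups", "n/a", None),
]


def prioritize(matrix):
    """Drop unscored rows, then rank the rest.

    The ranking key is an assumption (the deck gives no roll-up formula):
    biggest threat reduction first, ties broken by impact score plus cost score.
    """
    scored = [(ref, score(ratings)) for ref, _, _, ratings in matrix if ratings]
    return sorted(scored, key=lambda row: (-row[1]["threat_diff"],
                                           -(row[1]["impact"] + row[1]["cost"])))


if __name__ == "__main__":
    for ref, s in prioritize(MATRIX):
        print(ref, s)
```

Because every derived column is a fixed linear combination of the ratings, a workshop can change a single rating (for example a countermeasure added since the assessment) and see the priority order move without re-scoring the whole sheet by hand.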

Feasibility/Suitability Filter

We quickly learned that while evaluating every possible encryption scenario is a good method to ensure completeness, once phase 2 begins, a “feasibility/suitability” filter needs to be applied.

Examples of scenarios that should be removed:

– The scenario does not occur at our company
– There is currently no technological encryption solution available for the scenario

Example Scenarios Breakdown:

Initial scenarios: 120
Already encrypted: 20
Does not apply to enterprise: 5
No tech solution: 15
Remaining for consideration: 80

Analyze and Prioritize

Remaining encryption scenarios are prioritized based on the quantitative factors (sensitivity, threat, impact, and cost).

The lower prioritized scenarios are then reviewed in detail for:
◦ Red flags: items which should have been prioritized higher
◦ Qualitative factors: items which should be considered because of industry norms, compliance or conformance requirements, or client strategic plans.

[Figure: flow labels: Gap Analysis, Initial Prioritization, Workshops, Encryption Strategy and Roadmap. Remaining scenarios for consideration: 80, shown as High Priority Scenarios (30) and Low Priority Scenarios (50). Other labels: Based on qualitative factors; Non-Encryption Decisions: No Action Needed, Non-Encryption Recommendation, Defer Action.]

High Priority Scenarios (Example)

[Chart: scenarios plotted by Risk Benefit against Impact. Legend: Low Cost, Medium Cost, High Cost; Motion / Rest; Peers Do Encrypt, Some Peers Encrypt, Peers Do Not Encrypt.]

Scenarios shown: External Email, Internal Email, SAN/NAS Traffic, Backup Traffic (Servers), Backup Replication, Outlook/Exchange Data, Internal API Calls, Report Transport, Database Connections, Database Servers, Cloud Data, SAN/NAS Replication, MFD Hard Drives, Sensitive Internal Web Apps, WAN Traffic, Backup Traffic (DB), VoIP Services, Sharepoint Data, Documentum Traffic, Documentum Data, Source Code, Privileged Access Storage, Source Code, Printer Traffic

Risk Benefit vs. Impact

Systems Integration Encryption (Example)

Issues
►Highly sensitive data is routinely transferred between systems in plain-text. This includes sensitive customer and transaction data as well as client and associate PII.

Proposed Next Steps
►Determine if the encryption of sensitive service calls and file transfers is practical for the majority of sensitive use cases.
►Develop standards for the encryption of service calls and file transfers.
►Integrate new standards for the use of transport encryption into SDLC processes.
►Initiate a project to remediate non-compliant systems.

Benefits
►Sensitive data in transit between systems over the internal and external networks will be protected from interception and/or unauthorized modification.
►Developers and administrators will have a clear standard and guidance on the use of encrypted protocols for systems integration and file transfers.

Estimated Cost: $1,000,000

[Chart: Internal API Calls plotted by Risk Benefit against Impact; ratings shown: High, High.]

Outcome Description
• Determine if the encryption of sensitive service calls and file transfers is practical for the majority of sensitive use cases and develop standards for the encryption of service calls and file transfers.
• Rollout standards for internal service call and file transfer encryption, and remediate those sensitive transfers that do not meet the new standard.

Use Cases
►Data transfers will be sent over encrypted protocols between internal and external systems.

Roadmap Considerations
►Many of the remediation projects can be aligned with the planned new managed file transfer system implementation.

Phase 3: Roadmap

1. Develop a roadmap for execution
2. Logically integrate with technology roadmaps for feasibility assessment and execution

Encryption Outcomes Roadmap

[Roadmap chart. Work streams: Application Administration, Security, Infrastructure Engineering. Key: Encryption Strategy Project, Existing Project. Timeline by quarter: FY15 Q2 through FY17 Q4 and Beyond (Oct – Dec 2014 through Apr – Jun 2017).]

Items shown on the roadmap:
• External Email Encryption
• Selective DB Encryption
• Cloud Encryption Policies and Standard Developed and Approved
• Service Call and File Transfer Encryption Standards
• Tools for DB Connection Encryption Deployed
• Centralized Source Code Repository Encrypted
• Encryption Progress Reviewed and Strategy Refreshed
• Logical Access Cleanup
• Palo Alto Upgrade
• Policies, Procedures and Standards to Govern the Use of Encryption are Approved
• Encryption Management Program Built and Operationalized
• Privileged Access Storage Tool Deployment Expanded and Matured
• Reduced Privileged Level Access
• New Email Security Gateway
• New Backup System
• SQL Servers Upgrade
• Major Applications To Linux
• SDLC Management System
• DB Connection Encryption
• Selected Sensitive Databases Encrypted
• V – Service Call and File Transfer Standards Rollout*
• New Datawarehouse
• SSL for Sensitive Internal Web Apps
• Exchange 2013
• Outlook RPC Data Encrypted (in transit)
• Internal Email Encryption
• Exchange 2013 Archiving
• Lotus Eradicated
• Transport Encryption for Source Code
• DB Connection Encryption Standards

Lessons Learned

• Pros & Cons for developing your strategy internally or using outside consultants
• Very difficult to get right when your internal IT and security team is already overwhelmed with day-to-day operations
• Consensus building, inclusion, and relationship management are key elements (cannot stress enough)
• Understanding that encrypting everything is a really bad idea that can cause more problems than it’s worth
• Much easier to determine what data not to save than it is to encrypt it in all locations and forms.
• Tokenization and obfuscation can be a better solution for some use cases
• Your strategy is bound to fail without an investment in encryption key management technology and a sound operational program
• Much easier to build separate computing infrastructure that supports the encryption plan and have the data repositories migrated over
• Many network and application systems have encryption capabilities built in that can be leveraged; most are rarely configured.

Questions