2016 FS-ISAC Annual Summit (Miami) - Developing Effective Encryption Strategies
Developing Effective Encryption Strategies: Case Study & Lessons Learned
Joshua Nicholson, Tom Baxley
JOSHUA NICHOLSON & TOM BAXLEY - ENCRYPTION STRATEGY 2016 FS-ISAC ANNUAL SUMMIT
Agenda
• Introductions
• Case Study background
• Challenges and Benefits of Encryption
• Encryption Strategy Methodology
• Data Inventory and Encryption Scenarios
• Prioritization and Selection
• Roadmap and Execution
• Lessons Learned
• Questions
Introductions
Joshua Nicholson
CISSP, CISM, GCIH, GCWN, GWEB
Joshua Nicholson is serving as the Information Security Consulting Manager for the Consumer Lending Group (CLG) of Wells Fargo. Josh is located in Charlotte, NC and is responsible for managing a team of 23 cyber security professionals that serve as the first line of defense for all Information Security risks. He has over 20 years of IT and Cyber Security experience with 14 years of direct Information Security engineering, operations, and management experience. Prior to joining Wells Fargo, Josh was a Manager for Ernst & Young’s (EY) Financial Services Cyber Security team conducting assessments and providing consulting and advisory services for some of the largest financial institutions in the world.
Tom Baxley
Tom Baxley is an Information Security Engineer at Pine River Capital Management, a global alternative asset management firm. Prior to his role at Pine River Capital, Tom was a Cybersecurity Consultant with Ernst & Young’s cyber practice. Tom worked with clients across the financial services industry to find innovative solutions to complex cybersecurity questions. During his time at EY he helped create prioritized encryption strategies and roadmaps for financial services clients.
Case study background
Project: The Chief Information Security Officer (CISO) for a large financial services company requested EY Cyber Security consultants to assess their use of encryption technologies for the protection of confidential data (3 month onsite duration)
Project Objective: Develop a tailored strategy that answers the questions of how, what, when and where their organization should use encryption.
Deliverables:
• Current state assessment of encryption capabilities and usage
• Future state recommendations
• Multi-year implementation roadmap aligned to other departmental strategic plans
Success Factors:
• The strategy must consider the varying sensitivity of, and threat to, data across their global footprint
• Recommended enhancements should be compared against industry peers for maturity and reliability
• The operational impact and cost of encryption, including potential security downsides of encryption, need to be incorporated
• Business priorities and existing technology strategy must align with any encryption strategy
Encryption Challenges: Why Should You Develop a Strategy?
• Large organizations have an enormous amount of data to protect
• Data exists in multiple forms, in different locations, and at different accessible layers
• There are many different encryption technologies
• Encryption can often have serious negative impacts
• Different organizational groups need to work together to successfully implement encryption
…. Is encryption going to blind my cyber defense tools?
…. Will I be able to recover data in a disaster?
…. Is there a better way than encryption?
…. Will encryption be effective?
…. Where do I even start?
Methodology for Developing an Encryption Strategy
Goals: Organized, Actionable, Structured, Agreed
Data Inventory and Encryption Scenarios
• Data is inventoried from the point of view of encryption scenarios.
• A scenario includes the type of data, the location, the state, and if encryption technology is currently being used.
• Scenarios cover data at rest, in motion, and in use.
Prioritization and Selection
• Each scenario that is currently not protected by encryption is scored in the categories of: Data Sensitivity, Threat to Data, and Impact of Encryption.
• Scores are rolled up into an overall benefit score and used to prioritize scenarios.
Strategy Development
• High priority scenarios are converted to initiatives and projects. Budgets are established for each.
• Management decisioning and prioritization exercise.
Roadmap and Execution
• Initiatives and projects are integrated with existing roadmaps and scheduled for execution.
• Management team aligns resources to work plan for execution.
[Figure: All encryption scenarios, rated High, Med or Low, are prioritized/filtered to a list of projects/initiatives for the roadmap. Stages: Assess Current State, Analyze and Prioritize, Develop Strategy. Activities: Define Possible Encryption Scenarios, Assess Encryption Practices, Gap Analysis, Map to Existing Strategies. Impact of using Encryption: Costs, User Impact, Operations Impact.]
Phase 1: Data Inventory
Encryption Scenario Categories
Below is a sampling of the encryption scenario categories that we have used in the past. Within each of these domains, encryption scenarios describe the uses of encryption to protect data during transport, at rest, and in use.
Email Business Applications Documents Database 3rd Party Hosted Cloud
Storage Web Applications Infrastructure - Network
Infrastructure - Server Mobile Applications Backup
Telecommunication IM/Conferencing Content
Management Applications
Technology Management Memory
At Rest: Data stored as a file on a storage device
- Unstructured document storage systems
- Stored application data
- Database technology (RDBMS, No-SQL)
In Motion: Block or stream data transmissions over the network infrastructure
- Internal and external system file transfers initiated to move data from one network to another
- Application communications and transactions sent over a network
- End user communication traffic
In Use: Data that is being processed or stored and processed in the volatile memory area of the computer
- Large data sets of data stored and processed without being written to disk
- Transaction messages (i.e. Web services, MQ,
- Client and server encryption keys, sensitive data, passwords, etc.
Example Category
We developed a matrix to assist with the evaluation of each encryption scenario.
Each scenario was classified as “Encrypted”, “Partially Encrypted” or “Not Encrypted”.
◦ “Encrypted” – all use cases of this scenario are using encryption.
◦ “Partially Encrypted” – some use cases of this scenario are using encryption (e.g. most file transfers use SFTP, however some legacy applications still use unencrypted FTP).
◦ “Not Encrypted” – no encryption is used for this scenario.

Encryption Analysis Matrix, Phase 1 - Scenario Development and Current State (Last Updated: xx/xx/20xx)

| Ref # | Scenario Category | Type | Encryption Scenario | Description | Current State Encryption | Current State Encryption Notes |
|---|---|---|---|---|---|---|
| 1.01 | Email | Motion | Email - External Email Communication | Email data which is sent to external organizations over the Internet | Partially Encrypted | Currently using TLS, but not required for all domains. Envelope service used for some processes. |
| 1.02 | Email | Motion | Email - Internal Email Communication | Email sent to and from internal recipients | Not Encrypted | No encryption used |
| 1.03 | Email | Motion | Email - Host/Server Communication | Email data in transit between email clients (e.g. Outlook) and email servers (e.g. Exchange) | Not Encrypted | No encryption used |
Business Applications Encryption
[Figure: supporting teams (Application Technology, Application Development, Security Engineering, Infrastructure, Desktop Engineering) shown against scenario reference numbers.]
General Observations
• Many internal business platform and software interfaces are not using transport level encryption.
• Not all authentication traffic is using an encrypted protocol.
• The majority of application data is not encrypted at rest or when e-mailed through reporting.
• Production data movement and printing of highly-sensitive information is sent unencrypted.
• The majority of business applications using LDAP authentication are using the secure form (LDAP/S), however some legacy applications use plain-text LDAP.
• Encryption certificates are not centrally managed or standardized on.
• Legacy certificate keys and self-signed certs using old more vulnerable algorithms could be present.
Current State Encryption Scenarios
Data in Motion PII Corp 3rd Trading Encryption
2.01 API Calls n n n n Partially Encrypted
2.02 Application Terminal Connections - Internal n n Partially Encrypted
2.03 Emailed Reports n n n n Not Encrypted
2.04 File Transfers (FTP, SFTP, etc.) n n n n Partially Encrypted
2.05 LDAP Operations n Partially Encrypted
2.06 Reporting Transport and Distribution n n n n Partially Encrypted
2.07 System Printing n n n n Not Encrypted
2.08 Web Service Calls - External n Encrypted
2.09 Web Service Calls - Internal n n n n Not Encrypted
2.10 Application Terminal Connections - External n n n n Partially Encrypted
Data at Rest PII Corp 3rd Pos/Trade Encryption
2.12 Application Configuration Files n Partially Encrypted
2.13 Printed System Data* n n n Not Encrypted
2.14 Reporting and Analysis Servers n n Not Encrypted
2.15 Web Service Calls n n n n Not Encrypted
Current State Rollup
After a thorough examination of all scenarios, the results should be rolled up and prepared for the prioritization phase. An illustration of sample results is below.
It is important to note that at this stage we are not considering mitigating countermeasures, the sensitivity of data, or impact of using encryption.
Sample results (chart values):
• Current state: Not Encrypted 60%, Partially Encrypted 26%
• Data state: Data at Rest 30%, Data in Motion 70%
• Feasibility: Not Feasible 10%, Partially Feasible 40%, Feasible 50%
Phase 2: Prioritize
Measure & Compare
Scenario Evaluation Criteria
Quantitative Factors (feeding Encryption Initiative Prioritization):
• Data Sensitivity: Sensitivity
• Threat to Data: Compen. Controls, Likelihood of Loss
• Impact of Encryption: Impact to Users, Impact to Operations, Encryption Viability
• Cost: Cost to Implement
Qualitative Factors:
• Conformance / Compliance Requirements: The need for assertion of security conformance for partners or clients.
• Industry Perspective: Considers industry peer norms.
• Strategic Plans: Needs which align to strategic IT plans.
Scenario Analysis Matrix
We developed an Encryption Analysis Matrix for documenting the current use of encryption and the feasibility of implementing encryption controls.
The matrix was used to track the feasibility of each scenario in order to filter out scenarios that are not practical and will not be considered during future state analysis.

Encryption Analysis Matrix, Phase 2 - Scenario Prioritization (Last Updated: xx/xx/20xx)

| Ref # | Scenario Category | Type | Encryption Scenario | Description | Current State Encryption | Current State Encryption Notes |
|---|---|---|---|---|---|---|
| 1.01 | Email | Motion | Email - External Email Communication | Email data which is sent to external organizations over the Internet | Partially Encrypted | Currently using TLS, but not required for all domains. Envelope service used for some processes. |
| 1.02 | Email | Motion | Email - Internal Email Communication | Email sent to and from internal recipients | Not Encrypted | No encryption used |
| 1.03 | Email | Motion | Email - Host/Server Communication | Email data in transit between email clients (e.g. Outlook) and email servers (e.g. Exchange) | Not Encrypted | No encryption used |
| 1.04 | Email | Motion | Email - Mobile Devices | Email in transit to mobile devices | Encrypted | MobileIron is used for mobile e-mail, which communicates over an encrypted channel. |
| 1.05 | Email | Motion | Email - Webmail Portal | Email data accessed over the Internet via web portals | Encrypted | OWA uses HTTPS. |
| 1.06 | Email | Rest | Email - Archive | Data stored in email archives | Not Encrypted | Exchange email archives are unencrypted. |
| 1.07 | Email | Rest | Email - Disk Backups | Data stored in email backups on disk | Not Encrypted | Disk backups are not encrypted |
| 1.08 | Email | Rest | Email - Tape Backups | Data stored in email backups on tape | n/a | Tape backups are not encrypted |

Column groups: Sensitivity, Threat, Impact, Cost, Benefit.
Column weights and signs: Sensitivity 15 (+), Countermeasures 8 (-), Likelihood of Loss 8 (+), Impact to Users 5 (-), Impact to Ops 5 (-), Feasibility 10 (+), Cost 5 (-).

| Ref # | Sensitivity | Sensitivity Score | Countermeasures | Likelihood of Loss | Threat Score | Impact to Users | Impact to Ops | Feasibility | Impact Score | Cost | Cost Score | Countermeasures w/ Encryption | New Threat Score | Diff in Threat Score |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1.01 | 3 | 45 | 2 | 4 | 16 | 2 | 2 | 4 | 20 | 1 | -5 | 4 | 0 | 16 |
| 1.02 | 3 | 45 | 0 | 3 | 24 | 2 | 2 | 4 | 20 | 2 | -10 | 4 | -8 | 32 |
| 1.03 | 3 | 45 | 0 | 1 | 8 | 1 | 1 | 4 | 30 | 1 | -5 | 4 | -24 | 32 |
| 1.04 | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| 1.05 | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| 1.06 | 3 | 45 | 1 | 1 | 0 | 1 | 1 | 3 | 20 | 3 | -15 | 4 | -24 | 24 |
| 1.07 | 3 | 45 | 2 | 2 | 0 | 0 | 2 | 4 | 30 | 2 | -10 | 4 | -16 | 16 |
| 1.08 | - | - | - | - | - | - | - | - | - | - | - | - | - | - |

Sensitivity, Threat and Impact comment columns: blank for 1.01 to 1.03; “Encrypted - not scored” for 1.04 to 1.07; “n/a - not scored” for 1.08.
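The arithmetic behind the matrix, as an added example that is not part of the original deck: the per-column formulas are inferred from the weights and signs printed on the slide and reproduce every score in the sample Email rows. The final `priority` rollup as a plain sum is an assumption, since the deck does not give its rollup formula.

```python
from dataclasses import dataclass

# Weights printed above the matrix columns; signs are applied in score().
W = {"sensitivity": 15, "countermeasures": 8, "likelihood": 8,
     "users": 5, "ops": 5, "feasibility": 10, "cost": 5}


@dataclass
class Scenario:
    ref: str
    state: str              # current-state classification from Phase 1
    sensitivity: int = 0
    countermeasures: int = 0
    likelihood: int = 0
    users: int = 0          # impact to users
    ops: int = 0            # impact to operations
    feasibility: int = 0
    cost: int = 0
    cm_with_enc: int = 0    # countermeasures rating once encryption is added


# Inputs transcribed from the sample Email rows of the Phase 2 matrix.
ROWS = [
    Scenario("1.01", "Partially Encrypted", 3, 2, 4, 2, 2, 4, 1, 4),
    Scenario("1.02", "Not Encrypted", 3, 0, 3, 2, 2, 4, 2, 4),
    Scenario("1.03", "Not Encrypted", 3, 0, 1, 1, 1, 4, 1, 4),
    Scenario("1.04", "Encrypted"),
    Scenario("1.05", "Encrypted"),
    Scenario("1.06", "Not Encrypted", 3, 1, 1, 1, 1, 3, 3, 4),
    Scenario("1.07", "Not Encrypted", 3, 2, 2, 0, 2, 4, 2, 4),
    Scenario("1.08", "n/a"),
]


def score(s: Scenario) -> dict:
    """Compute the matrix's score columns for one scenario."""
    threat = W["likelihood"] * s.likelihood - W["countermeasures"] * s.countermeasures
    new_threat = W["likelihood"] * s.likelihood - W["countermeasures"] * s.cm_with_enc
    out = {
        "sensitivity": W["sensitivity"] * s.sensitivity,
        "threat": threat,
        "impact": (W["feasibility"] * s.feasibility
                   - W["users"] * s.users - W["ops"] * s.ops),
        "cost": -W["cost"] * s.cost,
        "new_threat": new_threat,
        "benefit": threat - new_threat,   # the "Diff in Threat Score" column
    }
    # ASSUMPTION: the deck does not state its rollup; a plain sum is used here.
    out["priority"] = out["sensitivity"] + out["benefit"] + out["impact"] + out["cost"]
    return out


def prioritize(rows):
    """Drop scenarios that are already encrypted or n/a, then rank the rest."""
    open_rows = [s for s in rows if s.state in ("Not Encrypted", "Partially Encrypted")]
    return sorted(((s.ref, score(s)) for s in open_rows),
                  key=lambda item: item[1]["priority"], reverse=True)


if __name__ == "__main__":
    for ref, sc in prioritize(ROWS):
        print(ref, sc)
```
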
Feasibility/Suitability Filter
We quickly learned that while evaluating every possible encryption scenario is a good method to ensure completeness, once phase 2 begins, a “feasibility/suitability” filter needs to be applied.
Example Scenarios Breakdown:
• Initial scenarios: 120
• Already encrypted: 20
• Does not apply to enterprise: 5
• No tech solution: 15
• Remaining for consideration: 80
Examples of scenarios that should be removed:
– The scenario does not occur at our company
– There is currently no technological encryption solution available for the scenario
Analyze and Prioritize
Remaining encryption scenarios are prioritized based on the quantitative factors (sensitivity, threat, impact, and cost).
The lower prioritized scenarios are then reviewed in detail for:
◦ Red flags: items which should have been prioritized higher
◦ Qualitative factors: items which should be considered because of industry norms, compliance or conformance requirements, or client strategic plans.
[Figure: Gap Analysis, Initial Prioritization (based on qualitative factors), Workshops, Encryption Strategy and Roadmap. Remaining scenarios for consideration: 80, split into High Priority Scenarios (30) and Low Priority Scenarios (50). Non-Encryption Decisions: No Action Needed, Non-Encryption Recommendation, Defer Action.]
High Priority Scenarios (Example)
[Figure: chart of Risk Benefit against Impact. Legend: Low Cost, Medium Cost, High Cost; Peers Do Encrypt, Some Peers Encrypt, Peers Do Not Encrypt; Motion / Rest.]
Scenarios plotted: External Email; Internal Email; SAN/NAS Traffic; Backup Traffic (Servers); Backup Replication; Outlook/Exchange Data; Internal API Calls; Report Transport; Database Connections; Database Servers; Cloud Data; SAN/NAS Replication; MFD Hard Drives; Sensitive Internal Web Apps; WAN Traffic; Backup Traffic (DB); VoIP Services; Sharepoint Data; Documentum Traffic; Documentum Data; Source Code; Privileged Access Storage; Source Code; Printer Traffic.
Systems Integration Encryption (Example)
[Chart: Risk Benefit vs. Impact, with Internal API Calls plotted; both ratings shown as High.]
Estimated Cost: $1,000,000
Outcome Description
• Determine if the encryption of sensitive service calls and file transfers is practical for the majority of sensitive use cases and develop standards for the encryption of service calls and file transfers.
• Rollout standards for internal service call and file transfer encryption, and remediate those sensitive transfers that do not meet the new standard.
Issues
►Highly sensitive data is routinely transferred between systems in plain-text. This includes sensitive customer and transaction data as well as client and associate PII.
Proposed Next Steps
►Determine if the encryption of sensitive service calls and file transfers is practical for the majority of sensitive use cases.
►Develop standards for the encryption of service calls and file transfers.
►Integrate new standards for the use of transport encryption into SDLC processes.
►Initiate a project to remediate non-compliant systems.
Benefits
►Sensitive data in transit between systems over the internal and external networks will be protected from interception and/or unauthorized modification.
►Developers and administrators will have a clear standard and guidance on the use of encrypted protocols for systems integration and file transfers.
Use Cases
►Data transfers will be sent over encrypted protocols between internal and external systems.
Roadmap Considerations
►Many of the remediation projects can be aligned with the planned new managed file transfer system implementation.
Phase 3: Roadmap
1. Develop a roadmap for execution
2. Logically integrate with technology roadmaps for feasibility assessment and execution
Encryption Outcomes Roadmap
[Figure: roadmap chart running from FY15 Q2 (Oct – Dec 2014) through FY17 Q4 (Apr – Jun 2017) and beyond, with three work streams (Application Administration, Security, Infrastructure Engineering). Key: Encryption Strategy Project, Existing Project. Each work stream shows Encryption Strategy Projects alongside Existing Projects.]
Items shown on the roadmap: External Email Encryption; Selective DB Encryption; Cloud Encryption Policies and Standard Developed and Approved; Service Call and File Transfer Encryption Standards; Tools for DB Connection Encryption Deployed; Centralized Source Code Repository Encrypted; Encryption Progress Reviewed and Strategy Refreshed; Logical Access Cleanup; Palo Alto Upgrade; Policies, Procedures and Standards to Govern the Use of Encryption are Approved; Encryption Management Program Built and Operationalized; Privileged Access Storage Tool Deployment Expanded and Matured; Reduced Privileged Level Access; New Email Security Gateway; New Backup System; SQL Servers Upgrade; Major Applications To Linux; SDLC Management System; DB Connection Encryption; Selected Sensitive Databases Encrypted; Service Call and File Transfer Standards Rollout*; New Datawarehouse; SSL for Sensitive Internal Web Apps; Exchange 2013; Outlook RPC Data Encrypted (in transit); Internal Email Encryption; Exchange 2013 Archiving; Lotus Eradicated; Transport Encryption for Source Code; DB Connection Encryption Standards.
Lessons Learned
• Pros & Cons for developing your strategy internally or using outside consultants
• Very difficult to get right when your internal IT and security team is already overwhelmed with day-to-day operations
• Consensus building, inclusion, and relationship management are key elements (cannot stress enough)
• Understanding that encrypting everything is a really bad idea that can cause more problems than it’s worth
• Much easier to determine what data not to save than it is to encrypt it in all locations and forms.
• Tokenization and obfuscation can be a better solution for some use cases
• Your strategy is bound to fail without an investment in encryption key management technology and a sound operational program
• Much easier to build separate computing infrastructure that supports the encryption plan and have the data repositories migrated over
• Many network and application systems have encryption capabilities built in that can be leveraged; most are rarely configured.
Questions