McAfee Endpoint Encryption Presenter Name Presentation Date.
Encryption Forum presentation
Transcript of Encryption Forum presentation

Encryption Information Forum
Theresa A. Masse, State Chief Information Security Officer
Department of Administrative Services, Enterprise Security Office
Agenda
- Encryption overview
- Agency Panel
  - Oregon Department of Transportation
  - Oregon Employment Department
  - Oregon Lottery
- Statewide Contracts
- Q&A
Encryption Overview
Richard Woodford, Security Analyst
Enterprise Security Office
Department of Administrative Services
What is encryption?
"In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key."
- Wikipedia (2008)
Need for Encryption ...
- Keep confidential information safe
- Prevent exposure of information while in transit across an unsecure medium
- Prevent exposure of information when a storage device is lost or stolen
- Oregon Identity Theft Protection Act (Senate Bill 583) "safe harbor"
- Due care
Oregon Consumer Identity Theft Protection Act
Senate Bill 583 (2007 Legislative session)
"... one or more of the following data elements, when the data elements are not rendered unusable through encryption"
- First name, last name
- Social Security number, driver's license number, passport, financial account number, credit card number
"Safe Harbor"
What's good enough?
VJKU KU GPETARVGF
- Cipher: alphabetically shifted
- Key: +2
SB 583 does not specify strength
- Reasonable care
- "Strong encryption": 128-bit
- Common minimum standard is FIPS 140-2 (see http://csrc.nist.gov)
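The slide's "VJKU KU GPETARVGF" is an alphabetic shift of +2, and the point of the slide is that such a scheme does not meet a reasonable-care bar. The following added example (written for this transcript, not taken from the forum slides) decrypts the slide's string with the stated key and then tries every possible key, which is the simplest way to see how small a 26-value key space is next to the 128-bit "strong encryption" the slide contrasts it with. The function names and the key-space comparison are the editor's own.

```python
"""Added example: decrypt the slide's shifted text and show why an alphabetic
shift offers no real protection (its whole key space can be enumerated)."""
import math
import string

ALPHABET = string.ascii_uppercase

# Ciphertext exactly as printed on the slide.
SLIDE_CIPHERTEXT = "VJKU KU GPETARVGF"


def shift_cipher(text: str, key: int) -> str:
    """Shift each A-Z letter by `key` positions (mod 26); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decrypt_with_key(ciphertext: str, key: int) -> str:
    """Undo a +key shift (the slide's key is +2)."""
    return shift_cipher(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """Every candidate plaintext: there are only 26 keys, so no secret is kept."""
    return {k: decrypt_with_key(ciphertext, k) for k in range(26)}


def key_space_bits(n_keys: int) -> float:
    """Effective key length in bits for a cipher with n_keys possible keys."""
    return math.log2(n_keys)


if __name__ == "__main__":
    print("key +2 :", decrypt_with_key(SLIDE_CIPHERTEXT, 2))
    for k, candidate in brute_force(SLIDE_CIPHERTEXT).items():
        print(f"key {k:2d}: {candidate}")
    print(f"shift cipher key space: {key_space_bits(26):.1f} bits "
          f"(a 128-bit key has 2**128 possibilities)")
```

Run it and the candidate list makes the slide's argument for it: one of the 26 lines is readable English, and the whole list costs nothing to produce. A cipher whose key can be guessed on a single screen is not "rendered unusable" in the sense the statute requires, which is why the slide points to FIPS 140-2 validated algorithms as the practical minimum.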
Other Drivers
All applicable regulations should be examined for requirements
- HIPAA
- Payment Card Industry (PCI) requirements
- Sarbanes-Oxley
- Statewide policies
  - Information Asset Classification
  - Transporting Information Assets
  - Controlling Portable and Removable Devices
- Department policies
Other Drivers
Other considerations
- Mitigation costs
- Public trust
When to Use Encryption
In any case where data could be at risk from theft or eavesdropping
- Wireless networks
- Transmitting data over public network (e.g. the Internet)
  - Web pages (SSL)
  - E-mail
- Data at Rest
  - Portable devices
    - Laptops
    - Thumb drives
When to Use Encryption
- Any device at risk of theft or exposure
- Extra-sensitive data
Data at Rest
Hardware based
- Built in to the hardware device
- Advantages
  - Automatically encrypts data
  - Fast
- Disadvantages
  - Proprietary
  - Lack of central management
Data at Rest
Software based
- Advantages
  - Lower cost
  - Does not require specific hardware
- Disadvantages
  - Need to install, activate and manage it, make sure it's being used
Software Solutions
File based (PGP, Winzip)
- Done on a file-by-file basis (only protects file)
- Not automatic
- Dependent on end-user
Volume based (TrueCrypt)
- An encrypted "virtual drive" is created
- All files written are encrypted automatically
- Does not necessarily encrypt all files; for example, Windows system files, security files, temp files ...
Software Solutions
Disk based (whole-disk encryption)
- Encrypts entire drive (most secure)
- Automatic; transparent to the user
- But ... if you lock yourself out, you're in trouble
- Need administrative control
Key Management
- Elephant in the room: the only other requirement set forth by the Department of Defense policy
  "Mechanism to recover data if the primary encryption system fails"
- Need for the organization to keep control of the keys rather than individuals
  - Lost passwords
  - Lost individuals
  - Access control (control of data, investigations)
Bad Practices
- Data encrypted with a single-key system is a security risk to the organization
Added note ...
- "If I accidentally leave my computer unlocked and someone gets it, I don't have to worry because the hard disk is encrypted ..."
  - Risk of sleeping
  - Full disk encryption vulnerability
  - Turn systems off
  - Bad practices trump good security
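The two preceding slides make one argument: the organization, not only the individual, needs a way to recover the data key, because a single-key system turns a forgotten password or a departed employee into lost data. The following added example (the editor's illustration, not code from the forum or from any product named on the slides) shows the layout that whole-disk products use to meet that requirement: a random data encryption key is wrapped once under a key derived from the user's password and once under an organization-held recovery key, so either path unlocks the same key. The wrapping primitive here (an HMAC-SHA256 keystream plus an HMAC tag) is a stand-in for a real key-wrap such as AES Key Wrap, chosen only so the script runs on the Python standard library; the function names, the passwords and the `escrow` flag are constructed for the demonstration.

```python
"""Added example: key escrow versus a single-key system.
Stand-in key wrap (HMAC-SHA256 keystream + HMAC tag) used in place of AES Key Wrap
so this runs with the standard library only."""
import hashlib
import hmac
import os

KEY_LEN = 32            # 256-bit data encryption key (DEK)
PBKDF2_ITERS = 200_000  # cost of deriving the user's key-encryption key (KEK)


def derive_user_kek(password: str, salt: bytes) -> bytes:
    """KEK derived from the user's password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS, KEY_LEN)


def wrap(kek: bytes, dek: bytes) -> dict:
    """Wrap a 32-byte DEK under a 32-byte KEK: nonce, masked key and integrity tag."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(kek, b"tag" + nonce + wrapped, hashlib.sha256).digest()
    return {"nonce": nonce, "wrapped": wrapped, "tag": tag}


def unwrap(kek: bytes, blob: dict):
    """Return the DEK, or None when the KEK is wrong (tag does not verify)."""
    expected = hmac.new(kek, b"tag" + blob["nonce"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = hmac.new(kek, b"wrap" + blob["nonce"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["wrapped"], stream))


def provision_device(password: str, org_recovery_key: bytes, escrow: bool = True) -> tuple:
    """Create a fresh DEK; wrap it for the user and, if escrow is on, for the organization."""
    salt = os.urandom(16)
    dek = os.urandom(KEY_LEN)
    record = {"salt": salt, "user": wrap(derive_user_kek(password, salt), dek)}
    if escrow:
        record["org"] = wrap(org_recovery_key, dek)   # the organization's recovery path
    return record, dek


def recover_with_password(record: dict, password: str):
    """The everyday path: the user's password unlocks the DEK."""
    return unwrap(derive_user_kek(password, record["salt"]), record["user"])


def recover_with_org_key(record: dict, org_recovery_key: bytes):
    """The recovery path: only exists when the DEK was escrowed at provisioning."""
    if "org" not in record:
        return None   # single-key system: a lost password is lost data
    return unwrap(org_recovery_key, record["org"])


def demo() -> dict:
    """Constructed scenario: a user forgets the password after the device was provisioned."""
    org_key = os.urandom(KEY_LEN)   # held by the organization, never by the end user
    escrowed, dek_escrowed = provision_device("correct horse", org_key, escrow=True)
    single, dek_single = provision_device("correct horse", org_key, escrow=False)
    return {
        "escrow_user_ok": recover_with_password(escrowed, "correct horse") == dek_escrowed,
        "escrow_wrong_pw_fails": recover_with_password(escrowed, "forgotten") is None,
        "escrow_org_recovers": recover_with_org_key(escrowed, org_key) == dek_escrowed,
        "single_wrong_pw_fails": recover_with_password(single, "forgotten") is None,
        "single_org_cannot_recover": recover_with_org_key(single, org_key) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {ok}")
```

The design choice worth noticing is that the data key itself never changes between the two paths; only the wrapping does. That is what lets a help desk reset a password (re-wrap the same DEK under a new user KEK) without re-encrypting the disk, and what lets an investigation proceed with the organization's recovery key when the individual is unavailable. The recovery key is a high-value secret in its own right and belongs in the centralized key management the ESO recommendations call for, not on the device.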
ESO Recommendations
- Develop agency-wide strategy and approach to encryption
- Centralize key management and recovery processes
- Do some research and planning
- When justifying cost, consider cost of data disclosures, lost data and reputation
- Look for group purchase opportunities
Some Good Products
- http://www.guardianedge.com/shared/sb_overview.pdf
- http://www.pgp.com/products/wholediskencryption/index.html
- http://www.checkpoint.com/products/datasecurity/protector/index.html
- http://www.safeboot.com/
Agency Panel
- Cindy Slye, Oregon Department of Transportation
- Marty Liddell, Oregon Employment Department
- John McKean, Oregon Lottery
Agency Panel
Cindy Slye, Project Manager
Oregon Department of Transportation
Business Drivers
New DAS EIS Policies:
- Information Security
- Employee Security
- Controlling Portable and Removable Storage Devices
- Transporting Confidential Information
Business Drivers
Compliance with:
- Regulated mandates: Federal Motor Carrier Safety Administration (FMCSA)
- Senate Bill 583
- ODOT policies and guidelines
Project Objective
Find the best data encryption product that can protect sensitive data by:
- Securing information on mobile devices
- Securing information on removable devices
- Providing the best comprehensive solution to cover all areas
- Simplifying deployment, maintenance and data backup
How Does It Align With Our Goals?
- ODOT IT Strategic Plan
- Senate Bill 583
- DAS Policy: Controlling Portable and Removable Storage Devices
- Federal Motor Carrier Safety Administration
- ODOT Security Fabric Initiative
(Diagram labels: Protect, Manage)
Consequences
What are the consequences of compromising sensitive information?
- Negative publicity
- Loss of customer confidence
- Damaged reputation
- Financial loss
Safe Harbor Provision
- Data encryption is the most effective solution for safeguarding sensitive electronic data
- Data encryption is identified as an acceptable "Safe Harbor" approach in providing privacy assurances
- If the information is properly encrypted:
  - No further duty
  - It may be assumed that no privacy breach has occurred
- Risk mitigation approach that limits agency liability
- Enhances trust in the event of a security breach
Candidates We Considered
Why Guardian Edge?
Guardian Edge clearly met ODOT business requirements:
- Strong Active Directory Integration
- Ease of Use
- Robust Management Console (MMC)
- Facilitates Compliance with DAS and ODOT Security Policies
(Figure: Magic Quadrant for Mobile Data Protection)
Project Timeline

Date            Milestone
January 2007    Project Kick-off
June 2007       Opportunity Evaluation approval
July 2007       Product evaluations and pilot
September 2007  Product selection
October 2007    ICOI presentation, ADM approvals
December 2007   ODOT and DAS CIO approval, IRR approval
April 2008      ASAP Order Confirmation
May 2008        First Phase Motor Carrier Pilot Deployment
TBD             Remaining Motor Carrier Deployments
TBD             Financial Services Deployment
Lessons Learned
Things to consider:
- What value (strategic and operational) should this project create?
- Organize the work and follow a process
- Understand the priority given other work
- Plan for risk: how to avoid and prepare for it
- What will motivate people to adopt this change?
- Set expectations
- Communication
- Training
Agency Panel
Marty Liddell, Infrastructure Architect
Oregon Employment Department
What made OED encrypt
- Response to Senate Bill 583
- Significant amount of personally identifiable information including SSN, name, address, DOB
- Information collected is required to provide services
- Many staff use mobile computing devices including laptops to collect information
- ITS is committed to protecting the information assets of the agency
Requirements
- Ability to encrypt full hard drive
- Ease of internal support
- Key management
- Recoverable keys when agents are in field
- Ability to easily integrate into existing architecture
- Ease of use by end user
Process of choosing product
- Researched products: Guardian Edge, Pointsec
- Demo products
- Pilot product
Decision points
- Integration into Active Directory
- Single sign-on capability
- Familiarity with administration toolset
- Key management
Security questions
- One-time password reset
- Recoverable hard drive in case of investigation
Deployment
- Created security groups in Active Directory
- Automatically installed software client on PC when customer logged in
- Monitor progress
- Don't forget helpdesk and end user training!
Lessons learned
- Do NOT double encrypt a computer
  - Very bad (total loss of data)
  - Angry user
- Provide good documentation to the end user
- Define a process for shared computer resources
Moving forward
- GE Removable Storage Encryption
- GE Device Control
- Remote file server encryption
- Desktop encryption
- Email encryption
Agency Panel
John McKean, Sr. Systems Security Admin.
Oregon Lottery
PGP Universal Server
- Key Management
- Centralized Policy Enforcement
- Whole Disk Encryption (deployed)
- Desktop Email Encryption (future)
- Gateway Email (future)
  - Transparent to user
  - Encrypts automatically at the gateway
  - Requires recipient to have similar technology
The "USB Problem"
- Easily lost or stolen
- Lottery USBs have onboard encryption
- Non-Lottery USBs not allowed!
- TriGeo SIM (Security Information Manager)
  - Logs all USB access
  - Enforces Lottery USB Policy
Electronic Rights Management Defined
- Secures content with strong encryption
- Protection cannot be removed
- Controls and audits data access: users work normally using their existing applications
- Defines authorized uses through workflows, directory groups, and user
  - Read, Modify, Print, Screen Capture
  - Paste, Copy, E-Mail, Network transfer
Where ERM Fits In
(Diagram: columns Data at Rest / Data in Motion / Data in Use; vertical axis "Granularity of Controls", from Access up to Usage. Product categories placed on the diagram:)
- Secure Transport/Delivery: SSL, Postx, PGP
- PKI Products: Entrust, PGP, Voltage
- Enterprise Content Management: DCTM, LiveLink, SharePoint
- Content Filtering and Monitoring: Vericept, Vontu, Orchestria, Verdasys
- Enterprise Rights Management: Liquid Machines, Microsoft RMS, Others
- Full Disk Encryption: EFS, Pointsec
- Network Security Tools: Firewalls, VPNs, ACLs
Considerations when selecting an ERM
User Experience
- User adoption is the most important factor
- Expect resistance if difficult to use
- Protection goals must be enforced automatically
- Users must be aware protection is in effect
- Users want to work normally
How ERM Works
(Diagram: an ERM Server fed by an ECM System, an LOB App and a File server; steps numbered 1 to 3.)
- Content encrypted and usage rights applied (1): Read Only; Read & Print; Read, Edit, Print, & Offline enabled with expiration (2)
- Content protected at rest or in transit
- Content protected in use (3); connection required for offline renewal
Statewide Contracts
- Price Agreement #2257: ASAP Software Express
- Mandatory for state agency purchase of shrink-wrapped (out of the box) desktop software
- SPO Contact: Chris Mahoney, (503) 378-2998, [email protected]
- ASAP Contact: Brad Hickey, (888) 883-1025, [email protected]
For further information ...
- Theresa Masse, DAS Enterprise Security Office, (503) 378-4896, [email protected]
- Richard Woodford, DAS Enterprise Security Office, (503) 378-4518, [email protected]
- Cindy Slye, Department of Transportation, (503) 986-3234, [email protected]
- Marty Liddell, Employment Department, (503) 947-1627, [email protected]
- John McKean, Oregon Lottery, (503) , [email protected]
Next Forum ...
Information Security Plans
Tools and Techniques
Panel Presentation
June 23, 2008