1

Encryption Encryption Information ForumInformation Forum

Theresa A. Masse, State Chief Information Theresa A. Masse, State Chief Information Security OfficerSecurity Officer

Department of Administrative ServicesDepartment of Administrative ServicesEnterprise Security OfficeEnterprise Security Office

2

AgendaAgenda Encryption overviewEncryption overview Agency PanelAgency Panel

Oregon Department of Transportation Oregon Department of Transportation Oregon Employment DepartmentOregon Employment Department Oregon LotteryOregon Lottery

Statewide ContractsStatewide Contracts Q&AQ&A

3

Encryption OverviewEncryption Overview

Richard Woodford, Security AnalystRichard Woodford, Security Analyst

Enterprise Security OfficeEnterprise Security Office

Department of Administrative Department of Administrative ServicesServices

4

What is encryption? What is encryption? ““In In cryptography, encryptionencryption is the is the

process of transforming process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.”

-Wikipedia (2008)-Wikipedia (2008)

5

Need for Encryption … Need for Encryption … Keep confidential information safeKeep confidential information safe Prevent exposure of information while Prevent exposure of information while

in transit across an unsecure mediumin transit across an unsecure medium Prevent exposure of information when Prevent exposure of information when

a storage device is lost or stolena storage device is lost or stolen Oregon Identity Theft Protection Act Oregon Identity Theft Protection Act

(Senate Bill 583) “safe harbor”(Senate Bill 583) “safe harbor” Due careDue care

6

Oregon Consumer Identity Oregon Consumer Identity TheftTheft

Protection Act Protection Act Senate Bill 583 (2007 Legislative Senate Bill 583 (2007 Legislative

session)session) “ … “ … one or more of the following data one or more of the following data

elements, when the data elements are elements, when the data elements are not rendered unusable through not rendered unusable through encryption”encryption”

First name, last nameFirst name, last name

Social Security number, drivers license Social Security number, drivers license number, passport, financial account number, number, passport, financial account number, credit card numbercredit card number

7

““Safe Harbor”Safe Harbor” What’s good enough?What’s good enough? VJKU KU GPETARVGFVJKU KU GPETARVGF

Cipher – alphabetically shiftedCipher – alphabetically shifted Key – +2 Key – +2

SB 583 does not specify strengthSB 583 does not specify strength Reasonable careReasonable care

““Strong encryption” – 128-bitStrong encryption” – 128-bit Common minimum standard is FIPS Common minimum standard is FIPS

140-2 (see http://csrc.nist.gov)140-2 (see http://csrc.nist.gov)

8

Other DriversOther Drivers All applicable regulations should be All applicable regulations should be

examined for requirementsexamined for requirements HIPAAHIPAA Payment Card Industry (PCI) Payment Card Industry (PCI)

requirementsrequirements Sarbanes-OxleySarbanes-Oxley Statewide policiesStatewide policies

Information Asset ClassificationInformation Asset Classification Transporting Information AssetsTransporting Information Assets Controlling Portable and Removable DevicesControlling Portable and Removable Devices

Department policiesDepartment policies

9

Other DriversOther Drivers Other considerationsOther considerations

Mitigation costsMitigation costs Public trustPublic trust

10

When to Use EncryptionWhen to Use Encryption In any case where data could be at In any case where data could be at

risk from theft or eavesdroppingrisk from theft or eavesdropping Wireless networksWireless networks Transmitting data over public network Transmitting data over public network

(e.g. the Internet)(e.g. the Internet) Web pages (SSL)Web pages (SSL) E-mailE-mail

Data at RestData at Rest Portable devicesPortable devices

LaptopsLaptops Thumb drivesThumb drives

11

When to Use EncryptionWhen to Use Encryption Any device at risk of theft or exposureAny device at risk of theft or exposure Extra-sensitive dataExtra-sensitive data

12

Data at RestData at Rest Hardware basedHardware based

Built in to the hardware deviceBuilt in to the hardware device AdvantagesAdvantages

Automatically encrypts dataAutomatically encrypts data FastFast

DisadvantagesDisadvantages ProprietaryProprietary Lack of central managementLack of central management

13

Data at RestData at Rest Software basedSoftware based

AdvantagesAdvantages Lower costLower cost Does not require specific hardwareDoes not require specific hardware

DisadvantagesDisadvantages Need to install, activate and manage it, Need to install, activate and manage it,

make sure it’s being usedmake sure it’s being used

14

Software SolutionsSoftware Solutions File based (PGP, Winzip)File based (PGP, Winzip)

Done on a file-by-file basis (only protects Done on a file-by-file basis (only protects file)file)

Not automaticNot automatic Dependent on end-userDependent on end-user

Volume based (TrueCrypt)Volume based (TrueCrypt) An encrypted “virtual drive” is createdAn encrypted “virtual drive” is created All files written are encrypted automaticallyAll files written are encrypted automatically Does not necessarily encrypt all files – for Does not necessarily encrypt all files – for

example, Windows system files, security example, Windows system files, security files, temp files …files, temp files …

15

Software SolutionsSoftware Solutions Disk based (whole-disk encryption)Disk based (whole-disk encryption)

Encrypts entire drive (most secure)Encrypts entire drive (most secure) Automatic; transparent to the userAutomatic; transparent to the user But … if you lock yourself out, you’re in But … if you lock yourself out, you’re in

troubletrouble Need administrative controlNeed administrative control

16

Key ManagementKey Management Elephant in the room – the only other Elephant in the room – the only other

requirement set forth by the requirement set forth by the Department of Defense policyDepartment of Defense policy ““Mechanism to recover data if the primary Mechanism to recover data if the primary

encryption system fails”encryption system fails” Need for the organization to keep control Need for the organization to keep control

of the keys rather than individualsof the keys rather than individuals Lost passwordsLost passwords Lost individualsLost individuals Access control (control of data, investigations)Access control (control of data, investigations)

17

Bad PracticesBad Practices Data encrypted with a single-key Data encrypted with a single-key

system is a security risk to the system is a security risk to the organizationorganization

Added note…Added note… ““If I accidently leave my computer If I accidently leave my computer

unlocked and someone gets it, I don’t have unlocked and someone gets it, I don’t have to worry because the hard disk is to worry because the hard disk is encrypted…”encrypted…”

Risk of sleepingRisk of sleeping Full disk encryption vulnerabilityFull disk encryption vulnerability Turn systems offTurn systems off Bad practices trump good securityBad practices trump good security

18

ESO RecommendationsESO Recommendations Develop agency-wide strategy and Develop agency-wide strategy and

approach to encryptionapproach to encryption Centralize key management and Centralize key management and

recovery processesrecovery processes Do some research and planningDo some research and planning When justifying cost, consider cost of When justifying cost, consider cost of

data disclosures, lost data and data disclosures, lost data and reputationreputation

Look for group purchase opportunitiesLook for group purchase opportunities

19

Some Good ProductsSome Good Products http://www.guardianedge.com/http://www.guardianedge.com/

shared/sb_overview.pdfshared/sb_overview.pdf http://www.pgp.com/products/http://www.pgp.com/products/

wholediskencryption/index.htmlwholediskencryption/index.html http://www.checkpoint.com/http://www.checkpoint.com/

products/datasecurity/protector/products/datasecurity/protector/index.htmlindex.html

http://www.safeboot.com/http://www.safeboot.com/

20

Agency PanelAgency Panel

Cindy Slye, Oregon Department of Cindy Slye, Oregon Department of TransportationTransportation

Marty Liddell, Oregon Employment Marty Liddell, Oregon Employment DepartmentDepartment

John McKean, Oregon LotteryJohn McKean, Oregon Lottery

21

Agency PanelAgency Panel

Cindy Slye, Project ManagerCindy Slye, Project Manager

Oregon Department of TransportationOregon Department of Transportation

Business Drivers New DAS EIS Policies:

Information Security Employee Security Controlling Portable and Removable

Storage Devices Transporting Confidential Information

Business Drivers Compliance with:

Regulated mandates – Federal Motor Carrier Safety Administration (FMCSA)

Senate Bill 583 ODOT policies and guidelines

Project Objective Find the best data encryption

product that can protect sensitive data by: Securing information on mobile devices Securing information on removable

devices Providing the best comprehensive

solution to cover all areas Simplifying deployment, maintenance

and data backup

How Does It Align With Our Goals?

ODOT IT Strategic Plan

Senate Bill 583

DAS PolicyControlling Portable

and Removable Storage Devices

Federal Motor Carrier Safety Administration

ODOT Security Fabric Initiative

Protect, Manage Protect, Manage Protect, Manage

Consequences What are the consequences of

compromising sensitive information? Negative publicity Loss of customer confidence Damaged reputation Financial loss

Safe Harbor Provision Data encryption is the most effective

solution for safeguarding sensitive electronic data

Data encryption is identified as an acceptable “Safe Harbor” approach in providing privacy assurances If the information is properly encrypted:

No further duty It may be assumed that no privacy breach has

occurred Risk mitigation approach that limits agency

liability Enhances trust in the event of a security breach

Candidates We Considered

Why Guardian Edge? Guardian Edge clearly met ODOT

business requirements: Strong Active Directory Integration Ease of Use Robust Management Console (MMC) Facilitates Compliance with DAS and

ODOT Security Policies

Magic Quadrant for Mobile Data Protection

Project TimelineDate Milestone

January 2007 Project Kick-off

June 2007 Opportunity Evaluation approval

July 2007 Product evaluations and pilot

September 2007

Product selection

October 2007 ICOI presentation, ADM approvals

December 2007 ODOT and DAS CIO approval, IRR approval

April 2008 ASAP Order Confirmation

May 2008 First Phase Motor Carrier Pilot Deployment

TBD Remaining Motor Carrier Deployments

TBD Financial Services Deployment

Lessons Learned Things to consider:

What value (strategic and operational) should this project create?

Organize the work and follow a process Understand the priority given other work Plan for risk – how to avoid and prepare for

it What will motivate people to adopt this

change? Set expectations Communication Training

33

Agency PanelAgency Panel

Marty Liddell, Infrastructure ArchitectMarty Liddell, Infrastructure Architect

Oregon Employment DepartmentOregon Employment Department

What made OED encrypt Response to Senate Bill 583 Significant amount of personally

identifiable information including ssn, name, address, dob

Information collected is required to provide services

Many staff use mobile computing devices including laptops to collect information

ITS is committed to protecting the information assets of the agency

Requirements Ability to encrypt full hard drive Ease of internal support Key management Recoverable Keys when agents are

in field Ability to easily integrate into

existing architecture Ease of use by end user

Process of choosing product

Researched products Guardian Edge Pointsec

• Demo products• Pilot product

Decision points Integration into Active Directory Single sign-on Capability Familiarity with administration

toolset Key management

Security questions One-time password reset Recoverable hard drive in case of

investigation

Deployment Created security groups in Active

Directory Automatically installed software

client on PC when customer logged in

Monitor progress Don’t forget helpdesk and end user

training!

Lessons learned Do NOT double encrypt a computer

Very bad (total loss of data) Angry user

Provide good documentation to the end user

Define a process for shared computer resources

Moving forward GE Removable Storage Encryption GE Device Control Remote file server encryption Desktop encryption Email encryption

41

Agency PanelAgency Panel

John McKean, Sr. Systems Security John McKean, Sr. Systems Security Admin.Admin.

Oregon LotteryOregon Lottery

PGP Universal Server Key Management Centralized Policy Enforcement Whole Disk Encryption (deployed) Desktop Email Encryption (future) Gateway Email (Future)

Transparent to user Encrypts automatically at the gateway Requires recipient to have similar

technology

The “USB Problem” Easily lost or stolen Lottery USB’s have onboard

encryption Non-Lottery USB’s not allowed! TriGeo SIM (Security Information

Manager) Logs all USB access Enforces Lottery USB Policy

Electronic Rights Management Defined

Secures content with strong encryption Protection cannot be removed Controls and audits data access:

Users work normally using their existing applications

Defines authorized uses through workflows, directory groups, and user

Read Modify Print Screen Capture

Paste Copy E-Mail Network transfer

Where ERM Fits In

Data at Rest Data in Motion Data in Use

Secure Transport/DeliverySecure Transport/DeliverySSL, Postx, PGPSSL, Postx, PGP

Secure Transport/DeliverySecure Transport/DeliverySSL, Postx, PGPSSL, Postx, PGP

PKI ProductsPKI ProductsEntrust, PGP, VoltageEntrust, PGP, Voltage

PKI ProductsPKI ProductsEntrust, PGP, VoltageEntrust, PGP, Voltage

Enterprise Content Management Enterprise Content Management DCTM, LiveLink, SharePointDCTM, LiveLink, SharePoint

Enterprise Content Management Enterprise Content Management DCTM, LiveLink, SharePointDCTM, LiveLink, SharePoint

Content Filtering and MonitoringContent Filtering and MonitoringVericept, Vontu, Orchestria, VerdasysVericept, Vontu, Orchestria, Verdasys

Content Filtering and MonitoringContent Filtering and MonitoringVericept, Vontu, Orchestria, VerdasysVericept, Vontu, Orchestria, Verdasys

Enterprise Rights ManagementEnterprise Rights ManagementLiquid Machines, Microsoft RMS, OthersLiquid Machines, Microsoft RMS, Others

Enterprise Rights ManagementEnterprise Rights ManagementLiquid Machines, Microsoft RMS, OthersLiquid Machines, Microsoft RMS, Others

Gra

nu

lari

ty

of

Con

trols

Usa

ge

Acc

ess

Full Disk EncryptionFull Disk EncryptionEFS, PointsecEFS, Pointsec

Full Disk EncryptionFull Disk EncryptionEFS, PointsecEFS, Pointsec

Network Security ToolsNetwork Security ToolsFirewalls, VPNs, ACLsFirewalls, VPNs, ACLsNetwork Security ToolsNetwork Security ToolsFirewalls, VPNs, ACLsFirewalls, VPNs, ACLs

Considerations when selecting an ERM

User Experience User adoption is the most important

factor Expect resistance if difficult to use Protection goals must be enforced

automatically Users must be aware protection is in

effect Users want to work normally

How ERM Works

Content protected at rest or in transit

ERM Server

Content encrypted and usage rights applied

1

Read Only

Read & Print

Read, Edit, Print, & Offline enabled with

expiration2

3

Connection required for

offline renewal

Content protected in use

ECM System

LOB App File server

48

Statewide ContractsStatewide Contracts Price Agreement #2257 – ASAP Price Agreement #2257 – ASAP

Software ExpressSoftware Express Mandatory for state agency purchase Mandatory for state agency purchase

of shrink-wrapped (out of the box) of shrink-wrapped (out of the box) desktop softwaredesktop software

SPO Contact: Chris Mahoney, (503) SPO Contact: Chris Mahoney, (503) 378-2998, chris.mahoney@state.or.us378-2998, chris.mahoney@state.or.us

ASAP Contact: Brad Hickey, (888) ASAP Contact: Brad Hickey, (888) 883-1025, bhickey@asap.com883-1025, bhickey@asap.com

49

For further information For further information ……

Theresa Masse, DAS Enterprise Security Theresa Masse, DAS Enterprise Security OfficeOffice(503) 378-4896, theresa.a.masse@state.or.us(503) 378-4896, theresa.a.masse@state.or.us

Richard Woodford, DAS Enterprise Richard Woodford, DAS Enterprise Security OfficeSecurity Office(503) 378-4518, richard.woodford@state.or.us(503) 378-4518, richard.woodford@state.or.us

Cindy Slye, Department of TransportationCindy Slye, Department of Transportation(503) 986-3234, cindy.slye@state.or.us (503) 986-3234, cindy.slye@state.or.us

Marty Liddell, Employment DepartmentMarty Liddell, Employment Department(503) 947-1627, marty.m.liddell@state.or.us (503) 947-1627, marty.m.liddell@state.or.us

John McKean, Oregon LotteryJohn McKean, Oregon Lottery(503) , john.mckean@state.or.us (503) , john.mckean@state.or.us

50

Next Forum …Next Forum …

Information Security Information Security PlansPlans

Tools and TechniquesTools and Techniques

Panel PresentationPanel Presentation

June 23, 2008June 23, 2008