Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing the Impact of a Breach
Encryption has been viewed as the ultimate way to protect sensitive data for compliance. But it has also been considered very complex to implement. Today, encryption is essential to meet compliance objectives, and has become much simpler to implement. The challenge is knowing when and where to use encryption, how it can simplify compliance, what controls need to be in place, and the options for good encryption key management. This session will cover the options for encryption and key management, what each provides, and their requirements. Encryption and key management topics include application-level encryption for data in use, network encryption of data in motion, and storage encryption for data at rest.
2. Please Note
•IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion.
•Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
•The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
•The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
7. Compliance means alignment with global regulations
•Canada: Personal Information Protection & Electronic Documents Act
•USA: Federal, Financial & Healthcare Industry Regulations & State Laws
•Mexico: E-Commerce Law
•Colombia: Political Constitution, Article 15
•Brazil: Constitution, Habeas Data & Code of Consumer Protection & Defense
•Chile: Protection of Personal Data Act
•Argentina: Habeas Data Act
•South Africa: Promotion of Access to Information Act
•United Kingdom: Data Protection Act
•EU: Data Protection Directive
•Switzerland: Federal Law on Data Protection
•Germany: Federal Data Protection Act & State Laws
•Poland: Polish Constitution
•Israel: Protection of Privacy Law
•Pakistan: Banking Companies Ordinance
•Russia: Computerization & Protection of Information / Participation in Int'l Info Exchange
•China: Commercial Banking Law
•Korea: 3 Acts for Financial Data Privacy
•Hong Kong: Privacy Ordinance
•Taiwan: Computer-Processed Personal Data Protection Law
•Japan: Guidelines for the Protection of Computer Processed Personal Data
•India: SEC Board of India Act
•Vietnam: Banking Law
•Philippines: Secrecy of Bank Deposit Act
•Australia: Federal Privacy Amendment Bill
•Singapore: Monetary Authority of Singapore Act
•Indonesia: Bank Secrecy Regulation 8
•New Zealand: Privacy Act
9. Audit Requirements
The Compliance Mandate – What do you need to monitor?
Sources of the audit requirements:
•COBIT (SOX)
•PCI-DSS
•ISO 27002
•Data Privacy & Protection Laws
•NIST SP 800-53 (FISMA)
What they expect you to capture at the database:
1. Access to Sensitive Data (successful and failed SELECTs)
2. Schema Changes (DDL) (CREATE/DROP/ALTER TABLE, etc.)
3. Data Changes (DML) (INSERT, UPDATE, DELETE)
4. Security Exceptions (failed logins, SQL errors, etc.)
5. Accounts, Roles & Permissions (DCL) (GRANT, REVOKE)
DDL = Data Definition Language (schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language (granting and revoking privileges)
11. What is Account Data?
•Cardholder Data (may be stored, but must be protected)
-Primary Account Number (PAN)
-Cardholder Name
-Expiry Date
-Service Code
•Sensitive Authentication Data (may not be stored after authorization, even if encrypted)
-Security Code (CAV2/CVC2/CVV2/CID)
-Full Magnetic Stripe / Chip Data
-PIN / PIN Block
15. Cryptography is fundamental to Compliance
Establishes Privacy of Data in Motion and Data at Rest
•Key exchange establishes the session keys for a communication
•Data in transit is protected using short-lived, single-use session keys
•Data at rest is protected with long-lived keys, so managing those keys is where the effort goes
Establishes Identity
•Being able to encrypt or decrypt proves you are in possession of the key
•Certificates bind that key to additional identity information
Protects against Unauthorized Changes
•Data integrity is provided through keyed hashes (MACs)
•An unkeyed hash only detects accidental corruption of data in transit: anyone who can alter the data can recompute the hash, so a key is needed to detect deliberate tampering
Assigns Ownership to the Data or Message
•Digital signatures create undeniable (non-repudiable) authorship
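The integrity and identity claims on this slide (a keyed hash versus a plain hash, and a digital signature as proof of authorship), as an added example that is not from the original deck or from IBM. It is written in Go against the standard library only; the message, the shared HMAC key, and the attacker's substituted message are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SampleMsg is a constructed record standing in for data sent over a link.
const SampleMsg = "transfer 100.00 from acct 1001 to acct 2002"

// Message carries a body plus the integrity value that travels with it.
type Message struct {
	Body  []byte
	Check []byte
}

// SendPlain attaches an unkeyed SHA-256 digest to the body.
func SendPlain(body []byte) Message {
	sum := sha256.Sum256(body)
	return Message{Body: body, Check: sum[:]}
}

// ReceivePlain accepts the message if the digest matches the body.
func ReceivePlain(m Message) bool {
	sum := sha256.Sum256(m.Body)
	return bytes.Equal(sum[:], m.Check)
}

// Tag computes a keyed hash (HMAC-SHA256) over body under key.
func Tag(key, body []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return mac.Sum(nil)
}

// SendKeyed attaches an HMAC tag computed under the shared key.
func SendKeyed(key, body []byte) Message {
	return Message{Body: body, Check: Tag(key, body)}
}

// ReceiveKeyed recomputes the tag and compares it in constant time.
func ReceiveKeyed(key []byte, m Message) bool {
	return hmac.Equal(Tag(key, m.Body), m.Check)
}

// TamperInTransit is the attacker: it swaps the body and recomputes the
// unkeyed digest, which is the best it can do without the HMAC key.
func TamperInTransit(m Message, newBody []byte) Message {
	sum := sha256.Sum256(newBody)
	return Message{Body: newBody, Check: sum[:]}
}

// Sign produces an Ed25519 signature only the private-key holder can create.
func Sign(priv ed25519.PrivateKey, body []byte) []byte {
	return ed25519.Sign(priv, body)
}

// Verify lets anyone holding the public key check authorship of body.
func Verify(pub ed25519.PublicKey, body, sig []byte) bool {
	return ed25519.Verify(pub, body, sig)
}

func main() {
	key := []byte("constructed shared secret")
	orig := []byte(SampleMsg)
	evil := []byte("transfer 100.00 from acct 1001 to acct 6666")

	fmt.Println("plain digest, tampered, accepted:",
		ReceivePlain(TamperInTransit(SendPlain(orig), evil)))
	fmt.Println("HMAC, tampered, accepted:",
		ReceiveKeyed(key, TamperInTransit(SendKeyed(key, orig), evil)))

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := Sign(priv, orig)
	fmt.Println("signature verifies on original:", Verify(pub, orig, sig))
	fmt.Println("signature verifies on altered:", Verify(pub, evil, sig))
}
```

ReceivePlain accepts the tampered message because the attacker simply recomputed the digest; ReceiveKeyed rejects it because a valid tag needs the key, and hmac.Equal compares in constant time so the check itself does not leak the tag. The signature adds what an HMAC cannot: both ends of an HMAC hold the same key and either could have produced the tag, whereas only the private-key holder can sign, which is the non-repudiable authorship the slide refers to.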
16. Encryption Mitigates Risk
Encryption changes the rules on disclosure:
"If a covered entity chooses to encrypt protected health information, and subsequently discovers a breach of that encrypted information, the covered entity will not be required to provide breach notification because the information is not considered 'unsecured protected health information' as it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals."
Excerpt from the US HITECH Act – Breach Notification for Unsecured Protected Health Information (Aug 2009)
18. Market Drivers and Trends
Companies with encryption strategies are overtaking those without one
Source: 2013 Global Encryption Trends Study – Thales & Ponemon Institute
19. Market Drivers and Trends
Human error is the #1 threat
Source: 2013 Global Encryption Trends Study – Thales & Ponemon Institute
20. Market Drivers and Trends
Encryption usage is no longer just about compliance
Source: 2013 Global Encryption Trends Study – Thales & Ponemon Institute
21. Market Drivers and Trends
Source: 2013 Global Encryption Trends Study – Thales & Ponemon Institute
22. Market Drivers and Trends
Source: 2014 Cost of Data Breach Study – IBM & Ponemon Institute
23. Market Drivers and Trends
Source: 2014 Cost of Data Breach Study – IBM & Ponemon Institute
24. Why Should All Data at Rest be Encrypted?
•Addresses Standards
-Privacy breach disclosure laws
-Protection of financial data
•Keeps sensitive information confidential
-Insider threat
-Lost/stolen tape or disk
-Disk being repaired (solid-state disks fail in a read-only state, so a failed SSD can still be read by whoever receives it)
-Caveat: media-level encryption protects media that leave your control; it does not stop an attacker who reaches the data through a running host or application, where the drive is already unlocked
•Simplifies end-of-life-of-media scenarios
-Destroy the key and the data is unusable
-Cryptographic Erasure (NIST SP 800-88)
-Reduces media disposal costs
25. The Traditional Approach is Changing….
Security is no longer controlled and enforced through the network perimeter
(Diagram: Trusted Intranet hosting the Online Banking Application and the Employee Application, separated by a DMZ from the Untrusted Internet)
26. …. With Mobile and Cloud There Is No Perimeter
Security must be centered on applications and transactions
(Diagram: the Online Banking Application, Investment API Services and Employee Application now deliver mobile apps, consume apps and services, and leverage public clouds across the Trusted Intranet, DMZ and Untrusted Internet)
27. …. and becoming Mobile
In 2000: 720 million mobile subscribers worldwide, 12% of the world's population
In 2012: 6 billion mobile subscribers worldwide, 87% of the world's population
28. Motivation and sophistication are evolving rapidly
(Chart: actors plotted by motivation against sophistication, lowest to highest)
•Nuisance, Curiosity: insiders, spammers, script-kiddies (Nigerian 419 scams, Code Red)
•Monetary Gain: organized crime (Zeus, ZeroAccess, Blackhole Exploit Pack)
•Notoriety, Activism, Defamation: hacktivists (LulzSec, Anonymous)
•National Security, Economic Espionage: nation-state actors, APTs (Stuxnet, Aurora, APT-1)
29. Weak security has a significant impact on your brand
•Minor event: 69% chance of happening*, lasts 19.7 minutes, costs $52,646 per minute
•Moderate event: 37% chance of happening*, lasts about 2 hours, costs $38,069 per minute
•Substantial event: 23% chance of happening*, lasts about 7.5 hours, costs $30,995 per minute
*The IBM 2013 Global Study on the Economic Impact of IT Risk
Most security breaches go undetected for eight months
31. Collaborative IBM teams monitor and analyze the changing threat landscape
Coverage
•20,000+ devices under contract
•3,700+ managed clients worldwide
•15B+ events managed per day
•133 monitored countries (MSS)
•1,000+ security related patents
Depth
•17B analyzed web pages & images
•40M spam & phishing attacks
•76K documented vulnerabilities
•Billions of intrusion attempts daily
•Millions of unique malware samples
33. Increasing risk of attack can undermine CAMS initiatives
(Chart: security incidents by attack type; size of circle estimates relative impact of incident in terms of cost to business)
Attack types: SQL injection, watering hole, physical access, malware, third-party software, DDoS, spear phishing, XSS, undisclosed
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2014
•2011: Year of the breach
•2012: 40% increase
•2013: 500,000,000+ records breached
61% of organizations say data theft and cybercrime are their greatest threats (2012 IBM Global Reputational Risk & IT Study)
$3.5M+ average cost of a data breach (2014 Cost of Data Breach, Ponemon Institute)
34. What is the impact of a data breach, and where are customers most affected?
36. Social media has become a new playground for attackers
Social media is a top target for attacks, and mobile devices are expanding those targets:
-Pre-attack intelligence gathering
-Criminals selling accounts
-Campaigns enticing users to click on malicious links
37. The Cloud is bringing greater opportunity…
•To Users
•To Business
•To Thieves….
How Do We Solve This?
38. First Principles for Encryption and Key Management
•Encryption should not affect performance
•Encryption should be transparent
•Operations management of encryption and key management should be negligible
•Encrypted systems should leverage investments in high availability and security
•Centralize key management
39. Disk and Tape options in IBM Self-Encrypting Storage
Self-encrypting solutions that protect Data-at-Rest:
•DS8870
•DS3500
•XIV
•N series
•TS3500 library
•TS1140 drive
•LTO6 drive
•TS3310 library
•GPFS
40. Self-Encrypting Devices
Security Key Lifecycle Manager (SKLM)
•SKLM is a key distribution and management software solution
•Uses standard protocols (e.g. KMIP, the Key Management Interoperability Protocol)
•Provides centralized key management for self-encrypting drives (tape, disk)
•Lightweight & highly scalable
•SKLM helps customers keep data private, compliant, and encryption keys well-managed
•Helps customers maintain alignment with best practices and compliance
(Diagram: SKLM serving keys over KMIP to the following clients)
•Cloud file systems (GPFS, Netezza, etc.)
•Databases
•Smart meter infrastructures
•Switches / networking
•Disk storage arrays, e.g. DS8000, DS5xxx, XIV, …
•Enterprise tape libraries, e.g. TS11xx, TS2xxx, TS3xxx
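The model behind this slide and slide 24, as an added example that is not IBM's code and not how SKLM or any IBM drive is actually implemented: a central key manager that holds key-encryption keys (KEKs) and hands clients nothing but wrapped or unwrapped data-encryption keys (DEKs), a self-encrypting device whose media key exists on the device only in wrapped form, and the cryptographic-erase step from slide 24, where destroying the key is what makes the media unusable. It is written in Go with the standard library only; KeyManager, Device, the KEK ID and SampleRecord are constructed assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// SampleRecord is a constructed block of media content.
var SampleRecord = []byte("PAN=4111111111111111;name=J. Doe;exp=12/19")

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM; every key here is 32 bytes, so the constructors cannot fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal prepends a random 12-byte nonce; open fails authentication under any other key.
func seal(key, plaintext []byte) []byte {
	nonce := randomBytes(12)
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// KeyManager stands in for a central key server: it holds KEKs by ID and only wraps or unwraps DEKs, so KEK material never leaves it.
type KeyManager map[string][]byte

func (km KeyManager) Wrap(kekID string, dek []byte) ([]byte, error) {
	kek, ok := km[kekID]
	if !ok {
		return nil, fmt.Errorf("KEK %s is unknown or destroyed", kekID)
	}
	return seal(kek, dek), nil
}

func (km KeyManager) Unwrap(kekID string, wrapped []byte) ([]byte, error) {
	kek, ok := km[kekID]
	if !ok {
		return nil, fmt.Errorf("KEK %s is unknown or destroyed", kekID)
	}
	return open(kek, wrapped)
}

// Destroy zeroises and forgets a KEK: the cryptographic-erase step.
func (km KeyManager) Destroy(kekID string) {
	for i := range km[kekID] {
		km[kekID][i] = 0
	}
	delete(km, kekID)
}

// Device models a self-encrypting drive: media encrypted under a DEK that the device stores only in wrapped form, tagged with the wrapping KEK's ID.
type Device struct {
	KEKID      string
	WrappedDEK []byte
	Media      []byte
}

func Provision(km KeyManager, kekID string, plaintext []byte) (*Device, error) {
	dek := randomBytes(32)
	wrapped, err := km.Wrap(kekID, dek)
	if err != nil {
		return nil, err
	}
	return &Device{KEKID: kekID, WrappedDEK: wrapped, Media: seal(dek, plaintext)}, nil
}

// Read unlocks the device by asking the key manager for its DEK.
func (d *Device) Read(km KeyManager) ([]byte, error) {
	dek, err := km.Unwrap(d.KEKID, d.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, d.Media)
}

func main() {
	km := KeyManager{"kek-2014": randomBytes(32)}
	dev, _ := Provision(km, "kek-2014", SampleRecord)
	rec, err := dev.Read(km)
	fmt.Printf("before erase: %q err=%v\n", rec, err)
	km.Destroy("kek-2014") // cryptographic erase; the media bytes are untouched
	_, err = dev.Read(km)
	fmt.Println("after erase:", err)
}
```

Read succeeds only while the key manager can still unwrap the DEK; after Destroy the media bytes are unchanged, but no key exists that can open them, which is why disposal needs no overwrite pass. Keeping the media bound to the DEK rather than to the KEK is what makes central key management cheap to operate: rotating or retiring a KEK means re-wrapping 32 bytes of DEK, not re-encrypting the media. The caveat from slide 24 still applies: a powered, unlocked device hands cleartext to anything that can read it, so this protects media, not a live host.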
42. Reaching security maturity (13-09-17)
(Matrix: each domain at the Basic, Proficient and Optimized levels)
Security Intelligence (spans all domains)
-Optimized: Predictive analytics, big data workbench, flow analytics
-Proficient: SIEM and vulnerability management
-Basic: Log management
Advanced Fraud Protection
People
-Optimized: Identity governance, fine-grained entitlements, privileged user management
-Proficient: User provisioning, access management, strong authentication
-Basic: Directory management
Data
-Optimized: Data governance, encryption key management, fraud detection
-Proficient: Data masking / redaction, database activity monitoring, data loss prevention
-Basic: Encryption, database access control
Applications
-Optimized: Hybrid scanning and correlation
-Proficient: Web application protection, source code scanning
-Basic: Application scanning
Infrastructure
-Optimized: Multi-faceted network protection, anomaly detection, hardened systems
-Proficient: Virtualization security, asset management, endpoint / network security management
-Basic: Perimeter security, host security, anti-virus
43. Security challenges are a complex, four-dimensional puzzle…
•People: employees, consultants, outsourcers, customers, suppliers, partners, attackers
•Data: at rest and in motion; structured and unstructured
•Applications: systems applications, web applications, Web 2.0, mobile applications
•Infrastructure: datacenters, PCs, laptops, mobile, cloud, non-traditional
44. …that requires a new approach that combines encryption with Security Intelligence
Then → Now (smarter defenses):
•People: Administration → Insight
•Data: Basic control → Collect and analyze everything
•Applications: Bolt-on → Built-in
•Infrastructure: Thicker walls → Laser-focused
55. Find out more on IBM Security:
“Discover how to stop attackers with Big Data Analytics” with our CTO Sandy Bird, Security Keynote Session, Tues 1.45pm
Visit the IBM Security Zone and talk to our experts @ the EXPO Center
Keep up to date with our latest news: @IBMSecurity & @RickCipher
Analysis and Insight for Information Security Professionals: SecurityIntelligence.com/author/rick-robinson
56. We Value Your Feedback!
•Don't forget to submit your Insight session and speaker feedback! Your feedback is very important to us – we use it to continually improve the conference.
•Access the Insight Conference Connect tool to quickly submit your surveys from your smartphone, laptop or conference kiosk.