Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing the Impact of a Breach Encryption has been viewed as the ultimate way to protect sensitive data for compliance. But it has also been considered very complex to implement. Today, encryption is essential to meet compliance objectives, and has become much simpler to implement. The challenge is knowing when and where to use encryption, how it can simplify compliance, what controls need to be in place, and the options for good encryption key management. This session will cover the options for encryption and key management, what each provides, and their requirements. Encryption and key management topics include application-level encryption for data in use, network encryption of data in motion, and storage encryption for data at rest.

1. Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing the Impact of a BreachFTS-4874
Rick Robinson
Product Manager, Encryption and Key Management
IBM Data Security
October 27, 2014
© 2014 IBM Corporation

2. Please Note
•IBM‟s statements regarding its plans, directions, and intent are subject to change or
withdrawal without notice at IBM‟s sole discretion.
•Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
•The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
•The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user‟s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
2

4. 4
Source: Wikimedia Commons

5. Source: Wikimedia Commons
PCI
HIPPA
Various Global Regulations
Auditors
You

6. Increased regulation

7. Compliance means alignment with global regulations
Canada: Personal Information Protection& Electronics Document Act
USA: Federal, Financial & HealthcareIndustry Regulations & State LawsMexico: E-Commerce Law
Colombia:
Political Constitution – Article 15Brazil: Constitution, Habeas Data& Code of Consumer Protection & Defense
Chile: Protection of Personal Data ActArgentina: Habeas DataAct
South Africa: Promotion of Accessto Information ActUnited Kingdom: Data ProtectionAct
EU:
ProtectionDirective
Switzerland: Federal Law onData Protection
Germany: Federal Data Protection Act & State Laws
Poland:
Polish Constitution
Israel: Protection ofPrivacy Law
Pakistan:
Banking CompaniesOrdinance
Russia: Computerization & Protection of Information/ Participation in Int’l Info Exchange
China Commercial Banking Law
Korea: 3 Acts for Financial Data PrivacyHong Kong: Privacy Ordinance
Taiwan: Computer-ProcessedPersonal Data Protection LawJapan: Guidelines for theProtection of ComputerProcessed Personal Data
India: SEC Board of India ActVietnam: Banking Law
Philippines: Secrecy of BankDeposit ActAustralia: Federal PrivacyAmendment Bill
Singapore: Monetary Authority ofSingapore Act
Indonesia: Bank SecrecyRegulation 8
New Zealand: Privacy Act
7

8. It‟s all about the data
… and the life it leads

9. Audit Requirements
COBIT (SOX)
PCI-DSS
ISO 27002
Data Privacy & Protection
Laws
NIST
SP 800-53 (FISMA)
1. Access to Sensitive Data
(Successful/Failed SELECTs)




2. Schema Changes (DDL) (Create/Drop/Alter Tables, etc.)





3. Data Changes (DML)
(Insert, Update, Delete)


4. Security Exceptions
(Failed logins, SQL errors, etc.)





5. Accounts, Roles & Permissions (DCL) (GRANT, REVOKE)





The Compliance Mandate –What do you need to monitor?
9
DDL = Data Definition Language (aka schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language

11. What is Account Data?
•Cardholder Data (may store)
Primary Account Number (PAN)
Cardholder Name
Expiry Date
Service Code
•Sensitive Authentication Data (may not store)
Security Code
Magnetic Stripe / Chip Data
PIN/ PIN Block

12. PCI DSS has a wide impact

13. 13

14. 14

15. Cryptography is fundamental to Compliance
•Key exchange for communication session keys
•Data is transit is protected using single-use keys
•Data at rest –Keys are long lived
Establishes Privacy of Data in Motion and Data at Rest
•Being able to encrypt or decrypt proves you are in possession of the key
•Certificates provide additional identity information
Establishes Identity
•Data Integrity is provided through keyed-hashes
•Hashes provide integrity checking for data in transit
Protects against Unauthorized Changes
•Digital signatures create undeniable authorship
Assigns Ownership to the Data or Message
15

16. Encryption Mitigates Risk
“If a covered entity chooses to encryptprotected health information, and subsequently discovers a breach of that encrypted information, the covered entity will not be required to provide breach notificationbecause the information is not considered „„unsecured protected health information‟‟ as it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals.” Excerpt from US HITEC law -Breach Notification for Unsecured Protected Health Information (Aug 2009) Encryption changes the rules on disclosure

17. 17

18. Market Drivers and Trends
Source: 2013 Global Encryption Trends Study –Thales & PonemonInstitute
Companieswith Encryption Strategies are overtaking those who don‟t

19. Market Drivers and Trends
Human Erroris #1 Threat
Source: 2013 Global Encryption Trends Study –Thales & PonemonInstitute

20. Market Drivers and Trends
Encryption Usage is no longer just about compliance
Source: 2013 Global Encryption Trends Study –Thales & PonemonInstitute

21. Market Drivers and Trends
Encryption Usage is no longer just about compliance
21
Source: 2013 Global Encryption Trends Study –Thales & PonemonInstitute

22. Market Drivers and TrendsSource: 2014 Cost of Data Breach Study –IBM & PonemonInstitute

23. Market Drivers and Trends
Source: 2014 Cost of Data Breach Study –IBM & PonemonInstitute

24. Why Should All Data at Rest be Encrypted?
•Addresses Standards
-Privacy breach disclosure laws
-Protection of financial data
•Keeps sensitive information confidential
-Insider threat
-Lost/stolen tape or disk
-Disk being repaired (Solid-state disks fail in a read-only state)
•Simplifies end-of-life-of-media scenarios
-Destroy the key and the data is unusable
-Cryptographic Erasure (NIST SP800-88)
-Reducing media disposal costs

25. The Traditional Approach is Changing…. Security is no longer controlled and enforced through the network perimeter
Trusted Intranet
Online Banking Application
Employee Application
DMZ
Untrusted Internet

26. …. With Mobile and Cloud There Is No PerimeterSecurity must be centered on applications and transactions
Online Banking Application
InvestmentAPI Services
Employee ApplicationDeliver Mobile AppConsume Apps and ServicesLeverage Public Clouds
Trusted Intranet
DMZ
Untrusted Internet

27. …. and becoming Mobile
27
In 2000In 2012
6billion
mobile subscribers worldwide
87% of the world’s population
720 million
mobile subscribers worldwide
12%
of the world’s population

28. Motivation and sophistication is evolving rapidly
28 M O T I V A T I O N S O P H I S T I C A T I O NNational Security, Economic Espionage
Notoriety, Activism, Defamation
HacktivistsLulzsec, AnonymousMonetary Gain
Organized crime
Zeus, ZeroAccess, BlackholeExploit Pack
Nuisance, Curiosity
Insiders, Spammers, Script-kiddiesNigerian 419 Scams, Code Red
Nation-stateactors, APTsStuxnet, Aurora, APT-1

29. Weak security has a significant impact on your brand
29
Costs $52,646per minute
Lasts 19.7 minutes
Minor event
chance of happening69%
Lasts about 2 hours
Costs $38,069per minute
Moderate event
chance of happening*
37%
*The IBM 2013 Global Study on the Economic Impact of IT Risk Study.
Lasts about 7.5 hours
Costs $30,995per minute
Substantial event
chance of happening*
23%
Most security breaches go undetected for eight months

30. 30
X-Force Trend and Risk Report

31. Collaborative IBM teams monitor and analyze the changing threat landscapeCoverage
20,000+ devices under contract
3,700+ managed clients worldwide
15B+ events managed per day
133monitored countries (MSS)
1,000+ security related patents
Depth
17Banalyzed web pages & images
40M spam & phishing attacks
76Kdocumented vulnerabilities
Billionsof intrusion attempts daily
Millions of unique malware samples

32. Cloud, Analytics, Mobile and Social Power Enterprise Growth
CLOUD ANALYTICS MOBILE Social

33. Increasing risk of attack can undermine CAMS initiatives
SQL injection
Watering hole
Physical access
Malware
Third-party software
DDoSSpear phishing
XSS
Undisclosed
Attack types
Note: Size of circle estimates relative impact of incident in terms of cost to business
Source: IBM X-ForceThreat Intelligence Quarterly –1Q 2014
2011
Year of the breach
2012
40% increase
2013
500,000,000+ records breached
61%
of organizations say data theft and cybercrime are their greatest threats
2012 IBM Global Reputational Risk & IT Study
$3.5M+
average cost of a data breach
2014 Cost of Data Breach, Ponemon Institute

34. What is the impact of a data breach
and
Where are customers most affected?

35. Vulnerabilities exploited to gain access
Exploitation
Gain access
XSS typically attacks web apps

36. has become a new playground for attackers
Social Media top target for attacks and mobile devices are expanding those targets
-Pre-attack intelligence gathering
-Criminals selling accounts
-Campaigns enticing user to click on malicious links

37. The Cloud is bringing greater opportunity…
•To Users
•To Business
•To Thieves…. How Do We Solve This?

38. Encryption shouldnotaffect performanceEncryption shouldbe Transparent
Operations management of encryption and key management shouldbe negligible
Encrypted systems shouldleverage investments in high availability and security
Centralize Key Management
First Principles for Encryption and Key Management

39. Disk and Tape options in IBM Self-Encrypting StorageDS8870
DS3500
XIV
N seriesTS3500 libraryTS1140 drive
LTO6 driveTS3310 libraryGPFS
Self-encrypting solutions that protect Data-at-Rest

40. Self-Encrypting Devices
Security Key Lifecycle Manager (SKLM)
• SKLM is a Key Distribution and
Management software solution
• Uses standard protocols
(i.e. KMIP: Key Management
Interoperability Protocol)
• Provides centralized key mgmt for
self-encrypting drives (tape, disk)
• Light-weight & highly-scalable
• SKLM helps customers keep data
private, compliant, and encryption
keys well-managed
• Helps customers maintain
alignment with best practices and
compliance
KMIP
Cloud file systems
(GPFS, Netezza, etc.)
Databases
Smart Meter
Infrastructures
Switches /
Networking
Disk Storage Arrays
e.g. DS8000, DS5xxx, XIV, …
Enterprise Tape Libraries
e.g. TS11xx, TS2xxx, TS3xxx,
SKLM

41. Your security team sees noise
41

42. Reaching security maturity 13-09-17
Security Intelligence
Predictive Analytics, Big Data Workbench, Flow Analytics
SIEM and Vulnerability Management
Log Management
Advanced Fraud Protection
People
Data
Applications
Infrastructure
Identity governance
Fine-grained entitlements
Privileged user management
Data governance
Encryption key management
Fraud detection
Hybrid scanning and correlation
Multi-facetednetwork protection
Anomaly detection
Hardened systems
User provisioning
Access management
Strong authentication
Data masking / redaction
Database activity monitoring
Data loss prevention
Web application protection
Source code scanning
Virtualization security
Asset management
Endpoint / network security management
Directorymanagement
Encryption
Database access control
Applicationscanning
Perimeter security
Host security
Anti-virus
Optimized
Proficient
Basic

43. Security challenges are a complex, four-dimensional puzzle…
Applications
Web
Applications
Systems Applications
Web 2.0
Mobile
Infrastructure
Datacenters
PCs
Laptops
MobileCloudNon-traditional
Data
At rest
UnstructuredStructured
People
Attackers
Suppliers
Consultants
Partners
Employees
Outsourcers
CustomersEmployees
Unstructured
Structured
In motion
CustomersMobile Applications

44. …that requires a new approach that combinesencryption with Security Intelligence
Collect and Analyze EverythingDataBasic- control
Applications
Bolt-on
Infrastructure
Thickerwalls
Insight
Now
People
Administration
Then
Smarterdefenses
Built-inLaser- focused44

45. Time Products

46. Time
Products
Complexity
CostAgility
Effectiveness

47. Monitor Everything

48. Consume Threat Intelligence

49. Integrate Across Domains

50. Security Intelligence

51. Clarity…

52. Insights…

53. Compliance

54. @RickCipher

55. Find out more on IBM Security:
“Discover how to stop attackers with Big Data Analytics” with our CTO Sandy Bird, Security Keynote Session, Tues 1.45pm
Visit the IBM Security Zone and talk to our experts @ the EXPO Center
Keep up to date with our latest news: @IBMSecurity& @RickCipher
Analysis and Insight for Information Security Professionals: SecurityIntelligence.com/author/rick-robinson

56. We Value Your Feedback!
•Don‟tforget to submit your Insight session and speaker feedback! Your feedback is very important to us –we use it to continually improve the conference.
•Access the Insight Conference Connect tool to quickly submit your surveys from your smartphone, laptop or conference kiosk.
56

57. Acknowledgements and Disclaimers
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They areprovided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreementgoverning the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
© Copyright IBM Corporation 2014. All rights reserved.
—U.S. Government Users Restricted Rights –Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, ibm.com,andIBM Security Key Lifecycle Manager are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at
•“Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
•Other company, product, or service names may be trademarks or service marks of others.
57

58. Thank You