Rothke rsa 2013 - deployment strategies for effective encryption
Download as PPTX, PDF0 likes585 views
This document discusses effective strategies for deploying encryption. It emphasizes that encryption requires attention to detail, good design, and project management. It warns that many encryption roll-outs are incomplete solutions that lack proper key management, documentation, and processes. The document provides steps for developing an effective encryption strategy, including defining requirements, identifying sensitive data locations, and creating detailed implementation plans. It stresses that encryption is a process, not a product, and must be properly planned and managed.
Ad
More Related Content
What's hot (19)
Similar to Rothke rsa 2013 - deployment strategies for effective encryption (20)
Ad
More from Ben Rothke (20)
Ad
Recently uploaded (20)
Rothke rsa 2013 - deployment strategies for effective encryption
- 1. Session ID: Session Classification: Ben Rothke, CISSP, CISA Information Security Wyndham Worldwide Corp. DSP-W25B Intermediate Deployment Strategies for Effective Encryption
- 2. ► encryption internals are built on complex mathematics and number theory ► your successful encryption program requires a CISSP, CISA and PMP, not necessarily a PhD ► effective encryption strategy requires attention to detail, good design, combined with good project management and documentation ► your encryption strategy must reflect this Deployment Strategies for effective encryption
- 3. ► many roll-outs are nothing more than stop-gap solutions ► Getting it done often takes precedence over key management, documentation, processes, etc. ► many organizations lack required security expertise ► these and more combine to obstruct encryption from being ubiquitous ► adds up to a significant need for an effective encryption deployment strategy It’s 2013 – where’s the encryption?
- 4. 1. define your requirements 2. know where your sensitive data resides 3. create detailed implementation plans ► when implementing your encryption strategy, it’s imperative to remember that your encryption project, and information security is a process, not a product. 3 steps to effective encryption
- 5. Encryption nirvana scenario Strategy Data Mapping Risk Modeling Control Gaps Implementation Management Audit Deployment Define Drivers Data Classification Policy Definition Policy Initial Drivers • Business • Technical • Regulatory Effective Encryption
- 6. ► Thinking encryption projects are plug and play ► until they have to deal with key management ► don’t forget about legacy systems ► Going to a vendor too early ► vendors sell hardware/software ► you need requirements, project plans, implementation plans, etc. ► Not giving enough time to design and testing ► an effective encryption roll-out takes time ► requires significant details ► you can’t rush this! Common deployment mistakes
- 7. ► mathematics of cryptography is rocket science ► most aspects of information security, compliance and audit aren’t ► good computer security is attention to detail and good design, combined with effective project management ► enterprise encryption strategy must reflect this ► not everyone will need encryption across the board ► policies need to be determined first as to what requires encryption ► strategy of “let’s just encrypt everything” demonstrates confusion Encryption strategy
- 8. ► protect data from loss and exposure ► prevent access to the system itself? ► does software need to access the files after encryption? ► data to be transported securely? via what means? ► how much user burden is acceptable? ► how strong does the encryption need to be? ► do you need to match the solution to the hardware? ► regulatory, contractual, organizational policy ► ask a lot of questions at this point! ► and when you are done, ask a lot more Analyze your encryption needs
- 9. ► If you don’t know your drivers, you’re driving blind. ► Business ► customer trust ► intellectual property ► Technical ► AES, PGP, BitLocker, etc. ► mobile devices ► Regulatory ► PCI / SoX / EU / ISO-17799 ► State data breach laws Drivers and requirements Image source: http://www.whattofix.com/blog/archives/2008/05/peace-for-pachy.php
- 10. ► Encryption must be supported by policies, documentation and a formal risk management program ► shows work adequately planned and supervised ► demonstrates internal controls studied and evaluated ► Policy must be ► endorsed by management ► communicated to end-users and business partners / 3rd-parties that handle sensitive data. If it can’t meet company’s policies, don’t give others access to the data ► encryption responsibility should be fixed with consequences for noncompliance Documentation and policies
- 11. ► encryption is a process intensive endeavor ► must be well-defined and documented ► if not implemented and configured properly, can cause system performance degradation, operational hurdles and locking yourself out of your own data ► improperly configured encryption processes give false sense of security ► perception that confidentiality of sensitive information is protected when it’s not Encryption processes
- 12. ► Identify all methods of data input/output ► storage media ► smartphones, USB, laptops, removable, SSD, and more ► business partners and other third parties ► understand all applicable regulations and laws ► high-risk areas ► laptops ► wireless ► data backups ► others It’s all about the data
- 13. ► define business, technical, and operational requirements and objectives for encryption ► define policies, architecture, and scope of encryption requirements ► conduct interviews, review policy documents, analyze current and proposed encryption strategy to identify possible security gaps ► determine liabilities ► better requirements definition directly correlates to successful encryption program Requirements analysis
- 14. ► full-disk / host-based encryption (at rest) ► data encrypted at creation, first possible level of data security ► appliance-based ► data leaves host unencrypted, then goes to dedicated appliance for encryption. Quickest to implement; but can be costly ► storage device encryption ► data transmitted unencrypted to storage device ► easiest integration into existing backup environments ► tape ► data encrypted on tape drive; easy to implement ► provides protection from both offsite and on-premise information loss ► database ► database encrypted tables inside the database, protected by native DBMS access controls Understand your encryption options
- 15. ► Key management is a big deal; don’t underestimate it ► generation, distribution, storage, recovery and destruction of encryption keys ► encryption is 90% management and policy, 10% technology ► most encryption failures due to ineffective KM processes ► 80% of 22 SAP testing procedures related to encryption are about KM ► effective KM policy and design requires significant time and effort Key management (KM)
- 16. Ask lots of the fundamental questions: ► how many keys do you need? ► where are keys stored? ► who has access to keys? ► how will you manage keys? ► how will you protect access to encryption keys? ► how often should keys change? ► what if key is lost or damaged? ► how much key management training will we need? ► how about disaster recovery? Key management fundamentals
- 17. Immediate steps in the long-term encryption expedition ► prioritize based on specific requirements and compensating controls ► identify your most sensitive/confidential data and know where it resides ► organizations that don’t have an effective data classification program usually fail at their data encryption projects - Gartner ► know which regulatory mandates matter most ► leverage DLP to more effectively identify sensitive content that resides on the network and at the endpoint Encryption is a long journey
- 18. There’s a book for that
- 19. ► organizations that do not have an effective data classification program usually fail at their data encryption projects ► creating an effective deployment strategy is the difference between strong encryption and an audit failure ► encryption is about attention to detail, good design and project management. Summary
- 20. Ben Rothke, CISSP CISA Manager – Information Security Wyndham Worldwide Corporation www.linkedin.com/in/benrothke www.twitter.com/benrothke www.slideshare.net/benrothke