Post on 05-Jun-2020


Building Trust in a Digital World

Brian Phelps, BSc CISSP

Director of Advanced Solutions Group EMEA

Thales UK, Ltd.

2 Global incidents

www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml

Equivalent of 117,339 incoming attacks per day, every day

Total number of detected incidents - growth of 66% CAGR

3 And more targeted

www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

[Chart: world's biggest data breaches and hacks, 2014 and 2015]

4 How Much is Data Worth?

At the end of April, there were 270 reported breaches with 102,372,157 records compromised!

Source: Identity Theft Resource Center

5 Trust in a digital world…

Smart phones, smart grid, smart vehicles

eCommerce, eGovernment, eCitizen

6 Trust Management is a central problem to solve

Organizations are losing control over their application environment
– clouds, consumer devices (BYOD), remote connected devices, fragmented workforce: emphasis moves from ‘control’ to ‘trust’

Targeted attacks drive need for data neutralization
– mobile, remote devices and cloud services increase attack surface

Privacy requirements drive need for data protection – wherever it resides
– increased scrutiny and governance drives need to prove trust as well as simply establish it

Dynamic business relationships require trust to be dynamic
– federated, transitory and anonymous relationships create the need for new trust models and technologies

Virtualized and shared environments
– need for trust varies by application but infrastructure is increasingly shared

Scale and dynamics of “connected everything” forces automation of trust properties
– manual controls are no longer practical or cost effective

7 Crypto is the key to establish and enforce trust

Identity and Access Controls

Data Confidentiality and privacy

Data Integrity and Non-Repudiation

8 The role of cryptography

Key Management

Identity and Access Controls: Public Key Infrastructure, Credential management, Payment card issuance, Strong authentication, Password protection

Data Confidentiality and privacy: SSL, Network encryption, Digital rights management, Tape encryption, Database encryption, Application-level encryption, Server-file encryption, SAN switch encryption, Tokenization, Disk encryption, Point of sale encryption (P2PE), Email encryption, Payments processing

Data Integrity and Non-Repudiation: Document signing, Signed email, Code signing, DNSSEC, Audit & log signing

9

Thales e-Security | CONFIDENTIAL

10 The ‘pain’ of key management

“Please rate the overall “pain” associated with key and certificate management in your organization”

Source: 2015 Global Encryption and Key Management Trends Study - Ponemon Institute (April 2015)

[Chart: share of respondents (0%–35%) by rating band 1-2 (Minor), 3-4, 5-6, 7-8, 9-10 (Severe); callout: 55%]

11 What makes key management hard?

Source: 2015 Global Encryption and Key Management Trends Study - Ponemon Institute (April 2015)

12 What’s at stake?

The secrecy of keys underpins trust
– if keys are stolen or misused, data is compromised

The availability of keys keeps systems running
– lost keys can destroy data and bring services to a standstill

Lifecycle management of keys is costly
– complexity, delays and errors can quickly escalate

Key management is under intense scrutiny
– policies, controls and reporting simplify audits and compliance

13 Hardware secures applications everywhere

Trusted Platform Modules (TPM) protect desktop apps

Secure Elements and SIMs protect mobile apps

Hardware Security Modules (HSM) protect server-based apps

14 So, what’s changing?

15 Mobile payments

16 Mobile Payments – from Buzzwords to Business

The race is finally on! Mobile acceptance versus mobile payments; retail versus person to person; disruptors versus incumbents

mPOS, EMV, NFC SE, HCE, TSM

Mobile Payments / Mobile Commerce

17 Knocking down the barriers

1. Convincing consumers to give it a try
2. Preparing the cardholder data
3. Equipping phones to protect the data
4. Delivering the data to the phone
5. Enabling merchants to read the phones
6. Enabling users to easily authorize transactions
7. Encouraging consumers to make it a habit

18 Simple ecosystems are good

Barrier | Apple (Apple Pay) | Android (SE/TSM) | Android (HCE)
1. Convincing consumers to give it a try | Apple | Phone manufacturer, wallet provider | Issuer
2. Preparing the cardholder data | Card brands | Issuer | Issuer
3. Equipping phones to protect the data | Apple | Phone manufacturer or carrier (SIM) | Issuer (cloud)
4. Delivering the data to the phone | Apple | Carrier or 3rd party | Issuer
5. Enabling merchants to read the phones | NFC | NFC | NFC
6. Enabling users to easily authorize transactions | Apple | Wallet provider | Issuer
7. Encouraging consumers to make it a habit | Apple | ? | Issuer

19 Mobile Payments

Thales PayShield HSMs – a significant player across the mobile payments ecosystem

International roll-out in 2015…

2015 campaign to target the Android market through new HCE capability in payShield and ASAP partners

Our blog – www.thales-esecurity.com/blogs/2014/september/apple-enables-mobile-payments

20 Keys in the cloud

21 Amazon Key Management

$1 per key per month

$0.03 per 10,000 operations

22 HSMs in the cloud

“The Key Vault service performs all cryptographic operations on HSM-protected keys inside Hardware Security Modules. The service uses Thales nShield HSMs” – Dan Plastina, Microsoft

Our blog – www.thales-esecurity.com/blogs/2015/february/trust-anchors-in-the-azure-cloud

23 Microsoft Azure Key Vault

24 Evolving cloud landscape

Users (service consumers)

Software – Applications & content

Platform – OS, tools & services

Infrastructure – Hardware & networks

25 Evolving cloud landscape

Users (service consumers)

Columns: Service providers operating from the cloud | Enterprises with workloads in the cloud | Enterprises running private clouds

Layers: Software (Applications & content); Platform (OS, tools & services); Infrastructure (Hardware & networks)

26 Evolving cloud landscape

Users (service consumers)

Columns: Service providers operating from the cloud | Enterprises with workloads in the cloud | Enterprises running private clouds

Layers: Software (Applications & content); Platform (OS, tools & services); Infrastructure (Hardware & networks)

[Diagram: the same layered landscape with CSP markers on the cloud-operated layers and infrastructure labelled as private or public]


29 Crypto-currency

30 Cryptocurrency

Our blog – www.thales-esecurity.com/blogs/2015/january/bitcoin-steps-up-to-bank-grade-security

“We looked at every HSM on the market to find one that could support Bitcoin wallets, and none of them could do it, so we built it ourselves {using codeSafe}. Thales really came through for us, and the level of enthusiasm they have for our growing industry is incredible.”

Micah Winkelspecht - Gem CEO and Founder

31 Digital currency

Public key crypto

Bitcoin

Wallets to store private keys

Bitcoin mining

Interface to traditional payment rails

32 Bitcoin Hacks

“Reports suggested the site shut down after it discovered that an estimated 744,000 bitcoins - about $350m (£210m) - had been stolen due to a loophole in its security.”

33 Bitcoin Hacks

34 What is our value proposition?

Private key protection

Key derivation for privacy and scale

‘Multi-signature’ for dual control security

35

36 IoT Touches EVERYTHING

Asset tracking, Healthcare, Agriculture, Building management, Security, Energy, Consumer, Smart homes & cities, Automotive, National infrastructure, Embedded, Mobile

37 Big Numbers – Big Challenge

38 Market Potential - The Internet of Things

“A development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.” – Oxford Dictionary

39 The IoT Has Passed an Inflection Point

According to Cisco Internet Business Systems Group (IBSG), the Internet of Things was born in 2008 when more “things” were connected to the Internet than people.

According to Gartner, “By 2020, the number of smart-phones, tablets, and PCs in use will reach about 7.3 billion units. In contrast, the IoT will have about 26 billion units at that time.”

IDC predicts that IoT will reach $3 Trillion by 2020.

40 Impact of those “things”

Economic value-add by vertical in 2020 (total value-add $1.9 Trillion)

Source: The Internet of Things, Worldwide Forecast (Gartner, Nov 2013)

41 Problems we are trying to solve

Establishing trust between distributed entities
– mutual authentication of devices, processes and users
– credential creation, management, provisioning, validation and revocation
– validating integrity of remote systems
– secure configuration

Secure communications between systems and devices
– network and message level encryption
– message signing and validation – non-repudiation

Protection of data ‘at rest’ and ‘in use’ in command/control systems
– storage, file, database and application level encryption and tokenization

Multi-platform support for multiple application environments
– datacenter, cloud, mobile and embedded systems (e.g. Internet of Things)
– support for a wide range of scale and assurance levels

42 The Automobile – the Ultimate Connected Thing

While a lot of the discussions surrounding connected vehicles focus on safety and anti-hacking measures, several industry strategic positions are clear:

Autonomous vehicles are Job One

Infotainment systems will converge with mobile phones

The connected car will become a payments platform

43 There is an App for that!

• Unlock and lock doors
• Track status of vehicle systems
• Schedule automated commands
• Control the heater/air conditioner
• Open the sunroof
• Gather GPS data

And it’s an OPEN SOURCE APP!

44 What about Paying Cars?

BumperPay Announces $100 Million Series A Funding

• High speed P2P payments
• Drive-through services

45
