Ensuring Confidentiality Ensuring Confidentiality (and trust) (and trust)
Encryption, Data Retrieval, and Encryption, Data Retrieval, and Key Management TechnologiesKey Management Technologies
www.oasis-open.org
Jerry Smith, US Department of Defense
Anthony Rutkowski, Yaana Technologies
Bob Griffin, RSA, the Security Division of EMC
Ensuring confidentiality and trust …… is not easy
• Information growth• Mobility, virtualization & cloud
• Evolving threat landscape• Collaboration / Exchange
Agency Staff Privileged Users
-BusinessAnalytics
-ElectronicHealth Records
-Replica
-BackupDisk
-Backup Tape
-SharePointRoom, etc.
-File Server
-DiskArrays
-ProductionDatabase
-Physicians
-ClinicalUsers
Apps/DB StorageFS/CMSNetworkEndpoint
Endpoint theft/loss
Network LeakEmail-IM-HTTP-
FTP-etc.
PrivilegedUser Breach
InappropriateAccess
Tapes lost or stolen
Data LeakPublic
Infrastructure Access Hack
UnintentionalDistribution
(Semi) Trusted User
Misuse
Discarded disk exploited
-Patients
Remote Employees
Channels
VPN
Partner Entry Points
Partners
Channels
Customers
ChannelsPartner Entry Points
2
Privileged Users Privileged Users Privileged Users
Ensuring ConfidentialityEnsuring Confidentiality(and trust): (and trust):
the Extended Validation the Extended Validation Certificate PlatformCertificate Platform
www.oasis-open.org
Tony RutkowskiSVP for Regulatory Affairs and Standards, Yaana TechnologiesITU-T Rapporteur for CybersecurityEditor, Rec. ITU-T X.evcertLiaison, CA/Browser Forum
Identity Management 2010
EVcerts: critical for IdM and cybersecurity Trust in network sites and providers is critical to
achieving effective Identity Management and cybersecurity adverse effects include harm to users, other
providers, and the infrastructure; loss of assurance The Extended Validation Certificate platform
bundles together a proven set of technologies and practices to significantly enhance trust assurance in the
site/provider create an encrypted path with the site sign software
Some of what the EVcertplatform provides
Visible EVcerttrust indication in user browser
SSL (Secure Sockets Layer) encryption for end-to-end confidentiality
Real-time Online Certificate Status Protocol
(OCSP) checking
Extensive initial and continuing identity proofing of service provider; signing software
Extensive process and auditing requirements for issuing EVcertauthorities
Additional value proposition CA/Browser Forum: developed and initially
implemented by the most prominent software and digital certificate vendors worldwide over the past several years
The platform has been included as a core capability in security standards by ETSI, Liberty Alliance, and ISO
The platform is completely “open” and promotes a competitive environment
ITU-T is importing and promulgating the platform for adoption in early 2011 as the X.evcert Framework to enhance global ubiquity and further its development
Version 1.3 includes features to enhance use for cloud computing
How browsers display EVcert informationMicrosoft Explorer 8.0Microsoft Explorer 8.0Google Chrome Google Chrome
Opera 10.51Opera 10.51 Apple Safari 4.0.5Apple Safari 4.0.5Mozilla Firefox 3.1 preMozilla Firefox 3.1 pre
Comprehensive specification and continuing examination/evolution
EnrollmentEnrollment
Status CheckingStatus Checking Employee & Third PartyEmployee & Third Party
Data and Record
Data and Record
ComplianceCompliance
CredentialsCredentials
Trust ModelTrust Model
ContentContentInitialVerification
Methods
InitialVerification
Methods
EnrollmentRegistrant
Requirements
EnrollmentRegistrant
Requirements
RevocationCapabilitiesRevocationCapabilities
ReportingInvestigation
Response
ReportingInvestigation
Response
TechnicalAbility to
Check Status
TechnicalAbility to
Check Status
Trustworthi-ness &
Competence
Trustworthi-ness &
Competence
TrustedDelegation of
Functions
TrustedDelegation of
Functions
Data SecurityData Security
Audit TrailAudit Trail
AuditRequirements
AuditRequirements
ContinuingVerification& Renewal
ContinuingVerification& Renewal
RequiredInformation
RequiredInformation
EnrollmentLegal
Requirements
EnrollmentLegal
Requirements
IssuerApproval
IssuerApproval
CredentialStrength &Weakness
CredentialStrength &Weakness
ReaderStrength &Weakness
ReaderStrength &Weakness
ValidityPeriodValidityPeriod
TransportSecurity
TransportSecurity
SSLSSL
Extensible roadmap New kinds of organizations New applications Expanded geographical coverage and
assurance schemas Expanded Cloud IdM use Enhanced user visual indicators
Ensuring ConfidentialityEnsuring Confidentiality(and trust): (and trust):
Extending Enterprise Key Extending Enterprise Key Management to Infrastructure Entity Management to Infrastructure Entity AuthenticationAuthentication
www.oasis-open.org
Bob Griffin
Technical Director, RSA, the Security Division of EMCCo-chair, OASIS Key Management Interoperability Protocol TC
Identity Management 2010
Storage Array
TapeLibrary
SANApplication
Server
Application
Application
Application
Enterprise Key Manager
Data Encryption using Symmetric Keys
Key Management Interoperability Protocol
- 11 -
Enterprise Cryptographic Environments
Enterprise Key Management
DiskArrays
BackupDisk
BackupTape
BackupSystem
Collaboration &Content Mgmt
Systems
File ServerPortalsProductionDatabase
Replica
Staging
Key Management Interoperability Protocol
EnterpriseApplications
eCommerceApplications
Business Analytics
Dev/Test Obfuscation
WANLANVPN
CRM
KMIP: Single Protocol Supporting Enterprise Cryptographic Environments
- 12 -
User Identity with Asymmetric Keys
Public Key
Public Key
Public Key
Public Key
Public Key
KMIP
- 13 -
KMIP to Commercial Meter
Utility
Infrastructure Entity Identification
KMIP to low-end Residential Meter
KMIP to Industrial Meter
- 14 -
Enterprise Key Manager
Request Header
Get Unique Identifier
Symmetric Key
Response Header
Unique Identifier
Key Value
KMIP Request / Response Model
Encrypted data
Unencrypted data
- 15 -
Commercial Meter
Utility
Name: XYZSSN: 1234567890Acct No: 45YT-658Status: Gold
@!$%!%!%!%%^&*&^%$#&%$#$%*!^@*%$*^^^^%$@*)%#*@(*$%%%%#@
Transport-Level EncodingKey Client Key Server
API
Internal representation
Transport
Internal representation
Transport
KMIP Encode
KMIP Encode
KMIP Decode
KMIP Decode
API
KMIP
- 16 -
Objects, Operations and Attributes
CreateCreate Key PairRegisterRe-keyDerive KeyCertifyRe-certifyLocateCheckGetGet AttributesGet Attribute ListAdd AttributeModify AttributeDelete AttributeObtain LeaseGet Usage AllocationActivateRevokeDestroyArchiveRecoverValidateQueryCancelPollNotifyPut
Unique IdentifierNameObject TypeCryptographic AlgorithmCryptographic LengthCryptographic ParametersCryptographic Domain ParametersCertificate TypeCertificate IdentifierCertificate IssuerCertificate SubjectDigestOperation Policy NameCryptographic Usage MaskLease TimeUsage LimitsStateInitial DateActivation DateProcess Start DateProtect Stop DateDeactivation DateDestroy DateCompromise Occurrence DateCompromise DateRevocation ReasonArchive DateObject GroupLinkApplication Specific InformationContact InformationLast Change DateCustom Attribute
CertificateSymmetric KeyPublic KeyPrivate KeySplit KeyTemplateSecret DataOpaque Object
Managed ObjectsProtocol Operations Object Attributes
- 17 -
IT Transformation
15%
30%
70%
85% 95%
IT ProductionLower Costs
Business ProductionImprove Quality Of Service
IT-As-A-ServiceImprove Agility
% Virtualized
HighAvailability
DataProtection
18
Secure multi-tenancy, verifiable chain fo trust.
Information-centric security, risk-driven policies, IT and security operations in alignment, information compliance
Visibility into virtualization infrastructure, privileged user monitoring, access management, network security, infrastructure compliance
IT INFRASTRUCTUREPhysical Virtual Cloud
Security as a System
19
EVIDENCE
SIEM ConfigurationManagement
Patch and VulnerabilityManagement
FraudPreventionDLP
CONTROLS and CAPABILITIESFirewalls Anti-Virus Anti-Malware
Authentication Access Management DLP Encryption Key Management
CONTEXT | POLICY
Business Strategy and Risk
BUSINESS VIEWS
BUSINESS PROCESS
The Need to Extend Enterprise Key Management
End
to e
nd c
hain
of t
rust
VM layerVM layer
Virtual Infrastructure(including hypervisor)
Virtual Infrastructure(including hypervisor)
APPAPP
OSOS
APPAPP
OSOS
APPAPP
OSOS
StorageStorageComputeCompute NetworkNetwork
Trusted zone DMZ
End
to e
nd v
isib
ility
Establishing the Web of Trust
21
End
to e
nd c
hain
of t
rustVM layerVM layer
Virtual Infrastructure(including hypervisor)
Virtual Infrastructure(including hypervisor)
APPAPP
OSOS
APPAPP
OSOS
APPAPP
OSOS
StorageStorageComputeCompute NetworkNetwork
Trusted zone DMZ
End
to e
nd v
isib
ility
End
to e
nd c
hain
of t
rust
VM layerVM layer
Virtual Infrastructure(including hypervisor)
Virtual Infrastructure(including hypervisor)
APPAPP
OSOS
APPAPP
OSOS
APPAPP
OSOS
StorageStorageComputeCompute NetworkNetwork
Trusted zone DMZ
End
to e
nd v
isib
ility
End
to e
nd c
hain
of t
rust
VM layerVM layer
Virtual Infrastructure(including hypervisor)
Virtual Infrastructure(including hypervisor)
APPAPP
OSOS
APPAPP
OSOS
APPAPP
OSOS
StorageStorageComputeCompute NetworkNetwork
Trusted zone DMZ
End
to e
nd v
isib
ility
End
to e
nd c
hain
of t
rust
VM layerVM layer
Virtual Infrastructure(including hypervisor)
Virtual Infrastructure(including hypervisor)
APPAPP
OSOS
APPAPP
OSOS
APPAPP
OSOS
StorageStorageComputeCompute NetworkNetwork
Trusted zone DMZ
End
to e
nd v
isib
ility
End
to e
nd c
hain
of t
rust
VM layerVM layer
Virtual Infrastructure(including hypervisor)
Virtual Infrastructure(including hypervisor)
APPAPP
OSOS
APPAPP
OSOS
APPAPP
OSOS
StorageStorageComputeCompute NetworkNetwork
Trusted zone DMZ
End
to e
nd v
isib
ility
Services Services