Protecting Sensitive Data using Encryption and Key Management

© 2008, Linoma Software. All rights reserved.

Upload: stuart-marsh

Post on 18-Nov-2014



Information Systems Trends

IT’s success has been greatly measured by how quickly information is made available to users and partners

- Open Standards (TCP/IP, FTP, Telnet)
- Multiple operating systems (i5/OS, Windows, Linux, AIX, etc.)
- Movement away from private lines to the Internet
- On-line ordering and customer service
- Remote employee access
- Integration of applications to improve efficiencies and reduce costs
- Organizations (vendors, customers, banks, government agencies) are becoming increasingly interconnected with each other
- Gigabytes of data can be downloaded in seconds to a laptop, thumb drive, etc.

Information is more accessible than ever before… and more vulnerable


Data Risks

Databases can be accessed through a wide variety of tools by both external hackers and rogue employees.

Backup media often passes through many hands to reach its off-site storage location.

Unless otherwise protected, all data transfers travel openly over the Internet and can be monitored or read by others.


Statistics

- 46% of interviewed organizations expect a serious data loss at least once a year. (Source: Symantec Corporation, January 2008)
- Data breaches were 69% greater in 2008 than the same period in 2007. (Source: Identity Theft Resource Center)
- 56% of organizations reported a loss in existing customers from a data breach. (Source: Ponemon Institute, June 2008)
- 1 out of 3 computer professionals admit to accessing confidential data within their companies. (Source: MSNBC, June 2008)
- Employees, not hackers, cause most data losses (Source: ars technica, October 2008)

“A former Countrywide employee was arrested and charged with illegally accessing the firm’s computers for more than two years. As many as 2 million loan applicants may have had their data stolen, the FBI said.” (Source: LA Times Sept 11, 2008)


Costs of Data Breaches

“Data Loss Study” conducted by Ponemon Institute

- 32,000 lost customer records per breach
- Average cost is £120 for each lost record
- £4.0 million cost per breach
- Costs:
  - Administrative and IT resource costs
  - Notifications to customers
  - Public relations
  - Regaining trust

44 U.S. states have enacted legislation requiring notification of security breaches involving personal information. ( http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm )


Data Which Needs a High Level of Protection

Anything that is confidential to the organization, its employees and its customers

- Credit card numbers
- National Insurance numbers
- Birth dates
- Payroll information (e.g. wages)
- Health-related information
- Bank Account numbers
- Driver License information
- Financial data
- Trade Secrets (e.g. product formulas)

Why Should You Protect This Data?

- To comply with regulations:
  - HIPAA
  - Sarbanes Oxley
  - Gramm-Leach-Bliley
  - Data Protection Act
- To avoid potential penalties and lawsuits
- To comply with PCI Security Standards
- To avoid bad public relations
- To ensure your continued employment (you don’t want to be the one that “takes the fall”)

“A senior database administrator at a subsidiary of Fidelity National Information Services took data belonging to as many as 8.5 million consumers. The stolen data included names, addresses, birth dates, bank account and credit card information, the company said.” (Source: ComputerWorld, July 2007)


PCI 1.1 Data Security Standard

- Data Security Standard developed by Payment Card Industry (PCI)
- Latest Standard is 1.1 (released in Sept 2006)
- View complete text of PCI Data Security Standard at: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

Excerpt from Standard:

3.4 Render Primary Account Number (PAN), at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:
• Strong one-way hash functions (hashed indexes)
• Truncation
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key management processes and procedures.

The MINIMUM account information that must be rendered unreadable is the PAN.
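
An added example (not from the original slides or from any Linoma product) of two of the approaches in requirement 3.4 working together: truncation for display and a hashed index for lookup. The first-six/last-four truncation format, the choice of HMAC-SHA-256 as the one-way hash, and the names CardStore, DEMO_KEY and TEST_PAN are assumptions made for this sketch.

```python
import hashlib
import hmac

def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; reject anything that is not 13 to 19 digits."""
    digits = pan.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit() and 13 <= len(digits) <= 19):
        raise ValueError("PAN must be 13 to 19 digits")
    return digits

def truncate_pan(pan: str) -> str:
    """Truncation: keep only the first six and last four digits (assumed format)."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def hashed_index(pan: str, index_key: bytes) -> str:
    # A secret key is mixed in (HMAC) because the set of valid PANs is small
    # enough that an unkeyed hash could be reversed by exhaustive search.
    digits = normalize_pan(pan)
    return hmac.new(index_key, digits.encode("ascii"), hashlib.sha256).hexdigest()

class CardStore:
    """Hypothetical card-on-file table that never holds a readable PAN."""
    def __init__(self, index_key: bytes):
        self._key = index_key
        self._rows = {}  # hashed index -> stored row

    def add(self, pan: str, customer: str) -> dict:
        row = {"customer": customer, "pan_display": truncate_pan(pan)}
        self._rows[hashed_index(pan, self._key)] = row
        return row

    def find(self, pan: str):
        return self._rows.get(hashed_index(pan, self._key))

    def dump(self) -> str:
        """What a database reader or a backup tape would expose."""
        return repr(self._rows)

# Constructed sample data: a well-known test card number and an all-zero demo
# key. A real index key comes from the key management process, not source code.
DEMO_KEY = bytes(32)
TEST_PAN = "4111 1111 1111 1111"
```

Because each row holds both the truncated PAN and its index, the index key has to be stored apart from the table and handled under the key controls of requirements 3.5 and 3.6.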


PCI 1.1 Data Security Standard

3.5 Protect encryption keys used for encryption of cardholder data against both disclosure and misuse.
  3.5.1 Restrict access to keys to the fewest number of custodians necessary
  3.5.2 Store keys securely in the fewest possible locations and forms.

3.6 Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data, including the following:
  3.6.1 Generation of strong keys
  3.6.2 Secure key distribution
  3.6.3 Secure key storage
  3.6.4 Periodic changing of keys
    • As deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically
    • At least annually.
  3.6.5 Destruction of old keys
  3.6.6 Split knowledge and establishment of dual control of keys (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key)
  3.6.7 Prevention of unauthorized substitution of keys
  3.6.8 Replacement of known or suspected compromised keys
  3.6.9 Revocation of old or invalid keys
  3.6.10 Requirement for key custodians to sign a form stating that they understand and accept their key-custodian responsibilities.

10.0 Track and monitor all access to network resources and cardholder data

Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.
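
An added example (not from the original slides or from any Linoma product) of the split knowledge described in requirement 3.6.6: a key is divided into one component per custodian, and only the full set of components rebuilds it. The XOR splitting scheme, the truncated-HMAC check value (which also catches a substituted component, the concern of 3.6.7) and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
from functools import reduce

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, custodians: int = 3) -> list:
    """Return one component per custodian; every component is needed to rebuild."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    # All but the last component are fresh random bytes of the key's length.
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    # The last component is the key XORed with all the random ones, so any
    # incomplete set of components is statistically independent of the key.
    parts.append(reduce(_xor, parts, key))
    return parts

def key_check_value(key: bytes) -> str:
    """Short fingerprint recorded at key generation (assumed scheme)."""
    return hmac.new(key, b"key-check-value", hashlib.sha256).hexdigest()[:12]

def rebuild_key(parts: list, expected_kcv: str) -> bytes:
    """Combine the custodians' components and refuse a wrong or substituted key."""
    if len({len(p) for p in parts}) != 1:
        raise ValueError("components must all have the same length")
    key = reduce(_xor, parts)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("check value mismatch: component missing or substituted")
    return key
```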


Encryption Basics

- Encryption is the process of transforming understandable text (plaintext) into an unintelligible piece of data (ciphertext).
- Encryption hides the meaning of the message, but not its existence.
- Converts ordinary information into unreadable gibberish.
- Example
  Before: The quick brown fox jumped over the lazy dog
  After: „OE \ËKä°BBY ý \åê·Ñ‚C‹Ÿ^{F+rÀJ[1]Ï(¾Y½i›”®t
- Cipher is a pair of algorithms that perform encryption and decryption. Example ciphers are AES and TDES.
- Key controls the detailed operations of the Cipher algorithms. The output (ciphertext) is therefore manipulated by the Key. A Key is represented by bits (i.e. 101001…). AES256 uses a 256 bit Key.
- Symmetric Key Cryptology is a form of cryptology in which the sender and receiver share the same key. The key must be kept secret or the security is compromised. Also known as Secret key cryptology.
- Asymmetric Key Cryptology is a form of cryptology that implements Key Pairs, in which the Public key portion of the Key Pair is used to encrypt information and the Private key portion is used to decrypt information. Otherwise known as Public Key Cryptology.


AES Encryption

AES is the abbreviation for Advanced Encryption Standard

Ideal for protecting database fields and backups

Uses Symmetric Keys

No known attacks

Fast form of Encryption – 6 times faster than Triple DES

Can use a 128, 192 or 256 bit key length

Quote from US National Security Agency (NSA) – June 2003

"The design and strength of all key lengths of the AES Algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level."


Open PGP Encryption

- Widely used for protecting data sent over the internet.
- Uses combination of Asymmetric-key and Symmetric-key cryptology to provide high level of protection and speed
- Encrypt with Public Key -- Decrypt with Private Key (Secret Key)
- Encrypted files can be sent over standard FTP connections or Email
- Provides compression to reduce file sizes

TERMS

OpenPGP standard is a non-proprietary and industry-accepted protocol which defines the standard format for encrypted messages, signatures and keys. This standard is managed by the IETF (Internet Engineering Task Force).

Key Pair is a combination of a Private key and its corresponding Public key. Key Pairs are used within Asymmetric Cryptology systems, such as OpenPGP, SSH and SSL.

Private Key is the portion of a Key Pair which is used by the owner to decrypt information and to encode digital signatures. The Private key, typically protected by a password, should be kept secret by the owner and NOT shared with trading partners. Also known as a Secret Key.

Public Key is the portion of the Key Pair which is used to encrypt information bound for its owner and to verify signatures made by its owner. The owner’s Public key should be shared with its trading partners.


Secure FTP

- FTPS and SFTP will protect the entire FTP connection
- Provides strong encryption with support for popular algorithms such as AES
- FTPS (FTP over SSL)
  - Authenticate using certificates
  - Support for self-signed certificates and CA certificates
  - Complies with SSL and TLS standard
  - Implicit and Explicit connections
- SFTP (FTP over SSH)
  - Authenticate using a password or an asymmetric key
  - Complies with SSH 2.0 standard
  - Popular in UNIX and LINUX systems

TERMS

Authentication is a mechanism to positively identify the server, and optionally the client, by requesting credentials such as a password or a digital signature.

Certificate is a digital identification document that allows both servers and clients to authenticate each other. A certificate contains information about a company and the organization that signed the certificate (such as Verisign).

SSL is an abbreviation for Secure Sockets Layer. SSL is a security protocol for encrypting communications between two hosts over a network. SSL utilizes certificates to establish trust between the two hosts. The latest version of SSL is also called TLS (Transport Layer Security).

SSH is an abbreviation for Secure Shell. SSH is both a computer program and an associated network protocol designed for encrypting communications between two untrusted hosts over a network. It utilizes Public keys to provide asymmetric cryptology.


Data Encryption Solutions

Crypto Complete™ automates the encryption of System i database fields and backups with native key management and audit trails.

Protegrity™ automates the encryption of Oracle, Informix, SQL Server, Sybase, DB/2 and Teradata database fields with centralized key management and audit trails.

GoAnywhere™ automates data movement, encryption, translation and compression from one centralized solution. Runs on System i, Windows, Linux, Unix, Solaris and HP-UX.

- OpenPGP
- Secure FTP
- Key Management
- Audit Trails

- Backup Encryption
- AES
- Key Management
- Audit Trails


Encryption Customers

Over 3,000 Installations Worldwide

- BeautiControl Cosmetics
- Carolina Biological Supply
- Centersoft
- Certegy
- City of Ketchikan
- City of Redding
- Consolidated Telephone Companies
- CU*Answers
- Discovery Toys
- EOG Resources
- Fairmount Minerals
- Fidelity Express
- The Geo Group Inc.
- Hermann Sons
- Ingram Industries
- KOA Kampgrounds of America
- Korta Payments
- Landau Uniforms
- Love’s Travel Stops & Country Stores
- Mid-Continent Group
- Muscatine Foods Corporation
- Northwest Natural Gas
- Oneida Tribe of Indians of WI
- Permanent General Agency
- Rural Community Insurance Services
- Service Insurance Group
- SG Private Banking
- Silverleaf Resorts
- Slomin’s
- Sturm, Ruger & Company
- United Music
- USA Mobility Wireless
- ViaTech Publishing Solutions