The Computer Forensics Show
Conference
April 19-20, 2010
New York, NY




Deployment Strategies for Effective Encryption
Ben Rothke, CISSP, CISM, PCI QSA
Senior Security Consultant
BT Global Services
April 19, 2010
About Me


• Ben Rothke, CISSP CISM QSA

• Senior Security Consultant – BT Global Services

• In IT sector since 1988 and information security since 1994

• Frequent writer and speaker

• Author - Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)




Overview

 • Encryption internals are built on complex mathematics and
  number theory

 • Your successful encryption program requires a CISSP, CISA
  and/or PMP, not necessarily a PhD

 • Effective encryption requires attention to detail, good design,
  combined with good project management and documentation

 • Your encryption strategy must reflect this
   – This is not a monologue – ask a question, share a comment at any time.



It’s 2010 – Where’s the Encryption?


• Many roll-outs are nothing more than stop-gap solutions
• Getting it done often takes precedence over key management,
  documentation, processes, etc.
• Many organizations lack required security expertise
• These and more combine to obstruct encryption from being
  ubiquitous
• Adds up to a significant need for encryption deployment
  strategies




Encryption strategy in 3 easy steps


1. Define your requirements
2. Know where your sensitive data resides
3. Create detailed implementation plans

•   When implementing your encryption strategy, remember that
    information security is a process, not a product.




Typical encryption nightmare scenario

• Monday 9AM – Audit report released to CEO
   – Numerous failings, namely lack of strong encryption
• Monday 11 AM – CEO screams at CIO
• Monday Noon – CIO screams at CISO
• Monday 2PM – CISO screams at staff
• Tuesday – With blank check, CISO tells info security manager to order
  encryption equipment ASAP
• Thursday - Security team spends two days and nights installing/configuring
  encryption hardware and software
• Six months later – Complete disarray with regard to encryption key
  management. CEO screams at CIO, who fires the CISO.
• Next day – Interim CISO tells team to get encryption working by the
  weekend

Encryption nirvana scenario

• Initial drivers: business, technical, regulatory
• Policy phase: define drivers, data classification, policy definition
• Strategy phase: data mapping, risk modeling, control gaps
• Deployment phase: implementation, management, audit
• Result: effective encryption
Encryption challenges

  • Operating systems and application vendors haven’t made it
    easy and seamless to implement encryption
    – Lack of legacy support
  • Laws/guidelines often conflict or fail to provide effective
    guidance
  • Far too few companies have encryption policies and/or a
    formal encryption strategy
  • Costs / Performance
    – Up-front and on-going maintenance costs
    – Performance hit
    – Added technical staff

Encryption – a double-edged sword

• At one extreme: no one, not even the NSA, CIA, KGB or an evil hacker, can read your data
• At the other extreme: no one, including yourself, can read your data
• An effective encryption strategy sits between the two: strong enough to keep outsiders out, managed well enough that you never lock yourself out
Common encryption deployment mistakes

1. Thinking encryption is plug-and-play (PnP)
   – Hardware is PnP
   – Making encryption work is not
2. Going to a vendor too early
   – Vendors sell hardware/software
   – You need requirements
3. Not being transparent to end users
   – If it’s a pain to use, they will ignore/go around it.
4. Not giving enough time to design/test
   – Effective encryption roll-outs take time
   – Require significant details
   – You can’t rush this!
Dealing with vendors

• When you drive the project
  –   You define the requirements
  –   You have chosen them
  –   Vendors provide best practices / assistance
  –   Vendor input can be invaluable
  –   Project succeeds


• They are brought in as the experts
  –   They are expected to put out a fire
  –   They spec out their product
  –   You don’t have internal expertise working with them
  –   Project fails


Encryption and the technically advanced airplane paradox
• Technically advanced airplanes (TAA) in theory offer more available safety, but
  without proper training for their pilots they can be less safe than airplanes
  with less available safety
• The FAA found that without proper training for the pilots who fly them,
  technically advanced airplanes don’t advance safety at all
• A TAA presents challenges that under-prepared pilots might not be equipped to
  handle
• Encryption is exactly like a TAA
• Your staff must be trained and prepared.




Encryption Strategy


• The mathematics of cryptography is rocket science
  – But most aspects of information security, compliance and audit are not!

• Good computer security is simply attention to detail and good
  design, combined with effective project management

• Encryption strategy must reflect this
• Define what needs to be addressed in the enterprise encryption
  strategy
  – Not everyone will need encryption across the board
  – Policies need to be determined first as to what requires encryption
  – Typical candidates: any information going over the Internet, or internal source code
What should the strategy include?

  • Laptop encryption
  • Database encryption
  • Network encryption
  • Smart cards
  • Mobile encryption
  • Wireless encryption
  • Smart phones
  • iPad/iPod/iPhone
  • Application encryption
  • Storage encryption
  • PDAs
  • USB
  • Floppies/CD-ROM/DVD
  • Emerging technologies
Strategy prioritization


• Prioritize based on specific requirements and compensating
  controls
  – Start with the assumption that by default, data need not be encrypted unless
    there is a specific requirement to encrypt that data, or
  – Identify high-risk situations where encrypting data will avert disaster
• Unnecessary or poorly prioritized encryption deployments may
  do more harm than good
  –   false sense of security
  –   takes budget away from more pressing encryption requirements
  –   increases administrative burden
  –   locked out of your own data


Current state (policy phase: define drivers, data classification, policy definition)

• Evaluate current encryption strategy and policy
  – In sync with industry security best practices?
• Encryption framework in place?
• Policies in place?
• Define what regulations must be complied with
• Document current encryption hardware / software environment
Analyze your encryption needs

     •   Protect data from loss and exposure
     •   Prevent access to the system itself?
     •   Does software need to access the files after encryption?
     •   Data to be transported securely? By what means?
     •   How much user burden is acceptable?
     •   How strong does the encryption need to be?
     •   Do you need to match the solution to the hardware?
     •   Regulatory, contractual, organizational policy
     •   Ask a lot of questions at this point!



Where are your encryption keys from?


•   VPN connections
•   SSL/TLS
•   PKI/IdM
•   User-generated keys
•   File system encryption
•   Third parties
•   Trusted Platform Module (TPM)
    – Built into newer desktops and laptops




Drivers (policy phase)

• Business
  – Customer trust
  – Intellectual property
• Technical
  – AES, PGP, BitLocker, etc.
  – Increase in mobile devices
• Regulatory
  – PCI / SOX / EU Privacy Directive / ISO 17799 (renumbered ISO/IEC 27002 in 2007)
  – State data breach laws
     • Note: Keep a wider picture in mind when complying with specific mandates
Documentation and policies (policy phase)

• Encryption must be supported by policies, documentation and a formal system and
  risk management program
  – Shows work was adequately planned and supervised
  – Demonstrates internal controls were studied and evaluated
• Policy must be:
  – Endorsed by management
  – Communicated to end-users and to business partners / 3rd parties that handle
    sensitive data. If they can’t meet the company’s policies, don’t give them
    access to your data
• Responsibility for encryption should be fixed, with consequences for noncompliance
Encryption processes (policy phase)

• Encryption is process intensive
• Processes must be well-defined and documented
• If not implemented and configured properly, encryption can cause system
  performance degradation or operational hurdles
• Improperly configured encryption processes give a false sense of security
  – Perception that confidentiality of sensitive information is protected when it’s not
Data classification (policy phase)

• Provides users with information to guide security-related information handling
• Process must align with business processes
• Classification is dynamic
  – Changes as data objects move from one class to another
  – Changes as business strategies, structures and external forces change
  – Understand the potential for change
  – Embed appropriate processes to manage it
• Gartner: Organizations that do not have an effective data classification program
  usually fail at their data encryption projects.
Data classification drivers (policy phase)

Compliance, discovery, archiving, never-delete retention policy, performance,
availability, recovery attributes, etc.

Two common classification schemes:

  Four categories      Five categories
  • Secret             • Top Secret
  • Confidential       • Highly Confidential
  • Private            • Proprietary
  • Unclassified       • Internal Use Only
                       • Public
Encryption strategy (strategy phase: data mapping, risk modeling, control gaps)

• Identify all methods of data input/output
• Storage media
• Business partners and other third parties
• Applicable regulations and laws
• High-risk areas
  – Laptops
  – Wireless
  – Data backups
  – Others
Data discovery

• Identify precisely where data is stored and all data flows
• System-wide audit of all data repositories
   – Significant undertaking for large enterprises
   – Process can take months
• Required for PCI DSS compliance
   – Confirm you are not storing PCI-prohibited data (sensitive authentication data such
     as full track data, card verification codes and PINs must never be stored after
     authorization)
   – Manually review data flows within the POS application to find files where the
     results of a card swipe are written
   – PCI compliance staff should view the relevant data files and verify they are
     not storing full track data
   – Many fail PCI because they have flat (non-segmented) networks in which card
     databases aren’t separated from the rest of the network


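The data-discovery step above asks the team to confirm that no prohibited cardholder data is written to files. The Go scanner below is an added example, not code from the presentation or from any PCI tool: it walks constructed POS debug-log lines, finds digit runs that pass the Luhn check, and classifies hits that sit inside magnetic-stripe Track 1 / Track 2 layouts separately, since full track data may never be stored after authorization. The sample log lines, the regular expressions and the redacted output format are my own assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one piece of cardholder data located in a text source.
type Finding struct {
	Line     int
	Kind     string // "track1", "track2" or "pan"
	Redacted string // first six and last four digits only
}

var (
	// Track 1: format code B, the PAN, a field separator (^), the cardholder name, another ^.
	track1Re = regexp.MustCompile(`%?B(\d{13,19})\^[^^]{2,26}\^\d{4}`)
	// Track 2: ";PAN=YYMM..." up to the end sentinel.
	track2Re = regexp.MustCompile(`;?(\d{13,19})=\d{4}`)
	// A bare PAN: 13-19 digits, optionally grouped by spaces or dashes.
	panRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
)

// luhn reports whether a digit string passes the Luhn (mod 10) check, which
// filters out most order numbers, timestamps and other incidental digit runs.
func luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) >= 13 && sum%10 == 0
}

func redact(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// ScanText walks a text body line by line and returns every Luhn-valid PAN found,
// reporting track-data layouts first; a PAN already reported as track data on the
// same line is not reported a second time as a bare PAN.
func ScanText(body string) []Finding {
	var out []Finding
	for i, line := range strings.Split(body, "\n") {
		seen := map[string]bool{}
		for _, m := range track1Re.FindAllStringSubmatch(line, -1) {
			if luhn(m[1]) {
				out = append(out, Finding{i + 1, "track1", redact(m[1])})
				seen[m[1]] = true
			}
		}
		for _, m := range track2Re.FindAllStringSubmatch(line, -1) {
			if luhn(m[1]) {
				out = append(out, Finding{i + 1, "track2", redact(m[1])})
				seen[m[1]] = true
			}
		}
		for _, m := range panRe.FindAllString(line, -1) {
			digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
			if luhn(digits) && !seen[digits] {
				out = append(out, Finding{i + 1, "pan", redact(digits)})
				seen[digits] = true
			}
		}
	}
	return out
}

// SampleLog is a constructed example of a POS debug log; the PANs are the
// well-known test numbers, the order and timestamp digit runs are decoys.
const SampleLog = `2010-04-19 09:01:02 sale ok order=1234567890123 amount=19.99
2010-04-19 09:01:03 swipe raw=%B4111111111111111^DOE/JOHN^2512101000000000?
2010-04-19 09:01:03 swipe raw=;5500000000000004=25121010000012345?
2010-04-19 09:02:10 refund pan=4111 1111 1111 1111 auth=123456
2010-04-19 09:03:00 heartbeat ts=1271667780 node=pos-17`

func main() {
	for _, f := range ScanText(SampleLog) {
		fmt.Printf("line %d: %-6s %s\n", f.Line, f.Kind, f.Redacted)
	}
}
```

Run it over real log directories and database exports rather than a constant, and treat any "track1" or "track2" hit as a compliance failure to fix at the source (the POS write path), not merely a file to delete.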
Data-flow definition

(diagram slide)
Requirements analysis (strategy phase)

• Define business, technical, and operational requirements and objectives for encryption
• Define policies, architecture, and scope of encryption requirements
• Conduct interviews, review policy documents, analyze current and proposed encryption
  strategy to identify possible security gaps
• Determine liabilities
• Better requirements definition directly correlates with a successful encryption program
Legacy systems

   • Most legacy systems not designed for encryption
   • Legacy encryption options
     – Retrofitting application so that encryption is built-in to
       application functions
     – Using encryption appliance that sits between app and database
     – Off-loading encryption to storage mechanism or database
   • Hardest platform – AS/400




Full-disk / host-based encryption (at rest) (deployment phase: implementation, management, audit)

• Data encrypted at creation
  – First possible level of data security
• Little chance of encrypted data being intercepted, accidentally or maliciously
  – If intercepted, encryption renders it unreadable
  – Caveat: this protects the powered-off or locked device; once the system is booted
    and a user authenticated, the OS decrypts transparently, so malware or a logged-in
    attacker sees plaintext
• Can significantly increase processing overhead
• Requires additional processing power/expense
• Highly secure and well-suited to active data files
• Large-scale data encryption can be unwieldy and impact performance
• Vendors: Microsoft, Check Point, PGP, TrueCrypt
Appliance-based encryption (deployment phase)

• Data leaves the host unencrypted, then goes to a dedicated appliance for encryption
• After encryption, data enters the network or storage device
• Quickest to implement
• Can be easy to bypass: any path to the storage that does not pass through the
  appliance writes plaintext
• Costly
• Not easily scalable
• Good quick fix
  – for extensive data storage encryption, cost and management complexity of
    encrypting in-band can increase significantly
• Vendors: NetApp, Thales/nCipher
Storage device encryption (deployment phase)

• Data transmitted unencrypted to the storage device
• Easiest integration into existing backup environments
• Supports in-device key management
• Easy to export encrypted data to tape
• Easy to implement and cost-effective
• Best suited to static and archived data, or to encrypting large quantities of
  data for transport
• Large numbers of devices can be managed from a single key management platform
• Vendors: EMC, IBM, Hitachi
Tape-based encryption (deployment phase)

• Data can be encrypted on the tape drive
• Often the most secure option for data that leaves the building: protects against
  both off-site and on-premise loss of media
• Little or no performance penalty when the drive encrypts in hardware (e.g., LTO-4
  and later drives)
• Easy to implement
• Customer or regulator breach notification is generally not required for a lost
  encrypted tape, since the information is not accessible to unauthorized parties;
  this safe harbor assumes the keys were not lost with the tape, so keys must be
  managed and shipped separately from the media
• Enables secure shipment of data
• Allows secure reuse of tapes
• Vendors: Thales, HP, CA, Brocade, NetApp
Database encryption (deployment phase)

• DBMS-based encryption is vulnerable when the key used to encrypt the data is itself
  stored in a table inside the DB, protected only by native DBMS access controls
• Users who have access rights to the encrypted data often have access rights to the
  encryption key as well
  – Creates a security vulnerability because the encrypted text is not separated
    from the means to decrypt it
• Also doesn’t provide adequate tracking or monitoring of suspicious activities
Database encryption

Inside DBMS
• Least impact on the application
• Security vulnerability: encryption key stored in a database table
• Performance degradation
• To separate keys, additional hardware required, e.g., HSM

Outside DBMS
• Removes computational overhead from DBMS and application servers
• Separates encrypted data from the encryption key
• Communication overhead
• Must administer more servers
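The two database slides above make one point: ciphertext and the key that opens it must not live in the same place. The Go program below is an added example, not code from the presentation, showing the "outside DBMS" design as envelope encryption: each record is encrypted under a data-encryption key (DEK), the DEK is stored in the database only after being wrapped by a key-encryption key (KEK) held in the application tier or an HSM, and the same dump is then shown under the "inside DBMS" anti-pattern where the raw DEK sits in a key table. The key IDs, the test PAN and the in-memory "dump" structures are constructed for the example; AES-256-GCM from the Go standard library is the assumed cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Row is one encrypted record plus the ID of the data-encryption key (DEK) that protects it.
type Row struct {
	KeyID      string
	Ciphertext []byte
}

// Dump is everything a DBA, backup operator or SQL-injection attacker can take from the
// database: rows, and DEKs in wrapped form only. The key-encryption key (KEK) is never stored here.
type Dump struct {
	Rows        []Row
	WrappedDEKs map[string][]byte
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing is not recoverable
	}
	return b
}

// gcmFor builds AES-256-GCM; every key in this example is 32 bytes, so a failure is a programming error.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal prepends a random nonce and binds the key ID as associated data, so a ciphertext
// cannot be silently re-labelled as belonging to a different key.
func seal(key, plaintext []byte, keyID string) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, []byte(keyID))
}

// open reverses seal; an unknown key ID (nil slice) or a wrong key yields an error, never plaintext.
func open(key, sealed []byte, keyID string) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("no ciphertext for key id %q", keyID)
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], []byte(keyID))
}

// NewDEK generates a 256-bit data key; only its KEK-wrapped form is written to the database.
func NewDEK(kek []byte, keyID string, d *Dump) []byte {
	dek := randBytes(32)
	d.WrappedDEKs[keyID] = seal(kek, dek, keyID)
	return dek
}

// DecryptRow is the application path: unwrap the row's DEK with the KEK, then decrypt the field.
// With the wrong KEK the unwrap fails GCM authentication and nothing is returned.
func DecryptRow(kek []byte, d *Dump, r Row) ([]byte, error) {
	dek, err := open(kek, d.WrappedDEKs[r.KeyID], r.KeyID)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, r.KeyID)
}

// Demo encrypts a constructed test PAN and reports what the application recovers with the KEK,
// whether a dump-only attacker is blocked, and what that attacker recovers when the raw DEK is
// instead kept in a key table inside the database (the "inside DBMS" design the slide warns about).
func Demo() (appRead string, dumpOnlyBlocked bool, badDesignRead string, err error) {
	const pan, keyID = "4111111111111111", "dek-2010-04" // constructed values
	kek := randBytes(32) // production: fetched from an HSM/KMS at start-up, never persisted in the DB
	d := &Dump{WrappedDEKs: map[string][]byte{}}
	dek := NewDEK(kek, keyID, d)
	d.Rows = append(d.Rows, Row{KeyID: keyID, Ciphertext: seal(dek, []byte(pan), keyID)})

	out, err := DecryptRow(kek, d, d.Rows[0])
	if err != nil {
		return
	}
	appRead = string(out)
	_, guessErr := DecryptRow(make([]byte, 32), d, d.Rows[0]) // dump only: attacker must guess the KEK
	dumpOnlyBlocked = guessErr != nil
	keyTable := map[string][]byte{keyID: dek} // anti-pattern: raw key in a table that travels with the dump
	out, err = open(keyTable[keyID], d.Rows[0].Ciphertext, keyID)
	badDesignRead = string(out)
	return
}

func main() {
	a, blocked, b, err := Demo()
	fmt.Println("app:", a, "| dump-only attacker blocked:", blocked, "| raw key in DB, attacker reads:", b, "| err:", err)
}
```

Per-row key IDs are what make periodic key changes (PCI DSS 3.6) tractable: a new DEK is wrapped and added, old rows keep their ID until re-encrypted, and rotating the KEK means re-wrapping a handful of DEKs rather than touching every row.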
Key Management (KM)

 • Generation, distribution, storage, recovery and destruction of
   encryption keys
 • Encryption is 90% management & policy, 10% technology
 • Most encryption failures due to ineffective KM processes
 • 80% of 22 SAP testing procedures related to encryption are
   about KM
 • Effective KM policy and design requires significant time and
   effort




The n² Problem

• With symmetric cryptography, as the number of users increases, the number of keys
  required increases rapidly
• For a group of n users, n(n – 1)/2 = ½(n² – n) keys are needed for every pair to
  communicate
• As the number of parties (n) increases, the number of symmetric keys becomes
  unreasonably large for practical use

   Users     ½(n² – n)                Shared key pairs required
   2         ½(4 – 2)                 1
   3         ½(9 – 3)                 3
   10        ½(100 – 10)              45
   100       ½(10,000 – 100)          4,950
   1000      ½(1,000,000 – 1,000)     499,500
Key management questions

  •   How many keys do you need?
  •   Where are keys stored?
  •   Who has access to keys?
  •   How will you manage keys?
  •   How will you protect access to encryption keys?
  •   How often should keys change?
  •   What if key is lost or damaged?
  •   How much key management training will we need?
  •   How about disaster recovery?



PCI DSS key management requirements

  • Requirement 3.6 (PCI DSS v1.2 numbering, current in 2010)
     –   Generation of strong keys
     –   Secure key distribution
     –   Secure key storage
     –   Periodic key changes
     –   Destruction of old keys
     –   Split knowledge and dual control of keys
     –   Replacement of compromised keys
     –   Key revocation

   Ensuring all these requirements are met for multiple applications can be
   overwhelming.


Key Management

  • Keys must be accessible for the data to be accessible
     – If too accessible, higher risk of compromise
  • Reliability
     – Outage in the system will prevent business from functioning
  • Centralized key management
     – Can help simplify key management for multiple applications




Key generation and destruction

• Generation
  – FIPS 140-2 validated cryptographic module
  – Distribution
     • Manual
     • Electronic
  – Backup/restore
  – Split knowledge
  – Destruction
• Destruction
  – Getting rid of keys is just as detailed as creating them
  – Processes must deal with keys stored on:
     • Hard drives
     • USB
     • EPROM
     • Third parties
  – Facilities must exist to destroy hard copies of keys, both on paper and in hardware
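The generation list above names split knowledge, and the destruction column demands that every copy of a key is wiped. The Go code below is an added example, not from the slides: it generates a 256-bit key, splits it into XOR components for separate custodians (no single custodian holds the key and all must be present to rebuild it, the split-knowledge and dual-control pattern PCI DSS 3.6 calls for), records key check values (KCVs) so each component and the reassembled key can be verified without ever displaying them, and zeroises key material when done. The custodian names and the 3-byte AES-based KCV convention are assumptions; in production the generation and reassembly belong inside a FIPS 140-2 validated module rather than in application memory.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Component is one custodian's share of a key. The key is the XOR of all shares, so a
// single share reveals nothing (split knowledge) and reassembly needs every custodian
// present (dual control).
type Component struct {
	Custodian string
	Share     []byte
	KCV       string // check value of this share, to catch a mistyped or swapped component
}

// kcv is the conventional key check value: the first 3 bytes, hex-encoded, of AES(key, 0^16).
// It lets an operator confirm a key or component without the key itself being shown.
func kcv(key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, make([]byte, aes.BlockSize))
	return hex.EncodeToString(out[:3]), nil
}

// GenerateSplitKey creates a random 256-bit key, splits it into one XOR component per
// custodian and returns the components plus the KCV of the whole key for the inventory
// record. The assembled key is zeroised before returning, so it exists in one piece only
// for the instant needed to compute its KCV.
func GenerateSplitKey(custodians []string) ([]Component, string, error) {
	if len(custodians) < 2 {
		return nil, "", errors.New("dual control needs at least two custodians")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, "", err
	}
	inventoryKCV, err := kcv(key)
	if err != nil {
		return nil, "", err
	}
	comps := make([]Component, len(custodians))
	remainder := append([]byte(nil), key...)
	for i := 0; i < len(custodians)-1; i++ {
		share := make([]byte, 32)
		if _, err := rand.Read(share); err != nil {
			return nil, "", err
		}
		for j := range remainder {
			remainder[j] ^= share[j]
		}
		c, _ := kcv(share)
		comps[i] = Component{custodians[i], share, c}
	}
	c, _ := kcv(remainder) // the last share is whatever XORs the others back to the key
	comps[len(comps)-1] = Component{custodians[len(comps)-1], remainder, c}
	Zeroize(key)
	return comps, inventoryKCV, nil
}

// Reconstruct checks each component against its KCV, XORs them together and verifies
// the result against the inventory KCV before releasing the key to the caller.
func Reconstruct(comps []Component, inventoryKCV string) ([]byte, error) {
	key := make([]byte, 32)
	for _, c := range comps {
		if got, err := kcv(c.Share); err != nil || got != c.KCV {
			Zeroize(key)
			return nil, fmt.Errorf("component from %s fails its check value", c.Custodian)
		}
		for j := range key {
			key[j] ^= c.Share[j]
		}
	}
	if got, _ := kcv(key); got != inventoryKCV {
		Zeroize(key)
		return nil, errors.New("assembled key does not match inventory KCV (missing or wrong component)")
	}
	return key, nil
}

// Zeroize overwrites key material in place. Destruction means calling it on every copy:
// components, the assembled key and any working buffer.
func Zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// IsZeroized reports whether a buffer holds only zero bytes (used to verify destruction).
func IsZeroized(b []byte) bool { return bytes.Equal(b, make([]byte, len(b))) }

func main() {
	comps, inv, err := GenerateSplitKey([]string{"custodian-A", "custodian-B", "custodian-C"}) // constructed names
	if err != nil {
		panic(err)
	}
	key, err := Reconstruct(comps, inv)
	fmt.Println("inventory KCV:", inv, "| reconstructed:", err == nil)
	Zeroize(key)
	for i := range comps {
		Zeroize(comps[i].Share)
	}
}
```

The inventory KCV is what goes on the key-inventory record and the custodian forms; it identifies a key for audit and ceremony purposes without exposing it, and it is the value an auditor compares when checking that the key loaded into an HSM is the one the records say it is.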
OASIS Enterprise Key Management Infrastructure (EKMI)
   • Focused on standardizing management of symmetric
     encryption cryptographic keys across the enterprise within a
     symmetric KM system
   • Working on creation of:
     –   Symmetric Key Services Markup Language (SKSML) protocol
     –   Implementation and operations guidelines for an SKMS
     –   Audit guidelines for auditing an SKMS
     –   Interoperability test-suite for SKSML implementations
     –   www.oasis-open.org/committees/ekmi/




For more information


• Guideline for Implementing Cryptography in the Federal
  Government
  – http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf
• Cryptographic Toolkit
  – http://csrc.nist.gov/groups/ST/toolkit/index.html
• Recommendation for Key Management
  – http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
  – http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf
• Encryption Strategies: The Key to Controlling Data
  – www.sun.com/encryption/wp/encryption_strategies_wp.pdf




Books

(image slide)
Conclusions


• Organizations that do not have an effective data
  classification program usually fail at their data encryption
  projects
• Creating an effective deployment strategy is the
  difference between strong encryption and an audit failure
• Encryption is about attention to detail, good design and
  project management




The Computer Forensics Show Conference
Forensic Trade Shows, LLC, 94 Field Point Circle, Greenwich, CT 06830 | Tel.: (203) 661-4312 | Fax: (203) 869-0283
info@computerforensicshow.com

New York Metro InfraGard, 249-12 Jericho Turnpike, Suite 252, Floral Park, NY 11001 | Tel.: (516) 216-1869 | Fax:
(516) 216-1870 | info@www.nym-infragard.us




 • Ben Rothke, CISSP PCI QSA
 Senior Security Consultant
 BT Global Services
 ben.rothke@bt.com

 • www.linkedin.com/in/benrothke
 • www.twitter.com/benrothke



Rothke rsa 2013 - deployment strategies for effective encryptionBen Rothke
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systemsBen Rothke
 
GxP in the Cloud is a good practice. Here's why.
GxP in the Cloud is a good practice. Here's why.GxP in the Cloud is a good practice. Here's why.
GxP in the Cloud is a good practice. Here's why.Appian
 
The Future Of Work & The Work Of The Future
The Future Of Work & The Work Of The FutureThe Future Of Work & The Work Of The Future
The Future Of Work & The Work Of The FutureArturo Pelayo
 

Andere mochten auch (7)

GxP Feb 2016
GxP Feb 2016GxP Feb 2016
GxP Feb 2016
 
Myths of validation
Myths of validationMyths of validation
Myths of validation
 
E5 rothke - deployment strategies for effective encryption
E5   rothke - deployment strategies for effective encryptionE5   rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryption
 
Rothke rsa 2013 - deployment strategies for effective encryption
Rothke   rsa 2013 - deployment strategies for effective encryptionRothke   rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryption
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systems
 
GxP in the Cloud is a good practice. Here's why.
GxP in the Cloud is a good practice. Here's why.GxP in the Cloud is a good practice. Here's why.
GxP in the Cloud is a good practice. Here's why.
 
The Future Of Work & The Work Of The Future
The Future Of Work & The Work Of The FutureThe Future Of Work & The Work Of The Future
The Future Of Work & The Work Of The Future
 

Ähnlich wie Computer Forensics Conference Encryption Deployment Strategies

Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to ComplianceSecurity Innovation
 
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)Precisely
 
Rightscale Webinar: PCI in Public Cloud
Rightscale Webinar: PCI in Public CloudRightscale Webinar: PCI in Public Cloud
Rightscale Webinar: PCI in Public CloudRightScale
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourleyGovCloud Network
 
Understanding Zero Trust Security for IBM i
Understanding Zero Trust Security for IBM iUnderstanding Zero Trust Security for IBM i
Understanding Zero Trust Security for IBM iPrecisely
 
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...Skoda Minotti
 
Key Concepts for Protecting the Privacy of IBM i Data
Key Concepts for Protecting the Privacy of IBM i DataKey Concepts for Protecting the Privacy of IBM i Data
Key Concepts for Protecting the Privacy of IBM i DataPrecisely
 
Starting your Career in Information Security
Starting your Career in Information SecurityStarting your Career in Information Security
Starting your Career in Information SecurityAhmed Sayed-
 
Extending security in the cloud network box - v4
Extending security in the cloud   network box - v4Extending security in the cloud   network box - v4
Extending security in the cloud network box - v4Valencell, Inc.
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Mobile security blunders and what you can do about them
Mobile security blunders and what you can do about themMobile security blunders and what you can do about them
Mobile security blunders and what you can do about themBen Rothke
 
Career In Information security
Career In Information securityCareer In Information security
Career In Information securityAnant Shrivastava
 
Comprehensive Security for the Enterprise IV: Visibility Through a Single End...
Comprehensive Security for the Enterprise IV: Visibility Through a Single End...Comprehensive Security for the Enterprise IV: Visibility Through a Single End...
Comprehensive Security for the Enterprise IV: Visibility Through a Single End...Cloudera, Inc.
 
AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014KBIZEAU
 
Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012Trend Micro
 
Rothke - A Pragmatic Approach To Purchasing Information Security Products
Rothke - A Pragmatic Approach To Purchasing Information Security ProductsRothke - A Pragmatic Approach To Purchasing Information Security Products
Rothke - A Pragmatic Approach To Purchasing Information Security ProductsBen Rothke
 
093049ov4.pptx
093049ov4.pptx093049ov4.pptx
093049ov4.pptxNguyenNM
 

Ähnlich wie Computer Forensics Conference Encryption Deployment Strategies (20)

Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to Compliance
 
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
 
Rightscale Webinar: PCI in Public Cloud
Rightscale Webinar: PCI in Public CloudRightscale Webinar: PCI in Public Cloud
Rightscale Webinar: PCI in Public Cloud
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourley
 
Understanding Zero Trust Security for IBM i
Understanding Zero Trust Security for IBM iUnderstanding Zero Trust Security for IBM i
Understanding Zero Trust Security for IBM i
 
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
 
Key Concepts for Protecting the Privacy of IBM i Data
Key Concepts for Protecting the Privacy of IBM i DataKey Concepts for Protecting the Privacy of IBM i Data
Key Concepts for Protecting the Privacy of IBM i Data
 
Starting your Career in Information Security
Starting your Career in Information SecurityStarting your Career in Information Security
Starting your Career in Information Security
 
Extending security in the cloud network box - v4
Extending security in the cloud   network box - v4Extending security in the cloud   network box - v4
Extending security in the cloud network box - v4
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
BREACHED: Data Centric Security for SAP
BREACHED: Data Centric Security for SAPBREACHED: Data Centric Security for SAP
BREACHED: Data Centric Security for SAP
 
Mobile security blunders and what you can do about them
Mobile security blunders and what you can do about themMobile security blunders and what you can do about them
Mobile security blunders and what you can do about them
 
Career In Information security
Career In Information securityCareer In Information security
Career In Information security
 
Comprehensive Security for the Enterprise IV: Visibility Through a Single End...
Comprehensive Security for the Enterprise IV: Visibility Through a Single End...Comprehensive Security for the Enterprise IV: Visibility Through a Single End...
Comprehensive Security for the Enterprise IV: Visibility Through a Single End...
 
Insider Threat Experiences
Insider Threat ExperiencesInsider Threat Experiences
Insider Threat Experiences
 
AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014
 
Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012
 
Andrew kozma - security 101 - atlseccon2011
Andrew kozma - security 101 - atlseccon2011Andrew kozma - security 101 - atlseccon2011
Andrew kozma - security 101 - atlseccon2011
 
Rothke - A Pragmatic Approach To Purchasing Information Security Products
Rothke - A Pragmatic Approach To Purchasing Information Security ProductsRothke - A Pragmatic Approach To Purchasing Information Security Products
Rothke - A Pragmatic Approach To Purchasing Information Security Products
 
093049ov4.pptx
093049ov4.pptx093049ov4.pptx
093049ov4.pptx
 

Mehr von Ben Rothke

Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012   what happens in vegas goes on youtube using social networks...Rothke rsa 2012   what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...Ben Rothke
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke   rsa 2013 - the five habits of highly secure organizationsRothke   rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizationsBen Rothke
 
Lessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt   from national cyber security nationalcybersecurity comLessons from ligatt   from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity comBen Rothke
 
Lessons from ligatt
Lessons from ligattLessons from ligatt
Lessons from ligattBen Rothke
 
Interop 2011 las vegas - session se31 - rothke
Interop 2011   las vegas - session se31 - rothkeInterop 2011   las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothkeBen Rothke
 
Infosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperInfosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperBen Rothke
 
Rothke computer forensics show 2010
Rothke   computer forensics show 2010Rothke   computer forensics show 2010
Rothke computer forensics show 2010Ben Rothke
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeBen Rothke
 
Webinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceWebinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceBen Rothke
 
La nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui   un livre blanc clearswiftLa nécessité de la dlp aujourd’hui   un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswiftBen Rothke
 
The Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperThe Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperBen Rothke
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
Infotec 2010 Ben Rothke - social networks and information security
Infotec 2010   Ben Rothke - social networks and information security Infotec 2010   Ben Rothke - social networks and information security
Infotec 2010 Ben Rothke - social networks and information security Ben Rothke
 
Ben Rothke Getting A Handle On Wireless Security For Pci Dss Compliance
Ben Rothke   Getting A Handle On Wireless Security For Pci Dss ComplianceBen Rothke   Getting A Handle On Wireless Security For Pci Dss Compliance
Ben Rothke Getting A Handle On Wireless Security For Pci Dss ComplianceBen Rothke
 
Virtualization, Cloud Computing And The Pci Dss
Virtualization, Cloud Computing And The Pci DssVirtualization, Cloud Computing And The Pci Dss
Virtualization, Cloud Computing And The Pci DssBen Rothke
 
Ben Rothke RSA PK 2010
Ben Rothke   RSA PK 2010Ben Rothke   RSA PK 2010
Ben Rothke RSA PK 2010Ben Rothke
 
Rothke Using Kazaa To Test Your Security Posture
Rothke   Using Kazaa To Test Your Security PostureRothke   Using Kazaa To Test Your Security Posture
Rothke Using Kazaa To Test Your Security PostureBen Rothke
 
In Sync Network Time Ben Rothke
In Sync Network Time   Ben RothkeIn Sync Network Time   Ben Rothke
In Sync Network Time Ben RothkeBen Rothke
 

Mehr von Ben Rothke (20)

Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012   what happens in vegas goes on youtube using social networks...Rothke rsa 2012   what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke   rsa 2013 - the five habits of highly secure organizationsRothke   rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizations
 
Lessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt   from national cyber security nationalcybersecurity comLessons from ligatt   from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity com
 
Lessons from ligatt
Lessons from ligattLessons from ligatt
Lessons from ligatt
 
Interop 2011 las vegas - session se31 - rothke
Interop 2011   las vegas - session se31 - rothkeInterop 2011   las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothke
 
Infosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperInfosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. Hooper
 
Rothke computer forensics show 2010
Rothke   computer forensics show 2010Rothke   computer forensics show 2010
Rothke computer forensics show 2010
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - Rothke
 
Webinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceWebinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS Compliance
 
La nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui   un livre blanc clearswiftLa nécessité de la dlp aujourd’hui   un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswift
 
The Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperThe Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White Paper
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
Infotec 2010 Ben Rothke - social networks and information security
Infotec 2010   Ben Rothke - social networks and information security Infotec 2010   Ben Rothke - social networks and information security
Infotec 2010 Ben Rothke - social networks and information security
 
Ben Rothke Getting A Handle On Wireless Security For Pci Dss Compliance
Ben Rothke   Getting A Handle On Wireless Security For Pci Dss ComplianceBen Rothke   Getting A Handle On Wireless Security For Pci Dss Compliance
Ben Rothke Getting A Handle On Wireless Security For Pci Dss Compliance
 
Virtualization, Cloud Computing And The Pci Dss
Virtualization, Cloud Computing And The Pci DssVirtualization, Cloud Computing And The Pci Dss
Virtualization, Cloud Computing And The Pci Dss
 
Ben Rothke RSA PK 2010
Ben Rothke   RSA PK 2010Ben Rothke   RSA PK 2010
Ben Rothke RSA PK 2010
 
Rothke Using Kazaa To Test Your Security Posture
Rothke   Using Kazaa To Test Your Security PostureRothke   Using Kazaa To Test Your Security Posture
Rothke Using Kazaa To Test Your Security Posture
 
In Sync Network Time Ben Rothke
In Sync Network Time   Ben RothkeIn Sync Network Time   Ben Rothke
In Sync Network Time Ben Rothke
 

Kürzlich hochgeladen

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 

Kürzlich hochgeladen (20)

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 

Computer Forensics Conference Encryption Deployment Strategies

  • 6. Typical encryption nightmare scenario
    • Monday 9AM – Audit report released to CEO
      – Numerous failings, namely lack of strong encryption
    • Monday 11AM – CEO screams at CIO
    • Monday noon – CIO screams at CISO
    • Monday 2PM – CISO screams at staff
    • Tuesday – With a blank check, CISO tells the information security manager to order encryption equipment ASAP
    • Thursday – Security team spends two days and nights installing/configuring encryption hardware and software
    • Six months later – Complete disarray with regard to encryption key management. CEO screams at CIO, who fires the CISO.
    • Next day – Interim CISO tells the team to get encryption working by the weekend
7. Encryption nirvana scenario

[Diagram: Define Drivers (Initial Drivers – Business, Technical, Regulatory; Policy; Data Classification; Policy Definition) → Strategy (Data Mapping; Risk Modeling; Control Gaps) → Deployment (Implementation; Management; Audit) → Effective Encryption]
8. Encryption challenges

• Operating systems and application vendors haven’t made it easy and seamless to implement encryption
  – Lack of legacy support
• Laws/guidelines often conflict or fail to provide effective guidance
• Far too few companies have encryption policies and/or a formal encryption strategy
• Costs / Performance
  – Up-front and on-going maintenance costs
  – Performance hit
  – Added technical staff
9. Encryption – a double-edged sword

[Diagram: a balance labelled “Effective Encryption Strategy”, weighing two outcomes]
• On one side: No one, not even NSA, CIA, KGB, or evil hacker, can read your data
• On the other side: No one, including yourself, can read your data
10. Common encryption deployment mistakes

1. Thinking encryption is PnP
   – Hardware is PnP
   – Making encryption work is not
2. Going to a vendor too early
   – Vendors sell hardware/software
   – You need requirements
3. Not being transparent to end users
   – If it’s a pain to use, they will ignore/go around it.
4. Not giving enough time to design/test
   – Effective encryption roll-outs take time
   – Require significant details
   – You can’t rush this!
11. Dealing with vendors

• When you drive the project
  – You define the requirements
  – You have chosen them
  – Vendor provides best practices / assistance
  – Vendor input can be invaluable
  – Project succeeds
• When they are brought in as the experts
  – They are expected to put out a fire
  – They spec out their product
  – You don’t have internal expertise working with them
  – Project fails
12. Encryption and the technically advanced airplane paradox

• TAA in theory have more available safety, but without proper training for their pilots, they could be less safe than airplanes with less available safety
• FAA found that without proper training for the pilots who fly them, technically advanced airplanes don’t advance safety at all
• TAA presents challenges that under-prepared pilots might not be equipped to handle
• Encryption is exactly like a TAA
• Your staff must be trained and prepared.
13. Encryption Strategy

• Mathematics of cryptography is rocket science
  – But most aspects of information security, compliance and audit are not!
• Good computer security is simply attention to detail and good design, combined with effective project management
• Encryption strategy must reflect this
• Define what needs to be addressed in the enterprise encryption strategy
  – Not everyone will need encryption across the board
  – Policies need to be determined first as to what requires encryption
  – Any information going over the Internet or internal source code
14. What should the strategy include?

• Laptop encryption
• Database encryption
• Network encryption
• Smart cards
• Mobile encryption
• Wireless encryption
• Smart phones
• iPad/iPod/iPhone
• Application encryption
• Storage encryption
• PDAs
• USB
• Floppies/CD-ROM/DVD
• Emerging technologies
15. Strategy prioritization

• Prioritize based on specific requirements and compensating controls
  – Start with the assumption that by default, data need not be encrypted unless there is a specific requirement to encrypt that data, or
  – Identify high-risk situations where encrypting data will avert disaster
• Unnecessary or poorly prioritized encryption deployments may do more harm than good
  – false sense of security
  – takes budget away from more pressing encryption requirements
  – increases administrative burden
  – locked out of your own data
16. Current state

• Evaluate current encryption strategy and policy
  – In sync with industry security best practices?
• Encryption framework in place?
• Policies in place?
• Define what regulations must be complied with
• Document current encryption hardware / software environment
17. Analyze your encryption needs

• Protect data from loss and exposure
• Prevent access to the system itself?
• Does software need to access the files after encryption?
• Data to be transported securely? By what means?
• How much user burden is acceptable?
• How strong does the encryption need to be?
• Do you need to match the solution to the hardware?
• Regulatory, contractual, organizational policy
• Ask a lot of questions at this point!
18. Where are your encryption keys from?

• VPN connections
• SSL/TLS
• PKI/IdM
• User-generated keys
• File system encryption
• Third parties
• Trusted Platform Module (TPM)
  – Built into new desktops and laptops
19. Drivers

• Business
  – Customer trust
  – Intellectual property
• Technical
  – AES, PGP, BitLocker, etc.
  – Increase in mobile devices
• Regulatory
  – PCI / SoX / EU Privacy directive / ISO-17799
  – State data breach laws
• Note: Keep a wider picture in mind when complying with specific mandates
20. Documentation and policies

• Encryption must be supported by policies, documentation and a formal system and risk management program
  – Shows work was adequately planned and supervised
  – Demonstrates internal controls were studied and evaluated
• Policy must be:
  – Endorsed by management
  – Communicated to end-users and business partners / 3rd parties that handle sensitive data. If they can’t meet the company’s policies, don’t give them access to your data
• Encryption responsibility should be fixed, with consequences for noncompliance
21. Encryption processes

• Encryption is process intensive
• Must be well-defined and documented
• If not implemented and configured properly, can cause system performance degradation or operational hurdles
• Improperly configured encryption processes give a false sense of security
  – Perception that confidentiality of sensitive information is protected when it’s not
22. Data classification

• Provides users with information to guide security-related information handling
• Process must align with business processes
• Classification is dynamic
  – Changes as data objects move from one class to another
  – Changes as business strategies, structures and external forces change
  – Understand potential for change
  – Embed appropriate processes to manage it
• Gartner: Organizations that do not have an effective data classification program usually fail at their data encryption projects.
23. Data classification drivers

Compliance, discovery, archiving, never-delete retention policy, performance, availability, recovery attributes, etc.

Four Category          Five Category
• Secret               • Top Secret
• Confidential         • Highly Confidential
• Private              • Proprietary
• Unclassified         • Internal Use Only
                       • Public
24. Encryption strategy

• Identify all methods of data input/output
• Storage media
• Business partners and other third parties
• Applicable regulations and laws
• High-risk areas
  – Laptops
  – Wireless
  – Data backups
  – Others
25. Data discovery

• Identify precisely where data is stored and all data flows
• System-wide audit of all data repositories
  – Significant undertaking for large enterprises
  – Process can take months
• Required to comply with PCI?
  – Confirm you are not storing PCI-prohibited data
  – Manually review data flows within POS application to find files where results of card swipe are written
  – PCI compliance staff should view relevant data files and verify they are not storing full track data
  – Many fail PCI since they have flat (non-partitioned) networks in which card databases aren’t segmented from rest of network
27. Requirements analysis

• Define business, technical, and operational requirements and objectives for encryption
• Define policies, architecture, and scope of encryption requirements
• Conduct interviews, review policy documents, analyze current and proposed encryption strategy to identify possible security gaps
• Determine liabilities
• Better requirements definition directly correlates to successful encryption program
28. Legacy systems

• Most legacy systems not designed for encryption
• Legacy encryption options
  – Retrofitting application so that encryption is built in to application functions
  – Using encryption appliance that sits between app and database
  – Off-loading encryption to storage mechanism or database
• Hardest platform – AS/400
29. Full-disk / host-based encryption (at rest)

• Data encrypted at creation
  – First possible level of data security
• Little chance of encrypted data being intercepted, accidentally or maliciously
  – If intercepted, encryption renders it unreadable
• Can significantly increase processing overhead
• Requires additional processing power/expense
• Highly secure and well-suited to active data files
• Large-scale data encryption can be unwieldy and impact performance
• Vendors: Microsoft, Check Point, PGP, TrueCrypt
30. Appliance-based encryption

• Data leaves host unencrypted, then goes to dedicated appliance for encryption
• After encryption, data enters network or storage device
• Quickest to implement
• Can be easy to bypass
• Costly
• Not easily scalable
• Good quick fix – for extensive data storage encryption, cost and management complexity of encrypting in-band can increase significantly
• Vendors: NetApp, Thales/nCipher
31. Storage device encryption

• Data transmitted unencrypted to storage device
• Easiest integration into existing backup environments
• Supports in-device key management
• Easy to export encrypted data to tape
• Easy to implement and cost-effective
• Best suited to static and archived data or encrypting large quantities of data for transport
• Large numbers of devices can be managed from single key management platform
• Vendors: EMC, IBM, Hitachi
32. Tape-based encryption

• Data can be encrypted on tape drive
• Most secure solution
• No performance penalty
• Easy to implement
• Customer or regulatory body notification not required, as information not accessible to unauthorized parties
• Provides protection from both offsite and on-premise information loss
• Enables secure shipment of data
• Allows secure reuse of tapes
• Vendors: Thales, HP, CA, Brocade, NetApp
33. Database encryption

• DBMS-based encryption is vulnerable when the encryption key used to encrypt data stored in a DB table is kept inside the DB, protected only by native DBMS access controls
• Users who have access rights to encrypted data often have access rights to the encryption key
  – Creates security vulnerability because encrypted text is not separated from the means to decrypt it
• Also doesn’t provide adequate tracking or monitoring of suspicious activities
34. Database encryption

Inside DBMS
• Least impact on app
• Security vulnerability – encryption key stored in database table
• Performance degradation
• To separate keys, additional hardware required, e.g., HSM

Outside DBMS
• Remove computational overhead from DBMS and application servers
• Separate encrypted data from encrypted key
• Communication overhead
• Must administer more servers
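The two designs of slides 33 and 34 side by side, as an added example that is not part of the original deck. The in-memory SQLite schema, the toy keystream cipher, the “ExternalKeyService” stand-in for an HSM/KMS, the role names and the sample card number are all constructed for illustration; the point is only where the key lives and who can reach it.

```python
import hashlib
import sqlite3

# Toy keystream cipher, constructed for illustration only: keystream byte i is
# SHA-256(key || i)[0]. The lesson is WHERE the key lives, not the cipher;
# production code uses a vetted AEAD such as AES-GCM.
def toy_crypt(key: bytes, data: bytes) -> bytes:
    return bytes(b ^ hashlib.sha256(key + i.to_bytes(4, "big")).digest()[0]
                 for i, b in enumerate(data))

SAMPLE_KEY = b"constructed-sample-key-32-bytes!"   # placeholder, not a real key
SAMPLE_PAN = b"4111111111111111"                   # well-known test card number

def build_inside_dbms_db() -> sqlite3.Connection:
    """Slide 33/34 'inside DBMS' design: the key sits in a table in the same DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE enc_keys (key_id INTEGER PRIMARY KEY, key_bytes BLOB)")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, pan_enc BLOB, key_id INTEGER)")
    db.execute("INSERT INTO enc_keys VALUES (1, ?)", (SAMPLE_KEY,))
    db.execute("INSERT INTO customers VALUES (1, ?, 1)", (toy_crypt(SAMPLE_KEY, SAMPLE_PAN),))
    return db

def read_pan_inside(db: sqlite3.Connection) -> bytes:
    """Anyone who can SELECT from both tables recovers plaintext with no further control."""
    enc, key_id = db.execute("SELECT pan_enc, key_id FROM customers WHERE id = 1").fetchone()
    (key,) = db.execute("SELECT key_bytes FROM enc_keys WHERE key_id = ?", (key_id,)).fetchone()
    return toy_crypt(key, enc)

class ExternalKeyService:
    """Stand-in for an HSM/KMS outside the DBMS (constructed; not a real product API).
    Keys never leave it; callers get decrypt as a service, gated by role."""
    def __init__(self) -> None:
        self._keys = {1: SAMPLE_KEY}
        self._may_decrypt = {"payment-app"}      # the reporting role is NOT listed

    def encrypt(self, key_id: int, data: bytes) -> bytes:
        return toy_crypt(self._keys[key_id], data)

    def decrypt(self, role: str, key_id: int, enc: bytes) -> bytes:
        if role not in self._may_decrypt:
            raise PermissionError(f"role {role!r} may not use key {key_id}")  # log + alert here
        return toy_crypt(self._keys[key_id], enc)

def build_outside_dbms_db(kms: ExternalKeyService) -> sqlite3.Connection:
    """'Outside DBMS' design: the table holds only a key reference, never key material."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, pan_enc BLOB, key_id INTEGER)")
    db.execute("INSERT INTO customers VALUES (1, ?, 1)", (kms.encrypt(1, SAMPLE_PAN),))
    return db

def read_pan_outside(db: sqlite3.Connection, kms: ExternalKeyService, role: str) -> bytes:
    """Database access alone is not enough; the key service decides per role."""
    enc, key_id = db.execute("SELECT pan_enc, key_id FROM customers WHERE id = 1").fetchone()
    return kms.decrypt(role, key_id, enc)
```

The refused decrypt in the second design is also the place where the “tracking or monitoring of suspicious activities” that slide 33 says native DBMS encryption lacks can be logged.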
35. Key Management (KM)

• Generation, distribution, storage, recovery and destruction of encryption keys
• Encryption is 90% management & policy, 10% technology
• Most encryption failures due to ineffective KM processes
• 80% of 22 SAP testing procedures related to encryption are about KM
• Effective KM policy and design requires significant time and effort
36. The n² Problem

• With symmetric cryptography, as number of users increases, number of keys required increases rapidly
• For group of n users, there needs to be ½(n² – n) keys for total communications
• As number of parties (n) increases, number of symmetric keys becomes unreasonably large for practical use

Users   ½(n² – n)                 Shared key pairs required
2       ½(4 – 2)                  1
3       ½(9 – 3)                  3
10      ½(100 – 10)               45
100     ½(10,000 – 100)           4,950
1000    ½(1,000,000 – 1,000)      499,500
37. Key management questions

• How many keys do you need?
• Where are keys stored?
• Who has access to keys?
• How will you manage keys?
• How will you protect access to encryption keys?
• How often should keys change?
• What if key is lost or damaged?
• How much key management training will we need?
• How about disaster recovery?
38. PCI DSS key management requirements

• Requirement 3.6
  – Generation of strong keys
  – Secure key distribution
  – Periodic key changes
  – Destruction of old keys
  – Dual control of keys
  – Replacement of compromised keys
  – Key revocation

Ensuring all these requirements are met for multiple applications can be overwhelming.
39. Key Management

• Keys must be accessible for the data to be accessible
  – If too accessible, higher risk of compromise
• Reliability
  – Outage in the system will prevent business from functioning
• Centralized key management
  – Can help simplify key management for multiple applications
40. Key generation and destruction

• Generation
  – FIPS 140-2 validated cryptographic module
  – Distribution
    • Manual
    • Electronic
  – Backup/restore
  – Split knowledge
  – Destruction
• Destruction
  – Getting rid of keys is just as detailed as creating them
  – Processes must deal with keys stored on:
    • Hard drives
    • USB
    • EPROM
    • Third parties
  – Facilities must exist to destroy hard copies of key, both on paper and in hardware
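A small key-ceremony walk-through for the “split knowledge” and “destruction” items on slide 40 and the “dual control of keys” requirement of PCI DSS 3.6 on slide 38, added here as an example that is not from the original deck. It assumes XOR components as the splitting scheme and uses Python’s secrets module as a stand-in for the RNG of a FIPS 140-2 validated module; the key-check-value format (first three bytes of SHA-256) is also an assumption.

```python
import hashlib
import secrets
from functools import reduce

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def generate_key(length: int = 32) -> bytes:
    # secrets.token_bytes stands in for a FIPS 140-2 validated module's RNG (assumption).
    return secrets.token_bytes(length)

def split_key(key: bytes, custodians: int) -> list:
    """Split knowledge: one XOR component per custodian. All of them are needed to
    rebuild the key; any subset of fewer components is uniformly random."""
    if custodians < 2:
        raise ValueError("dual control needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    return parts + [reduce(xor_bytes, parts, key)]   # last component makes the XOR equal key

def combine_key(parts: list) -> bytes:
    """Key ceremony: every custodian enters their component; XOR of all restores the key."""
    return reduce(xor_bytes, parts)

def key_check_value(key: bytes) -> str:
    """Short fingerprint (first 3 bytes of SHA-256) recorded at generation so the rebuilt
    key can be confirmed without anyone ever seeing or printing the key itself."""
    return hashlib.sha256(key).hexdigest()[:6]

def destroy(component: bytearray) -> None:
    """Zeroize a component buffer once the ceremony is over (slide 40: destruction is as
    detailed as generation; paper and hardware copies need their own procedures)."""
    for i in range(len(component)):
        component[i] = 0

def ceremony(custodians: int = 3) -> dict:
    """End-to-end: generate, split, hand out, rebuild, verify against the KCV, zeroize."""
    key = generate_key()
    kcv = key_check_value(key)
    parts = [bytearray(p) for p in split_key(key, custodians)]   # one per custodian
    rebuilt = combine_key([bytes(p) for p in parts])
    ok = key_check_value(rebuilt) == kcv
    for p in parts:
        destroy(p)
    return {"kcv": kcv, "verified": ok, "all_zeroized": all(not any(p) for p in parts)}
```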
41. OASIS Enterprise Key Management Infrastructure (EKMI)

• Focused on standardizing management of symmetric encryption cryptographic keys across the enterprise within a symmetric KM system
• Working on creation of:
  – Symmetric Key Services Markup Language (SKSML) protocol
  – Implementation and operations guidelines for an SKMS
  – Audit guidelines for auditing an SKMS
  – Interoperability test-suite for SKSML implementations
  – www.oasis-open.org/committees/ekmi/
42. For more information

• Guideline for Implementing Cryptography in the Federal Government
  – http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf
• Cryptographic Toolkit
  – http://csrc.nist.gov/groups/ST/toolkit/index.html
• Recommendation for Key Management
  – http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
  – http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf
• Encryption Strategies: The Key to Controlling Data
  – www.sun.com/encryption/wp/encryption_strategies_wp.pdf
43. Books
44. Conclusions

• Organizations that do not have an effective data classification program usually fail at their data encryption projects
• Creating an effective deployment strategy is the difference between strong encryption and an audit failure
• Encryption is about attention to detail, good design and project management
45. The Computer Forensics Show Conference

Forensic Trade Shows, LLC, 94 Field Point Circle, Greenwich, CT 06830 | Tel.: (203) 661-4312 | Fax: (203) 869-0283 | info@computerforensicshow.com
New York Metro InfraGard, 249-12 Jericho Turnpike, Suite 252, Floral Park, NY 11001 | Tel.: (516) 216-1869 | Fax: (516) 216-1870 | info@www.nym-infragard.us

• Ben Rothke, CISSP PCI QSA
  Senior Security Consultant, BT Global Services
  ben.rothke@bt.com
• www.linkedin.com/in/benrothke
• www.twitter.com/benrothke