
1 Encryption Information Forum Theresa A. Masse, State Chief Information Security Officer Department of Administrative Services Enterprise Security Office.


1 Encryption Information Forum
Theresa A. Masse, State Chief Information Security Officer
Department of Administrative Services, Enterprise Security Office

2 Agenda
- Encryption overview
- Agency Panel: Oregon Department of Transportation, Oregon Employment Department, Oregon Lottery
- Statewide Contracts
- Q&A

3 Encryption Overview
Richard Woodford, Security Analyst, Enterprise Security Office, Department of Administrative Services

4 What is encryption?
“In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.” -Wikipedia (2008)

5 Need for Encryption …
- Keep confidential information safe
- Prevent exposure of information while in transit across an unsecure medium
- Prevent exposure of information when a storage device is lost or stolen
- Oregon Identity Theft Protection Act (Senate Bill 583) “safe harbor”
- Due care

6 Oregon Consumer Identity Theft Protection Act
- Senate Bill 583 (2007 Legislative session)
- “ … one or more of the following data elements, when the data elements are not rendered unusable through encryption”
- First name, last name
- Social Security number, driver's license number, passport, financial account number, credit card number

7 “Safe Harbor”
What’s good enough?
- VJKU KU GPETARVGF
- Cipher – alphabetically shifted; Key – +2
- SB 583 does not specify strength
- Reasonable care
- “Strong encryption” – 128-bit
- Common minimum standard is FIPS 140-2 (see http://csrc.nist.gov)
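The slide's shifted-alphabet example, worked through as an added illustration (not code from the presentation): decoding the ciphertext with the stated key, then trying every possible key to show why a cipher with 25 usable keys cannot count as "reasonable care" next to a 128-bit key. The list of common English words used to spot a readable candidate is constructed for this example.

```python
# Added example, not from the presentation. Only the ciphertext
# "VJKU KU GPETARVGF" and the key (+2) come from the slide; the
# word list used to recognise plaintext is constructed here.
import string

ALPHABET = string.ascii_uppercase


def shift(text: str, key: int) -> str:
    """Shift each letter by `key` positions; non-letters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext: str, key: int) -> str:
    """Undo a shift of `key` (the slide's key is +2)."""
    return shift(ciphertext, -key)


def brute_force(ciphertext: str, known_words=("THIS", "IS", "THE", "AND")) -> list:
    """Try all 25 non-trivial keys and keep candidates containing a
    common English word. The key space is so small that exhaustive
    search is instantaneous, which is the point of the slide."""
    hits = []
    for key in range(1, 26):
        candidate = decrypt(ciphertext, key)
        if any(word in candidate.split() for word in known_words):
            hits.append((key, candidate))
    return hits


def key_space_ratio(bits: int = 128) -> float:
    """How many times larger a `bits`-bit key space is than the 25-key shift
    cipher; 128-bit is the slide's notion of 'strong encryption'."""
    return (2 ** bits) / 25


if __name__ == "__main__":
    ct = "VJKU KU GPETARVGF"
    print(decrypt(ct, 2))            # THIS IS ENCRYPTED
    for key, plaintext in brute_force(ct):
        print(key, plaintext)        # only key 2 yields readable text
    print(f"128-bit key space is {key_space_ratio():.3e} times larger")
```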

8 Other Drivers
All applicable regulations should be examined for requirements:
- HIPAA
- Payment Card Industry (PCI) requirements
- Sarbanes-Oxley
- Statewide policies: Information Asset Classification; Transporting Information Assets; Controlling Portable and Removable Devices
- Department policies

9 Other Drivers
Other considerations:
- Mitigation costs
- Public trust

10 When to Use Encryption
In any case where data could be at risk from theft or eavesdropping:
- Wireless networks
- Transmitting data over a public network (e.g. the Internet): web pages (SSL), e-mail
- Data at rest
- Portable devices: laptops, thumb drives

11 When to Use Encryption
- Any device at risk of theft or exposure
- Extra-sensitive data

12 Data at Rest
Hardware based: built in to the hardware device
- Advantages: automatically encrypts data; fast
- Disadvantages: proprietary; lack of central management

13 Data at Rest
Software based
- Advantages: lower cost; does not require specific hardware
- Disadvantages: need to install, activate and manage it, and make sure it’s being used

14 Software Solutions
File based (PGP, Winzip)
- Done on a file-by-file basis (only protects that file)
- Not automatic; dependent on the end user
Volume based (TrueCrypt)
- An encrypted “virtual drive” is created
- All files written to it are encrypted automatically
- Does not necessarily encrypt all files – for example, Windows system files, security files, temp files …

15 Software Solutions
Disk based (whole-disk encryption)
- Encrypts the entire drive (most secure)
- Automatic; transparent to the user
- But … if you lock yourself out, you’re in trouble
- Need administrative control

16 Key Management
- Elephant in the room – the only other requirement set forth by the Department of Defense policy: “Mechanism to recover data if the primary encryption system fails”
- Need for the organization to keep control of the keys rather than individuals: lost passwords, lost individuals
- Access control (control of data, investigations)

17 Bad Practices
- Data encrypted with a single-key system is a security risk to the organization
- Added note: “If I accidentally leave my computer unlocked and someone gets it, I don’t have to worry because the hard disk is encrypted…”
- Risk of sleep mode: a full-disk encryption vulnerability; turn systems off
- Bad practices trump good security

18 ESO Recommendations
- Develop an agency-wide strategy and approach to encryption
- Centralize key management and recovery processes
- Do some research and planning
- When justifying cost, consider the cost of data disclosures, lost data and reputation
- Look for group purchase opportunities

19 Some Good Products
- http://www.guardianedge.com/shared/sb_overview.pdf
- http://www.pgp.com/products/wholediskencryption/index.html
- http://www.checkpoint.com/products/datasecurity/protector/index.html
- http://www.safeboot.com/

20 Agency Panel
- Cindy Slye, Oregon Department of Transportation
- Marty Liddell, Oregon Employment Department
- John McKean, Oregon Lottery

21 Agency Panel
Cindy Slye, Project Manager, Oregon Department of Transportation

22 Business Drivers
New DAS EIS Policies:
- Information Security
- Employee Security
- Controlling Portable and Removable Storage Devices
- Transporting Confidential Information

23 Business Drivers
Compliance with:
- Regulated mandates – Federal Motor Carrier Safety Administration (FMCSA)
- Senate Bill 583
- ODOT policies and guidelines

24 Project Objective
Find the best data encryption product that can protect sensitive data by:
- Securing information on mobile devices
- Securing information on removable devices
- Providing the best comprehensive solution to cover all areas
- Simplifying deployment, maintenance and data backup

25 How Does It Align With Our Goals?
- ODOT IT Strategic Plan
- Senate Bill 583
- DAS Policy: Controlling Portable and Removable Storage Devices
- Federal Motor Carrier Safety Administration
- ODOT Security Fabric Initiative: Protect, Manage

26 Consequences
What are the consequences of compromising sensitive information?
- Negative publicity
- Loss of customer confidence
- Damaged reputation
- Financial loss

27 Safe Harbor Provision
- Data encryption is the most effective solution for safeguarding sensitive electronic data
- Data encryption is identified as an acceptable “Safe Harbor” approach in providing privacy assurances
- If the information is properly encrypted: no further duty; it may be assumed that no privacy breach has occurred
- Risk mitigation approach that limits agency liability
- Enhances trust in the event of a security breach

28 Candidates We Considered

29 Why Guardian Edge?
Guardian Edge clearly met ODOT business requirements:
- Strong Active Directory integration
- Ease of use
- Robust management console (MMC)
- Facilitates compliance with DAS and ODOT security policies

30 Magic Quadrant for Mobile Data Protection

31 Project Timeline
Date           | Milestone
January 2007   | Project kick-off
June 2007      | Opportunity Evaluation approval
July 2007      | Product evaluations and pilot
September 2007 | Product selection
October 2007   | ICOI presentation, ADM approvals
December 2007  | ODOT and DAS CIO approval, IRR approval
April 2008     | ASAP order confirmation
May 2008       | First phase Motor Carrier pilot deployment
TBD            | Remaining Motor Carrier deployments
TBD            | Financial Services deployment

32 Lessons Learned
Things to consider:
- What value (strategic and operational) should this project create?
- Organize the work and follow a process
- Understand the priority given other work
- Plan for risk – how to avoid it and prepare for it
- What will motivate people to adopt this change? Set expectations, communication, training

33 Agency Panel
Marty Liddell, Infrastructure Architect, Oregon Employment Department

34 What made OED encrypt?
- Response to Senate Bill 583
- Significant amount of personally identifiable information, including SSN, name, address, DOB
- The information collected is required to provide services
- Many staff use mobile computing devices, including laptops, to collect information
- ITS is committed to protecting the information assets of the agency

35 Requirements
- Ability to encrypt the full hard drive
- Ease of internal support
- Key management: recoverable keys when agents are in the field
- Ability to easily integrate into the existing architecture
- Ease of use by the end user

36 Process of choosing a product
- Researched products: Guardian Edge, Pointsec
- Demo products
- Pilot product

37 Decision points
- Integration into Active Directory
- Single sign-on capability
- Familiarity with administration toolset
- Key management: security questions; one-time password reset
- Recoverable hard drive in case of investigation

38 Deployment
- Created security groups in Active Directory
- Automatically installed the software client on the PC when the customer logged in
- Monitored progress
- Don’t forget helpdesk and end user training!

39 Lessons learned
- Do NOT double encrypt a computer: very bad (total loss of data), angry user
- Provide good documentation to the end user
- Define a process for shared computer resources

40 Moving forward
- GE Removable Storage Encryption
- GE Device Control
- Remote file server encryption
- Desktop encryption
- Email encryption

41 Agency Panel
John McKean, Sr. Systems Security Admin., Oregon Lottery

42 PGP Universal Server
- Key management
- Centralized policy enforcement
- Whole Disk Encryption (deployed)
- Desktop Email Encryption (future)
- Gateway Email (future): transparent to the user; encrypts automatically at the gateway; requires the recipient to have similar technology

43 The “USB Problem”
- Easily lost or stolen
- Lottery USBs have onboard encryption
- Non-Lottery USBs not allowed!
- TriGeo SIM (Security Information Manager): logs all USB access; enforces the Lottery USB policy

44 Electronic Rights Management Defined
- Secures content with strong encryption
- Protection cannot be removed
- Controls and audits data access: users work normally using their existing applications
- Defines authorized uses through workflows, directory groups, and user
- Controlled actions: Read, Modify, Print, Screen Capture, Paste, Copy, E-Mail, Network transfer

45 Where ERM Fits In
Product categories mapped across Data at Rest, Data in Motion and Data in Use, with granularity of controls ranging from access to usage:
- Secure Transport/Delivery: SSL, Postx, PGP
- PKI Products: Entrust, PGP, Voltage
- Enterprise Content Management: DCTM, LiveLink, SharePoint
- Content Filtering and Monitoring: Vericept, Vontu, Orchestria, Verdasys
- Enterprise Rights Management: Liquid Machines, Microsoft RMS, others
- Full Disk Encryption: EFS, Pointsec
- Network Security Tools: Firewalls, VPNs, ACLs

46 Considerations when selecting an ERM
User experience:
- User adoption is the most important factor
- Expect resistance if difficult to use
- Protection goals must be enforced automatically
- Users must be aware protection is in effect
- Users want to work normally

47 How ERM Works
1. Content protected at rest or in transit: content from an ECM system, LOB app or file server goes through the ERM Server, where it is encrypted and usage rights are applied
2. Rights assigned to the content: Read Only; Read & Print; Read, Edit, Print, & Offline enabled with expiration
3. Content protected in use: a connection to the ERM Server is required for offline renewal

48 Statewide Contracts
- Price Agreement #2257 – ASAP Software Express
- Mandatory for state agency purchase of shrink-wrapped (out of the box) desktop software
- SPO Contact: Chris Mahoney, (503) 378-2998, chris.mahoney@state.or.us
- ASAP Contact: Brad Hickey, (888) 883-1025, bhickey@asap.com

49 For further information …
- Theresa Masse, DAS Enterprise Security Office, (503) 378-4896, theresa.a.masse@state.or.us
- Richard Woodford, DAS Enterprise Security Office, (503) 378-4518, richard.woodford@state.or.us
- Cindy Slye, Department of Transportation, (503) 986-3234, cindy.slye@state.or.us
- Marty Liddell, Employment Department, (503) 947-1627, marty.m.liddell@state.or.us
- John McKean, Oregon Lottery, (503), john.mckean@state.or.us

50 Next Forum …
Information Security Plans: Tools and Techniques Panel Presentation, June 23, 2008
