250 likes | 375 Views
Security SIG. August 19, 2010 Justin C. Klein Keane jukeane@sas.upenn.edu. Identity Finder. Identity Finder case study at http://www.educause.edu/Resources/IdentityFinderCaseStudy/206909 Identity Finder console is an important part of SAS deployment. IDF Console.
E N D
Security SIG August 19, 2010 Justin C. Klein Keane jukeane@sas.upenn.edu
Identity Finder Identity Finder case study at http://www.educause.edu/Resources/IdentityFinderCaseStudy/206909 Identity Finder console is an important part of SAS deployment
IDF Console Runs on a Windows Server machine Requires a MS SQL back end Communicates with clients over port 80 Clients encrypt data to the server Reported issues with running connection over 443
Console Considerations • Balance security and privacy • Collect no more data than you need! • Expect assumptions of big brother • It is possible to have multiple IDF configurations • Don't propagate toxic data • Be mindful of e-discovery and other legal requirements (HIPPA, FERPA, etc.)
Client Configuration Client installer must be bundled with rudimentary configuration Defaults for behavior IP address of server
Client Behavior Client will connect to server after installation to retrieve configuration Be sure client configs are system wide If config is stored in userland it will get overwritten when the client is upgraded Client “checks in with console” and will report scan statistics Client communication to server is invisible
Client Considerations • You may not want some features • Some features may prove dangerous • Licensing considerations when scanning shares • Choose a safe place for Quarantine option • Make sure users encrypt results • How can you easily manage client configs? • The console
Console Features Policy definitions which can be assigned to groups Reporting on scans and remediation Tracking of client machines Global ignore lists to avoid repeat false positives
Using the Console Console interface is web based Requires Microsoft Silverlight plug-in in the latest editions Users can be assigned privileges to access and use the console
Encryption PGP (whole disk, file and folder, net share) TrueCrypt AxCrypt GPG Enigmail
PGP Commercial software Supported by PGP Universal Server Universal Serval allows for: Key escrow and recovery Public key lookup Policy configuration and customization Central registration authority when installing Integration into AD structure
TrueCrypt - http://www.truecrypt.org Free Open Source Software (FOSS) Can do whole disk encryption for Windows Can do file volume encryption for Windows, Mac, and Linux Can do removable media encryption for Windows, Mac, and Linux (interoperably) Allows USB stick encrypted to be used on any platform with TrueCrypt installed Version 7 has full GUI support on Linux
AxCrypt - http://www.axantum.com/axcrypt/ Free Open Source Software AES 128 bit key encryption Windows only (32 and 64 bit support) Supports encrypting files Can create self decrypting archives Does auto re-encryption Provides secure shredding Adds encrypt and shred to right click menu And more...
GPG Enigmail GPG is GNU Privacy Guard Fully open source interoperable with PGP standard Available for Linux, Windows and Mac Can be used for key management, public key encryption, encrypting files and folders, and digital signatures
Enigmail Thunderbird Plugin Adds OpenGPG functions to email
Enigmail - Features (and Drawbacks) Automatic encryption to recipients with keys Automatic decryption Digital signatures and verification Encryption/decryption of attachments Not the easiest system to understand or use Manual key distribution is burdensome
Issues with Encryption Key escrow for recovery in case user forgets a password is CRITICAL! Damage of encrypted store will totally destroy it Speed and efficiency is reduced Users have to understand how to use technology properly Most useful encryption is not transparent Does not protect data in use