Encryption Information Forum. Theresa A. Masse, State Chief Information Security Officer Department of Administrative Services Enterprise Security Office. Agenda. Encryption overview Agency Panel Oregon Department of Transportation Oregon Employment Department Oregon Lottery
Encryption Information Forum Theresa A. Masse, State Chief Information Security Officer Department of Administrative Services Enterprise Security Office
Agenda • Encryption overview • Agency Panel • Oregon Department of Transportation • Oregon Employment Department • Oregon Lottery • Statewide Contracts • Q&A
Encryption Overview Richard Woodford, Security Analyst Enterprise Security Office Department of Administrative Services
What is encryption? • “In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.” -Wikipedia (2008)
Need for Encryption … • Keep confidential information safe • Prevent exposure of information while in transit across an unsecure medium • Prevent exposure of information when a storage device is lost or stolen • Oregon Identity Theft Protection Act (Senate Bill 583) “safe harbor” • Due care
Oregon Consumer Identity Theft Protection Act • Senate Bill 583 (2007 Legislative session) • “ … one or more of the following data elements, when the data elements are not rendered unusable through encryption” • First name, last name • Social Security number, drivers license number, passport, financial account number, credit card number
“Safe Harbor” • What’s good enough? • VJKU KU GPETARVGF • Cipher – alphabetically shifted • Key – +2 • SB 583 does not specify strength • Reasonable care • “Strong encryption” – 128-bit • Common minimum standard is FIPS 140-2 (see http://csrc.nist.gov)
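The slide's shift-cipher example worked through in Python, as an added example that is not part of the original presentation: it decrypts the slide's ciphertext with the stated key, then recovers the same plaintext with no key by trying every shift, and compares the keyspace with the 128-bit figure the slide cites. The word list used for scoring is a constructed assumption.

```python
import math
import string

CIPHERTEXT = "VJKU KU GPETARVGF"  # ciphertext shown on the slide
SLIDE_KEY = 2                     # key shown on the slide (+2)

# Constructed scoring vocabulary (assumption, not from the slides).
COMMON_WORDS = {"THIS", "IS", "THE", "AND", "ENCRYPTED", "DATA", "OF", "TO"}


def shift(text, key):
    """Shift each A-Z letter forward by `key`; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + key) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext, key):
    """Undo a shift of `key` positions."""
    return shift(ciphertext, -key)


def score(candidate):
    """Count how many words of a candidate plaintext are recognised."""
    return sum(word in COMMON_WORDS for word in candidate.split())


def brute_force(ciphertext):
    """Try all 26 shifts and return (key, plaintext) for the best-scoring one."""
    best_key = max(range(26), key=lambda k: score(decrypt(ciphertext, k)))
    return best_key, decrypt(ciphertext, best_key)


def keyspace_bits(number_of_keys):
    """Express a keyspace size as bits of key material."""
    return math.log2(number_of_keys)


if __name__ == "__main__":
    print("with the key:   ", decrypt(CIPHERTEXT, SLIDE_KEY))
    print("without the key:", brute_force(CIPHERTEXT))
    print("shift cipher keyspace: %.1f bits, versus 128 bits for "
          "'strong encryption'" % keyspace_bits(26))
```

The data is technically "encrypted", yet an exhaustive search over under 5 bits of keyspace recovers it instantly, which is why the slide points to reasonable care and a minimum standard rather than to the word "encryption" alone.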
Other Drivers • All applicable regulations should be examined for requirements • HIPAA • Payment Card Industry (PCI) requirements • Sarbanes-Oxley • Statewide policies • Information Asset Classification • Transporting Information Assets • Controlling Portable and Removable Devices • Department policies
Other Drivers • Other considerations • Mitigation costs • Public trust
When to Use Encryption • In any case where data could be at risk from theft or eavesdropping • Wireless networks • Transmitting data over public network (e.g. the Internet) • Web pages (SSL) • E-mail • Data at Rest • Portable devices • Laptops • Thumb drives
When to Use Encryption • Any device at risk of theft or exposure • Extra-sensitive data
Data at Rest • Hardware based • Built in to the hardware device • Advantages • Automatically encrypts data • Fast • Disadvantages • Proprietary • Lack of central management
Data at Rest • Software based • Advantages • Lower cost • Does not require specific hardware • Disadvantages • Need to install, activate and manage it, make sure it’s being used
Software Solutions • File based (PGP, Winzip) • Done on a file-by-file basis (only protects file) • Not automatic • Dependent on end-user • Volume based (TrueCrypt) • An encrypted “virtual drive” is created • All files written are encrypted automatically • Does not necessarily encrypt all files – for example, Windows system files, security files, temp files …
Software Solutions • Disk based (whole-disk encryption) • Encrypts entire drive (most secure) • Automatic; transparent to the user • But … if you lock yourself out, you’re in trouble • Need administrative control
Key Management • Elephant in the room – the only other requirement set forth by the Department of Defense policy • “Mechanism to recover data if the primary encryption system fails” • Need for the organization to keep control of the keys rather than individuals • Lost passwords • Lost individuals • Access control (control of data, investigations)
Bad Practices • Data encrypted with a single-key system is a security risk to the organization • Added note… • “If I accidentally leave my computer unlocked and someone gets it, I don’t have to worry because the hard disk is encrypted…” • Risk of sleeping • Full disk encryption vulnerability • Turn systems off • Bad practices trump good security
ESO Recommendations • Develop agency-wide strategy and approach to encryption • Centralize key management and recovery processes • Do some research and planning • When justifying cost, consider cost of data disclosures, lost data and reputation • Look for group purchase opportunities
Some Good Products • http://www.guardianedge.com/shared/sb_overview.pdf • http://www.pgp.com/products/wholediskencryption/index.html • http://www.checkpoint.com/products/datasecurity/protector/index.html • http://www.safeboot.com/
Agency Panel • Cindy Slye, Oregon Department of Transportation • Marty Liddell, Oregon Employment Department • John McKean, Oregon Lottery
Agency Panel Cindy Slye, Project Manager Oregon Department of Transportation
Business Drivers • New DAS EIS Policies: • Information Security • Employee Security • Controlling Portable and Removable Storage Devices • Transporting Confidential Information
Business Drivers • Compliance with: • Regulated mandates – Federal Motor Carrier Safety Administration (FMCSA) • Senate Bill 583 • ODOT policies and guidelines
Project Objective • Find the best data encryption product that can protect sensitive data by: • Securing information on mobile devices • Securing information on removable devices • Providing the best comprehensive solution to cover all areas • Simplifying deployment, maintenance and data backup
How Does It Align With Our Goals? • ODOT IT Strategic Plan • ODOT Security Fabric Initiative • DAS Policy: Controlling Portable and Removable Storage Devices • Federal Motor Carrier Safety Administration • Senate Bill 583 • Diagram labels: Protect, Manage
Consequences • What are the consequences of compromising sensitive information? • Negative publicity • Loss of customer confidence • Damaged reputation • Financial loss
Safe Harbor Provision • Data encryption is the most effective solution for safeguarding sensitive electronic data • Data encryption is identified as an acceptable “Safe Harbor” approach in providing privacy assurances • If the information is properly encrypted: • No further duty • It may be assumed that no privacy breach has occurred • Risk mitigation approach that limits agency liability • Enhances trust in the event of a security breach
Why Guardian Edge? • Guardian Edge clearly met ODOT business requirements: • Strong Active Directory Integration • Ease of Use • Robust Management Console (MMC) • Facilitates Compliance with DAS and ODOT Security Policies
Lessons Learned • Things to consider: • What value (strategic and operational) should this project create? • Organize the work and follow a process • Understand the priority given other work • Plan for risk – how to avoid and prepare for it • What will motivate people to adopt this change? • Set expectations • Communication • Training
Agency Panel Marty Liddell, Infrastructure Architect Oregon Employment Department
What made OED encrypt • Response to Senate Bill 583 • Significant amount of personally identifiable information including SSN, name, address, DOB • Information collected is required to provide services • Many staff use mobile computing devices including laptops to collect information • ITS is committed to protecting the information assets of the agency
Requirements • Ability to encrypt full hard drive • Ease of internal support • Key management • Recoverable Keys when agents are in field • Ability to easily integrate into existing architecture • Ease of use by end user
Process of choosing product • Researched products • Guardian Edge • Pointsec • Demo products • Pilot product
Decision points • Integration into Active Directory • Single sign-on Capability • Familiarity with administration toolset • Key management • Security questions • One-time password reset • Recoverable hard drive in case of investigation
Deployment • Created security groups in Active Directory • Automatically installed software client on PC when customer logged in • Monitor progress • Don’t forget helpdesk and end user training!
Lessons learned • Do NOT double encrypt a computer • Very bad (total loss of data) • Angry user • Provide good documentation to the end user • Define a process for shared computer resources
Moving forward • GE Removable Storage Encryption • GE Device Control • Remote file server encryption • Desktop encryption • Email encryption
Agency Panel John McKean, Sr. Systems Security Admin. Oregon Lottery
PGP Universal Server • Key Management • Centralized Policy Enforcement • Whole Disk Encryption (deployed) • Desktop Email Encryption (future) • Gateway Email (Future) • Transparent to user • Encrypts automatically at the gateway • Requires recipient to have similar technology
The “USB Problem” • Easily lost or stolen • Lottery USBs have onboard encryption • Non-Lottery USBs not allowed! • TriGeo SIM (Security Information Manager) • Logs all USB access • Enforces Lottery USB Policy
Electronic Rights Management Defined • Secures content with strong encryption • Protection cannot be removed • Controls and audits data access: • Users work normally using their existing applications • Defines authorized uses through workflows, directory groups, and user
Where ERM Fits In • Enterprise Rights Management: Liquid Machines, Microsoft RMS, Others • Content Filtering and Monitoring: Vericept, Vontu, Orchestria, Verdasys • PKI Products: Entrust, PGP, Voltage • Enterprise Content Management: DCTM, LiveLink, SharePoint • Full Disk Encryption: EFS, Pointsec • Secure Transport/Delivery: SSL, Postx, PGP • Network Security Tools: Firewalls, VPNs, ACLs • Diagram axes: Granularity of Controls (Access, Usage); Data at Rest, Data in Motion, Data in Use
Considerations when selecting an ERM User Experience • User adoption is the most important factor • Expect resistance if difficult to use • Protection goals must be enforced automatically • Users must be aware protection is in effect • Users want to work normally
How ERM Works • Diagram components: ECM System, LOB App, Fileserver, ERM Server • Diagram steps 1 to 3: Content encrypted and usage rights applied (1); Content protected at rest or in transit; Content protected in use • Usage rights shown: Read, Edit, Print, & Offline enabled with expiration; Read Only; Read & Print • Connection required for offline renewal
Statewide Contracts • Price Agreement #2257 – ASAP Software Express • Mandatory for state agency purchase of shrink-wrapped (out of the box) desktop software • SPO Contact: Chris Mahoney, (503) 378-2998, chris.mahoney@state.or.us • ASAP Contact: Brad Hickey, (888) 883-1025, bhickey@asap.com
For further information … • Theresa Masse, DAS Enterprise Security Office, (503) 378-4896, theresa.a.masse@state.or.us • Richard Woodford, DAS Enterprise Security Office, (503) 378-4518, richard.woodford@state.or.us • Cindy Slye, Department of Transportation, (503) 986-3234, cindy.slye@state.or.us • Marty Liddell, Employment Department, (503) 947-1627, marty.m.liddell@state.or.us • John McKean, Oregon Lottery, (503) , john.mckean@state.or.us
Next Forum … Information Security Plans Tools and Techniques Panel Presentation June 23, 2008