Overcoming Obstacles: Encryption for Everyone! · 2018-11-27
Mechthild Stöwer
Head of Department Security Management
Fraunhofer Institute for Secure Information Technology
The "Digital World" is ubiquitous
New technologies and services produce and share masses of data.
Confidentiality in focus
Companies' know-how is at risk:
• 51% of all companies are affected [1]
• 51 bn damage [1]
SMEs are in focus [2].
Privacy violations cause reputational losses and breaches of data protection laws.
[1] Study Bitkom 7/2015; [2] Corporate Trust: Study Industriespionage, 2014
Measures to protect confidentiality
• Up-to-date malware protection
• Implementation of firewall systems
• Data leakage prevention systems
• Appropriate access rights according to the need-to-know principle
• Monitoring of access rights
• Awareness programs
Encryption is the key measure
Data-in-transit
• E-Mail communication
• Instant messaging
• Voice communication
• Network access
• Collaboration platforms
Data-at-rest
• Storage devices
• Container, folders
• Files
… but rarely used!
Results from a study from 2014 [1]:
• Only 14 % of all professional users encrypt E-Mails
• 65 % of all users do not have any technical support for encryption
• Even where infrastructure is available, only 20 % of users encrypt E-Mails
[1] Study from the German organisation Bitkom - http://www.heise.de/ix/meldung/Befragung-Stand-der-E-Mail-Verschluesselung-ist-desastroes-2243124.html
State-of-the-art in SMEs
• Encryption is used based on personal risk estimation
• No company-wide policy is in use
• Different solutions are in place: inefficient administrative effort
• No recovery and emergency procedures: risk of loss of keys and encrypted data
• No key management: availability and confidentiality risks
• No mechanisms for process improvement
Best practice approach for SMEs
• Evaluation of information protection requirements
• Threat analysis
• Implementation of appropriate encryption solutions for storage and transfer of information
Example: small trading company
Source: KMU Diamant Consulting AG
• Small trading company managed by the two owners
• Two employees
• IT infrastructure: 3 networked PCs, one of them a laptop
• Internet access, E-Mail in use, office applications, solution for inventory management
Step 1: Protection requirements (information and its evaluation)
• Personal information (employees' data, salaries, absence from work): highly sensitive information, high protection requirements
• Customer-related data: highly sensitive information, high protection requirements
• Calculations: highly sensitive information, high protection requirements
• Inventory information: low protection requirements
• Product information, catalogues: low protection requirements
• …
Step 2: Threat analysis
• Confidentiality violations when mobile storage devices or laptops get lost.
• Loss of know-how through unauthorized access to critical company data, e.g. by dissatisfied employees who transfer it to new employers.
• Data protection law breaches through unauthorized access.
• Unauthorized access to E-Mails with confidential information.
Step 3: Encryption solution
Data-in-transit
• Confidential personal information transferred by E-Mail is encrypted.
• Offers for clients are encrypted.
Data-at-rest
• Storage devices in laptops are encrypted.
• Use of USB sticks with hardware-based encryption
• Sensitive information stored on PCs is saved in encrypted containers.
Guide for SMEs on the use of encryption
https://www.sit.fraunhofer.de/reports
For the German-speaking audience:
Main obstacles for use of encryption
• The concept of asymmetric encryption is not easy to understand.
• There is no accessible infrastructure to distribute keys.
• Users handle a variety of applications and are not experienced in configuring encryption solutions.
• The usability of solutions is unsatisfying.
• Keys and certificates are not readily available.
Project "Encryption for Everyone"
1. Solution: free certificates for all citizens
High-quality identity check when creating certificates (eID)
Automatic installation for applications
2. Target group: citizens, SMEs, freelancers
Usability is first priority!
Project "Encryption for Everyone"
E4E - Functions
• Verification of identity (eID, identity procedure supported by Deutsche Post, ID card/passport)
• Wizard-supported handling
• Certificates are automatically integrated into E-Mail clients and browsers
• The private key remains with the user
• Easy export and import of certificates for other devices
E4E - Architecture (diagram): CA-Network, RA-Network, WWW; components: CA-Server, RA-Server, OCSP Responder, LDAP-Server, E4E-Software, eID-Provider, eID-Server, Utimaco HSM
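The certificate lifecycle the E4E slides describe (private key generated and kept by the user, request to the CA, S/MIME certificate issued after identity verification, export for other devices), reproduced with OpenSSL as an added example; this is not E4E project code, and the CA name, e-mail address and file paths are constructed placeholders.

```shell
# Added example, not E4E project code: the E4E certificate lifecycle with OpenSSL.
# CA name, e-mail address and paths are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# CA side (the E4E CA-Server keeps its key in an HSM; here it is a plain file).
e4e_setup_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=Example E4E CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# User side: the private key is generated locally and never leaves the user;
# only a certificate request carrying the e-mail address goes to the RA/CA.
e4e_user_request() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1/emailAddress=$1" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
}

# CA side: after the identity check (eID in E4E) issue an S/MIME certificate.
e4e_issue_cert() {
  printf 'subjectAltName=email:%s\nextendedKeyUsage=emailProtection\n' "$1" \
    > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ext.cnf" \
    -out "$WORK/user.crt" 2>/dev/null
}

# What a mail client checks before trusting the certificate: chain + purpose.
e4e_verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$WORK/user.crt" -noout -text | grep -q 'E-mail Protection'
}

# Export for another device: bundle key + chain as PKCS#12, re-import, and
# confirm the imported key matches the certificate's public key.
e4e_export_import() {
  openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.crt" \
    -certfile "$WORK/ca.crt" -passout pass:transfer -out "$WORK/user.p12"
  openssl pkcs12 -in "$WORK/user.p12" -passin pass:transfer -nodes -nocerts \
    -out "$WORK/imported.key" 2>/dev/null
  [ "$(openssl pkey -in "$WORK/imported.key" -pubout)" = \
    "$(openssl x509 -in "$WORK/user.crt" -noout -pubkey)" ]
}

# Run the whole lifecycle for one user; returns non-zero if any step fails.
e4e_demo() {
  e4e_setup_ca && e4e_user_request "$1" && e4e_issue_cert "$1" &&
    e4e_verify_cert && e4e_export_import && echo "E4E lifecycle OK for $1"
}
```

Call `e4e_demo alice@example.invalid` to run all steps; the files are left in `$WORK` for inspection.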
E4E – overcoming obstacles
Q. Availability of keys and certificates: missing infrastructure for key distribution
A. Free certificates from an independent organization without commercial interests, publication of certificates, implementation in applications
Q. Configuration of applications in a correct and secure way
A. Automatic installation of certificates
Q. Missing support for the comprehensive process
A. Support of the user during the whole life span of the certificate
Q. Lack of usability of encryption applications
A. The application is easy to use, supported by wizards
Tatjana Rubinstein, Mechthild Stöwer
Fraunhofer-Institut für Sichere Informationstechnologie SIT
www.sit.fraunhofer.de
Institutszentrum Schloss Birlinghoven, D 54754 St. Augustin
E-Mail: mechthild.stoewer@sit.fraunhofer.de