the next generation in enterprise security presented by william tabor and howard hellman (954)...
Post on 19-Dec-2015
218 views
TRANSCRIPT
The Next Generation in Enterprise SecurityThe Next Generation in Enterprise SecurityPresented by William Tabor and Howard HellmanPresented by William Tabor and Howard Hellman
(954) 970-9828(954) [email protected]
Agenda
● Problems with Clear Text CommunicationProblems with Clear Text Communication● Virtual Security Network (VSN)Virtual Security Network (VSN)™™● Public/Private Key InfrastructurePublic/Private Key Infrastructure● Digital Right ManagementDigital Right Management● User IdentificationUser Identification● Certificate AuthorityCertificate Authority● ServicesServices
CASTLE TECHNOLOGYCASTLE TECHNOLOGY
• Walls (Firewalls)Walls (Firewalls)
• Draw Bridge (Tunnels)Draw Bridge (Tunnels)
• Moats (DMZs)Moats (DMZs)
HISTORYHISTORY
HISTORYHISTORY
The battle for TroyThe battle for Troy
proved thatproved that
this this does notdoes not work work
INTERNAL COMMUNICATIONINTERNAL COMMUNICATION
PROBLEMS WITH CLEAR TEXT COMMUNICATIONPROBLEMS WITH CLEAR TEXT COMMUNICATION
• Instant messagingInstant messaging
• EmailEmail
• Accounting informationAccounting information
INTERNAL COMM – INSTANT MESSAGINGINTERNAL COMM – INSTANT MESSAGING
EXAMPLE #1EXAMPLE #1
The CEO and personnel director of a medium-sized company were messaging The CEO and personnel director of a medium-sized company were messaging each other about potential layoffs.each other about potential layoffs.
This information exchange was detected by individuals within the IT department, This information exchange was detected by individuals within the IT department, and news of the discussion spread through the enterprise unchecked, well before and news of the discussion spread through the enterprise unchecked, well before any decisions could be made.any decisions could be made.
INTERNAL COMM – INSTANT MESSAGINGINTERNAL COMM – INSTANT MESSAGING
EXAMPLE #2EXAMPLE #2
Two writers for a well-known daytime drama were messaging each other regarding Two writers for a well-known daytime drama were messaging each other regarding a significant plot change.a significant plot change.
A tabloid reporter intercepted their conversation and printed his scoop.A tabloid reporter intercepted their conversation and printed his scoop.
The show subsequently dropped 15 ratings points. Each point translates into The show subsequently dropped 15 ratings points. Each point translates into advertising revenue of between $10 and $15 million. advertising revenue of between $10 and $15 million.
INTERNAL COMM – EMAILINTERNAL COMM – EMAIL
EXAMPLE #3EXAMPLE #3
A car manufacturer spent $240 million on researching and developing an A car manufacturer spent $240 million on researching and developing an innovative, advanced engine design.innovative, advanced engine design.
The company emailed the design to production plant, but the email was intercepted The company emailed the design to production plant, but the email was intercepted by a competing manufacturer. by a competing manufacturer.
The competitor promptly put the new engine design into production, beating the The competitor promptly put the new engine design into production, beating the developer to market – without having to pay a single euro into R&D!developer to market – without having to pay a single euro into R&D!
idTRUST – PKI INFRASTRUCTUREidTRUST – PKI INFRASTRUCTURE
WHY IS A PKI INFRASTRUCTURE NECESSARY?WHY IS A PKI INFRASTRUCTURE NECESSARY?• Optional key generationOptional key generation
• Validate initial identitiesValidate initial identities
• Issuance, renewal and termination of certificatesIssuance, renewal and termination of certificates
• Certificate validationCertificate validation
• Distribution of certificatesDistribution of certificates
• Secure archival and key recoverySecure archival and key recovery
• Generation of signatures and timestampsGeneration of signatures and timestamps
• Establish and manage trust relationshipsEstablish and manage trust relationships
WHAT HAS BLOCKED PKI FROM GLOBAL USE?WHAT HAS BLOCKED PKI FROM GLOBAL USE?
• CostCost
• PKI Integration with vertical application basePKI Integration with vertical application base
• CA portability and interoperabilityCA portability and interoperability
idTRUST – PKI INFRASTRUCTUREidTRUST – PKI INFRASTRUCTURE
PUBLIC/PRIVATE KEY GENERATIONPUBLIC/PRIVATE KEY GENERATION
LOCAL APPLICATIONLOCAL APPLICATION
• ERP, CRM, SCM….ERP, CRM, SCM….
BROWSERBROWSER
• WebSphere PortalWebSphere Portal
• Linux (PHP)Linux (PHP)
REMOTE SERVER COMMUNICATIONSREMOTE SERVER COMMUNICATIONS
Generate aPublic/Private
Key Pair
WHY USE CRYPTOGRAPHY?WHY USE CRYPTOGRAPHY?
Cryptography can be applied to the following information categories:Cryptography can be applied to the following information categories:
• Information at restInformation at rest
• Information in transitInformation in transit
Cryptography is used to enable information:Cryptography is used to enable information:
• Privacy – information cannot be readPrivacy – information cannot be read
• Integrity – information cannot be modifiedIntegrity – information cannot be modified
• Authentication – information proof of ownershipAuthentication – information proof of ownership
• Non-repudiation – cannot deny involvement in transactionNon-repudiation – cannot deny involvement in transaction
ASYMETTRIC KEY CRYPTOGRAPHYASYMETTRIC KEY CRYPTOGRAPHY
Different keys (secrets) are used for both the encryption and decryption processes:
Public KeyCipher Ciphertext
information
CleartextPrivate Key
CipherJ9%B8^cBt
Ciphertext
Asymmetric key“public key”
Asymmetric key“private key”
Decryption ProcessEncryption Process
Asymmetric key cryptography is characterized by the use of two independent but mathematically related keys
J9%B8^cBt
DIGITAL RIGHTSDIGITAL RIGHTS
WHAT IS DIGITAL RIGHTS?WHAT IS DIGITAL RIGHTS?
Gives us the ability to . . . Gives us the ability to . . .
• Assign ownership to documents or dataAssign ownership to documents or data
• Ensure that data has not been altered during transferEnsure that data has not been altered during transfer
• Provide authenticationProvide authentication
CURRENT METHODCURRENT METHOD
• Username and passwordUsername and password
• Card and PINCard and PIN
• RSA TokenRSA Token
• BiometricsBiometrics
USER IDENTIFICATIONUSER IDENTIFICATION
TOMORROW’S SECURITY TODAYTOMORROW’S SECURITY TODAY
• Secure user authenticationSecure user authentication
• PKIPKI
• Application firewallsApplication firewalls
• Dynamic TunnelsDynamic Tunnels
NEXT GENERATION SECURITYNEXT GENERATION SECURITY
PROVIDER OF SECURE SYSTEM SOLUTIONSPROVIDER OF SECURE SYSTEM SOLUTIONS
• Public Key Infrastructure (PKI) ServicesPublic Key Infrastructure (PKI) Services
• IdM DeviceIdM Device
• Dynamic Encryption TunnelDynamic Encryption Tunnel
• DQT Application FirewallDQT Application Firewall
• Secure Tech – VPN and File TransferSecure Tech – VPN and File Transfer
DATAQUEST TECHNOLOGIES’ SOLUTIONSDATAQUEST TECHNOLOGIES’ SOLUTIONS
Virtual Security Network (VSN)Virtual Security Network (VSN)™™
VIRTUAL SECURITY NETWORK (VSN)VIRTUAL SECURITY NETWORK (VSN)™™
● Next Generation of VPN TechnologyNext Generation of VPN Technology● VSN is comprised of 4 componentsVSN is comprised of 4 components
(1) Application Firewall(1) Application Firewall(2) Dynamic Encryption Tunnel(2) Dynamic Encryption Tunnel(3) ID Trust Card(3) ID Trust Card™™(4) Digital Certificate(4) Digital Certificate
Public and Private Key PairPublic and Private Key Pair
Application FirewallApplication Firewall
DQT Application FirewallDQT Application Firewall
• Linux Base Firewall using SE LinuxLinux Base Firewall using SE Linux• Allows only authorized access to serverAllows only authorized access to server• Can Exist in LPAR or P5 PartitionCan Exist in LPAR or P5 Partition• National Security Administration (NSA) TechnologyNational Security Administration (NSA) Technology
Dynamic Encryption Tunnel ServerDynamic Encryption Tunnel Server
• Provides communication layer through the Application Provides communication layer through the Application FirewallFirewall
• Multiple Levels of Encryption AvailableMultiple Levels of Encryption Available• 128,256 and 3DES128,256 and 3DES• Proprietary 2048bit obscure algorithmProprietary 2048bit obscure algorithm
• Multiple Tunnel Layers AvailableMultiple Tunnel Layers Available• Replace VPN or ride on Top of VPNReplace VPN or ride on Top of VPN
• Can exist in LPAR or p5 PartitionCan exist in LPAR or p5 Partition• Must have public/private key pair to access tunnelMust have public/private key pair to access tunnel• Layers on top of any existing protocols 128SSL, WEPLayers on top of any existing protocols 128SSL, WEP• Low CPU drainLow CPU drain• Compresses MP4 Video/Data StreamsCompresses MP4 Video/Data Streams
IDTRUST CARD™IDTRUST CARD™
ID TRUST CARD FEATURES & CHARACTERISTICSID TRUST CARD FEATURES & CHARACTERISTICS
• Similar to credit card-sized “Smart Card,” but also contains on-card crypto processorSimilar to credit card-sized “Smart Card,” but also contains on-card crypto processor
• Maintains protected storage for public/private keys, digital certificates and digital Maintains protected storage for public/private keys, digital certificates and digital
signatures to be used during authentication processsignatures to be used during authentication process
• Executes cryptographic operations (verifies fingerprint) Executes cryptographic operations (verifies fingerprint)
• Works in conjunction with card operating system (COS)Works in conjunction with card operating system (COS)
IDTRUST CARD™IDTRUST CARD™
HOW THE IDENTITY TRUST CARD WORKSHOW THE IDENTITY TRUST CARD WORKS
• User enrolls in the Biometric process Card maintains encrypted hash copy of User enrolls in the Biometric process Card maintains encrypted hash copy of
user’s fingerprint in EEPROMuser’s fingerprint in EEPROM
• When user wishes to authenticate him/herself, he/she simply places the correct When user wishes to authenticate him/herself, he/she simply places the correct
finger on the e-field sensorfinger on the e-field sensor
• The fingerprint is scanned, hashed and encryptedThe fingerprint is scanned, hashed and encrypted
• The crypto processor compares the fingerprint sample to the stored value on the The crypto processor compares the fingerprint sample to the stored value on the
external deviceexternal device
• Neither the fingerprint hash or the private key leave the USB deviceNeither the fingerprint hash or the private key leave the USB device
• Card typically returns success or failure status to systemCard typically returns success or failure status to system
CRYPTO-PROCESSING CHIP LAYOUTCRYPTO-PROCESSING CHIP LAYOUT
VCC
Reset
Clock
GND
I/O
32-bit
Microprocessor
(Microcontroller)
RAM 2K Bytes
ROM 32K+ Bytes
EEPROM 64K+ Bytes
Crypto
Accelerator
(Processor)
ISO 7816 Family of
Smart/Crypto Card
Standards, i.e., power,
Clock & I/O Bus
IDTRUST CARD™IDTRUST CARD™
CARD CUSTOMIZATION CAPABILITIESCARD CUSTOMIZATION CAPABILITIES
• Multiple processors (4,6,8, etc.)Multiple processors (4,6,8, etc.)
• Mix and match 8, 16 and 32 bit processors for focused tasksMix and match 8, 16 and 32 bit processors for focused tasks
• Memory (inter-processor and processor specific)Memory (inter-processor and processor specific)
• Multiple custom data structure (application and processor)Multiple custom data structure (application and processor)
• Potentially contact-based and contact-less cardsPotentially contact-based and contact-less cards
BIOMETRIC READERSBIOMETRIC READERS
● Optical SensorOptical Sensor– Low ResolutionLow Resolution– Easily FooledEasily Fooled– Image TemplateImage Template
● Capacitive SensorCapacitive Sensor– 3D image3D image– Fooled with piece of wood and silly puddyFooled with piece of wood and silly puddy
● E-Field SensorE-Field Sensor– Fingerprint template is minutia basedFingerprint template is minutia based– Stored as a hash algorithmStored as a hash algorithm
USER IDENTIFICATIONUSER IDENTIFICATION
• Crypto-processor cardCrypto-processor card
• Biometrics on cardBiometrics on card
• ACLU friendlyACLU friendly
DATAQUEST TECHNOLOGIES’ SOLUTIONSDATAQUEST TECHNOLOGIES’ SOLUTIONS
USER IDENTIFICATION SUMMARYUSER IDENTIFICATION SUMMARY
• Crypto-processor cardCrypto-processor card
• Biometrics on cardBiometrics on card
• PKI data on cardPKI data on card
DATAQUEST TECHNOLOGIES’ SOLUTIONSDATAQUEST TECHNOLOGIES’ SOLUTIONS
PKI PRODUCT SUITEPKI PRODUCT SUITE
idSAFEidSAFE
A platform to ensure transport and management of data in transit (Secure VPN)A platform to ensure transport and management of data in transit (Secure VPN)
idVOTEidVOTE
A product enabling Internet voting via secure voter authenticationA product enabling Internet voting via secure voter authentication
idSEALidSEAL
A smart encryption tool enabling the user to encrypt and decrypt individual filesA smart encryption tool enabling the user to encrypt and decrypt individual files
DATAQUEST TECHNOLOGIES’ SOLUTIONSDATAQUEST TECHNOLOGIES’ SOLUTIONS
GOLD CAGOLD CAInternal External Certificate AuthorityInternal External Certificate Authority
INDUSTRY-SPECIFIC APPLICATIONSINDUSTRY-SPECIFIC APPLICATIONS
MasterTrustCenters
Organizations
Departments,Groups,RegionalCenters
DataQuestMaster Trust
Center (Security Level 1, 2, 3)
Smallbusiness
Level 1, 2Finance
Level 1Level 1, 3
Level 1, 2, 3
Level 1 Level 1, 2
Healthcare
Medical recordsdatabase
Level 3
Level 1, 2, 3
Level 1
Third Party Master Trust
Center Certificateinteroperability
(depends on level of trust)
Trust CenterTrust Center
Trust Center
Smallbusiness
Smallbusiness
Geographic(Regional)
Trust Center
Trust Center Trust Center
Trust Center Trust Center
Trust Center
DATAQUEST TECHNOLOGIES’ SOLUTIONSDATAQUEST TECHNOLOGIES’ SOLUTIONS
Works in P5 SystemWorks in P5 System
Firewall
Hypervisor
LinuxApplication
Firewall
Dynamically resizable
1CPUs
1 CPUs
Ce
rtif
ica
te A
uth
ori
ty
Virtual I/O paths
Tu
nn
el
Ap
pli
ca
tio
n
AIX 5LApplication
Server
6CPUs
Ethernetsharing
Virtual I/O server
partition
Storagesharing
1 CPU
PROFESSIONAL SERVICESPROFESSIONAL SERVICES
• Public Key Infrastructure Planning and Implementation ServicesPublic Key Infrastructure Planning and Implementation Services
• Biometric smart card, trust center and PKI integrationBiometric smart card, trust center and PKI integration
• Secure application design, development and implementationSecure application design, development and implementation
• Enterprise security servicesEnterprise security services
• Disaster Recovery ServicesDisaster Recovery Services
• Linux Application Tuning on zSeries and pSeriesLinux Application Tuning on zSeries and pSeries
• Enterprise Linux DeploymentEnterprise Linux Deployment
• Custom software and consulting servicesCustom software and consulting services
• Technical support (hotline and on-site)Technical support (hotline and on-site)
• Project managementProject management
• Training and educationTraining and education
• Security Inventory ServiceSecurity Inventory Service
• Security Policies and Procedures Guide DevelopmentSecurity Policies and Procedures Guide Development
• Security Audit/Assessment ServiceSecurity Audit/Assessment Service
• Security Vulnerability ServiceSecurity Vulnerability Service
• Security Implementation ServiceSecurity Implementation Service
SECURITY SERVICESSECURITY SERVICES
SECURITY AUDIT SERVICESECURITY AUDIT SERVICE
TASK: REVIEW EXISTING CORPORATE SECURITY PRACTICES AS TASK: REVIEW EXISTING CORPORATE SECURITY PRACTICES AS THEY PERTAIN TOTHEY PERTAIN TO . . . . . .
• Day-to-day enterprise computing:Day-to-day enterprise computing:• Perimeter security (authentication, identity and authorization)Perimeter security (authentication, identity and authorization)• Information at restInformation at rest• Information in transit (distributed computing, file transfer, etc.)Information in transit (distributed computing, file transfer, etc.)• Business applications software and email usageBusiness applications software and email usage• Mobile computingMobile computing
• Management security directivesManagement security directives• Corporate security policy and procedure guidelinesCorporate security policy and procedure guidelines• Compliance with appropriate legislationCompliance with appropriate legislation
SECURITY AUDIT SERVICESECURITY AUDIT SERVICE
DELIVER DOCUMENTS DECLARING STATE OF EXISTING SECURITY DELIVER DOCUMENTS DECLARING STATE OF EXISTING SECURITY PREPAREDNESSPREPAREDNESS
• An inventory document defining the current sate of enterprise security methods, An inventory document defining the current sate of enterprise security methods,
techniques, corporate compliance and usagetechniques, corporate compliance and usage
• A document defining next steps in the overall process of defining a current A document defining next steps in the overall process of defining a current
corporate security strategy and implementation plan:corporate security strategy and implementation plan:
• Requirements analysis documentRequirements analysis document
• Security architecture documentSecurity architecture document
• Security products and implementation planSecurity products and implementation plan
EDUCATIONAL SERVICES (TECH TRAINING)EDUCATIONAL SERVICES (TECH TRAINING)
Modern Security PracticesModern Security Practices• Authentication/Perimeter Authentication/Perimeter
SecuritySecurity• Trust Center and PKI IntegrationTrust Center and PKI Integration
Secure Distributed ArchitecturesSecure Distributed Architectures• LinuxLinux• AIXAIX• VMSVMS• True-64True-64• WintelWintel
Secure Middleware IntegrationSecure Middleware Integration
• CORBACORBA
• DCEDCE
• Tivoli Identity ManagerTivoli Identity Manager
• Tivoli Access ManagerTivoli Access Manager
Programming LanguagesProgramming Languages
• CC
• Java/JavaScriptJava/JavaScript
• PerlPerl