Data Encryption - MMSA by vivi07


Metro Midrange Systems Association
September 18, 2008
Introduction to encryption and data security


Data security
- Why we should protect sensitive information
- What information do we need to protect
- How do we go about securing it
- What is encryption and how is it used


Why should we protect sensitive information?
Regulations require it (PCI, HIPAA, GLBA, Privacy notification)
Penalties are severe for not protecting it (PCI, Privacy notification)

Stakeholders want to protect their investments (Sarbanes-Oxley)
Customers expect it

Payment Card Industry (PCI)
Privacy Notification (state laws requiring notification of data loss)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley (SOX)

… and more

The regulatory environment is evolving to include broader definitions of sensitive data, larger penalties for non-compliance, and more specific requirements for data security.

Expect new federal regulations, stronger PCI requirements, and more stringent state laws on privacy notification.


What information do we need to protect?
Credit card information for PCI data security

Personally identifiable information (PII) for Privacy Notification and other regulations


• Personally Identifiable Information or PII
– First Name
– Last Name
– Former Name
– Maiden Name
– Address
– Birth date
– Driver's license number
– Health insurance number
– Checking account number
– PIN codes
– And a lot more!


Credit card information
Credit card number (encrypt or hash)
Track 1 and Track 2 data (do not store)
CVV, CVV2, CID security code (do not store)
Account name (encrypt or hash)
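Why "encrypt or hash" needs care, as an added example that is not part of the original presentation: a card number has very little entropy once the first six digits (the BIN) and the last four are known, and both routinely appear in the clear on receipts and reports. The Go program below (standard library only; the test PAN, the key and the BIN/last-four values are constructed for the example) recovers a PAN from its unkeyed SHA-256 by enumerating the Luhn-valid candidates, then shows that the same search fails against a keyed hash (HMAC-SHA256) when the attacker does not hold the key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// luhnValid reports whether a digit string passes the Luhn check used by
// card numbers. An attacker uses it to skip impossible candidates.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// plainHash is "store a hash instead of the PAN" with no secret involved.
func plainHash(pan string) string {
	sum := sha256.Sum256([]byte(pan))
	return hex.EncodeToString(sum[:])
}

// keyedHash is the same idea with a secret key mixed in (HMAC-SHA256). The
// key must be protected exactly like an encryption key.
func keyedHash(key []byte, pan string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil))
}

// recoverPAN plays the attacker: given a 6-digit BIN and the last 4 digits,
// it enumerates every Luhn-valid 16-digit PAN in between, hashes each one
// with hashFn and returns the candidate whose hash matches target. That is
// at most one million candidates, about a tenth of them Luhn-valid.
func recoverPAN(bin, last4, target string, hashFn func(string) string) (string, bool) {
	for mid := 0; mid < 1000000; mid++ {
		cand := fmt.Sprintf("%s%06d%s", bin, mid, last4)
		if luhnValid(cand) && hashFn(cand) == target {
			return cand, true
		}
	}
	return "", false
}

func main() {
	// Constructed test PAN (a well-known Visa test number, not a real account).
	const pan = "4111111111111111"
	const bin, last4 = "411111", "1111"

	// Unkeyed hash: the "protected" value is recovered in well under a second.
	got, ok := recoverPAN(bin, last4, plainHash(pan), plainHash)
	fmt.Printf("plain SHA-256: recovered=%v pan=%s\n", ok, got)

	// Keyed hash: without the key the attacker cannot compute candidate hashes.
	key := []byte("constructed-demo-key-keep-it-in-the-key-manager")
	target := keyedHash(key, pan)
	guess := func(s string) string { return keyedHash([]byte("wrong-key"), s) }
	_, ok = recoverPAN(bin, last4, target, guess)
	fmt.Printf("HMAC-SHA256 without the key: recovered=%v\n", ok)
}
```

The practical rule: a plain hash of a PAN is not a protected form of it, because the search space is tiny once the BIN and last four are known. If you hash, key the hash and manage that key the way the rest of this talk manages encryption keys; if you ever need the number back, encrypt it instead.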


Personally identifiable information
Take a very broad view of what constitutes PII: Any and all information that used alone, or combined with other information that you may not have, can be used to verify the identity of an individual.


Name, former name, maiden name, mother's maiden name
Address, city, state, zip code
Social security number
Credit card, debit card, checking account, health insurance number
Driver's license, identity card, military ID
Home phone number, work number
Favorite pet's name
PIN codes, passwords, prompts
eBay and PayPal account numbers

Data security is disruptive technology.

We need to re-think how we design databases and application systems, how we process and store information, and how we monitor access to information.

Prepare executive management for the work ahead.

How do we go about securing credit card and PII?
Don’t panic
Start with an assessment
Avoid point solutions
Data moves across platforms
Data crosses Enterprise boundaries
Remove sensitive data where possible

Develop good data security partners

Start with an assessment
A formal assessment will be required to pass an audit.
A formal assessment is a necessary input to data security project plans.

Use self-assessment software and guides to start.
Engage application and data security partners. An assessment will help you with future rounds of data security requirements.

Where does sensitive data live?
- Database and flat files
- IFS / QNTC / NFS files
- Backup tapes
- Save files
- On the network
- In the air (WiFi)
- Reports
- Program memory
- Laptops
- PDAs, cell phones, thumb drives

Components of an assessment
Locate and document sensitive data.
Identify all internal servers and applications that use and store sensitive data.
Document data flows inside the organization.
Document data flows to and from vendors, customers, and employees.
Identify compliance monitoring and reporting points.

Avoid point solutions
[Diagram: point solutions scattered across tape, call center, query and BI, laptop and PC]

Point solutions:
- Do not solve the problem of securing data at rest or in motion.
- By themselves will not solve the regulatory requirements.
- May make the overall implementation more complex.
However: Point solutions can provide immediate relief for specific problems.

Data flows inside the Enterprise
[Diagram]

Data flows to vendors, customers, employees
[Diagram: service providers]



Engage with software vendors
Contact your software vendors to discuss PCI, Privacy Notification, etc.
Get a statement of strategic direction and planned release dates.

Understand their approach to encryption – does it meet basic criteria for strong encryption?
Your management should engage with software vendor management to convey the importance of the requirements.

Remove sensitive data where possible
If sensitive data is not needed in a file, remove it.
Review reports for unnecessary information and remove it.
Review data transfers and terminate them when not needed.
Review query and business intelligence tools to remove sensitive data.


Purge historical data
When historical data is no longer needed, purge it from the system.


What is encryption and how is it used?
Encryption is the process of obscuring information to make it unreadable without special knowledge.
--- Wikipedia

In practice, encryption refers to well-established public algorithms that have undergone, and continue to undergo, extensive review by cryptography and data security specialists, and which meet certain accepted criteria.






Symmetric and Asymmetric encryption
Symmetric encryption uses a single secret key, shared between the two parties, for both encryption and decryption.

Asymmetric encryption uses two different but mathematically related keys: a public key that anyone may use to encrypt, and a private key, held only by the recipient, that decrypts. This is also called public/private key encryption.


Symmetric encryption for field security
Generally, symmetric key encryption is used for field level security in database systems because it is much more efficient: it is orders of magnitude faster than asymmetric encryption and does not expand a 16-byte field into hundreds of bytes of ciphertext.
Asymmetric encryption may be used to fetch or transport a symmetric key, but it is almost never used to encrypt the data itself. (We'll concentrate on symmetric encryption because it is at the core of data security.)

Asymmetric encryption for securing end point connections
Asymmetric encryption is most commonly used to secure physically separate end points. Examples include:
- Web browser and web server (HTTPS)
- VPN client and server
- Secure FTP (FTPS, an SSL/TLS encrypted FTP connection, or SFTP over SSH)
In each of these the asymmetric keys authenticate the end points and establish a session key; the session data itself is then encrypted symmetrically. Symmetric and asymmetric functions are combined to provide end point security and efficient encryption.

Symmetric encryption for data
Cust Name: ABC Cons Cust Num: 499513 Prod Num: 212 Qty: 3 Visa 4882 6332 1452 6890


Field Level Encryption

Cust Name: ABC Cons Cust Num: 499513 Prod Num: 212 Qty: 3 F2500C015G06518

Securing Data at its source is the core competency for Data Security Compliance

Symmetric decryption for data
Cust Name: ABC Cons Cust Num: 499513 Prod Num: 212 Qty: 3 F2500C015G06518


Field Level Decryption

Cust Name: ABC Cons Cust Num: 499513 Prod Num: 212 Qty: 3 Visa 4882 6332 1452 6890


Which symmetric algorithm to use?
Advanced Encryption Standard (AES) is the accepted standard of the National Institute of Standards and Technology (NIST). It undergoes regular review by cryptographers and data security specialists, and provides a mechanism for independent certification.

See FIPS-197 for technical documentation.


Modes of encryption
AES encryption always involves some data to be encrypted, an encryption key, and possibly an initialization vector. The five NIST-approved confidentiality modes (NIST SP 800-38A) provide different ways of using these elements. The modes of encryption are:

- ECB – Electronic code book
- CBC – Cipher block chaining
- CTR – Counter
- OFB – Output feedback
- CFB – Cipher feedback

These five modes protect confidentiality only; none of them detects a ciphertext that has been altered. NIST has also approved authenticated modes, CCM (SP 800-38C) and GCM (SP 800-38D), which add an integrity check to the encryption.

Why modes of encryption matter
Some modes add per-encryption variation: CBC takes a random initialization vector (IV) and CTR a counter block that starts from a nonce, and the ciphertext depends on that value as well as on the key. With these modes you can encrypt the same credit card number with the same key, and you will get different results each time. This is very important in database applications where fields may be small or predictable, and exist in many records: without it, every record holding the same card number carries the same ciphertext, and an attacker can count and match customers without ever decrypting anything.
CBC, CTR and other modes are appropriate for securing fields in database files, provided a fresh IV or nonce is used for every value (it is stored with the ciphertext; it need not be secret). A CBC IV must be unpredictable, and a CTR nonce must never be reused under the same key.

ECB is not appropriate because it lacks this randomness: identical plaintext blocks under the same key always produce identical ciphertext blocks.
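The effect described above, as an added example that is not part of the original presentation: the Go program below (standard library only) encrypts the card number from the slide as a field in two records under the same key in ECB, CBC and CTR modes, stores the IV or nonce in front of the ciphertext, and decrypts it back. The key and the record values are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// fieldCipher encrypts one database field under one AES key in three modes.
type fieldCipher struct{ block cipher.Block }

func newFieldCipher(key []byte) (*fieldCipher, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes: AES-128/192/256
	if err != nil {
		return nil, err
	}
	return &fieldCipher{block}, nil
}

// randomIV returns a fresh 16-byte IV (CBC) or nonce (CTR). It is not secret;
// it only has to be unpredictable (CBC) and never reused under the key (CTR).
func randomIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err) // no usable randomness: nothing sensible to do but stop
	}
	return iv
}

// ECB and CBC work on whole 16-byte blocks, so a 16-digit PAN is padded to 32.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad padded length %d", len(data))
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding")
	}
	return data[:len(data)-n], nil
}

// EncryptECB: no IV, each block encrypted independently, so the same value
// under the same key always gives the same ciphertext. Go's crypto/cipher has
// no ECB helper on purpose; it is spelled out here only to show the leakage.
func (f *fieldCipher) EncryptECB(field []byte) []byte {
	pt := pkcs7Pad(field)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		f.block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// EncryptCBC stores the IV in front of the ciphertext: IV || CBC(padded field).
func (f *fieldCipher) EncryptCBC(field []byte) []byte {
	pt := pkcs7Pad(field)
	out := append(randomIV(), make([]byte, len(pt))...)
	cipher.NewCBCEncrypter(f.block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], pt)
	return out
}

func (f *fieldCipher) DecryptCBC(data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not IV plus whole blocks", len(data))
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(f.block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

// EncryptCTR needs no padding: nonce || (field XOR keystream).
func (f *fieldCipher) EncryptCTR(field []byte) []byte {
	out := append(randomIV(), make([]byte, len(field))...)
	cipher.NewCTR(f.block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], field)
	return out
}

func (f *fieldCipher) DecryptCTR(data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize {
		return nil, fmt.Errorf("ciphertext shorter than the nonce")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCTR(f.block, data[:aes.BlockSize]).XORKeyStream(pt, data[aes.BlockSize:])
	return pt, nil
}

func main() {
	fc, err := newFieldCipher([]byte("0123456789abcdef0123456789abcdef")) // constructed AES-256 test key
	if err != nil {
		panic(err)
	}
	pan := []byte("4882633214526890") // the card number from the slide, stored in two records
	fmt.Printf("ECB record 1: %x\nECB record 2: %x\n", fc.EncryptECB(pan), fc.EncryptECB(pan))
	fmt.Printf("CBC record 1: %x\nCBC record 2: %x\n", fc.EncryptCBC(pan), fc.EncryptCBC(pan))
	pt, _ := fc.DecryptCBC(fc.EncryptCBC(pan))
	fmt.Printf("CBC round trip: %s\n", pt)
}
```

Two things the slide does not say but that matter once this goes into a database: the IV must be generated per value, never a constant (a fixed IV turns the first CBC block back into ECB), and none of these modes detects a ciphertext that has been altered; where tampering matters, an authenticated mode such as AES-GCM, or a separate MAC over the stored bytes, is needed.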

What are encryption keys?
Encryption keys are the secret part of encryption. The most commonly used key sizes:
- 128-bit (16 bytes)
- 192-bit (24 bytes)
- 256-bit (32 bytes)
The larger the key, the more work an attacker needs to guess it, and the more processing is used during encryption (AES-128 runs 10 rounds per block, AES-192 12 and AES-256 14, so the cost difference is modest).


Key management strategies:
- Store in source code (very bad)
- Store in files without encryption (still bad)
- Store in Key Management facility on same system (better)
- Store in external key management facility (better still)
- Store in external key management facility with FIPS-140 certification (best)

How are encryption keys managed?
Because encryption keys are the primary secret, special applications are used to protect the encryption key.

These are referred to as Key Management systems.


Key Management systems:
- Enforce Key Manager access rules.
- Create and destroy encryption keys.
- Securely store and retrieve keys.
- Escrow unused keys.
- Authenticate requests for keys.
- Provide a mechanism for retrieving keys.
- Provide compliance reporting on key use.
Often provide a level of physical separation between key use and key storage.
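Both the earlier point that asymmetric encryption is used to fetch a symmetric key and the list of key management functions above, as one added example that is not part of the original presentation: a small in-process stand-in for an external key manager, written in Go with the standard library. It keeps data-encryption keys (DEKs) only wrapped under a key-encryption key (KEK, AES-256-GCM), authenticates each request with an RSA-PSS signature from the registered application, enforces per-key access rules, delivers the DEK encrypted to that application's public key (RSA-OAEP), and records every request for compliance reporting. The client names, key ID and KEK are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"time"
)

// KeyManager stands in for an external key management facility: it holds the
// KEK, stores DEKs only wrapped under it, enforces which client may fetch
// which key, and logs every request.
type KeyManager struct {
	kek     cipher.AEAD                // AES-256-GCM under the KEK
	wrapped map[string][]byte          // keyID -> nonce || wrapped DEK
	policy  map[string]map[string]bool // keyID -> clients allowed to fetch it
	clients map[string]*rsa.PublicKey  // registered application identities
	Audit   []string                   // key-use compliance log, one line per request
}

func NewKeyManager(kek []byte) (*KeyManager, error) {
	block, err := aes.NewCipher(kek) // a 32-byte KEK selects AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &KeyManager{kek: aead, wrapped: map[string][]byte{},
		policy: map[string]map[string]bool{}, clients: map[string]*rsa.PublicKey{}}, nil
}

// NewClientIdentity makes the RSA key pair an application registers with the manager.
func NewClientIdentity() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func (km *KeyManager) RegisterClient(name string, pub *rsa.PublicKey) { km.clients[name] = pub }

func (km *KeyManager) log(client, keyID, result string) {
	km.Audit = append(km.Audit, fmt.Sprintf("%s client=%s key=%s result=%s",
		time.Now().Format(time.RFC3339), client, keyID, result))
}

// CreateKey generates a fresh 256-bit DEK, wraps it under the KEK with the key
// ID as associated data (so blobs cannot be swapped between IDs) and records
// which clients may use it. The clear DEK never leaves this function.
func (km *KeyManager) CreateKey(keyID string, allowed ...string) error {
	buf := make([]byte, 32+km.kek.NonceSize()) // DEK followed by a GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return err
	}
	dek, nonce := buf[:32], buf[32:]
	km.wrapped[keyID] = append(append([]byte{}, nonce...), km.kek.Seal(nil, nonce, dek, []byte(keyID))...)
	km.policy[keyID] = map[string]bool{}
	for _, c := range allowed {
		km.policy[keyID][c] = true
	}
	return nil
}

// requestDigest is what a client signs: its name and the key it wants. (A real
// protocol also signs a server nonce or timestamp so requests cannot be replayed.)
func requestDigest(client, keyID string) []byte {
	d := sha256.Sum256([]byte(client + "\x00" + keyID))
	return d[:]
}

// FetchKey authenticates the signed request, checks policy, unwraps the DEK and
// returns it encrypted to the caller's public key (RSA-OAEP): the clear DEK is
// seen only inside the manager and inside the authorized application.
func (km *KeyManager) FetchKey(client, keyID string, sig []byte) ([]byte, error) {
	fail := func(reason string) ([]byte, error) {
		km.log(client, keyID, "DENIED "+reason)
		return nil, errors.New(reason)
	}
	pub, ok := km.clients[client]
	if !ok {
		return fail("unknown client")
	}
	if rsa.VerifyPSS(pub, crypto.SHA256, requestDigest(client, keyID), sig, nil) != nil {
		return fail("bad signature")
	}
	if !km.policy[keyID][client] {
		return fail("not authorized for key")
	}
	blob, ns := km.wrapped[keyID], km.kek.NonceSize()
	dek, err := km.kek.Open(nil, blob[:ns], blob[ns:], []byte(keyID))
	if err != nil {
		return fail("stored key failed integrity check")
	}
	out, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte(keyID))
	if err != nil {
		return fail("could not encrypt key for client")
	}
	km.log(client, keyID, "OK")
	return out, nil
}

// Client side: sign the request, then decrypt the delivered DEK with the private key.
func SignRequest(priv *rsa.PrivateKey, client, keyID string) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, requestDigest(client, keyID), nil)
}

func UnwrapDelivered(priv *rsa.PrivateKey, keyID string, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, []byte(keyID))
}

func main() {
	km, err := NewKeyManager([]byte("0123456789abcdef0123456789abcdef")) // constructed 256-bit KEK
	if err != nil {
		panic(err)
	}
	billing, _ := NewClientIdentity()
	km.RegisterClient("billing", &billing.PublicKey)
	_ = km.CreateKey("pan-key-2008", "billing") // hypothetical key ID
	sig, _ := SignRequest(billing, "billing", "pan-key-2008")
	blob, err := km.FetchKey("billing", "pan-key-2008", sig)
	dek, _ := UnwrapDelivered(billing, "pan-key-2008", blob)
	fmt.Printf("fetch error=%v, billing received a %d-byte DEK\n%v\n", err, len(dek), km.Audit)
}
```

A real deployment differs in three visible ways: the KEK would live in an HSM or a FIPS 140-2 certified key server rather than in process memory, the request would carry a server-supplied nonce or timestamp so a captured signature cannot be replayed, and the audit lines would go to a log that is protected from modification, as the compliance logging slide asks.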

Recommended practices
Modularize data security code to allow future changes with minimal disruption. Use appropriate encryption algorithms and modes. Know the usage rules for encryption modes.

Use appropriate key management and key distribution practices.
Monitor and report inappropriate access to encryption keys and sensitive information.


Technology considerations
Certifications are important – document the independent certifications and tests of your vendors and solutions.
Plan for cross platform support – how will you encrypt in Windows and decrypt in i5/OS? Linux? UNIX? Mainframe?
Use best programming practices with encryption – remove observability (clear keys and plaintext from memory, dumps and debug output once they have been used), initialize variables, optimize.

Have a key management strategy – know where you are today and where you will be in the future.

AES Validation is a NIST-defined certification process for AES implementations (the AES Algorithm Validation Suite, run under NIST's Cryptographic Algorithm Validation Program). Normally applied to data security applications.
FIPS 140-2 is a NIST-defined certification process for cryptographic modules. Normally applied to key management systems and hardware security modules.
ISO/IEC 17799 is an international standard, a code of practice for information security management (renumbered ISO/IEC 27002 in 2007). Covers security policies.

Certifications help ensure compatibility, support loss investigations, and help limit legal liability.

Why certification is important
 Confidence: It is how you will know that encryption is being done the right way.  Compatibility: It is how you will know that you can encrypt and decrypt across server, vendor, and customer boundaries.

 Risk management: It is how you will defend yourself in the event of a loss.
 IT investment protection: It is how you will avoid re-engineering applications.

Cross-platform issues
Computer manufacturers and software vendors use different, often incompatible, encryption interfaces:
- Microsoft .NET and SQL Server
- Oracle database
- IBM DB2
- Java
- Sun Solaris
- OpenSSL
A field encrypted on one platform can be decrypted on another only if the key, mode, IV handling and padding match exactly. Using a common cross-platform encryption library will reduce data exposure and minimize development resources.

Encryption will impact:
- CPU utilization
- Total job run times
- Interactive response time

Be sure to profile your applications and create Proof-Of-Concept tests. Ask your software vendor for performance information.

Compliance logging
- Log access to sensitive data
- Log user access and authentication denials
- Log application access denials
- Log database / field level access denials
- Log access to configurations (key management, user controls, system options)
System logs should be secure from modification or deletion.
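The last point above, as an added example that is not part of the original presentation: the Go program below (standard library only) writes compliance-log records as an HMAC chain under a log key, so that an edited, deleted or reordered record, or a log cut short after the fact, fails verification. The sample events are constructed in the shape of the items the slide lists; the event format, key and user names are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one compliance-log record plus the chain value that binds it to
// every record written before it.
type Entry struct {
	Seq   int
	Event string // e.g. "DENY user=jsmith field=CardNumber file=ORDERS"
	Mac   string // hex HMAC-SHA256(logKey, prevMac | seq | event)
}

// ChainLog appends records whose MACs chain together. The log key is held by
// the key manager, not by the application writing the log, so someone who can
// edit the log file still cannot recompute the chain.
type ChainLog struct {
	key     []byte
	entries []Entry
	last    string
}

var genesis = strings.Repeat("0", 64) // chain value before the first record

func NewChainLog(key []byte) *ChainLog { return &ChainLog{key: key, last: genesis} }

func chainMAC(key []byte, prev string, seq int, event string) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%s|%d|%s", prev, seq, event)
	return hex.EncodeToString(m.Sum(nil))
}

func (l *ChainLog) Append(event string) Entry {
	e := Entry{Seq: len(l.entries), Event: event, Mac: chainMAC(l.key, l.last, len(l.entries), event)}
	l.entries = append(l.entries, e)
	l.last = e.Mac
	return e
}

// Entries returns a copy of the log as it would be handed to an auditor.
func (l *ChainLog) Entries() []Entry { return append([]Entry(nil), l.entries...) }

// Anchor is the latest chain value. Record it somewhere the log writer cannot
// reach (the key manager, a separate log host, a printed daily summary) so
// that deleting the tail of the log is detectable.
func (l *ChainLog) Anchor() string { return l.last }

// Verify recomputes the chain over a log copy and compares its end with the
// anchor. An edited, removed or reordered record breaks the chain at the first
// affected position; a truncated log ends at the wrong anchor.
func Verify(key []byte, entries []Entry, anchor string) error {
	prev := genesis
	for i, e := range entries {
		if e.Seq != i || !hmac.Equal([]byte(e.Mac), []byte(chainMAC(key, prev, i, e.Event))) {
			return fmt.Errorf("log altered at record %d", i)
		}
		prev = e.Mac
	}
	if prev != anchor {
		return fmt.Errorf("log ends at %s but anchor is %s: records missing", prev, anchor)
	}
	return nil
}

// CountDenials is the reporting side: access denials per user.
func CountDenials(entries []Entry) map[string]int {
	out := map[string]int{}
	for _, e := range entries {
		if !strings.HasPrefix(e.Event, "DENY ") {
			continue
		}
		for _, f := range strings.Fields(e.Event) {
			if strings.HasPrefix(f, "user=") {
				out[strings.TrimPrefix(f, "user=")]++
			}
		}
	}
	return out
}

func main() {
	key := []byte("constructed-log-key-held-by-the-key-manager")
	l := NewChainLog(key)
	for _, ev := range []string{ // constructed sample events
		"DENY user=jsmith field=CardNumber file=ORDERS reason=no-decrypt-authority",
		"OK   user=billing key=pan-key-2008 op=fetch",
		"DENY user=jsmith field=CardNumber file=ORDERS reason=no-decrypt-authority",
		"DENY user=guest action=login",
		"OK   user=secadm config=key-manager op=change-policy",
	} {
		l.Append(ev)
	}
	entries, anchor := l.Entries(), l.Anchor()
	fmt.Println("intact log:", Verify(key, entries, anchor))
	entries[0].Event = strings.Replace(entries[0].Event, "DENY", "OK  ", 1)
	fmt.Println("after editing record 0:", Verify(key, entries, anchor))
	fmt.Println("denials by user:", CountDenials(l.Entries()))
}
```

The chain on its own catches edits and deletions in the body of the log; catching a log that has simply been cut short needs the anchor kept out of the writer's reach, which is why Anchor() exists as a separate value to store elsewhere.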

Securing data in motion
Transfer data that is already encrypted.

Use secure protocols like HTTPS, FTPS (FTP over SSL/TLS) and SFTP (file transfer over SSH).
Use secure VPN networks.
Use file encryption technology such as Pretty Good Privacy (PGP).


- Thinking "It won't happen to us"
- Bypassing assessment
- Not using standard encryption
- Not using certified software
- Not using the correct encryption mode
- Not using Key Management
- Not securing data in motion
- Not using cross-platform technologies
- Not implementing compliance monitoring
- Not securing query and BI tools


Thank you

Patrick Townsend
Patrick Townsend & Associates, Inc.
Phone: (800) 357-1019



