Docstoc

IT Procurement

Document Sample
IT Procurement Powered By Docstoc
					 Encryption For
 Click to add text
          Data At Rest
                                                           From Vision to Action



Why is data-at-rest encryption needed?




                                                                             2
State of Michigan • Department of Information Technology          2
                                                           From Vision to Action




     Additional reasons…if necessary

     Changes in Michigan Public Act 452 regarding
     “Breach Notification”
     Negative public relations and political distaste
     SOM is responsible for the protection of citizens
     privacy and identity
     To build citizen trust
     There are a lot of ways data can “leak” from the
     SOM’s network


                                                                             3
State of Michigan • Department of Information Technology          3
                                                                  From Vision to Action


  Enterprise Encryption Workgroup 
               (EEW)
 w Sponsors                                      w Office Automation
      § Dan Lohrmann (CSO)                            § Wayne Foster
      § Scot Ellsworth (CEA)                     w Enterprise Architecture
 w Agency Services                                    § Chad Sesvold
      § Bruce Colf                               w End-User Standards
      § Michael Goodness                              § Reid Sisson
      § Paul Groll
                                                 w OES
      § Donna Sivaraman
                                                      § Brent Ericks
      § Narayan Sivaraman
                                                      § Chris Kellogg




                                                                                    4
State of Michigan • Department of Information Technology                 4
                                                           From Vision to Action



    2 Objectives of the EA workgroup
                                    50,000 foot view


 w Provide EA guidance to agencies with existing
   “Data at Rest” encryption needs

            Ø   Through the Enterprise Architecture work group,
                develop and implement a state-wide “Data at
                Rest” encryption standard that addresses the
                business and technical needs
            Ø   Analyze and recommend one standard “Data at
                Rest” encryption tool that meets the standard


                                                                             5
State of Michigan • Department of Information Technology          5
                                                           From Vision to Action




                What is Data at Rest?

 w It is:
              Data that exists on a laptop hard drive
              Data that exists on a P.C. hard drive
              Data that exists on a locally attached server hard drive
              Data that exists on a portable storage mechanism (I.e., USB
              stick, CD, DVD)


 w It is not:
              Automatically the data being transmitted via e-mail
              Data being transmitted over the network (internal or external)
              Data written from server to the SAN or NAS


                                                                               6
State of Michigan • Department of Information Technology          6
                                                                    From Vision to Action


                             Project Scope
                       (as defined by the technical requirements)
 Priority scope
 Π    Laptops using confidential State resources must have full disk encryption
      Encryption of USB memory stick
 Ž     Encryption of as many transportable systems and data devices as
       possible (thumb and flash drives, CDs, DVDs, tablets, PDA’s, cameras, I-
       pod’s, etc)
      Locally attached server hard drives and control of server USB/DVD/CD
      Centralized management capability


 Additional scope
 ‘     Transparency to the end user – Minimal impact
 ’     Key recovery facility with Helpdesk interface
 “     Port/Device control including CD’s, DVD’s and memory sticks
 ”     Present findings and recommendations to multiple groups of individuals


                                                                                      7
State of Michigan • Department of Information Technology                   7
                                                                    From Vision to Action




                                Approach
 w Identify:
          Known requirements from agencies gathered
          Existing standards, policies and regulations
          Candidate products from Gartner Magic Quadrant and other industry resources
          Encryption tools already in use throughout the enterprise
          An assessment matrix from the requirements and other IT considerations




 w Accomplish:
          Build an assessment matrix based on the requirements identified by the group
          Schedule and hold vendor demonstrations that meet the matrix requirements
          Clarify outstanding issues with vendors
          Develop scoring mechanism (scorecard)



                                                                                         8
State of Michigan • Department of Information Technology                    8
                                                           From Vision to Action




           Work Group Deliverables
          Establish Enterprise Data Encryption (data at rest) requirements.
          Review industry vendor products for research, functional
          capability, and industry maturity.
          Score the vendor presentations utilizing the TRC scoring method
          (weighted questions).
          Recommend direction for the state.
          Draft State-Wide standard to address critical encryption
          requirements.
          Present recommendation to State of Michigan leadership
          (Agencies and MDIT).
          Proceed with recommended acquisition programs.


                                                                              9
State of Michigan • Department of Information Technology          9
                                                           From Vision to Action




Gartner’s Magic Quadrant




                                                                            10
State of Michigan • Department of Information Technology         10
                                                           From Vision to Action



  Requirements Identified by the EA Sub-Group

                           Encryption Requirements
 w     Full disk encryption (FDE)
 w     Pre-boot authentication
 w     FIPS 140-2 certified
                          Operational Requirements
 w     Key recoverability
 w     Auditability
 w     Port control
                         Infrastructure Requirements
 w     Ability to load users from Active Directory, E-Directory, and
       manually
 w     Central key management (console)


                                                                            11
State of Michigan • Department of Information Technology         11
                                                           From Vision to Action




                       Vendor Finalists
     After establishing requirements and interacting with 13
     vendors, 3 have been targeted as viable solutions
            Ø   WinMagic
            Ø   SafeBoot
            Ø   PointSec

     These finalists align with Gartner’s Magic Quadrant

     Once the procurement method has been established the
     EA Sub-Group will identify one product as the State
     standard


                                                                            12
State of Michigan • Department of Information Technology         12
                                                                From Vision to Action




                 Final Scoring Criteria
 Laptops, Desktops                                                              Y/N
 PDA's (Ipod, Blackberry, Windows, Palm)                                              5
 Portable devices (USB Ports, CD, DVD, Firewire, etc.)                                5
 Gartner rating of Vendor                                                         10
 Prior Experience (Vendor customer's, E.g., DOD, etc.)                            15
 Financial Stability (Check information such as 10-Q and 10-K at 
 SEC.GOV)                                                                             5
 Enterprise Management Capability (Directory imports, manual entry, 
 centralized console, key management, key recovery)                               25
 User Experience                                                                  15
 Hot line interface (Customer Service Center)                                     10
 Maintenance  & support including installation                                    10
                                                                             
 Total Score                                                                     100

                                                                                      13
State of Michigan • Department of Information Technology               13
                                                               From Vision to Action


         Multi-Government Encryption 
            Procurement Initiative
 w Federal Government combined purchase initiative
   named the ESI/SmartBuy vehicle
            Ø   Was competitively bid
            Ø   Ten vendors granted approved for purchases under this vehicle
            Ø   State and local government can participate and combine purchase
                with Federal government


 w All 3 vendors that Michigan MDIT EA Sub-Group group
   have targeted are included in this federal purchase
   initiative.


                                                                                  14
State of Michigan • Department of Information Technology             14
                                                                                            From Vision to Action




                 More on ESI/Smartbuy
 w   USDA is utilizing the ESI/SmartBUY contract vehicle to purchase the SafeBoot
     product
            Ø   Full Disk Encryption (FDE)
            Ø   File/Folder Encryption (FES)
            Ø   Port Control
            Ø   All Connectors needed for directory and mobile devices
            Ø   1st Year 7x24 Maintenance & Support
            Ø   Management Console
            Ø   Database Backup
            Ø   Scripting Tool
            Ø   Web Help Desk
            Ø   Home use of all licenses
            Ø   Secondary use right for all licenses
            Ø   Immediate temporary enterprise license for use during natural disasters, acts of war and/or terror

 w   Rates are extremely reduced
            Ø   $11.56 per license (normal cost for all three products is approximately $230.00)
            Ø   Year two (2) Maintenance is $2.89 per license (normal maintenance is 18% of the normal cost)

 w   Timeline
      §   August 29th – October 29th, 2007
            Ø   PO for 1,000 Seat Minimum locks in price point until October 29th, 2008
            Ø   Letter of Intent Received on October 29th, 2007 provides an additional thirty (30) extension to receive
                PO to accommodate funding or legal requirements

                                                                                                                      15
State of Michigan • Department of Information Technology                                              15
                                                           From Vision to Action




Next Steps

 w Estimate Total-Cost-of Ownership (TCO) of
   solution.
 w Align purchase program of products and
   services via Federal ESI/SmartBuy vehicle.
 w Pilot project to begin Enterprise Data Encryption
   environment, deployment processes, and
   services.



                                                                            16
State of Michigan • Department of Information Technology         16
                                                               From Vision to Action




Encryption of Data At Rest

                                       ?
                                                                 ?
    ?
                 ?
                                                           ?
                                              ?
                     ?

                                                                                17
State of Michigan • Department of Information Technology             17
                                                           From Vision to Action




Support Slides….

 w Please reference the following slides as
   additional work group research and Data
   Encryption requirements.




                                                                            18
State of Michigan • Department of Information Technology         18
                                                             From Vision to Action


                    “Encryption Requirements”
                         Full Disk Encryption

 w Without “Full Disk” encryption users cannot be
   sure that their data is encrypted.

            Ø   Normal file deletion leaves residual data on the hard drive

            Ø   Applications and Browsers leave data in unpredictable areas
                on the hard drive

            Ø   Users often do not realize they have sensitive data on their
                devices


                                                                               19
State of Michigan • Department of Information Technology           19
                                                           From Vision to Action


               “Encryption Requirements” 
        File level encryption not recommended




                                                                            20
State of Michigan • Department of Information Technology         20
                                                           From Vision to Action


                “Encryption Requirements”
            Full Disk Encryption recommended




       Note that FDE encrypts the entire disk including the un-
            used space before the C partition and after it.
       (Encrypting only the drive C may leave attacker code in
                            these spaces.)
                                                                            21
State of Michigan • Department of Information Technology         21
                                                           From Vision to Action


                   “Encryption Requirements”
                      Pre-Boot Authentication

 w User must be identified prior to accessing the
   operating system
 w Can be implemented in single sign on mode
   thereby requiring only 1 username and 1
   password to login to windows (transparent to
   user)
 w Compatible with existing SecurID tokens, Smart
   Cards, Biometrics and many other multi-factor
   authentication devices


                                                                            22
State of Michigan • Department of Information Technology         22
                                                           From Vision to Action


                   “Encryption Requirements”
                        FIPS 140-2 Certified

 w The Federal Information Processing Standard
   (FIPS) Publication 140-2, is a U.S. government
   computer security standard used to accredit
   cryptographic modules

 w Industry best practice dictates that successful
   implementations of encryption products meet the
   FIPS 140-2 certification.


                                                                            23
State of Michigan • Department of Information Technology         23
                                                           From Vision to Action


                   “Operational Requirements”
                         Key Recoverability

 w User forgets login – product must have an
   interface for Client Service Center to restore
   access
 w Master login must not exist (backdoor)
 w OES must have access to keys for acceptable
   use policy investigations and others




                                                                            24
State of Michigan • Department of Information Technology         24
                                                           From Vision to Action


                   “Operational Requirements”
                             Auditability

 w Product must be able to validate that encryption
   has taken place for each device that is
   encrypted
 w Audit logs will be used to remediate the
   notification requirement changes within Public
   Act 452
 w Port control audit logs can be used to enforce
   sensitive data control policies


                                                                            25
State of Michigan • Department of Information Technology         25
                                                           From Vision to Action


                   “Operational Requirements”
                            Port Control

 w Ability to restrict “Writing” to USB ports for
   agencies that request it
 w Selective device control (I.e., Dell USB but not
   U3 USB devices)
 w Automatic encryption of data when sent to the
   USB port if allowed




                                                                            26
State of Michigan • Department of Information Technology         26
                                                           From Vision to Action


                 “Infrastructure Requirements”


 w Central console to manage encryption enterprise-wide

 w Centralized policy enforcement for users and groups of users

 w Web-based interface for password recovery situations for the CSC

 w Ability to interface with different LDAP directories (I.e., Novell E-
   Directory, Microsoft Active Directory and manual entry for users that
   don’t exist in an LDAP)




                                                                            27
State of Michigan • Department of Information Technology         27

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:0
posted:10/10/2013
language:English
pages:27