Portable encryption technologies at Sandia Jeremy Baca Cyber Security Technologies Department Sandia National Labs Sandia is a multiprogram laboratory.
Presentation transcript:

Portable encryption technologies at Sandia
Jeremy Baca, Cyber Security Technologies Department, Sandia National Labs
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

Topics I will cover
– Entrust ESP 8 for Encryption
– Credant Deployment
– IronKey Pen Drives
– Other Software Encryption Technologies
– Hardware Encrypted Hard Drives
– Blackberry S/MIME integration
– Blackberry Enterprise Server Encryption
– Entrust Messaging Server (EMS)
– PKI integration with the new HSPD12 badge

Entrust ESP 8 for Encryption
– Sandia has done interoperability testing between ESP and the old client and found no major issues between the two systems
– Tested the ESP client on the currently deployed OS: XP with Office 2003 and Office 2007, and Vista with Office 2007
– Changed from SHA1/3DES algorithms to SHA256/AES256
– Sandia started deployment of Entrust 8 via SMS on April 23
– Sandia has deployed Entrust 8 to over 6,800 computers with a 12% call rate to our help desk
– We currently have about 1,800 computers to go, with the majority of users hitting cancel when prompted to install

Credant Deployment
– Sandia deployed Credant as its data-at-rest encryption solution
– We implemented Credant on all mobile laptops, pen drives, and PDAs
– Data is encrypted with common and user encryption keys defined by policy on the server
– Keys are generated by the CMG Enterprise server and mapped to a device/user combination
– Authentication is tied to the user's Windows login. Login options include two-factor and one-time password generators
– Users are imported from an LDAP directory such as Active Directory that already exists in our enterprise
– The initial encryption can take quite a bit of performance from the computer
– During normal operation there is still a performance impact from this product. It is most noticed when there is heavy processor use (compiles, renderings). It's generally not noticed with business apps

IronKey Pen Drives
– Sandia added the IronKey pen drives to our approved list of devices after thorough testing
– The IronKey pen drives employ AES CBC-mode hardware encryption that meets FIPS
– Active Anti-Malware Protection – Secure AutoRun
– Remote Administration and Policy Enforcement
– Onboard portable applications
  – Secure Web browser
  – Secure Password Manager
  – Virtual Keyboard password protection for untrusted hosts
  – Encrypted local backup
– Remotely Disable or Terminate Lost and Stolen USB Drives
  – Deny - Prohibits accessing the data on the device
  – Disable - Locks out the user the next time the device connects
  – Destroy - Instructs the device to initiate its self-destruct sequence

Other Software Encryption Technologies
– Sandia did testing on the following products as part of an NNSA research project:
  – Credant
  – WinMagic
  – Mobile Armor
  – BeCrypt
  – Utimaco
  – PGP Full Disk
  – Pointsec
  – GuardianEdge
– Sandia, along with LANL, Pantex, Savannah River, KCP and Y-12, prepared a 115-page report for the NNSA on the pros and cons of each product

Hardware Encrypted Hard Drives
– Sandia evaluated Seagate FDE encrypted hard drives and Wave management software
– One big problem with this technology is compatibility with hardware. We found most Dell and Lenovo laptops worked with the Seagate drive
– Key management is a major issue, and the 3rd-party apps do not yet have a solid enterprise solution or a full set of enterprise support features
– The Seagate drive does hardware-based AES encryption of the entire disk
– Encryption has almost no impact on the performance of the drive

Blackberry S/MIME integration
Blackberry Issues and Functionality
– Directory issues with multiple CA sites
– Inaccessible CRL files
– Some old desktops use the Entrust message format as default and not S/MIME
– Testing at Sandia, ORNL and DOE/HQ
– User certificates can be imported over the wire and work properly, but we still have issues doing this over the cellular network
– Certificate status can not be determined cross-site using the over-the-air option (the Blackberry device hangs or gives a stale certificate message)
– The Blackberry tries to communicate directly with the issuing certificate directory and will not chain through the site directories (firewalls between sites cause this to fail)
– Had to change the master certificate specifications to include a URL CDP for the Blackberry, since it can not use the X.500 CDP
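One way to verify the certificate-profile change in the last bullet before re-issuing certificates, as an added example that is not Sandia's, Entrust's or RIM's code: walk a certificate's CRLDistributionPoints extension and report whether it carries an HTTP URL or only an X.500 directory name. The extension bytes, the CN=CRL1 directory name and the crl.example.invalid URL are constructed for the example.

```python
# Added example (not Sandia's, Entrust's or RIM's code): parse a DER CRLDistributionPoints
# extension and report whether it offers an http:// URL or only an X.500 directoryName.
def _tlv(data, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def _children(value):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val
def _der(tag, content):
    """Minimal DER TLV encoder for the constructed samples (content < 64 KiB)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content
def crl_distribution_points(ext_value):
    """List (kind, text) for each GeneralName under a [0] fullName DistributionPoint:
    'uri' for [6] uniformResourceIdentifier, 'directoryName' for [4] (hex of the Name)."""
    found = []
    _, dps, _ = _tlv(ext_value, 0)                      # outer SEQUENCE OF DistributionPoint
    for _, dp in _children(dps):                        # each DistributionPoint SEQUENCE
        for tag, dpn in _children(dp):
            if tag != 0xA0:                             # [0] distributionPoint only
                continue
            for tag2, general_names in _children(dpn):
                if tag2 != 0xA0:                        # [0] fullName only (not [1] RDN form)
                    continue
                for gtag, gval in _children(general_names):
                    if gtag == 0x86:
                        found.append(("uri", gval.decode("ascii")))
                    elif gtag == 0xA4:
                        found.append(("directoryName", gval.hex()))
    return found
def has_http_cdp(ext_value):
    """True if some CDP is an http:// URL, i.e. usable by a client with no LDAP/X.500 access."""
    return any(k == "uri" and v.lower().startswith("http://") for k, v in crl_distribution_points(ext_value))
def sample_cdp(uris=(), directory_names=()):
    """Constructed CRLDistributionPoints value: one DistributionPoint with a fullName."""
    names = b"".join(_der(0x86, u.encode("ascii")) for u in uris)
    names += b"".join(_der(0xA4, dn) for dn in directory_names)
    return _der(0x30, _der(0x30, _der(0xA0, _der(0xA0, names))))
# Constructed X.500 Name "CN=CRL1": SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, PrintableString } } }
SAMPLE_DN = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, b"CRL1"))))
X500_ONLY = sample_cdp(directory_names=[SAMPLE_DN])  # directory-only profile the handheld could not use
WITH_URL = sample_cdp(uris=["http://crl.example.invalid/ca1.crl"], directory_names=[SAMPLE_DN])
```

To audit an existing profile, pass `crl_distribution_points` the extension's DER value (the content of its extnValue OCTET STRING) taken from a real certificate.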

Blackberry Enterprise Server Encryption
– Blackberrys by default encrypt all data traffic over the cellular connection from the device to the Blackberry Enterprise Server on the Sandia network
– Voice traffic is not encrypted over the cellular connection
– Sandia’s Blackberry policy enforces content protection, which turns on full data encryption on the device
– We set an auto-lock timeout of 15 minutes
– We have also set the device to wipe after ten bad password attempts
– Our BES policy also prevents third-party applications from being installed on the device
– We do not allow Blackberrys to be connected to non-Sandia computers

Entrust Messaging Server (EMS)
– Entrust Messaging Server: an additional component within the PKI infrastructure that helps users secure messages by:
  – Locating others' public certificates. These may be Entrust or another PKI vendor's certificates.
  – Managing others' public certificates. Certificates will be stored on the server instead of on users' local systems.
  – Notifying others to obtain PKI certificates. Users will be notified to obtain a certificate if one can not be found.
– Sandia is testing with an EMS server to see what the impact will be on our environment and should have it implemented by the end of the 3rd quarter of 2009

PKI integration with the new HSPD12 badge
– The new HSPD12 badges have an integrated smart chip with Entrust certificates issued from EDS (PIV Authentication, Digital Signature, Key Management)
– The new badge also contains multiple data elements for the purpose of verifying identity. They consist of a PIN, a Cardholder Unique Identifier (CHUID), one asymmetric key pair and corresponding certificate for authentication, a digital picture and two digital fingerprints
– This data model may be optionally extended to meet agency-specific requirements. This is being looked at to possibly hold certificates for digital signatures and for two-factor computer access
