Cryptography As A Service

Slides:



Advertisements
Similar presentations
Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
Advertisements

Agenda 2 factor authentication Smart cards Virtual smart cards FIM CM
Akshat Sharma Samarth Shah
The System Center Family Microsoft. Mobile Device Manager 2008.
Beyond the Help Desk Getting ahead of the game Mihaela Damian Dan Sexton 11 th July 2013 CSCS > School of Clinical Medicine > University of Cambridge.
Secure Systems Research Group - FAU Process Standards (and Process Improvement)
1 GP Confidential © GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)
Dell Compellent and SafeNet KeySecure
Active Context Tracking™ technology enabling business transaction management in a distributed environment Rocky Mountain CMG Spring? ‘09 Forum.
Securing the Borderless Network March 21, 2000 Ted Barlow.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
E-Government Security and necessary Infrastructures Dimitrios Lekkas Dept. of Systems and Products Design Engineering University of the Aegean
Security in Cloud Computing Presented by : Ahmed Alalawi.
InterSwyft Technology presentation. Introduction InterSwyft brings secured encrypted transmission of SMS messages for internal and external devices such.
JVM Tehnologic Company profile & core business Founded: February 1992; –Core business: design and implementation of large software applications mainly.
Computer Associates Solutions Managing eBusiness Catalin Matei, April 12, 2005
Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.
Page  1 SaaS – BUSINESS MODEL Debmalya Khan DEBMALYA KHAN.
The Right Choice for Call Recording OAISYS and PCI DSS Compliance Managing Payment Card Industry Compliance with OAISYS Call Recording Solutions.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Best Practices in Deploying a PKI Solution BIEN Nguyen Thanh Product Consultant – M.Tech Vietnam
AGENDA Welcome and introductions Brief introduction to PSI Mobile Technical Overview Demonstration Q and A Next Actions.
SEC835 Database and Web application security Information Security Architecture.
© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 Buying factors – HP.
Looking to Build a Secure Enterprise Mobile Application? Here’s How! Mush Hakhinian Chief Security Architect Intralinks Mush Hakhinian Chief Security Architect.
Lessons Learned in Smart Grid Cyber Security
Copyright © 2006 CyberRAVE LLC. All rights reserved. 1 Virtual Private Network Service Grid A Fixed-to-Mobile Secure Communications Framework Managed Security.
Week #7 Objectives: Secure Windows 7 Desktop
M i SMob i S Mob i Store - Mobile i nternet File Storage Platform Chetna Kaur.
XML in Development of Distributed Systems Tooling Programming Runtime.
Delivering Security for Mobile Device and Mobile Application Management INSERT MSP LOGO HERE.
General Key Management Guidance. Key Management Policy  Governs the lifecycle for the keying material  Hope to minimize additional required documentation.
Kevin Casady Hanna Short BJ Rollinson.  Centralized and Structured collection of data stored in a computer system  An electronic filing system  Easy.
Security Planning and Administrative Delegation Lesson 6.
Extending Forefront beyond the limit TMG UAG ISA IAG Security Suite
X-Road – Estonian Interoperability Platform
© 2009 PGP Corporation Confidential State of Key Management Brian Tokuyoshi Solution Manager.
Supplementary to Presentation on Kiosk Services ATM System Overview TrigMax Enterprise Solutions Mason Liu, Ph.D.
·
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice HP Library Encryption - LTO4 Key.
CUTTING COMPLEXITY – SIMPLIFYING SECURITY INSERT PRESENTERS NAME HERE XXXX INSERT DATE OF EVENT HERE XXXX.
Future of the Server Room Tour. Ottawa Montreal Calgary Vancouver Toronto Future of Your Server Room Three Pillars of Windows Server 2008 Virtualization.
Identity Management: A Technical Perspective Richard Cissée DAI-Labor; Technische Universität Berlin
Empowering people-centric IT Unified device management Access and information protection Desktop Virtualization Hybrid Identity.
One Platform, One Solution: eToken TMS 5.1 Customer Presentation November 2009.
TESTING as a SERVICE An Emitac Enterprise Solutions offering that can be offered on CLOUD as well.
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
Securing Data in Transit and Storage Sanjay Beri Co-Founder & Senior Director of Product Management Ingrian Networks.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #22 Secure Web Information.
Distribution and components. 2 What is the problem? Enterprise computing is Large scale & complex: It supports large scale and complex organisations Spanning.
- NCSU project goals and requirements - Adoption Drivers - Current challenges and pain points - Identacor at NCSU - Identacor Features - NCSU Key Benefits.
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 Automate your way to.
Visibility. Intelligence. response Information Security: Risk Management or Business Enablement? Mike Childs Vice President Rook Security.
3/12/2013Computer Engg, IIT(BHU)1 CLOUD COMPUTING-1.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Database Administration Advanced Database Dr. AlaaEddin Almabhouh.
Security Policy and Key Management Centrally Manage Encryption Keys - Oracle TDE, SQL Server TDE and Vormetric. Tina Stewart, Vice President.
1© Copyright 2012 EMC Corporation. All rights reserved. Next Generation Authentication Bring Your Own security impact Tim Dumas – Technology Consultant.
ORACLE's Approach ORALCE uses a proprietary mechanism for security. They user OLS.... ORACLE Labeling Security. They do data confidentiality They do adjudication.
L’Oreal USA RSA Access Manager and Federated Identity Manager Kick-Off Meeting March 21 st, 2011.
CLOUDENTIFY.
Rocky Mountain CMG Spring? ‘09 Forum
What is Interesting in the CCSP certification?
Web Information Systems Engineering (WISE)
Hardware Sizing, Placement, & Capacity Planning
Security Planning and Administrative Delegation
Presentation transcript:

Cryptography As A Service Barclays Crypto Application Gateway and Beyond 23rd May 2013 George French – Barclays Dan Cvrcek – Smart Architects Unrestricted distribution

Cryptography As A Service Key Management Applications Application Cryptography Interface Audit Logging Authentication BCAG / CSG Service Vendor HSM interfaces Application Key Management Cryptography Policy Enforcement Why Do Banks Use Cryptography - Traditionally as a control to mitigate risk Legal Regulatory Scheme Governance Reputation Interoperability - Recently Business Enabler for new tech The real value is to reduce the burden on existing systems to “enable more to be done” HSMs Operations and Audit 2 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

Beginning … Cryptography and Business Requirement Solution lead time Encrypt data (... and decrypt possibly) day Secure key generation and management, recovery months Decryption after 30 years, huge data collections (tera bytes), multiple application support, integration > year Support and recovery after incidents Multiply by 2+ As surprising as it may sound there are very few security products that would actually work and could be managed with a small operational team. The main culprits: - integration, scalability, reliability, support 3 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

Crypto Service Must Provide For … Audit Cryptography is deployed as a control to mitigate a risk it is therefore necessary to be able to demonstrate that the control is effective. Cryptographic Management The problem with cryptography is the decryption process. NEVER GIVE DEVELOPERS OPTIONS WHEN ENCRYPTING DATA Centralised Management Small teams even in multinational companies Monitoring of usage / capacity BAU operational tasks Security audits Information for business units 4 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

Problem Space for The Use of Cryptography What we are trying to manage Business Capturing Business Requirements Provision of a defined operational model Project/Bespoke development Testing Why Do Banks Use Cryptography - Traditionally as a control to mitigate risk Legal Regulatory Scheme Governance Reputation Interoperability - Recently Business Enabler for new tech The real value is to reduce the burden on existing systems to “enable more to be done” 5 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

Problem Space for The Use of Cryptography What we are trying to manage Business Capturing Business Requirements Provision of a defined service Risk Mitigation Bullet Build Requires Specialised knowledge Meet requirements Internal governance and standards compliance Infrastructure build Change management “The usual suspects” Securely building data structures Data migration Secure clustering Access control Applications Use of vendor APIs Lack of understanding in the use of cryptography Problem with support for key rollover and data migration. Implementation issues Threading API credentials Hardware Vendor lock-in Bespoke development of processes and procedures that are specific to the vendors products. Under utilisation of hardware Due to the HA requirements of standard patterns and the requirement for application segregation based on the current deployed HSM products. Cost 6 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

Problem Space for The Use of Cryptography What we are trying to manage Business Capturing Business Requirements. Provision of a defined service. Risk Mitigation Bullet Requires Specialised knowledge Meet requirements Internal governance and standards compliance Infrastructure build Change management Build Hardware Utilisation Project model delivers variances Patch and Security Vulnerability Management Operation impact of outages “Non-functional” Requirements Operation Management and support issues of device Location of HSMs HSMs are located in the Data Centres, access is restricted Manual intervention required Change configurations Key change (LMK) Collection of Diagnostic Information 7 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

Problem Space for The Use of Cryptography What we are trying to manage Business Capturing Business Requirements. Provision of a defined service. Risk Mitigation Bullet Build Requires Specialised knowledge “The usual suspects” Internal governance and standards compliance Operation Hardware Utilisation Project model delivers variances Patch and Security Vulnerability Management Operation impact of outages Compliance Regulatory and scheme compliance Internal Audit Customer Due diligence 8 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

Problem Space for The Use of Cryptography What we are trying to manage Business Capturing Business Requirements. Provision of a defined service. Risk Mitigation Bullet Build Requires Specialised knowledge “The usual suspects” Internal governance and standards compliance Operation Hardware Utilisation Project model delivers variances Patch and Security Vulnerability Management Operation impact of outages Compliance Regulatory and scheme compliance Internal Audit Customer Due diligence ... I know nothing short of impossible but here we go 9 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

BCAG Cryptographic Approach Separating use from management and configuration Use (business units): Request system authentication credentials (e.g., password); Do Crypto – e.g., Api.Encrypt(“CC_Number”, “ME”, “Main_DB”, <transaction>) Management (BU and Crypto Operations): Policy – what business functions (e.g., encrypt credit card number), how many parties (DB, web app, middleware, …). Technical (Crypto Operations): how many keys, algorithms, crypto modes, key lengths, key validity, and so on. It is possible to provide cryptographic solutions by providing two of the points e.g. API and a cryptographic provider or Crypto provider and Key management The first implementations of hardware based cryptography required bespoke vendor APIs to support applications. The next stage was the addition of simple Key Management functionality which again was vendor specific. This is the situation that we find ourselves in today with three separate Key Management systems that do not interoperate without manual key management operations taking place. It is worth noting that a number of standards (de facto and Standards Bodies) have been developed, but they deal with specific instances of cryptography, business sectors or products e.g. PKCS#1 – 16 Various uses of RSA based Asymmetric based cryptography from RSA Labs X 509 Exchange and use of Asymmetric keys from ANSI MSCAPI Cryptographic support for Microsoft applications from Microsoft BSAFE Cryptographic toolkits provider from RSA Control Vectors Key Management from IBM LMK Variants Key Management from Thales ACL Key Management from nCipher GSS-API API Framework from IETF X9.24 pt1/2 Key Management (Banking) from ANSI With any of the APIs described above there is the problem of vendor implementation and vendor lock-in, coupled with the reluctance of vendors to build solutions that support high levels of integration between other vendor’s products and services. This gives raise to the following issues: If we standardise on specific vendor then either the bespoke APIs or Key management implementations of the vendor will need to be integrated into applications. Change of vendor would require a change to applications. Reliant on sole provider It is possible for applications to adopt certain standards (e.g. PKCS#11); to try and de-couple vendor specific Application API implementations. In the case of PKCS#11 this would decouple the application API but there would still be a reliance on the vendor’s implementation and key management solution. Also the wholesale adoption general encryption APIs such as PKCS#11 do not allow for the deployment of business specific cryptographic mechanisms i.e. for the banking sector PIN block translation, CVV generation etc. In order to be vendor agnostic, a different approach to the provision of cryptography is required. To address this the HSM Farm was developed. 10 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

BCAG Business Approach Pay for what you use Centralised use of resources (people, hardware, network, …) HSMs used “per operation”, not “per project”. Commissioning of cryptographic system components by Crypto Operations skills; volume; and single place for deployment and management -> strategy. Decoupling components (i.e., HSM) from applications Eliminate vendor lock-in; and Introduce service-based architecture with replaceable products. 11 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

What Does It Look Like – Architectural Blocks Business Crypto support (1st line) Solution support (2nd line) Product support (3rd line) 12 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

System Mechanics - Onboarding Administrative process for enrolling new business application to BCAG Capture Business Requirements The most difficult part as the business does not usually have a structured description of cryptographic requirements Convert BR to policy specification Semi-automated process that generates a BCAG policy definition Amend BCAG access control with new “user” privileges Key generation and deployment (manual or semi-automatic process) Use. 13 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

Mechanics - Operation And 3 pieces of information that have to align: Authentication details = username and password Policy = username and authorised operations and key locator data Crypto Key definitions = key value and key locator data 14 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

Doing Crypto - Key Lookup Traditionally Key Label = Key Value You change a key value, you get a new key label The new key label has to be propagated to all applications using the old key BCAG Approach Structured key locators: user, function, base_function, from, to Algorithm for locating keys Dynamic, as it does not use 1:1 mapping but lookup algorithm Efficient – 2 layers of caching of recently used keys 15 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

Key Lookup – BCAG 16 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

Beyond Large data processing; we talk about Daily encryption of giga and terabytes of data Protection of archives with 100,000s of DB tables Composite cryptography Grouping cryptographic operations into transactions that require specific order of operations Breach of a transaction is a potential data compromise Centralised key management Replacement of manual key loading to HSMs with an automatic process to minimise human errors and increase security 17 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

Beyond … banking Platform for mobile app cryptography Platform for financial services for future applications Providing API and system for banking transactions to developers without actually building a bank Being able to build own virtual Central Bank with a few button clicks All this requires something like BCAG to: Access to payment schemes (VISA, MasterCard) Strong cryptographic system able to ensure pre-defined security properties (like cheating, counterfeiting … within the model of a virtual world) In some cases compliance with financial regulations 18 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

Thank you for your attention! Dan@SmartArchitects.co.uk George.French@Barclays.com

Security Policy – Two Abstractions Use - Visible for Business Units Users just names, possibly with domain (e.g., LDAP) And authentication options (specs for tickets) User groups – just names Alias – just names for required crypto operations Manage - Internal to Crypto Management Params – the technical bit, e.g. [PARAMS CookieParams] ManagedEncryption=false Cipher=AES KeySize=128 ModeOfOperation=CBC IV=Random Padding=NoPad 20 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

Doing Crypto - Key Lookup as You Know It 21 | Cryptography as a Service 23rd May 2013 Unrestricted distribution