Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enterprise Key Management Infrastructure (EKMI) Arshad Noor, Chair, EKMI TC OASIS IDtrust Workshop Barcelona, Spain October.

Published byAdam Johns Modified over 8 years ago

Similar presentations

Presentation on theme: "Enterprise Key Management Infrastructure (EKMI) Arshad Noor, Chair, EKMI TC OASIS IDtrust Workshop Barcelona, Spain October."— Presentation transcript:

1 Enterprise Key Management Infrastructure (EKMI) Arshad Noor, Chair, EKMI TC arshad.noor@strongauth.com OASIS IDtrust Workshop Barcelona, Spain October 22, 2007 arshad.noor@strongauth.com www.oasis-open.org

2 Why do you need EKMI? Avoid going to jail UK's Regulation of Investigatory Powers (RIPA) Act 2000 Part 3 1 Avoid breach-related charges TJX charge of $216M 2 1: http://www.opsi.gov.uk/acts/acts2000/20000023.htmhttp://www.opsi.gov.uk/acts/acts2000/20000023.htm 2: http://www.sec.gov/Archives/edgar/data/109198/000095013507005281/b66678tje10vq.htmhttp://www.sec.gov/Archives/edgar/data/109198/000095013507005281/b66678tje10vq.htm

3 www.oasis-open.org Why do you need EKMI? Regulatory Compliance PCI-DSS, PCSA, HIPAA, FISMA, SB-1386, etc. Impending Massachusetts H213 bill Avoiding fines - ChoicePoint $15M, Nationwide Building Society £1 M Avoiding lawsuits Accenture, BofA, TD Ameritrade, TJX (multiple) Avoiding negative publicity VA, IRS, Fidelity, E&Y, Citibank, BofA, WF, Ralph Lauren, UC, 300+ others

4 The Encryption Problem ● Define Policy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Audit ● Define Policy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Audit ● Define Policy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Audit ● Define Policy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Audit ● Define Policy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Audit ● Define Policy ● Generate ● Encrypt ● Decrypt ● Escrow ● Authorize ● Recover ● Destroy ● Audit.........and on and on www.oasis-open.org

5 Key Management Silos www.oasis-open.org

6 EKMI Harmony www.oasis-open.org

7 The Encryption Solution www.oasis-open.org

8 What is an EKMI? An Enterprise Key Management Infrastructure is: “A collection of technology, policies and procedures for managing all cryptographic keys in the enterprise.” www.oasis-open.org

9 EKMI Characteristics A single place to define EKM policy A single place to manage all keys Standard protocols for EKM services Platform and Application-independent Scalable to service millions of clients Available even when network fails Extremely secure www.oasis-open.org

10 EKMI Components Public Key Infrastructure For digital certificate management; used for strong-authentication, and secure storage & transport of symmetric encryption keys Symmetric Key Management System SKS Server for symmetric key management SKCL for client interactions with SKS Server SKSML protocol EKMI = PKI + SKMS www.oasis-open.org

11 SKMS Big-Picture DB Server Crypto Module Application Server Crypto Module SKCL C/C++ Application RPG Application Java Application Key Cache JNIRPGNI Server Client Network 1 2 3 4 5 6 1. Client Application makes a request for a symmetric key 2. SKCL makes a digitally signed request to the SKS 3. SKS verifies SKCL request, generates, encrypts, digitally signs & escrows key in DB 4. Crypto HSM provides security for RSA Signing & Encryption keys of SKS 5. SKS responds to SKCL with signed and encrypted symmetric key 6. SKCL verifies response, decrypts key and hands it to the Client Application 7. Native (non-Java) applications make requests through Java Native Interface 77 www.oasis-open.org

12 The Sharing Problem - (DHS-PCII) DHS Personnel First Responder Encryption Key Private Sector PCI Data PCI Ciphertext Encryption Key shared out-of-band Internet + = Key shared out-of-band www.oasis-open.org

13 The Sharing Problem - Multiplied Encryption Keys First Responders (50 States, 3000+ Counties, 20,000+ Cities) DHS Personnel (180,000+) Private Sector PCI Data (Tens of thousands?) www.oasis-open.org

14 The Sharing Problem - Solved* PCII Database SKS Server Internet DHS Personnel (180,000+) Private Sector PCI Data (Tens of thousands?) First Responders (50 States, 3000+ Counties, 20,000+ Cities) www.oasis-open.org

15 The Retail Solution Store N Back-Office Database Bank Settlement Fraud Analysis SKS Server WAN Store 1 www.oasis-open.org

16 The Healthcare Solution ER Application and Database Patient Registration SKS Server EMT N Laptop EMT 1 Laptop Wireless MAN AP ER Nurse www.oasis-open.org

17 The Financial Solution www.oasis-open.org

18 EKMI TC Goals Standardize Symmetric Key Services Markup Language (SKSML) Create Implementation & Operations Guidelines Create Audit Guidelines Create Interoperability Test-Suite www.oasis-open.org

19 33 EKMI TC Members/Observers FundServ* MISMO NuParadigm Government Systems PA Consulting (UK) PrimeKey (Sweden) Red Hat StrongAuth* US Dept. of Defense Visa International* Wave Systems Wells Fargo WISeKey (Switzerland) OS Software company Database SW company PKI SW company (Canada) Storage/Security SW company Govt. Agency (New Zealand) Individuals representing Audit and Security backgrounds* * Founder Members www.oasis-open.org

20 Burton Group on EKMI "The life cycle of encryption keys is incredibly important. As enterprises deploy ever-increasing numbers of encryption solutions, they often find themselves managing silos with inconsistent policies, availability, and strength of protection. Enterprises need to maintain keys in a consistent way across various applications and business units," said Trent Henry, senior analyst, Burton Group. "EKMI will be an important step in addressing this problem in an open, cross-vendor manner." http://www.oasis-open.org/news/oasis-news-2007-06-25.php www.oasis-open.org

21 Conclusion “Securing the Core” should have been Plan A from the beginning – but its not too late for remediation OASIS EKMI TC is driving new key- management standards that cuts across platforms, applications and industries. Get involved! www.oasis-open.org

22 Resources OASIS EKMI TC Resources Use Cases, SKSML Schema, Presentations, White Papers, Guidelines, etc. www.strongkey.org - Open Source SKMS implementation www.strongkey.org www.issa.org - Article on SKMS in February 2007 issue of ISSA Journal www.issa.org www.oasis-open.org

Download ppt "Enterprise Key Management Infrastructure (EKMI) Arshad Noor, Chair, EKMI TC OASIS IDtrust Workshop Barcelona, Spain October."

Similar presentations

Database Security Policies and Procedures and Implementation for the Disaster Management Communication System Presented By: Radostina Georgieva Master.

Database Security Policies and Procedures and Implementation for the Disaster Management Communication System Presented By: Radostina Georgieva Master.
Introduction to z/OS Security Lesson 4: There’s more to it than RACF

Introduction to z/OS Security Lesson 4: There’s more to it than RACF
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
The OASIS IDtrust (I M The OASIS IDtrust (Identity and Trusted Infrastructure ) Member Section For more information please see:

The OASIS IDtrust (I M The OASIS IDtrust (Identity and Trusted Infrastructure ) Member Section For more information please see:
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.

Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.
Enterprise Key Management Infrastructures: Understanding them before auditing them Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EKMI-TC.

Enterprise Key Management Infrastructures: Understanding them before auditing them Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EKMI-TC.
Figure 1: SDR / MExE Download Framework SDR Framework Network Server Gateway MExE Download + Verification Using MExE Repository (Java sandbox) MExE Applet.

Figure 1: SDR / MExE Download Framework SDR Framework Network Server Gateway MExE Download + Verification Using MExE Repository (Java sandbox) MExE Applet.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Enterprise Key Management Infrastructure (EKMI) Arshad Noor CTO, StrongAuth, Inc. Chair, EKMI TC – OASIS

Enterprise Key Management Infrastructure (EKMI) Arshad Noor CTO, StrongAuth, Inc. Chair, EKMI TC – OASIS
Enterprise Key Management Infrastructure: Understanding them before auditing them Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EKMI-TC.

Enterprise Key Management Infrastructure: Understanding them before auditing them Arshad Noor CTO, StrongAuth, Inc. Chair, OASIS EKMI-TC.
Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.

Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Copyright © 2015 Pearson Education, Inc. Confidentiality and Privacy Controls Chapter 9 9-1.

Copyright © 2015 Pearson Education, Inc. Confidentiality and Privacy Controls Chapter
Public Key Infrastructure from the Most Trusted Name in e-Security.

Public Key Infrastructure from the Most Trusted Name in e-Security.
A Robust Health Data Infrastructure P. Jon White, MD Director, Health IT Agency for Healthcare Research and Quality 2014-06-10.

A Robust Health Data Infrastructure P. Jon White, MD Director, Health IT Agency for Healthcare Research and Quality
JVM Tehnologic Company profile & core business Founded: February 1992; –Core business: design and implementation of large software applications mainly.

JVM Tehnologic Company profile & core business Founded: February 1992; –Core business: design and implementation of large software applications mainly.
Clinic Security and Policy Enforcement in Windows Server 2008.

Clinic Security and Policy Enforcement in Windows Server 2008.
Enterprise Privacy Architectures Leveraging Encryption to Keep Data Private Karim Toubba VP of Product Management Ingrian Networks.

Enterprise Privacy Architectures Leveraging Encryption to Keep Data Private Karim Toubba VP of Product Management Ingrian Networks.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.

E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.

Similar presentations

Ads by Google