Cryptography As A Service

1 Cryptography As A Service
Barclays Crypto Application Gateway and Beyond
23rd May 2013
George French – Barclays
Dan Cvrcek – Smart Architects
Unrestricted distribution

2 Cryptography As A Service
[Architecture diagram; labels as extracted: Key Management Applications Application Cryptography Interface Audit Logging Authentication BCAG / CSG Service Vendor HSM interfaces Application Key Management Cryptography Policy Enforcement HSMs Operations and Audit]

Why Do Banks Use Cryptography
- Traditionally as a control to mitigate risk
  Legal Regulatory Scheme Governance Reputation Interoperability
- Recently Business Enabler for new tech
The real value is to reduce the burden on existing systems to “enable more to be done”

2 | Cryptography as a Service 23rd May 2013 Unrestricted distribution

3 Beginning … Cryptography and Business
Requirement: Solution lead time
- Encrypt data (... and decrypt possibly): day
- Secure key generation and management, recovery: months
- Decryption after 30 years, huge data collections (terabytes), multiple application support, integration: > year
- Support and recovery after incidents: Multiply by 2+

As surprising as it may sound, there are very few security products that would actually work and could be managed with a small operational team.
The main culprits:
- integration, scalability, reliability, support

4 Crypto Service Must Provide For …
Audit
- Cryptography is deployed as a control to mitigate a risk; it is therefore necessary to be able to demonstrate that the control is effective.
Cryptographic Management
- The problem with cryptography is the decryption process.
- NEVER GIVE DEVELOPERS OPTIONS WHEN ENCRYPTING DATA
Centralised Management
- Small teams even in multinational companies
- Monitoring of usage / capacity
- BAU operational tasks
- Security audits
- Information for business units

5 Problem Space for The Use of Cryptography
What we are trying to manage
Business
- Capturing Business Requirements
- Provision of a defined operational model
- Project/Bespoke development
- Testing

Why Do Banks Use Cryptography
- Traditionally as a control to mitigate risk
  Legal Regulatory Scheme Governance Reputation Interoperability
- Recently Business Enabler for new tech
The real value is to reduce the burden on existing systems to “enable more to be done”

6 Problem Space for The Use of Cryptography
What we are trying to manage
Business
- Capturing Business Requirements
- Provision of a defined service
- Risk Mitigation Bullet
Build
- Requires Specialised knowledge
- Meet requirements
- Internal governance and standards compliance
- Infrastructure build
- Change management
- “The usual suspects”
- Securely building data structures
- Data migration
- Secure clustering
- Access control
Applications
- Use of vendor APIs
- Lack of understanding in the use of cryptography
- Problem with support for key rollover and data migration.
- Implementation issues
- Threading API credentials
Hardware
- Vendor lock-in
- Bespoke development of processes and procedures that are specific to the vendor's products.
- Under-utilisation of hardware
- Due to the HA requirements of standard patterns and the requirement for application segregation based on the currently deployed HSM products.
- Cost

7 Problem Space for The Use of Cryptography
What we are trying to manage
Business
- Capturing Business Requirements.
- Provision of a defined service.
- Risk Mitigation Bullet
Build
- Requires Specialised knowledge
- Meet requirements
- Internal governance and standards compliance
- Infrastructure build
- Change management
Operation
- Hardware Utilisation
- Project model delivers variances
- Patch and Security Vulnerability Management
- Operation impact of outages
- “Non-functional” Requirements
- Management and support issues of device
- Location of HSMs
- HSMs are located in the Data Centres, access is restricted
- Manual intervention required
- Change configurations
- Key change (LMK)
- Collection of Diagnostic Information

8 Problem Space for The Use of Cryptography
What we are trying to manage
Business
- Capturing Business Requirements.
- Provision of a defined service.
- Risk Mitigation Bullet
Build
- Requires Specialised knowledge
- “The usual suspects”
- Internal governance and standards compliance
Operation
- Hardware Utilisation
- Project model delivers variances
- Patch and Security Vulnerability Management
- Operation impact of outages
Compliance
- Regulatory and scheme compliance
- Internal Audit
- Customer Due diligence

9 Problem Space for The Use of Cryptography
What we are trying to manage
Business
- Capturing Business Requirements.
- Provision of a defined service.
- Risk Mitigation Bullet
Build
- Requires Specialised knowledge
- “The usual suspects”
- Internal governance and standards compliance
Operation
- Hardware Utilisation
- Project model delivers variances
- Patch and Security Vulnerability Management
- Operation impact of outages
Compliance
- Regulatory and scheme compliance
- Internal Audit
- Customer Due diligence

... I know nothing short of impossible but here we go

10 BCAG Cryptographic Approach
Separating use from management and configuration
Use (business units):
- Request system authentication credentials (e.g., password);
- Do Crypto – e.g., Api.Encrypt("CC_Number", "ME", "Main_DB", <transaction>)
Management (BU and Crypto Operations):
- Policy – what business functions (e.g., encrypt credit card number), how many parties (DB, web app, middleware, …).
Technical (Crypto Operations):
- how many keys, algorithms, crypto modes, key lengths, key validity, and so on.

It is possible to provide cryptographic solutions by providing two of the points, e.g. an API and a cryptographic provider, or a crypto provider and key management.

The first implementations of hardware-based cryptography required bespoke vendor APIs to support applications. The next stage was the addition of simple key management functionality, which again was vendor specific. This is the situation that we find ourselves in today, with three separate key management systems that do not interoperate without manual key management operations taking place.

It is worth noting that a number of standards (de facto and from standards bodies) have been developed, but they deal with specific instances of cryptography, business sectors or products, e.g.
- PKCS#1 – 16: Various uses of RSA-based asymmetric cryptography, from RSA Labs
- X: Exchange and use of asymmetric keys, from ANSI
- MSCAPI: Cryptographic support for Microsoft applications, from Microsoft
- BSAFE: Cryptographic toolkits provider, from RSA
- Control Vectors: Key Management, from IBM
- LMK Variants: Key Management, from Thales
- ACL: Key Management, from nCipher
- GSS-API: API Framework, from IETF
- X9.24 pt1/2: Key Management (Banking), from ANSI

With any of the APIs described above there is the problem of vendor implementation and vendor lock-in, coupled with the reluctance of vendors to build solutions that support high levels of integration with other vendors' products and services.

This gives rise to the following issues:
- If we standardise on a specific vendor then either the bespoke APIs or key management implementations of the vendor will need to be integrated into applications.
- Change of vendor would require a change to applications.
- Reliant on sole provider

It is possible for applications to adopt certain standards (e.g. PKCS#11) to try to de-couple vendor-specific application API implementations. In the case of PKCS#11 this would decouple the application API, but there would still be a reliance on the vendor's implementation and key management solution. Also, the wholesale adoption of general encryption APIs such as PKCS#11 does not allow for the deployment of business-specific cryptographic mechanisms, i.e. for the banking sector PIN block translation, CVV generation etc.

In order to be vendor agnostic, a different approach to the provision of cryptography is required. To address this the HSM Farm was developed.

11 BCAG Business Approach
Pay for what you use
- Centralised use of resources (people, hardware, network, …)
- HSMs used “per operation”, not “per project”.
Commissioning of cryptographic system components by Crypto Operations
- skills; volume; and single place for deployment and management -> strategy.
Decoupling components (i.e., HSM) from applications
- Eliminate vendor lock-in; and
- Introduce service-based architecture with replaceable products.

12 What Does It Look Like – Architectural Blocks
[Diagram; labels as extracted:]
Business Crypto support (1st line)
Solution support (2nd line)
Product support (3rd line)

13 System Mechanics - Onboarding
Administrative process for enrolling new business application to BCAG
- Capture Business Requirements
  The most difficult part as the business does not usually have a structured description of cryptographic requirements
- Convert BR to policy specification
  Semi-automated process that generates a BCAG policy definition
- Amend BCAG access control with new “user” privileges
- Key generation and deployment (manual or semi-automatic process)
- Use.

14 Mechanics - Operation
And 3 pieces of information that have to align:
- Authentication details = username and password
- Policy = username and authorised operations and key locator data
- Crypto Key definitions = key value and key locator data

15 Doing Crypto - Key Lookup
Traditionally
- Key Label = Key Value
- You change a key value, you get a new key label
- The new key label has to be propagated to all applications using the old key
BCAG Approach
- Structured key locators: user, function, base_function, from, to
- Algorithm for locating keys
- Dynamic, as it does not use 1:1 mapping but lookup algorithm
- Efficient – 2 layers of caching of recently used keys
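
An added example, not taken from the presentation or from BCAG itself: a small Python model of how authentication details, policy and key definitions (slide 14) can be tied together through a structured locator, so that a key rollover needs no change in the calling application. It assumes that `from`/`to` name the communicating parties as in the `Api.Encrypt` call on slide 10, and that lookup prefers a key for the exact function, falls back to `base_function`, and picks the highest version; all names and data are constructed and the two caching layers are not modelled.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Locator:            # fields as named on the slide; "frm" stands in for "from"
    user: str
    function: str
    base_function: str
    frm: str
    to: str

class Denied(Exception):
    pass

# Constructed sample data: the three pieces of information that have to align.
CREDENTIALS = {"web_app": "constructed-password"}            # authentication details
POLICY = {                                                   # user -> operation -> locator
    "web_app": {"CC_Number": Locator("web_app", "CC_Number", "PAN", "ME", "Main_DB")},
}
KEYS = [                                                     # key locator data + key value
    {"function": "PAN", "frm": "ME", "to": "Main_DB", "version": 1, "value": b"\x01" * 16},
]

def locate_key(loc, keys):
    """Assumed lookup order: a key for the exact function, else one for
    base_function; among matches for the same parties the newest version wins."""
    for name in (loc.function, loc.base_function):
        hits = [k for k in keys
                if (k["function"], k["frm"], k["to"]) == (name, loc.frm, loc.to)]
        if hits:
            return max(hits, key=lambda k: k["version"])
    raise Denied("policy refers to a locator that has no key definition")

def resolve(user, password, operation, frm, to, keys=KEYS):
    """Checks a gateway makes before any crypto; returns (key function, version)."""
    expected = CREDENTIALS.get(user, "")
    if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
        raise Denied("authentication failed")
    loc = POLICY.get(user, {}).get(operation)
    if loc is None or (loc.frm, loc.to) != (frm, to):
        raise Denied("operation not authorised for this user and these parties")
    key = locate_key(loc, keys)
    return key["function"], key["version"]

# Key rollover: Crypto Operations add version 2; the application call is unchanged.
ROLLED = KEYS + [{"function": "PAN", "frm": "ME", "to": "Main_DB", "version": 2,
                  "value": b"\x02" * 16}]
print(resolve("web_app", "constructed-password", "CC_Number", "ME", "Main_DB"))
print(resolve("web_app", "constructed-password", "CC_Number", "ME", "Main_DB", ROLLED))
```

The application only ever names the operation and the parties; which key and which version are used is decided on the management side.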

16 Key Lookup – BCAG

17 Beyond
Large data processing; we talk about
- Daily encryption of giga and terabytes of data
- Protection of archives with 100,000s of DB tables
Composite cryptography
- Grouping cryptographic operations into transactions that require specific order of operations
- Breach of a transaction is a potential data compromise
Centralised key management
- Replacement of manual key loading to HSMs with an automatic process to minimise human errors and increase security

18 Beyond … banking
- Platform for mobile app cryptography
- Platform for financial services for future applications
- Providing API and system for banking transactions to developers without actually building a bank
- Being able to build own virtual Central Bank with a few button clicks
All this requires something like BCAG to:
- Access to payment schemes (VISA, MasterCard)
- Strong cryptographic system able to ensure pre-defined security properties (like cheating, counterfeiting … within the model of a virtual world)
- In some cases compliance with financial regulations

19 Thank you for your attention!

20 Security Policy – Two Abstractions
Use - Visible for Business Units
- Users just names, possibly with domain (e.g., LDAP)
- And authentication options (specs for tickets)
- User groups – just names
- Alias – just names for required crypto operations
Manage - Internal to Crypto Management
- Params – the technical bit, e.g.

[PARAMS CookieParams]
ManagedEncryption=false
Cipher=AES
KeySize=128
ModeOfOperation=CBC
IV=Random
Padding=NoPad

21 Doing Crypto - Key Lookup as You Know It