Encryption In The Enterprise
Twin Cities Oracle User’s Group
Chris Olive, Sales Engineer – Vormetric, Inc.
www.Vormetric.com
Agenda
• Modern Encryption & Cryptography
• What Should Be Encrypted and Why
• Encryption in Enterprise Architecture
• Tokenization Versus Application Encryption
• Key Management
• Handling Oracle TDE
• The Vormetric Encryption Platform Solution
• Q&A
Modern Encryption & Cryptography
• Hashes/Hashing – Not encryption but used in cryptography
  - Computationally independent
• Symmetric Keys – Based on a secret key
  - Stream Ciphers: RC4, Fish, Pike, Rabbit, etc. (many others)
  - Block Ciphers: DES, 3DES, Blowfish, RC5, AES, IDEA, etc. (many others)
  - Primary focus here is on block ciphers; AES has the popular attention right now
• Asymmetric Keys – Based on key pairs
  - Examples: RSA, DSA, others
  - Most popular right now is RSA, based on PKCS#1
  - Generally used for short messages and key exchange
• Protocols using Asymmetric Keys: S/MIME, PGP, OpenPGP, SSL, TLS, Bitcoin, others
• Certificates – Metadata around a public key
• Data-In-Motion vs. Data-At-Rest
Strength of Algorithms
• For AES-128: 2^128 combinations of the key
  - Brute force of ½ of the key combinations (2^127) at 1,000,000,000 per second would take approximately 10,000,000,000,000,000 (quadtrillion) years
• For AES-256: 2^256 combinations of the key
  - Brute force of ½ of the key combinations is infinitely more than AES-128 (not enough space on this slide for the zeros!)
• There are known attacks that cut down on these numbers: Related Key, Known Key Distinguishing, Key Recovery, Tau Statistic, Side-Channel
• NIST (National Institute of Standards & Technology) approval should be sought
  - Some vendors use algorithms that aren’t NIST approved
What should be encrypted and why?
• Focus here is on Data-At-Rest (DAR)
• High motivation for Data-In-Motion to be always encrypted
  - Recent push for all Web sites to use SSL/TLS
  - Should be considered “inside” all organizations as well, not just on the perimeter
  - BUT! Causes issues with traffic and layer 7 inspection – a huge issue right now
• Two lines of thought around encryption of DAR:
  - Encrypt (only) sensitive data
  - Encrypt everything
• Encrypting “only sensitive data” has issues:
  - What defines “sensitive”? The definition tends to change and move over time.
  - What is actually “sensitive”? The actual sensitive data tends to change and move.
  - All of the above tends to be expensive, both in time and in money.
  - Meanwhile your data continues to grow/shift/move and remain exposed; you are constantly trying to hit a moving target.
Encrypt Everything
• The recommendation now is to encrypt everything. Why?
  - Easy to do now, whereas in the past it was much harder – all main obstacles (initial, on-going, transparency, keys) have been removed!
  - Commercial solutions now make encryption ubiquitous
  - Data is the real gold: it used to be that only financial payloads were considered valuable – now ALL data is valuable!
  - Data should be protected the moment it’s born – then it doesn’t have to be analyzed for sensitivity (since now ALL data has become sensitive)
  - The cost of data analysis and classification is reduced or evaporates altogether
“All data is valuable when married to the right economy”
Encryption In Enterprise Architecture
[Diagram: encryption layers ordered from the end point down to storage – Laptop (End Point/DLP), Web (SSL/TLS), App (App/Token), Database Server (DB), Storage (Storage/FDE) – plotted against the axes “Security” and “Complexity”.]
Tokenization Versus Encryption
• Tokenization & Encryption are related:
  - Tokens are essentially format preserving encryption (best vaultless)
  - Tokens are encrypted in commercial tokenization solutions (vaulted)
  - Typically used in PCI compliance scenarios where servers are “taken out of scope”
  - Commercial tokenization solutions tend to come with data masking capabilities
• Encryption used to be non-format preserving (non-FPE)
  - Generally leads to changes to database schemas, as encrypted values inflate and do not preserve format – SSN is a great example
  - Most commercial encryption products have, or are coming out with, FPE
• In tokenization, the same token is always returned; in encryption you don’t want this!
Sample Tokenization Versus Encryption
• Current commercial tokenization solutions usually come in two flavors:
  - Vaulted/Stateful: Tokens stored in a backend database and encrypted – more secure but not as performant
  - Vaultless/Stateless: Tokens stored in memory and encrypted – very performant but not as secure
• Home-grown tokenization solutions are all over the map.
Sample token table versus encryption:

SSN          Tokenized     Encrypted
123-45-6789  345-11-0011   iegh0caediemahNg
451-23-4561  565-04-2231   iec4Lai0AinooLoh
106-23-4560  452-09-3451   Ahv0quaaseoG8hua
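As an added example (not Vormetric’s code and not from the original deck), the Python below contrasts the two columns of that table: a vaulted tokenizer hands back the same format-preserving token every time an SSN repeats, while randomized encryption returns a different, inflated ciphertext on each call and can only be reversed with the key. The cipher is a counter-mode construction built from HMAC-SHA256 as a stand-in for AES, the vault is an in-memory dictionary, and the key is a constructed demo value.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo key so the example runs offline; real keys come from a key manager.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

class TokenVault:
    """Vaulted (stateful) tokenizer: one random, format-preserving token per SSN."""
    def __init__(self):
        self._ssn_to_token, self._token_to_ssn = {}, {}

    def tokenize(self, ssn: str) -> str:
        if ssn in self._ssn_to_token:            # same value always gets the same token
            return self._ssn_to_token[ssn]
        while True:                                # random digits, same ddd-dd-dddd shape
            d = "".join(str(secrets.randbelow(10)) for _ in range(9))
            token = f"{d[:3]}-{d[3:5]}-{d[5:]}"
            if token != ssn and token not in self._token_to_ssn:
                break
        self._ssn_to_token[ssn], self._token_to_ssn[token] = token, ssn
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_ssn[token]         # only the vault can map a token back

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream with HMAC-SHA256 as the PRF (demo stand-in for AES-CTR)
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"\x00" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: str) -> str:
    nonce = secrets.token_bytes(12)              # fresh nonce => different ciphertext each call
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, b"\x01" + nonce + ct, hashlib.sha256).digest()[:16]  # encrypt-then-MAC
    return base64.b64encode(nonce + ct + tag).decode()   # inflated and not SSN-shaped

def decrypt(key: bytes, blob: str) -> str:
    raw = base64.b64decode(blob)
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    expected = hmac.new(key, b"\x01" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()
```

Calling `tokenize` twice with one SSN returns an identical 11-character token, whereas calling `encrypt` twice returns two different base64 strings that both decrypt to the SSN; that is the schema-inflation and same-value behaviour the slides describe.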
Considerations: Tokenization & Application Encryption
• Full Data Analysis
  - Data Points: Do you know every data element – size, where, etc.?
  - Application Matrix: Do you know every application touching every one of those data elements?
  - Searching: Will it break searching, especially for encryption?
  - Software Architecture: Generally executed by software architect(s) with little to no security experience or know-how
• Time To Implement
  - Relative to a full, robust SDLC: unit, integration, customer, performance, QA and Production, usually governed by change management – PER APPLICATION
• Both are easier if done earlier in the SDLC or in a green field
Key Management
• Most point solutions have little or no key management
  - Great example: Encrypting a MacBook hard drive
• Without access to keys, your data is toast! This is the premise behind Ransomware, right?!
• Great Key Management needs to be:
  - Centralized
  - Easy to manage but still… SECURE!
• All types of keys: SSL/TLS, CAs, other generated keys, generally from symmetric or asymmetric algorithms – like OpenSSL, ssh-keygen, key appliance, etc.
TDE With Vormetric – Key Agents
• Vormetric DSM acts as Network HSM for Database Master Encryption Keys
• Vormetric Key Agent* is installed on the database server
[Diagram: the Oracle / Microsoft TDE Database holds the TDE Tablespace Encryption Key and the Encrypted Data Files; the Key Agent on the database server reaches the DSM over an SSL Network Connection, and the DSM holds the TDE Master Encryption Key.]
* PKCS-11 for Oracle and MSCAPI for MSSQL
Commercial Key Management
• Generally implement KMIP (Key Management Interoperability Protocol) – or should
• When deployed as hardware appliances, can also house HSMs (Hardware Security Modules)
  - Necessary for FIPS 140-2 and FIPS 140-3 compliance (gov’t)
  - Tamper-proof
• Capable of at least storing, reporting and alerting (expirations) on keys stored in the device
• Solutions in the industry vary in complexity and pricing
Questions & Answers
Vormetric Data Security
Simplifying Data Security for the Enterprise
John Murakami – Regional Sales Manager
Chris Olive – Sales Engineer
www.Vormetric.com
Vormetric Customers
• Founded 2001
• Customers include 17 of the Fortune 30
• Top names in Banking, Retail, Outsourcing, Manufacturing & Insurance
• Used by the US Government including US Intelligence Community
• IP Protection, Compliance, Client Data & Consumer Information Protection
• Recently acquired by Thales
Leverage Existing Investments
“Vormetric gives our customers best in class security controls needed for compliance, data breach protection and for safeguarding critical intellectual property through powerful data-at-rest encryption.” – Rod Hamlin, Vice President
Copyright 2015 Vormetric, Inc. – Proprietary and Confidential. All rights reserved.
One Platform – One Strategy: Data-at-rest security that follows your data
• Enterprise Data Centers: Physical, Virtual, Outsourced
• Private, Public, Hybrid Clouds
• Remote Servers
• Big Data: Sources, Nodes, Analytics
Vormetric Encryption Use Cases
• Database Encryption
  - Usage: Encrypt Tablespace, Log, and other DB files
  - Common Databases: Oracle, MSSQL, DB2, Sybase, Informix, MySQL…
• Unstructured Data Encryption
  - Usage: Encrypt and Control access to any type of data used by LUW server
  - Common Data Types: Logs, Reports, Images, ETL, Audio/Video Recordings, Documents, Big Data…
  - Examples: FileNet, Documentum, Nice, Hadoop, Home Grown, etc…
• Cloud Encryption
  - Usage: Encrypt and Control Access to data used by Cloud Instances
  - Common Cloud Providers: Amazon EC2, Rackspace, MS Azure
Vormetric Data Security Tools
• Data Encryption
  - Encrypts file system data transparently to Applications, Databases, Storage Infrastructure
  - Integrated Key Management
  - High Efficiency Encryption
• Access Control
  - Firewall-like access controls for data access
  - Separate data access from data management for systems privileged users (root, SA, etc…)
• Key Management
  - Key Management for Vormetric keys and 3rd Party Encryption Products
  - Provide Network HSM for other encryption solutions: PKCS#11 (Oracle 11gR2), EKM (MSSQL 2008 R2)
• Audit
  - Granular data access logging: Denied Access Events, Expected Access Events
Vormetric Transparent Encryption
• Protects structured/unstructured data
• Encryption with integrated key management
• Policy-based access control
• Security Intelligence
[Diagram: Privileged Users (Cloud Admin, Storage Admin, etc.) see only encrypted and controlled data (“*$^!@#)( -|”_}?$%-:>>”), while Approved Processes and Users – User, Application, Database – see Clear Text (“John Smith 401 Main Street”); the Vormetric Data Security Manager (DSM, a virtual or physical appliance) makes the Allow/Block and Encrypt/Decrypt decisions on the Server across File Systems, Volume Managers and Storage, for Big Data, Databases or Files; Vormetric Security Intelligence logs to SIEM.]
Transparent data protection for any app, OS, data type, and storage
Vormetric Application Encryption
• Encrypts specific fields or columns in files and databases
[Diagram: Privileged Users (root, user, DBA, SA) and Cloud Provider / Outsource Administrators see only ciphertext or records with encrypted fields (“Name: Jon Dough SS: if030jcl PO: Jan395-2014”), while Approved Users – User, Application, Database – see the clear text (“John Smith 401 Main Street”); the Vormetric Data Security Manager (DSM, a virtual or physical appliance on Enterprise premise or in cloud) makes the Allow/Block and Encrypt/Decrypt decisions across File Systems, Volume Managers and Storage, for Big Data, Databases or Files; Vormetric Security Intelligence logs to SIEM.]
Vormetric Application Encryption Workflow
[Diagram: a shopper at www.shopping.com sends a Credit Card# to the Web Server (1), which passes it to the Application Server (2); the Application calls the VAE Agent (3), which returns the Encrypted Credit Card# (4) that is then stored in the Database, Big Data or File Storage (5); the VAE Agent obtains its Encrypted Keys from the DSM, the Vormetric Data Security Manager (Key Management).]
Workflow:
1. User submits personal information to purchase items.
2. Web server sends personal information to application server.
3. Application calls into Vormetric Application Encryption (VAE) library to encrypt data. (NOTE: VAE obtains keys from the DSM only once)
4. VAE returns the value back to the application.
5. Application then stores the encrypted value in the database server.
Vormetric Tokenization w/ Dynamic Data Masking use case
[Diagram (steps 1–7): Customer Service and Accounts Payable users go through the App Servers, which send a Request to the Vormetric Token Server over a REST API; the Token Server uses the DSM for keys, an AD/LDAP Server for user lookup and a Token Vault holding ((CC)e, Token) Lookups, while the Database holds production data tokenized; the Response returns the Credit Card (1234-4567-6789-1234), a Token (0544-4124-4325-3490) or masked data (“Mask Data Sent”) to the requesting user.]
Vormetric Cloud Gateway – Encrypting and controlling SaaS data (Q2 2015)
[Diagram: Enterprise Personal Computers, Servers and (Future) Mobile Devices reach SaaS through the Vormetric Cloud Gateway, with the DSM providing Security Intelligence.]
Questions?