The Next Generation in Enterprise Security


Aug 7, 2012 (4 years and 8 months ago)


The Next Generation in Enterprise Security

Presented by William Tabor and Howard Hellman

(954) 970-9828

BillT@DataQuestTech.com

HowardH@DataQuestTech.com



Agenda


Problems with Clear Text Communication


Virtual Security Network (VSN)



Public/Private Key Infrastructure


Digital Rights Management


User Identification


Certificate Authority


Services

CASTLE TECHNOLOGY


Walls (Firewalls)


Draw Bridge (Tunnels)


Moats (DMZs)

HISTORY

The battle for Troy proved that this does not work


HISTORY

80% of all theft occurs from the inside

INTERNAL COMMUNICATION

Is data clear text?

INTERNAL COMMUNICATION

PROBLEMS WITH CLEAR TEXT COMMUNICATION




Instant messaging



Email



Accounting information


INTERNAL COMM


INSTANT MESSAGING

EXAMPLE #1


The CEO and personnel director of a medium-sized company were messaging
each other about potential layoffs.


This information exchange was detected by individuals within the IT department,
and news of the discussion spread through the enterprise unchecked, well before
any decisions could be made.




INTERNAL COMM


INSTANT MESSAGING

EXAMPLE #2


Two writers for a well-known daytime drama were messaging each other regarding
a significant plot change.


A tabloid reporter intercepted their conversation and printed his scoop.


The show subsequently dropped 15 ratings points. Each point translates into
advertising revenue of between $10 and $15 million.








INTERNAL COMM


EMAIL


EXAMPLE #3


A car manufacturer spent $240 million on researching and developing an
innovative, advanced engine design.


The company emailed the design to the production plant, but the email was intercepted
by a competing manufacturer.


The competitor promptly put the new engine design into production, beating the
developer to market without having to pay a single euro into R&D!


PKI

Public/Private Key Infrastructure

idTRUST


PKI INFRASTRUCTURE


WHY IS A PKI INFRASTRUCTURE NECESSARY?


Optional key generation


Validate initial identities



Issuance, renewal and termination of certificates



Certificate validation



Distribution of certificates



Secure archival and key recovery



Generation of signatures and timestamps



Establish and manage trust relationships

WHAT HAS BLOCKED PKI FROM GLOBAL USE?



Cost


PKI Integration with vertical application base



CA portability and interoperability


idTRUST


PKI INFRASTRUCTURE


PUBLIC/PRIVATE KEY GENERATION

LOCAL APPLICATION


ERP, CRM, SCM….


BROWSER


WebSphere Portal


Linux (PHP)


REMOTE SERVER COMMUNICATIONS


Generate a Public/Private Key Pair

WHY USE CRYPTOGRAPHY?

Cryptography can be applied to the following information categories:



Information at rest



Information in transit


Cryptography is used to enable information:



Privacy


information cannot be read



Integrity


information cannot be modified



Authentication


information proof of ownership



Non-repudiation


cannot deny involvement in transaction


ASYMMETRIC KEY CRYPTOGRAPHY

Different keys (secrets) are used for the encryption and decryption processes:

Encryption process: cleartext information + asymmetric key "public key" -> cipher -> ciphertext (e.g. J9%B 8^cBt)

Decryption process: ciphertext (J9%B 8^cBt) + asymmetric key "private key" -> cipher -> cleartext information

Asymmetric key cryptography is characterized by the use of two independent
but mathematically related keys

Digital Rights

Digital Rights Management

DIGITAL RIGHTS

WHAT IS DIGITAL RIGHTS?


Gives us the ability to . . .


Assign ownership to documents or data


Ensure that data has not been altered during transfer


Provide authentication
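The slides on why to use cryptography, on asymmetric key cryptography and on digital rights all describe the same four properties in the abstract. The following added example, which is not part of the original deck and not DataQuest's code, shows them working with textbook RSA: the two mathematically related keys are derived from constructed toy-size primes, encrypting with the public key and decrypting with the private key gives privacy, and signing a hash with the private key gives integrity, proof of ownership (authentication) and non-repudiation when checked with the public key. The per-byte encryption, the missing padding and the key sizes are illustration-only simplifications, and the names `generate_keypair`, `encrypt`, `decrypt`, `sign`, `verify` and `demo` are this example's own.

```python
"""Added example (not from the slide deck): textbook RSA demonstrating the
four properties the slides list. Toy-size constructed primes and no padding;
real deployments use 2048-bit+ keys with OAEP/PSS padding from a vetted library."""
import hashlib
from math import gcd

# Constructed toy primes (well-known primes, far too small for real use).
ALICE_PRIMES = (1000000007, 998244353)
BOB_PRIMES = (15485863, 104729)


def generate_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)): the public and private halves of one key pair.
    The two keys are independent values but related through phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message):
    """Privacy: anyone holding the public key can encrypt; only the private key decrypts.
    One RSA operation per byte because the toy modulus is small; real RSA
    encrypts a padded block (usually a symmetric session key)."""
    n, e = public_key
    return [pow(b, e, n) for b in message]


def decrypt(private_key, ciphertext):
    """Recover the cleartext bytes with the private key."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def _digest(message, n):
    """SHA-256 of the message, reduced modulo n so the toy modulus can hold it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Authentication / non-repudiation: only the private-key holder can produce this."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message, signature):
    """Integrity: any change to the message changes the digest and the check fails."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


def demo():
    """Walk through the four properties; returns each check as a named boolean."""
    alice_pub, alice_priv = generate_keypair(*ALICE_PRIMES)
    bob_pub, _bob_priv = generate_keypair(*BOB_PRIMES)
    memo = b"Potential layoffs: discuss in person only."  # constructed sample

    # Privacy: encrypted under Alice's public key, readable only with her private key.
    recovered = decrypt(alice_priv, encrypt(alice_pub, memo))

    # Alice signs; a tampered copy fails integrity; Bob's key cannot stand in for hers.
    sig = sign(alice_priv, memo)
    return {
        "privacy": recovered == memo,
        "authentication": verify(alice_pub, memo, sig),
        "integrity": not verify(alice_pub, memo + b" (approved)", sig),
        "non_repudiation": not verify(bob_pub, memo, sig),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dict in which all four checks are true. The point a practitioner should take from it is the asymmetry: the encryption and verification steps need only the public half, so the private half can stay on one device (the card described later in the deck) and never be shared.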


CURRENT METHOD



Username and password


Card and PIN


RSA Token


Biometrics


USER IDENTIFICATION

TOMORROW’S SECURITY TODAY



Secure user authentication


PKI


Application firewalls


Dynamic Tunnels


NEXT GENERATION SECURITY

PROVIDER OF SECURE SYSTEM SOLUTIONS



Public Key Infrastructure (PKI) Services


IdM Device


Dynamic Encryption Tunnel


DQT Application Firewall


Secure Tech


VPN and File Transfer


DATAQUEST TECHNOLOGIES’ SOLUTIONS

Virtual Security Network (VSN)


VIRTUAL SECURITY NETWORK (VSN)



Next Generation of VPN Technology


VSN comprises 4 components

(1) Application Firewall

(2) Dynamic Encryption Tunnel

(3) ID Trust Card


(4) Digital Certificate


Public and Private Key Pair

Application Firewall

DQT Application Firewall



Linux-based firewall using SELinux


Allows only authorized access to server


Can Exist in LPAR or P5 Partition


National Security Administration (NSA) Technology



Dynamic Encryption Tunnel Server


Provides communication layer through the Application
Firewall


Multiple Levels of Encryption Available


128, 256 and 3DES


Proprietary 2048-bit obscure algorithm


Multiple Tunnel Layers Available


Replace VPN or ride on Top of VPN


Can exist in LPAR or p5 Partition


Must have public/private key pair to access tunnel


Layers on top of any existing protocols (128-bit SSL, WEP)


Low CPU drain


Compresses MP4 Video/Data Streams

IDTRUST CARD™

ID TRUST CARD FEATURES & CHARACTERISTICS



Similar to a credit card-sized “Smart Card,” but also contains an on-card crypto processor


Maintains protected storage for public/private keys, digital certificates and digital
signatures to be used during authentication process


Executes cryptographic operations (verifies fingerprint)


Works in conjunction with card operating system (COS)


IDTRUST CARD™

HOW THE IDENTITY TRUST CARD WORKS



User enrolls in the biometric process; the card maintains an encrypted hash copy of the
user’s fingerprint in EEPROM



When the user wishes to authenticate him/herself, he/she simply places the correct
finger on the e-field sensor


The fingerprint is scanned, hashed and encrypted


The crypto processor compares the fingerprint sample to the stored value on the
external device


Neither the fingerprint hash nor the private key leaves the USB device


Card typically returns success or failure status to system
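The enrollment and authentication steps above are modelled in the following added example, a constructed simulation that is not DataQuest's card firmware. The card object keeps a salted hash of the enrolled template and the private key; the host sees only the public key, a success/failure status and a signature over a host-supplied challenge. Assumptions made here: the fingerprint template is treated as an exact byte string (real minutiae matching is a tolerance-based comparison that a plain hash cannot express), the private key is a toy RSA key from constructed primes, and the retry counter that locks the card after three failed samples is a typical smart-card control added for the example, not a feature the slide states. The class and function names are this example's own.

```python
"""Added example (constructed simulation, not the vendor's firmware): a crypto
card that matches a fingerprint template and signs a host challenge without
ever exporting the template hash or the private key."""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3  # assumed retry limit, typical for smart cards


class SimulatedCryptoCard:
    """Attributes prefixed with '_' model the card's EEPROM and never leave it."""

    def __init__(self, p=1000000007, q=998244353, e=65537):
        # Toy RSA key pair generated on-card from constructed primes.
        n = p * q
        self._d = pow(e, -1, (p - 1) * (q - 1))  # private exponent stays inside
        self.public_key = (n, e)                 # the only key material exported
        self._salt = os.urandom(16)              # per-card salt for the template hash
        self._template_hash = None               # set at enrollment
        self._failed = 0
        self.locked = False

    def enroll(self, template):
        """Store only a salted hash of the minutiae template (exact-match model)."""
        self._template_hash = hashlib.sha256(self._salt + template).digest()
        self._failed = 0
        self.locked = False

    def _sample_matches(self, sample):
        if self._template_hash is None:
            return False
        candidate = hashlib.sha256(self._salt + sample).digest()
        return hmac.compare_digest(candidate, self._template_hash)  # constant-time compare

    def authenticate(self, sample, challenge):
        """Return (status, signature). Only the status and a signature over the
        host's challenge cross the card boundary."""
        if self.locked or not self._sample_matches(sample):
            self._failed += 1
            if self._failed >= MAX_FAILED_ATTEMPTS:
                self.locked = True
            return False, None
        self._failed = 0
        n, _e = self.public_key
        digest = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n
        return True, pow(digest, self._d, n)


def host_verify(public_key, challenge, signature):
    """Host side: checks the signature with the public key only."""
    if signature is None:
        return False
    n, e = public_key
    expected = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n
    return pow(signature, e, n) == expected


def login_flow(card, sample):
    """One authentication round as the host sees it; returns True on success.
    A fresh random challenge per round means an old signature cannot be replayed."""
    challenge = os.urandom(32)
    ok, signature = card.authenticate(sample, challenge)
    return ok and host_verify(card.public_key, challenge, signature)


if __name__ == "__main__":
    card = SimulatedCryptoCard()
    card.enroll(b"constructed-minutiae-template-user-42")
    print("genuine:", login_flow(card, b"constructed-minutiae-template-user-42"))
    print("impostor:", login_flow(card, b"constructed-minutiae-template-other"))
```

The design point is the boundary: `authenticate` is the only entry point, it takes a sample and a challenge in, and returns a status and a signature out. Nothing the host receives lets it reconstruct the template hash or the private exponent, which is the property the slide claims for the physical card.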


CRYPTO-PROCESSING CHIP LAYOUT

(Diagram.) Contacts: VCC, Reset, Clock, GND, I/O

32-bit microprocessor (microcontroller)

RAM 2K bytes

ROM 32K+ bytes

EEPROM 64K+ bytes

Crypto accelerator (processor)

ISO 7816 family of smart/crypto card standards, i.e., power, clock & I/O bus

IDTRUST CARD™

CARD CUSTOMIZATION CAPABILITIES



Multiple processors (4,6,8, etc.)


Mix and match 8, 16 and 32 bit processors for focused tasks


Memory (inter-processor and processor specific)


Multiple custom data structure (application and processor)


Potentially contact-based and contactless cards


BIOMETRIC READERS


Optical Sensor


Low Resolution


Easily Fooled


Image Template


Capacitive Sensor


3D image


Fooled with a piece of wood and Silly Putty


E-Field Sensor


Fingerprint template is minutia based


Stored as a hash value

USER IDENTIFICATION



Crypto-processor card


Biometrics on card


ACLU friendly



DATAQUEST TECHNOLOGIES’ SOLUTIONS

USER IDENTIFICATION SUMMARY



Crypto-processor card


Biometrics on card


PKI data on card


DATAQUEST TECHNOLOGIES’ SOLUTIONS

PKI PRODUCT SUITE

idSAFE


A platform to ensure transport and management of data in transit (Secure VPN)


idVOTE


A product enabling Internet voting via secure voter authentication


idSEAL


A smart encryption tool enabling the user to encrypt and decrypt individual files

DATAQUEST TECHNOLOGIES’ SOLUTIONS

GOLD CA

Internal External Certificate Authority

INDUSTRY-SPECIFIC APPLICATIONS

(Diagram: trust center hierarchy.) Master Trust Centers at the top: the DataQuest Master Trust Center (Security Level 1, 2, 3) and a Third Party Master Trust Center; certificate interoperability between them depends on level of trust. Below them, organizational Trust Centers for industries such as Finance, Healthcare (medical records database) and small business, each operating at a subset of the security levels (Level 1; Level 1, 2; Level 1, 3; Level 3; Level 1, 2, 3). Below those, Trust Centers for departments, groups and geographic (regional) centers.
DATAQUEST TECHNOLOGIES’ SOLUTIONS

Works in P5 System

(Diagram: partitions on one p5 system connected through the hypervisor over virtual I/O paths.)

Firewall partition: Linux, Application Firewall, dynamically resizable, 1 CPU

Certificate Authority partition: 1 CPU

Application Server partition: AIX 5L, Tunnel Application, 6 CPUs

Virtual I/O server partition: Ethernet sharing, storage sharing, 1 CPU

SECURITY DOORS

PROFESSIONAL SERVICES


Public Key Infrastructure Planning and Implementation Services


Biometric smart card, trust center and PKI integration


Secure application design, development and implementation


Enterprise security services


Disaster Recovery Services


Linux Application Tuning on zSeries and pSeries


Enterprise Linux Deployment


Custom software and consulting services


Technical support (hotline and on-site)


Project management


Training and education


Security Inventory Service


Security Policies and Procedures Guide Development


Security Audit/Assessment Service


Security Vulnerability Service


Security Implementation Service


SECURITY SERVICES

SECURITY AUDIT SERVICE

TASK: REVIEW EXISTING CORPORATE SECURITY PRACTICES AS THEY PERTAIN TO . . .




Day-to-day enterprise computing:



Perimeter security (authentication, identity and authorization)



Information at rest



Information in transit (distributed computing, file transfer, etc.)



Business applications software and email usage



Mobile computing



Management security directives



Corporate security policy and procedure guidelines



Compliance with appropriate legislation



SECURITY AUDIT SERVICE

DELIVER DOCUMENTS DECLARING STATE OF EXISTING
SECURITY PREPAREDNESS



An inventory document defining the current state of enterprise security methods,
techniques, corporate compliance and usage



A document defining next steps in the overall process of defining a current
corporate security strategy and implementation plan:



Requirements analysis document



Security architecture document



Security products and implementation plan


EDUCATIONAL SERVICES (TECH TRAINING)


Modern Security Practices


Authentication/Perimeter Security


Trust Center and PKI Integration



Secure Distributed Architectures


Linux


AIX


VMS


Tru64


Wintel




Secure Middleware Integration



CORBA



DCE


Tivoli Identity Manager


Tivoli Access Manager



Programming Languages



C



Java/JavaScript



Perl


DATAQUEST TECHNOLOGIES’ SOLUTIONS

Questions?