management – It’s like Icing without the cake
pdac-f03-encryption_without_key_management_-_its_like_icing_without_the_cake_final
pdac-f03-encryption_without_key_management_-_its_like_icing_without_the_cake_final
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
SESSION ID:<br />
PDAC-F03<br />
Encryption <strong>without</strong> key<br />
<strong>management</strong> <strong>–</strong> <strong>It’s</strong> <strong>like</strong> <strong>Icing</strong><br />
<strong>without</strong> <strong>the</strong> <strong>cake</strong><br />
Saikat Saha<br />
Sr. Principal Product Manager<br />
Database Security<br />
Oracle Corporation<br />
Tony Cox<br />
Director, Strategy & Alliances<br />
Cryptsoft<br />
#RSAC
<strong>Icing</strong> Without The Cake<br />
#RSAC<br />
Encryption and related security technologies<br />
Highly important, mandated and exciting!<br />
Key Management<br />
Absolutely critical, but boring.<br />
2
Agenda<br />
#RSAC<br />
Encryption - Core to Data Security<br />
Key Management Challenges and Regulations<br />
What is Key Management?<br />
KMIP Fundamental and Evolution (1.0, 1.1 & 1.2)<br />
KMIP Implementation and Interoperability<br />
KMIP Future (1.3, 1.4 & beyond)<br />
How to “Apply”?<br />
3
Encryption - Core to Data Security<br />
#RSAC
Encryption <strong>–</strong> <strong>the</strong> icing<br />
#RSAC
Encryption is Everywhere<br />
#RSAC<br />
Encryption is critical to data security<br />
- Data-at-rest<br />
- Data-in-transit<br />
Data-at-rest Encryption<br />
- Application encryption<br />
- Database encryption<br />
- File encryption<br />
- Disk/Storage encryption<br />
Encryption is mainstream now!<br />
6
Management Challenges: Proliferation<br />
#RSAC<br />
Primary Data Center<br />
Failover Data Center<br />
7
Key Management Challenges and Regulations<br />
#RSAC
#RSAC<br />
The Challenges of Key Management<br />
Management<br />
• Proliferation of encryption wallets and keys<br />
• Authorized sharing of keys<br />
• Key availability, retention, and recovery<br />
• Custody of keys and key storage files<br />
Regulations<br />
• Physical separation of keys from encrypted data<br />
• Periodic key rotations<br />
• Monitoring and auditing of keys<br />
• Long-term retention of keys and encrypted data<br />
9
Regulatory Drivers<br />
#RSAC<br />
PCI DSS v3.1<br />
April 2015<br />
3.5 Store cryptographic keys in a secure form (3.5.2), in <strong>the</strong> fewest<br />
possible locations (3.5.3) and with access restricted to <strong>the</strong> fewest<br />
possible custodians (3.5.1)<br />
3.6 Verify that key-<strong>management</strong> procedures are implemented for<br />
periodic key changes (3.6.4)<br />
And more!<br />
10<br />
10
Regulatory Drivers contd…<br />
#RSAC<br />
HIPAA <strong>–</strong> The US Health Insurance Portability and Accountability<br />
act (HIPAA) of 1996<br />
HITECH <strong>–</strong> Health Information Technology for Economic and<br />
Clinical Health (HITECH) act<br />
164.312 (a)(2)(iv) 164.312 (e)(2)(ii) 164.312(e)(2)(i) 164.312(c)(2)<br />
Encryption and Decryption, Integrity, Mechanism to Au<strong>the</strong>nticate<br />
electronic health information<br />
164.312 (a)(2)(iv) 164.312 (e)(2)(i)<br />
Encryption and Decryption, Integrity Controls<br />
Effective Key <strong>management</strong> and protection must be demonstrated<br />
to support <strong>the</strong> encrypted state of data<br />
11<br />
11
Regulatory Drivers contd…<br />
#RSAC<br />
GDPR : Global Data Protection Regulation<br />
EEA : European Economic Area Controller<br />
ARTICLE 30: ENCRYPTION AND PSEUDONYMISATION<br />
The controller and <strong>the</strong> processor ... as appropriate: <strong>the</strong><br />
pseudonymisation and encryption of personal data<br />
ARTICLE 28: Each controller and, if any, <strong>the</strong> controller's representative,<br />
shall maintain a record of processing activities under its<br />
responsibility<br />
EEA 54a: Methods to restrict processing of personal data could include ...<br />
making <strong>the</strong> selected data unavailable to users or temporarily<br />
removing published data from a website<br />
12<br />
12
Encryption is <strong>the</strong> easy part<br />
#RSAC<br />
Security<br />
Surveillance<br />
Key Points<br />
• Encryption is easy, fast, ubiquitous<br />
• Encryption is inexpensive<br />
Encryption<br />
Deploying encryption solutions is easy<br />
Regulatory<br />
Legislative<br />
Encryption is now ubiquitous<br />
Encryption is in software<br />
Encryption is in hardware<br />
Encryption libraries are easily supported<br />
Encryption is cheap and easy to use<br />
Encryption is fast (AES-NI, line rate, encrypting HBAs, et.al)<br />
13
Key <strong>management</strong> is hard<br />
#RSAC<br />
Key Points<br />
• Key loss results in data loss<br />
• Key compromise results in data compromise<br />
Key <strong>management</strong> is critically important<br />
Key<br />
Management<br />
Problem<br />
Management costs are increasing<br />
Balancing security with accessibility is hard<br />
Encryption key usage and proliferation is growing<br />
Different keys have different usage requirements<br />
Management of encryption keys and seed records is technically difficult<br />
14
KMIP is <strong>the</strong> solution<br />
#RSAC<br />
Key Point<br />
What is <strong>the</strong> solution?<br />
• KMIP is <strong>the</strong> solution to your key<br />
<strong>management</strong> problem<br />
- Leave it to specialist security vendors<br />
- Use independent conformance testing programs<br />
- Avoid platform and technology lock-in<br />
Designed by <strong>the</strong> industry’s most experienced vendors<br />
Active on-going standards development / evolution<br />
- Externalise <strong>the</strong> problem from your domain Deployed in wide range of products from multiple vendors<br />
- Use open vendor neutral standards<br />
Successful transition from standard into products<br />
- Avoids vendor lock-in<br />
Open standard under open <strong>management</strong> (OASIS)<br />
Multiple independent interoperable implementations<br />
15
What is Key Management?<br />
#RSAC
Key Management - <strong>the</strong> <strong>cake</strong><br />
#RSAC<br />
Lifecycle <strong>management</strong><br />
Key storage<br />
Cryptographic services<br />
Standards compliance<br />
Attributes / Metadata<br />
Au<strong>the</strong>ntication<br />
Audit & reporting<br />
Policy<br />
17
What is Key Management?<br />
#RSAC<br />
Lifecycle <strong>management</strong><br />
Minimum operation set <strong>–</strong> Create,<br />
Register, Destroy, Rekey<br />
KMIP has a very rich set of<br />
operations (40+ operations)<br />
KMIP Specifies NIST 800-57 states<br />
and transitions<br />
18
What is Key Management?<br />
#RSAC<br />
Key storage<br />
Simple flat file<br />
Detailed register<br />
Secured (kek or keystore encryption)<br />
Offload (HSM/EKM)<br />
19
What is Key Management?<br />
#RSAC<br />
Attributes / Metadata<br />
KMIP allows for an almost unlimited<br />
number of attributes per key<br />
(object)<br />
Multiple attribute types<br />
Custom attribute types (usually best avoided)<br />
20
What is Key Management?<br />
#RSAC<br />
Au<strong>the</strong>ntication<br />
User access<br />
Device access<br />
Admin access<br />
KMIP Clients<br />
21
What is Key Management?<br />
#RSAC<br />
Cryptographic Services<br />
Provide a richer set of functionality<br />
KMIP operations include:<br />
Encrypt & Decrypt<br />
Sign & Verify<br />
Hash, MAC & MAC verify<br />
Supplement or replace HSMs<br />
22
What is Key Management?<br />
#RSAC<br />
Audit & Reporting<br />
Used to answer a range of questions:<br />
How many keys?<br />
Of what type?<br />
Used for what?<br />
Used how often?<br />
Used by who/what?<br />
Forms <strong>the</strong> basis of compliance reporting<br />
23
What is Key Management?<br />
#RSAC<br />
Policy<br />
Authorisation<br />
Scheduling<br />
Compliance enforcement<br />
24
What is Key Management?<br />
#RSAC<br />
Standards compliance<br />
Minimum standards (NIST etc)<br />
Ideal = KMIP<br />
Open standard under open <strong>management</strong> (OASIS)<br />
Active standards development / evolution<br />
Designed by <strong>the</strong> industry’s most experienced vendors<br />
Deployed in wide range of products from multiple<br />
vendors<br />
25
KMIP Background and Evolution<br />
#RSAC
KMIP Request / Response Model<br />
#RSAC<br />
Enterprise Key<br />
Manager<br />
Response<br />
Header<br />
Symmetric Key<br />
Unique<br />
Identifier<br />
Key<br />
Value<br />
Request<br />
Header<br />
Get<br />
Unique<br />
Identifier<br />
Name: XYZ<br />
SSN: 1234567890<br />
Acct No: 45YT-658<br />
Status: Gold<br />
Unencrypted data<br />
Encrypting Storage<br />
@!$%!%!%!%%^&<br />
*&^%$#&%$#$%*!^<br />
@*%$*^^^^%$@*)<br />
%#*@(*$%%%%#@<br />
Encrypted data<br />
Host<br />
27
Au<strong>the</strong>ntication<br />
#RSAC<br />
Au<strong>the</strong>ntication is external to <strong>the</strong> protocol<br />
All servers should support at least<br />
TLS V1.0<br />
Au<strong>the</strong>ntication message field contains <strong>the</strong> Credential Base<br />
Object<br />
Client or server certificate in <strong>the</strong> case of TLS<br />
Host<br />
SSL/TLS<br />
Enterprise Key Manager<br />
@!$%!%!%!%%^&<br />
*&^%$#&%$#$%*!^<br />
@*%$*^^^^%$@*)<br />
%#*@(*$%%%%#@<br />
Identity<br />
certificate<br />
@!$%!%!%!%%^&<br />
*&^%$#&%$#$%*!^<br />
@*%$*^^^^%$@*)<br />
%#*@(*$%%%%#@<br />
Identity<br />
certificate<br />
28
KMIP Fundamentals<br />
#RSAC<br />
29
KMIP Fundamentals<br />
#RSAC<br />
Message Encoding<br />
Binary Tag-Type-Length-Value format<br />
Optional JSON and XML encoding in<br />
KMIP 1.2 30
KMIP Specification Development<br />
#RSAC<br />
OASIS KMIP 1.0 <strong>–</strong> Oct 2010<br />
Full NIST life-cycle support<br />
Symmetric, PublicKey, PrivateKey,<br />
Certificate, SecretData, SplitKey, Opaque<br />
Small set of profiles<br />
OASIS KMIP 1.1 <strong>–</strong> Jan 2013<br />
DiscoverVersions, ReKeyKeyPair<br />
Fresh and Object Group Member<br />
QueryExtensionList, QueryExtensionMap<br />
OASIS KMIP 1.2 <strong>–</strong> May 2015<br />
PGP Key Object Type<br />
Alternative Name<br />
Cryptographic Services<br />
Attestation<br />
Create/Join SplitKeys<br />
External Key Handling (MDO)<br />
HTTPS transport<br />
JSON and XML encoding<br />
Profiles with test cases<br />
31
KMIP Progression<br />
#RSAC<br />
Specifications and Interoperability<br />
KMIP Interoperability Demonstration <strong>–</strong> RSA 2015<br />
Cryptsoft, Dell, HP, IBM, P6R, Fornetix, Thales, Vormetric<br />
KMIP Interoperability Demonstration <strong>–</strong> RSA 2014<br />
Cryptsoft, Dell, HP, IBM, P6R, Safenet, Thales, Vormetric<br />
KMIP Interoperability Demonstration <strong>–</strong> RSA 2013<br />
Cryptsoft, HP, IBM, Quintessence Labs, Townsend Security,<br />
Thales, Vormetric<br />
KMIP Interoperability Demonstration <strong>–</strong> RSA 2012<br />
Cryptsoft, IBM, NetApp, Quintessence Labs, Safenet, Thales<br />
KMIP Interoperability Demonstration <strong>–</strong> RSA 2011<br />
Cryptsoft, Emulex, HDD, HP, IBM, RSA/EMC, Safenet<br />
• KMIP v1.1 OASIS Specification<br />
• KMIP v1.2 Committee Draft<br />
2012<br />
• KMIP v1.2 Scope Agreed<br />
2010<br />
• KMIP v1.0 OASIS Specification<br />
2009<br />
• SKMP renamed Key Management Interoperability Protocol (KMIP)<br />
• Moves to OASIS as <strong>the</strong> KMIP Technical Committee<br />
2007<br />
• Standard Key Management Protocol (SKMP) specification formed<br />
Time<br />
2013<br />
2014<br />
2015<br />
Key Points<br />
• Mature open standard<br />
• Continuous development<br />
• KMIP Technical Committee Face-to-Face<br />
• KMIP v1.2 OASIS Specification<br />
• KMIP Technical Committee Face-to-Face<br />
• KMIP v1.3 Committee Draft<br />
2011<br />
• KMIP v1.1 OASIS Specification Final Committee Draft<br />
32
KMIP Implementation and Interoperability<br />
#RSAC
KMIP Market Adoption<br />
#RSAC<br />
35<br />
KMIP Adoption by Market<br />
Discreet KMIP Implementations<br />
30<br />
25<br />
20<br />
15<br />
10<br />
5<br />
Storage<br />
Security & Infrastructure<br />
Cloud<br />
0<br />
2H-10 1H-11 2H-11 1H-12 2H-12 1H-13 2H-13 1H-14 2H-14 1H-15 2H-15 1H-16<br />
34
KMIP Deployments<br />
#RSAC<br />
Storage<br />
• Disk Arrays, Flash Storage<br />
Arrays, NAS Appliances<br />
• Tape Libraries, Virtual Tape<br />
Libraries<br />
• Encrypting Switches<br />
• Storage Key Managers<br />
• Storage Controllers<br />
• Storage Operating Systems<br />
Infrastructure and<br />
Security<br />
• Key Managers<br />
• Hardware security<br />
modules<br />
• Encryption Gateways<br />
• Virtualization Managers<br />
• Virtual Storage Controllers<br />
• Network Computing<br />
Appliances<br />
Cloud<br />
• Key Managers<br />
• Compliance Platforms<br />
• Information Managers<br />
• Enterprise Gateways and<br />
Security<br />
• Enterprise Au<strong>the</strong>ntication<br />
• Endpoint Security<br />
35
KMIP Interop Testing<br />
#RSAC<br />
KMIP Servers<br />
KMIP Clients<br />
Interop Network<br />
36
KMIP Interop Testing 2016<br />
#RSAC<br />
900<br />
2016 KMIP Interoperability Test Results<br />
800<br />
700<br />
600<br />
Test Cases passed<br />
500<br />
400<br />
300<br />
200<br />
100<br />
0<br />
TTLV HTTPS JSON XML<br />
37
KMIP Interop Testing<br />
#RSAC<br />
25000<br />
Pre-RSA Conference KMIP Interop Test Runs<br />
20000<br />
Completed Test Runs<br />
15000<br />
10000<br />
Test Runs<br />
5000<br />
0<br />
RSA 2012 Tests RSA 2013 Tests RSA 2014 Tests RSA2015 Tests RSA2016 Tests<br />
38
KMIP Conformance<br />
#RSAC<br />
KMIP Conformance Testing program<br />
Run by Storage Networking Industry Association (SNIA) within <strong>the</strong><br />
Storage Security Industry Forum (SSIF) -<br />
http://www.snia.org/forums/ssif/kmip<br />
Program is gaining momentum with tests completed by:<br />
Cryptsoft (1 Server SDK, 1 Client SDK)<br />
HPE (1 Server, 1 tape library)<br />
IBM (1 server)<br />
More in <strong>the</strong> queue….<br />
39
KMIP Future<br />
#RSAC
KMIP 1.3<br />
#RSAC<br />
Adjustments to improve<br />
interoperability<br />
Deprecated Template Managed<br />
Object<br />
Deprecated Default Operation<br />
Policy<br />
Generic Transparent EC Key Types<br />
Query RNG/DRBG information<br />
RNG Attribute<br />
Query options for validation<br />
information (FIPS140,CC)<br />
Query options for profiles<br />
supported<br />
Cryptographic Services streaming<br />
support<br />
One-time Pad<br />
Locate Offset+Limit<br />
Automated client registration<br />
41
KMIP 1.4<br />
#RSAC<br />
Accepted<br />
PKCS#12 key format export<br />
option<br />
Query option for Server<br />
Batch Handling<br />
Batch Undo<br />
Batch Continue<br />
Under discussion<br />
PKCS#12 import<br />
General import/export<br />
Error handling<br />
Certificate Attributes<br />
Multiple CAs<br />
Request/Response Correlation<br />
Sensitive Attribute Handling<br />
42
How to “Apply”?<br />
#RSAC
Encryption and Key Management - Summary<br />
#RSAC<br />
Key Management<br />
Essential<br />
Boring<br />
Standardized<br />
Range of deployment options<br />
Well defined usage<br />
Widely supported industry standard<br />
Encryption and related security<br />
technologies<br />
Mandatory Requirement<br />
Exciting adjectives<br />
Many exciting form factors<br />
Well defined usage<br />
Solutions are widely available<br />
and varied<br />
Many solutions use proprietary<br />
key storage/<strong>management</strong><br />
44
Change language