• No results found

KEY MANAGEMENT: Truths and Consequences

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "KEY MANAGEMENT: Truths and Consequences"

Copied!
38
0
0

Loading.... (view fulltext now)

Download now ( 38 Page )

Full text

(1)

FOUNDATION SECURITY TECHNOLOGIES

TRUSTED2| EMBEDDED| INTEROPERABLE

01000011010100100101100101010000010101000101001101001111010001100

Date:07/2015

(2)

Copyright © 2015 Cryptsoft Pty Ltd

2

Abstract

KEY MANAGEMENT: Truths and Consequences

The imperative to encrypt data has driven the strong and sustained growth in the Enterprise Key Management market.

Gaining accurate knowledge and clear insight into this market is a significant challenge both for vendors and end-users. Publically accessible information is littered with half-truths, misdirection and creative marketing content. Failing to distil reality from fantasy will undermine your ability to make the critical decisions you need stay competitive.

This session will provide you with the inside information about what was, what is and what will be in the next 18 months of Enterprise Key Management."

(3)

Enterprise Key Management:

Truths: Where the encryption imperative came from

(4)

Copyright © 2015 Cryptsoft Pty Ltd

4

Human (ID10T) Errors

In

1990

, a laptop containing plans for the first Gulf War was stolen from the boot of a car in west London. The computer contained detailed information about how the military planned to remove Saddam

Hussein's forces from Kuwait.

In March

2000

a laptop was stolen from the Kent home of John Spellar, who as Armed Forces minister was responsible for Britain's nuclear secrets and the military’s role in Northern Ireland.

In December

2007

– only months after the HMRC fiasco – it emerged that the names, addresses and phone numbers of 3 million driving test

candidates were lost on a computer hard drive which went missing in the US.

This week (

2011

), it was announced that GCHQ, the government

eavesdropping centre, had tightened its security processes after losing hundreds of items of sensitive equipment worth £1million

(5)

Security Breaches

(6)

Copyright © 2015 Cryptsoft Pty Ltd

6

Surveillance

(7)

Legislation

(8)

Copyright © 2015 Cryptsoft Pty Ltd

8

Solution

(9)

Enterprise Key Management:

Truths: Opposing views

(10)

Copyright © 2015 Cryptsoft Pty Ltd

10

Opposing Views

Yes

Enterprise Key

Management is the

solution

No

Enterprise Key

Management is not

the solution

(11)

Opposing Views

Yes

We have Enterprise

Key Management

and are committed

to the solution

We have a solution

but we don’t want

you to know about it

No

Enterprise Key

Management is not

the solution

We don’t really have

a solution, but we’d

like to pretend that

we do

(12)

Copyright © 2015 Cryptsoft Pty Ltd

12

(13)

Enterprise Key Management:

Truths: Development of Enterprise Key Management

(14)

Copyright © 2015 Cryptsoft Pty Ltd

14

Encryption is easy

Deploying encryption solutions is easy

Encryption is now ubiquitous

Encryption is fast (AES-NI, line rate, encrypting HBAs, et.al)

Encryption libraries are easily supported Encryption is in hardware

Encryption is in software

Encryption is cheap and easy to use

In 1990, a laptop containing plans for the first Gulf War was stolen from the boot of a car in west London.

(15)

Key management is difficult

Encryption key usage and proliferation is growing Balancing security with accessibility is hard

Management costs are increasing

Different keys have different usage requirements

Key management is critically important

Management

Key

Problem

(16)

Copyright © 2015 Cryptsoft Pty Ltd

16

Enterprise Key Management is the solution

What is the solution?

Open standard under open management (OASIS)

Successful transition from standard into products

Designed by the industry’s most experienced vendors

Deployed in wide range of products from multiple vendors Active on-going standards development / evolution

Multiple independent interoperable implementations

Externalise the problem from your domain Use open vendor neutral standards

Leave it to specialist security vendors Use independent conformance testing programs

Avoid platform and technology lock-in

Avoids vendor lock-in

Enterprise Key

Management

Key

Management

Problem

(17)

Enterprise Key Management:

Truths: Status of the current market - Who, What Where?

(18)

Copyright © 2015 Cryptsoft Pty Ltd

18

Where is enterprise key management used?

Enterprise Key

Management

 Identification

 Mobile Devices

 Tape Libraries

 Disk Arrays

 Flash Arrays

 HSMs

 Virtual Devices

 Health Devices

 Satellite

 Automotive

(19)
(20)

Copyright © 2015 Cryptsoft Pty Ltd

20

(21)

Key Management – Embedded in major sector products

Security &

Infrastructure

 Key Managers

 Hardware security modules

 Encryption Gateways

 Virtualization Managers

 Virtual Storage Controllers

 Network Computing Appliances

Cloud

 Key Managers

 Compliance Platforms

 Information Managers

 Enterprise Gateways and Security

 Enterprise Authentication

 Endpoint Security

Storage

 Disk Arrays, Flash Storage Arrays, NAS Appliances

 Tape Libraries, Virtual Tape Libraries

 Encrypting Switches

 Storage Key Managers

 Storage Controllers

(22)

Copyright © 2015 Cryptsoft Pty Ltd

22

How is enterprise key management being used in storage?

Disk & Flash Arrays, NAS, Storage Operating Systems

 Vaulting master authentication key

 Cluster-wide sharing of configuration settings

 Specific Usage Limits checking (policy)

 FIPS 140-2 external key generation (create, retrieve)

 Multi-version key support during Rekey

 Backup and recover of device specific key sets

Tape Libraries, Virtual Tape Libraries

 External key generation (create, retrieve)

 FIPS 140-2 external key generation (create, retrieve)

 Multi-version key support during Rekey

(23)

Enterprise Key Management:

Truths: The future market

(24)

Copyright © 2015 Cryptsoft Pty Ltd

24

Generally Available and Known Implementations

P r o d u c t s

(25)
(26)

Copyright © 2015 Cryptsoft Pty Ltd

26

Enterprise Key Management:

Consequences: The future market

(27)

Product Development Cycle

Idea Proposal or Business Case Market Requirement Document Product Requirement and Technical Specification Finalising Launch and Market Planning Launch

(28)

Copyright © 2015 Cryptsoft Pty Ltd

28

(29)
(30)

Copyright © 2015 Cryptsoft Pty Ltd

30

What do the end users want?

Truths of the end-user

(31)

End-User Requirements

 Fully interoperable

 Cost effective

 Multi-vendor

 Best-of-breed

 Heterogeneous

 Simpler deployments

 Easier support burden

 Interoperability ‘just works’

 Re-use technology across product types

 Efficient and effective key management

 Has the support of leading vendors

 Open standard

 Standards body oversight

Cumulative

Benefits Strategic Benefits

Business Benefits Technical

Benefits  Enables consumer choice Reduces deployment costs

 Enables pricing competition

 Enables vendor comparisons

(32)

Copyright © 2015 Cryptsoft Pty Ltd

32

Choosing a Enterprise Key Manager Vendor

Truths and Consequences

(33)

KMIP – Linking Key Management Servers and Clients

Server A

Client

Server B Server C Server D Network

Vendor Protocol - A Vendor Protocol - B Vendor Protocol - C Vendor Protocol - D

Server A

Client

Server B Server C Server D Network

(34)

Copyright © 2015 Cryptsoft Pty Ltd

34

Choosing a Enterprise Key Manager Vendor

• Does the vendor participate in open key management standards?

• Does the vendor offer an open standard in their currently shipping servers?

• Does the vendor use the open standard in their key management clients?

• Which other security vendors support the open standard if it isn’t KMIP?

Vendor

Commitment to

Open Standards

• Is the vendor proprietary protocol documented?

• Have customers or other vendors independently implemented the protocol?

• How many variations or versions of the protocol exist and are they forward compatible?

• Which protocol versions are no longer supported?

Vendor Propriety

(35)

Choosing a Enterprise Key Manager Vendor

• Does the vendor provide an SDK for application integration?

• Which programming languages are supported: C, Java, C-Sharp, Other?

• For C SDKs, which platforms are supported?

• Is there support for standard Web integration?

• Is source for the SDK provided or able to be purchased?

Interoperability

• Does the vendor offer support for KMIP 1.0?

• When will KMIP 1.1 be supported?

• When will KMIP 1.2 be supported?

• Which KMIP profiles are supported?

• When is KMIP 1.3 support planned (in draft)

Key Management

Open Standards

Contenders

(36)

Copyright © 2015 Cryptsoft Pty Ltd

36

Choosing a Enterprise Key Manager Vendor

• For the specified standard which other vendors have tested interoperability?

• What functionality was covered by the interoperability testing?

• How was the interoperability testing performed?

• Has independent verification of the testing occurred?

• Can the testing reports be provided for verification?

• Can a customer easily repeat the claimed interoperability testing?

• Are interoperability servers internet accessible for testing?

• Are standard secure Web Proxies supported for navigation of gateways/firewalls?

Application

Integration

(37)

Consequences – Vendors are chosen or not

YES

Interoperate with

numerous leading vendors

Satisfy Customer Demand

NO

Don’t Interoperate with

numerous leading vendors

Don’t Satisfy Customer

Demand

(38)

Copyright © 2015 Cryptsoft Pty Ltd

38

KEY MANAGEMENT: Truths and Consequences

Any Questions?

01000011010100100101100101010000010101000101001101001111010001100

Cryptsoft Pty Ltd

[email protected]

References

Download now ( PDF - 38 Page - 1.31 MB )

Related documents

CCASE: SOL (MSHA) V. FMC DDATE: TTEXT:

The evidence: before the FMC electrician began to soder the lines on the 480 volt air conditioner he turned the electrical switch to "off." (Tr.. The air conditioner could

WINDOWS SPLUNK LOGGING CHEAT SHEET - Win 7 - Win2012

Monitor for Changes to Firewall Rules: Malware and hackers will often modify a firewall rule to allow access to some Windows service or application. These logs are not in the

The Continuous Performance Test (CPT) as an Assessment of. Voluntary Attention in Preschool Children at High Risk for Learning.

In Experiment I, we utilized this CPT to assess the development of voluntary attention in five-year-old preschool children, in addition to eight other diagnostic tests (such as

Annual Survey of Virginia Law: Antitrust and Trade Regulation Law

state law claim for tortious interference with economic relations possessed "'the same defects as those of the antitrust claims.' 43 Therefore, the Fourth

The European Court of Justice and direct taxation: a recent change of direction?

considered whether this legislation was in breach of the freedom to provide services according to Article 49 of the EC Treaty. In its decision, the Court divided the issue into

Fighting Non-Communicable Diseases in Kenya: Why Food Policy Remains Untried

Policy transfer is brought in with the third angle which seeks an understanding of external actors' effect on national policy, and the fourth angle utilizes Narrative Policy

Rock-magnetic properties of topsoils and urban dust from Morelia (>800,000 inhabitants), Mexico: Implications for anthropogenic pollution monitoring in Mexico’s medium size cities

We show that SIRM has a strong correlation with the metal content, for soil samples as well as urban dust, showing the different degrees of pollution according to the IRM