
Metro Midrange Systems Association

September 18, 2008


Introduction to encryption and data security

1
Data security

- Why we should protect sensitive information
- What information do we need to protect
- How do we go about securing it
- What is encryption and how is it used

2
Why should we protect sensitive information?

- Regulations require it (PCI, HIPAA, GLBA, Privacy notification)
- Penalties are severe for not protecting it (PCI, Privacy notification)
- Stakeholders want to protect their investments (Sarbanes-Oxley)
- Customers expect it

3
Regulations
- Payment Card Industry (PCI)
- Privacy Notification (state laws requiring notification of data loss)
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm Leach Bliley Act (GLBA)
- Sarbanes-Oxley (SOX)
- … and more

4
The regulatory environment is evolving to include broader definitions of sensitive data, larger penalties for non-compliance, and more specific requirements for data security.

Expect new federal regulations, stronger PCI requirements, and more stringent state laws on privacy notification.

5
What information do we need to protect?

- Credit card information for PCI data security
- Personally identifiable information (PII) for Privacy Notification and other regulations

6
• Personally Identifiable
Information or PII
– First Name
– Last Name
– Former Name
– Maiden Name
– Address
– Birth date
– Driver’s license number
– Health insurance number
– Checking account number
– PIN codes
– And a lot more!

7
Credit card information

- Credit card number (encrypt or hash)
- Track 1 and Track 2 data (do not store)
- CVV, CVV2, CID security code (do not store)
- Account name (encrypt or hash)

8
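The slide gives two options for the card number, encrypt or hash. The following Go program is an added example (not part of the deck or of any vendor product) showing what the "hash" option looks like when done carefully: the number is normalized, checked with the Luhn digit test, and hashed with a keyed hash (HMAC-SHA256) rather than a plain hash, because an unkeyed hash of a 13-19 digit number can be reversed simply by hashing every plausible number. A masking function shows the form reports and screens should display. The key, function names and sample inputs are constructed for the example; note that the slide's illustrative number "4882 6332 1452 6890" does not pass the Luhn check, so the program uses the standard test number 4111 1111 1111 1111 for a valid case.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// normalizePAN strips the spaces used in displayed card numbers and
// rejects anything that is not 13-19 digits.
func normalizePAN(raw string) (string, error) {
	pan := strings.ReplaceAll(raw, " ", "")
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("PAN must be 13-19 digits")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return "", errors.New("PAN must contain digits only")
		}
	}
	return pan, nil
}

// luhnValid applies the Luhn check-digit test so obviously mistyped
// numbers are never stored in any form.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// panToken is the slide's "hash" option done as a keyed hash. The key must
// be protected exactly like an encryption key (see the key management slides).
func panToken(key []byte, raw string) (string, error) {
	pan, err := normalizePAN(raw)
	if err != nil {
		return "", err
	}
	if !luhnValid(pan) {
		return "", errors.New("PAN fails Luhn check")
	}
	m := hmac.New(sha256.New, key)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil)), nil
}

// maskPAN is what reports and screens should show instead of the number.
func maskPAN(raw string) (string, error) {
	pan, err := normalizePAN(raw)
	if err != nil {
		return "", err
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:], nil
}

func main() {
	key := []byte("constructed-demo-token-key") // in practice fetched from key management
	tok, err := panToken(key, "4111 1111 1111 1111") // standard test number, Luhn-valid
	fmt.Println("token:", tok, err)
	_, err = panToken(key, "4882 6332 1452 6890") // the slide's sample; fails Luhn
	fmt.Println("slide sample:", err)
	masked, _ := maskPAN("4882 6332 1452 6890")
	fmt.Println("masked for display:", masked)
}
```

The token is deterministic for a given key, so it can still be used to match records for the same card, which is the usual reason for hashing rather than encrypting; if the key is rotated, all tokens change.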
Personally identifiable information

Take a very broad view of what constitutes PII: any and all information that, used alone or combined with other information that you may not have, can be used to verify the identity of an individual.

9
- Name, former name, maiden name, mother’s maiden name
- Address, city, state, zip code
- Social security number
- Credit card, debit card, checking account, health insurance number
- Driver’s license, identity card, military ID
- Home phone number, work number
- Favorite pet’s name
- PIN codes, passwords, prompts
- eBay and PayPal account numbers

10
Data security is disruptive technology.

We need to re-think how we design databases and application systems, how we process and store information, and how we monitor access to information.

Prepare executive management for the work ahead.

11
How do we go about securing credit card and PII?
- Don’t panic
- Start with an assessment
- Avoid point solutions
- Data moves across platforms
- Data crosses Enterprise boundaries
- Remove sensitive data where possible
- Develop good data security partners
12
Start with an assessment

- A formal assessment will be required to pass an audit.
- A formal assessment is a necessary input to data security project plans.
- Use self-assessment software and guides to start.
- Engage application and data security partners.
- An assessment will help you with future rounds of data security requirements.

13
Where does sensitive data live?
- Database and flat files
- IFS / QNTC / NFS files
- Backup tapes
- Save files
- On the network
- In the air (WiFi)
- Reports
- Program memory
- Laptops
- PDAs, cell phones, thumb drives

14
Components of an assessment

- Locate and document sensitive data.
- Identify all internal servers and applications that use and store sensitive data.
- Document data flows inside the organization.
- Document data flows to and from vendors, customers, and employees.
- Identify compliance monitoring and reporting points.

15
Avoid point solutions
(Diagram: separate point solutions for Tape, Call Center, CRM, Laptop & PC, and Query and BI.)

16
Point solutions:

- Do not solve the problem of securing data at rest or in motion.
- By themselves will not solve the regulatory requirements.
- May make the overall implementation more complex.
- However: point solutions can provide immediate relief for specific problems.

17
Data flows inside the Enterprise

18
Data flows to vendors, customers, employees
(Diagram: data flows between the Enterprise and Banks, Employees, Customers, Service Providers, and Partners.)

19
Engage with software vendors

- Contact your software vendors to discuss PCI, Privacy Notification, etc.
- Get a statement of strategic direction and planned release dates.
- Understand their approach to encryption – does it meet basic criteria for strong encryption?
- Your management should engage with software vendor management to convey the importance of the requirements.
20
Remove sensitive data where possible

- If sensitive data is not needed in a file, remove it.
- Review reports for unnecessary information and remove it.
- Review data transfers and terminate when not needed.
- Review query and business intelligence tools to remove sensitive data.

21
Purge historical data

When historical data is no longer needed, purge it from the system.

22
What is encryption and how is it used?

Encryption is the process of obscuring information to make it unreadable without special knowledge.
--- Wikipedia

In practice, encryption refers to well-established public algorithms that have undergone, and continue to undergo, extensive review by cryptography and data security specialists, and which meet certain accepted criteria.

23
(Diagram: AES shown at the center with four numbered elements around it.)

24
Symmetric and Asymmetric encryption

Symmetric encryption uses one shared secret (an encryption key) that is shared between two parties.

Asymmetric encryption uses two different, but related, encryption keys – one for encryption and one for decryption. This is sometimes called public/private key encryption.

25
Symmetric encryption for field security

Generally, symmetric key encryption is used for field level security in database systems because it is much more efficient.
Asymmetric encryption may be used to fetch a symmetric key but is almost never used for data encryption tasks.

(We’ll concentrate on symmetric encryption because it is at the core of data security.)
26
Asymmetric encryption for securing end point connections
Asymmetric encryption is most commonly used to secure physically separate end points. Examples include:
- Web browser and web server (HTTPS)
- VPN client and server
- Secure FTP (SSL encrypted connection)
Often symmetric and asymmetric functions are combined to provide end point security and efficient encryption.
27
Symmetric encryption for data

Before (record in the clear):
Cust Name: ABC Cons
Cust Num: 499513
Prod Num: 212 Qty: 3
Visa 4882 6332 1452 6890

-> Encrypt (field level encryption) ->

After (card number field encrypted):
Cust Name: ABC Cons
Cust Num: 499513
Prod Num: 212 Qty: 3
F2500C015G06518

Securing data at its source is the core competency for data security compliance.

28
Symmetric decryption for data

Before (record with the card number field encrypted):
Cust Name: ABC Cons
Cust Num: 499513
Prod Num: 212 Qty: 3
F2500C015G06518

-> Decrypt (field level decryption) ->

After (record in the clear):
Cust Name: ABC Cons
Cust Num: 499513
Prod Num: 212 Qty: 3
Visa 4882 6332 1452 6890

Securing data at its source is the core competency for data security compliance.

29
Which symmetric algorithm to use?

Advanced Encryption Standard (AES) is the accepted standard of the National Institute of Standards and Technology (NIST). It undergoes regular review by cryptographers and data security specialists, and provides a mechanism for independent certification.
See FIPS-197 for technical documentation.

www.nist.gov

30
Modes of encryption
AES encryption always involves some data to be
encrypted, an encryption key, and possibly an
initialization vector. The five NIST-approved modes
of encryption provide different ways of using these
elements. The modes of encryption are:
- ECB – Electronic code book
- CBC – Cipher block chaining
- CTR – Counter
- OFB – Output feedback
- CFB – Cipher feedback

31
Why modes of encryption matter
Some modes of encryption add extra randomness
to the encryption process. With these modes you
can encrypt the same credit card number with the
same key, but you will get different results. This is
very important in database applications where
fields may be small or predictable, and exist in
many records.
- CBC, CTR and other modes are appropriate for securing fields in database files.
- ECB is not appropriate because it lacks this randomness.
32
What are encryption keys?

Encryption keys are the secret part of encryption.

The most commonly used key sizes:
- 128-bit (16 bytes)
- 192-bit (24 bytes)
- 256-bit (32 bytes)
The larger the key the more secure the encrypted information, and the more processing is used during encryption.

33
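The two preceding slides make a claim that is easy to demonstrate: with ECB, the same card number under the same key always produces the same ciphertext, so anyone who can read the table can tell which records share a card; with CBC and a fresh initialization vector per record, the same value encrypts differently each time. The Go program below is an added example written for this page (not code from the deck or from any vendor); it uses only the Go standard library's AES, applies PKCS#7 padding so fields of any length work, and stores the IV in front of the ciphertext so it can be recovered at decryption time. The 0x42-filled key is a constructed demo value standing in for a key fetched from key management, and the key-size check in `aes.NewCipher` is what enforces the 16/24/32-byte sizes listed on the key slide. One caveat the slide does not state: CTR mode gives the same benefit only if the counter/nonce is never reused under a key, and none of these five modes detect modification of the ciphertext, which is a separate requirement.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// pkcs7Pad pads data to a multiple of blockSize so that fields shorter or
// longer than one 16-byte AES block can be encrypted.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad reverses pkcs7Pad and rejects malformed padding.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("invalid padding byte")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return data[:len(data)-n], nil
}

// encryptECB encrypts each block independently: same key and same field
// value always give the same ciphertext, which is why ECB is unsuitable
// for database fields.
func encryptECB(key, field []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // accepts only 16, 24 or 32 byte keys
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(field, aes.BlockSize)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out, nil
}

// encryptCBC prefixes a fresh random IV to the ciphertext; the IV is what
// makes two encryptions of the same card number differ.
func encryptCBC(key, field []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(field, aes.BlockSize)
	out := make([]byte, aes.BlockSize+len(padded))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// decryptCBC reads the IV back from the front of the stored value.
func decryptCBC(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or not block aligned")
	}
	iv, body := ct[:aes.BlockSize], ct[aes.BlockSize:]
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	return pkcs7Unpad(plain, aes.BlockSize)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed 256-bit demo key; never hard-code a real one
	pan := []byte("4882633214526890")    // the slide's card number, digits only

	e1, _ := encryptECB(key, pan)
	e2, _ := encryptECB(key, pan)
	fmt.Printf("ECB: two records with the same card look identical: %v\n", bytes.Equal(e1, e2))

	c1, _ := encryptCBC(key, pan)
	c2, _ := encryptCBC(key, pan)
	fmt.Printf("CBC: two records with the same card look identical: %v\n", bytes.Equal(c1, c2))
	back, _ := decryptCBC(key, c1)
	fmt.Printf("CBC round trip: %s\n", back)
}
```

Storing the IV with each record is the usual design for field encryption: it is not secret, only required to be unpredictable and different per encryption, and keeping it with the ciphertext avoids a second lookup at decryption time.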
Key management strategies:

- Store in source code (very bad)
- Store in files without encryption (still bad)
- Store in Key Management facility on same system (better)
- Store in external key management facility (better still)
- Store in external key management facility with FIPS-140 certification (best)

34
How are encryption keys managed?

Because encryption keys are the primary secret, special applications are used to protect the encryption key.

These are referred to as Key Management systems.

35
Key Management systems:

- Enforce Key Manager access rules.
- Create and destroy encryption keys.
- Securely store and retrieve keys.
- Escrow unused keys.
- Authenticate requests for keys.
- Provide a mechanism for retrieving keys.
- Provide compliance reporting on key use.

Often provide a level of physical separation between key use and key storage.
36
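To make the list on the previous slide concrete, here is an added Go example (written for this page, not a product of the deck's author or of any key management vendor) of the smallest thing that still behaves like a key management system: keys are generated inside the manager and referenced by name, an access rule says which application IDs may fetch each key, every request is authenticated and logged whether it succeeds or not, destroyed keys are wiped, and the log can be queried for denials as a compliance report. Everything is in one process for the sake of a runnable example; the slides' point is that the real manager sits on a separate system or FIPS 140 module, and that the application code never contains key material, only the key name. Names such as `card-pan-key`, `order-entry` and `query-tool` are constructed.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// AuditEvent is one record of the key-use compliance report.
type AuditEvent struct {
	When    time.Time
	AppID   string
	KeyName string
	Action  string // "create", "fetch" or "destroy"
	Allowed bool
}

type managedKey struct {
	material []byte
	allowed  map[string]bool // application IDs permitted to use this key
}

// KeyManager is a constructed in-process stand-in for a key management
// system; the real thing runs on a separate system or FIPS 140 module.
type KeyManager struct {
	keys  map[string]*managedKey
	audit []AuditEvent
}

func NewKeyManager() *KeyManager { return &KeyManager{keys: map[string]*managedKey{}} }

func (km *KeyManager) log(app, key, action string, ok bool) {
	km.audit = append(km.audit, AuditEvent{time.Now(), app, key, action, ok})
}

// CreateKey generates the key inside the manager (callers never supply it)
// and records which applications are allowed to use it.
func (km *KeyManager) CreateKey(name string, size int, admin string, apps ...string) error {
	if size != 16 && size != 24 && size != 32 {
		return errors.New("key size must be 16, 24 or 32 bytes (AES-128/192/256)")
	}
	if _, exists := km.keys[name]; exists {
		return errors.New("key already exists")
	}
	k := &managedKey{material: make([]byte, size), allowed: map[string]bool{}}
	if _, err := rand.Read(k.material); err != nil {
		return err
	}
	for _, a := range apps {
		k.allowed[a] = true
	}
	km.keys[name] = k
	km.log(admin, name, "create", true)
	return nil
}

// Fetch authenticates the request (by application ID here), enforces the
// access rule, and logs the outcome whether or not it was allowed.
func (km *KeyManager) Fetch(name, appID string) ([]byte, error) {
	k, ok := km.keys[name]
	if !ok || !k.allowed[appID] {
		km.log(appID, name, "fetch", false)
		return nil, errors.New("access denied")
	}
	km.log(appID, name, "fetch", true)
	return append([]byte(nil), k.material...), nil // a copy, so callers cannot alter the stored key
}

// DestroyKey wipes the material and removes the key; later fetches are denied.
func (km *KeyManager) DestroyKey(name, admin string) error {
	k, ok := km.keys[name]
	if !ok {
		return errors.New("no such key")
	}
	for i := range k.material {
		k.material[i] = 0
	}
	delete(km.keys, name)
	km.log(admin, name, "destroy", true)
	return nil
}

// Denials is the part of the compliance report an auditor asks for first.
func (km *KeyManager) Denials() []AuditEvent {
	var out []AuditEvent
	for _, e := range km.audit {
		if !e.Allowed {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	km := NewKeyManager()
	km.CreateKey("card-pan-key", 32, "keyadmin", "order-entry")
	if _, err := km.Fetch("card-pan-key", "order-entry"); err == nil {
		fmt.Println("order-entry obtained the key by name; nothing is embedded in its source")
	}
	if _, err := km.Fetch("card-pan-key", "query-tool"); err != nil {
		fmt.Println("query-tool:", err)
	}
	km.DestroyKey("card-pan-key", "keyadmin")
	fmt.Printf("%d denied request(s) in the audit trail\n", len(km.Denials()))
}
```

Authenticating by a bare application ID is the weakest part of this sketch; a deployed manager would authenticate the calling system with a certificate or similar credential before applying the access rule, and would store the audit trail where the requesting applications cannot edit it.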
Recommended practices
- Modularize data security code to allow future changes with minimal disruption.
- Use appropriate encryption algorithms and modes.
- Know the usage rules for encryption modes.
- Use appropriate key management and key distribution practices.
- Monitor and report inappropriate access to encryption keys and sensitive information.

37
Technology considerations
- Certifications are important – document the independent certifications and tests of your vendors and solutions.
- Plan for cross platform support – how will you encrypt in Windows and decrypt in i5/OS? Linux? UNIX? Mainframe?
- Use best programming practices with encryption – remove observability, initialize variables, optimize.
- Have a key management strategy – know where you are today and where you will be in the future.
38
Certifications
- AES Validation is a NIST-defined certification process for AES encryption. Normally applied to data security applications.
- FIPS-140-2 is a NIST-defined certification process for cryptographic modules. Normally applied to key management systems.
- ISO 17799 is a European standard for security practices. Covers security policies.
Certifications help ensure compatibility, manage loss investigations, and help limit legal liability.
39
Why certification is important
- Confidence: It is how you will know that encryption is being done the right way.
- Compatibility: It is how you will know that you can encrypt and decrypt across server, vendor, and customer boundaries.
- Risk management: It is how you will defend yourself in the event of a loss.
- IT investment protection: It is how you will avoid re-engineering applications.
40
Cross-platform issues
Computer manufacturers and software vendors use
incompatible and proprietary interfaces:
- Microsoft .NET and SQL Server
- Oracle database
- IBM DB2
- Java
- Sun Solaris
- Open SSL
Using a common cross-platform encryption library
will reduce data exposure and minimize
development resources.
41
Performance
Encryption will impact:

- CPU utilization
- Total job run times
- Interactive response time

Be sure to profile your applications and create Proof-Of-Concept tests. Ask your software vendor for performance information.
42
Compliance logging
- Log access to sensitive data
- Log user access and authentication denials
- Log application access denials
- Log database / field level access denials
- Log access to configurations (key management, user controls, system options)
System logs should be secure from modification or deletion.
43
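The last line of the slide, that logs must be secure from modification or deletion, is usually met by access controls on the log store, but a log can also be made tamper-evident so that an altered or removed record is detected at review time. The Go program below is an added example for this page (not from the deck) of a hash-chained audit log: each entry carries a keyed hash (HMAC-SHA256) over its sequence number, text and the previous entry's tag, so editing, reordering or deleting an entry in the middle breaks the chain. The four log lines are constructed to match the slide's categories; the key and function names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Entry is one compliance log record; Prev chains it to the record before.
type Entry struct {
	Seq  int
	Text string
	Prev string // tag of the previous entry ("" for the first)
	Tag  string // hex HMAC over Seq|Text|Prev
}

// AuditLog appends entries and can later verify that none was altered or
// removed from the middle. The key belongs to the log verifier, not to the
// systems that write entries.
type AuditLog struct {
	key     []byte
	entries []Entry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

func (l *AuditLog) tag(seq int, text, prev string) string {
	m := hmac.New(sha256.New, l.key)
	fmt.Fprintf(m, "%d|%s|%s", seq, text, prev)
	return hex.EncodeToString(m.Sum(nil))
}

// Append writes an entry whose tag covers the previous entry's tag.
func (l *AuditLog) Append(text string) Entry {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Tag
	}
	e := Entry{Seq: len(l.entries), Text: text, Prev: prev}
	e.Tag = l.tag(e.Seq, e.Text, e.Prev)
	l.entries = append(l.entries, e)
	return e
}

// Verify walks the chain and returns the index of the first entry that fails,
// or the entry count when the whole log is intact.
func Verify(key []byte, entries []Entry) (int, error) {
	l := &AuditLog{key: key}
	prev := ""
	for i, e := range entries {
		if e.Seq != i || e.Prev != prev {
			return i, errors.New("chain link broken (entry moved or removed)")
		}
		if !hmac.Equal([]byte(e.Tag), []byte(l.tag(e.Seq, e.Text, e.Prev))) {
			return i, errors.New("entry tag mismatch (entry modified)")
		}
		prev = e.Tag
	}
	return len(entries), nil
}

func main() {
	key := []byte("constructed-demo-log-key")
	auditLog := NewAuditLog(key)
	// constructed sample events matching the slide's categories
	for _, line := range []string{
		"user=jsmith action=login result=denied reason=bad_password",
		"user=jsmith app=ORDERS action=read field=CARDNUM result=allowed",
		"user=kbrown app=QRYTOOL action=read field=CARDNUM result=denied",
		"user=admin action=change_config item=key_management result=allowed",
	} {
		auditLog.Append(line)
	}
	if n, err := Verify(key, auditLog.entries); err == nil {
		fmt.Printf("intact log: %d entries verified\n", n)
	}
	// a copy in which the denied query-tool access has been rewritten as allowed
	modified := append([]Entry(nil), auditLog.entries...)
	modified[2].Text = strings.Replace(modified[2].Text, "denied", "allowed", 1)
	if at, err := Verify(key, modified); err != nil {
		fmt.Printf("detected at entry %d: %v\n", at, err)
	}
	// a copy with the second entry removed
	shortened := append(append([]Entry(nil), auditLog.entries[:1]...), auditLog.entries[2:]...)
	if at, err := Verify(key, shortened); err != nil {
		fmt.Printf("detected at entry %d: %v\n", at, err)
	}
}
```

The chain does not by itself detect removal of the most recent entries, since the log simply ends earlier; that gap is closed by periodically recording the latest tag somewhere the log writer cannot change (a separate system, or a printed daily report), which is also where the verification key should live.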
Securing data in motion

- Transfer data that is already encrypted.
- Use secure protocols like HTTPS, SSL FTP and SFTP.
- Use secure VPN networks.
- Use file encryption technology such as Pretty Good Privacy (PGP).

44
Pitfalls
- Thinking “It won’t happen to us”
- Bypassing assessment
- Not using standard encryption
- Not using certified software
- Not using the correct encryption mode
- Not using Key Management
- Not securing data in motion
- Not using cross-platform technologies
- Not implementing compliance monitoring
- Not securing query and BI tools

45
Thank you

Patrick Townsend
Patrick Townsend & Associates, Inc.
Email: patrick.townsend@patownsend.com
(800) 357-1019
www.patownsend.com

46
Notes:

47
