OAAIS Enterprise Information Security

1
EncryptionOAAIS Products and Services

• Sean J. Schluntz
• UCSF Enterprise Information Security
• March 12, 2008

2
Welcome

• People say you need to encrypt your data to keep
  it safe but there is a lot that isnt understood
• OAAIS is preparing to offer two encryption
  solutions to the Campus, but we need to tell you
  what problems those solutions actually solve
  and what they dont

3
What is Encryption?

• Encryption is the science of transforming
  intelligible information into unintelligible in a
  way that you can reverse
• On computers this is done with mathematical
  equations

4
There Are TwoTypes of Encryption

• Symmetric
• A single key is used to encrypt and decrypt the
  information
• Asymmetric
• A pair of keys are created
• A public key which can be used to encrypt data
• A private key which can be used to decrypt data

5
What DoesEncryption Do?

• Like a lock it prevents people without the proper
  key from accessing information
• How well it protects depends on the type of
  encryption and the quality of the key
• It also depends on the other measure you take to
  protect your information

6
What DoesntEncryption Do?

• It is not the magic end of all of your security
  problems
• It does not replace passwords
• It does not protect you from viruses, key loggers
  or malware that might damage, modify or copy your
  information

7
What Else DoesntEncryption Do?

• Most Importantly
• It does not guarantee information security

8
So Whats It Good For?

• In conjunction with standard practices
• Run antivirus and antimalware software
• Run a host based firewall
• Keep your system patched
• It provides a final layer of security making your
  data that much harder to be accessed without
  permission

9
What Can You Use Encryption For?

• Data At Rest
• File/Content Encryption
• A single file
• A block of data (text in a database entry)
• Volume Encryption
• A file which contains a file system and one or
  more files
• Whole Disk Encryption

10
What Else Can You Use Encryption For?

• Data In Transit
• Message Encryption
• Technically file/content encryption but it is
  attached to an email message
• Stream Encryption
• SSL (Secure Web Sites)
• VPN (IPSEC)

11
What Types Of Encryption Does OAAIS Support?

• Tumbleweed - Available Now
• Tumbleweed is not encryption in the same since as
  Pointsec and PGP, but it does provide a valuable
  information protection service
• Pointsec Pilot in April, Available in May
• PGP Pilot in May, Available in June

12
What Is Tumbleweed?

• Tumbleweed is an email gateway
• That means it only works on the email that goes
  through it
• Tumbleweed is a secured email storage system
• It captures messages flagged for protection
• The recipient receives an email informing them
  that there is a secure message waiting on the
  Tumbleweed server
• The recipient can then view the message on
  Tumbleweed with their password (which has to be
  prearranged)

13
What is Pointsec?

• Pointsec is symmetric encryption software
• http//www.checkpoint.com/products/datasecurity/pc
  /index.html
• Pointsec is available for the following platforms
• Windows 2000 Service Pack 4
• Windows XP Professional (32bit)
• Windows XP Tablet PC Edition
• Window Vista Enterprise, Ultimate and Business
  (32bit)

14
What Does Pointsec Do?

• Provides whole disk encryption
• Encrypts everything except for the boot sector of
  the hard disk
• Your documents, settings, cache, swap space and
  slack space are all protected

15
What Is PGP?

• PGP is asymmetric encryption software
• http//www.pgp.com
• PGP stands for Pretty Good Privacy
• PGP Pilot in May, Available in June
• Windows 2000 Service Pack 4
• Windows XP (32bit)
• Windows XP Tablet PC Edition 2005 (requires
  attached keyboard)
• Window Vista (32/64bit)
• Mac OS X 10.4.x and 10.5.x
• Free implementations are available for many other
  platforms

16
What Does PGP Do?

• Provides volume encryption
• An encrypted file that pretends to be a disk, you
  can place these on your hard disk, on network
  shares or on removable media

17
What Does PGP Do?

• Provides email encryption
• Allows you to encrypt email messages and files
  using other peoples public keys so they are the
  only people who can open the message
• Many PGP key servers are available on the
  Internet to store public keys many
  implementation of PGP will automatically retrieve
  those keys for you
• You can also use your private key to sign
  messages this provides a method for your remote
  readers to prove the authenticity of the message

18
What Does PGP Do?

• Provides email encryption
• Allows you to encrypt email messages and files
  using other peoples public keys so they are the
  only people who can open the message
• Many PGP key servers are available on the
  Internet to store public keys many
  implementation of PGP will automatically retrieve
  those keys for you
• You can also use your private key to sign
  messages this provides a method for your remote
  readers to prove the authenticity of the message

19
What Does PGP Do?

• Optionally Provides NetShare
• PGP NetShare enables teams to securely share
  documents on file servers by automatically and
  transparently encrypting the files for
  fine-grained group access
• http//www.pgp.com/products/netshare/index.html
• Only works with Windows Server and Windows
  clients
• The cost of NetShare depends on the number of
  servers and the number of clients involved
• Come and see us if you are interested in learning
  more

20
Questions?
Keep up-to-date by watching the Encryption page
on the OAAIS site http//security.ucsf.edu/EIS/N
ames/Encryption.html