The Next Generation in Enterprise Security - PowerPoint PPT Presentation

About This Presentation

Title: The Next Generation in Enterprise Security

Description: The Next Generation in Enterprise Security. Presented by William ... VMS. True-64. Wintel. Secure Middleware Integration. CORBA. DCE. Tivoli Identity Manager ... – PowerPoint PPT presentation

Slides: 44
Provided by: flux
Learn more at: http://www.flux.org

Transcript and Presenter's Notes

1
The Next Generation in Enterprise Security
Presented by William Tabor and Howard Hellman
(954) 970-9828
BillT_at_DataQuestTech.com
HowardH_at_DataQuestTech.com
2
Agenda
  • Problems with Clear Text Communication
  • Virtual Security Network (VSN)
  • Public/Private Key Infrastructure
  • Digital Rights Management
  • User Identification
  • Certificate Authority
  • Services

3
HISTORY
  • CASTLE TECHNOLOGY
  • Walls (Firewalls)
  • Draw Bridge (Tunnels)
  • Moats (DMZs)

4
HISTORY
  • The battle for Troy proved that this does not
    work

5
HISTORY
  • 80% of all theft occurs from the inside

6
INTERNAL COMMUNICATION
  • Is data clear text?

7
INTERNAL COMMUNICATION
  • PROBLEMS WITH CLEAR TEXT COMMUNICATION
  • Instant messaging
  • Email
  • Accounting information

8
INTERNAL COMM INSTANT MESSAGING
  • EXAMPLE 1
  • The CEO and personnel director of a medium-sized
    company were messaging each other about potential
    layoffs.
  • This information exchange was detected by
    individuals within the IT department, and news of
    the discussion spread through the enterprise
    unchecked, well before any decisions could be
    made.

9
INTERNAL COMM INSTANT MESSAGING
  • EXAMPLE 2
  • Two writers for a well-known daytime drama were
    messaging each other regarding a significant plot
    change.
  • A tabloid reporter intercepted their conversation
    and printed his scoop.
  • The show subsequently dropped 15 ratings points.
    Each point translates into advertising revenue of
    between 10 and 15 million.

10
INTERNAL COMM EMAIL
  • EXAMPLE 3
  • A car manufacturer spent 240 million on
    researching and developing an innovative,
    advanced engine design.
  • The company emailed the design to its production
    plant, but the email was intercepted by a
    competing manufacturer.
  • The competitor promptly put the new engine design
    into production, beating the developer to market
    without having to pay a single euro into R&D!

11
PKI
Public/Private Key Infrastructure
12
idTRUST PKI INFRASTRUCTURE
  • WHY IS A PKI INFRASTRUCTURE NECESSARY?
  • Optional key generation
  • Validate initial identities
  • Issuance, renewal and termination of
    certificates
  • Certificate validation
  • Distribution of certificates
  • Secure archival and key recovery
  • Generation of signatures and timestamps
  • Establish and manage trust relationships

13
idTRUST PKI INFRASTRUCTURE
  • WHAT HAS BLOCKED PKI FROM GLOBAL USE?
  • Cost
  • PKI Integration with vertical application base
  • CA portability and interoperability

14
PUBLIC/PRIVATE KEY GENERATION
  • LOCAL APPLICATION
  • ERP, CRM, SCM.
  • BROWSER
  • WebSphere Portal
  • Linux (PHP)
  • REMOTE SERVER COMMUNICATIONS

15
WHY USE CRYPTOGRAPHY?
  • Cryptography can be applied to the following
    information categories:
  • Information at rest
  • Information in transit
  • Cryptography is used to provide:
  • Privacy: information cannot be read
  • Integrity: information cannot be modified
  • Authentication: proof of ownership of information
  • Non-repudiation: cannot deny involvement in a
    transaction

16
ASYMMETRIC KEY CRYPTOGRAPHY
  • Different keys (secrets) are used for the
    encryption and decryption processes

[Diagram: the cleartext "information" passes through the Public Key Cipher, keyed with the asymmetric public key, and becomes the ciphertext "J9B 8cBt"; the ciphertext passes through the Private Key Cipher, keyed with the asymmetric private key, and becomes the cleartext "information" again.]

Asymmetric key cryptography is characterized by
the use of two independent but mathematically
related keys.
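The two slides above list four properties (privacy, integrity, authentication, non-repudiation) and show one public/private key pair turning cleartext into ciphertext and back. The following Go program is an added example, not code from the presentation or from DataQuest Technologies: it uses two key pairs per party (RSA-2048 with OAEP for the encryption side, Ed25519 for the signature side), seals the slide's cleartext "information" for a recipient, and shows that an altered envelope or one from a different sender is rejected before the recipient's private key is ever used. The party names, the Envelope structure and the sample message are assumptions made for the example; only the Go standard library is used.

```go
package main

// Added example (not from the presentation): the four properties on the
// "Why use cryptography?" slide, produced with two asymmetric key pairs.
// Confidentiality comes from RSA-OAEP under the recipient's public key;
// integrity, authentication and non-repudiation come from an Ed25519
// signature made with the sender's private key. Go standard library only.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party holds one participant's key material. Private keys are unexported:
// other parties only ever see the public halves.
type Party struct {
	encPriv *rsa.PrivateKey
	sigPriv ed25519.PrivateKey
	EncPub  *rsa.PublicKey
	SigPub  ed25519.PublicKey
}

// NewParty generates a fresh RSA-2048 pair (encryption) and Ed25519 pair (signing).
func NewParty() (*Party, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	sigPub, sigPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{encPriv: rsaKey, sigPriv: sigPriv, EncPub: &rsaKey.PublicKey, SigPub: sigPub}, nil
}

// Envelope is what crosses the wire: ciphertext plus the sender's signature over it.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal encrypts plaintext to the recipient's public key (privacy) and signs the
// ciphertext with the sender's private key (integrity, authentication,
// non-repudiation). Plaintext must fit one OAEP block: 190 bytes for RSA-2048/SHA-256.
func Seal(sender *Party, recipient *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, Signature: ed25519.Sign(sender.sigPriv, ct)}, nil
}

// Open checks the signature against the claimed sender's public key before
// decrypting, so an altered or forged envelope is rejected without touching
// the recipient's private key.
func Open(recipient *Party, claimedSender ed25519.PublicKey, env Envelope) ([]byte, error) {
	if !ed25519.Verify(claimedSender, env.Ciphertext, env.Signature) {
		return nil, errors.New("signature check failed: altered in transit or not from claimed sender")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.encPriv, env.Ciphertext, nil)
}

func main() {
	alice, _ := NewParty() // sender (constructed name)
	bob, _ := NewParty()   // recipient (constructed name)

	env, err := Seal(alice, bob.EncPub, []byte("information")) // the slide's cleartext
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext (first 8 bytes): %x\n", env.Ciphertext[:8])

	pt, err := Open(bob, alice.SigPub, env)
	fmt.Printf("bob decrypts: %q, err=%v\n", pt, err)

	// Flip one bit in transit: the signature no longer verifies.
	tampered := Envelope{Ciphertext: append([]byte{}, env.Ciphertext...), Signature: env.Signature}
	tampered.Ciphertext[0] ^= 0x01
	_, err = Open(bob, alice.SigPub, tampered)
	fmt.Printf("tampered envelope: err=%v\n", err)

	// Alice cannot read a message sealed to Bob: only his private key decrypts it.
	_, err = Open(alice, alice.SigPub, env)
	fmt.Printf("wrong recipient: err=%v\n", err)
}
```

Signing the ciphertext rather than the plaintext lets the recipient reject bad input before any decryption happens; the signature is also what the sender cannot later disown, since only the holder of the Ed25519 private key could have produced it.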
17
Digital Rights
  • Digital Rights Management

18
DIGITAL RIGHTS
  • WHAT ARE DIGITAL RIGHTS?
  • Gives us the ability to . . .
  • Assign ownership to documents or data
  • Ensure that data has not been altered during
    transfer
  • Provide authentication

19
USER IDENTIFICATION
  • CURRENT METHOD
  • Username and password
  • Card and PIN
  • RSA Token
  • Biometrics

20
NEXT GENERATION SECURITY
  • TOMORROW'S SECURITY TODAY
  • Secure user authentication
  • PKI
  • Application firewalls
  • Dynamic Tunnels

21
PROVIDER OF SECURE SYSTEM SOLUTIONS
  • Public Key Infrastructure (PKI) Services
  • IdM Device
  • Dynamic Encryption Tunnel
  • DQT Application Firewall
  • Secure Tech VPN and File Transfer

22
DATAQUEST TECHNOLOGIES SOLUTIONS
Virtual Security Network (VSN)
23
VIRTUAL SECURITY NETWORK (VSN)
  • Next Generation of VPN Technology
  • VSN is comprised of 4 components
  • (1) Application Firewall
  • (2) Dynamic Encryption Tunnel
  • (3) ID Trust Card
  • (4) Digital Certificate
  • Public and Private Key Pair

24
Application Firewall
  • DQT Application Firewall
  • Linux-based firewall using SE Linux
  • Allows only authorized access to server
  • Can Exist in LPAR or P5 Partition
  • National Security Administration (NSA) Technology

25
Dynamic Encryption Tunnel Server
  • Provides communication layer through the
    Application Firewall
  • Multiple Levels of Encryption Available
  • 128, 256 and 3DES
  • Proprietary 2048bit obscure algorithm
  • Multiple Tunnel Layers Available
  • Replace VPN or ride on Top of VPN
  • Can exist in LPAR or p5 Partition
  • Must have public/private key pair to access
    tunnel
  • Layers on top of any existing protocols (128-bit
    SSL, WEP)
  • Low CPU drain
  • Compresses MP4 Video/Data Streams

26
IDTRUST CARD
  • ID TRUST CARD FEATURES / CHARACTERISTICS
  • Similar to a credit-card-sized smart card, but
    also contains an on-card crypto processor
  • Maintains protected storage for public/private
    keys, digital certificates and digital signatures
    to be used during authentication process
  • Executes cryptographic operations (verifies
    fingerprint)
  • Works in conjunction with card operating system
    (COS)

27
IDTRUST CARD
  • HOW THE IDENTITY TRUST CARD WORKS
  • The user enrolls in the biometric process; the
    card keeps an encrypted hash of the user's
    fingerprint in EEPROM
  • When the user wishes to authenticate, he/she
    simply places the correct finger on the e-field
    sensor
  • The fingerprint is scanned, hashed and encrypted
  • The crypto processor compares the fingerprint
    sample to the value stored on the external device
  • Neither the fingerprint hash nor the private key
    leaves the USB device
  • The card typically returns a success or failure
    status to the system
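The flow above (template kept on the device, comparison done by the on-card processor, only a success/failure result returned) together with the tunnel server's "must have public/private key pair to access tunnel" rule amounts to a challenge-response login where the private key never leaves the token. The Go program below is an added example, not DataQuest's card firmware or server code, that models exactly that split: the token type keeps its private key and template hash in unexported fields, signs a server challenge only after a local match, and the server side hands out single-use random challenges so a captured signature cannot be replayed. The serial numbers, template bytes and the exact-hash comparison are constructed for the example; real minutia templates vary from scan to scan and need a tolerance-based matcher, so treat that comparison as a stand-in for the card's own matching step. Go standard library only.

```go
package main

// Added example (not DataQuest's code): a model of the match-on-card flow on
// the "How the Identity Trust Card works" slide plus the server-side check
// implied by "must have public/private key pair to access tunnel". The
// private key and the enrolled template hash live only inside IDTrustToken
// (unexported fields); the host receives nothing but a public key and
// per-challenge signatures. Matching is simplified to an exact SHA-256
// comparison of constructed template bytes (assumption for illustration).

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// IDTrustToken models the card. Only Pub and Serial are visible to the host.
type IDTrustToken struct {
	priv         ed25519.PrivateKey
	templateHash [32]byte
	Pub          ed25519.PublicKey
	Serial       string
}

// Enroll generates the key pair on the token and records the hash of the
// enrolled fingerprint template. The raw template is not retained.
func Enroll(serial string, template []byte) (*IDTrustToken, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IDTrustToken{priv: priv, templateHash: sha256.Sum256(template), Pub: pub, Serial: serial}, nil
}

// Authenticate is the only operation that uses the private key: it signs the
// server's challenge if, and only if, the presented sample matches the
// enrolled template. On mismatch the host learns nothing beyond "failure".
func (t *IDTrustToken) Authenticate(sample, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(sample)
	if subtle.ConstantTimeCompare(h[:], t.templateHash[:]) != 1 {
		return nil, errors.New("failure")
	}
	return ed25519.Sign(t.priv, challenge), nil
}

// Verifier is the tunnel/server side: it knows enrolled public keys and hands
// out single-use random challenges so a captured signature cannot be replayed.
type Verifier struct {
	keys        map[string]ed25519.PublicKey
	outstanding map[string][]byte
}

func NewVerifier() *Verifier {
	return &Verifier{keys: map[string]ed25519.PublicKey{}, outstanding: map[string][]byte{}}
}

// Register stores the public key the token exported at enrollment time.
func (v *Verifier) Register(serial string, pub ed25519.PublicKey) { v.keys[serial] = pub }

// Challenge issues a fresh 32-byte nonce for a known card serial.
func (v *Verifier) Challenge(serial string) ([]byte, error) {
	if _, ok := v.keys[serial]; !ok {
		return nil, errors.New("unknown card")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.outstanding[serial] = nonce
	return nonce, nil
}

// Verify accepts the session only if the signature covers the outstanding
// challenge under the enrolled public key; the challenge is consumed either way.
func (v *Verifier) Verify(serial string, sig []byte) bool {
	nonce, ok := v.outstanding[serial]
	delete(v.outstanding, serial)
	if !ok {
		return false
	}
	return ed25519.Verify(v.keys[serial], nonce, sig)
}

func main() {
	enrolled := []byte("constructed-template-A") // stands in for the enrolled fingerprint
	tok, _ := Enroll("card-0001", enrolled)

	server := NewVerifier()
	server.Register(tok.Serial, tok.Pub) // only the public key crosses to the server

	c, _ := server.Challenge(tok.Serial)
	sig, err := tok.Authenticate(enrolled, c) // correct finger: card signs
	fmt.Printf("card result: err=%v, server accepts=%v\n", err, server.Verify(tok.Serial, sig))
	fmt.Printf("replay of same signature accepted=%v\n", server.Verify(tok.Serial, sig))

	c2, _ := server.Challenge(tok.Serial)
	_, err = tok.Authenticate([]byte("wrong-finger"), c2) // mismatch: no signature
	fmt.Printf("wrong finger: err=%v\n", err)
}
```

The point of the structure is that a compromised host gets, at most, one signature over one nonce it did not choose: it cannot extract the key, cannot reuse the signature, and cannot learn the enrolled template hash from a failed attempt.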

28
CRYPTO-PROCESSING CHIP LAYOUT
29
IDTRUST CARD
  • CARD CUSTOMIZATION CAPABILITIES
  • Multiple processors (4,6,8, etc.)
  • Mix and match 8, 16 and 32 bit processors for
    focused tasks
  • Memory (inter-processor and processor specific)
  • Multiple custom data structure (application and
    processor)
  • Potentially contact-based and contact-less cards

30
BIOMETRIC READERS
  • Optical Sensor
  • Low Resolution
  • Easily Fooled
  • Image Template
  • Capacitive Sensor
  • 3D image
  • Fooled with a piece of wood and Silly Putty
  • E-Field Sensor
  • Fingerprint template is minutia based
  • Stored as a hash algorithm

31
DATAQUEST TECHNOLOGIES SOLUTIONS
  • USER IDENTIFICATION
  • Crypto-processor card
  • Biometrics on card
  • ACLU friendly

32
DATAQUEST TECHNOLOGIES SOLUTIONS
  • USER IDENTIFICATION SUMMARY
  • Crypto-processor card
  • Biometrics on card
  • PKI data on card

33
PKI PRODUCT SUITE
  • idSAFE
  • A platform to ensure transport and management of
    data in transit (Secure VPN)
  • idVOTE
  • A product enabling Internet voting via secure
    voter authentication
  • idSEAL
  • A smart encryption tool enabling the user to
    encrypt and decrypt individual files

34
DATAQUEST TECHNOLOGIES SOLUTIONS
GOLD CA: Internal / External Certificate Authority
35
INDUSTRY-SPECIFIC APPLICATIONS

[Diagram: a Third Party Master Trust Center provides certificate interoperability between Master Trust Centers; below them sit Organizations, then Departments, Groups and Regional Centers. Each node is labelled with the security levels it operates at (Security Level 1, 2, 3, depending on level of trust); Finance and Healthcare are shown as example verticals, with a Medical records database as the leaf node.]
36
DATAQUEST TECHNOLOGIES SOLUTIONS

[Diagram: the solution running in a P5 system with dynamically resizable partitions: Linux Application Firewall, Certificate Authority, Tunnel Application, Virtual I/O server partition and AIX 5L Application Server (partition sizes shown: 1 CPU, 1 CPU, 6 CPUs, 1 CPU), with storage sharing, Ethernet sharing and virtual I/O paths over the Hypervisor.]
37
SECURITY DOORS
38
PROFESSIONAL SERVICES
  • Public Key Infrastructure Planning and
    Implementation Services
  • Biometric smart card, trust center and PKI
    integration
  • Secure application design, development and
    implementation
  • Enterprise security services
  • Disaster Recovery Services
  • Linux Application Tuning on zSeries and pSeries
  • Enterprise Linux Deployment
  • Custom software and consulting services
  • Technical support (hotline and on-site)
  • Project management
  • Training and education

39
SECURITY SERVICES
  • Security Inventory Service
  • Security Policies and Procedures Guide
    Development
  • Security Audit/Assessment Service
  • Security Vulnerability Service
  • Security Implementation Service

40
SECURITY AUDIT SERVICE
  • TASK REVIEW EXISTING CORPORATE SECURITY
    PRACTICES AS THEY PERTAIN TO . . .
  • Day-to-day enterprise computing
  • Perimeter security (authentication, identity and
    authorization)
  • Information at rest
  • Information in transit (distributed computing,
    file transfer, etc.)
  • Business applications software and email usage
  • Mobile computing
  • Management security directives
  • Corporate security policy and procedure
    guidelines
  • Compliance with appropriate legislation

41
SECURITY AUDIT SERVICE
  • DELIVER DOCUMENTS DECLARING STATE OF EXISTING
    SECURITY PREPAREDNESS
  • An inventory document defining the current state
    of enterprise security methods, techniques,
    corporate compliance and usage
  • A document defining next steps in the overall
    process of defining a current corporate security
    strategy and implementation plan
  • Requirements analysis document
  • Security architecture document
  • Security products and implementation plan

42
EDUCATIONAL SERVICES (TECH TRAINING)
  • Modern Security Practices
  • Authentication/Perimeter Security
  • Trust Center and PKI Integration
  • Secure Distributed Architectures
  • Linux
  • AIX
  • VMS
  • True-64
  • Wintel
  • Secure Middleware Integration
  • CORBA
  • DCE
  • Tivoli Identity Manager
  • Tivoli Access Manager
  • Programming Languages
  • C
  • Java/JavaScript
  • Perl

43
DATAQUEST TECHNOLOGIES SOLUTIONS
Questions?