Secure Data Transfer with PKI. FRCC Spring Compliance Workshop April 14-16, 2015

Size: px

Start display at page:

Download "Secure Data Transfer with PKI. FRCC Spring Compliance Workshop April 14-16, 2015"

Sharon Hodges
8 years ago
Views:

1 Secure Data Transfer with PKI FRCC Spring Compliance Workshop April 14-16, 2015

2 Change of Process Change in how you submit evidence to FRCC Compliance Automate the handling and decryption of received data by FRCC Compliance Provide detailed feedback ( s) to the sender Active logging of all activity related to transfer of data Provide ready access to FRCC public keys 2

3 New Process Enhancements Hardware Encryption of storage used for securing evidence data Enabling additional firewall for network access Software Public Key Infrastructure (PKI) Management Software - Gpg4Win (Both FRCC & Entity Requirement) FRCC front facing secure transfer point ServU (by Solarwinds) Procedure Removal of manual process in handling of encrypted data Low cost solution small up front cost to FRCC w/minimal yearly maintenance cost $0 cost to entity 3

4 What is PKI Public Key Infrastructure Is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates 4

5 Secure Data Transfer Using PKI FRCC is enhancing security & robustness of systems by: Requiring the use of encryption Using a simple key management solution Creating a simple transfer process 5

6 Public Key Exchange Location When encrypting data the only required key to use in the encryption process is FRCC s public key which can be downloaded from here: ce/frcc Public Key Storage 6

7 Gpg4Win: New Transfer Software Evidence preparation for transfer to FRCC New software to be used by entity Gpg4Win Handles/Manages Private/Public Keys Encrypts, Combines, Compresses all data/evidence into single file required for transfer 7

8 Gpg4Win: Details on Software GNU Privacy Guard for Windows ( Gpg4Win ) is encryption software for files and s Enables users to securely transport s and files with the help of encryption and digital signatures Encryption protects the contents against an unwanted party reading it Digital signatures make sure that it was not modified and comes from a specific sender Gpg4win supports both relevant cryptography standards, OpenPGP and S/MIME (X.509) Software included with Gpg4win is Free Software Additional information can be found at - 8

9 SERVU: Transfer & Storage Infrastructure(TSI) ServU is the software being used for FRCC front facing secure transfer point Designed for all business types and sizes Secure transfer of sensitive business files over IPv4 & IPv6 networks Centralize and manage file transfers remotely from the Web Automate file transfer operations, which saves time, resources and reduces human error Simplify file upload & download from Web client and mobile devices Transfer large files (>2GB) easily with drag-and-drop UI Limits the duration of data in your DMZ network 9

10 Transfer & Storage Infrastructure(TSI) (cont d) Uses FRCC.COM account access no new logins needed Controlled Access: Active Directory and Security Group you can only access your own folder Detailed training sessions to be provided by FRCC: May 5, 2015 & May 18,

11 Current Vault & Entity Secure File Transfer The current two links from the FRCC.COM/Compliance website below: Will change to a single link titled: FRCC Secure Transfer & Storage Infrastructure Online June 30,

12 New - FRCC Secure TSI 12

13 TSI Display Shown After Sign-in 13

14 TSI - Transfer Folders When accessing FRCC s Transfer site Select correct transfer folder Selection based on data sensitivity m XYZ FileArea XYZ File Area Entity Secure File Transfer Folder Secure Vault Secure Vault For Most Sensitive Data Secure Working Secure Working For Sensitive Data 14

15 Types of Evidence/Information Submitted Folder Labeled XYZ File Area NEW Entity Secure File Transfer Folder Primarily used for FRCC to provide info to the registered entity, but could be used to submit general correspondence to the FRCC 15

16 Types of Evidence/Information Submitted Folder Labeled Secure Vault Most Sensitive evidence/information such as Firewall Rules (redacted) Network topologies including IP s or other documentation with extensive network address information Cyber vulnerability assessment results or reports containing specific vulnerabilities Physical Security Perimeter drawings Read only access, data will not be removed from the vault 16

17 Types of Evidence/Information Submitted Folder Labeled Secure Working Sensitive evidence/information such as All other sensitive/confidential evidence/information submitted by registered entity Includes both O&P and CIP information Can be transferred and used on encrypted laptops etc. Will be removed/deleted from laptops etc. after use 17

18 TSI - Required Naming Conventions for Transfer Use proper naming conventions of encrypted file prior to transfer XXXXX.ONP.YYYY-MM-DD.001.gpg File extension is added during creation Package number of file (001 to 999) The first 5 characters of the file name are for the Entity Acronym, if an acronym is only 3 characters, please add an underscore _ as the 4 th and/or 5th character Evidence, Audit, or Request Date Evidence Type (CIP, ENF, ONP, TFE, RAM) Proper naming allows for automation of FRCC data/evidence handling 18

19 Process Diagram 19

20 Future Training Session Topics Impacts and Process of Transferring Data/Evidence to and from the FRCC Compliance Group Learn how to obtain public and private keys Learn How to Install and Use Gpg4Win Use Proper Naming Conventions for Each File Submitted Understand How to Select Transfer Folder by Sensitivity Level Accessing the New Transfer Site 20

21 Important Dates PKI Training Webinars May 5, 2015 May 18, 2015 CIP Workshop May 11,12,13, 2015 Open Public Key Repository June 19, 2015 New Secure Transfer Website - Online June 30,

22 Questions? 22

FRCC Secure Transfer & Storage Infrastructure. Training for new data transfer process

FRCC Secure Transfer & Storage Infrastructure Training for new data transfer process Training Objects Understand the changes in regards to the data transfer process using PKI Installation Key management