Encryption Doesn t Always Protect Your Data. Presented by: Joe Sturonas PKWARE

Transcription

1 Encryption Doesn t Always Protect Your Data Presented by: Joe Sturonas PKWARE

2 Agenda Threat Landscape Security Risks Public/Private Keys Digital Signing and Authentication Use Case Q&A

3 Threat Landscape

4 2015 Data Breach Stats Data security events increased by 38% Intellectual property theft increased 56% 2016 Global State of InfoSec Survey Price Waterhouse Cooper $400 million estimated losses from 700 million compromised records 2015 Verizon Data Breach Report Data breaches in healthcare totaled over 112 million records in 2015 Forbes

5 Threat Landscape Evolution Identity Theft Resource Center

6 InfoSec Landscape Advanced Persistent Threat Detection Networks Devices Intrusion Detection Data Leakage Prevention Security Gateways Application Firewalls Full Disk Encryption Applications Information DATA CENTRIC PROTECTION Identity & Access Management Access Control Intrusion Detection Incident & Event Management DNS Security VPN Antivirus Firewalls Mobile Device Management Mobile Application Management Antimalware Endpoint DLP Access Brokers Network Access Control Stateful Pocket Inspection

7 Potential Effects of Sensitive Data Exposure The Three Elements of a Breach 1 They have to get in 3 They have to get it out 2 They have to get to the information

8 IoT (Things, and a lot of them)

9 What happens when InfoSec fails?

10

11 Cyber Defense Matrix Sounil Yu - RSA Conference 2016

12 Security Risks

13 Encryption and Privacy Encryption empowers individuals and organizations to take their privacy into their own hands Protects usernames/passwords, EHR, PII, etc. Protects against thieves, snoops and idiots

14 TSI External attackers, rogue employees, etc. Three letter agencies, the insider threat Users, admins, basically everyone

15 Risks Thieves represent the highest cost in terms of dollars lost and money spent Snoops represent the lowest cost in terms of dollars lost but have the potential to heavily damage reputation and brand Idiots represent mistakes made by everyone that results in sensitive information exposure Risks: Financial penalties Brand reputation Customer confidence Intellectual property

16 Risks Thief Thief Snoop Idiot Snoop Idiot Thief

17 Thieves

18 Snoops

19 Idiots

20 Idiots

21 Public/Private Key Cryptography

22 Public/Private Keys Public Key Encrypting data Authenticating data Private Key Decrypting data Signing data

23 Symmetric Encryption

24 Asymmetric Encryption Sender encrypts data using each recipient s public key Each recipient decrypts with their private key

25 Hybrid Cryptosystem for Unstructured Data

26 Protecting Structured Data Encrypt sensitive fields without having to encrypt the entire database. Length Preserving & Format Preserving (length + format) Cryptography API Cryptography API

27 Digital Signing and Authentication

28 Digital Signing

29 Digitally Signing Data

30 Authenticating Data

31 Use Case

32 Use Case Challenge: Cost Cost effective and reliable solution that would be consistent over several years Data centric security Requirement for persistent authentication and digital encryption Leverage existing infrastructure Find a solution that would work within the existing infrastructure Solution: Cost Maximum reuse of existing infrastructure combined with mature, proven software Data centric security Encryption provides the customer with the level of security and confidence required Leverage existing infrastructure Integrated into the existing network, and MFT solution Encryption Benefits Efficiently manage the disparate platforms used by member banks Minimal disruption on implementation due to reuse of existing infrastructure Helped overcome future cost concerns by providing an option allowing member banks to change their computing environments without impacting the overall cost of the solution Fulfilled the essential requirements surrounding security of the cheque files being transferred

33 Q & A