Reconsidering PKI and its Place in Your Enterprise Encryption Strategy


Reconsidering PKI and its Place in Your Enterprise Encryption Strategy
150820_oml_v1p, Public, Omlis Limited 2015

Contents
Introduction
Smartphone, IoT and Fragmented Platforms Bring Challenges and Inconsistencies to PKI
Cost and Complexity
Transitioning into the Future
Omlis: Reducing Complexity, Mitigating Risk and Cutting Costs
References
Contributors

Introduction

Three years ago, Gartner made the claim that certificates can no longer be blindly trusted; a statement which seems more and more prophetic as the digital world relentlessly develops its capabilities at a pace which digital certificates struggle to maintain. In an era of SDNs (Software-Defined Networks), cloud implementation and lightweight agile solutions, many modern implementations of the certificate-based security methodology known as PKI (Public Key Infrastructure) are beginning to look increasingly outmoded, representing a very manual and increasingly unmanageable approach.

PKI has undoubtedly formed an integral part of internet security, but the SSL (Secure Sockets Layer) / TLS (Transport Layer Security) based system is proving increasingly vulnerable under the weight of the latest digital ecosystem. PKI was, at best, acceptable for desktops and laptops operating over closed networks inside corporate firewalls. The mobile revolution has exposed existing cracks, making the commonly accepted methodology look cumbersome and, ultimately, insecure. PKI still has a role to play in the less mission-critical aspects of internet security, and to start describing it as a legacy architecture may be premature, but an increasingly connected world clearly needs to narrow the scope of its usage.

According to research from Ponemon's paper entitled "2015 Cost of Failed Trust Report", the number of keys and certificates has grown over 34% to 24,000 per enterprise [1]. For PKI to remain effective it must co-exist with powerful, secure and more versatile forms of encryption like that on offer from Omlis.

To provide context, it's often stated that we're at the third of the internet's biggest evolutionary stages. We began with the era of mainframes and terminals, before moving to the second evolutionary platform, which constituted the client / server model, thereby introducing us to internet / LAN (Local Area Network), or Web 2.0 as it was often labeled in the media. This was the climate in which PKI began to thrive, lasting until around 2005 when the net began to take on new dimensions. We're now fully submerged in Platform 3.0, which is defined as an era of mobile, cloud, big data, IoT (Internet of Things), M2M (Machine-to-Machine) and BYOD (Bring Your Own Device), which brings with it a unique set of security demands.

"Omlis is providing a full in-house security solution able to cover all types of mobile devices, wearables and connected appliances where traditional security solutions do not fit. It's the only solution light enough to deploy on any platform and at the same time increase security and fraud prevention for everyone in a highly connected world." Stéphane Roule, Senior Technical Manager at Omlis

Smartphone, IoT and Fragmented Platforms Bring Challenges and Inconsistencies to PKI

If PKI reached its practical zenith under the narrow platform of laptops and desktops, the IoT and the smartphone could represent the beginning of its demise, due to an abundance of devices and operating systems all having different security requirements and equally different capabilities. Connected cars and other pervasive devices, smart cities and especially the smartphone have meant PKI has struggled to maintain any consistent level of security.

Security applications and protocols such as SSL / TLS and the hashing functions associated with the SHA (Secure Hash Algorithm) family have become particularly complicated in the delivery of safe and secure mobile commerce. On the Android platform, TLS 1.1 is available from version 4.1 (Jelly Bean) and SHA-256 is only available from version 5.0 (Lollipop) onwards, which is currently deployed on less than 10% of Android devices. At the same time, banks, service providers and software vendors are expected to deliver secure mobile applications to the broadest possible audience on the most Android operating systems. In the most extreme cases some mobile banking apps are still intended to run on Android version 2.3, which only supports SSL 3.0 and SHA-1. Aging protocols represent a critical problem in both a commercial and a security sense, with Google announcing that they will start penalizing secure HTTP (Hypertext Transfer Protocol) sites where certificate chains are using SHA-1 with validity past January 2017 [2].

Cost and Complexity

Even if PKI users can iron out its most obvious algorithmic weaknesses in their implementation, such as migrating their applications to TLS 1.2 and SHA-2, the limiting factor all PKI schemes inevitably share is that they naturally incur a high degree of cost and complexity. This cost is represented not just in the initial capital expenditure, but also in the ongoing total cost of ownership. PKI relies on a variety of moving parts, thus vastly reducing the service provider's autonomy over their own security network. Certificate authorities become trusted third parties, providing the actual certificates and offering additional services such as hosted solutions; expensive third-party administration is often needed due to the complexity and ongoing needs of the admin process.

At the heart of the system, mission-critical PKI implementations rely on costly HSMs (Hardware Security Modules) to store and generate keys, which are derived through equally costly and elaborate key generation ceremonies, requiring intensively manual implementation and maintenance programs. This is a particular pain point for companies, as evidenced in Thales' 2015 Global Encryption and Key Management Trends Study, where it was revealed that 51% of respondents perceived key management to be the most important feature of an encryption technology solution; 33% found the ongoing management of these keys to be one of the biggest challenges in planning and executing an encryption strategy [3].

Figure: PKI layers of control (service provider).

On top of this, PKI bears the cost of secure facilities, installation and configuration, complicated audits and a consistent level of staffing for continued maintenance, operation and monitoring. All of these costs form an inherent part of PKI's machinery; unlike Omlis' rapidly deployable, low complexity, high security solution.

A company with a PKI infrastructure can attempt to reduce complexity by using self-signed certificates, but this in turn reduces levels of security and has a negative effect on the company's security profile itself; if a web server detects a self-signed certificate, it'll often display a security alert, which is obviously bad public relations. Self-signed certificates once again demonstrate the mismatch of open networks and PKI. Hackers can attempt techniques such as ARP (Address Resolution Protocol) spoofing and DNS (Domain Name System) tampering to intercept traffic and redirect banking users to illegitimate sites, or as the basis for DoS (Denial of Service) attacks. Alarmingly, a recent study by IOActive discovered that 40% of the global banking apps which they tested didn't validate the authenticity of SSL certificates [4]. According to Ponemon, the total impact of an exploited enterprise mobility certificate is valued at $126m [5]. The prevalence of these attacks and the stratospheric costs associated with them have led NIST (National Institute of Standards and Technology) to publish actual industry guidelines entitled "Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance".

Figure: certificate exchange. Certificates are provided by a trusted third party to the service provider; secure data exchange relies on an HSM hosted by the service provider.

"Omlis Technology has been specifically designed for the mobile world, providing a very high level of security whilst being easy to deploy and manage. Omlis has been able to empower the mobile device in a unique way in order to deliver alternative solutions and create trust for mobile users." Markus Milsted, founder and CEO of Omlis

Transitioning into the Future

PKI resembles heavyweight and complex machinery in a world where security solutions are becoming far more fluid. Evolving threats and the perils of open networks mean that the next generation of internet usage demands modular and agile solutions which can be deployed from the cloud, are adaptable in nature and have a number of delivery methods such as EaaS (Encryption as a Service). As much as delivery models need to be adaptable to cross-platform usage, security needs to be consistent, using the most secure protocols and the most suitable key exchange methods.

As we move towards network developments such as 5G and concepts such as Li-Fi, Omlis represent a perfectly fluid, adaptable and low cost solution to everyday encryption. Working instead of, or in tandem with, a PKI architecture, Omlis offer a genuinely compelling and future-proof answer to some of the most pressing security questions. As much as this forward-thinking approach is essential, tying together an expanding network of both legacy and cutting-edge devices is also key to interoperability and inclusion. Omlis' ability to unite a disparate set of legacy components with consistent, cross-platform security protocols positions us perfectly as the security method of the future.

Omlis: Reducing Complexity, Mitigating Risk and Cutting Costs

Omlis wrap authentication and encryption into a single product, which greatly reduces the deployment and management efforts we associate with PKI. The service provider is given much more control of their security ecosystem with no overbearing third-party dependencies, security is consistent and side-channel attacks are effectively mitigated. Unlike PKI, Omlis doesn't require HSMs, third-party certificate providers or complex key management procedures. Unique keys are generated at the point of transaction and, due to the design of our distributed architecture, actual keys are never sent over the network and are never stored on the client or server side; so even if a MitM (Man in the Middle) attack takes place, the hacker will fail to retrieve any meaningful information due to our unique use of the SRP (Secure Remote Password) protocol. This method of generating keys at both ends of the communications channel means that Omlis never transmit sensitive data in plaintext, and information related to transaction keys can be erased from memory as soon as it becomes redundant. Furthermore, our high-integrity approach means that SQL (Structured Query Language) injections are made impossible due to compile-time and runtime checks, and keylogging is pointless as the input we collect from the keypad is only used for local encryption.

Over the last few years PKI has been challenged with the increasingly impossible task of absorbing a fragmented range of devices with a common set of encryption protocols. Rather than settling for patchwork variations of PKI and commissioning improper deployments across the IoT, we need to rethink how we implement security across a range of devices. Omlis has the interoperable qualities which are the hallmark of PKI, but unlike PKI will maintain consistency and unbeatable security across a range of operational requirements.
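The property the paragraph attributes to SRP, that both ends derive the same session key while only public values cross the wire, can be seen in a minimal SRP-6a exchange. This is an added example written for this page, not Omlis code: it simulates both roles in one process, uses the 1024-bit group from RFC 5054 with SHA-256 in place of SHA-1, and the identity and password are constructed sample values.

```python
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054, Appendix A (generator g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def H(*parts):
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(x):
    """Left-pad an integer to the byte length of N, as RFC 5054 requires."""
    return x.to_bytes(NBYTES, "big")


def private_x(identity, password, salt):
    """x = H(salt | H(I ':' P)); exists only on the client and is never sent."""
    return H(salt, hashlib.sha256(identity + b":" + password).digest())


def enroll(identity, password):
    """One-time client step: the server stores (salt, v), not the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(identity, password, salt), N)


def srp_exchange(identity, password, salt, v):
    """One authentication run with both roles simulated in-process.
    Only A and B cross the wire; each side derives the shared S locally."""
    k = H(pad(N), pad(g))                        # SRP-6a multiplier
    a = secrets.randbelow(N - 2) + 1             # client ephemeral secret
    A = pow(g, a, N)                             # client -> server
    if A % N == 0:
        raise ValueError("rejecting zero client value A")
    b = secrets.randbelow(N - 2) + 1             # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N               # server -> client
    if B % N == 0:
        raise ValueError("rejecting zero server value B")
    u = H(pad(A), pad(B))                        # scrambling parameter
    x = private_x(identity, password, salt)      # client recomputes x locally
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_server = pow((A * pow(v, u, N)) % N, b, N)  # server uses only stored v
    return (hashlib.sha256(pad(s_client)).digest(),
            hashlib.sha256(pad(s_server)).digest())
```

A wrong password yields a different x on the client, so the two derived keys diverge and the server's verifier never reveals the password itself.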

References
1. https://www.venafi.com/assets/pdf/wp/Ponemon_2015_Cost_of_Failed_Trust_Report.pdf
2. http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
3. https://www.thales-esecurity.com/company/press/news/2015/april/2015-global-encryption-and-key-management-trends-study-release
4. http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html
5. https://www.venafi.com/assets/pdf/wp/Ponemon_2015_Cost_of_Failed_Trust_Report.pdf

Contributors
The following individuals contributed to this report:
Stéphane Roule, Senior Technical Manager
Paul Holland, Analyst
Nirmal Misra, Senior Technical Manager
Jack Stuart, Assistant Analyst

Omlis
Third Floor, Tyne House, Newcastle upon Tyne, United Kingdom, NE1 3JD
+44 (0) 845 838 1308
info@omlis.com
www.omlis.com
Omlis Limited 2015