HIPAA Security Regulations: Assessing Vendor Capabilities and Negotiating Agreements re: PKI and Security



Similar documents
How To Understand And Understand The Security Of A Key Infrastructure

UNDERSTANDING PKI: CONCEPTS, STANDARDS, AND DEPLOYMENT CONSIDERATIONS, 2ND EDITION

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

TELSTRA RSS CA Subscriber Agreement (SA)

encryption keys, signing keys are not archived, reducing exposure to unauthorized access to the private key.

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Public Key Infrastructure for a Higher Education Environment

Department of Defense PKI Use Case/Experiences

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

PKI: Public Key Infrastructure

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

THE WALT DISNEY COMPANY PUBLIC KEY INFRASTRUCTURE CERTIFICATE POLICY. July 2011 Version 2.0. Copyright , The Walt Disney Company

Lecture VII : Public Key Infrastructure (PKI)

SSL BEST PRACTICES OVERVIEW

Introduction to Public Key Technology and the Federal PKI Infrastructure 26 February 2001

Case Study for Layer 3 Authentication and Encryption

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Certificate Policies and Certification Practice Statements

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer. February 3, 1999

X.509 Certificate Revisited

A Noval Approach for S/MIME

NIST Test Personal Identity Verification (PIV) Cards

Unique Challenges in Architecting a Healthcare PKI that Spans Public and Private Sectors

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Government Smart Card Interagency Advisory Board Moving to SHA-2: Overview and Treasury Activities October 27, 2010

NIST ITL July 2012 CA Compromise

Department of Defense INSTRUCTION. SUBJECT: Public Key Infrastructure (PKI) and Public Key (PK) Enabling

Securing Distribution Automation

Visa Public Key Infrastructure Certificate Policy (CP)

associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS)

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

SYMANTEC NON-FEDERAL SHARED SERVICE PROVIDER PKI SERVICE DESCRIPTION

PKI Uncovered. Cisco Press. Andre Karamanian Srinivas Tenneti Francois Dessart. 800 East 96th Street. Indianapolis, IN 46240

Ericsson Group Certificate Value Statement

Overview. SSL Cryptography Overview CHAPTER 1

Public-Key Infrastructure

Operating a CSP in Switzerland or Playing in the champions league of IT Security

Chapter 4 Virtual Private Networking

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

RSA Digital Certificate Solution

Certification Practice Statement

Security + Certification (ITSY 1076) Syllabus

Public Key Infrastructure. A Brief Overview by Tim Sigmon

CERTIFICATE POLICY KEYNECTIS SSL CA

Danske Bank Group Certificate Policy

Egypt s E-Signature & PKInfrastructure

Purpose of PKI PUBLIC KEY INFRASTRUCTURE (PKI) Terminology in PKIs. Chain of Certificates

7 Key Management and PKIs

Understanding digital certificates

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

SECURITY IN ELECTRONIC COMMERCE MULTIPLE-CHOICE QUESTIONS

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

Class 3 Registration Authority Charter

StartCom Certification Authority

Microsoft vs. Red Hat. A Comparison of PKI Vendors

Deploying Smart Cards in Your Enterprise

Intelligence Community Public Key Infrastructure (IC PKI)

What Are They, and What Are They Doing in My Browser?

Certification Practice Statement

KIBS Certification Practice Statement for non-qualified Certificates

Registration Practices Statement. Grid Registration Authority Approved December, 2011 Version 1.00

You re FREE Guide SSL. (Secure Sockets Layer) webvisions

CERTIFICATION PRACTICE STATEMENT. EV SSL CA Certification Practice Statement

Entrust Managed Services PKI. Getting an end-user Entrust certificate using Entrust Authority Administration Services. Document issue: 2.

Biometrics, Tokens, & Public Key Certificates

MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory. Chapter 11: Active Directory Certificate Services

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

How To Make A Trustless Certificate Authority Secure

Certificate Authorities and Public Keys. How they work and 10+ ways to hack them.

Applying Cryptography as a Service to Mobile Applications

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Neutralus Certification Practices Statement

Information Blue Valley Schools FEBRUARY 2015

Certificate Policy KEYNECTIS SSL CA CP. Emmanuel Montacutelli 12/11/2014 DMS_CP_KEYNECTIS SSL CA CP_1.2

Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004

Grid Computing - X.509

Internet Banking Internal Control Questionnaire

Expert Reference Series of White Papers. Fundamentals of the PKI Infrastructure

Axway Validation Authority Suite

Committee on National Security Systems

BMC s Security Strategy for ITSM in the SaaS Environment

WiMAX Public Key Infrastructure (PKI) Users Overview

Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 15.1

The Costs of Managed PKI:

EMC Celerra Version 5.6 Technical Primer: Public Key Infrastructure Support

VeriSign Trust Network Certificate Policies

- X.509 PKI SECURITY GATEWAY. Certificate Policy (CP) & Certification Practice Statement (CPS) Edition 1.1

Microsoft Trusted Root Certificate: Program Requirements

DigiCert Certification Practice Statement

Chapter 7 Managing Users, Authentication, and Certificates

I N F O R M A T I O N S E C U R I T Y

TR-GRID CERTIFICATION AUTHORITY

Transcription:

HIPAA Security Regulations: Assessing Vendor Capabilities and Negotiating Agreements re: PKI and Security March 2, 2001 Cy D. Ardoin, Ph.D.

2 Agenda Quick View of Security Strategy for Security Quick View of PKI Strategy for PKI

Quick View of Security Range of Attacks 3 Script Kiddy Hacker Industrial Espionage Electronic Warfare Methods Runs tools Good tools Some homegrown Good tools Many homegrown Good tools Most homegrown Motivation Wants to brag about the break-in Anger, Revenge, Profit Profit, Compromise Business, Trade Secrets Profit, Damage Industry, Damage Critical Infrastructure Funding No Funding No Funding Funding proportional to profit potential Funding by foreign government may be proportional to profit Stealth Quick In and Out Stealthy, trying to not be seen Very Stealthy, will not be seen Very Stealthy, will not be seen Avenues Internet mostly, Phone sometimes Internet or Phone Internet, Phone, Social Engineering, Physical, Electronic Internet, Phone, Social Engineering, Physical, Electronic

4 Strategy for Security Establish a Security Program Policy, Procedures, Mechanisms (Security Controls) Assign Authority and Responsibility (Security Officer) Focus on Critical Data (e.g. Medical Records and Financial Data) Train employees and contractors Monitor Activities and Report Problems Periodic Evaluation of the Program Maintain the Security Posture

5 Vendor Capabilities Shop around, meet with three or more vendors Vendor investigation Experience, stability, reputation, independence, etc. More than automated tools - good people are needed Know the methodology to be used Clearly state restriction on behavior and scope of work Penetration tests require protection of both parties Recommendations must be practical Vendors should not play the role of Security Officer

6 Quick View of PKI Public Key Infrastructure Support the implementation of a set of security functions Privacy Non-Repudiation Digital Signatures Authentication Data Integrity

7 Quick View of PKI PKI product vendors Offer several options to implement security functions Entrust VeriSign Xcert Baltimore Netscape

8 Quick View of PKI Certificate Management Functions Key/Certificate Generation Certificate Authority Certificate Format

9 Quick View of PKI Policies and Protocols Security Protocols 60 Hz 50 Hz 220 V Encryption Algorithm 120 V Key Management Policies Key Revocation

10 Strategy for PKI What is the business need for PKI? How do you acquire the services? Major topics to consider in developing a strategy Build or Buy Registration Naming Separate Keys Types of Certificates Tokens Federal PKI and others Number of users

11 Strategy for PKI Develop Requirements as a baseline for vendors Who controls the registration process Who can define the fields in the certificates PKI shall satisfy the Class 3 criteria of the Federal PKI model Define the standards, ITU, IETF, ANSI, PKCS Define the CA requirements CA will support registration, key generation, certificate generation, certificate revocation, certificate renewal, CRL generation and distribution, certificate and RRL archiving, on-demand private key recovery (for encryption keys), certificate and CRL retrieval.

12 Strategy for PKI Specify Algorithms (SHA-1 and PKCS #1 RSA to sign certificates and CRLs) Specify Key Lengths Hierarchy of the PKI (all subscribers fall under a specific subtree of the hierarchy) Certificate generation (X.509 version 3) Define standard certificates (e-mail, encryption, code signing, server, etc) CRL requirements Registration Requirements Archiving Requirements Token Requirements

13 Strategy for PKI Estimate the number of users Get pricing and support data from vendors Compare Vendors to the Baseline Document Develop a PKI Certificate Policy Begin a prototype and staged deployment

14 Don t Forget Interoperability prototype interoperability with other organization Integration PK-enabling applications may be difficult prototype using several vendor products before making a large investment into software development Technical/Usability different environments will have different demands for authentication mechanisms - a single solution for strong authentication will not work in a complex environment

15 A Few References NIST SP 800-12 An Introduction to Computer Security; The NIST Handbook. NIST SP 800-14 Generally Accepted Principals and Practices for Securing Information Technology Systems. NIST SP 800-18 Guide for Developing Security Plans for Information Technology Systems. X.509 Certificate Policy For The Federal Bridge Certification Authority (http://www.cio.gov/docs/fbca_policy_document_1-17-01.htm)

16 Mitretek Systems Cy Ardoin Senior Manager Information Security & Privacy Center 7525 Colshire Drive McLean VA 22102-7400 Phone: 703-610-1946 Fax: 703-610-1699 Email: cy.ardoin@mitretek.org

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information