MikeFleckOWASP_Presentation

Protecting Data
From The Web Tier
Mike Fleck
CEO
CipherPoint Software, Inc.
[email protected]
@CipherPointSW
888-657-5355
OWASP
3-22-2012
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Agenda
Why does this matter?
Drivers for data protection
Shifting application architectures
Common data encryption challenges
Why Infosec struggles to keep up
Why protect data from the web tier
A web tier data protection architecture
Questions
Why Does This Matter?
Shift in thinking about security control
effectiveness from network > application > data
Auditors recognize value of encrypting data
“higher in the stack”
Applications moving to 3-tier web architecture
Cloud data protection = encrypting @ web tier
Web tier affords a unique place from which to
apply data encryption and access controls to
application data and unstructured content
Data Protection Drivers
Compliance: PCI DSS, HIPAA/HITECH, GLBA, state breach laws
Native platform controls are generally inadequate to secure against insider threats, including IT admins
Given the current threat climate, with APTs and determined attackers, stored data needs that last line of defense
“69% said that complying with data protection and privacy regulations was the main driver behind use of encryption” (Ponemon 2010 Enterprise Encryption Study)
Enforcing “Need to Know”, “Least Privileges”
PCI DSS
  - 7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities. Audit procedure: confirm that access rights for privileged user IDs are restricted to least privileges necessary to perform job responsibilities.
HIPAA/HITECH
  - HIPAA requires access controls that limit access to those with a valid need to know; encryption is an addressable (not required) implementation specification under the Security Rule
GLBA
  - Access control is required to limit access to authorized individuals; encryption of NPI is expected where the risk assessment calls for it
PCI Assessment Failings (chart in the original slide; not reproduced in the transcript)
Most Challenging Compliance Requirements (chart in the original slide; not reproduced in the transcript)
Sources of Compliance & Security Pain (chart in the original slide; not reproduced in the transcript)
Sea Change in Security Control Placement
http://movetheworld.files.wordpress.com/2008/01/evolution-of-security-controls-graph-only.png
App Architecture, Delivery Models Changing
Application architecture: client/server -> 3-tier, web-based apps
Delivery model: on-premise IT -> cloud
Today’s Data Encryption Challenges
Effective threat protection = higher level insertion point
  - Low level insertion (FDE, BitLocker) only protects against media loss or theft: once the system is booted, the volume is decrypted transparently for every process and user on it
  - Application insertion = best threat protection, but not common from app vendors, and hard to DIY and get right
Key management
  - “it’s 2am, on a Saturday, we have to restore an encrypted file from 2008, where the @#!&% is the encryption key”
  - Siloed per application or centralized
  - Making it easy: operationalizing compliance requirements for key rotation, key lifecycle, information lifecycle
More Key Management (diagram in the original slide; not reproduced in the transcript)
Data Encryption & Access Control Challenges
for Web Apps, & SaaS Delivery
Where can/should we insert?
How do we afford protection for data stored in
cloud/SaaS?
How can enterprises retain control of keys for
data stored in cloud/SaaS services?
How to keep IT admins at cloud service
providers from viewing sensitive data?
Policy Enforcement @ Web Front End
(Diagram in the original slide.) The web front-end (WFE) servers host the policy enforcement point (PEP), which sits between the end users and the application servers and database server behind it. The diagram separates two kinds of access: “need to know” (end users working with the content) and “need to manage” (the web server admin, shared services admin and database admin, who operate those tiers without needing to read the data they hold).
Visibility @ WFE for Security Decisions
What: (the content itself; shown only as an image in the original slide)
Who: Cipherpoint\csmith
Where: https://www.covert.com/HR/payroll
Security Control Possibilities
Selectively encrypt information for specific users, or URI destinations
  - Unstructured files
  - Fields in web forms
Apply access controls for user groups
  - Enforce need to know for IT admins
Apply sophisticated access controls for authorized users
  - Time of day, excessive file downloads, strange download locations, etc.
WFE Encryption & Access Control
Previously you had to either convince your app vendor to add this capability, or DIY
In either case, the odds are poor for:
  - getting key management right, and
  - making the encryption easy to use and easy to manage
Ubiquitous web application architectures open up encryption & access control platform possibilities at the WFE
Use Cases
Web-based collaboration portals, on premise, e.g. SharePoint, ECM systems
  - Sensitive information protection such as HR data, IP, business plans
  - Compliance regulated data, e.g. PII, NPI, ePHI
Where outsiders are the new insider threat:
  - Cloud collaboration platforms, Google Docs, Box.net, et al
  - Any SaaS application…
About CipherPoint
  - Incorporated 2010
  - 1st provider of transparent content encryption for Microsoft SharePoint
  - Insider threat protection
  - Separation of duties
  - Mass market pricing
  - Building a cloud collaboration security platform
Questions?