Securing Data in the Mobile Business Environment

About This Presentation
Title:

Securing Data in the Mobile Business Environment

Description:

Today's organisation, be it commercial or Public Sector, is radically different ... A secure and sterile, bootable USB memory stick allowing secure remote access to ... – PowerPoint PPT presentation

Slides: 32
Provided by: david1094

Transcript and Presenter's Notes


1
Securing Data in the Mobile Business Environment
  • Doug Harriss

2
Introduction
  • Today's organisation, be it commercial or Public
    Sector, is radically different to that of even a
    few years ago.
  • Data leakage and theft are an increasing
    problem.
  • Has your security infrastructure kept pace with
    this change?

3
History of Data Security (Cryptography)
  • Data loss: it's been in the media almost every
    day over the last few months
  • But it's nothing new...

4
History of Cryptography
  • Encryption dates as far back as 1900 B.C. in Egypt
  • Julius Caesar (100-44 B.C.) used a simple
    substitution shift cipher
  • The alphabet is shifted so that the original
    letter is substituted for a different one
  • A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  • M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
  • e.g. Julius Caesar becomes Vgxuge Omqemd
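The slide's shift cipher in working form, as an added example that is not part of the original deck: it uses the slide's own mapping (A to M, a shift of 12), reproduces the Julius Caesar / Vgxuge Omqemd pair, and then shows why the deck moves on to modern ciphers, since all 25 possible keys can be tried in a loop and the right one picked out with a single expected word.

```python
# Added example (not from the presentation): Caesar shift cipher with the
# slide's A->M mapping, plus the exhaustive key search that makes it insecure.
from __future__ import annotations

import string

ALPHABET = string.ascii_uppercase
SLIDE_SHIFT = ALPHABET.index("M")  # the slide maps A -> M, i.e. a shift of 12


def caesar_encrypt(plaintext: str, shift: int = SLIDE_SHIFT) -> str:
    """Shift every ASCII letter by `shift` places, keeping case.

    Non-letters (spaces, punctuation, digits) pass through unchanged, which
    is exactly why word boundaries survive and help an attacker later on.
    """
    out = []
    for ch in plaintext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int = SLIDE_SHIFT) -> str:
    """Decryption is just encryption with the inverse shift."""
    return caesar_encrypt(ciphertext, (-shift) % 26)


def brute_force(ciphertext: str) -> list[tuple[int, str]]:
    """Return every candidate plaintext: only 25 keys exist, so try them all."""
    return [(k, caesar_decrypt(ciphertext, k)) for k in range(1, 26)]


def recover_shift(ciphertext: str, expected_word: str) -> int | None:
    """Identify the key by looking for a word the plaintext is known to contain.

    This is the classic weakness of the cipher: the key space is tiny and the
    structure of the language leaks straight through the substitution.
    """
    for k, candidate in brute_force(ciphertext):
        if expected_word in candidate:
            return k
    return None


if __name__ == "__main__":
    ct = caesar_encrypt("Julius Caesar")
    print(ct, "->", caesar_decrypt(ct), "| shift recovered:", recover_shift(ct, "Caesar"))
```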

5
History of Cryptography (continued)
  • Mary Queen of Scots: cipher alphabet and
    codewords
  • WWII code machines
  • Germany's Enigma Machine
  • Britain's Bletchley Park, Station X

6
History of Modern Cryptography
  • 1970s
  • 1976 DES standardized
  • 1976 Public key cryptography introduced
  • 1977 RSA cipher introduced
  • 1980s Stronger ciphers (128 bit) introduced
  • 1990s Integration of cryptography into
    commercial applications
  • Post Year 2000
  • AES standardized to replace DES

7
What's Changed over the last decade?
  • The predominance of the internet
  • Mobile communications
  • Greater computer power
  • Greater bandwidth
  • The demand for access to data wherever the user
    may be and wherever the data is
  • Organisations need to be far more open
  • With this openness comes risk

8
What's Changed over the last decade?
  • Our IT infrastructure is more:
  • Accessible
  • Powerful
  • Cheaper
  • Mobile
  • Smaller
  • Easier to use
  • Vulnerable
  • There is REAL value in our data in the wrong
    hands

9
The Internet
  • The internet has enabled organisations to
    communicate both internally and externally more
    cheaply and easily than ever before
  • Open standards for connectivity have driven the
    take-up of the internet
  • Success has fed on success; we cannot work
    without it

10
Mobile Communications
  • Cheaper costs of network traffic
  • GPRS / 3G / Mobile Broadband for data traffic
  • Powerful laptops
  • Powerful PDAs

11
We Now Have - Greater Computer Power
  • More CPU power, disk space, memory.
  • Better network communications.
  • Today's laptop is far more powerful than the
    average desktop of just a few years ago.
  • More capability, more risk - unless managed

12
We Also Now Have - 22nd January 2008
  • In an email to top civil servants, Sir Gus
    O'Donnell said: "From now on, no unencrypted
    laptops or drives containing personal data should
    be taken outside secured office premises."
  • "Please ensure that this is communicated
    throughout your organisation and delivery bodies
    and implemented immediately, and that steps are
    taken to monitor compliance."

13
Breaching the Perimeter
  • Mobile devices, by nature, are breaching the
    business perimeter
  • Users are able to take data out of the business
    environment to their customers and to wherever
    they want or need to work
  • How is this data being taken out, and is it secure?

14
Managing the de-perimeterised Business
  • Traditional security controls were concerned with
    preventing the organisation's data from being
    leaked to the outside world
  • Access controls were put into place to make it
    hard for unauthorised users to access data, let
    alone copy it!
  • The new demand is to ensure that the data is
    protected adequately when in the outside world

15
USB Memory Sticks: the real capacity
  • USB memory sticks are taken for granted in the
    business world; most of us have at least one.
  • A 4GB memory stick is equivalent to c. 20
    four-drawer filing cabinets!
  • Potential for serious data leakage.
  • Accidental or malicious, it happens

16
The Data Protection Act
  • Data held by an organisation must be:
  • Secured against accidental loss, destruction or
    damage and against unauthorised or unlawful
    processing
  • Data held outside of the organisation is
    especially vulnerable to the above threats.

17
What are the Threats?
  • Large volumes of sensitive data can be easily
    held on laptops and USB based devices
  • It is often hard to control the movement of data
    on to these devices and to know when it has
    occurred
  • Data held outside of the perimeter is
    potentially subject to alteration and
    unauthorised dissemination
  • Ease of use, not data protection, has driven much
    software design

18
Addressing the Threats
  • Data security controls, to be effective, must be
    either transparent to the user or very easy to
    use
  • It is human nature to find an easy way (HMRC).
  • User Awareness - users must understand why
    security is required.
  • Deploy a solution to encrypt ALL data held on
    mobile devices with no user decision.
  • "Do I encrypt this? YES / NO" is not a sustainable
    model.

19
UK Government Information Assurance - CESG
  • The UK Government has developed security policies
    for the protection of data under the UK
    Government's Technical Authority on Information
    Assurance, the Communications Electronics Security
    Group (CESG) within GCHQ
  • CESG runs the CESG Assisted Products Scheme (CAPS)
    to enable products to be cryptographically
    verified by CESG to Her Majesty's Government
    (HMG) cryptographic standards and formally
    approved for use by HMG and other appropriate
    organisations.

20
CSIA Claims Test Mark
  • What is the CSIA Claims Tested Mark?
  • The CSIA Claims Tested (CCT) Mark scheme provides
    a government quality mark for the public and
    private sectors based on accredited independent
    testing, designed to prove the validity of
    security functionality claims made by vendors. In
    more colloquial terms, the CCT Mark is designed
    to assure public bodies that a product or service
    does what it says on the box.

21
CSIA Claims Test Mark
  • Designed to inspire trust and confidence
  • In line with Transformational Government Policy
    and to ensure trust and confidence, Government
    information systems must use appropriate security
    products and services which have a minimum
    assurance of the CCT Mark
  • Harvey Mattinson, CSIA - Head of Assurance and
    Standards

22
Securing the Device
  • Deploy anti-virus software and firewall
  • Encrypt ALL data held on the hard disk
  • Choose the product appropriate to your need: do
    you require CAPS?
  • Full disk encryption secures everything that a
    user stores
  • Look for products with third-party
    accreditation/certification (e.g. CTM/FIPS/CAPS)
  • Use policy-driven software to control the use of
    devices (e.g. USB, CD writer etc)

23
Securing the Device
  • The technology required to secure a mobile device
    is well matured
  • The problem areas are becoming well understood
  • Find a product that fits your needs, is easy to
    use and integrates well with your environment
  • Select a vendor that is responsive to your needs,
    has a pedigree in the marketplace and offers a
    long-term relationship

24
Commercial v Government
  • The security threats as seen by the Government
    sector are often different to those seen by the
    private sector
  • The Military is often seen as too paranoid by
    other sectors
  • Software solutions have had to run in parallel,
    with little or no crossover between the two. You
    either bought from a company specialising in
    commercial or in government software. The two were
    considered very different.

25
Commercial v Government (cont)
  • The Military are concerned with securing data
    while operating in a hostile environment
  • Before the internet the private sector rarely
    worked in hostile environments but within the
    Business Perimeter
  • The internet is now the private sector's battle
    ground as businesses are de-perimeterised

26
Developing Threats
  • Cloning of laptops
  • Creation of an entire image of a hard disk
    without the owner knowing.
  • Could potentially be done when laptop left
    unattended
  • Quick and easy to do with the minimum of software
    and tools
  • Almost undetectable
  • Solution: an encrypted disk would render the
    image useless to those without the correct
    access.

27
Developing Threats
  • Wireless technologies
  • Bluetooth, infrared and wireless all provide
    opportunities for remote extraction of data from
    a device
  • USB-based Removable Media
  • Enables copying large amounts of data very
    quickly without any evidence of doing so
  • Solution: software that controls the connection
    and use of removable devices, including encryption

28
An Approach to Security
  • The traditional approach has been to make it very
    hard to get at data both physically and logically
  • However, once in, the data is freely available
  • The de-perimeterised business cannot use this
    approach, as the risks are too high.
  • Make the data secure through the use of
    encryption at the lowest level, not on the
    infrastructure

29
Enterprise Threat from Mobile devices
  • Mobility of computing devices and the capability
    of mobile devices: storage, computing power, and
    network access
  • Mobile devices have frequent access to enterprise
    networks
  • Mobile device use focuses on network access and
    user convenience rather than security
  • A growing number of devices means a larger number
    of potentially lost, stolen or compromised devices
  • Devices are targeted for the theft of data, as
    well as for network access.

30
The Theft Threat Model is Changing
  • Devices used to be targeted for sale as useable
    laptops / desktops.
  • Now, additionally, the data is seen as having a
    value. This can be press coverage, damage to
    the organisation, or personal information for
    identity theft.
  • Access to the corporate network for malicious
    activity or further data theft offers a bigger
    opportunity.
  • The device has increasing value.

31
What Should I Be Considering?
  • Develop and implement a workable Security
    Strategy
  • Adopt Full Disk Encryption (no user decision)
  • Removable Media Encryption (no user decision)
  • Port Management
  • Lock out iPods, cameras and non-standard USB
    sticks etc.
  • Use accredited solutions:
  • CTM
  • CESG - CAPS
  • FIPS 140-2

32
What Should I Be Considering?
  • Traditionally we take the data outside the
    business.
  • Are there cases when we can take a dataless
    device outside the business and just access the
    data?
  • BeCrypt's TRUSTED CLIENT allows this: a secure
    and sterile, bootable USB memory stick allowing
    secure remote access to the corporate LAN over an
    encrypted SSL/VPN.

33
Summary
  • The power of modern devices has changed the way
    we work
  • A modern security policy needs to take this into
    account
  • All businesses now, like the military, work in a
    hostile environment
  • Data-bearing devices must be secured in new ways
    specific to their use and their environment

34
Thank You
  • In an effort to be green, please ask me or email
    me for further information. If you would like any
    data sheets etc. or a copy of the presentation, I
    will send these to you electronically.
  • Doug Harriss, Public Sector
  • dharriss_at_becrypt.com
  • Mobile 07809 391 039
  • Switchboard 0845 838 2050