Implementing UT System Security Practices Bulletin SPB

1
Implementing UT System Security Practices
Bulletin (SPB) 1
  • June 13, 2007

2
Security Briefing
  • Introduction
  • Security Practice Bulletin: Cam Beasley
  • Managed Public Key Infrastructure: Charlie Scott
  • Investigation of Encryption Solutions: Glen Martin
  • Discussion

3
Security Practice Bulletin
  • What is a Security Practice Bulletin?
  • New policy document type from UT System
  • Allows UT System to respond quickly to emerging
    security problems
  • Supplement to UTS-165
  • Anticipate additional bulletins in the future

4
Security Practice Bulletin
  • What is the first Security Practice Bulletin?
  • Security Practice Bulletin 1: Encryption
    Practices for Portable and Privately Owned
    Computing Devices
  • Effective June 1, 2007
  • UT Austin contributed feedback
  • The bulletin addresses two areas:
  • Establishes encryption as a requirement for
    portable devices
  • Establishes rules for ensuring that encrypted
    data is not permanently lost

5
Security Practice Bulletin
  • Specific requirements
  • Do not copy or store sensitive digital data on
    portable devices when possible
  • Data owners can approve storage on a portable
    device
  • Data so stored must be encrypted using
    ISO-approved methods
  • Encrypted data must be recoverable
  • Exceptions are possible but must be approved by
    data owner

6
Security Practice Bulletin
  • Recommendations
  • Avoid copying or storing sensitive digital data
    on portable devices when possible
  • Central options are available with WebSpace
    (limited quota)
  • Austin Disk connections will be secure October
    15, 2007
  • If you determine that storage on a portable
    device is essential
  • Use common physical security measures
  • Encrypt
  • Ensure that data is recoverable
  • Document the approval by the data owner
  • Exceptions are possible but must be approved
  • Use the exception request process:
    http://www.utexas.edu/its/policies/opsmanual/exception.php

7
Security Practice Bulletin
  • What is ITS doing to support UT?
  • Communications
  • Security Briefing Meeting
  • Web site with best practices
  • Letter to faculty
  • Implementing managed Public Key Infrastructure
  • Investigating enterprise-level encryption
    technologies

8
Questions About The Bulletin

9
Managed PKI: Charlie Scott, ISO
  • Public Key Infrastructure
  • Business Justification
  • Legal/Policy Requirements
  • Architecture, Process Overview
  • Key Decisions
  • What Has Been Implemented

10
Public Key Infrastructure
  • In a nutshell, PKI is an infrastructure that
    supports the use of digital certificates to
    provide confidentiality, integrity, and
    authentication services

11
mPKI Business Justification
  • Campus-wide solution needed
  • Students, faculty, and staff currently forced to
    make their own choice -- including the choice to
    do nothing
  • Upcoming projects may utilize PKI
  • Meets legal and policy requirements

12
mPKI Legal/Policy Requirements
  • Personal signing keys must not be escrowed, per
    TAC 203.44
  • PKI facilitates compliance with UTS-165, Section
    11.3.3
  • Encryption keys shall be escrowed to facilitate
    data recovery
  • UT System Security Bulletin 1 requires
    encryption of Cat-I data stored on laptops

13
mPKI Architecture, Process Overview
  • User process
  • Request a certificate via TRAC
  • Pick up a certificate via certificate delivery
    Web form
  • Revoke/Recover a certificate via
    Revocation/Recovery Web form

14
(No Transcript)
15
mPKI Key Decisions
  • E-mail must be in UT hosted domains
  • Department sponsors must approve certificate
    request -- no personal purchases
  • Users must have ID-proofed entitlement in their
    EID record
  • Request to revoke and recover certificates must
    go through the Information Security Officer
  • Recovery of an encryption key requires 2
    authorized administrators to complete
  • one from ISO, one from ITS Systems

16
mPKI What Has Been Implemented
  • Registration Authority
  • TRAC Integration
  • Revocation and Recovery Audit Tracking
  • Pilot Testing
  • Submitted a request for central funding for
    certificates -- awaiting review
  • Timeline to finish pilot and implement resulting
    changes: July 31, 2007

17
Questions

18
Encryption Options - Glen Martin, WES
  • What do we want in encryption technology
  • Technologies on the market
  • What ITS is investigating

19
Enterprise-level Encryption Technology
  • Desired features
  • Multi-platform support
  • No single product covers all platforms
  • Support for mPKI X.509 certificates and tokens
  • To leverage key escrow in our mPKI infrastructure
    for simplified recoverability
  • Minimal deployment complexity
  • Minimal impact on the end-user

20
Encryption Technologies on the Market

21
Solutions Under Investigation
  • Software
  • SafeBoot: preliminary findings
  • Not working with certificates on tokens
  • Works with passwords
  • Proving to be problematic
  • Pointsec
  • PGPDisk
  • Timeline
  • Testing Whitepaper: July 31, 2007

22
Questions/Discussion

23
Helpful Links
  • UT System Audit Office Information Security
    Function: http://utsystem.edu/ciso/
  • ITS Encryption Best Practices: http://www.utexas.edu/its/encrypt
  • Available by June 15