Cryptography As A Service
description
Transcript of Cryptography As A Service
![Page 1: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/1.jpg)
Cryptography As A ServiceBarclays Crypto Application Gateway and Beyond
23rd May 2013George French – BarclaysDan Cvrcek – Smart Architects
Unrestricted distribution
![Page 2: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/2.jpg)
Unrestricted distribution 2 | Cryptography as a Service 23rd May 2013
Cryptography As A Service
Application Cryptography
Interface
ApplicationCryptographyAudit Logging
ApplicationAuthentication
BCAG / CSG Service
Vendor HSM
interfaces
Application Key Management
Cryptography Policy
Enforcement
Key Management
Operationsand Audit
Applications
HSMs
![Page 3: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/3.jpg)
Beginning … Cryptography and BusinessRequirement Solution lead time
Encrypt data (... and decrypt possibly) day
Secure key generation and management, recovery
months
Decryption after 30 years, huge data collections (tera bytes), multiple application support, integration
> year
Support and recovery after incidents Multiply by 2+
As surprising as it may sound there are very few security products that would actually work and could be managed with a small operationalteam. The main culprits: - integration, scalability, reliability, support
Unrestricted distribution 3 | Cryptography as a Service 23rd May 2013
![Page 4: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/4.jpg)
Crypto Service Must Provide For …• Audit
Cryptography is deployed as a control to mitigate a risk it is therefore necessary to be able to demonstrate that the control is effective.
• Cryptographic Management• The problem with cryptography is the decryption process.• NEVER GIVE DEVELOPERS OPTIONS WHEN ENCRYPTING DATA
• Centralised Management• Small teams even in multinational companies
• Monitoring of usage / capacity• BAU operational tasks• Security audits• Information for business units
Unrestricted distribution 4 | Cryptography as a Service 23rd May 2013
![Page 5: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/5.jpg)
Problem Space for The Use of Cryptography
Business
•Capturing Business Requirements
•Provision of a defined operational model
•Project/Bespoke development•Testing
Unrestricted distribution 5 | Cryptography as a Service 23rd May 2013
What we are trying to manage
![Page 6: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/6.jpg)
Problem Space for The Use of Cryptography
Business
• Capturing Business Requirements
• Provision of a defined service
• Risk Mitigation• Bullet
Build
•Requires Specialised knowledge•Meet requirements•Internal governance and standards compliance
•Infrastructure build•Change management
Unrestricted distribution 6 | Cryptography as a Service 23rd May 2013
What we are trying to manage
![Page 7: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/7.jpg)
Problem Space for The Use of Cryptography
Business
• Capturing Business Requirements.
• Provision of a defined service.
• Risk Mitigation• Bullet
•Hardware Utilisation•Project model delivers variances•Patch and Security Vulnerability Management
•Operation impact of outages•“Non-functional” Requirements
Operation• Requires Specialised knowledge
• Meet requirements• Internal governance
and standards compliance
• Infrastructure build• Change management
Build
Unrestricted distribution 7 | Cryptography as a Service 23rd May 2013
What we are trying to manage
![Page 8: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/8.jpg)
Problem Space for The Use of Cryptography
Business
• Capturing Business Requirements.
• Provision of a defined service.
• Risk Mitigation• Bullet
Operation
• Hardware Utilisation• Project model delivers
variances• Patch and Security
Vulnerability Management
• Operation impact of outages
Build
• Requires Specialised knowledge
• “The usual suspects”• Internal governance
and standards compliance
Compliance
•Regulatory and scheme compliance
•Internal Audit•Customer Due diligence
Unrestricted distribution 8 | Cryptography as a Service 23rd May 2013
What we are trying to manage
![Page 9: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/9.jpg)
Problem Space for The Use of Cryptography
Business
• Capturing Business Requirements.
• Provision of a defined service.
• Risk Mitigation• Bullet
Operation
• Hardware Utilisation• Project model delivers
variances• Patch and Security
Vulnerability Management
• Operation impact of outages
Build
• Requires Specialised knowledge
• “The usual suspects”• Internal governance
and standards compliance
Compliance
• Regulatory and scheme compliance
• Internal Audit• Customer Due
diligence
Unrestricted distribution 9 | Cryptography as a Service 23rd May 2013
What we are trying to manage
... I know nothing short of impossible but here we go
![Page 10: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/10.jpg)
BCAG Cryptographic Approach
Separating use from management and configuration – Use (business units):
Request system authentication credentials (e.g., password);
Do Crypto – e.g., Api.Encrypt(“CC_Number”, “ME”, “Main_DB”, <transaction>)
– Management (BU and Crypto Operations): Policy – what business functions (e.g., encrypt credit
card number), how many parties (DB, web app, middleware, …).
– Technical (Crypto Operations): how many keys, algorithms, crypto modes, key
lengths, key validity, and so on. Unrestricted distribution 10 | Cryptography as a Service 23rd May 2013
![Page 11: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/11.jpg)
BCAG Business Approach
Pay for what you use– Centralised use of resources (people, hardware, network,
…) HSMs used “per operation”, not “per project”.
– Commissioning of cryptographic system components by Crypto Operations
skills; volume; and single place for deployment and management ->
strategy. Decoupling components (i.e., HSM) from applications
– Eliminate vendor lock-in; and– Introduce service-based architecture with replaceable
products. Unrestricted distribution 11 | Cryptography as a Service 23rd May 2013
![Page 12: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/12.jpg)
What Does It Look Like – Architectural Blocks
Business
Crypto support(1st line)Solution support(2nd line)
Product support(3rd line)
Unrestricted distribution 12 | Cryptography as a Service 23rd May 2013
![Page 13: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/13.jpg)
System Mechanics - OnboardingAdministrative process for enrolling new business application to BCAG
1. Capture Business Requirements– The most difficult part as the business does not
usually have a structured description of cryptographic requirements
2. Convert BR to policy specification– Semi-automated process that generates a BCAG
policy definition3. Amend BCAG access control with new “user” privileges4. Key generation and deployment (manual or semi-
automatic process)5. Use. Unrestricted distribution 13 | Cryptography as a Service 23rd May 2013
![Page 14: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/14.jpg)
Mechanics - Operation
And 3 pieces of information that have to align:1. Authentication details = username and password2. Policy = username and authorised operations and key locator data3. Crypto Key definitions = key value and key locator data
Unrestricted distribution 14 | Cryptography as a Service 23rd May 2013
![Page 15: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/15.jpg)
Doing Crypto - Key Lookup• Traditionally
• Key Label = Key Value• You change a key value, you get a new key label• The new key label has to be propagated to all
applications using the old key• BCAG Approach
• Structured key locators: user, function, base_function, from, to
• Algorithm for locating keys• Dynamic, as it does not use 1:1 mapping but lookup
algorithm• Efficient – 2 layers of caching of recently used keys
Unrestricted distribution 15 | Cryptography as a Service 23rd May 2013
![Page 16: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/16.jpg)
Key Lookup – BCAG
Unrestricted distribution 16 | Cryptography as a Service 23rd May 2013
![Page 17: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/17.jpg)
Beyond• Large data processing; we talk about
• Daily encryption of giga and terabytes of data• Protection of archives with 100,000s of DB tables
• Composite cryptography• Grouping cryptographic operations into transactions
that require specific order of operations• Breach of a transaction is a potential data
compromise• Centralised key management
• Replacement of manual key loading to HSMs with an automatic process to minimise human errors and increase security
Unrestricted distribution 17 | Cryptography as a Service 23rd May 2013
![Page 18: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/18.jpg)
Beyond … banking• Platform for mobile app cryptography• Platform for financial services for future applications
• Providing API and system for banking transactions to developers without actually building a bank
• Being able to build own virtual Central Bank with a few button clicks
• All this requires something like BCAG to:• Access to payment schemes (VISA, MasterCard)• Strong cryptographic system able to ensure pre-defined
security properties (like cheating, counterfeiting … within the model of a virtual world)
• In some cases compliance with financial regulations
Unrestricted distribution 18 | Cryptography as a Service 23rd May 2013
![Page 20: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/20.jpg)
Security Policy – Two AbstractionsUse - Visible for Business Units
• Users • just names, possibly with domain (e.g., LDAP)• And authentication options (specs for tickets)
• User groups – just names• Alias – just names for required crypto operations
Manage - Internal to Crypto Management• Params – the technical bit, e.g.
• [PARAMS CookieParams]• ManagedEncryption=false• Cipher=AES• KeySize=128• ModeOfOperation=CBC• IV=Random • Padding=NoPad
Unrestricted distribution 20 | Cryptography as a Service 23rd May 2013
![Page 21: Cryptography As A Service](https://reader035.fdocuments.in/reader035/viewer/2022062814/56816858550346895dde860e/html5/thumbnails/21.jpg)
Doing Crypto - Key Lookup as You Know It
Unrestricted distribution 21 | Cryptography as a Service 23rd May 2013