
Erik H

AVP, Information Security at Fifth Third Bank


What do you want to know about Cryptography in the Enterprise ?

I am working on a presentation entitled "Lessons Learned Deploying and Managing Enterprise Cryptosystems". I will be presenting this at Information Security World 2008. In the 45 minutes I have for the presentation, it is my goal to touch on several key lessons learned in my work with cryptographic controls over the past several years. Cryptosystems are a broad topic, and can include not only techniques (encryption, digital signatures, timestamps), but also key management and implementation issues. There is a lot of material that I have available to draw from, and I want to make sure that the presentation includes the most valuable and relevant points that it can. After giving a presentation, there is almost nothing more disappointing than reviewing the feedback forms only to find out what people really wanted to know. This is especially disappointing if it is material you could have easily included...

I would love to know what kinds of questions you have and would like to see addressed.

In addition to your question, please provide a little context, such as:

- What are the drivers for your use of cryptographic controls (data protection, compliance, etc.)?
- Will your deployment be externally audited?

If you are reluctant to post your question here, you can post it as a comment on www.artofinfosec.com. There is a blog entry with this title.

Cheers,
Erik

posted January 3, 2008 in Information Security, Corporate Governance | Closed


Good Answers (9)


James M

Experienced Technology Executive and Innovator


Talk more about integration into enterprise applications. Talk about how you had an external auditor come in and hand it to you by breaking everything. Tell a story about what industry analysts didn't tell you before going down this path.

linkedin@jamesmcgovern.com

posted January 4, 2008


Rick L

Chief Information Security Officer, Published Author & Advisor


Discuss how you implemented monitoring to prove compliance with encryption, like with TLS, etc.

Discuss the hard decisions that had to be made balancing the pain of encryption key management vs the reward.

Discuss the benefits of key escrow and how important it is to the historical data recovery in legal cases, etc.

Discuss the steps you took to integrate encryption into existing applications by not using a hardcoded key.

These points would interest me.

posted January 4, 2008


Sandra T

VP/GM RSA Conferences


From the past feedback forms I've reviewed from the event I'm involved in, I would recommend focusing on the practical (what worked, more importantly what didn't work), and providing sources (URLs) where our audience can get more information. The responses from Rick and James are focused good examples of the practical application of technology.

posted January 4, 2008


Sean L

Regional Security Advisor


I'd be interested in what some of the organizational blockades or barriers are to adoption of encryption at various layers (e.g.: do you have a fully developed plan for implementing IPSec for certain high-value assets at your organization backed up by solid risk assessment data and accurate threat modeling that's been flat-out rejected for some reason? why?)

posted January 4, 2008


Pavel R

senior security consultant


I would like to know how difficult it is to convince a customer (mostly HQ without any technical background) about the necessity of a solution. It may be perhaps a little bit out of scope of your presentation, but sometimes it is very difficult to explain to them why your solution is the best fit and come to the right compromise.

posted January 5, 2008


Sylvain M

CEO & Founder MARET Consulting / Security Architect


Hello Erik,

It's a good topic. I believe now that the next step will be using Cryptography inside the Enterprise like: Database Encryption, File Encryption, Transport Encryption (IPSec, SSH, TLS) and XML / SOAP.

The question is what about Strong Authentication. Can you build a Cryptographic system without Strong Authentication? Does it make sense to encrypt Data if you are not sure about the identity of the Data's owner?

Sylvain

posted January 6, 2008


Jaime C

CISSP at Convergys


I would be interested in a description of the cost-benefit analysis for encryption. It seems to me that there are levels or degrees of cryptographic control, both technically and procedurally. Like any other security measure, it is not practical to apply the absolute best possible cryptographic controls to all data, yet it seems that the decision to use encryption is often binary and not cost-benefit driven.

I've always found that good business managers appreciate a cost-benefit analysis of alternative solutions in a business case. Providing that for encryption solutions would have practical value for IS practitioners.

posted January 6, 2008


Skip S

Founder @ Hipaa Box Inc.


I am not 100% sure whether this is on topic or out of scope for your talk, but for me the hardest problem around cryptographic controls is managing the keys to the decryption in a safe, and operationally efficient manner. For example, and probably the most pervasive problem for me, is to manage the certificates that contain the public and private keys for the encryptions.

In particular, how to anticipate the expiration of these certs, containing the keys, and what to do with audit data that might necessarily be stored in an encrypted state, but later, much later must be decrypted. The provisioning of these certs, the management of them when they expire, and the secure ability to use them, potentially even after they have expired, is significant. Even if the answer is to always purchase permanent certs when encryption is to be done persistently, this best practice seems to be somewhat obscure to the engineering community.

Another topic, perhaps not 100% relevant, is how to optimize encrypting large chunks of data with standard tools. For me the details of how one creates and manages the safe encryption algorithms is not of particular interest, but what to look for in a minimally safe algorithm is significant, i.e., why are some algorithms acceptable and others not, beyond the usual "use at least 128-bit encryption".

Cheers
Skip Snow

posted January 6, 2008
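Skip's expiry question, illustrated with an added example that is not part of this thread: using only Go's standard library, a self-signed certificate whose validity window has already closed still decrypts records encrypted under it, because decryption depends only on the retained private key, not on the certificate's dates. The `ArchiveKey` type, its subject name and the validity offsets are all constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ArchiveKey pairs a certificate with the private key that must be retained
// (escrowed) for as long as any record encrypted under it is kept.
type ArchiveKey struct {
	Cert *x509.Certificate
	Priv *rsa.PrivateKey
}

// NewArchiveKey builds a constructed self-signed certificate whose validity
// window is given relative to now; a negative notAfter yields an expired cert.
func NewArchiveKey(notBefore, notAfter time.Duration) (*ArchiveKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "audit-archive (constructed)"},
		NotBefore:    time.Now().Add(notBefore),
		NotAfter:     time.Now().Add(notAfter),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &ArchiveKey{Cert: cert, Priv: priv}, nil
}

// CertExpired is the date check a TLS peer or signature verifier would apply.
func (k *ArchiveKey) CertExpired() bool { return time.Now().After(k.Cert.NotAfter) }

// Encrypt wraps a record under the key pair's public half (RSA-OAEP, SHA-256).
func (k *ArchiveKey) Encrypt(plain []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &k.Priv.PublicKey, plain, nil)
}

// Decrypt needs only the retained private key; certificate dates play no part.
func (k *ArchiveKey) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k.Priv, ct, nil)
}
```

The operational consequence is that certificate renewal and private-key retention are separate lifecycles: an archive must keep (and protect) every private key that still has ciphertext depending on it, regardless of when its certificate expired.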


AJ aj@prolifics.com A

Infrastructure Practice Director (MQ, WebSphere brand administration) at Prolifics


I am interested in types of tools and support systems that are useful for managing/providing and then verifying the installation of SSL certificates.

For example for IBM's MQ product, I have found a tool called SSLCHECK to be very helpful.

Links:

posted January 6, 2008