Building Trust in a Digital World
Brian Phelps, BSc CISSP
Director of Advanced Solutions Group EMEA
Thales UK, Ltd.
2 Global incidents
www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml
Equivalent of 117,339 incoming attacks per day, every day
Total number of detected incidents - growth of 66% CAGR
3 And more targeted
www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
[Visualization: world's biggest data breaches and hacks, 2014 and 2015]
4 How Much is Data Worth?
At the end of April, there were 270 reported breaches with
102,372,157 records compromised!
Source: Identity Theft Resource Center
5 Trust in a digital world…
Smart phones, smart grid, smart vehicles
eCommerce, eGovernment, eCitizen
6 Trust Management is a central problem to solve
Organizations are losing control over their application environment
- Clouds, consumer devices (BYOD), remote connected devices, fragmented workforce: the emphasis moves from 'control' to 'trust'
Targeted attacks drive the need for data neutralization
- Mobile, remote devices and cloud services increase the attack surface
Privacy requirements drive the need for data protection, wherever it resides
- Increased scrutiny and governance drive the need to prove trust as well as simply establish it
Dynamic business relationships require trust to be dynamic
- Federated, transitory and anonymous relationships create the need for new trust models and technologies
Virtualized and shared environments
- The need for trust varies by application, but infrastructure is increasingly shared
Scale and dynamics of "connected everything" force automation of trust properties
- Manual controls are no longer practical or cost effective
7 Crypto is the key to establishing and enforcing trust
- Identity and Access Controls
- Data Confidentiality and privacy
- Data Integrity and Non-Repudiation
8 The role of cryptography
[Diagram: Key Management at the centre, surrounded by the three outcomes of slide 7 (Identity and Access Controls; Data Confidentiality and privacy; Data Integrity and Non-Repudiation) and the use cases that depend on it]
Use cases shown: SSL, network encryption, digital rights management, tape encryption, database encryption, application-level encryption, server-file encryption, SAN switch encryption, tokenization, disk encryption, point of sale encryption (P2PE), payments processing, Public Key Infrastructure, credential management, payment card issuance, strong authentication, password protection, document signing, signed email, code signing, DNSSEC, audit & log signing
9
Thales e-Security | CONFIDENTIAL
10 The 'pain' of key management
"Please rate the overall 'pain' associated with key and certificate management in your organization"
Source: 2015 Global Encryption and Key Management Trends Study - Ponemon Institute (April 2015)
[Bar chart: share of respondents (0% to 35% axis) by rating band 1-2 (Minor), 3-4, 5-6, 7-8, 9-10 (Severe); callout: 55%]
11 What makes key management hard?
Source: 2015 Global Encryption and Key Management Trends Study - Ponemon Institute (April 2015)
12 What's at stake?
The secrecy of keys underpins trust: if keys are stolen or misused, data is compromised
The availability of keys keeps systems running: lost keys can destroy data and bring services to a standstill
Lifecycle management of keys is costly: complexity, delays and errors can quickly escalate
Key management is under intense scrutiny: policies, controls and reporting simplify audits and compliance
13 Hardware secures applications everywhere
- Trusted Platform Modules (TPM) protect desktop apps
- Secure Elements and SIMs protect mobile apps
- Hardware Security Modules (HSM) protect server based apps
14 So, what's changing?
15 Mobile payments
16 Mobile Payments – from Buzzwords to Business
The race is finally on! Mobile acceptance versus mobile payments
Retail versus person to person
Disruptors versus incumbents
Buzzwords: mPOS, EMV, NFC SE, HCE, TSM
Mobile payments and mobile commerce
17 Knocking down the barriers
1. Convincing consumers to give it a try
2. Preparing the cardholder data
3. Equipping phones to protect the data
4. Delivering the data to the phone
5. Enabling merchants to read the phones
6. Enabling users to easily authorize transactions
7. Encouraging consumers to make it a habit
18 Simple ecosystems are good
Barrier                                            | Apple: Apple Pay | Android: SE/TSM                      | Android: HCE
1. Convincing consumers to give it a try           | Apple            | Phone manufacturer, wallet provider  | Issuer
2. Preparing the cardholder data                   | Card brands      | Issuer                               | Issuer
3. Equipping phones to protect the data            | Apple            | Phone manufacturer or carrier (SIM)  | Issuer (cloud)
4. Delivering the data to the phone                | Apple            | Carrier or 3rd party                 | Issuer
5. Enabling merchants to read the phones           | NFC              | NFC                                  | NFC
6. Enabling users to easily authorize transactions | Apple            | Wallet provider                      | Issuer
7. Encouraging consumers to make it a habit        | Apple            | ?                                    | Issuer
19 Mobile Payments
Thales payShield HSMs are a significant player across the mobile payments ecosystem
International roll-out in 2015…
2015 campaign to target the Android market through new HCE capability in payShield and ASAP partners
Our blog – www.thales-esecurity.com/blogs/2014/september/apple-enables-mobile-payments
20 Keys in the cloud
21 Amazon Key Management
$1 per key per month
$0.03 per 10,000 operations
22 HSMs in the cloud
"The Key Vault service performs all cryptographic operations on HSM-protected keys inside Hardware Security Modules. The service uses Thales nShield HSMs"
Dan Plastina, Microsoft
Our blog – www.thales-esecurity.com/blogs/2015/february/trust-anchors-in-the-azure-cloud
23 Microsoft Azure Key Vault
24 Evolving cloud landscape
Users (service consumers)
Software: applications & content
Platform: OS, tools & services
Infrastructure: hardware & networks
25 Evolving cloud landscape
Users (service consumers)
Three kinds of actor: service providers operating from the cloud; enterprises with workloads in the cloud; enterprises running private clouds
Layers: Software (applications & content), Platform (OS, tools & services), Infrastructure (hardware & networks)
26 Evolving cloud landscape
Users (service consumers)
Three kinds of actor: service providers operating from the cloud; enterprises with workloads in the cloud; enterprises running private clouds
[Diagram: each actor's stack is labelled private infrastructure, private infrastructure or public infrastructure, with cloud service providers (CSP) marked at several points]
Layers: Software (applications & content), Platform (OS, tools & services), Infrastructure (hardware & networks)
29 Crypto-currency
30 Cryptocurrency
Our blog – www.thales-esecurity.com/blogs/2015/january/bitcoin-steps-up-to-bank-grade-security
"We looked at every HSM on the market to find one that could support Bitcoin wallets, and none of them could do it, so we built it ourselves {using codeSafe}. Thales really came through for us, and the level of enthusiasm they have for our growing industry is incredible."
Micah Winkelspecht, Gem CEO and Founder
31 Digital currency
- Public key crypto
- Bitcoin
- Wallets to store private keys
- Bitcoin mining
- Interface to traditional payment rails
32 Bitcoin Hacks
"Reports suggested the site shut down after it discovered that an estimated 744,000 bitcoins - about $350m (£210m) - had been stolen due to a loophole in its security."
33 Bitcoin Hacks
34 What is our value proposition
- Private key protection
- Key derivation for privacy and scale
- 'Multi-signature' for dual control security
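The two mechanisms behind "key derivation for privacy and scale" and "multi-signature for dual control" (slides 31 and 34) are easier to see in code. The following is an added example written for this page, not Thales or Gem code. It uses the BIP32 master-key step (HMAC-SHA512 keyed with "Bitcoin seed") and a hardened-style child derivation, simplified by taking the HMAC output directly as the child key rather than adding it to the parent key modulo the curve order, so it is not wire-compatible with BIP32; and it models the m-of-n release check with HMAC tags standing in for per-approver ECDSA signatures, because the Python standard library has no ECDSA. The seed, approver names and transaction bytes are constructed for the demo.

```python
import hashlib
import hmac

# BIP32 constants: the HMAC key used to turn a seed into a master key, and the
# offset that marks a "hardened" child index.
MASTER_KEY_DOMAIN = b"Bitcoin seed"
HARDENED = 0x80000000


def master_from_seed(seed: bytes) -> tuple[bytes, bytes]:
    """Split HMAC-SHA512("Bitcoin seed", seed) into (master_key, chain_code), as BIP32 does.

    The seed (or master key) is the single secret a wallet HSM has to guard;
    every payment key below is recomputable from it.
    """
    digest = hmac.new(MASTER_KEY_DOMAIN, seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_child(parent_key: bytes, chain_code: bytes, index: int) -> tuple[bytes, bytes]:
    """Hardened-style child derivation: HMAC-SHA512(chain_code, 0x00 || parent_key || index).

    Simplification (assumption, not BIP32 wire format): the left half is used as the
    child key directly instead of being added to the parent key modulo the curve
    order. The properties that matter here survive: derivation is one way (a child
    does not reveal its parent) and each index yields a different key.
    """
    if not 0 <= index < 2**32:
        raise ValueError("index must fit in 32 bits")
    data = b"\x00" + parent_key + index.to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_path(seed: bytes, path: list[int]) -> bytes:
    """Walk a derivation path (e.g. [HARDENED | 0, 7]) from the seed and return the leaf key."""
    key, chain = master_from_seed(seed)
    for index in path:
        key, chain = derive_child(key, chain, index)
    return key


def payment_keys(seed: bytes, account: int, count: int) -> list[bytes]:
    """Privacy and scale: a fresh key per payment, all from one stored secret."""
    return [derive_path(seed, [HARDENED | account, i]) for i in range(count)]


def sign_approval(approver_key: bytes, tx: bytes) -> bytes:
    """One approver's tag over the exact transaction bytes.

    HMAC-SHA256 stands in for the per-approver ECDSA signature a real multi-signature
    script would check (assumption: the standard library has no ECDSA).
    """
    return hmac.new(approver_key, tx, hashlib.sha256).digest()


def dual_control_ok(tx: bytes, approver_keys: dict[str, bytes],
                    approvals: dict[str, bytes], threshold: int = 2) -> bool:
    """m-of-n dual control: release only if at least `threshold` distinct registered
    approvers produced a valid tag over this exact transaction."""
    valid = set()
    for name, tag in approvals.items():
        key = approver_keys.get(name)
        if key is None:
            continue  # unknown approver: ignored, never counted
        if hmac.compare_digest(sign_approval(key, tx), tag):
            valid.add(name)
    return len(valid) >= threshold


if __name__ == "__main__":
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo seed
    keys = payment_keys(seed, account=0, count=3)
    print("3 distinct per-payment keys:", len(set(keys)) == 3)

    # Three independent approvers (constructed keys; in practice each lives in its own HSM slot).
    approvers = {name: hashlib.sha256(b"constructed approver key: " + name.encode()).digest()
                 for name in ("ops", "finance", "audit")}
    tx = b"transfer 0.5 BTC to <destination placeholder>"
    two = {n: sign_approval(approvers[n], tx) for n in ("ops", "finance")}
    print("2-of-3 approved:", dual_control_ok(tx, approvers, two))                   # True
    print("single approver:", dual_control_ok(tx, approvers, {"ops": two["ops"]}))  # False
    print("tampered tx:", dual_control_ok(tx + b"0", approvers, two))                # False
```

The point of the derivation half is that the wallet stores one secret and still hands out an unlinkable key per payment; the point of the dual-control half is that no single key holder can release funds, that a tag only counts for the exact bytes it was computed over, and that an unregistered party's tag is simply ignored.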
36 IoT Touches EVERYTHING
Asset tracking, healthcare, agriculture, building management, security, energy, consumer, smart homes & cities, automotive, national infrastructure, embedded, mobile
37 Big Numbers – Big Challenge
38 Market Potential - The Internet of Things
"A development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data." Oxford Dictionary
39 The IoT Has Passed an Inflection Point
According to Cisco Internet Business Systems Group (IBSG), the Internet of Things was born in 2008 when more "things" were connected to the Internet than people.
According to Gartner, "By 2020, the number of smart-phones, tablets, and PCs in use will reach about 7.3 billion units. In contrast, the IoT will have about 26 billion units at that time."
IDC predicts that IoT will reach $3 Trillion by 2020.
40 Impact of those "things"
Economic value-add by vertical in 2020 (total value-add $1.9 Trillion)
Source: The Internet of Things, Worldwide Forecast (Gartner Nov 2013)
41 Problems we are trying to solve
Establishing trust between distributed entities
- Mutual authentication of devices, processes and users
- Credential creation, management, provisioning, validation and revocation
- Validating the integrity of remote systems
- Secure configuration
Secure communications between systems and devices
- Network and message level encryption
- Message signing and validation (non-repudiation)
Protection of data 'at rest' and 'in use' in command/control systems
- Storage, file, database and application level encryption and tokenization
Multi-platform support for multiple application environments
- Datacenter, cloud, mobile and embedded systems (e.g. Internet of Things)
- Support for a wide range of scale and assurance levels
42 The Automobile – the Ultimate Connected Thing
While a lot of the discussions surrounding connected vehicles focus on safety and anti-hacking measures, several industry strategic positions are clear:
- Autonomous vehicles are Job One
- Infotainment systems will converge with mobile phones
- The connected car will become a payments platform
43 There is an App for that!
• Unlock and lock doors
• Track status of vehicle systems
• Schedule automated commands
• Control the heater/air conditioner
• Open the sunroof
• Gather GPS data
And it's an OPEN SOURCE APP!
44 What about Paying Cars?
BumperPay Announces $100 Million Series A Funding
• High speed P2P payments
• Drive through services