cryptography as a service

Cryptography As A ServiceBarclays Crypto Application Gateway and Beyond

23rd May 2013George French – BarclaysDan Cvrcek – Smart Architects

Unrestricted distribution

Unrestricted distribution 2 | Cryptography as a Service 23rd May 2013

Cryptography As A Service

Application Cryptography

Interface

ApplicationCryptographyAudit Logging

ApplicationAuthentication

BCAG / CSG Service

Vendor HSM

interfaces

Application Key Management

Cryptography Policy

Enforcement

Key Management

Operationsand Audit

Applications

HSMs

Beginning … Cryptography and BusinessRequirement Solution lead time

Encrypt data (... and decrypt possibly) day

Secure key generation and management, recovery

months

Decryption after 30 years, huge data collections (tera bytes), multiple application support, integration

> year

Support and recovery after incidents Multiply by 2+

As surprising as it may sound there are very few security products that would actually work and could be managed with a small operationalteam. The main culprits: - integration, scalability, reliability, support


Crypto Service Must Provide For …• Audit

Cryptography is deployed as a control to mitigate a risk it is therefore necessary to be able to demonstrate that the control is effective.

• Cryptographic Management• The problem with cryptography is the decryption process.• NEVER GIVE DEVELOPERS OPTIONS WHEN ENCRYPTING DATA

• Centralised Management• Small teams even in multinational companies

• Monitoring of usage / capacity• BAU operational tasks• Security audits• Information for business units


Problem Space for The Use of Cryptography

Business

•Capturing Business Requirements

•Provision of a defined operational model

•Project/Bespoke development•Testing


What we are trying to manage


Business

• Capturing Business Requirements

• Provision of a defined service

• Risk Mitigation• Bullet

Build

•Requires Specialised knowledge•Meet requirements•Internal governance and standards compliance

•Infrastructure build•Change management




Business

• Capturing Business Requirements.

• Provision of a defined service.


•Hardware Utilisation•Project model delivers variances•Patch and Security Vulnerability Management

•Operation impact of outages•“Non-functional” Requirements

Operation• Requires Specialised knowledge

• Meet requirements• Internal governance

and standards compliance

• Infrastructure build• Change management

Build




Business




Operation

• Hardware Utilisation• Project model delivers

variances• Patch and Security

Vulnerability Management

• Operation impact of outages

Build

• Requires Specialised knowledge

• “The usual suspects”• Internal governance


Compliance

•Regulatory and scheme compliance

•Internal Audit•Customer Due diligence




Business




Operation

• Hardware Utilisation• Project model delivers

variances• Patch and Security

Vulnerability Management

• Operation impact of outages

Build

• Requires Specialised knowledge

• “The usual suspects”• Internal governance


Compliance

• Regulatory and scheme compliance

• Internal Audit• Customer Due

diligence



... I know nothing short of impossible but here we go

BCAG Cryptographic Approach

Separating use from management and configuration – Use (business units):

Request system authentication credentials (e.g., password);

Do Crypto – e.g., Api.Encrypt(“CC_Number”, “ME”, “Main_DB”, <transaction>)

– Management (BU and Crypto Operations): Policy – what business functions (e.g., encrypt credit

card number), how many parties (DB, web app, middleware, …).

– Technical (Crypto Operations): how many keys, algorithms, crypto modes, key

lengths, key validity, and so on. Unrestricted distribution 10 | Cryptography as a Service 23rd May 2013

BCAG Business Approach

Pay for what you use– Centralised use of resources (people, hardware, network,

…) HSMs used “per operation”, not “per project”.

– Commissioning of cryptographic system components by Crypto Operations

skills; volume; and single place for deployment and management ->

strategy. Decoupling components (i.e., HSM) from applications

– Eliminate vendor lock-in; and– Introduce service-based architecture with replaceable

products. Unrestricted distribution 11 | Cryptography as a Service 23rd May 2013

What Does It Look Like – Architectural Blocks

Business

Crypto support(1st line)Solution support(2nd line)

Product support(3rd line)


System Mechanics - OnboardingAdministrative process for enrolling new business application to BCAG

1. Capture Business Requirements– The most difficult part as the business does not

usually have a structured description of cryptographic requirements

2. Convert BR to policy specification– Semi-automated process that generates a BCAG

policy definition3. Amend BCAG access control with new “user” privileges4. Key generation and deployment (manual or semi-

automatic process)5. Use. Unrestricted distribution 13 | Cryptography as a Service 23rd May 2013

Mechanics - Operation

And 3 pieces of information that have to align:1. Authentication details = username and password2. Policy = username and authorised operations and key locator data3. Crypto Key definitions = key value and key locator data


Doing Crypto - Key Lookup• Traditionally

• Key Label = Key Value• You change a key value, you get a new key label• The new key label has to be propagated to all

applications using the old key• BCAG Approach

• Structured key locators: user, function, base_function, from, to

• Algorithm for locating keys• Dynamic, as it does not use 1:1 mapping but lookup

algorithm• Efficient – 2 layers of caching of recently used keys


Key Lookup – BCAG


Beyond• Large data processing; we talk about

• Daily encryption of giga and terabytes of data• Protection of archives with 100,000s of DB tables

• Composite cryptography• Grouping cryptographic operations into transactions

that require specific order of operations• Breach of a transaction is a potential data

compromise• Centralised key management

• Replacement of manual key loading to HSMs with an automatic process to minimise human errors and increase security


Beyond … banking• Platform for mobile app cryptography• Platform for financial services for future applications

• Providing API and system for banking transactions to developers without actually building a bank

• Being able to build own virtual Central Bank with a few button clicks

• All this requires something like BCAG to:• Access to payment schemes (VISA, MasterCard)• Strong cryptographic system able to ensure pre-defined

security properties (like cheating, counterfeiting … within the model of a virtual world)

• In some cases compliance with financial regulations


Thank you for your attention!

[email protected]@Barclays.com

Security Policy – Two AbstractionsUse - Visible for Business Units

• Users • just names, possibly with domain (e.g., LDAP)• And authentication options (specs for tickets)

• User groups – just names• Alias – just names for required crypto operations

Manage - Internal to Crypto Management• Params – the technical bit, e.g.

• [PARAMS CookieParams]• ManagedEncryption=false• Cipher=AES• KeySize=128• ModeOfOperation=CBC• IV=Random • Padding=NoPad


Doing Crypto - Key Lookup as You Know It


cryptography as a service

Documents

banks use cryptography

beginning cryptography

crypto service

business enabler

use of cryptographyproblem

problem space

key rollover

multiple application