![Page 1: Nopchai Tangtritham Symantec (Thailand) Ltdpeaoc.pea.co.th/ictsec/download/560320_building_trust... · 2016-06-21 · 10 Years 2011 2011 • 5.6 B Mobile Connections • 2B With InternetAccess](https://reader035.vdocuments.site/reader035/viewer/2022080721/5f7a5098fe2753188c21bd92/html5/thumbnails/1.jpg)
Building Trust & Cloud Ready Infrastructure
Nopchai Tangtritham
Symantec (Thailand) Ltd.
Computing History
Cloud Computing (Truth behind the Hype) 2
Merging Functionality
10 Years
2011 • 5.6 B Mobile Connections • 2B With Internet Access
2012 • Tablets Are The Rage • 1.1 Trillion in Mobile Revenues
2013 • 150M Tablets Shipped • Voice Recognition Becomes Useful
2014 • ~2.5 Mobile Consumers
2015 • 1B Smartphones
2016 • 44B Mobile App Downloads
2017 • Sensors on a chip = cheap • LTE Is Widespread
2018 • Wearable Devices
Sources in Order: InternetWorldStats.com, March 2011; IDC, June 2011; ABI Research, April 28, 2011; Gartner, August 4, 2011; Yankee Group, June 2011; Juniper Research, June 2011; Juniper Research, June 2011; Wireless Intelligence, July 2011
Connectivity & Mobility change the Security Landscape
What is the missing piece to Build a Trust Infrastructure? Identity!!
“On the Internet, no-one knows you’re a dog”
Example cases in Thailand
Underground Economy
Common issues with Passwords: Passwords No Longer Offer Sufficient Protection
Password change/recovery is the top access problem
• 55% of enterprises report this is the #1 issue for users
Too many passwords for employees to remember
• 87% of enterprises need users to have 2 or more passwords for access to resources
• 66% have 6+ password policies!
Weak passwords still the norm
• 1 in 5 users default to simple passwords
• Only 30% require strong auth
• 54% had a breach in the last year
Source: Forrester Research, Florida State University, Imperva
Strong Authentication Is Critical to Protecting Assets
Cryptographically enhanced credentials ensure trusted access
Something You Know: Username/Passwords, Mother’s Maiden Name, Transaction History
Something You Have: OTP password alternatives (risk‐based or symmetric key cryptography), or a Digital Certificate (public key cryptography)
A Strategic Approach to Authentication
Symantec™ VIP Provides Flexible Strong Authentication Options
Standalone OTP Credentials: Hardware Token; Mobile, Desktop Software; Embedded device
Out‐of‐Band: SMS; Voice Call
Strong Device IDs: Client‐based Device ID; Clientless Device ID
Risk Based: Intelligent Authentication
Symantec Validation & ID Protection (VIP): Easy to Use & Deploy, Multiple VIP Credentials
Mobile Phone Credentials: SMS OTP / Voice Enabled Pass-code / Embedded
Software Token
OTP Security Token
OTP Security Card
Out‐of‐Box Integration With Existing Applications
Windows Logon; Wi-Fi Logon (802.1X); Outlook Web Access; Citrix / VMware View; Secure Remote Access; Identity Manager / Application; Unix PAM
Validation SDK also available
Symantec™ VIP Intelligent Authentication
How Risk‐based “Intelligent Authentication” Works: Combining Passwords With Device ID And Risk Analysis
Evaluate…
• Do we know this device? (Complex Device ID)
• Is this device trustworthy? (Device Reputation)
• Is the user behavior suspicious? (User Behavior)
• Are there other potential threats?
…and respond with an Actionable Risk Score
• Low Risk: Grant access without an additional challenge
• High Risk: Challenge user via Out‐Of‐Band authentication process
Symantec™ VIP New Feature Overview – Symantec™ VIP Intelligent Authentication 15
Risk Score Computation ‐ Threshold
Configurable Risk Threshold, Default = 50
Below Threshold (0 to 50, Low Risk): No user challenge
Above Threshold (50 to 100, High Risk): User challenge
• Risk score is normalized on a bell curve to compute the final risk score
Identifying Risky Authentication Events: User Logs In From Home Using Work Laptop
Sunnyvale, United States – IP: 66.135.192.123, OS: Windows 7, Browser: Firefox 5.0
Known device ID
Location agrees with history
Unchanged device profile
Low Risk, No Challenge
Symantec™ VIP Intelligent Authentication – Technology Overview 17
Identifying Risky Authentication Events: User Travels to India with Same Laptop
Mumbai, Maharashtra – IP: 202.138.101.165, OS: Windows 7, Browser: Firefox 5.0
Known device, valid device ID
Unexpected behavior
Unchanged device profile
Medium Risk, Challenge User
Identifying Risky Authentication Events: User Upgrades Firefox While at Hotel in India
Mumbai, Maharashtra – IP: 202.138.101.165, OS: Windows 7, Browser: Firefox 6.0a2
Known device, valid device ID
Known IP address and location
Profile change, Firefox update
Low Risk, No Challenge
Identifying Risky Authentication Events: Hacker #1: Attacking from China
Guangzhou, Guandong – IP: 61.145.127.128, OS: Windows 7, Browser: Firefox 5.0
Unknown device, no device ID
Difficult travel from prior login
Unchanged device profile
High Risk, Challenge User
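The threshold slide and the four login scenarios above describe a scoring pipeline without showing how the signals turn into a number. The following is an added example written for this page, not Symantec VIP code: it scores a login from the same four signals the slides name (known device ID, location versus history, travel feasibility since the prior login, device profile change), maps the raw points to 0..100 through a normal CDF as one reading of "normalized on a bell curve", and compares the result with the configurable threshold (default 50). The weights, the 900 km/h travel limit, the low/medium/high bands, the coordinates and timestamps are all assumptions constructed for the example.

```python
"""Risk-based login scoring in the style of the slides (added example).

Not Symantec VIP code. Signal weights, the 900 km/h travel limit, the
risk bands and the erf-based "bell curve" normalisation are assumptions.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WEIGHTS = {                 # assumed raw points per signal
    "unknown_device": 50,
    "new_location": 55,
    "infeasible_travel": 30,
    "profile_changed": 10,
}
DEFAULT_THRESHOLD = 50      # slide: configurable threshold, default = 50
MAX_TRAVEL_KMH = 900.0      # assumption: faster than an airliner = impossible travel


@dataclass
class LoginEvent:
    device_id: str | None        # None: no device ID presented
    city: str
    lat: float
    lon: float
    profile: tuple[str, str]     # (OS, browser) fingerprint
    when: datetime


@dataclass
class UserHistory:
    devices: dict[str, tuple[str, str]] = field(default_factory=dict)
    cities: set[str] = field(default_factory=set)
    last: LoginEvent | None = None

    def record(self, ev: LoginEvent) -> None:
        """Remember a login that was allowed (or whose challenge succeeded)."""
        if ev.device_id:
            self.devices[ev.device_id] = ev.profile
        self.cities.add(ev.city)
        self.last = ev


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin(math.radians(lat2 - lat1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def normalise(raw: float, mu: float = 50.0, sigma: float = 20.0) -> int:
    """Map raw points onto 0..100 through the normal CDF (a 'bell curve')."""
    return round(100 * 0.5 * (1 + math.erf((raw - mu) / (sigma * math.sqrt(2)))))


def band(score: int) -> str:
    """Assumed bands: below the threshold is low, 50..79 medium, 80+ high."""
    return "low" if score < 50 else "medium" if score < 80 else "high"


def evaluate(ev: LoginEvent, hist: UserHistory, threshold: int = DEFAULT_THRESHOLD):
    """Return (score, reasons, action) for one login against the user's history."""
    raw, reasons = 0, []
    if not ev.device_id or ev.device_id not in hist.devices:
        raw += WEIGHTS["unknown_device"]; reasons.append("unknown device, no device ID")
    elif hist.devices[ev.device_id] != ev.profile:
        raw += WEIGHTS["profile_changed"]; reasons.append("profile change")
    if ev.city not in hist.cities:
        raw += WEIGHTS["new_location"]; reasons.append("location disagrees with history")
    if hist.last is not None:
        km = haversine_km(hist.last.lat, hist.last.lon, ev.lat, ev.lon)
        hours = (ev.when - hist.last.when).total_seconds() / 3600
        if km > 1.0 and (hours <= 0 or km / hours > MAX_TRAVEL_KMH):
            raw += WEIGHTS["infeasible_travel"]; reasons.append("difficult travel from prior login")
    score = normalise(raw)
    return score, reasons, ("challenge" if score >= threshold else "allow")


def run_scenario() -> list[tuple[str, int, str, str]]:
    """Replay the four slide scenarios on constructed data: (city, score, band, action)."""
    win7_ff5, win7_ff6 = ("Windows 7", "Firefox 5.0"), ("Windows 7", "Firefox 6.0a2")
    t0 = datetime(2011, 8, 1, 9, 0)
    hist = UserHistory(devices={"laptop-1": win7_ff5}, cities={"Sunnyvale"})
    events = [  # constructed coordinates for Sunnyvale, Mumbai and Guangzhou
        LoginEvent("laptop-1", "Sunnyvale", 37.37, -122.04, win7_ff5, t0),
        LoginEvent("laptop-1", "Mumbai", 19.08, 72.88, win7_ff5, t0 + timedelta(hours=24)),
        LoginEvent("laptop-1", "Mumbai", 19.08, 72.88, win7_ff6, t0 + timedelta(hours=32)),
        LoginEvent(None, "Guangzhou", 23.13, 113.26, win7_ff5, t0 + timedelta(hours=33)),
    ]
    out = []
    for ev in events:
        score, _, action = evaluate(ev, hist)
        out.append((ev.city, score, band(score), action))
        if action == "allow" or ev.device_id in hist.devices:  # assume the real user passes the OOB challenge
            hist.record(ev)
    return out


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

Replaying the events in order matters: the Mumbai challenge succeeds, so Mumbai joins the known locations and the later Firefox upgrade from the same hotel only carries the small profile-change weight, while the Guangzhou login stacks an unknown device, an unknown location and a 4,000 km hop within an hour and lands at the top of the scale.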
VIP Transaction Monitoring
PKI Overview 21
Risk‐based Example: Transaction Man‐in‐the‐Middle Attack
Attack is Executed From the User’s Compromised Machine
Transaction entered by the user: From: A, To: B, Amount: $5,000
Transaction as altered by the attacker: From: A, To: C, Amount: $15,000
Attacker: “Thanks!”
Selling VIP for Channel Partners 22
Preventing a Transaction Man‐in‐the‐Middle Attack: Prohibits invalid transaction even if machine infected
Transaction entered by the user: From: A, To: B, Amount: $5,000
Transaction as altered by the attacker: From: A, To: C, Amount: $15,000 – the altered transaction is prohibited
Attacker: “Argh!”
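The two slides above show the outcome but not the mechanism that lets a bank reject a transfer altered on an infected machine. One common mechanism is transaction signing: the one-time code is bound to the exact transfer details, so a code the user generated for "$5,000 to B" cannot authorise "$15,000 to C". The block below is an added example written for this page, not Symantec VIP code; the shared token secret, account labels, counter and 6-digit code format are constructed assumptions.

```python
"""Transaction-bound OTP (transaction signing) against the man-in-the-browser
attack on the slides. Added example, not Symantec VIP code. The shared
secret, account labels and 6-digit code format are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount_cents: int


def transaction_code(secret: bytes, tx: Transfer, counter: int) -> str:
    """6-digit code bound to the transfer details and a per-user counter.

    The user's token (phone app or other out-of-band device) computes this
    over the details the user typed into it; the bank recomputes it over the
    details it actually received, so any change in transit breaks the match.
    """
    msg = f"{tx.src}|{tx.dst}|{tx.amount_cents}|{counter}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def bank_accepts(secret: bytes, received: Transfer, code: str, counter: int) -> bool:
    """Bank-side check: the code must match the transfer as received."""
    expected = transaction_code(secret, received, counter)
    return hmac.compare_digest(expected, code)


def simulate() -> dict:
    """Replay the slide scenario: legitimate, tampered and replayed transfers."""
    secret = b"constructed-per-user-token-secret"        # provisioned to token and bank
    counter = 17                                         # token and bank counters in sync
    intended = Transfer("A", "B", 500_000)               # user: $5,000 to B
    code = transaction_code(secret, intended, counter)   # computed on the user's token
    tampered = Transfer("A", "C", 1_500_000)             # malware rewrote it: $15,000 to C
    return {
        "legit_accepted": bank_accepts(secret, intended, code, counter),
        "tampered_accepted": bank_accepts(secret, tampered, code, counter),
        "replayed_accepted": bank_accepts(secret, intended, code, counter + 1),
    }


if __name__ == "__main__":
    print(simulate())
```

The check holds even if the browser is fully controlled by the attacker, because the secret never touches the compromised machine and the malware cannot compute a code for the details it substituted; the counter keeps an intercepted code from being reused for a later transfer.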
Public Key Infrastructure (PKI) & Symantec MPKI Introduction
4 key pillars of a Trust Infrastructure: we need mechanisms that support...
• Authentication – confidence in the identity of the user or application
• Confidentiality – data stays private (secret is secret)
• Integrity – confidence that data has not been forged or altered
• Non-Repudiation – responsibility for the data cannot be denied (the signature can only have been created by the owner of the Private Key)
Everything you wanted to know about keys, cryptography… etc.
Cryptography & PKI 101
Symmetric Cryptography
Encrypting: plaintext + key + Algorithm gives ciphertext
Plaintext: To: The Bank / From: Tom Jones / Date: 31 Dec 12 / Please transfer One Million Dollars from account 1234567 to account 7654321, Tom Jones
Ciphertext: *> *ql3*UY#~00873/JDI c4(DH: IWB(883 LKS9UI29as9eeasdofiqw9vijhas9djerhp7goe.>(*Y23k^wbvlqkwcyw83 zqw-_89237xGyjdc Biskdue di7@94
Decrypting: ciphertext + the same key + Algorithm gives the plaintext back
Asymmetric Cryptography: keys are used in pairs (Public/Private Key), called a key pair
Encrypting: plaintext + Public key + Algorithm gives ciphertext
Plaintext: To: The Bank / From: Tom Jones / Date: 31 Dec 99 / Please transfer One Million Dollars from account 1234567 to account 7654321, Tom Jones
Ciphertext: *> *ql3*UY#~00873/JDI c4(DH: IWB(883 LKS9UI29as9eeasdofiqw9vijhas9djerhp7goe.>(*Y23k^wbvlqkwcyw83 zqw-_89237xGyjdc Biskdue di7@94
Decrypting: ciphertext + Private key + Algorithm gives the plaintext back
One Way Hash
• A hash is the process of passing data through a hashing algorithm
• The result is a fixed-size “fingerprint” of the data (normally 128 or 160 bits), also called a digest
• Similar to a CRC, but more advanced
• Commonly used to check data integrity
• Examples – MD5, SHA-1
One Way Hash ‐ Integrity
Message: Please Send 1,000 widgets @ $4 each
Hashing algorithm produces the Message digest: D4 21 F5 3D 22 9A CC B7 3C AA E2 DC 12 1A A1 CB
Send the message and digest to the supplier
The supplier runs the received message through the same hashing algorithm and compares: D4 21 F5 3D 22 9A CC B7 3C AA E2 DC 12 1A A1 CB
One Way Hash ‐ Digital signature (Integrity)
Message: Please Send 1,000 widgets @ $4 each
Hashing algorithm produces the digest: D4 21 F5 3D 22 9A CC B7 3C AA E2 DC 12 1A A1 CB
Signing algorithm with the Sender’s Private key produces the Digital Signature: 001010110101001011011010110110
One more problem remains:
Q. How do we know, and be sure, whose Public Key this is?
A. Digital Certificates signed by a Trusted Certification Authority!
Certification Authority
Getting to know Digital Certificates, Digital Identities
• A Certificate binds a “public key” to its owner
– User or Device Certificate
– Contains information about the owner
– Information about the issuer
– Key Usage
– Validity and Expiration Dates
– Standardised (X.509, PEM, etc.)
– Has both Required & Optional Fields
– Stored on the User Device or a Smart Card
• Security depends on the key size – typically 1024, 2048 bit
• Usually signed by a 3rd party (the CA here), which has already verified the identity of the Certificate owner (eliminating the problem of fake Certs)
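The hash, signature and certificate slides above (One Way Hash, Digital signature, the "whose Public Key is this?" question, and the certificate fields) describe one chain: digest the message, sign the digest with the private key, and have a CA sign the binding between a public key and its owner so the verifier knows which public key to trust. The block below is an added example written for this page, not code from the slides or from Symantec: it walks that chain end to end with SHA-256 from the standard library (the slides' MD5 and SHA-1 are no longer collision-resistant and should not be used for new signatures) and a textbook, unpadded RSA with toy 512-bit keys that exists only to show the mechanics. The subject names, dates, message text and the "Toy CA" are constructed; real deployments use a vetted library, padded signatures and X.509 rather than this JSON stand-in.

```python
"""Hash, digital signature and CA-signed certificate, end to end (added
example, not from the slides). SHA-256 from the standard library; textbook
(unpadded) RSA with toy 512-bit keys, for demonstration only, never real use.
"""
import hashlib
import json
import random


def _is_probable_prime(n: int, rounds: int = 25) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _is_probable_prime(cand):
            return cand


def keygen(bits: int = 512):
    """Return (public, private) = ((n, e), (n, d)); toy key sizes only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                       # e must be invertible mod phi
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest(msg: bytes) -> bytes:
    """Fixed-size fingerprint of the message (the slides' 'message digest')."""
    return hashlib.sha256(msg).digest()


def sign(priv, msg: bytes) -> int:
    """Signing algorithm: hash first, then apply the sender's private key."""
    n, d = priv
    h = int.from_bytes(digest(msg), "big")
    if h >= n:
        raise ValueError("modulus too small for the digest")
    return pow(h, d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    """Recompute the digest and compare with the signature opened by the public key."""
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest(msg), "big")


def issue_certificate(ca_priv, subject: str, subject_pub, not_before: str, not_after: str) -> dict:
    """CA binds a public key to a subject and validity period, then signs that binding."""
    tbs = {"issuer": "Toy CA", "subject": subject, "public_key": list(subject_pub),
           "not_before": not_before, "not_after": not_after}
    return {"tbs": tbs, "signature": sign(ca_priv, json.dumps(tbs, sort_keys=True).encode())}


def verify_certificate(cert: dict, ca_pub, today: str) -> bool:
    """Relying party: the CA signature over the fields must check and the date must be in range."""
    tbs = cert["tbs"]
    if not verify(ca_pub, json.dumps(tbs, sort_keys=True).encode(), cert["signature"]):
        return False
    return tbs["not_before"] <= today <= tbs["not_after"]   # ISO dates compare as strings


def demo() -> dict:
    """Integrity check, signature check, and certificate validation on constructed data."""
    msg = b"Please Send 1,000 widgets @ $4 each"       # message text from the slide
    tampered = b"Please Send 2,000 widgets @ $4 each"  # constructed alteration in transit
    ca_pub, ca_priv = keygen()
    tom_pub, tom_priv = keygen()
    other_pub, _ = keygen()                            # a key someone tries to pass off as Tom's
    sent_digest, sig = digest(msg), sign(tom_priv, msg)
    cert = issue_certificate(ca_priv, "Tom Jones", tom_pub, "2012-01-01", "2013-12-31")
    swapped = {"tbs": dict(cert["tbs"], public_key=list(other_pub)), "signature": cert["signature"]}
    return {
        "digest_matches": sent_digest == digest(msg),              # supplier recomputes, unchanged
        "digest_detects_change": sent_digest != digest(tampered),  # supplier recomputes, altered
        "signature_valid": verify(tom_pub, msg, sig),
        "signature_rejects_change": not verify(tom_pub, tampered, sig),
        "cert_valid": verify_certificate(cert, ca_pub, "2012-12-31"),
        "cert_rejects_swapped_key": not verify_certificate(swapped, ca_pub, "2012-12-31"),
        "cert_rejects_expired": not verify_certificate(cert, ca_pub, "2014-06-01"),
    }
```

The certificate part is the answer to the slide's question: the relying party never has to trust the public key on its own, only the CA's signature over the (subject, key, validity) fields, which is why replacing the key inside a certificate or presenting it outside its validity window fails even though the key itself is perfectly usable.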
Requirements for a Trusted PKI
Security Services & Key Recovery; Secure Infrastructure; Policy & Practices; Certificate Service; Application Integration; Software & Hardware Availability; Risk & Liability Management; Application Consulting; User Support
Hardware and software are just one piece of the puzzle. A PKI requires: technology, people, facilities, applications, policy, and procedures
CA is the trust point but can also be targeted, even a Professional
Building & Enabling PKI with Symantec
Symantec Powered PKI
Countries and customers shown on the map: TrustWise; Netherlands; Iceland; South Korea; Greece; United Kingdom; Italy; Spain; Germany; Hermes (West, East); Japan; India; Philippines; Israel; Malaysia; Very Large Data Processing Customer (West); China; Kuwait; Vietnam; Brazil; Chile; South Africa; Argentina; Australia
Programs and roots shown on the map (with the years as labelled): WiMAX Industry Root; External Certificate Authority (ECA) 1999; Cable Industry Root; Adobe CDS 2004; Adobe Approved Trust List 2009; Federal Shared Service Provider 2006; Gatekeeper 2000; SAFE 2009; CertiPath 2005; Operator 2003; Operator 2009
Global National PKI Programs
Background
+ E-Government Programs Launching Across The Globe
+ ICAO Standard Is Driving E-Passport Programs
+ ID Standards Are Driving Adoption Of National ID, Health Identity, Tax Filing and Other Card Programs
+ Countries Have Elected To Set Up Root CA Capabilities Under National Infrastructure
+ Business Cases Continue To Evolve
Key Projects – National PKI Projects
+ Certified Country CAs: Egypt
+ Greek National PKI E-Government Program, Tax Filing Program
+ Kuwait National PKI National ID Program
+ Tax ID Card Programs: Brazil, India
+ German Health Card Program
+ Dutch Taxi Identity Program
Success Factors
+ Inter-government support for standards established the market
+ Government mandates and next generation e-gov programs drive the market
+ Partners must demonstrate financial stability, ability to scale, and completeness of solution to drive adoption
+ Commitment to local implementation partners
Local Partners: Germany, Netherlands, Greece
Symantec Managed PKI Lowers Cost and Reduces Complexity
Build Your Own (In-house) PKI: PKI Software; Servers; Secure Databases; Firewalls; Facility; Trust & Train IT Personnel; Trust & Train Operational Personnel; Your PKI Administrator; Accreditations
Cost and complexity of the in-house solution mitigates benefits
vs. Symantec Managed PKI Services:
Lower total cost of ownership
Proven, reliable infrastructure and secure operation
Fast deployment in state-of-the-art secure datacenter
Proven scalability, 24/7 support, Binding SLAs
Accredited PKI back-end and policy (KPMG & WebTrust)
Public Trust vs Private Trust
• Public
– Open community
– Consumer Web Applications
– Secure Email / Document Signing (e.g. PDF)
• Private
– Closed community
– Private B2B exchanges
– Network Access / VPN
– Users must install the root cert in their Application themselves
• Issuing CAs
– Issue digital certificates to end users
• Symantec MPKI supports both Public & Private use
– MPKI users can set up more than 1 CA
– Depending on the design and what suits the use case
PKI – Certificates Life Cycle
1 MANAGE • Admin configures certificate policy
2 REQUEST • Present ID • SYMC MPKI confirms identity of user/device
3 ISSUE • Deliver certificate to user/device • Configure apps to use cert
4 USE • Authenticate to apps • Encrypt docs/emails • Sign docs/emails/transactions
5 MANAGE • Report, revoke, recover, renew
Full Lifecycle Management a Critical Success Factor
Everything is built‐in
• Root of Trust
• Management roles
• Tools
• Workflow
• Key Recovery
• Reporting
• Etc.
42 Symantec Confidential
PKI Platform Across All Applications: Out of Box Support for Multiple Use Cases
Secure Email – Digitally signed, encrypted email communications
Secure Remote Access – Strong authentication to networks via VPN
Strong Web Authentication – Authenticate to web apps via a browser
Document Signing – Digitally signed documents, including Adobe PDF
Infrastructure Authentication – Transparent WIFI access or EAP capable wired switch access
Other Initiatives
• Mobile Device Management
• Multi‐use Smart Cards (HSPD 12/PIV)
Deploying Secure Email Certificates
• End User follows a link from the enterprise administrator to obtain a certificate (S/MIME)
• PKI Client automatically configures Outlook
• Sets Signing and Encryption certificate
• Enables Sign and Encrypt options
• User selectively signs and/or encrypts messages*
Symantec Managed PKI Service – Solution Overview 44
* Note: Encrypt requires the recipient’s certificate; this is usually obtained from the AD or Symantec public LDAP directory
Document Signing
• Customer Objectives
– Meet legal or business requirement for certified documents
– Industry compliance mandates (certain verticals like public sector, SAFE etc)
– E‐Business workflows (e.g. payroll data, manufacturing specifications etc)
• Special Issues
– Requires public trust
– Integrated with signing appliances like ARX or CoSign if gateway model is preferred
• The Symantec Difference
– Cloud based service lowers the TCO
– Automation and application enablement greatly simplifies the end user experience
Cloud Ready Infrastructure
IT Mega Trends
Information Explosion; Social Media Explosion; Threat Landscape; Virtualization; Mobile; Consumerization of IT; Cloud
Mega‐Trends, and CISO Mega‐Pains
Private Cloud
Security for the Cloud: New Risks & Challenges
Symantec O3: The New Cloud Control Point 48
Symantec O3: The New Cloud Control Point
O3 layers: Identity & Access Control Layer; Cloud Information Security Layer; Cloud Information Management Layer; Compliance Layer
Figure labels: Control, Private Cloud, Security, Compliance
Thank you!
[email protected]
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.