Building Trust & Cloud Ready Infrastructure, Nopchai Tangtritham, Symantec (Thailand) Ltd.


Post on 28-Jul-2020


TRANSCRIPT

Page 1: Nopchai Tangtritham Symantec (Thailand) Ltdpeaoc.pea.co.th/ictsec/download/560320_building_trust... · 2016-06-21 · 10 Years 2011 2011 • 5.6 B Mobile Connections • 2B With InternetAccess

Building Trust & Cloud Ready Infrastructure

Nopchai Tangtritham

Symantec (Thailand) Ltd.

Page 2:

Computing History

Cloud Computing (Truth behind the Hype)

Page 3:

Merging Functionality

Page 4:

10 Years

• 2011: 5.6 B Mobile Connections
• 2011: 2B With Internet Access
• 2012: 1.1 Trillion in Mobile Revenues
• 2013: 150M Tablets Shipped
• 2014: ~2.5 Mobile Consumers
• 2015: 1B Smartphones
• 2016: 44B Mobile App Downloads
• 2017: Sensors on a chip = cheap
• 2018: Wearable Devices

Timeline callouts: Tablets Are The Rage; Voice Recognition Becomes Useful; LTE Is Widespread

Sources in Order: InternetWorldStats.com, March 2011; IDC, June 2011; ABI Research, April 28, 2011; Gartner, August 4, 2011; Yankee Group, June 2011; Juniper Research, June 2011; Juniper Research, June 2011; Source: Wireless Intelligence, July 2011

Page 5:

Connectivity & Mobility change Security Landscape

Page 6:

What is the missing piece to build Trust Infrastructure?

Identity !!

“On the Internet, no-one knows you’re a dog”

Page 7:

Example cases in Thailand

Page 8:

Underground Economy

Page 9:

Common issues with Password

Passwords No Longer Offer Sufficient Protection

Password change/recovery is top access problem
• 55% of enterprises report this is #1 issue for users

Too many passwords for employees to remember
• 87% of enterprises need users to have 2 or more passwords for access to resources
• 66% have 6+ password policies!

Weak passwords still the norm
• 1 in 5 users default to simple passwords
• Only 30% require strong auth
• 54% had a breach in last year

Source: Forrester Research, Florida State University, Imperva

Page 10:

Strong Authentication Is Critical to Protecting Assets

Cryptographically enhanced credentials ensure trusted access

Something You Know
• Username/Passwords
• Mother’s Maiden Name
• Transaction History

Something You Have
• OTP passwords alternatives (risk-based or symmetric key cryptography)
• Or Digital Certificate (public key cryptography)

Page 11:

A Strategic Approach to Authentication

Symantec™ VIP Provides Flexible Strong Authentication Options

Symantec™ VIP
• Standalone OTP Credentials: Hardware Token; Mobile, Desktop Software; Embedded
• Out-of-Band: SMS; Voice Call; Email
• Strong Device IDs: Client-based Device ID; Clientless Device ID
• Risk Based: Intelligent Authentication

Page 12:

Symantec Validation & ID Protection (VIP)

Easy to Use & Deploy, Multiple VIP Credentials

• Mobile Phone Credentials
• SMS OTP / Voice Enabled Pass-code / Embedded
• Software Token
• OTP Security Token
• OTP Security Card

Page 13:

Out-of-Box Integration With Existing Applications

• Windows Logon
• Wi-Fi Logon (802.1X)
• Outlook Web Access
• Citrix / VMware View
• Secure Remote Access
• Identity Manager / Application
• Unix PAM

Validation SDK also available

Page 14:

Symantec™ VIP Intelligent Authentication

Page 15:

How Risk-based “Intelligent Authentication” Works

Combining Passwords With Device ID And Risk Analysis

Evaluate…
• Do we know this device?
• Is this device trustworthy?
• Is the user behavior suspicious?
• Are there other potential threats?

Inputs: Complex Device ID; Device Reputation; User Behavior

Actionable Risk Score

…and respond
• Low Risk: Grant access without an additional challenge
• High Risk: Challenge user via Out-Of-Band authentication process

Symantec™ VIP New Feature Overview – Symantec™ VIP Intelligent Authentication

Page 16:

Risk Score Computation - Threshold

Configurable Risk Threshold (Default = 50)

Scale: 0 (Low Risk) to 100 (High Risk)
• Below Threshold: No user challenge
• Above Threshold: User challenge
• Risk score is normalized on a bell curve to compute the final risk score

Page 17:

Identifying Risky Authentication Events

User Logs In From Home Using Work Laptop

Sunnyvale, United States
IP: 66.135.192.123
OS: Windows 7
Browser: Firefox 5.0

• Known device ID
• Location agrees with history
• Unchanged device profile

Low Risk, No Challenge

Symantec™ VIP Intelligent Authentication – Technology Overview

Page 18:

Identifying Risky Authentication Events

User Travels to India with Same Laptop

Mumbai, Maharashtra
IP: 202.138.101.165
OS: Windows 7
Browser: Firefox 5.0

• Known device, valid device ID
• Unexpected behavior
• Unchanged device profile

Medium Risk, Challenge User

Page 19:

Identifying Risky Authentication Events

User Upgrades Firefox While at Hotel in India

Mumbai, Maharashtra
IP: 202.138.101.165
OS: Windows 7
Browser: Firefox 6.0a2

• Known device, valid device ID
• Known IP address and location
• Profile change, Firefox update

Low Risk, No Challenge

Page 20:

Identifying Risky Authentication Events

Hacker #1: Attacking from China

Guangzhou, Guangdong
IP: 61.145.127.128
OS: Windows 7
Browser: Firefox 5.0

• Unknown device, no device ID
• Difficult travel from prior login
• Unchanged device profile

High Risk, Challenge User
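The four login scenarios above, replayed through a small risk scorer, as an added example that is not Symantec VIP code and not part of the original slides. The signal weights, the 900 km/h travel limit, the device name `laptop-1`, the city coordinates and the timestamps are assumptions; only the 0 to 100 scale, the default threshold of 50 and the IP and browser values come from the slides, and the bell-curve normalisation they mention is not reproduced.

```python
import math
from dataclasses import dataclass, field
from typing import Optional

THRESHOLD = 50            # default from the slides; scores run 0 (low) to 100 (high)
# Hypothetical weights, chosen only so the four slide scenarios come out as shown.
W_UNKNOWN_DEVICE = 60
W_NEW_LOCATION = 55
W_DIFFICULT_TRAVEL = 30
W_PROFILE_CHANGE = 10
MAX_SPEED_KMH = 900       # assumption: faster than an airliner is "difficult travel"


@dataclass
class Login:
    device_id: Optional[str]   # None means no device ID was presented
    ip: str
    lat: float                 # approximate city coordinates (constructed)
    lon: float
    browser: str
    hour: float                # hours since the first sample login (constructed)


@dataclass
class History:
    devices: dict = field(default_factory=dict)   # device_id -> last seen browser
    ips: set = field(default_factory=set)
    last: Optional[Login] = None


def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))


def risk_score(ev, hist):
    score, reasons = 0, []
    if ev.device_id is None or ev.device_id not in hist.devices:
        score += W_UNKNOWN_DEVICE
        reasons.append("unknown device")
    elif hist.devices[ev.device_id] != ev.browser:
        score += W_PROFILE_CHANGE
        reasons.append("profile change")
    if ev.ip not in hist.ips:
        score += W_NEW_LOCATION
        reasons.append("new location")
    if hist.last is not None:
        hours = max(ev.hour - hist.last.hour, 1e-6)
        if km_between(hist.last, ev) / hours > MAX_SPEED_KMH:
            score += W_DIFFICULT_TRAVEL
            reasons.append("difficult travel")
    return min(score, 100), reasons


def authenticate(ev, hist, challenge_passed):
    """Challenge above the threshold; only a granted login updates the history."""
    score, reasons = risk_score(ev, hist)
    challenged = score > THRESHOLD
    granted = challenge_passed if challenged else True
    if granted:
        if ev.device_id is not None:
            hist.devices[ev.device_id] = ev.browser
        hist.ips.add(ev.ip)
        hist.last = ev
    return {"score": score, "challenge": challenged, "granted": granted, "reasons": reasons}


def run_slide_scenarios():
    sunnyvale, mumbai, guangzhou = (37.37, -122.04), (19.08, 72.88), (23.13, 113.26)
    hist = History(devices={"laptop-1": "Firefox 5.0"}, ips={"66.135.192.123"})
    hist.last = Login("laptop-1", "66.135.192.123", *sunnyvale, "Firefox 5.0", 0)
    events = [  # (name, login, result of the out-of-band challenge if one is issued)
        ("home", Login("laptop-1", "66.135.192.123", *sunnyvale, "Firefox 5.0", 24), False),
        ("india", Login("laptop-1", "202.138.101.165", *mumbai, "Firefox 5.0", 72), True),
        ("upgrade", Login("laptop-1", "202.138.101.165", *mumbai, "Firefox 6.0a2", 80), False),
        ("attacker", Login(None, "61.145.127.128", *guangzhou, "Firefox 5.0", 81), False),
    ]
    return {name: authenticate(ev, hist, ok) for name, ev, ok in events}


if __name__ == "__main__":
    for name, result in run_slide_scenarios().items():
        print(name, result)
```

The Mumbai login is challenged once; because the challenge succeeds, that IP joins the history, which is why the later Firefox upgrade from the same hotel scores low.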

Page 21:

VIP Transaction Monitoring

PKI Overview

Page 22:

Risk-based Example: Transaction Man-in-the-Middle Attack

Attack is Executed From User's Compromised Machine

From: A, To: B, Amount: $5,000

From: A, To: C, Amount: $15,000

Thanks!

Selling VIP for Channel Partners

Page 23:

Preventing a Transaction Man-in-the-Middle Attack

Prohibits invalid transaction even if machine infected

From: A, To: B, Amount: $5,000

From: A, To: C, Amount: $15,000

From: A, To: C, Amount: $15,000

Argh!

Page 24:

Public Key Infrastructure (PKI) & Symantec MPKI Introduction

Page 25:

4 key principles of Trust Infrastructure

We need mechanisms that support...

• Authentication – confidence in the identity of the user or application
• Confidentiality – data stays private (secret is secret)
• Integrity – confidence that data has not been forged or altered
• Non-Repudiation – responsibility for the data cannot be denied (the signature can be created only by the owner of the Private Key)

Page 26:

Everything you wanted to know about keys, cryptography…etc

Cryptography & PKI 101

Page 27:

Symmetric Cryptography

Encrypting: plaintext message + key + Algorithm → ciphertext (unreadable text)

Decrypting: ciphertext + key + Algorithm → plaintext message

Sample plaintext message:

To: The Bank
From: Tom Jones
Date: 31 Dec 12
Please transfer One Million Dollars from account 1234567 to account 7654321,
Tom Jones

Page 28:

Asymmetric Cryptography

Keys are used in pairs (Public/Private Key), called a Key pair

Encrypting: plaintext message + Public key + Algorithm → ciphertext (unreadable text)

Decrypting: ciphertext + Private key + Algorithm → plaintext message

Sample plaintext message:

To: The Bank
From: Tom Jones
Date: 31 Dec 99
Please transfer One Million Dollars from account 1234567 to account 7654321,
Tom Jones

Page 29:

One Way Hash

• Hashing is the process of passing data through a hashing algorithm
• The result is a fixed-size “fingerprint” of the data (normally 128 or 160 bits)
  – also called a digest
• Similar to a CRC but more advanced
• Commonly used to verify data integrity (Integrity)
• Examples
  – MD5, SHA-1

Page 30:

One Way Hash - Integrity

“Please Send 1,000 widgets @ $4 each” → Hashing algorithm → Message digest: D4 21 F5 3D 22 9A CC B7 3C AA E2 DC 12 1A A1 CB

Send to supplier

“Please Send 1,000 widgets @ $4 each” + D4 21 F5 3D 22 9A CC B7 3C AA E2 DC 12 1A A1 CB → Hashing algorithm → D4 21 F5 3D 22 9A CC B7 3C AA E2 DC 12 1A A1 CB

Page 31:

One Way Hash - Digital signature (Integrity)

“Please Send 1,000 widgets @ $4 each” → Hashing algorithm → D4 21 F5 3D 22 9A CC B7 3C AA E2 DC 12 1A A1 CB → Signing algorithm (Sender's Private key) → Digital Signature 001010110101001011011010110110
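The hash and signature flow from the last three slides, as an added example that is not part of the original presentation. It uses SHA-256 instead of the MD5 and SHA-1 named on the slide, because both have practical collision attacks, and textbook RSA without padding on a throwaway key built from two published Mersenne primes (an assumption made so the block runs with the standard library only); production signing uses a padded scheme such as RSA-PSS from a vetted library.

```python
import hashlib
import hmac

# Demonstration key only: both primes are published Mersenne primes, so this
# modulus is trivially factorable. Real keys come from a vetted crypto library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held by the sender only


def digest(message: bytes) -> bytes:
    """One-way hash: fixed-size fingerprint of the message (SHA-256, 32 bytes)."""
    return hashlib.sha256(message).digest()


def bare_digest_check(message: bytes, sent_digest: bytes) -> bool:
    """Integrity check from the 'One Way Hash - Integrity' slide: re-hash, compare."""
    return hmac.compare_digest(digest(message), sent_digest)


def sign(message: bytes) -> int:
    """Hash, then apply the private key to the digest (textbook RSA, no padding)."""
    return pow(int.from_bytes(digest(message), "big"), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Recover the signed digest with the public key and compare with a fresh hash."""
    return pow(signature, E, N) == int.from_bytes(digest(message), "big")


def demo():
    order = b"Please Send 1,000 widgets @ $4 each"       # message from the slide
    tampered = b"Please Send 9,000 widgets @ $4 each"    # constructed alteration
    sent_digest, signature = digest(order), sign(order)
    return {
        "digest_bits": len(sent_digest) * 8,
        "digest_ok": bare_digest_check(order, sent_digest),
        "digest_detects_change": not bare_digest_check(tampered, sent_digest),
        # A bare digest involves no key: whoever alters the message in transit
        # can also replace the digest, and the receiver's check still passes.
        "replaced_digest_passes": bare_digest_check(tampered, digest(tampered)),
        # The signature cannot be recomputed without the sender's private key.
        "signature_ok": verify(order, signature),
        "signature_detects_change": not verify(tampered, signature),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The `replaced_digest_passes` result is the reason the deck moves from a plain digest to a digest signed with the sender's private key.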

Page 32:

One problem remains:

Q. How can we know and be sure whose Public Key this is?

A. Digital Certificates signed by a Trusted Certification Authority!

Certification Authority

Page 33:

Getting to know Digital Certificates, Digital Identities

• A Certificate links a “public key” to its owner
  – User or Device Certificate
  – Contains information about the owner
  – Information about the certificate issuer
  – Usage (Key Usage)
  – Validity and Expiration Dates
  – Standardized (X.509, PEM, etc.)
  – Has both Required & Optional Fields
  – Stored on the User Device or a Smart Card
• Security depends on key size
  – Typically 1024, 2048 bit
• Usually signed by a 3rd party (the CA here), which has verified the identity of the Certificate owner (eliminating the problem of fake certificates)

Page 34:

Requirements for a Trusted PKI

• Security Services & Key Recovery
• Secure Infrastructure
• Policy & Practices
• Certificate Software & Hardware
• Service Availability
• Application Integration
• Risk & Liability Management
• Application Consulting
• User Support

Hardware and software are just one piece of the puzzle

A PKI requires: technology, people, facilities, applications, policy, and procedures

Page 35:

CA is the trust point but can also be targeted even a Professional

Page 36:

Building & Enable PKI with Symantec

Page 37:

Symantec Powered PKI

Countries shown on the diagram: Netherlands, Iceland, South Korea, Greece, United Kingdom, Italy, Spain, Germany, Japan, India, Philippines, Israel, Malaysia, China, Kuwait, Vietnam, Brazil, Chile, South Africa, Argentina, Australia

Other labels on the diagram: TrustWise, Hermes, West, East, Very Large Data Processing Customer

Roots and accreditations:
• External Certificate Authority (ECA), 1999
• Gatekeeper, 2000
• Cable Industry Root Operator, 2003
• Adobe CDS, 2004
• CertiPath, 2005
• Federal Shared Service Provider, 2006
• WiMAX Industry Root Operator, 2009
• Adobe Approved Trust List, 2009
• SAFE, 2009

Page 38:

Global National PKI Programs

Background
+ E-Government Programs Launching Across The Globe
+ ICAO Standard Is Driving E-Passport Programs
+ ID Standards Are Driving Adoption Of National ID, Health Identity, Tax Filing and Other Card Programs
+ Countries Have Elected To Set Up Root CA Capabilities Under National Infrastructure
+ Business Cases Continue To Evolve

Key Projects
+ National PKI Projects
+ Certified Country CAs: Egypt
+ Greek National PKI E-Government Program Tax Filing Program
+ Kuwait National PKI National ID Program
+ Tax ID Card Programs: Brazil India
+ German Health Card Program
+ Dutch Taxi Identity Program

Local Partners: Germany, Netherlands, Greece

Success Factors
+ Inter-government support for standards established market
+ Government mandates and next generation e-gov programs drive the market
+ Partners must demonstrate financial stability, ability to scale, and completeness of solution drive adoption
+ Commitment to local implementation partners

Page 39:

Symantec Managed PKI

Lowers Cost and Reduces Complexity

Build Your Own (In-house) PKI vs. Symantec Managed PKI Services

Diagram components: Servers; Secure Databases; PKI Software; Firewalls; Facility; Accreditations; Trust & Train IT Personnel; Trust & Train Operational Personnel; Your PKI Administrator

Cost and complexity of in-house solution mitigates benefits

Symantec Managed PKI Services:
• Lower total cost of ownership
• Proven, reliable infrastructure and secure operation
• Fast deployment in state-of-the-art secure datacenter
• Proven scalability
• 24/7 support
• Binding SLAs
• Accredited PKI back-end and policy (KPMG & WebTrust)

Page 40:

Public Trust vs Private Trust

• Public
  – Open community
  – Consumer Web Applications
  – Secure Email / Document Signing (e.g. PDF)
• Private
  – Closed community
  – Private B2B exchanges
  – Network Access / VPN
  – Users must install the root cert in the application themselves
• Issuing CAs
  – Responsible for issuing digital certificates to end users
• Symantec MPKI supports both Public & Private use
  – MPKI users can set up more than 1 CA
  – Depends on the design and what suits the use case

Page 41:

PKI – Certificates Life Cycle

1. MANAGE
• Admin configures certificate policy

2. REQUEST
• Present ID
• SYMC MPKI confirms identity of user/device

3. ISSUE
• Deliver certificate to user/device
• Configure apps to use cert

4. USE
• Authenticate to apps
• Encrypt docs/emails
• Sign docs/emails/transactions

5. MANAGE
• Report, revoke, recover, renew

Page 42:

Full Lifecycle Management a Critical Success Factor

Everything is built-in

• Root of Trust
• Management roles
• Tools
• Workflow
• Key Recovery
• Reporting
• Etc.

Page 43:

PKI Platform Across All Applications

Out of Box Support for Multiple Use Cases

• Secure Email: Digitally signed, encrypted email communications
• Secure Remote Access: Strong authentication to networks via VPN
• Strong Web Authentication: Authenticate to web apps via a browser
• Document Signing: Digitally signed documents including Adobe PDF
• Infrastructure Authentication: Transparent WIFI access or EAP capable wired switch access
• Other Initiatives: Mobile Device Management; Multi-use Smart Cards (HSPD 12/PIV)

Page 44:

Deploying Secure Email Certificates

• End User follows link from the enterprise administrator to obtain a certificate (S/MIME)
• PKI Client automatically configures Outlook
• Sets Signing and Encryption certificate
• Enables Sign and Encrypt options
• User selectively signs and/or encrypts messages*

* Note: Encrypt requires the recipient’s certificate; this is usually obtained from the AD or Symantec public LDAP directory

Symantec Managed PKI Service – Solution Overview

Page 45:

Document Signing

• Customer Objectives
  – Meet legal or business requirement for certified documents
  – Industry compliance mandates (certain verticals like public sector, SAFE etc)
  – E-Business workflows (e.g. payroll data, manufacturing specifications etc)
• Special Issues
  – Requires public trust
  – Integrated with signing appliances like ARX or CoSign if gateway model is preferred
• The Symantec Difference
  – Cloud based service lowers the TCO
  – Automation and application enablement greatly simplifies the end user experience

Page 46:

Cloud Ready Infrastructure

Page 47:

IT Mega Trends

• Information Explosion
• Social Media Explosion
• Threat Landscape
• Virtualization
• Mobile
• Consumerization of IT
• Cloud

Page 48:

Mega-Trends, and CISO Mega-Pains

Private Cloud

Security for the Cloud: New Risks & Challenges

Symantec O3: The New Cloud Control Point

Page 49:

O3

• Identity & Access Control Layer: Control
• Cloud Information Security Layer: Security
• Cloud Information Management Layer: Compliance

Private Cloud

Page 50:

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
