
Security SIG

Security SIG. August 19, 2010 Justin C. Klein Keane jukeane@sas.upenn.edu. Identity Finder. Identity Finder case study at http://www.educause.edu/Resources/IdentityFinderCaseStudy/206909 Identity Finder console is an important part of SAS deployment. IDF Console.


Presentation Transcript


  1. Security SIG August 19, 2010 Justin C. Klein Keane jukeane@sas.upenn.edu

  2. Identity Finder
     • Identity Finder case study at http://www.educause.edu/Resources/IdentityFinderCaseStudy/206909
     • Identity Finder console is an important part of SAS deployment

  3. IDF Console
     • Runs on a Windows Server machine
     • Requires a MS SQL back end
     • Communicates with clients over port 80
     • Clients encrypt data to the server
     • Reported issues with running connection over 443

  4. Console Considerations
     • Balance security and privacy
     • Collect no more data than you need!
     • Expect assumptions of big brother
     • It is possible to have multiple IDF configurations
     • Don't propagate toxic data
     • Be mindful of e-discovery and other legal requirements (HIPAA, FERPA, etc.)

  5. Client Configuration
     • Client installer must be bundled with rudimentary configuration
       • Defaults for behavior
       • IP address of server

  6. Client Behavior
     • Client will connect to server after installation to retrieve configuration
     • Be sure client configs are system wide
     • If config is stored in userland it will get overwritten when the client is upgraded
     • Client “checks in with console” and will report scan statistics
     • Client communication to server is invisible

  7. Client Considerations
     • You may not want some features
     • Some features may prove dangerous
     • Licensing considerations when scanning shares
     • Choose a safe place for Quarantine option
     • Make sure users encrypt results
     • How can you easily manage client configs?
     • The console

  8. Console Features
     • Policy definitions which can be assigned to groups
     • Reporting on scans and remediation
     • Tracking of client machines
     • Global ignore lists to avoid repeat false positives

  9. Using the Console
     • Console interface is web based
     • Requires Microsoft Silverlight plug-in in the latest editions
     • Users can be assigned privileges to access and use the console

  10. Console View

  11. Historical Tracking

  12. Generating Reports

  13. Policy per Machine

  14. Policy Controls Settings

  15. Ignore Lists

  16. User Settings

  17. Encryption
     • PGP (whole disk, file and folder, net share)
     • TrueCrypt
     • AxCrypt
     • GPG
     • Enigmail

  18. PGP
     • Commercial software
     • Supported by PGP Universal Server
     • Universal Server allows for:
       • Key escrow and recovery
       • Public key lookup
       • Policy configuration and customization
       • Central registration authority when installing
       • Integration into AD structure

  19. TrueCrypt - http://www.truecrypt.org
     • Free Open Source Software (FOSS)
     • Can do whole disk encryption for Windows
     • Can do file volume encryption for Windows, Mac, and Linux
     • Can do removable media encryption for Windows, Mac, and Linux (interoperably)
     • Allows an encrypted USB stick to be used on any platform with TrueCrypt installed
     • Version 7 has full GUI support on Linux

  20. AxCrypt - http://www.axantum.com/axcrypt/
     • Free Open Source Software
     • AES 128 bit key encryption
     • Windows only (32 and 64 bit support)
     • Supports encrypting files
     • Can create self decrypting archives
     • Does auto re-encryption
     • Provides secure shredding
     • Adds encrypt and shred to right click menu
     • And more...

  21. GPG Enigmail
     • GPG is GNU Privacy Guard
     • Fully open source, interoperable with PGP standard
     • Available for Linux, Windows and Mac
     • Can be used for key management, public key encryption, encrypting files and folders, and digital signatures

  22. Enigmail
     • Thunderbird plugin
     • Adds OpenPGP functions to email

  23. Enigmail - Built in Key Manager

  24. Enigmail - Features (and Drawbacks)
     • Automatic encryption to recipients with keys
     • Automatic decryption
     • Digital signatures and verification
     • Encryption/decryption of attachments
     • Not the easiest system to understand or use
     • Manual key distribution is burdensome

  25. Issues with Encryption
     • Key escrow for recovery in case user forgets a password is CRITICAL!
     • Damage of encrypted store will totally destroy it
     • Speed and efficiency is reduced
     • Users have to understand how to use technology properly
     • Most useful encryption is not transparent
     • Does not protect data in use
