
The Secret to Secret Management

BSides PDX · 2018 · 53:20 · 154 views · Published 2019-02
Category: Technical · Style: Talk
About this talk
Mark Cooper (@thepkiguy)

The modern IT landscape is filled with secrets: certificates, cryptocurrency wallets, SQL connection strings, storage account keys, passwords, and encryption keys. Getting a handle on secrets management is a top challenge. A centralized approach to secrets management is vital for organizations to protect their data and assets; poorly managed secrets can lead to a breach, non-compliance, or an outage.

Mark B. Cooper, president and founder of PKI Solutions, has been known as “The PKI Guy” since his early days at Microsoft. Mark has deep knowledge and experience in all things Public Key Infrastructure (PKI), including Microsoft Active Directory Certificate Services (ADCS), PKI design and implementation, Internet of Things (IoT), mobile security, and encryption. PKI Solutions provides consulting, training, professional services, and assessments to help ensure the security of organizations now and in the future. Prior to founding PKI Solutions, Cooper was a senior engineer at Microsoft, where he was a PKI and identity management subject matter expert who designed, implemented, and supported Active Directory Certificate Services (ADCS) environments for Microsoft’s largest customers.
Transcript [en]

thanks Maggie well actually I think this is a great segue I just walked in it sounds like you guys were talking a lot about passwords and I spent a lot of my time talking about passwords even though I don't deal with passwords you know I'll explain a little bit why in a little bit so as Maggie said I'm mark Cooper I'm the president of PKI solutions I actually am based here in Portland I started the company about five years ago after leaving Microsoft at Microsoft I spent my time working just in the PGI space so it's been about 20 years now that I've been focused in the public key infrastructure PKI is something that is

kind of very near and dear to me it was one of those technologies when somebody sat me down and said we need you to kind of learn this everyone's afraid of it and no one really understands it that does anyone have that feeling about things like PKI or their types of security yeah you know what I found there's something to be said for understanding and really being passionate about a technology niche it makes it much easier to develop a very deep skill set PKI has really been that one thing for me as much as I like to go around saying I'm the PKI guy when I was at Microsoft I can't really say that Bill Gates came

down and did me the PKI guy I kind of hacked a system accidentally and it wound up replicating throughout Microsoft and my job title changed luckily and my boss was ok with it but I didn't get paid for a little while so I had to get that thick so if you ever saw an office space in the glitch I inflicted the glitch on myself for a little while so PKI solutions we primarily focus on identity and encryption doing training consulting and working with customers to design PKI but it's often driven by a very central problem that you're probably facing your organization's today so today we're really going to be talking about this concept of secrets

secrets kind of vary by organization and what you're trying to protect but they all kind of go back to the same thing from a business to a department or an agency whatever you are working in the odds are you have some piece of information whether it's data or identities or even intellectual property that is a secret to you that you're not trying to openly share with the the world most organizations have something that they need to keep secret sometimes it's passwords sometimes it's the data you're processing sometimes it's just the very nature of what you do so if you ever gone to organizations where there's lots of physical security and there's lots of well defined processes they're

trying to control access to things from a data perspective that becomes much harder so what we wanted to talk about today was trying to define what are some of these secrets that you're most likely already running into in your organization what are some of those challenges as well as what are some of the things that you could be doing to address those secrets so some of the things I wanted to talk about today let's take a look at what we're currently seeing in the landscape and it's not meant to be a real in-depth overview of the IT landscape but just to kind of give you a foundation of what we want to talk about but talk about what

those typical secrets are and I want to share some solutions and options with you that you could actually explore today so I didn't want this just to be a nice abstract talk on secrets and no concepts that you should do I want to give you some options that you can actually walk away with and actually consider if you're not already using some of these in your organization so in the landscape that we have today most organizations are either currently being affected because secrets are being leaked out of the organization or they're actively trying to do something to prevent that does anyone actually suffered any type of a loss of data or identities or passwords that you know of

whew how many people think maybe you have but you just don't know yeah that's kind of what most organizations kind of function under either you have or you suspect maybe you have most organizations there is a eventualities the concepts of what information people are after changes from year to year I've been in the IT space for 30 years early in my career we used to say the only people that were subject to potentially hacking or federal agencies people with patents and IP and hidden secrets and formulas like Coke and you could say well we're not coca-cola we don't have some secret recipe we don't need to worry about IT security no one's after my information

that's kind of completely changed now is interesting for me years ago having heard about healthcare information one of the most valuable pieces of information that hackers are after so what we may be facing today is going to be very different tomorrow the management of these secrets is also changing but the concepts that we're dealing with now different than five or ten years ago moving things into the cloud and hosted services and managed services years ago it used to be we kept all that stuff in house we had physical barriers we had well-defined protections we weren't taking our data and sticking out on the Internet it used to be even where I worked at organizations and

corporate IT where we would say if anything was coming from the Internet and touching our environment we didn't want them to access our critical information maybe you can connect to get email now organizations are a wholesale shifting a lot of information into the cloud and not giving a whole lot of thought about what are we putting up there and how are we protecting it so the landscape is changing we're no longer being tasked with how do we build walls and keep people out it's how do we put things out in the world and hope and prevent people from reading it and it takes one Mis configuration now it used to be if it was sitting on your server

in your data center if someone couldn't physically get in your building your information was protected it's only the employee that may steal something now it's sitting in Azure that's sitting in AWS and hopefully someone doesn't miss configure something very different landscape so from a concept of secrets secrets are often associated either with information or data and every organization is a little different as far as how they're managing secrets but the things that we typically see are things like passwords and it's one of those things that dislike this session before lots of talks about passwords how do we make sure our users don't have weak passwords in many ways that's managing the secret how do we

make sure that their secret isn't so easy to guess that someone else is out there impersonating them also how do we make sure it's not so complex that they can't possibly remember their own password we also have issues around encryption most of you probably have some type of encryption you're doing in your organization whether it's encryption of files maybe your entire disk of a BitLocker it could be data encryption but you're doing some type of encryption it may be embed inside an application but most of us know that if there's a checkbox to encrypt it must be more secure but we're not often giving a lot of thought to how is that encryption being protected where are those keys

but those underlying secrets potentially become a big issue anyone remember the the Sony hack from well is it ten years ago now so one of the most interesting stories for me out of that wasn't so much of the the information about the celebrities and all the dish and the salary there was a code signing certificate that was in that trove and did anyone ever hear the story about this code signing cert so there's some irony if you go back 20 years Sony had some really bad publicity around 2000 they were putting a rootkit into all of their music CDs remember this so they were used to signing code they were putting these things on their CDs well

when the Sony hack went out it wasn't the same certificate but it was along the same lines their code signing certificate with the private key and password we're in the information that was disclosed now it's not necessarily that embarrassing but the interesting thing is a researcher took that code signing cert and signed a piece of malware and then send it to a buddy saying hey look what Sony is up to well the story got away from me the buddy didn't realize it was a joke he simply saw hey here's the piece of malware signed by Sony what was Sony up to that's really bad from a reputation standpoint now there wasn't a lot of mainstream press covering that but

that's just an example of Secrets getting out and unintentionally affecting the reputation of an organization other places that we're looking at things like crypto wallets people doing bitcoins and other types of digital currencies all of that information goes back to maintaining some secret that is your digital wallet we see the same things with API keys a lot of the cloud providers now aren't necessarily using passwords but they have some type of a token or an API that allows one application to talk to another application it might as well just be called the passwords if you go into a screen it says okay paste your private API key here your private token change the label to password because

that's all they're really doing it's just a password well all of those secrets need to be managed somehow now things like passwords we've got nice established practices for but not a lot of people are thinking about how are we managing these encryption keys how are we managing these tokens what are we doing to get ahead of this problem so there's a couple of things that I often work with customers to try to figure out is in order to get your handle around the secrets part of the problem is trying to figure out what secrets do you have and it's not that they've necessarily done a great job obscuring this information it's a lot of time they just don't know what it is you

sit down and say what types of encryption keys do you have what types of API keys do you have how are your applications working and a lot of times they go I don't know so a lot of this is actually just effort trying to figure out what types of secrets are we using and how are we going to go about man so a couple of things that we need to do one try to figure out what secrets what types of keys you have I have gone into large organizations where I expected the IT shop to have a pretty good handle on here's our systems no they don't and the discussion often goes here's what we

should do but you're probably not going to do you should have a list of what all these critical systems are and let's go figure out what types of encryption they're doing what types of keys they're using what types of tokens they have and the IT the security the director the VP goes hey I don't know don't know what it is so I go okay let's take this as a more practical approach what makes your business function if you're a bank the ability for tellers to take money in and do wire transfers and ATMs you should be able to at least establish what's your critical thing what keeps the lights on makes your widgets now we don't know

that either and this is happening everywhere I go so if we want to talk about responsible security and managing data correctly if you don't even have an accurate idea of where you're doing encryption and what that data is there's no way you can get ahead of this and then you start scattering this stuff up into cloud managed services offsite services how are you ever going to figure these things out you have to start somewhere if you can't identify every system figure out what you do know touch what you can know there's an old saying how do you eat an elephant one bite at a time it's gonna take a while to get through all of it and if you don't know what all

the systems are at least figure out what you do if you're managing an email system if you're managing a github whatever repositories you have at least put down on a spreadsheet and say let's figure these things out and when you get that done you'll find out what that next thing is but you have to start somewhere the other thing is you need some way of controlling access to those systems and to those private secrets if you don't have a way of protecting and managing those secrets there's nothing that you can do from an inventor standpoint or from a documentation standpoint or security if you can't control access if you bring all your secrets into one place and you can't

control them what have you just created a honeypot you have created a very attractive place on your network for someone to attack so don't bring all these things together without some plan of how you're going to protect them and control access the other thing is try to figure out what types of permissions you have out there who is able to create these keys who's able to make these connections who's changing secrets who's implementing these secrets these could be functioning at user levels they could be machines applications and processes or services there may be a whole set of applications that you don't have visibility of there are either affecting or changing these secrets or unintentionally divulging information

about them so you really need to know what's that play here and again like I said if you can't get a grasp of what all of those systems are and let all of those applications and process these are start with what you can identify that core list and then grow from there the other thing that we need to do once we start tracking down what types of keys and API is we are are using is trying to figure out how they're using and what that normal pattern is one of the difficulty thing or difficult things that we have is detecting abnormal use if I know I have a particular key and that token should only be used between

these two applications and suddenly it starts being used somewhere else or coming off of the internet or being sent to a cloud service those things are something that I want to detect the good thing is a lot of these secrets tend to be static when we start looking at things like encryption keys these tend to be things that are long-lived one of the benefits of not using passwords is these secrets if well-managed can be valid for longer periods of time so there was a question earlier about passwords of no 30 days 90 days 60 days why do we change them so frequently because they're so easily guessed or so easily worked around these secrets when

we start to talk about encryption keys have theoretical lifetimes of hundreds of thousands if not millions of years well if I have information that is statically protected by these keys I should be able to define some type of pattern about where is the information being decrypted and where is it going one of the fundamental things I try to work with customers on is yes protect your network we don't want attackers coming into our network buyed rather you define your network as one that if somebody was on your network there's nothing they can really get to if you encrypt your information if you protect your host and protect your secrets I in theory could have someone wandering around my network

and not have to worry about my data being divulged now that takes a lot of discipline a lot of effort but if you build to that level you're not doing this Twinkie approach have you have you heard of the Twinkie security model if you put all your protecting your firewalls and all your antivirus and all your SSL scanning on the perimeter your network you breached that little soft yellow leaf filling and you get the very soft creamy center of that Twinkie if you puncture that little exterior hole there's nothing protect you once they get inside if you start managing your data where it's encrypted at all times you're practicing defense and death you're making sure that your secrets and

your data are protected the other thing that we need to do is if we're going to start managing our secrets is having a plan of attack of what are we going to do if one of our secrets or the data that they protect has become compromised inevitably there's going to be attacks there's going to be loss of information regardless of what you do one of the challenges that we have is that we can protect against the scenarios that we can define it's the undefined scenarios that we're not going to be prepared for how many people in this room are kind of your network or systems administrator or cyber engineer like you have some role in your organization when it comes to

security okay everyone that just raise your hand you're my worst nightmare because you have your hands in all of these systems do you know the passwords the systems you've got the scanning systems you are the ones that your organization trusts but how do we make sure that organizations aren't trusting the wrong person a lot of organizations will say well we've we trust our administrators we've never had a problem okay what about the next hire what about that next person you bring in and they're gonna have all the same access you do so some of the things that we can do are actually implementing things like two-person integrity where certain types of secrets can only be accessed if two

people are present so there are some times where we have to define how are we going to protect ourselves against ourselves so trying to figure out where our secrets are kept as I said there's the application approach there's also just looking in all the different platforms that we are using in our organizations to find where these keys are at obviously there's the on-premises our servers or applications our PCs don't forget those things that are outside of that central data center it's not always just our server sitting in a data center or sitting in a rack that we can physically go up and touch and say I have some type of data here some type of

encryption our user systems there's often things throughout the organization it has some type of data that needs to be protected we all kind of have heard stories about laptops that get stolen and there's some spreadsheet that somebody had downloaded information so it's not just our main servers that have this information now we have the complexities of things like cloud and managed services I've even had customers where they have information that's kind of not quite in either one its on-premises but they don't own it and they don't manage it so all of those types of managed services where maybe there's a third-party vendor that has equipment or server or data sitting on your network that has your secrets or

your data and main I may be something that you're touching on a daily basis so what are those other things that your vendors or partners or solution providers are putting in your facility what types of information do they have we obviously have things like flash drives how many organizations have some type of policy against flash drives I'm seeing this more and more don't bring the flash drive in if it tried to plug in in we're not gonna recognize it either a central flash drive you have to take it to a central location cutting off those types of places from an organizational standpoint flash drives are nice and convenient but usually means informations going somewhere that

we can't track the other thing is encode any developers in the room okay please don't put secrets and passwords and tokens and api's into your code I can't see them I can't manage them and I don't know they were there the other thing is despite your best intentions they never get updated in the next release I've seen software people where people have said you know what we're just gonna change this every couple of weeks with a new release it's never gonna matter and then eventually that manufacturer either ceases to update the product or a new developer comes in and goes I don't want to break anything so I'm not gonna change all those old keys I'm gonna

leave them in there you cannot obscure your code enough to make any secrets or passwords safe inside of code if it's statically defined somewhere someone's gotta find it it also makes it very difficult from a centralized management if I want to increase or rotate Keys or track those encryption tokens if it's inside of your code and I'm not looking at your code I may not even know it's there so one of the challenges that we often come up with is organizations that say I get it we want to protect this information we want to encrypt the information I understand what you're going for but I don't know how to do this this is kind of your typical chart

for any type of project you could plug in any name here you know the more secure and the more robust it is the more time the more cost you know the old adage you can have it fast and secure but it's not gonna be cheap and you can take any - but you can't have all three so from a project perspective you can sit here you can graph this all out here's what I really do with customers ice down and I say do you want to be the carrot or do you want to be the stick you have to make a decision or your vendors going to drive your security in your secrets management or do you define

them and what that comes back to is you can say what can all of my existing applications do and whatever they can all do that's my security if they all can provide sha-1 hashes and they have passwords of eight lengths a character link that must be the best security I can do and pat myself on the back and I move on or I take the other approach I say let's define what I want my security look like I want all of my applications to be using X if you're gonna stick with passwords you come up with your password complexity if you're going to use PGP you define what that complexity is if you're going to use encryption and

private keys you define what that is and you may not be able to tell your vendor I want you to do this today but you set your goal you say okay it's 2018 by 2021 I want all of my applications to meet this standard you must be able to support symmetric keys you must be able to support whatever that is and you define your vendors and you say if you want to continue to sell your product to us you have three years to meet this if you can't meet this goal you will be replaced so you may not even be able to affect the security today but you can at least define what that eventualities and

you may even have several tiers there you may have that one year goal three year goal five year goal then make sure that's part of your organizational approach if your organization that does RFPs or some type of application verification before you bring the product in make sure that standard is in there so if you expect to be using sha-256 hashing for something make sure that's part of your vendor evaluation part of your your application verification process and if it doesn't say you failed that part either fix it give us a commitment to do it or we're gonna find another product so organizations need to proactively define what they want their security to be 8 and you

can all do that it's a matter of is that one year is that five years or ten years obviously the less purchasing power you have the smaller you are smaller your budget you may have to have a longer tail to get to that standard if you're a large organization you can throw your money around and go to organizations like Amazon or Microsoft or sa P and say if you want to continue in our organization we have a two-year standard you must be able to take all your encryption keys and have them centrally managed so you can define these things so from a security perspective the other thing that you can define is how security you want this to be is this

going to be just a simple centralized you're gonna take all those secrets all those passwords and centralize them in one place and not necessarily improve upon the security but they're going to be in an auditable location or do you want to ramp this up a little bit so from the limited access standpoint we're really talking about how do we identify these secrets and then somehow control them anyone using things like LastPass or other types of password faulting scenarios so this is an example of kind of limited access you can put all those secrets in there not great for things like encryption keys and API keys but for passwords and you can somewhat control that access so in that case

you're taking a lot of their secrets out of those post-it notes and emails and no text files are around and putting it in someone of a controlled fashion doesn't work for a lot of other types of technologies the other option is we start looking at how do we encrypt some of these secrets how can we take our API keys how can we take our symmetric keys our passwords or tokens whatever we have and encrypt them beyond just a password manager this is going to take more effort there are technologies out there where we can manage this information but if you think about LastPass or some other type the password vaulting scenario and you expand it to include

things that are than passwords going along those lines the other thing that we do is we can move beyond that start looking at how we actually manage these secrets how do we actually control the changing of the secrets changing and rolling of keys how do we actually control access to them so if you've looked at things like cyber-ark anyone using cyber-ark okay okay you can see kind of a much smaller subset if you don't know what tools like cyber-ark are these are ones where people don't even have access to the secrets LastPass you put the password in there if you want it you could look at it you can copy out you can all that fill some form you see the

password you can divulge it things like cyber-ark you don't even see the password you connect into a server well you actually go to cyber-ark cyber-ark signs into the server for you you never see it so there are ways of increasing the security of that information so a couple things that we need to watch for when we talk about why do we want to be concerned about secrets management or if you're going to go back to your organization how do you convince someone that you should spend the time tracking these applications down managing the passwords why is it worth that investment the problems that we run into is when we start looking at accounts or our networks getting compromised

ultimately means there's something on our network or something about our organization that can get divulged if you're an organization perhaps like a university where you dis let anyone connect in odds are there's still parts of your network that you don't want people getting to you're always going to have something that you don't want compromised is anyone in an organization where you don't care who looks at what I mean like anyone not usually the case most of the time when we were put together as even a cooperative or an education institution there's still something that we need to keep away from other people so when we have poor management of those secrets passwords encryption keys we face divulging that

information we have things like data breaches and outages now this moves beyond just in from it's been divulged it means our organization perhaps isn't even able to function we're down for a period of time we can't function as a business we can't have bank tellers working students can't get onto online courses it affects us materially it also has a direct cost you have to go fix it if you're one of those people that said you're part of the security team guess what you get to do on the weekend you get to go in and fix this so there's a direct cost to not doing this and this is one where organizations will often time take the

short-sighted approach they'll say well it's gonna cost me X dollars to go out and buy something it's gonna cost me X dollars for you to go out and inventory all these systems and then we're gonna go out and spend five thousand twenty thousand fifty a hundred thousand dollars on something to manage this there you go I'm not worried about that but what's the cost when there is an outage like what happens on a per minute basis and some organizations this is a real easy calculation you go to Amazon and they could probably tell you each second that their site doesn't function they lose X dollars so that becomes a real easy metric hey if I can buy a

solution that we can estimate saves us X amount of time or prevents a certain type of outage then it's worth the investment that's much harder and other types of organizations but that's one way of kind of positioning these types of technologies the other one loss of reputation any one I don't want to say track but the story about Symantec Verisign so Symantec years ago bought Verisign Verisign being a certificate issuer in the public internet space Symantec Verisign didn't necessarily have theft of their secrets but they had a big impact in reputation they were found to be issuing certificates they shouldn't and it's not the first company that's ever been caught this way but from a

reputation standpoint if you think about things like certificates in the public space their only business is selling a reputation if you trust Symantec Verisign then you trust every certificate the issue in their case they'd lost their reputation and that business essentially went bankrupt now I got bought by digi cert and got turned into the the the digi cert portion of certificates but the net result is the same most of us if you suffer a strong enough risk excuse me if you suffer the loss of information or have a outage that is significant enough to affect your reputation some organizations can cease the function many of them will be able to recover but there again is a

cost to the impact to that reputation so a couple of things that you can do as far as centralizing your secrets one is try to figure out how you can define some type of private centralized repository once you know what those applications are what types of secrets you have in your environment whether they're just passwords encryption keys api's once you know what those things are there is probably some type of centralized technology that you can use to protect that and I'm going to share a few different options for you but bringing those together is going to be that limited access scenario the LastPass analogy if we can at least bring them together we can control

access to it. We can restrict access into those private repositories in a number of different ways. When we talk about things like CyberArk, if we're going to be protecting passwords by eliminating the human element of seeing the passwords, we can even control the fact that in order to get on CyberArk you have to have two-factor, or maybe PhoneFactor. We're going to increase the identity protection of who's getting to the secret and then how they're using the secret. The other one, and this is one that comes up quite a bit and a lot of organizations overlook this: separate your data and your secrets, your data and your encryption keys. Do not look to things like AWS and Azure and say, oh,

they can host my data and I can put my key up there. Somehow, one way or the other, that's going to get affected. I am still an advocate today that says if you want to put data up in AWS, great, encrypt the heck out of it, keep the key in your control. Now things like Azure, they have some options for different technologies to have Key Vault. They also have options where you can bring your own key. Has anyone heard of bring your own key for different scenarios? So bring your own key, this is where you create some type of an encryption key on your premises, either in a piece of hardware or a piece of

software. The key is in your possession. The data that it is encrypting can be stored wherever you would like, rather than relying on that manufacturer or that provider to generate and store the key for you. Now that key and the data are in the same place, and it only takes one misconfiguration for that key to be divulged. So Microsoft's got a number of solutions around bring your own key. When you look to different technology providers, see if they have some type of bring your own key solution. Protect the key on your own site. The other thing is think about how your data is going to be encrypted. Ideally we want that encrypted at all times. A lot of providers and

software will simply say yes, you can encrypt the data, but what does that mean? Are they encrypting it just when the system is running? Is it just encrypted at rest? Is it encrypted just on the drive? What about how the data gets moved from one place to the other? Because remember, it's not just the data that they're going to be moving, but if they're using your API tokens or other pieces of secret information, how is that getting moved from one place to the other? The other thing that we have here is thinking about administrative and technology solutions. What I mean by this is there's a technology way of approaching these things and then there's an administrative one. One, I'm

not a fan of writing policies that say don't do stupid things with secrets and passwords. People that are going to do stupid things with them are not going to be following your policy. I have a firm belief that human beings have an innate way of finding the simplest way of defeating anything that you come up with. The post-it note password is a great example of this: how do I get around my IT department making me do my password on a regular basis? And this is not a new thing with passwords that are complex and 16 characters. Thirty years ago people were still doing post-its. Now it was a piece of paper and Scotch tape, but it

was still a way of how do I remember this information. Human beings, and I see this even in organizations where we define a very strong security posture around a PKI: two people are going to be present, there's going to be an auditor, there's gonna be a camera, and they are on top of their game the day we deploy. Come back a year later, two years later, they have found every possible way to stick to the letter of the law but not quite really be doing what they need to do. Auditors that come in, they're supposed to be supervising people and what they're doing, or playing Candy Crush on their phone. Are they present? Yeah. Did they sign a log that says that

those people were there? Yeah. Did they actually watch what was going on? Was it any value? So people will innately just find the easiest way. That's why we have software to prevent people from rolling passwords: you make me change my password every 90 days, what am I gonna do? I'm just gonna go back and forth between the two passwords, so you find some way of preventing that. So humans have a great way of finding out what is the simplest way I can do something, so there is not going to be a comprehensive way where you can say I can expect my people to always be on the top of their game every time. So for the most part I

don't want to put the burden of this on to people and say it's your responsibility, you have to keep this information secure. So for me, if I'm going to give a responsibility or I'm going to give you access to there, I need to verify: the old trust but verify. I need to actually make sure that this information isn't being sent around. So I've got all my passwords and all my keys in one place; go take a look at the audit log. Who's looking at this? What are they doing with it? Where's that information going? So you can't just assume that because you've centralized it that the problem's gone away. The other option is think about how are

you going to secure that centralized repository. If this is something you're building yourself, how are you going to protect access to that? If you're building a repository where all your passwords are for the organization, but you let people use their password to get to the repository, that's not a very strong way of going about it. So I try to think about things of, if I'm going to be protecting information, how do I protect it at least at that same level or higher than what's in there? So a couple of things that you can look at today, things that you could go out to protect the secrets in your organization. So obviously, being the PKI Guy, I'm a fan of

PKI. So public key infrastructure: we can do things like identity and data encryption, we can move away from passwords, we can encrypt information, we can get people onto identities that are protected with things like YubiKeys or TPM chips. We can make a stronger set of secrets that can't be compromised, or at least not as easily. Start looking at things like password vaults, so move beyond just password managers. Now I didn't catch the whole last talk, but things like LastPass can do some very basic password audits and tell you that someone's got a four character password and it hasn't been changed for a while, but move beyond that, moving into some of these vaulting solutions where

the passwords aren't exposed. Now what's nice about this is when you rely on something like a CyberArk or some other vault, because there's no human element, you're not setting the password. You can tell CyberArk, for instance, I want you to roll this key every day, I want it to be 255 characters, since no one's actually having to interact with it and copy and paste it, and no change that process; it's all happening behind the scenes. You can have much stronger security, but as in my previous slide, make sure you know how you're protecting access to the CyberArk vault. If that's going to contain all of the keys to your organization, make sure that that's stronger than anything else that

you're doing. The other things that you can look at: key management systems, or KMS, is becoming a stronger and stronger player in the market. There's products from companies like Vormetric, that's now part of Thales. Symmetric key management is what these are designed to do. So rather than having all of these passwords and symmetric keys for different applications and different encryptions scattered throughout the organization, they all get vaulted in one place. When an application like SQL needs to decrypt information, or some application needs to create something else, they check out their key from the KMS system, they can do whatever they need to do, and then check it back in again. Now the downside is you have to

have a KMS solution that integrates with whatever your products are. So you kind of go back to the inventory again: what has the symmetric keys, what needs to be protected, how am I going to go about doing that? But now, by having all of those keys centralized, I can define minimum standards. Do I want AES encryption? Symmetric keys, what size? How often are they rotated? Who's getting access? How do I audit and determine where that data is? Or other things, things like our databases: looking at more than just saying okay, I BitLockered my database, or at least my database disk, I must be done. There are other types of encryption that are possible,

things like TDE and Always Encrypted, where the data is encrypted even in the processing space of SQL Server. So there are applications now where the database at the table level is encrypted. Whenever the service is running it's kept encrypted in the memory space; all the functionality is in encrypted memory, which means even if you were able to blue screen and dump the contents of a server, all that data is protected. So things like the Heartbleed exploit a few years ago with OpenSSL, same type of thing: if the keys or the data is in memory, there's the possible disclosure of that. So Always Encrypted means we can move away from those models. The other things

that you can look at are Azure Key Vault. It doesn't work for every solution, but with Microsoft Key Vault your keys can be protected in a virtual HSM, if you will, or a hardware product at Microsoft. Not every application they have will integrate with it, but it's certainly better than putting your encryption keys or other types of secrets sitting on the blob or just on a server itself; they can be checked into the Key Vault. Microsoft Rights Management Server, for instance, it uses Key Vault, but it actually has that bring your own key scenario. So with RMS, if you're protecting Office documents and email, you can actually generate your own key on a hardware

security module and then that key is transported to Microsoft into the Key Vault. Not my biggest recommendation, having data and keys in the same place, but if you have no choice. So one of the other things I'll leave you with is the fact that all of these security things are very easy to kind of paint in black and white terms. The approach I often take with customers is we have to be pragmatic about all of this. Associated with some type of an organization or a business, it has to be worthwhile to that organization to do something. We can't just define something as black and white, this is the right way of doing it, it's the wrong way. Security is often

associated with some type of a risk, and we're trying to mitigate that risk. We can deploy a technology, we can put a process in place, we can manage who can get access to that information, but sometimes our risks are simply mitigated by accepting them, and I'm a firm believer in that. Technology is great and process is great, but sometimes it's just a matter of being able to say yes, we're aware of the risk and we accept the risk. It's when you don't know that you've accepted the risk that you're running into the biggest problems. So if you didn't realize that having your keys and your data in the cloud, or an application had its secret embedded in the code, you

didn't have that full recognition of what that risk was; you didn't have all the information to be able to make that decision. So I'd much rather it be something where the organization says yes, we're aware of it, either from a financial standpoint or a risk standpoint, we're not going to do anything about it, but we're aware of it. So that's what I have for you today. Any questions I can answer for you?
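The "keep the key in your control" advice from the talk is usually implemented as envelope encryption: each blob gets its own data-encryption key (DEK), the DEK is wrapped with a key-encryption key (KEK) that stays on premises, and only the ciphertext plus the wrapped DEK go to the provider. The following PowerShell is an added example and is not code from the talk or from PKI Solutions; the KEK is generated in memory for the demo (a stand-in for an on-premises HSM or CNG-protected key), and the sample record is constructed. It uses AES-256-CBC with an HMAC-SHA256 tag so that it runs on Windows PowerShell 5.1 as well as PowerShell 7.

```powershell
# Added example (not from the talk): envelope encryption with an on-premises KEK.
# Assumption: $kek below stands in for a key held in an on-premises HSM or key store.

function New-RandomBytes {
    param([int]$Count)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Count
    $rng.GetBytes($bytes)
    return ,$bytes
}

# Seal with AES-256-CBC, then HMAC-SHA256 over IV||ciphertext (encrypt-then-MAC).
# $Key is 64 bytes: the first 32 drive AES, the last 32 drive the HMAC.
function Protect-Bytes {
    param([byte[]]$Key, [byte[]]$Data)
    if ($Key.Length -ne 64) { throw 'Protect-Bytes expects a 64-byte key' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]]$Key[0..31]
    $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Data, 0, $Data.Length)
    $body   = [byte[]]($aes.IV + $cipher)
    $hmac   = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,[byte[]]$Key[32..63])
    return ,[byte[]]($body + $hmac.ComputeHash($body))
}

# Verify the tag in constant time before touching the ciphertext; fail closed on mismatch.
function Unprotect-Bytes {
    param([byte[]]$Key, [byte[]]$Sealed)
    $n = $Sealed.Length
    if ($n -lt 64) { throw 'sealed blob too short' }          # 16 IV + 16 ct + 32 tag minimum
    $body = [byte[]]$Sealed[0..($n - 33)]
    $tag  = [byte[]]$Sealed[($n - 32)..($n - 1)]
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,[byte[]]$Key[32..63])
    $expected = $hmac.ComputeHash($body)
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'authentication tag mismatch: wrong key or tampered blob' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]]$Key[0..31]
    $aes.IV  = [byte[]]$body[0..15]
    $cipher  = [byte[]]$body[16..($body.Length - 1)]
    $plain   = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    return ,$plain
}

# Envelope: a fresh DEK per blob, wrapped by the KEK. Only WrappedDek and Ciphertext
# are stored with the data; the DEK and the KEK are never written to the provider.
function Protect-Envelope {
    param([byte[]]$Kek, [byte[]]$Plaintext)
    $dek = New-RandomBytes 64
    [pscustomobject]@{
        WrappedDek = [Convert]::ToBase64String((Protect-Bytes -Key $Kek -Data $dek))
        Ciphertext = [Convert]::ToBase64String((Protect-Bytes -Key $dek -Data $Plaintext))
    }
}

function Unprotect-Envelope {
    param([byte[]]$Kek, $Blob)
    $dek = Unprotect-Bytes -Key $Kek -Sealed ([Convert]::FromBase64String($Blob.WrappedDek))
    Unprotect-Bytes -Key $dek -Sealed ([Convert]::FromBase64String($Blob.Ciphertext))
}

# Demo with a constructed record. $kek stays here; $blob is what would be uploaded.
$kek  = New-RandomBytes 64
$blob = Protect-Envelope -Kek $kek -Plaintext ([Text.Encoding]::UTF8.GetBytes('constructed sample record: account=1234'))
$blob | Format-List
$back = [Text.Encoding]::UTF8.GetString((Unprotect-Envelope -Kek $kek -Blob $blob))
"Round trip: $back"

# A wrong KEK fails at the tag check on the wrapped DEK; nothing is ever decrypted with it.
try   { Unprotect-Envelope -Kek (New-RandomBytes 64) -Blob $blob | Out-Null }
catch { "Wrong KEK rejected: $($_.Exception.Message)" }
```

The design point is the one the talk makes about data and keys sitting together: everything stored at the provider is useless without the KEK, and rotating the KEK only means re-wrapping the small DEKs, not re-encrypting the data.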

And so the way I often frame that question is, now how do we, what are the best practices around kind of protecting those identities or certificates on something? Oftentimes it kind of goes back to what I was just talking about: what risk am I concerned about? An analogy that I use with organizations is Alice in Wonderland. As I kind of start talking about risks, we kind of go down this rabbit hole, and we kind of start talking about, are you concerned about this, are you concerned about that? So in the case of your wireless scenario, for instance, I would say, are you concerned about a laptop getting stolen and somebody maybe

getting on your Wi-Fi network? Okay, you're concerned about that. We go down the rabbit hole: what about someone deliberately taking a laptop to get on your network? Very different than something goes missing and someone accidentally gets on the network. The other one is corporate espionage. Eventually you get down that rabbit hole, it's aliens beaming information out of your brain, and you go, okay Mark, that's a little far, and you back up the rabbit hole and you go, okay, here's all the risks that we were concerned about, how do we address those? So in your case, if we are talking about mobile devices getting onto a Wi-Fi network, if I have a deliberate concern about something, I may choose to say, how

am I going to protect that? Is it going to be just short-lived certificates that are changed on a regular basis? If I'm concerned about somebody, for instance, it could be I don't want my employees bringing their iPads to the office and taking the certificate off of a corporate machine and putting it on their iPad to get on the Wi-Fi. Okay, I can just make sure that their key can't be exported, so maybe it's sitting inside of a TPM chip. So very different scenarios will kind of drive what am I going to do to mitigate that risk. Some of them, maybe I can't do anything about it; it's not, for instance, going out and deploying smart cards for everyone. So there's

going to be scales for each type of thing. So I look at it as every certificate has a key, that secret; how do I need to protect that key, and from what? Sir? So some organizations, exactly, yeah, exactly, exactly, yeah, exactly. And Windows, you know, and that's a great example of defining what my risk is, because for some organizations, and that's a question that comes up quite a bit, for some of them it simply is that iPad: I don't want my employee bringing an iPad or their home laptop onto the Wi-Fi. Now I just want to make it difficult for them to do that. Well, Windows, I could say that private key's not exportable. Now I

will tell you, I have a piece of software sitting on this machine that ignores that key, or that flag, and will let you export any key that's protected by Windows. But for that casual employee who's trying to get the laptop on, and that option to export the key is greyed out, I've mitigated that risk. A deliberate attacker? No, not so much. Other questions? Yes.
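The answer above distinguishes a key marked non-exportable in Windows from one that actually lives in a TPM. An administrator who wants to know which situation each certificate is in can read the key storage provider and export policy straight off the machine store. The following PowerShell is an added example, not code from the talk or from PKI Solutions; it assumes the default `Cert:\LocalMachine\My` store and that the account running it can open the key containers. A key whose provider is `Microsoft Platform Crypto Provider` is TPM-backed; a CNG key with export policy `None` is the greyed-out-export case the speaker describes, which (as he notes) stops the casual user, not a determined one with tooling.

```powershell
# Added example (not from the talk): report how each certificate's private key is protected.
# Assumption: run as an administrator so the key containers in LocalMachine\My are readable.
function Get-CertificateKeyProtection {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $provider = 'unknown'; $exportPolicy = 'unknown'
        try {
            # Ask for an RSA handle first, then fall back to ECDSA for EC certificates.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $key) {
                $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            }
            if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
                # CNG key: the key storage provider and its export policy are exposed directly.
                $provider     = $key.Key.Provider.Provider
                $exportPolicy = $key.Key.ExportPolicy.ToString()
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key: only an exportable yes/no flag is available.
                $provider     = $key.CspKeyContainerInfo.ProviderName
                $exportPolicy = if ($key.CspKeyContainerInfo.Exportable) { 'AllowExport' } else { 'None' }
            }
        } catch {
            # Typically access denied on the key container; report it rather than skipping the cert.
            $provider = "error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            Provider     = $provider
            ExportPolicy = $exportPolicy
            TpmBacked    = ($provider -eq 'Microsoft Platform Crypto Provider')
        }
    }
}

# Software keys that are still exportable sort to the top, which is the list to act on.
Get-CertificateKeyProtection | Sort-Object TpmBacked, ExportPolicy -Descending | Format-Table -AutoSize
```

Run across a fleet, the `TpmBacked` and `ExportPolicy` columns give the inventory the talk keeps coming back to: which certificate secrets are protected at the level the chosen risk requires, and which are only protected by a flag.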

Yeah, yeah, yeah, yeah, exactly. So this is one where sometimes it's a technology solution of, if I am set with, I've got something that I need to expose and I'm going to need to be able to connect to it, and I'm going to obviously want it to authenticate, but how do I keep other people from authenticating? This is kind of going back to different types of secrets. Now obviously we have things like passwords, and there's symmetric encryption, yeah, or symmetric keys. One of the nice things, and why I do a lot in the PKI space, is that's a great example of how can you authenticate and secure information without actually

sending secret information. So the great thing about PKI, or frankly things like the CyberArk vault or other technologies, is the fact that I can authenticate, I don't care who's listening, because I'm not gonna send you anything secret, but yet I can have a very strong identity and very strong access to whatever I'm trying to get. Now the challenge is often, you talk about the mobile device, how do I do that on a mobile device? And it's been a changing story. Historically it's been you're out of luck on a mobile device. The military had issues for a long time; they had something called a CAC sled, which was basically like a really thick phone case, and they could

put their smart card into this case to read their identity. A CAC card is really just a PKI smart card. You can start looking at things now: YubiKey, if you've heard of YubiKey, they have now an NFC-capable YubiKey, which means now I can have either a one-time password or a PKI-issued identity and key sitting on a flash drive, and all I have to do is hold it up, and via Bluetooth and NFC that information can be shared. I don't need to worry about the form factor I'm connecting to. So there are some newer technologies that enable that mobile scenario. A lot of people are faced with how do I implement strong identities without killing mobile

devices. Yes, exactly, exactly, exactly. So now with that YubiKey I can go to a laptop, I can go to a physical machine, I can go to a server, I can hold it near my phone, same identity. The information that's transferred, if I'm doing PKI-based certificates, I'm sending my certificate and proving possession of the private key; nothing sensitive is actually sent.

Yeah, so there I would say that some of those problems exist even in physical environments, of how do I rotate things when I've got potentially two or more hosts that are dependent on them, or maybe the physical versus virtual. Frankly there's a technology that's been around for a long time inside of Windows, for instance, that a lot of people still don't leverage to this day: things like managed service accounts. So historically when we wanted an application or service to run on Windows, we created an application account, we gave it the permissions, we gave it a password. Well, we'll be really good, we'll change the password on a regular basis, but we never do, because we've got to stop it, we've got to

go where it's at. Managed service accounts kind of turned that on its head, where it's now Active Directory that manages this service account, a lot like a computer account. So the computer gets assigned, hey, this is a managed service account, change the password on a regular basis, and it updates the service. Now if you've got multiple computers or multiple virtual machines, they came out with group managed service accounts. So there are starting to become newer technologies where now I could say this service account, and its secret being its password, is on twelve different machines and they need to get rotated synchronously. While group managed service accounts are one way of doing that, other things,

products like CyberArk, enable a centralized place to say, you know what, I'm going to have 12 different identities, and at some interval I'm gonna go out automatically and update those identities; the administrator just interfaces with CyberArk, for instance. So there's kind of different ways of approaching that, and oftentimes it's driven by what is that application or that operating system, but it does kind of go back to how do I rotate and keep those identities fresh. Other questions? All right, well, thanks for coming. Have a great rest of your day.

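The last answer describes group managed service accounts (gMSA) as the Windows way to have Active Directory rotate a service password across several hosts. The following PowerShell is an added example and is not code from the talk or from PKI Solutions; it assumes a placeholder domain `corp.example.com`, a security group `WebServers` containing the computer accounts that run the service, a gMSA named `svcWeb` and a service named `MyWebService`, with the ActiveDirectory RSAT module available and domain-admin rights for the first part. It also adds the "trust but verify" step the talk asks for: confirming the password is actually being rotated and finding services that still run under a conventional domain account.

```powershell
# Added example (not from the talk): gMSA setup, service binding and verification.
# Assumptions: domain corp.example.com, group WebServers, gMSA svcWeb, service MyWebService.
Import-Module ActiveDirectory

# 1. One-time per forest: the KDS root key from which gMSA passwords are derived.
#    -EffectiveImmediately still waits about 10 hours for replication before the key is usable.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# 2. Create the gMSA. Only members of WebServers may retrieve its password, and AD
#    regenerates it every 30 days (the default, stated explicitly here). No human ever sees it.
New-ADServiceAccount -Name 'svcWeb' `
    -DNSHostName 'svcWeb.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebServers' `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# 3. On each host in WebServers (after a reboot so the group membership is in the computer's token):
Install-ADServiceAccount -Identity 'svcWeb'
Test-ADServiceAccount -Identity 'svcWeb'   # True when this host can retrieve the managed password

# 4. Bind the service to the gMSA: trailing $ on the account name and an empty password,
#    because the Service Control Manager fetches the password from AD itself.
sc.exe config 'MyWebService' obj= 'CORP\svcWeb$' password= ''

# 5. Verify rather than trust: when was the password last rotated, and who may read it?
Get-ADServiceAccount -Identity 'svcWeb' `
    -Properties PasswordLastSet, 'msDS-ManagedPasswordInterval', PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PasswordLastSet, 'msDS-ManagedPasswordInterval', PrincipalsAllowedToRetrieveManagedPassword

# 6. Inventory: services on this host still running as a conventional domain account
#    (no trailing $) are the candidates for migration to a gMSA or a vaulted identity.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like 'CORP\*' -and $_.StartName -notlike '*$' } |
    Select-Object Name, StartName, State
```

Step 6 is the inventory the talk keeps returning to: you cannot rotate what you have not found, and a service account password that nobody has typed since the service was installed is exactly the secret that never gets changed.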