CSOL 510 Final Assignment Marc Leeka

EXECUTIVE SUMMARY

The data stored in our organizations network is valuable and must be protected from those who
can profit greatly if our defenses are breached. Those attackers can target multiple access points
to our data and we must protect every one, whether an attack is executed or not. There are huge
financial penalties if an attack were to be successful and corporate officers could be charged
criminally. The organization could lose goodwill if any attack were successfully and we might
lose government contracts. It is possible our liability insurance would not cover negligence.

There are multiple areas of encryption that would increase the security of date assets if there
were a breach. Implementation in some areas can be inexpensive and relatively brief. Full
implementation, particularly more sophisticated authentication, would be more difficult,
expensive and time consuming.

To protect our data assets and to fully comply with government recommendations and legal
requirements, we must implement all areas of encryption.

OBLIGATIONS AND THREATS

The vast array of computer data stored throughout our organization is a valuable corporate asset
that, if it were to be revealed to an outside entity, could subject the organization to legal and
public relations consequences. First and foremost, clients and customers trust our organization to
safely secure the confidential information we retain regarding them. The information may be
personal, such as personal health information, or transactional, such as when and what
procedures were performed and how much our organization reimbursed the provider. In any
event, any breach of the data confidentiality would likely result in huge federal fines. HHR and
HIPAA allow a $50,000 fine per violation (or per record) and up to $1.5 million per year for
violations of an identical provision. Furthermore, violations can also carry criminal charges that
can result in jail time. We would likely be subject to the maximum fines due to willful neglect
because, as a large, professional organization, the government would assume that we had a
thorough understanding of published HIPAA guidelines and the resources to comply with the
law. Our contracts with the government for ACA reimbursement, third parties and even liability
insurance companies all specify HIPAA compliance.

Our liability also extends to the remote providers who have access to the data we retain. It is
important to note that almost two-thirds of recent data breaches have involved a business
associate. California law requires that non-affiliated service providers contractually agree to take
reasonable or appropriate measures to protect shared personal information, however that
agreement does not shield us legally from the full consequences of a data breach even if the
provider is fully responsible for the breach.

Data breaches are in the top three of incidents that affect a companys reputation. One recent
survey also reported that breaches have a major impact on customer fears about identity theft. 1

A Target financial statement revealed their 2013 data breach gross expenses initially totaled
$252 million, insurance compensation brought that down to $162 million, and further tax

1
CSOL 510 Final Assignment Marc Leeka

deductions yielded a final $105 million. Subsequent fines added $39 million and some sources
speculate the total fines could end up totaling $1 billion or more in damages before all is said and
done. The security breach was considered so severe that the CEO felt compelled to resign. 2, 3

Even if our data security is breached, having sufficient safeguards in place can dramatically
mitigate the scope of damage and potential penalties. Our organization should anticipate future
attacks on the integrity of our data safekeeping. It is not a case of will it happen, it is when
will they try again? In the world of black market, medical information has a higher value than
credit card information. One reason medical data is coveted by thieves is that it has more lasting
value than other types of information. Once the bad guys get their hands on it, its difficult for
the victim to do anything to protect themselves. While a stolen credit card can be cancelled and
fraudulent charges disputed, the process for resolving medical ID theft is not as straightforward. 5

Encrypting data isnt a 100% solution to the issue of data breaches. However, unencrypted data
has been the major reason behind the majority of healthcare data breaches. 6

The HIPAA Security Rule is made up of three parts and this proposal will focus on the Access
Control Standard found in Technical Safeguards 164.312(a)(2)(iv). These specifications are not
optional but required. Full coverage by our insurance policy in the event of data breach is
contingent on our corporations adherence to established and published recommendations. The
cost of compliance is humble compared to the cost of negligence. 7, 8

ROLL OUT

Given the benefits that encryption offers, only 45% of US organizations have an encryption
strategy in place. Why is the number so low when data breach incidents are widely reported
every week and the consequences are so great? 9

Getting encryption to work in the enterprise is a significant undertaking. Effective encryption

requires many things, including the following: 10
Attention to detail
Good design
Good project management
Comprehensive documentation
Responsible ownership

Many companies are simply not willing to commit sufficient time and effort, a short-sighted and
ultimately poor strategy if one were to recognize the multiple existing and constantly growing
threats to data security.

It may take two or three years to complete all the activities involved for complex encryption
deployment scenarios. This is primarily due to internal political sensitivity, application testing
and workflow or database use modifications. Multiple experts recommend that organizations
break their encryption projects into smaller, more manageable portions, while keeping the bigger
picture in mind when deploying solutions to address their encryption requirements. This

2
CSOL 510 Final Assignment Marc Leeka

combines both tactical and strategic planned implementation which helps to ensure the overall
success of the endeavor. 11

Our deployment will follow the simple guidelines provided by Ben Rothke: 12
Define your requirements
Know where your sensitive data resides
Create detailed implementation plans

POLICIES

Our corporate policies are the rules and regulations we establish in compliance with regulations
and laws. I earlier listed federal regulations and state law regarding the security of private health
information and potential financial, criminal and goodwill penalties for not complying. The
institution of encryption mechanisms is not a substitute for comprehensive policies and control.
Effective encryption, however, can protect the organization when other breaches occur. For
example, we have security policies on who can access confidential patient information. An
employee in our accounting division can see information only related to accounting matters,
whereas a physician can see medical history and cannot view accounting information. With
proper encryption controls and standards we have an additional layer of security to prevent an
accounting employee from easily impersonating a physician. Furthermore encryption offers
additional security if an employee were to try to copy protected data and attempt to read it or
transfer it.

ANALYSIS

We have previously analyzed the organizations encryption needs and answered these questions:
12

How do we protect data from loss and exposure?

How do we prevent access to the system itself?
How does software need to access the files after encryption?
How can data to be transported securely and via what means?
How much user burden is acceptable?
How strong does the encryption need to be?
Do we need to match the solution to the hardware?
Review of regulatory, contractual and organizational policies.

Encryption must be supported by policies, documentation and a formal risk management

program. Policies must be endorsed by management; communicated to end-users, business
partners and other parties that handle sensitive data. If a partner or customer cannot meet our
organizations policies, then we simply do not give them access to data (the My way or the
Highway policy). An example would be a partner without a current browser would be
prohibited from accessing data from our server.

Before starting the project, we also recognize the inherit weaknesses in securing wireless
devices. Most wireless users want an internet connection to browse the network, therefore we
will provide internet access only (no corporate data access) to wireless devices and isolate those

3
CSOL 510 Final Assignment Marc Leeka

users in a way that makes it difficult for them to see our network. Wireless laptop and tablet
users who require access to network data will be required to use an Ethernet patch cable which
will make their device indistinguishable from the computer workstations.

FIVE STAGE DATA SECURITY PLAN

Security enhancements to the network and data storage that are readily available, inexpensive
and can be implemented quickly and with little difficulty.
Identify stored information (called data at rest) and data moving between devices (called
data in transit). Choose hash functions and MACs for our data in transit to enforce integrity
and other security policies.
Identify data exchange between our web-based clients and providers to our web servers.
Choose an Internet Key Exchange protocol.
Establish a Kerberos key server which provides a mechanism for trusted third party
authentication for clients and servers.
PKI implementation, but this is the most complicated an intricate stage of our data security
project and comes with lots of caveats.

STAGE ONE: EASY, INEXPENSIVE, USUALLY NON-TECHNICAL FIXES

We will initially employ the easiest-to-implement and least expensive security controls as part of
our system architecture, particularly where the absence of such controls would make the
subsequent cryptographic controls less effective. NIST SP800-53 revision 4 (Appendix F:
Security Catalog) summarizes the non-encyptographic security controls we can employ. Some of
these security improvements include network segmentation and virtual servers (using Microsoft
Hyper-V or VMware). Most data breaches are employee-generated, therefore strict enforcement
of our network Group Policies and Roles often provides greater protection than the added
encryption protections. Internet Protocol security (IPsec) uses cryptographic security services to
protect communications over Internet Protocol (IP) networks. Our Microsoft Windows server
operating system and Active Directory allow us to implement IPsec policy through Group
Policy. Our two corporate firewalls are self-managed and have been configured for the security
recommended by government publications. Per government recommendation, we will confirm
all device firmware is current and establish an inventory with periodic review for future firmware
updates.

STAGE TWO: DATA DISCOVERY

Previously we conducted an enterprise-wide audit of where PHI and other corporate data
elements were stored.

4
CSOL 510 Final Assignment Marc Leeka

Security does not start or stop with cryptographic design and there is no one size fits all or even
one size fits most when it comes to data encryption. The method and type of encryption we
decide to use is one that must be based on requirements specific to our organization and the type
of data. In each of our recommendations, however, we will choose encryption based upon federal
government recommendations with proven encryption algorithms and encryption key lengths
with anticipated durability for a minimum of 10 years.

There are many different encryption types to consider, each with its own set of advantages and
disadvantages. Our three server-based storage areas will be encrypted. This is where data is
encrypted at creation and this is the first level of data security. If the data storage device is
compromised either accidentally or maliciously, the encryption renders it unreadable.

Considerations:
Can increase processing overhead up to 50%
Requires additional processing power/expense
Highly secure and well-suited to active data files
Large-scale data encryption can be unwieldy and impact performance

We will implement AES-CBC encryption (cipher block chaining) to enforce confidentiality (or
we can also use the newly NIST-standardized AES-GCM). In addition to all server drives being
encrypted, we will encrypt all corporate workstation drives. Although data is not stored on
workstations and enforced through Active Directory Group Policies, this is a one-time
deployment that protects a workstation in the event it is stolen (or the hard drive is removed and
stolen). All portable computers have already been encrypted in the event of theft. The USB ports
on workstations have been disabled at the BIOS level and AD Group Policies enforce that policy.

We continue to evaluate appliance-based encryption for our corporate data storage. In those
devices, data leaves the host unencrypted, but then goes to dedicated appliance for encryption.
After encryption, the data enters network or storage device. This is the quickest to implement but
can also be the easiest to bypass:

Considerations:
Costly
Not easily scalable
Good quick fix - for extensive data storage encryption, cost and management complexity of
encrypting in-band can increase significantly

5
CSOL 510 Final Assignment Marc Leeka

The User and Provider data is an SQL server. Special DBMS considerations: 12, 13
DBMS-based encryption may be vulnerable when encryption keys used to encrypt data are
stored in the database table inside the database, and only protected by native DBMS access
controls
Users who have access rights to encrypted data often have access rights to the encryption-
decryption keys. This creates security vulnerabilities because encrypted text is not separated
from means to decrypt it. It also doesn't provide adequate tracking or monitoring of suspicious
activities
Key management and administration capabilities come as built-in features of the product

STAGE THREE: INTERNET KEY EXCHANGE

The Internet Key Exchange (IKE and IKEv2) protocol, described in RFC 2409, is the primary
key management protocol standard which is used in conjunction with the IPsec standard. IPsec
can be configured without IKE, but IKE enhances IPsec by providing additional features,
flexibility, and ease of configuration.

VPN devices and wireless access points managed their own key exchange.

Traffic on the corporate LAN uses IPsec which simplifies and automates the IKE key exchange
mechanism. We will deploy an IPsec policy through Group Policy and use the Kerberos Active
Directory option because it is the quickest and easiest method for management and
troubleshooting. IPsec runs over our segmented network with smart L3 switches.

IPsec can also be implemented on the VPN device. The VPN users run a VPN client and are
configured using a pre-shared key. The VPN client software supports the Kerberos extension.

STAGE FOUR: KERBEROS IMPLEMENTATION

Our Corporate LAN is a Microsoft OS with Active Directory. The Kerberos Key Distribution
Center (KDC) is integrated with other Windows Server security services that run on the Domain
Controller. The KDC uses the domains Active Directory Domain Services database (it stores the
user ID and encrypted password hash authentication credentials) as its security account database.

The KDC performs two service functions: the Authentication Service (AS) and the Ticket-
Granting Service (TGS). Clients request a key; the KDC authenticates the client based on the
user ID and password; the client receives a key; the client authenticates to the data server and/or
other service servers, such as the User and Provider Data SQL server. The service or machine
you request access to never communicates directly with the KDC.

Kerberos (guidelines RFC 1510 and RFC4430) provides a mechanism for trusted third party
authentication for clients and servers.

Kerberos is an all-or-nothing solution. If Kerberos is used on the network, any unencrypted

password transferred to a non-Kerberos aware service is at risk. To secure a network with

6
CSOL 510 Final Assignment Marc Leeka

Kerberos, one must either use Kerberos-aware versions of all client/server applications that
transmit passwords unencrypted, or not use any such client/server applications at all.

Since KDCs store secret keys for every user and server on the network, they must be kept
completely secure. If an attacker got administrative access to the KDC, she would have access to
the resources of the Kerberos realm. We have our Domain Controller running by itself in a
Hyper-V server, and the DC hosts the Active Directory and Kerberos services. Our security
shortlist includes:
Our server must be physically secure.
The operating system should be up to date with all the latest patches applied.
There should be no user accounts on the machine except for the Kerberos administrator.
There should as few processes as possible running on the server other than the Kerberos key
server services.
Furthermore, if the KDC ever goes down, no one can obtain a new key and keys recently
issued will soon expire. We need an additional machine to serve as a Backup Domain
Controller in case there is a hardware problem or a network outage.

STAGE FIVE: PKI IMPLEMENTATION

We will use both publicly-issued and self-issued certificates for our PKI architecture.

We have already purchased a standard, public certificate and installed it in our web server. The
web server establishes a secured, bidirectional tunnel that moves data between our web server
and customers (they use an internet browser), and our web server and providers (they also use an
internet browser). Internet browser software usually comes preloaded with intermediary
certificates issued and signed by most of the well-known Certificate Authorities. Our web server
certificate came from one of the large, public issuers (Symantec, etc.) and that company manages
revocations. We are responsible for protecting the private key used to generate our certificate.

The remote workers use a VPN for connection to the inner firewall. VPN devices manage their
own key exchanges.

The Microsoft Server OS comes with all the tools necessary to manage our self-signed PKI
implementation but it involves lots of steps. The deployment in our corporate LAN farm of
virtual servers will require installation and configuration of:
A Windows 2012 R2 PKI Root Server
A Windows 2012 R2 PKI Issuing/Enterprise Server
Certificate Revocation Lists (CRLs) published through IIS configured through an Exchange
Client Access Server (CAS)
Certificate Web Enrollment

Whereas the prior stage encryption implementations were not expensive and required modest
resources, key exchange is not plug-and-play. Key self-signed certificates require careful design
and planning, then extensive work to implement correctly. This is where we slow down and
carefully plan the implementation.

7
CSOL 510 Final Assignment Marc Leeka

The two most terrifying words to those involved in encryption are key management (KM). Many
encryption failures are due to ineffective KM processes. To stress the importance of KM: the IT
Compliance Institute notes that 80% of 22 SAP testing procedures related to encryption are about
KM. In a study released last month, respondents rated the overall pain associated with
managing keys within their organization. 53% of respondents rate KM at a fairly high pain level.
Reasons: 14
no clear ownership of the key management function
lack of skilled personnel
isolated or fragmented key management systems

Because our encryption effort is driven primarily by compliance requirements, KM becomes yet
even more important. A compliant organization must be able to demonstrate the security of its
entire KM lifecycle, from key generation, storage, renewal, and destruction. Effective KM is as
important as protecting the data itself.

Effective KM policy and design considerations include: 15

How many keys will we need?
Where are keys stored?
Who has access to keys?
How will we manage keys?
How will we protect access to encryption keys?
How often should keys be changed?
What if key is lost or damaged?
How much key management training will we need?
How about disaster recovery?

We also must incorporate encryption as part of our Disaster Recovery/Business Continuity Plan.
Encryption functionality must be available 24 x 7.

CONCLUSION

As mentioned previously, an effective encryption roll-out requires a strategic approach. There

are two main considerations when adopting a more enterprise-wide approach to encryption. They
are: 16

Make sure that users and administrators can use the system transparently and simply in
concert with other operational processes
Ensure that the organization can track and demonstrate that encryption requirements are
effective and being carried out properly

Achieving this across all the areas where I have shown encryption is used is a major and
daunting task. When creating an encryption strategy, there is different encryption for different
scenarios requiring different approaches. A data backup encryption approach will be quite
different from a mobile device encryption, and messaging encryption will be different from
database encryption.

8
CSOL 510 Final Assignment Marc Leeka

We will initially employ the easiest-to-implement and least expensive security controls
including network segmentation and virtual servers using Microsoft Hyper-V. We will
implement IPsec policy through Group Policy. We will inventory all devices and confirm that
all firmware updates are current.
We will apply block ciphers to stored information (called data at rest) and data moving
between devices (called data in transit) with the appropriate mode and key size to
implement a confidentiality policy. Our prior research has determined AES-128, with a
security level of 128 bits, meets all federal and legal requirements (NIST 800-111, NIST 800-
11, NIST 800-21 and NIST 800-57). AES-128 is acceptable for government use through
2030. We have the option of converting to AES-256, a more difficult encryption to break, but
its implementation might be more difficult to integrate with our current applications and
processing the additional encryption would require as much as 40% additional CPU time.
Implementation will require that we make changes to our IDS/IPS scanner.
We will apply hash functions and MACs for our data in transit to enforce integrity and other
security policies. Our prior research has determined HMAC-SHA-256 to be the optimum
choice for our organization because it meets all federal and legal requirements (FIPS-198,
NIST 800-107 and NIST SP 800-107).
For our web-based clients and providers, we will implement an Internet Key Exchange (IKE
and IKEv2) protocol (government recommendation RFC 2409) as our primary key
management protocol standard which is used in conjunction with the IPSec we implemented
at the servers. IPsec can be configured without IKE, but IKE enhances IPsec by providing
additional features, flexibility, and ease of configuration. We use an RSA encryption standard
(NIST SP 800-56B rev 1 and FIPS PUB 186-4) for key establishment and digital signatures.
We will establish a Kerberos key server which provides a mechanism for trusted third party
authentication for clients and servers. Our Kerberos guidelines are RFC 1510 and RFC4430.
We will implement PKI but this is the most complicated an intricate stage of our data security
project. The publicly-issued web server certificate is already in place. We require time,
planning and patience to fully implement the self-signed certificates, a project that may easily
take two or three years.

References
1
Ponemon Institute (2014, April). Aftermath of a Mega Data Breach: Consumer Sentiment. Retrieved on April 24,
2016, from http://www.experian.com/assets/p/data-breach/experian-consumer-study-on-aftermath-of-a-data-
breach.pdf
2
Hackett, R. (2015, March 27). How much do data breaches cost big companies? Shockingly little. Retrieved April
24, 2016, from http://fortune.com/2015/03/27/how-much-do-data-breaches-actually-cost-big-companies-shockingly-
little/
3
Cost of Target's Holiday Season Data Breach: $300 Million. (2015, December 7). Retrieved April 24, 2016, from
http://www.lavasoft.com/mylavasoft/company/blog/cost-of-targets-holiday-season-data-breach-300-million
4
Seals, T. (2015, February 28). Target Breach Costs Could Total $1Bn. Retrieved April 24, 2016, from
http://www.infosecurity-magazine.com/news/target-breach-costs-could-total-1bn/

9
CSOL 510 Final Assignment Marc Leeka

5
Elliot, M. (2015, March 29). Why Thieves Want to Steal Your Medical Records. Retrieved April 24, 2016, from
http://www.cheatsheet.com/personal-finance/why-your-medical-data-is-worth-enough-to-steal.html
6
Yadron, D., & Melinda, B. (2015, February 5). Health Insurer Anthem Didn't Encrypt Stolen Data. Retrieved April
24, 2016, from http://www.wsj.com/articles/investigators-eye-china-in-anthem-hack-1423167560
7
NIST Special Publication 800-66 Revision 1: An Introductory Resource Guide for Implementing the Health
Insurance Portability and Accountability Act Security Rule (October 2008). Retrieved on April 24, 2016, from
http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
8
NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and
Organizations (April 2013). Retrieved on April 24, 2016, from
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
9
Ponemon Institute (2016, February). 2016 Global Encryption Trends Study. Retrieved on April 22, 2016, from
http://images.go.thales-esecurity.com/Web/ThalesEsecurity/%7B5f704501-1e4f-41a8-91ee-
490c2bb492ae%7D_Global_Encryption_Trends_Study_eng_ar.pdf
10
Rothke, B. and Mundhenk, D. (2009, September 10). End-to-End Encryption: The PCI Security Holy Grail.
Retrieved on April 22, 2016, from http://www.csoonline.com/article/2124346/compliance/end-to-end-encryption--
the-pci-security-holy-grail.html
11
Ouellet, E. (December 1, 2008). Tactical Deployment Scenarios for Corporate Encryption. Retrieved on April 22,
2016, from https://www.gartner.com/doc/823314?ref=AnalystProfile&srcId=1-3478922254
12
Rothke, B. (February 27, 2013). RSA Conference 2013 presentation of Deployment Strategies for Effective
Encryption. Retrieved April 22, 2016, from https://www.rsaconference.com/writable/presentations/file_upload/dsp-
w25b.pdf
13
Kenan, K. (2005, October). Cryptography in the Database: The Last Line of Defense 1st Edition. New York:
Addison-Wesley Professional
14
Oracle Database Security Guide, revision 11g (January 2014). Retrieved on April 22, 2016, from
http://docs.oracle.com/cd/B28359_01/network.111/b28531.pdf
15
Rothke, B. and Mundhenk, D. End-to-End Encryption: The PCI Security Holy Grail. Previously cited
16
Ponemon Institute (2016, February previously cited
17
Stamp, P. (2007, March). Adopting An Enterprise Approach To Encryption. Summary retrieved on April 24, 2016,
from https://www.forrester.com/report/Adopting+An+Enterprise+Approach+To+Encryption/-/E-RES41736

10