CarahCast: Podcasts on Technology in the Public Sector

Who’s Minding the Keys to the Kingdom: The Importance of Encryption, Key Management and Root of Trust

Episode Summary

Listen to our podcast episode featuring Entrust industry experts to discover how agencies leverage HSM encryption to store, protect and manage cryptographic keys.

Episode Transcription

Anthony Jimenez 

Welcome back to CarahCast, the podcast from Carahsoft, the Trusted Government IT Solutions Provider. Subscribe to get the latest technology updates in the public sector. I'm Anthony Jimenez, your host from the Carahsoft production team. On behalf of Entrust and Carahsoft, we would like to welcome you to today's podcast, focused around utilizing HSMs to protect your cryptographic keys and adding a robust layer of security to prevent attackers from finding those keys. Andrew Sheedy, digital security consultant at Entrust, and David Low, global vice president of professional services, discuss establishing a Root of Trust within your organization.


Andrew Sheedy 

Hi everybody, my name is Andrew Sheedy. I am with the Entrust global center of excellence. My specialty is PKI; I have been in the PKI and credentialing space for close to 20 years, supporting federal agencies and some state and local councils as well. And today, what we're going to talk to you about is protecting the keys that safeguard your organizational, citizen and corporate data. To kind of set the stage here, that corporate data, and this can be extrapolated to other types of data in an organization, whether it's IP, citizen data, student data, certainly any kind of personally identifiable data that is confidential to the organization, we want to make sure it's protected. That's the crown jewels of the organization; we need to take steps to protect that data. And there are a variety of different techniques for doing that. And today, what we're going to do is focus on data encryption as a way of protecting that data. So a little bit about encryption. Most of you probably know this, but it is a process, typically a mathematical algorithm, through which data is encoded and processed, and the resulting ciphertext is generally concealed or inaccessible to unauthorized users. So in a symmetric key situation, one key will decrypt data. In an asymmetric scheme, you require the private key to decrypt data. But it's a very, very mature technology, there's obviously two different types of it, and it's well understood. It protects data, and it also enhances the security of communication between client apps and servers. So the application of encryption can be for data in motion and for data at rest. We understand that the threats are just about everywhere. So we've got insider threat, we've got external threat, malicious actors, nation-state attacks, etc. And sometimes those things intersect. And they use a variety of different techniques.
I think all of us have been through enough security training at this point in our careers, and been exposed to enough material breaches, that we understand there are a variety of different ways of attacking the infrastructure of organizations who are trying to protect data. Right, one of the things that we need to make sure we're doing, obviously, and this kind of goes to a Zero Trust type of paradigm, is we need to assume that we've been breached. And we need to make sure that we are protecting data from all types of threats. This is done using encryption. So the top five drivers for using encryption, interestingly, right: first and foremost, to protect personal information; to protect information against specific identified threats, so to me, those are two parts of the same coin; intellectual property, again, is extremely important, confidential data that organizations need to protect; compliance, you know, some people view that as checking a box, but there are very real penalties, as most of you probably know, to unauthorized breaches; and then obviously, to limit the liability from breaches or inadvertent disclosure. So to me, the last two are sort of part of the same story. How do you keep data secure? And how do you make sure that it stays encrypted? You've got to make sure that you're securing your keys. And we're gonna get into that a little bit, about how you do that with Entrust solutions. But it's critical to make sure that those keys are protected by any means necessary, for securing the infrastructure, communications and applications, and for any of the keys being used for authentication, authorization and encryption. So this really goes to a Zero Trust paradigm, where we want to make sure that we're verifying explicitly at the time of access. We're authenticating everyone in a strong fashion, including workloads, devices and humans, and all data is encrypted unless the user has access to a key that allows decryption of that data.
And you know, we want to protect keys because obviously, especially in symmetric situations, a single compromised key can expose the data. I want to talk about a case study real quickly here that kind of demonstrates what we're going to talk about. So just a spoiler alert, we're going to talk to you a little bit about hardware security modules, which are very, very strong cryptographic devices. They've got modules inside of them that are designed to withstand a great deal of external pressure and protect keys to a very, very high level. Oftentimes, and I encounter this quite a bit in the work that I do here at Entrust, encryption of databases may be well understood, encryption of data at rest may be well understood, but what may not be well understood is securing an enterprise PKI with a hardware security module. And I'm just going to walk through a case study. This was a large North American manufacturer that is a customer of ours; it was not prior to this. But what ended up happening was their certificate authority infrastructure, their PKI, was run on premise, and was compromised by a malicious actor using known exploit tools. These tools were published and presented at BlackHat in 2021. Ultimately, the attack was successful because the customer did not deploy a hardware security module to protect their root and issuing CAs. What ended up happening was the malicious actor was able to compromise the network. Initially, they were able to export the signing keys of the root CA, which was basically an authoritative certificate authority for their Active Directory infrastructure. As a result, the user was able to stand up a rogue CA in their environment, and then was able to serve actual authentication requests to users, get a copy of the Active Directory database, and reverse engineer passwords and Kerberos tokens, or Kerberos tickets, sorry, for user authentication. So it was a real disaster for this customer.
When we were brought in by a third party, at that point our recommendation was, we had to essentially take down the PKI. So we revoked all of the certificate authority certificates. We deployed, with best practices, a new root and new issuing CAs, with HSMs this time, and proper architecture and proper tuning. We had to push out the new CA certificates, and all new endpoint and subscriber certificates were reissued. This took a period of six weeks, I think, from beginning to end. So it was not a quick solution. The conclusion coming out of this is, you know, a very, very straightforward best practice, and all vendors in the security space will recommend this: deploy HSMs for your critical infrastructure, especially your trust anchors in your organization. I am going to pass over to David Low for the second part of the presentation.


David Low 

Good afternoon, folks. Thanks. I'm David Low. I run the professional services organization worldwide for Entrust, for the digital security division. And a big portion of that is working with customers who are using encryption to protect all kinds of information all over the world in lots of different environments, everything from military contractors to the state, local and educational sector to the commercial sector, to some of the largest tech companies that you probably have sitting on your desk or in your pocket. So I want to talk a little bit about the technology and a little bit of sort of the practical application of minding your keys. One of the things that we talk to our customers about is when you store keys in software. Andrew sort of talked about how that was done in that case study. It is pretty easy to find software keys that are in storage. If you happen to know the operating system, you happen to know or have access to the file system, it's pretty easy to scan those environments and find software keys. So sometimes when people see the case studies, they think, oh, you know, that's a one in a billion shot. That'll never happen to us. You know, it's got to be some high-level state actor that's doing something like this. You know, these tools are available freely online. It doesn't take a team of PhDs to do this stuff. So it is pretty easy to spot crypto within an environment. When we think about cryptography, there's a saying, you know: crypto is easy, it's key management that's hard. And that's because, you know, the crypto algorithms have been around for a long time, there's new ones that are coming to, you know, deal with the post-quantum threat, but there is sort of one thing that they all have in common.
And that's, you know, they need keys to operate. Whether it's a single key for symmetric cryptography or two keys for asymmetric cryptography, you have to be able to securely create those keys, you have to be able to store them securely, manage access to them, understand metadata about those keys: what are they for? When do they expire? Who's had access to them? Right, because if I don't understand any of that, if I just leave the keys laying around, it's, you know, essentially the equivalent of locking the front door and just putting the key under a rock out front, or under the mat, or up on the windowsill, or under the plant. Right, there's a couple of places people look for it, and generally it's in one of those places. So you really want sort of a lockbox for those keys, to be able to say, hey, look, you know, only certain people are going to be able to access those keys at certain times for certain reasons. And you know, this isn't just a personal opinion thing, or an Entrust opinion thing. You know, we see that really coming from a variety of sources, right. So Microsoft, NIST, and lots of other organizations will tell you that it is really super important to be able to protect your keys. The hardware that Andrew referenced earlier, the hardware security module, or HSM, is a piece of hardware that provides physical protection for the keys. It provides random key material to be able to create keys to begin with, and is something that we see in the majority of organizations that are seriously using cryptography, as a trust anchor, as a way to make sure that those keys are used where they're supposed to be used, to make sure that they're protected, and to make sure that they're not subject to being stolen. So if for some reason, let's see, I'm using a key to protect the file system, or a file, or a database table, if that file or database table is compromised, someone steals it, it's encrypted.
If I've got the key that protects that stored separately in a hardware security module, then I would need to compromise that as well to have access to the data, rather than, say, you know, storing the key in a database, and then someone compromises the database and gets both the key and the encrypted data. You would think that that's not very common practice; I will tell you that in the real world, we see all kinds of interesting key management and key security methods that are used. Unfortunately, not all of them are very secure. So we highly recommend storage of keys within the hardware security module. I think, you know, some of the important things to consider as you think about using an HSM in particular: obviously, you want something that is certified. So we at Entrust are FIPS certified, and you'll find that true for most hardware security modules; Common Criteria certified, probably nobody in the audience is over in Europe, but that's a very important certification there; as well as the ability to consume the HSM either as a typical on-premise piece of hardware or in the cloud as a service that's backed by that same hardware. And that allows you some flexibility. If you do have areas where you want to shore up your security, you want to move keys, or start creating them in hardware, not software, being able to stand that up as a service pretty quickly without having to physically acquire the hardware is very helpful for a lot of our customers. And it is important to think about all the places that your organization uses cryptography. We talk to a lot of customers, and they will say, oh, yeah, we know where we're using crypto. Well, we use it, you know, we have our SQL Server database, we have an Oracle database, we encrypt those. We've got a PKI that we use to issue certificates for our wireless network and our laptops, and we've got an HSM behind that.
And then, yeah, I think we use encryption in our PDFs for sensitive documents so that only people with the password can read them. And that's about as far as they think of it. So we often go in and say, all right, well, that may be true. What about your building security system? Right? When you badge in, who's managing the keys for that? If you're a company that makes products, right, if those products have intelligent devices in them, are you encrypting that data? Are you validating the software that's allowed to run in your environment by digitally signing it? Are you requiring that any messages that go in and out are encrypted or insecure? Are you looking at secure data exchange with other entities outside your environment? Do you do anything on blockchain, and not just financial blockchain but contractual blockchains and other technologies that require the use of cryptography? And, you know, I think we have roughly a 130-line sort of checklist on all of these different areas where cryptography can be used in an enterprise. And very often, the folks who own cryptography, or in many cases just the security folks, never really kind of stopped to put a list like that together, right? They're not necessarily sure of the footprint. And then once they kind of go through and see that footprint, it's like, yeah, okay, we probably have a lot of keys laying around, because I know we're using encryption out there. And I know we're not managing those keys centrally, I know we're not using an HSM for them, I know we're not using them anywhere really outside of that product. So yeah, there's definitely some vulnerability there. So it is important to think about all the places you might use cryptography. And, you know, the good news, from an Entrust perspective, is we have a very wide variety of customers and partners we work with to embed that HSM connectivity in that piece of software.
So as an example, you know, SQL Server and Oracle, F5, Cisco, Palo Alto, all of the, you know, sort of the big names have the ability to connect and use our HSMs in the background. So it's built into most of those types of products. One of the challenges that folks have, and we're seeing this now, is as they move to the cloud, they're just assuming, well, we'll just do, you know, I'm gonna move to Azure, so Azure has key management, we'll just use that when we're in Azure, or, you know, oh, I've got AWS, I can set up the Key Vault, and I'll just set it up that way. The challenge is, those things work great in their environments; they don't work really well out of their environments. And what we're finding is a lot of customers are working not just multicloud, but cross cloud, right? I want to be able to have some portability. I want to be able to move data from one platform to another securely. I don't want to have to think about, are my keys locked up in that particular cloud environment? Can I get them out? Can I move them? Are they going to be susceptible, if that environment is compromised? Am I compromising those keys as well? So a big reason behind using HSMs is really isolating those cryptographic operations, and having that separation of duties physically enforced. So, you know, if I am the system admin, or, on Windows, I'm a Windows Domain Admin, and I have the ability to go in and define what keys are used for my certificate authority, or for issuing certificates to my devices that are attached to my domain, that's great, I want to be able to do that. But when I create a new certificate for that, I want another party to be involved, because that's not something I do every day; it's something that requires a lot of trust, right, because any certificate generated off of that is going to be trusted.
So I've got to make sure that that is secure. I may want somebody in the cryptographic operations group to get their smart cards out of the safe and put them in the reader and validate that it is being issued to me for that purpose, just sort of an example of physical separation of duties. And then, you know, there are all kinds of interesting things you can do with cryptography and hardware security modules. And I think, you know, the biggest thing to think about really is, this really is the keys to the kingdom. And I have to make sure they're secure. If I don't, particularly if I have things that are the Root of Trust, the Root of Trust for the certificate authority, that we trust for database encryption, the Root of Trust for identity within my enterprise, if that's compromised, then everything underneath that is compromised. So the loss of one key or the compromise of one system can lead to the compromise of an entire enterprise. I think that's, you know, really kind of some of the material I wanted to close out on. And certainly those wanting more information around our hardware security modules can find us at entrust.com/hsm. I will close out the presentation portion of this by thanking everyone for attending. And I know that there's certainly lots of details you can cover underneath this topic, but we wanted to kind of give a broad brush of why it's important to protect your keys in a hardware security module and what the potential impacts can be if those keys aren't compromised.


Anthony Jimenez 

Thanks for listening. And thank you to our guests, Andrew Sheedy and David Low. Don't forget to like, comment, and subscribe to CarahCast, and be sure to listen to our other discussions. If you'd like more information on how Carahsoft or Entrust can assist your organization, please visit www.carahsoft.com or email us at entrust@carahsoft.com. Thanks again for listening and have a great day.