Digital Certificates

Digital Certificates

We do most of our transaction digitally right from our Banking transaction to our Mobile eCommerce transaction, or IOT based transaction etc., hence to do a secure digital transaction we use the digital certificate. Digital Certificate is a certificate issued by a Certification Authority validating the individual or organisation. The Certificates validates that a website or mobile transaction platform is trusted and safe.

Some of the important things to look out are:

-  Who issued the certificate?

-  Who the certificate is issued to.

-  Valid to

-  Public Key 

-  Digital Signature.

Certificate are used for identification and encryption which grants the right to access information or other services online. It includes ensuring the identity of all parties involved. They include public key that is used of encryption of data like email document, secure web transaction etc.

Public Key Infrastructure (PKI): As mentioned above PKI is also known as trusted hierarchy, public key infrastructure is a system of Digital certificates, Certification Authorities (CA’s) and other registration authorities (RA’s) used to verify and .authenticate the validity of parties involved in an internet transaction.

Digital Signature: A Digital Signature is based on asymmetric cryptography. Digital Signature has a Hash function which represents the digital signature which is mathematical value for that certificate. It’s a one-way process using a private key to generate a digital signature, the same can be checked by using a public key for Decryption which again is a mathematical value and outcome should be the original Hash value which would ascertain that the certificate is not altered or damaged. If the hash value is not correct, it would mean that the certificate is corrupt or is tampered with. 

A private key is paired with the Public key; however, the private key is stored separately.

A certificate includes the certificate holder's public key, information about individual, computer, or organisation to which the certificate is issued, information about certification authority (CA), the date of issue and expiry of certificate and the serial number of certificate.

Certification Authority: Certificate is essentially a file with data in it. Hence the trust model work in certification to validate the data and Certification Authority role is important. The Certification Authority does the checks before issuing the certificate and that it’s trusted. The Certification authorities certify and create an electronic document that is a Digital certificate that verifies individuals and organization are who they say they are. Hence is also important that Certification Authority is also a Trusted Source. The organization can have an additional level of certification authority normally followed is Root SA and child SA trust model. 

A CA essentially is a hierarchical system composed of software, hardware, procedures, policies and administrators who validate the request and generates certificates. 

Now with sources of the transaction happening over Mobile & IOT apart from Web Digital Certificate has high importance for security while we do digital transactions.

Hardware Security Architecture.

Hardware Security Architecture.

Hardware security is an important aspect, firstly any one who is using machine today is getting some form of protection from hardware, secondly there are more security oriented properties that are coming in new chips in market in couple of years, and thirdly there are important properties that can only be build on hardware and software can build on those.

Machines today are connected and vulnerable to cyber threat. The type of threats we have are Memory corruption, data disclosure, code injection, control flow diversion, return oriented programming. The types of method attacker today can use are Type – Instruction, data, pointer, Extent – Base, Bounds and Ownership – component, access right. Architecture grantees that every thing would be right.

A lot of security issue we face today is because of the hardware security Architecture issues. Originally Multics was a machine designed for security, however machines that we have today security is an after thought. Multics was originally a project between MIT, which was designing things, General electric who was making hardware and Bell labs who was the user. However bell labs got little nervous and wanted some thing that work then and they designed a much simpler system on a less expensive piece of hardware and the system was called Unix, which was a trimmed down, lesser feature output of Multics. Unix was later widely used and is the predecessor of Linux and variety of system we used today.

In this transition what we lost was the idea of segmentation, we lost the idea of rings. What it carried forward was some ideas from Multics, ideas of permission and level of privileges, which in most machines that's just at the kernels as against user made distinction in Multics. Multics was programmed in a higher level language called PL/1, whereas Unix moved to a very low-level language called C, which is also the reason of lot of problem we face today.

Multics had some very important, very high leverage usage particularly in defense system. It work on fundamental three principles, first of these is of complete mediation, Secondly, separate privileges, and thirds principle is of least privileges. The fundamental principle was to do its job most of the time the Kernel does not need to read your data, segmentation at memory and use of access control rings.

Multics was much earlier a project in MIT, the idea of which was to develop a computer utility which could share its very expensive resources and people could access these resources. And the next leap today, which is now taking forward Multics is Cloud computing a network computing of all different kind of client server architecture.

The other things thats happening is at processor level it can make sure that only high users can access high data and thing that’s coming now is is fat pointer which means that every pointer to the memory is bounded above and below which bounds of the object which the pointer is pointing into and Intel has a feature MPX which helps enforce this property.

GDPR Summit London 2017

I today attended GDPR Summit 2017 in London, I am intrigued by GDPR as it gives power and rights to common citizens and many countries are following the same. As one of the speakers put it IT  has  led societies transformation and evolution however it has to now be balanced or normalized with other aspects of life. GDPR is primarily meant for the good of the citizen, and the society, the purpose of GDPR is to make sure that companies use personal information with the consent of individual which can be their employees (current, past or people they might have interviewed), suppliers and customers. The Individual would have the right to take back their consent as and when required and their data would be deleted from company’s system. 

The deterrent for GDPR non-compliance is not just the 4% or 20 million Euro fine but also the fact that the companies can also be barred by the regulator from processing data temporarily or even permanently. The positive side is making Data ethics a competitive advantage.

The stake holders in organisation GDPR implementation are Legal, Human Resource, Information Technology and Marketing. DPIA – Data privacy impact assessment under article 35 of GDPR is another aspect. High-risk processing activity under article 35(7)a of GDPR processing is an important factor. Employee consultation and survey for the customer is recommended. Also in case of cloud computing the responsibility would be with the controller. Some of the addition to Article 30 include article 7, article 15-19, article 20, article 32, article 44 – 46.

Data Privacy Officer is the mandatory position for all companies, and privacy officer and Data privacy officer is two different roles. Data Privacy officer can also be a part-time role. Another aspect was right to be forgotten, and the fact that ERP does not delete the data but red flags it and the data do not pop up in the system but resides in the system is understood. Hence analyzation and tokenization of data are recommended. In tokenization audit, trail and Login function match should be conducted analyzed and blocked.

Another aspect of data privacy came out on Application security and IoT – Internet of things. While Application security primarily included session hijacking, phishing, etc., IoT can also lead to a possible source of infiltrating into the network and accessing the data. Hence Application level and IoT security are an important aspect. Security monitoring is another key aspect function of data privacy. Cloud is another area where need for security  was  emphasized. While Ben Westwood - Data protection Officer of  eBay explained the complexity involved in data privacy management for an eCommerce company.

Marketing is further another function that gets impacted by GDPR, email campaign, cookies tracking, search engine optimisation can no longer be conducted without the consent of the customer, and customer consent form should be simplified for the understanding of an ordinary computer or smart phone user. It was also acknowledged that the Personal data of non-corporate users is almost around 80% of the data under GDPR which is processed by companies, while 20% is the employee data and hence solutions need to be planned and designed basis same. 

It was acknowledged that countries like India, Singapore, Hong Kong have also adapted data privacy apart from Europe. Countries like South Africa have their own data privacy law POPI.

The IT adaptation in every individual life has penetrated to a large extent, in fact, it has impacted the way we live our lives and conduct our business, and this has rapidly involved in past 15  to 20 years and needs some form of governance hence idea to bring principles and ethics into the equation. The intent and heart to introduce GDPR is in the right place and companies would need to live with this new reality and comply. However to over seeing GDPR regulation would require highly intellectual indivituals with high integrity and conviction as there is possibility of alternative narrative been given and they would have to distinguish between narrative in interest of people and society against vested interested.

Security Operations Centre (SOC)

Security Operations Center:

A Security operations center (SOC) is that facility or multiple facilities of an organization or an organization’s service provider having qualified people using string set of technology solution and a strong set of process. The operation conducted by a SOC is of continuous monitoring, analyzing and responding to security posture and the threat to an organization.

The Three tenant of a Security Operating Center are People, Process and System. The harmonic synchronization of the three provides the organization with Visibility, Analysis, and Action.

- People: Includes trained people with certification, knowledge and vendor specific experience and skills.

- Process: Includes preparation, analysis, recovery, identification, containment, learning and knowledge retentions & transfer.

- System: Includes the End Point Protection, Perimeter Security, Data Center Security, Forensics and Incident Detection Management.

This allows for Data Aggregation, Data Analysis and 360 degree real time dashboard for the organization to detect, prevent and respond to any threat at the same time to do Forensics.

https://youtu.be/uj8PuaXyygU

The SOC operation typically can be broken up into Monitoring, Analyzing and Responding to Insider threat and that too of outsider threat.

-    The insider threat would typically be from employees or value chain partner like supplier and buyers. And organization would want the SOC to monitor Identity & Access Manager (IAM), Privileged Access Manager (PAM), Active Directory, Data Leakage Prevention(DLP), Compliance tools, etc.

-    The Outsider Threat is monitoring of Network Security – Firewall, Network IPS, Network Security Appliance for Email, The Web, etc., End Point Security, Data Center Security, NAC, Network Access Control.

A typical SOC would have some form of SIEM – Security Incident Event Monitoring and a Log collector to collect log from various security tools at various sites and some for security intelligence.

However, the security landscape has changed SIEM alone is no more as effective since the security and digital landscape has evolved. The threat landscape now also includes Social Engineering, Mobile devices & BYOD – Bring your own device has new challenges and threat thrown at the organization for application and content security. IoT – Internet of things present new form of security challenges, Industrial Security & Physical Security are as important as IT- Information technology security. And cloud migration brings new form of security integration challenges at least in short term. There is a lot happening outside the organization echo system in their industry and deep dark web which can affect the organization, its IT & Industrial asset, intellectual property and bring down their operation.

An organization should look at the tool and solution that address these new challenges to security in their Security Operating Center. All this requires to look into various facets of security, and this would involve data monitoring inside and outside of organization which is structured and unstructured at the same time would be in high volumes, varsity, and velocity hence organization or their service provider would need Artificial Intelligence (AI) to help them.

Future looking SOC would not just monitor IT, but also OT  (Operational Technology /Industrial) asset should have various advance treat analytics solution embedded along with threat intelligence, Integrated real-time dash board along with Forensic capabilities to allows access to the SOC provider customer in case organization use a third party SOC. Most importantly the SOC should be global and be having redundancy. It is imminent that Artificial intelligence is plugged to the SOC and the organization ties up with the external academics research center to get updates on research being carried out in the Security landscape.