Page-1 Sheet.1254 Sheet.656 Database server Sheet.139 Sheet.140 Sheet.141 Person - torso.179 Sheet.180 Sheet.181 Sheet.182 Sheet.183 Sheet.184 Sheet.185 Sheet.186 Sheet.187 Dynamic connector SSL/TLS Connection SSL/TLS Connection Terminal.188 Sheet.189 Sheet.190 Sheet.191 Application server.192 Sheet.193 Sheet.194 Sheet.195 Sheet.196 Sheet.197 Dynamic connector.209 Sheet.210 Filling out a company health insurance enrollment form at work Filling out a company health insurance enrollment form at work Sheet.212 Health insurance enrollment website Health insurance enrollment website Sheet.213 Health insurance enrollment database Health insurance enrollment database Sheet.214 Straightforward health insurance enrollment over the Web Straightforward health insurance enrollment over the Web Sheet.215 … or so it seems … or so it seems Sheet.217 “The health insurance company’s URL is correct, and my browse... “The health insurance company’s URL is correct, and my browser shows a lock’ icon. I should be safe now!” Database server.223 Sheet.224 Sheet.225 Sheet.226 Person - torso.227 Sheet.228 Sheet.229 Sheet.230 Sheet.231 Sheet.232 Sheet.233 Sheet.234 Sheet.235 Dynamic connector.236 SSL/TLS Connection SSL/TLS Connection Terminal.237 Sheet.238 Sheet.239 Sheet.240 Application server.241 Sheet.242 Sheet.243 Sheet.244 Sheet.245 Sheet.246 Dynamic connector.247 Sheet.248 Filling out a company health insurance enrollment form at work Filling out a company health insurance enrollment form at work Sheet.249 Health insurance enrollment website Health insurance enrollment website Sheet.250 Health insurance enrollment database Health insurance enrollment database Sheet.251 Straightforward health insurance enrollment over the Web Straightforward health insurance enrollment over the Web Slate Device.254 Sheet.255 Sheet.256 Sheet.257 Sheet.258 Sheet.259 Leak #1! The user has an anti-virus that uses its own signing... Leak #1! The user has an anti-virus that uses its own signing certificate to scan all web traffic Sheet.261 Dynamic connector.262 Dynamic connector.263 Sheet.264 Anti-Virus Program Anti-Virus Program Database server.265 Sheet.266 Sheet.267 Sheet.268 Person - torso.269 Sheet.270 Sheet.271 Sheet.272 Sheet.273 Sheet.274 Sheet.275 Sheet.276 Sheet.277 Dynamic connector.278 SSL/TLS Connection SSL/TLS Connection Terminal.279 Sheet.280 Sheet.281 Sheet.282 Application server.283 Sheet.284 Sheet.285 Sheet.286 Sheet.287 Sheet.288 Dynamic connector.289 Sheet.290 Filling out a company health insurance enrollment form at work Filling out a company health insurance enrollment form at work Sheet.291 Health insurance enrollment website Health insurance enrollment website Sheet.292 Straightforward health insurance enrollment over the Web Straightforward health insurance enrollment over the Web Sheet.295 Leak #2! The company uses an SSL Proxy for deep-packet inspec... Leak #2! The company uses an SSL Proxy for deep-packet inspection at part of their Data Loss Prevention Switch.297 Sheet.298 Sheet.299 Sheet.300 Sheet.301 Slate Device.302 Sheet.303 Sheet.304 Sheet.305 Sheet.306 Sheet.307 Leak #1! The user has an anti-virus that uses its own signing... Leak #1! The user has an anti-virus that uses its own signing certificate to scan all web traffic Dynamic connector.308 Dynamic connector.309 Revision cloud Sheet.311 Leak #3! The company’s ISP uses an SSL Proxy for bandwidth co... Leak #3! The company’s ISP uses an SSL Proxy for bandwidth compression … and for advertising Database server.312 Sheet.313 Sheet.314 Sheet.315 Person - torso.316 Sheet.317 Sheet.318 Sheet.319 Sheet.320 Sheet.321 Sheet.322 Sheet.323 Sheet.324 Dynamic connector.325 SSL/TLS Connection SSL/TLS Connection Terminal.326 Sheet.327 Sheet.328 Sheet.329 Application server.330 Sheet.331 Sheet.332 Sheet.333 Sheet.334 Sheet.335 Dynamic connector.336 Sheet.337 Filling out a company health insurance enrollment form at work Filling out a company health insurance enrollment form at work Sheet.338 Health insurance enrollment website Health insurance enrollment website Sheet.339 Straightforward health insurance enrollment over the Web Straightforward health insurance enrollment over the Web Sheet.340 Leak #2! The company uses an SSL Proxy for deep-packet inspec... Leak #2! The company uses an SSL Proxy for deep-packet inspection at part of their Data Loss Prevention Switch.341 Sheet.342 Sheet.343 Sheet.344 Sheet.345 Slate Device.346 Sheet.347 Sheet.348 Sheet.349 Sheet.350 Sheet.351 Leak #1! The user has an anti-virus that uses its own signing... Leak #1! The user has an anti-virus that uses its own signing certificate to scan all web traffic Dynamic connector.352 Dynamic connector.353 Revision cloud.354 Sheet.355 Leak #3! The company’s ISP uses an SSL Proxy for bandwidth co... Leak #3! The company’s ISP uses an SSL Proxy for bandwidth compression … and for advertising Revision cloud.356 Sheet.357 Leak #4! The health insurance company uses a Content Distribu... Leak #4! The health insurance company uses a Content Distribution Network for fast, regional communications. The Flexible SSL plan was the cheapest option Sheet.359 Sheet.360 Sheet.361 No SSL!!! No SSL!!! Database server.362 Sheet.363 Sheet.364 Sheet.365 Person - torso.366 Sheet.367 Sheet.368 Sheet.369 Sheet.370 Sheet.371 Sheet.372 Sheet.373 Sheet.374 Dynamic connector.375 SSL/TLS Connection SSL/TLS Connection Terminal.376 Sheet.377 Sheet.378 Sheet.379 Application server.380 Sheet.381 Sheet.382 Sheet.383 Sheet.384 Sheet.385 Dynamic connector.386 Sheet.387 Filling out a company health insurance enrollment form at work Filling out a company health insurance enrollment form at work Sheet.388 Health insurance enrollment website Health insurance enrollment website Sheet.389 Straightforward health insurance enrollment over the Web Straightforward health insurance enrollment over the Web Sheet.390 Leak #2! The company uses an SSL Proxy for deep-packet inspec... Leak #2! The company uses an SSL Proxy for deep-packet inspection at part of their Data Loss Prevention Switch.391 Sheet.392 Sheet.393 Sheet.394 Sheet.395 Slate Device.396 Sheet.397 Sheet.398 Sheet.399 Sheet.400 Sheet.401 Leak #1! The user has an anti-virus that uses its own signing... Leak #1! The user has an anti-virus that uses its own signing certificate to scan all web traffic Dynamic connector.402 Dynamic connector.403 Revision cloud.404 Sheet.405 Leak #3! The company’s ISP uses an SSL Proxy for bandwidth co... Leak #3! The company’s ISP uses an SSL Proxy for bandwidth compression … and for advertising Revision cloud.406 Sheet.407 Leak #4! The health insurance company uses a Content Distribu... Leak #4! The health insurance company uses a Content Distribution Network for fast, regional communications. The Flexible SSL plan was the cheapest option Certificate server Sheet.412 Sheet.413 Sheet.414 Sheet.415 Sheet.416 Sheet.417 Leak #5! The hosting provider uses a load balancer/SSL accele... Leak #5! The hosting provider uses a load balancer/SSL accelerator. The connection is now plain text from here on the database Sheet.421 Database server.422 Sheet.423 Sheet.424 Sheet.425 Person - torso.426 Sheet.427 Sheet.428 Sheet.429 Sheet.430 Sheet.431 Sheet.432 Sheet.433 Sheet.434 Dynamic connector.435 SSL/TLS Connection SSL/TLS Connection Terminal.436 Sheet.437 Sheet.438 Sheet.439 Application server.440 Sheet.441 Sheet.442 Sheet.443 Sheet.444 Sheet.445 Dynamic connector.446 Sheet.447 Filling out a company health insurance enrollment form at work Filling out a company health insurance enrollment form at work Sheet.448 Health insurance enrollment website Health insurance enrollment website Sheet.449 Straightforward health insurance enrollment over the Web Straightforward health insurance enrollment over the Web Sheet.450 Leak #2! The company uses an SSL Proxy for deep-packet inspec... Leak #2! The company uses an SSL Proxy for deep-packet inspection at part of their Data Loss Prevention Switch.451 Sheet.452 Sheet.453 Sheet.454 Sheet.455 Slate Device.456 Sheet.457 Sheet.458 Sheet.459 Sheet.460 Sheet.461 Leak #1! The user has an anti-virus that uses its own signing... Leak #1! The user has an anti-virus that uses its own signing certificate to scan all web traffic Dynamic connector.462 Dynamic connector.463 Revision cloud.464 Sheet.465 Leak #3! The company’s ISP uses an SSL Proxy for bandwidth co... Leak #3! The company’s ISP uses an SSL Proxy for bandwidth compression … and for advertising Revision cloud.466 Sheet.467 Leak #4! The health insurance company uses a Content Distribu... Leak #4! The health insurance company uses a Content Distribution Network for fast, regional communications. The Flexible SSL plan was the cheapest option Certificate server.468 Sheet.469 Sheet.470 Sheet.471 Sheet.472 Sheet.473 Sheet.474 Leak #5! The hosting provider uses a load balancer/SSL accele... Leak #5! The hosting provider uses a load balancer/SSL accelerator. The connection is now plain text from here on the database Dynamic connector.476 Dynamic connector.477 Switch.478 Sheet.479 Sheet.480 Sheet.481 Sheet.482 Sheet.483 Leak #6! The hosting data center uses virtual local area netw... Leak #6! The hosting data center uses virtual local area networks, with spanning ports for diagnostics Sheet.485 Database server.486 Sheet.487 Sheet.488 Sheet.489 Person - torso.490 Sheet.491 Sheet.492 Sheet.493 Sheet.494 Sheet.495 Sheet.496 Sheet.497 Sheet.498 Dynamic connector.499 SSL/TLS Connection SSL/TLS Connection Terminal.500 Sheet.501 Sheet.502 Sheet.503 Application server.504 Sheet.505 Sheet.506 Sheet.507 Sheet.508 Sheet.509 Dynamic connector.510 Sheet.511 Filling out a company health insurance enrollment form at work Filling out a company health insurance enrollment form at work Sheet.512 Health insurance enrollment website Health insurance enrollment website Sheet.513 Straightforward health insurance enrollment over the Web Straightforward health insurance enrollment over the Web Sheet.514 Leak #2! The company uses an SSL Proxy for deep-packet inspec... Leak #2! The company uses an SSL Proxy for deep-packet inspection at part of their Data Loss Prevention Switch.515 Sheet.516 Sheet.517 Sheet.518 Sheet.519 Slate Device.520 Sheet.521 Sheet.522 Sheet.523 Sheet.524 Sheet.525 Leak #1! The user has an anti-virus that uses its own signing... Leak #1! The user has an anti-virus that uses its own signing certificate to scan all web traffic Dynamic connector.526 Dynamic connector.527 Revision cloud.528 Sheet.529 Leak #3! The company’s ISP uses an SSL Proxy for bandwidth co... Leak #3! The company’s ISP uses an SSL Proxy for bandwidth compression … and for advertising Revision cloud.530 Sheet.531 Leak #4! The health insurance company uses a Content Distribu... Leak #4! The health insurance company uses a Content Distribution Network for fast, regional communications. The Flexible SSL plan was the cheapest option Certificate server.532 Sheet.533 Sheet.534 Sheet.535 Sheet.536 Sheet.537 Sheet.538 Leak #5! The hosting provider uses a load balancer/SSL accele... Leak #5! The hosting provider uses a load balancer/SSL accelerator. The connection is now plain text from here on the database Dynamic connector.539 Switch.540 Sheet.541 Sheet.542 Sheet.543 Sheet.544 Sheet.545 Leak #6! The hosting data center uses virtual local area netw... Leak #6! The hosting data center uses virtual local area networks, with spanning ports for diagnostics Sheet.547 Leak #7! The health insurance website is hosted in a virtual ... Leak #7! The health insurance website is hosted in a virtual machine Sheet.548 Sheet.549 Sheet.550 Sheet.551 Sheet.552 Sheet.553 Sheet.554 Sheet.555 Sheet.556 Sheet.557 Sheet.558 Sheet.559 Protecting Data At Rest – Encrypted Database Protecting Data At Rest – Encrypted Database Sheet.560 Encryption Key: Hardware HSM? Expensive, not all hosting prov... Encryption Key: · Hardware HSM? Expensive, not all hosting providers support them · Provided through SSL??? · Always visible within the database processes Sheet.561 Sheet.563 Protecting Data At Rest – Encrypted Database Protecting Data At Rest – Encrypted Database Sheet.564 Encryption Key: Hardware HSM? Expensive, not all hosting prov... Encryption Key: · Hardware HSM? Expensive, not all hosting providers support them · Provided through SSL??? · Always visible within the database processes Sheet.565 Sheet.566 The gentleman on the right is your new System Administrator The gentleman on the right is your new System Administrator Sheet.567 Sheet.568 Sheet.569 Sheet.570 Sheet.571 Sheet.574 Sheet.572 / Xeni Jardin / 9:25 am Wed Oct 5, 2016 FBI arrests "Shadow B... / Xeni Jardin / 9:25 am Wed Oct 5, 2016 FBI arrests "Shadow Brokers" leak suspect charged with theft of NSA cyberweapons Sheet.573 Sheet.575 Rectangle.66 Rectangle.67 Rectangle.68 Rectangle.69 Sheet.580 Best Practices of the HIPAA and the PCI: 1) Encrypt Data in M... Best Practices of the HIPAA and the PCI: 1) Encrypt Data in Motion 2) Encrypt Data at Rest Database server.581 Sheet.582 Sheet.583 Sheet.584 Person - torso.585 Sheet.586 Sheet.587 Sheet.588 Sheet.589 Sheet.590 Sheet.591 Sheet.592 Sheet.593 Dynamic connector.594 SSL/TLS Connection SSL/TLS Connection Terminal.595 Sheet.596 Sheet.597 Sheet.598 Application server.599 Sheet.600 Sheet.601 Sheet.602 Sheet.603 Sheet.604 Dynamic connector.605 Sheet.606 Filling out a company health insurance enrollment form at work Filling out a company health insurance enrollment form at work Sheet.607 Health insurance enrollment website Health insurance enrollment website Sheet.608 Straightforward health insurance enrollment over the Web - Wi... Straightforward health insurance enrollment over the Web - With Encrypted Payload Sheet.609 Leak #2! The company uses an SSL Proxy for deep-packet inspec... Leak #2! The company uses an SSL Proxy for deep-packet inspection at part of their Data Loss Prevention Switch.610 Sheet.611 Sheet.612 Sheet.613 Sheet.614 Slate Device.615 Sheet.616 Sheet.617 Sheet.618 Sheet.619 Sheet.620 Leak #1! The user has an anti-virus that uses its own signing... Leak #1! The user has an anti-virus that uses its own signing certificate to scan all web traffic Dynamic connector.621 Dynamic connector.622 Revision cloud.623 Sheet.624 Leak #3! The company’s ISP uses an SSL Proxy for bandwidth co... Leak #3! The company’s ISP uses an SSL Proxy for bandwidth compression … and for advertising Revision cloud.625 Sheet.626 Leak #4! The health insurance company uses a Content Distribu... Leak #4! The health insurance company uses a Content Distribution Network for fast, regional communications. The Flexible SSL plan was the cheapest option Certificate server.627 Sheet.628 Sheet.629 Sheet.630 Sheet.631 Sheet.632 Sheet.633 Leak #5! The hosting provider uses a load balancer/SSL accele... Leak #5! The hosting provider uses a load balancer/SSL accelerator. The connection is now plain text from here on the database Dynamic connector.634 Switch.635 Sheet.636 Sheet.637 Sheet.638 Sheet.639 Sheet.640 Leak #6! The hosting data center uses virtual local area netw... Leak #6! The hosting data center uses virtual local area networks, with spanning ports for diagnostics Sheet.641 Leak #7! The health insurance website is hosted in a virtual ... Leak #7! The health insurance website is hosted in a virtual machine Sheet.642 Encrypted Payloads! Encrypted Payloads! Sheet.650 We Now Have the Tools: Single Page Applications Crypto Object... We Now Have the Tools: · Single Page Applications · Crypto Object in the Browser Document Object Model (DOM) · Elliptical Curve Cryptography · Ephemeral Diffie-Hellman Key Exchange · Libsodium Sheet.652 Sheet.653 Sheet.654 Sheet.655 Sheet.659 "NO" sign Sheet.661 Sheet.662 "NO" sign.665 Sheet.666 Sheet.667 "NO" sign.668 Sheet.669 Sheet.670 "NO" sign.674 Sheet.675 Sheet.676 "NO" sign.677 Sheet.678 Sheet.679 "NO" sign.680 Sheet.681 Sheet.682 "NO" sign.683 Sheet.684 Sheet.685 "NO" sign.686 Sheet.687 Sheet.688 Sheet.1232 Sheet.1233 Sheet.1234 Sheet.1235 Sheet.1236 Sheet.1237 Microsoft SQL Server 2016 Microsoft SQL Server 2016 Sheet.1238 Sheet.1239 Rectangle Sheet.1241 Sheet.1242 Proxy Re-Encryption – Enables Sending Encrypted Information O... Proxy Re-Encryption Enables Sending Encrypted Information Out of the Cloud Without Ever Exposing Plain Text Sheet.1246 Sheet.1247 Copies of the slides and the talking points may be downloaded... Copies of the slides and the talking points may be downloaded from the Formularity website: https://formularity.com Sheet.1248 Flexible Arrow Data Data Database Sheet.1251 Data Data Sheet.1252 {?} {?} Sheet.1253 Stop Lying to Your Customers - The Cloud is Neither Private o... Stop Lying to Your Customers - The Cloud is Neither Private or Secure or (What Your Customers Need to Do for Privacy and Security and How You Can Help Them) James BradWhitehead Chief Scientist Formularity USENIX LISA 2016 Presentation Sheet.1255 Database server.1256 Sheet.1257 Sheet.1258 Sheet.1259 Person - torso.1260 Sheet.1261 Sheet.1262 Sheet.1263 Sheet.1264 Sheet.1265 Sheet.1266 Sheet.1267 Sheet.1268 Dynamic connector.1269 SSL/TLS Connection SSL/TLS Connection Terminal.1270 Sheet.1271 Sheet.1272 Sheet.1273 Application server.1274 Sheet.1275 Sheet.1276 Sheet.1277 Sheet.1278 Sheet.1279 Dynamic connector.1280 Sheet.1281 Filling out a company health insurance enrollment form at work Filling out a company health insurance enrollment form at work Sheet.1282 Health insurance enrollment website Health insurance enrollment website Sheet.1283 Straightforward health insurance enrollment over the Web Straightforward health insurance enrollment over the Web Sheet.1284 Leak #2! The company uses an SSL Proxy for deep-packet inspec... Leak #2! The company uses an SSL Proxy for deep-packet inspection at part of their Data Loss Prevention Switch.1285 Sheet.1286 Sheet.1287 Sheet.1288 Sheet.1289 Slate Device.1290 Sheet.1291 Sheet.1292 Sheet.1293 Sheet.1294 Sheet.1295 Leak #1! The user has an anti-virus that uses its own signing... Leak #1! The user has an anti-virus that uses its own signing certificate to scan all web traffic Dynamic connector.1296 Dynamic connector.1297
1
  1. Title Slide
  2. Working Definition
  3. Safe Harbor
  4. Inquirying Minds
  5. Simple Enrollment
  6. Leak 1
  7. AV Cert
  8. Leak 2
  9. Leak 3
  10. Leak 4
  11. Cloudflare
  12. Leak 5
  13. SSL Accelerator
  14. Leak 6
  15. Spanner Port
  16. Leak 7
  17. VMs
  18. Rowhammer
  19. Hostile Environment
  20. Spying
  21. SysAdmin
  22. Insider Threat
  23. NSA
  24. ShadowBroker
  25. Inquiry revisited
  26. ColumnEncrypted
  27. TablespaceEncrypted
  28. Encrypted Payload
  29. Solves the Problem
  30. We have the Technology!
  31. Still Need SSL
  32. Homomorphic Encryption
  33. Homomorphic Encryption Definition
  34. CryptDB
  35. Always Encrypted
  36. Proxy Re-Encryption
  37. Closing