Enterprise Key and Crypto Management: SafeNet KeySecure & DataSecure
Yves Van Tongerloo, Regional Sales Manager Belgium and Luxembourg, [email protected]
Jan 12, 2015
What We Do
SafeNet delivers comprehensive data protection solutions for persistent protection of high-value information.
Where We Are
A global footprint: 1600+ employees across 25 countries
Who we are
SafeNet: Key facts
We protect the most money that moves in the world: $1 trillion daily
We protect the most digital identities in the world (+35 million identities)
We protect the most classified information in the world
FOUNDED: 1983
REVENUE: +450m
EMPLOYEES: +1,600 in 26 countries, > 550 crypto engineers
OWNERSHIP: Private
GLOBAL FOOTPRINT: +25,000 customers in 100 countries
ACCREDITED: Products certified to the highest security standard, over 130 FIPS certificates
Recognised by Gartner as the Leader for Authentication
Sensitive Data is Everywhere. So are we.
SafeNet Crypto Foundation (diagram)
DataSecure / KeySecure: Enterprise Crypto Management (SNMP, NTP, SYSLOG)
ProtectV: Cloud & Virtual DataCenters
ProtectApp: Web/Application Servers
ProtectDB: Databases
Tokenization Manager: Application Servers
ProtectV – Data Protection for the Physical and Virtual DataCenter and the Cloud
ProtectV: Throughout the Data Lifecycle
1. Power On: every day that you power on VMs or start up a server, ProtectV makes it efficient, fast, and automated
2. Start: you must be authenticated and authorized to launch
3. Daily Operations: all data and VMs/servers are encrypted
4. Snapshot/image: every copy of a VM in storage or backup is encrypted
5. Delete: every time you delete a key, it “digitally shreds” the data, rendering all copies of VMs inaccessible
Anatomy of Securing Your Data in the Physical/Virtual or Cloud Environment
1. ProtectV Client: installed on your VMs or your servers in your datacenter.
2. ProtectV Manager: a virtual machine that runs as a VM in a VMware environment.
3. KeySecure/DataSecure: a hardened, tamper-resistant, high-assurance enterprise key management solution on a hardware or virtualized platform.
Diagram elements: Protected Virtual Machines, Protected Volumes, Hypervisor, Storage, Protected on-premise servers in the physical datacenter.
ProtectV: How It Works
Components: ProtectV Manager, ProtectV Client, KeySecure
1. Select machines with sensitive data
2. Centrally set and apply security policies
3. Tell client machines to encrypt data with the right key
4. Authenticate before the VM is launched
5. Clients get the encrypt command and key, and start encrypting the data!
© SafeNet Confidential and Proprietary
SafeNet ProtectV on Instances
Cloud/Virtual Servers, Cloud/Virtual Storage
Encrypted Instance:
• AES 256
• Pre-Launch Authentication
• Policy + Key Management
• Protected Volumes
ProtectV Protection:
• OS does not boot without authentication
• Entire instance encrypted, protecting the OS
• Attached volumes encrypted
• Supports thin provisioning, critical to cloud
• Encrypts all data written to disk
• Central key management for strong control
• Resists brute-force attacks on keys
• Supports protected snapshots
ProtectV and Scaling in Large Environments
Cloud APIs and Web Services
• Authentication automation
• Bulk operations
Centralized Management
SafeNet ProtectV Manager
• Provides centralized management
• Supports either customer-premise or cloud deployments
• Manages and coordinates ProtectV security
• Open APIs to cloud management
SafeNet KeySecure/DataSecure (on premise)
• Centralizes key management for persistence and flexibility
• Secure key creation and storage
• Key archiving and shredding
• Easy integration with ProtectV Manager
ProtectV Deployment Scenario
Private and public cloud, with on-premise components:
• ProtectV Manager (High Availability)
• Enterprise Key Manager (High Availability)
ProtectV Solution Components:
• ProtectV Client
• ProtectV Manager
• Enterprise Key Manager
Database Encryption with ProtectDB
Crypto Service Level Encryption
• Encrypt only sensitive columns
• DML transparent
• Not necessarily DDL transparent
Layers (diagram): APP LAYER and OS LAYER on the App Server; OS LAYER and DB LAYER on the DB Server, where external procedures (Ext. Procs) call the CryptoService of SafeNet ProtectDB, backed by DataSecure.
+ SafeNet enhancements: keys in hardware, millions of keys, key migration, audit trail, LDAP & MS-AD integration
ProtectDB
• Column based: encryption only where needed
• Supports heterogeneous DB environments
• Encryption offload from the DB server
• PCI-DSS compliance supported
• Supports key migration process
• Oracle domain index can be used
• Oracle RAC configuration supported
• Per instance max. ~2500 Enc Ops under real DB runtime conditions
• Supported data types: BFILE, BLOB, CHAR, CLOB, DATE, DECIMAL, LONG, LONG RAW, NCHAR, NUMBER, NUMERIC, NVARCHAR2, VARCHAR, VARCHAR2
• Mostly DML transparent
• Not DDL transparent
ProtectDB in Action (diagram)
Users Tom and Bob query through the Web Server / Application Server; the database field is encrypted with Key X and stored as 0xEED95…
Tom can access Key X, so his query returns the plaintext 12345678.
Bob cannot access Key X, so his request is refused (X).
DataSecure holds Key X.
ProtectDB – Database Migration Summary

Before Migration: CUSTOMER
Name            Account  SSN       Address          City
Irwin Fletcher  000234   12345678  411 Main Street  Santa Barbara
Josh Ritter     000115   11112222  1801 21st Ave    San Francisco

After Migration: CUSTOMER_ENCRYPTED
Name            Account  SSN   Address          City           SSN_NEW
Irwin Fletcher  000234   NULL  411 Main Street  Santa Barbara  0xEED95DB7751…
Josh Ritter     000115   NULL  1801 21st Ave    San Francisco  0x21010B370F87…

After Migration: CUSTOMER (View)
Name            Account  SSN       Address          City
Irwin Fletcher  000234   12345678  411 Main Street  Santa Barbara
Josh Ritter     000115   11112222  1801 21st Ave    San Francisco
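The migration on this slide, carried through in code as an added example (this is not SafeNet's ProtectDB code). SQLite stands in for the database, an in-memory KEY_STORE dict stands in for DataSecure, and a SHA-256 counter-mode keystream stands in for AES so that the block runs with the standard library only. The decrypt_ssn function registered on the connection models the earlier "Tom can access Key X, Bob cannot" slide: the view with the original table name keeps the application's query unchanged, and the plaintext only appears for a user allowed to use the key. All keys, user names and rows are constructed.

```python
import hashlib
import os
import sqlite3

# Constructed sample rows, modelled on the CUSTOMER table in the slide.
CUSTOMERS = [
    ("Irwin Fletcher", "000234", "12345678", "411 Main Street", "Santa Barbara"),
    ("Josh Ritter", "000115", "11112222", "1801 21st Ave", "San Francisco"),
]

# Hypothetical stand-in for DataSecure: key name -> (key bytes, users allowed to use it).
KEY_STORE = {"Key X": (b"\x01" * 32, {"tom"})}

NONCE_LEN = 8


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256: a teaching stand-in for AES, not for production."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Encrypt one column value; the fresh nonce is stored in front of the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt_field(key: bytes, blob: bytes) -> str:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


class ProtectedDatabase:
    """In-memory SQLite database holding the migrated schema from the slide."""

    def __init__(self, key_name: str = "Key X"):
        self.key_name = key_name
        self.current_user = None
        self.conn = sqlite3.connect(":memory:")
        # The view calls this function; it decrypts only if the current user may use the key.
        self.conn.create_function("decrypt_ssn", 1, self._decrypt_for_current_user)
        self._load_and_migrate()

    def _decrypt_for_current_user(self, blob):
        key, allowed = KEY_STORE[self.key_name]
        if blob is None or self.current_user not in allowed:
            return None  # no access to Key X: the SSN column reads as NULL
        return decrypt_field(key, blob)

    def _load_and_migrate(self):
        c = self.conn
        key, _ = KEY_STORE[self.key_name]
        # "Before migration": the plaintext SSN column.
        c.execute("CREATE TABLE CUSTOMER (Name TEXT, Account TEXT, SSN TEXT, Address TEXT, City TEXT)")
        c.executemany("INSERT INTO CUSTOMER VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
        # Migration: add SSN_NEW, fill it with ciphertext, null the plaintext, rename the table.
        c.execute("ALTER TABLE CUSTOMER ADD COLUMN SSN_NEW BLOB")
        for rowid, ssn in c.execute("SELECT rowid, SSN FROM CUSTOMER").fetchall():
            c.execute("UPDATE CUSTOMER SET SSN_NEW = ?, SSN = NULL WHERE rowid = ?",
                      (encrypt_field(key, ssn), rowid))
        c.execute("ALTER TABLE CUSTOMER RENAME TO CUSTOMER_ENCRYPTED")
        # "After migration": a view with the original name keeps application DML transparent.
        c.execute("""CREATE VIEW CUSTOMER AS
                     SELECT Name, Account, decrypt_ssn(SSN_NEW) AS SSN, Address, City
                     FROM CUSTOMER_ENCRYPTED""")
        c.commit()

    def query_ssns(self, user: str) -> list:
        """Run the application's unchanged query against the view as the given user."""
        self.current_user = user
        return [row[0] for row in self.conn.execute("SELECT SSN FROM CUSTOMER ORDER BY Account")]

    def stored_ssn_columns(self) -> list:
        """What a DBA sees in the underlying table: plaintext NULL, only ciphertext remains."""
        return self.conn.execute(
            "SELECT SSN, SSN_NEW FROM CUSTOMER_ENCRYPTED ORDER BY Account").fetchall()


if __name__ == "__main__":
    db = ProtectedDatabase()
    print("Tom:", db.query_ssns("tom"))
    print("Bob:", db.query_ssns("bob"))
    for ssn, blob in db.stored_ssn_columns():
        print("stored:", ssn, "0x" + blob.hex()[:14] + "...")
```

The DBA-facing table never contains a plaintext SSN after the migration, and a DDL change (for example a new query that filters on SSN) still has to go through the view, which is why the slides call ProtectDB DML transparent but not DDL transparent.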
Data Encryption with ProtectApp
Application Level Encryption
• Addresses a wide range of confidentiality threats
• Granular encryption control
• Not application transparent
Layers (diagram): APP LAYER and OS LAYER on the App Server, where the application calls the Crypto API / CryptoService of SafeNet ProtectApp (encrypt, decrypt), backed by DataSecure; OS LAYER and DB LAYER on the DB Server.
+ SafeNet enhancements: keys in hardware, millions of keys, versioned keys, audit trail, LDAP & MS-AD integration
ProtectApp
• Focuses on application development in C/C++/C#, .NET, Java
• User authentication against DataSecure (with MS-AD, LDAP)
• Supports versioned keys and re-encryption
• Full logging/auditing on client and DataSecure
• Bulk enc/dec calls
ProtectApp in Action (diagram)
Users Tom and Bob query through the Web Server / Application Server; the database field is encrypted with Key X, so the database responds with the ciphertext 0xEED95…
Tom can access Key X, so the application decrypts the response to 12345678.
Bob cannot access Key X (X), so the value stays 0xEED95…
DataSecure holds Key X.
Supported Algorithms
Encryption and Decryption with Symmetric Keys
• AES
• DES
• DESede (triple DES)
• SEED
• RC4
Encryption and Decryption with Asymmetric Keys
• RSA
Message Authentication Codes (MACs)
• HMAC-SHA1
• HMAC-SHA256
• HMAC-SHA384
• HMAC-SHA512
Digital Signatures
• RSA
Format Preserving Tokenization
Tokenization with Encryption
• Replace sensitive data with a non-sensitive token
• Reduces audit scope drastically
• Only small pieces of data (CC nums, PANs, etc.)
Layers (diagram): APP LAYER and OS LAYER on the App Server, where the application calls the TokenManager of SafeNet Tokenization, which uses the CryptoService (enc, dec) backed by DataSecure and a Token DB (store, retrieve); OS LAYER and DB LAYER on the DB Server.
+ SafeNet enhancements: keys in hardware, millions of keys, key migration, audit trail, LDAP & MS-AD integration
Tokenization in Action (diagram)
The Customer sends the PAN (sensitive information, clear) to the Application Server.
The Application Server sends the PAN to the Tokenization Manager and receives a Token back.
The Tokenization Manager computes the Hash and Enc(PAN) with DataSecure and stores {Hash, Token, Enc(PAN)} in the Token Vault Database.
The Application Server stores the Token (sensitive information replaced by the token) in its Database and passes it on to Other Systems.
Deploying SafeNet Tokenization Manager
Tokenization
• Applicable for small pieces of data (SSN, PANs, CC nums)
• Some integration work needed (with API or Web service)
• No changes to existing databases or 3rd-party applications
• Token preserves the original data format and fits into the original field
• Made for PCI-DSS compliance
• Reduces the scope of audits
• Bulk tokenization
• Luhn check
Token Format
Data format and representation can be preserved.
Tokens may be generated using a variety of formats:
• Random
• Sequential
• Last_Four
• First_Six
• First_Two_Last_Four
• First_Six_Last_Four
• Fixed_Nineteen
• Fixed_Twenty_Last_Four
Or, the token format can be user-defined via regex.
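The token vault from the "Tokenization in Action" slide together with the token formats listed above, as an added example (not SafeNet Tokenization Manager code). The vault row is the slide's {Hash, Token, Enc(PAN)}; the keyed hash is the lookup index, the token is what the application stores, and Enc(PAN) is what detokenization returns. Assumptions: the two keys are constructed stand-ins for keys held in DataSecure, the cipher is a one-block SHA-256 keystream standing in for AES, the Luhn check is applied to the incoming PAN before tokenizing, and a user-defined regex format is applied as an acceptance filter on candidate tokens. The PAN values are well-known test card numbers, not real accounts.

```python
import hashlib
import hmac
import os
import re
import secrets
import string

# Hypothetical stand-ins for keys held in DataSecure (constructed values).
HASH_KEY = b"\x02" * 32   # keyed hash used as the vault lookup index
ENC_KEY = b"\x03" * 32    # key for Enc(PAN)

NONCE_LEN = 8


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation, run on a PAN before it is tokenized."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _random_digits(k: int) -> str:
    return "".join(secrets.choice(string.digits) for _ in range(k))


def make_token(pan: str, fmt: str, counter: int) -> str:
    """Build one candidate token in one of the named formats from the slide."""
    n = len(pan)
    if fmt == "Random":
        return _random_digits(n)
    if fmt == "Sequential":
        return str(counter).zfill(n)[-n:]
    if fmt == "Last_Four":
        return _random_digits(n - 4) + pan[-4:]
    if fmt == "First_Six":
        return pan[:6] + _random_digits(n - 6)
    if fmt == "First_Two_Last_Four":
        return pan[:2] + _random_digits(n - 6) + pan[-4:]
    if fmt == "First_Six_Last_Four":
        return pan[:6] + _random_digits(n - 10) + pan[-4:]
    if fmt == "Fixed_Nineteen":
        return _random_digits(19)
    if fmt == "Fixed_Twenty_Last_Four":
        return _random_digits(16) + pan[-4:]
    raise ValueError(f"unknown token format {fmt}")


class TokenVault:
    """In-memory token vault holding {Hash, Token, Enc(PAN)} rows as on the slide."""

    def __init__(self):
        self.by_hash = {}    # Hash -> (Token, Enc(PAN))
        self.by_token = {}   # Token -> Hash
        self.counter = 0     # for Sequential tokens

    @staticmethod
    def _hash(pan: str) -> str:
        # Keyed hash: a plain digest of a 16-digit PAN would be cheap to brute-force from the vault.
        return hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _enc(pan: str) -> bytes:
        # Teaching stand-in for AES: nonce-derived keystream XORed over the PAN (PAN <= 32 bytes).
        nonce = os.urandom(NONCE_LEN)
        ks = hashlib.sha256(ENC_KEY + nonce).digest()
        return nonce + bytes(a ^ b for a, b in zip(pan.encode(), ks))

    @staticmethod
    def _dec(blob: bytes) -> str:
        ks = hashlib.sha256(ENC_KEY + blob[:NONCE_LEN]).digest()
        return bytes(a ^ b for a, b in zip(blob[NONCE_LEN:], ks)).decode()

    def tokenize(self, pan: str, fmt: str = "First_Six_Last_Four", pattern=None) -> str:
        """Return the token for a PAN, minting one if the PAN is new; pattern is an optional regex."""
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("input does not pass the Luhn check")
        h = self._hash(pan)
        if h in self.by_hash:              # the same PAN always maps to the same token
            return self.by_hash[h][0]
        while True:
            self.counter += 1
            token = make_token(pan, fmt, self.counter)
            if token == pan or token in self.by_token:
                continue                   # never hand out the PAN itself or reuse a token
            if pattern is None or re.fullmatch(pattern, token):
                break
        self.by_hash[h] = (token, self._enc(pan))
        self.by_token[token] = h
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN for a token; only systems entitled to clear PANs should reach this."""
        h = self.by_token[token]
        return self._dec(self.by_hash[h][1])


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"               # well-known test card number, constructed input
    token = vault.tokenize(pan)
    print(pan, "->", token, "->", vault.detokenize(token))
```

Because the token keeps the PAN's length and digit set, it fits the original column and passes through existing applications unchanged; everything outside the vault and the Tokenization Manager only ever handles tokens, which is what takes those systems out of PCI-DSS audit scope.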
Token Format Examples
Thank You!
SafeNet Universal Protection: Universal Data Protection from Data Center to Cloud