SafeNet Enterprise Key and Crypto Management


Published on

With SafeNet, organizations can centrally, efficiently, and securely manage cryptographic keys and policies—across the key management lifecycle and throughout the enterprise. SafeNet's data center protection solutions are designed to secure all of the sensitive information that is stored in and accessed from enterprise data centers, including patient records, credit card information, social security numbers, and more.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • DataSecure ApplianceCentralizedpolicy- and cryptographickeymanagmentHigh-performance encryption Integrated management interfacesHardened Linux appliance FIPS and Common Criteria certifiedConnector Software Connects DataSecure capabilities to applications, databases, file servers, desktops/laptops, mainframes, network sharesLoad balancing, health checking, connection pooling , SSL
  • Column Encryption GuidelinesThe ability to encrypt a column depends on the relationship between the column and its table.Below is a list of roles that columns can play and their effect on encryption.• Identity column – Cannot be encrypted.• Primary key – Primary keys are dropped during migration. You must manually recreateprimary keys if you want to preserve the conditions established by the primary keys. If theprimary key is not referenced in a foreign key constraint, you should verify that the key is notreferenced implicitly as a foreign key before encrypting.• Foreign key – To encrypt a foreign key, you must manually drop the constraints prior to datamigration. After migration, you can re-establish them.• Indexed columns – Indexed columns can be encrypted, however, the sort order of theencrypted data will not be consistent with the sort order of the plaintext data.You should also evaluate the constraints placed on your columns, as these values may affect thedata migration process. Below is a list of constraints and their effect on encryption.• Join constraints – Confirm that the columns you are encrypting are not part of a joinconstraint. If you are encrypting a column that is part of a join constraint, you should encryptboth columns.• Unique constraints – When encrypting a column with a unique constraint, that constraint isdropped during the data migration process. If you want to retain the unique constraint afterencryption, you should manually recreate the unique constraint. You cannot use field-level IVson a column with unique constraints. Instead, you should choose one IV for the entire column.• Check constraint – To encrypt a column with a check constraint, you must drop the checkconstraint.Additional rules apply to the following topics:• Default values – Columns with a default value assigned to them cannot be encrypted. This isbecause the default constraint adds plaintext data to the column. Applications accessing thatdata then try to decrypt plaintext data, yielding unexpected results.• NULL values – NULL values are not encrypted by ProtectDB. If a migrated column containsNULL values, those values remain unencrypted in the resulting encrypted column. When adatabase query yields a NULL value, no cryptographic process is required, so ProtectDB doesnot interact with the DataSecure for that query.• Columns referenced in triggers on the table – These columns can be encrypted; however,all triggers on the table must be disabled before migration and re-enabled after the migration.• Encrypted columns – The columns that are currently encrypted cannot be encrypted.• Tables containing LONG or LONG RAW columns – If a table in an Oracle database contains acolumn of type LONG or LONG RAW, you can migrate data in that table; however, you cannotcreate views and triggers against this table, due to a limitation in Oracle. This is an importantconsideration if you want to automate subsequent insert, update, and select calls on theencrypted data.
  • SafeNet Enterprise Key and Crypto Management

    1. 1. 1 Enterprise Key and Crypto Management Safenet KeySecure & DataSecure Yves Van Tongerloo Regional Sales Manager Belgium and Luxembourg
    2. 2. 2 What We Do SafeNet delivers comprehensive data protection solutions for persistent protection of high value information.
    3. 3. 3 Where We Are A global footprint: 1600+ employees across 25 countries
    4. 4. 4 Who we are SafeNet: Key facts We protect the most money that moves in the world, $1 trillion daily We protect the most digital identities in the world. (+ 35 million identities) We protect the most classified information in the world FOUNDED 1983 REVENUE +450m EMPLOYEES +1,600 - 26 countries > 550 crypto engineers OWENERSHIP Private GLOBAL FOOTPRINT +25,000 Customers in 100 countries ACCREDITED Products certified to the highest security standard over 130 FIPS certificates Recognised by Gartner as the Leader for Authentication
    5. 5. 5 Sensitive Data is Everywhere. So are we.
    6. 6. 6 SafeNet Crypto Foundation Cloud & Virtual DataCenters ProtectV  SNMP, NTP, SYSLOG Web/Application Servers Databases ProtectApp Tokenization Manager DataSecure / KeySecure Enterprise Crypto Management ProtectDB Application Servers
    7. 7. 7 ProtectV – Data Protection for the Physical and Virtual DataCenter and the Cloud
    8. 8. 8 ProtectV: Throughout the Data Lifecycle Every day that you power on VMs or start up a server, ProtectV makes it efficient, fast, and automated You must be authenticated and authorized to launch All data and VMs/servers are encrypted Every time you delete a key, it ―digitally shreds‖ the data, rendering all copies of VMs inaccessible Every copy of VM in storage or backup is encrypted Power On Start Daily OperationsSnapshot/image Delete 1 2 34 5
    9. 9. 9 Anatomy of Securing Your Data in the Physical/Virtual or Cloud Environment KeySecure DataSecure3 ProtectV Manager2 ProtectV Client1 Protected Virtual Machines ProtectV Client is installed on your VMs or your servers in your datacenter. ProtectV Manager is a virtual machine that runs as a VM in a VMware environment. KeySecure/DataSecure is a hardened, tamper-resistant high-assurance enterprise key management solution in a hardware or virtualized platform Protected Volumes Hypervisor Storage Protected on-premise servers in physical datacenter
    10. 10. 10 ProtectV: How It Works © SafeNet Confidential and Proprietary Select machines with sensitive data Centrally set and apply security policies Tell client machines to encrypt data with the right key Authenticate before VM is launched Clients get the encrypt command and key— and start encrypting the data! ProtectV Manager ProtectV Client KeySecure
    11. 11. 11 SafeNet ProtectV on Instances Cloud/ Virtual Servers Cloud/ Virtual Storage Encrypted Instance •AES 256 • Pre-Launch Authentication • Policy + Key Management • Protected Volumes ProtectV Protection • OS does not boot without authentication • Entire instance encrypted, protecting OS • Attached volumes encrypted • Supports thin provisioning critical to cloud • Encrypt all data written to disk • Central Key Management for strong control • Resists brute-force attacks on keys • Supports protected snapshots
    12. 12. 12 ProtectV and Scaling in Large Environments Cloud APIs and Web Services • Authentication Automation • Bulk operations Centralized Management SafeNet ProtectV Manager • Provides centralized management • Supports either customer premise or cloud deployments • Manages and coordinates ProtectV Security • Open APIs to cloud management SafeNet KeySecure/DataSecure (on Premise) • Centralizes key management for persistence and flexibility • Secure key creation and storage • Key archiving and shredding • Easy integration with ProtectV Manager
    13. 13. 13 ProtectV Deployment Scenario Private Public On Premise ProtectV Manager (High Availability) Enterprise Key Manager (High Availability) ProtectV Solution Components: • ProtectV Client • ProtectV Manager • Enterprise Key Manager ProtectV Client
    14. 14. 14 DataBase Encryption with Protect DB
    15. 15. 15 Crypto Service Level Encryption  Encrypt only sensitive columns  DML transparent  Eventually not DDL transparent APP LAYER OS LAYER Crypto Service OS LAYER DB LAYER + Keys in Hardware, millions of keys, key migration, audit trail, LDAP & MS-AD integration App Server DB Server Ext. Procs DataSecure
    16. 16. 16 ProtectDB  Column based, encryption only where needed  Supports heterogeneous DB environments  Encryption offload from DB server  PCI-DSS compliancy supported  Supports key migration process  Oracle domain index can be used  Oracle RAC configuration supported  Per instance max. ~2500 Enc Ops under real DB runtime conditions  Supported data types: BFILE, BLOB, CHAR, CLOB, DATE, DECIMAL, LONG, LONG RAW, NCHAR, NUMBER, NUMERIC, NVARCHAR2, VARCHAR, VARCHAR2  Mostly DML transparent  Not DDL transparent
    17. 17. 17 ProtectDB in Action User Tom User Bob WebServer Application Server Database - field encrypted with Key X 12345678 0xEED95… query response 12345678 Tom can access Key X, Bob cannot X DataSecure
    18. 18. 18 ProtectDB – Database Migration Summary CUSTOMER Name Account SSN Address City Irwin Fletcher 000234 12345678 411 Main Street Santa Barbara Josh Ritter 000115 11112222 1801 21st Ave San Francisco CUSTOMER_ENCRYPTED Name Account SSN Address City SSN_NEW Irwin Fletcher 000234 NULL 411 Main Street Santa Barbara 0xEED95DB7751… Josh Ritter 000115 NULL 1801 21st Ave San Francisco 0x21010B370F87… CUSTOMER (View) Name Account SSN Address City Irwin Fletcher 000234 12345678 411 Main Street Santa Barbara Josh Ritter 000115 11112222 1801 21st Ave San Francisco
    19. 19. 19 Data Encryption with ProtectApp
    20. 20. 20 Application Level Encryption  Addresses wide range of confidentiality threats  Granular encryption control  Not application transparent APP LAYER OS LAYER Crypto Service Crypto API OS LAYER DB LAYER App Server DB Server + Keys in Hardware, millions of keys, versioned keys, audit trail, LDAP & MS-AD integration DataSecure
    21. 21. 21 ProtectApp  Focusses application development in C/C++/C#, .NET, Java  User auth against DataSecure (with MS-AD, LDAP)  Supports versioned keys and re-encryption  Full logging/auditing on client and DataSecure  Bulk enc/dec calls
    22. 22. 22 ProtectApp in Action User Tom User Bob WebServer Application Server 12345678 0xEED95… query Response 0xEED95… Tom can access Key X, Bob cannot Database - field encrypted with Key X X DataSecure
    23. 23. 23 Supported Algorithms Encryption and Decryption with Symmetric Keys • AES • DES • DESede (triple DES) • SEED • RC4 Encryption and Decryption with Asymmetric Keys • RSA Message Authentication Codes (MACs) • HMAC-SHA1 • HMAC-SHA256 • HMAC-SHA384 • HMAC-SHA512 Digital Signatures • RSA
    24. 24. 24 Format Preserving Tokenization
    25. 25. 25 Tokenization with Encryption  Replace sensitive data with non-sensitive token  Reduces audit scope drastically  Only small pieces of data (CCnums, PANs, etc.) APP LAYER OS LAYER OS LAYER DB LAYER + Keys in Hardware, millions of keys, key migration, audit trail, LDAP & MS-AD integration App Server DB Server Token Manager Crypto Service Token DB DataSecure
    26. 26. 26 Tokenization in Action Customer Token Vault Database {Hash,Token,Enc(PAN)} Tokenization Manager Application Server Sensitive Information (Token) Sensitive Information (Clear) PAN Token PAN Token Enc(PAN),Hash PAN Hash,Token,Enc(PAN) Token Other Systems Database DataSecure
    27. 27. 27 Deploying SafeNet Tokenization Manager
    28. 28. 28 Tokenization  Applicable for small pieces of data (SSN, PANs, CCnums)  Some integration work needed (with API or Web service)  No changes to existing databases, 3rd party applications  Token preserves original data format and fits into original field  Made for PCI-DSS compliancy   Reduces scope of audits  Bulk Tokenization  Luhn Check
    29. 29. 29 Token Format  Data format and representation can be preserved  Token’s may be generated using a variety of formats: Random First_Two_Last_Four Sequential First_Six_Last_Four Last_Four Fixed_Nineteen First_Six Fixed_Twenty_Last_Four  Or, token format can be user-defined vie Reg-Ex
    30. 30. 30 Token Format Examples
    31. 31. 31 Thank You! SafeNet Universal Protection Universal Data Protection from Data Center to Cloud