This slide shows the breadth of our data protection solutions and how they follow the information. Worth noting, though, that it is the management and auditing information that needs to be centralised and consolidated – hence the ‘back again’ comment!
First, security needs to be considered as a strategic initiative from the top down, going beyond minimal compensating controls that merely meet compliance to a true competitive advantage. If an organization has safeguarded its customers’ data privacy and its intellectual property, then the reduced risk of bad press, competitive infiltration or other malicious activity lets it stay focused on its core competency instead of doing expensive, time-consuming damage control after a breach.

Additionally, defining protection policies that address the needs of the stakeholders and users with productivity in mind requires in-depth knowledge of the data: where is it, who needs access, and when? Next, you need to think like a criminal and know where your threats may come from; it is very possible it is someone sitting in the cubicle next to you. Now you can proactively take the steps necessary to protect your data throughout its lifecycle.
• Maintain control over as many data types as possible from a single platform to ease management, reduce risk, and improve proof of compliance.
• Create points of trust to eliminate points of vulnerability by using a platform that supports separation of duties for administrators and defines granular access policies by role.
• Leverage a hardened platform with the highest level of security for a commercial solution that offers flexibility for a heterogeneous environment.
• Consider a platform based on proven security standards versus proprietary or custom solutions that limit coverage and introduce gaps in security.
• Consider a platform that can support both encryption and tokenization methodologies.
• Pick a platform that supports best practices for lifecycle key management across as many data types as possible, and plan for key management across your enterprise.
• Select a solution that makes proof of compliance easy, whether you are subject to an audit or conducting a self-assessment.
While local mandates continue to expand to include more stringent requirements for data privacy and intellectual property protection, organizations looking to thrive in a global community should also consider worldwide compliance requirements. This is further evidence that data protection is taken very seriously across the globe.
With DataSecure at the heart, sensitive data is protected from the data center to the endpoints to the cloud – both structured and unstructured.
Heterogeneous Database Encryption: centralized access control and encryption for Oracle, Microsoft SQL Server, IBM DB2 and Teradata.
Granular Protection: protect an entire database or specific columns within the database in order to streamline transparent performance.
Proven Algorithms: achieve the highest level of database security by using proven cryptographic algorithms such as 3DES, DES and AES.
Broad Platform Support: offering centralized control across databases on Microsoft Windows, Linux, Solaris, HP-UX, AIX, or IBM z/OS environments; supports native encryption for key storage/management.
Heterogeneous Application Encryption: centralized access control and encryption for data in the application layer of solutions like ERP, HR and CRM (note: could require SI assistance with application customization experience).
Granular Protection: define thresholds of operation for privileged users in order to safeguard against malicious or negligent threats.
Proven Algorithms: achieve the highest level of application security by using proven cryptographic algorithms such as 3DES, DES, AES, RSA (signatures and encryption), RC4, SHA-1, SHA-2.
Broad Platform Support: offering centralized control for web and application servers from Oracle, IBM, BEA, IIS, Apache, Sun ONE, JBoss, SAP and platforms such as Microsoft Windows, Linux, and IBM z/OS.
Flexible uses: SafeNet ProtectZ software can be called from any programming language that follows IBM OS standards. The calling application can encrypt or decrypt any information and return it to the appropriate storage device. In addition to protecting production applications, you can use ProtectZ to facilitate testing of new applications, new software releases, or simply to improve data throughput.

Efficient encryption: DataSecure can help move large amounts of sensitive data in and out of data stores rapidly by encrypting or decrypting specific fields in bulk within flat files that can contain millions of records. By focusing on select fields, you can encrypt and decrypt data efficiently, in a fraction of the time that it might take for the entire file. DataSecure can also be used to encrypt entire binary files when you do not need field-level granularity.

Information secured: you chose your mainframe environment to deliver high levels of performance and reliability for your most important applications and data. By adopting SafeNet ProtectZ, you gain a robust security solution that matches the power of your mainframe environment.
Heterogeneous File Types: supports encryption for a wide variety of data types such as spreadsheets, documents, images, PDFs, and more.
Interoperability: Microsoft Windows Terminal Server, Offline Folder Synchronization, DFS (Distributed File System), Global Catalog, and Novell.
Granular Protection: secure at the file or folder level and establish rights for privileged users in order to safeguard against malicious or negligent threats.
Proven Algorithms: FIPS 140 Level 2 AES.
Broad Platform Support: offering support for Windows and Linux operating systems, Microsoft, Novell, Netware & Unix (Samba).
To move files into and out of C:\Encrypted Docs\ you will need to be a user with Encrypt & Decrypt access.
When logged in as a user with Backup & Restore Ciphertext access, the file can be opened but is scrambled. This user could run applications that back up important files without being able to read the sensitive information.
Log in as a user with No Access (in this case, any user other than the ones used in the previous examples); now the contents of the folder are not even visible.
In order to maintain ownership and control of your sensitive information throughout its lifecycle, SafeNet provides a centralized platform to define and syndicate protection policies by data type, by location, by role, and even by time of day. Now you can enforce who and what has access to which information, when and where. We are able to offer this control by leveraging standards like FIPS and KMIP for encryption and lifecycle key management with government-grade security.

Next, having visibility into how your policies are controlling your sensitive information means you can make continuous refinements for compliance and for growth as you adapt to the ever-changing business environment.

And finally, applying persistent protection to your sensitive data gives you the flexibility to extend protection beyond your data centers and endpoints into the cloud, driving further flexibility to manage costs, efficiencies and productivity.
• No single admin can compromise the system
• M of N – multiple credentials
• Split knowledge & dual control
(Maybe use the diagram from the Key Management WP.)
DataSecure offers lifecycle key management, from generate and rotate through to destroy, for all of the data types covered, including heterogeneous databases, applications and files. The access policies defined by role are enforced through key management, and the separation of duties required by most protection mandates is supported. Note: tape storage support today is via 3rd-party partners such as Unisys and SecurityFirst, and of course there is HP, which is more indirect.
Data Center protection focuses on the data stored in and accessed from databases, applications and file servers, enforcing protection with corporate-driven policies and access controls managed with DataSecure and the suite of ProtectDB, ProtectApp, ProtectFile…
SafeNet DataSecure platform
Technological leadership in protecting the information lifecycle
Marko Bobinac, PreSales Engineer Eastern EMEA
21.02.2012
The Data Protection Company
Protecting high value information in the world’s most complex environments
Solutions for persistently protecting information as it moves through its lifecycle
Protection that evolves with the customer needs
What We Do
You manage the world’s most sensitive, high-value data. Our mission is to protect it.
SafeNet Data Protection Product Portfolio
• Identities – Authentication: offering the broadest range of authenticators, from smart cards and tokens to mobile phone auth—all managed from a single platform
• Transactions – HSM: offering the most secure, and easiest to integrate, technology for securing PKI identities and transactions
• Data – Data Encryption and Control: SafeNet’s DataSecure – a universal platform delivering intelligent data protection and control for information assets
• Communications – High-Speed Network Encryption: SafeNet high-speed network encryptors combine the highest performance with a unified management platform
[Slide diagram: SafeNet product portfolio. Areas: Data Encryption & Control, Communication Protection, Cloud / External IT Solutions, Identity Protection. Products and components shown: ProtectDB (databases), ProtectFile (file servers), ProtectApp (application/web servers), ProtectZ (mainframe), KeySecure, SAM, HSM, DataSecure, PKI Infrastructure / Certificate Authority, Email Gateways, Web Gateways, Storage Encryption, Self Encrypting HDs, eSafe Endpoint Protection, Firewalls / SSL VPNs, High Speed Encryption, NAS, Authentication & Access Management, Secure Cloud Storage & Applications, HSE, Cryptographic Keys, Public and Private Cloud Infra Protection, Virtualized Application Security, SRM (Software Rights Management), SaaS Access to Cloud-Based Apps, Software as a Service.]
[Slide diagram: Cryptography as an IT Service. Components shown: KMIP Appliance, HSM Appliance, Virtual Appliance, DataSecure Virtual Instances, Protect V Manager, Authentication Manager, Storage Management Center, Protect Cloud & Virtual Infrastructure, High Speed Encryptors, Tokenization, Protect Identities, Protect Applications, Protect Data Centers (file servers, databases, mainframes, data transfer), Protect Storage Infrastructure (file shares, tape, backups, network storage, virtual storage), 3rd Party Technologies (certificate infrastructures, national IDs, AMI metering, e-signatures, e-passports).]
[Slide image: The Magic Quadrant for User Authentication, as of January 2012. Axes: Ability to execute / Completeness of vision. Quadrants: challengers, leaders, niche players, visionaries.]
DataSecure: The Foundation of Data Encryption & Control
Six Best Practices in Data Protection & Compliance
1. Security — Not Just Compliance
2. Define your Corporate Policies
3. Involve the Stakeholders
4. Know your Data
5. Understand your Threats
6. Determine where to Protect your Data
Seven Methodologies for Data Encryption & Control
1. Maintain Control Over Data Types
2. Create Points of Trust for Administration and Policy
3. Leverage a Secure, Hardened Platform for Heterogeneous Environments
4. Choose Standards-Based Security when Possible
5. Select a Flexible Platform for Encryption and Tokenization
6. Pick a Solution with Key Management Best Practices
7. Ensure Proof of Compliance is Easy
Worldwide Compliance Requirements
• Canadian Electronic Evidence Act
• PCI Data Security Standard (WW)
• CA SB1386 et al
• HIPAA (USA)
• FDA 21 CFR Part 11
• GLB Act
• Sarbanes-Oxley Act (USA)
• Basel II Capital Accord
• AIPA (Italy)
• NF Z 42-013 (France)
• EU Data Protection Directive
• Financial Services Authority (UK)
• UK Data Protection Act
• PCI (WW)
• GDPdU and GoBS (Germany)
• Electronic Ledger Storage Law (Japan)
• 11MEDIS-DC (Japan)
• Japan PIP Act
SafeNet Data Encryption & Control
Protecting sensitive data throughout its lifecycle... wherever it resides
In Data Centers
• Applications
• Databases
• File Servers
• Mainframes
On Endpoints
• Desktops
• Laptops
• Removable Media
In the Cloud
• Persistent, secured cloud storage for structured & unstructured data
[Diagram: DataSecure Platform with ProtectDB and Tokenization (databases), ProtectZ (mainframes), ProtectApp (web/app servers), ProtectFile (file servers), ProtectDrive (endpoints) and ProtectFile in the cloud]
DataSecure Platform
Appliance solution for:
• High-performance encryption
• Simplified cryptographic key and policy management
• Hardened Linux kernel
• FIPS and Common Criteria certified
• High Availability
Combined with connectors (software):
• Connectors for applications, databases, file servers, and stations.
• Secures the connection to the appliance (connection pooling, SSL).
Core Benefits of SafeNet DataSecure
Security: centralized encryption and key management; authentication, authorization, and auditing; hardware-based solution
Performance: high performance encryption offload; batch processing for massive amounts of data; local encryption capabilities
Flexibility: support for heterogeneous environments; support for open standards and APIs; range of enterprise deployment models
Manageability: simplified appliance-based approach; web management console; CLI (command line interface)
Availability: enterprise clustering and replication; load balancing, health checking, and failover; geographically distributed redundancy
Security
Centralized Policy Management
• Security administrators control data protection policy
• Keys created and stored in a single location
• Dual Administrative Control
• Separation of Duties
• Logging, Auditing and Alerts
FIPS & Common Criteria Certified Solution
• FIPS 140-2 Level 2 & CC EAL2 Certified
• Keys are stored in the appliance
• Different types of encryption available: AES, 3DES, RSA ...
• Certificate authority to manage its integrated SSL access
Authentication & Authorization
• Multi-factor authentication possible between DS <> db or application.
• Access control: granularity of crypto policy, by key, by schedule, etc.
• Support for LDAP
Performance
Encryption Offload
• Optimized, high-performance hardware
• Frees up database and application servers
• Latency less than 300 microseconds per request
Local Encryption Option
• Configurable for hardware offload or local encryption
Batch Processing
• Perform batch encrypts/decrypts for high performance
• More than 100k TPS
• Batch tools include: Transform Utility; ICAPI (SafeNet API protocol)
• Easy integration into existing applications
Perf. average: 15 minutes to encrypt 5,000,000 records of 16 octets (char) on MS SQL with x 1 i430 in AES256
Flexibility
Heterogeneous Environments
• Comprehensive enterprise solution
• Web, Application, Database, Mainframe or File Server
• Data Center or Distributed Environments
• Open Standards-based APIs, cryptographic protocols
Scalability
• Models with capacity from 2,500 TPS to 100,000 TPS
• Clustering further increases capacity and redundancy
• Licensing structure enables cost-effective build-out
Availability
Clustering
• Keys and policy are shared/replicated among DataSecures in a global cluster
Load Balancing
• Connector software can load balance across a group of appliances
• Multi-tier load balancing enables transparent fail over to alternate appliance(s)
[Diagram: DataSecure Cluster spanning Moscow and Saint Petersburg]
Positioning of the SafeNet DataSecure®
[Diagram: SafeNet DataSecure at the centre, with SafeNet ProtectApp and Tokenization (application and web servers), SafeNet ProtectDB (databases), ProtectZ (mainframes) and SafeNet ProtectFile (file servers)]
Scalable for growth
• Configurations to meet your needs — today and in the future
• Extend investment over data types as needed
• Scalable to address growth
ProtectDB Use Case
Use Case Steps
1. Cleartext values passed via database server to DataSecure
2. DataSecure returns encrypted values to the database server (encrypted value can be shared across the organization in other environments in a persistently encrypted format)
3. Transform Utility can be used to support high performance batch processing
Supported Databases
• Oracle, Microsoft SQL Server, IBM DB2 & Teradata
• Supports native database encryption key storage/management
Algorithms
• 3DES, DES, and AES
Supported Platforms
• Windows, Linux, Solaris, HP-UX, AIX, or IBM z/OS
[Diagram: CRM credit card value → database server → DataSecure → encrypted value stored in the database; Transform Utility for batch processing]
Database protection with native encryption
• Heterogeneous database environments – Oracle, MS SQL, IBM DB2…
• The information should not be visible to the DBA (accessible vs. visible)
• The cryptographic load often requires a hardware upgrade
• Transparent native encryption requires an upgrade of the software versions
• Access to the logs is not secure, and reading them is complex (unfiltered)
• Native platforms are not certified or "certifiable" (FIPS, CC)
• The cryptographic keys are used in a non-secure buffer
• The keys are not sequestered except with the use of an HSM, and then only for the master key
• Resources are not shared & the key rotation process is binding
ProtectApp Use Case
Use Case Steps
1. Cleartext value passed via application layer to DataSecure
2. DataSecure returns encrypted value
3. Encrypted value can be shared with heterogeneous applications & databases
Supported Web & Application Servers
• Oracle, IBM, BEA, IIS, Apache, Sun ONE, JBoss
Algorithms
• 3DES, DES, AES, RSA (signatures and encryption), RC4, SHA-1, SHA-2
Supported Platforms
• .NET, MSCAPI, PKCS#11, JCE, ICAPI, XML
• Windows, Linux, or IBM z/OS
[Diagram: E-Commerce application (Java or .NET) sends a cleartext value to DataSecure and receives the encrypted value, which is shared with the CRM application, ERP application and customer database]
ProtectZ Features for Database & Applications Running on IBM Mainframes
Granular Protection
• Retain ownership of data on IBM z/OS mainframes in databases and applications
Proven Algorithms
• Achieve the highest level of database and application security by using proven cryptographic algorithms combined with strong identity and access-policy protection, such as AES, DES and DESede
Broad Support
• Flexible support for APIs such as ICAPI & JCE; DataSecure application support for Cobol, RPG, assembler for environments such as CICS, TSO or batch, and data storage in DB2, IMS, VSAM, DASD
Data Type Support
• Coverage for data types such as BIGINT, CHAR, DATE, DECIMAL, INTEGER, SMALLINT, TIME, TIMESTAMP, and VARCHAR
ProtectFile for Servers Features
Use Case Steps
1. Document encrypted by DataSecure based on corporate policy
2. Protected file or folder stored on file server in data center
3. Only privileged users can access, view, modify, or delete protected files
Interoperability with
• RIS, SMS, Tivoli, TNG, Active Directory and multi-factor authenticators
Algorithms
• FIPS 140 Level 2 AES
Supported Platforms
• Windows and Linux operating systems, Microsoft, Novell, Netware & Unix (Samba)
[Diagram: network-attached file servers holding intellectual property, privileged users, DataSecure]
ProtectFile Sample Policies
• Create policies that align to lines of business
• Granular policies can be defined to control access to authorized users
Examples:
• Finance Managers – get full access to confidential financial spreadsheets.
• Outside Auditors – get access to sensitive files remotely and offline, but need to get re-authorized by IT every 30 days to regain access. (Policy can be configured based on any set amount of time.)
• IT Administrators – they get access to perform routine maintenance, but cannot see any files that have been encrypted (IT sees only cipher text).
• Call center reps can encrypt credit card numbers for phone orders.
• Customer contracts sent to the call center are saved to a shared file server by the Call Center reps, where they are automatically encrypted and strict access control is applied.
• Market analysts are able to access and share their competitive analysis on seasonal opportunities in the Finance folder, but only see cipher text if they try to click on the spreadsheet with analyst salary information.
Access Level – sample I: user with Encrypt & Decrypt permissions
Access Level – sample II: user with Backup & Restore Ciphertext permissions
Access Level – sample III: user with No Access permissions
Information preview: StorageSecure
• New appliance (March 2012) for protecting storage
• Supports any kind of NAS (CIFS, NFS)
• 1Gb/s - 10Gb/s of file encryption
• Transparent – works on the network layer
• Not a replacement for ProtectFile – the decision depends on what fits you best, as DataSecure offers a wider range of solutions!
Tokenization Manager Use Case
1. Sensitive data comes in through an application (payment application, backoffice support system, small enterprise market consumer)
2. Sensitive data is passed to Tokenization Manager
3. Tokenization encrypts the sensitive data, stores it and returns a token
4. Payment application passes tokens to Tokenization Manager to request the original data it needs for a bank transaction
5. Tokenization decrypts and returns sensitive data
6. PCI Auditor only needs to inspect the tokenized database and active applications
[Diagram: applications → Tokenization Manager ↔ DataSecure; PCI Auditor inspecting the tokenized database]
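As an added example (not SafeNet's code, and not how Tokenization Manager is implemented), the six steps above modelled in Python: the vault issues a random, format-preserving token, keeps the real value only in encrypted form, lets the payment-application role detokenize and gives the auditor role nothing but tokens. The HMAC-SHA256 keystream standing in for the appliance's AES, the role names and the rule that a token must fail the Luhn check are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed example of a tokenization vault. The keystream below is a
# stand-in for the appliance's AES (the standard library has no AES); the
# role names and the "token must fail Luhn" rule are assumptions.
VAULT_KEY = secrets.token_bytes(32)   # constructed; would live in DataSecure


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream (counter-mode style); self-inverse."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def luhn_ok(digits: str) -> bool:
    """Luhn check: real card numbers pass it, so tokens are chosen to fail it."""
    total = 0
    for idx, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if idx % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenizationManager:
    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}     # token -> (nonce, ciphertext); what the auditor sees
        self._index = {}     # HMAC(pan) -> token, so a repeated PAN reuses its token
        self.detokenize_roles = {"payment-application"}   # assumed policy

    def tokenize(self, pan: str) -> str:
        """Step 3: encrypt the value, store it, return a token (same length, last 4 kept)."""
        idx = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._index:
            return self._index[idx]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._vault and not luhn_ok(token):
                break
        nonce = secrets.token_bytes(16)
        self._vault[token] = (nonce, _keystream_xor(self._key, nonce, pan.encode()))
        self._index[idx] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Steps 4-5: only an authorised application gets the original value back."""
        if role not in self.detokenize_roles:
            raise PermissionError(f"role {role!r} may not detokenize")
        nonce, ct = self._vault[token]
        return _keystream_xor(self._key, nonce, ct).decode()

    def audit_view(self) -> list:
        """Step 6: the PCI auditor inspects tokens only; no cleartext, no key."""
        return sorted(self._vault)
```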
Maintain Ownership and Control with DataSecure
• Centralized tool to create granular protection policies and control who and what has access to sensitive data, when and where
• Standards-based encryption with the highest level of security in a commercial platform
• Logging, auditing and reporting capabilities provide visibility for enforcement, refinement and compliance
• Persistent protection as data moves within data centers, out to endpoints and into the cloud
Protection for different Data Types
Industry – Data types:
• Healthcare – Patient Records
• Financial Services – Account Info
• Retail – Credit Cards
• Manufacturing – Design Specs
• Energy – Land Surveys
• Government – Soc. Sec # / Tax ID
One platform to protect:
• Personal Identifiable Information
• Payment & Transactional Data
• Intellectual Property
• Non-public Information
[Diagram: DataSecure (key management, policy management, control, administration) over file servers, applications, databases and cloud]
DataSecure Supports Separation of Duties
DataSecure is the foundation of data encryption & control by securing a wide array of data types under one platform that:
• Provides tools for the security administration, enforcement, monitoring, and reporting of the data protection solution
• Establishes distinct roles so no single administrator can compromise the system
• Administration for key and policy management requiring “m of n” credentials
Key Management throughout Lifecycle
[Diagram: Oracle DB, SQL DB, DB2 DB, Tape, HR and storage, with roles Database Administrator, Legal Manager, Finance Manager, IT Manager, Storage Manager and Security Officer]
Generate, Certify, Backup, Activate, Deactivate, Rotate, Compromise, Destroy
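Added example (not SafeNet's code): a key record that walks the lifecycle operations on this slide and enforces the "m of n" administrator rule from the separation-of-duties slide, in Python. The allowed order of transitions, which operations require a quorum, and the administrator names are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed example: a managed key that only accepts lifecycle operations in a
# legal order and needs m distinct, known administrators to approve the two
# irreversible ones. The transition table and quorum rule are assumptions.

# operation -> (states it may be applied from, resulting state)
TRANSITIONS = {
    "certify":    ({"generated"}, "certified"),
    "backup":     ({"certified"}, "backed_up"),
    "activate":   ({"backed_up", "deactivated"}, "active"),
    "deactivate": ({"active"}, "deactivated"),
    "rotate":     ({"active"}, "deactivated"),      # old key retires; a successor is generated
    "compromise": ({"certified", "backed_up", "active", "deactivated"}, "compromised"),
    "destroy":    ({"deactivated", "compromised"}, "destroyed"),
}
QUORUM_OPS = {"compromise", "destroy"}   # irreversible: require m-of-n approvals


@dataclass
class ManagedKey:
    name: str
    admins: frozenset          # the n administrators who may approve
    m: int                     # approvals required for QUORUM_OPS
    state: str = "generated"   # constructing the record is the "Generate" step
    material: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    log: list = field(default_factory=list)   # audit trail: (op, new state, approvers)

    def apply(self, op: str, approvals=()) -> str:
        allowed_from, target = TRANSITIONS[op]
        if self.state not in allowed_from:
            raise ValueError(f"{op} not allowed from state {self.state}")
        if op in QUORUM_OPS:
            valid = set(approvals) & self.admins   # duplicates and unknown names do not count
            if len(valid) < self.m:
                raise PermissionError(f"{op} needs {self.m} of {len(self.admins)} admins, got {len(valid)}")
        if op == "destroy":
            self.material = b""   # zeroise; only the audit trail survives
        self.state = target
        self.log.append((op, self.state, tuple(sorted(set(approvals)))))
        return self.state

    def rotate(self) -> "ManagedKey":
        """Retire this key and return a fresh successor that starts the lifecycle over."""
        self.apply("rotate")
        return ManagedKey(self.name, self.admins, self.m)

    def fingerprint(self) -> str:
        """Identifier safe to put in logs; does not reveal the key material."""
        return hashlib.sha256(self.material).hexdigest()[:16]
```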
Summary
Data Center Protection
• Designed to secure all of the sensitive information that is stored in and accessed from enterprise data centers
• Protecting the structured data stored in databases, applications, and mainframe environments as well as the unstructured data kept in file servers
• With DataSecure driving central enforcement of corporate policies and access control
The Solution Suite Includes:
• ProtectDB
• ProtectApp
• ProtectZ
• ProtectFile
• Tokenization Manager
[Diagram: SafeNet DataSecure, scalable for growth, with SafeNet ProtectApp and Tokenization Manager (application and web servers), SafeNet ProtectDB (databases), SafeNet ProtectFile (file servers), SafeNet ProtectZ (mainframes) and SafeNet ProtectDrive (laptop)]
Unrivaled Customer Success with Some of the World’s Most Respected and Admired Companies
[Customer logo slide: Financial, Technology, Household Brands, Retail]
Thank you