SafeNet - Data Protection Company


Virtual Info Conference, autumn 2011

SafeNet, Ondrej Valent
You can watch the video of this presentation at:


  1. SafeNet and NetApp Come Together: Next Gen Encryption and Enterprise Key Management. SafeNet and NetApp have teamed to provide an unparalleled combination of security and storage efficiency. Ondrej Valent, Regional Channel Sales Manager, SafeNet, Inc. | 14. 9. 2011. © SafeNet Confidential and Proprietary
  2. Agenda
     I. Introduction: Who is SafeNet; Why are we here today; NetApp + SafeNet relationship
     Overview of Products: StorageSecure Overview; Real world customer deployments
     Understanding and Architecting a Unified Key Management Strategy: KeySecure Overview; 8 Steps to Designing a Centralized Key Management Infrastructure
  3. Proven Leader. Trusted to Protect. SafeNet protects:
     > the most money that moves in the world: 80% of all electronic intra-bank transfers, $1 trillion a day
     > the most digital identities in the world: most PKI identities for governments and F-100 companies
     > the most high-value software in the world: 80 million hardware keys, more than any other vendor
     > the most classified information in the world: the largest deployment of government communications security
     Global footprint with more than 25,000 customers in 100 countries
  4. Data Protection – It’s in the Lifecycle. SafeNet persistently protects information at critical points in its lifecycle, empowering customers to efficiently adapt to change and act on opportunity.
     • Protecting the identities of users, applications, and servers
     • Securing the transactions they perform
     • Enabling data ownership and control by encrypting data when it is created, accessed, shared, stored, and moved
     • Encrypting the critical communication paths on which data travels
  5. SafeNet Data Protection Portfolio Summary (four product pillars)
     Data Encryption and Control – DataSecure, StorageSecure, KeySecure: World’s first and only unified platform that delivers intelligent data protection and control for ALL information assets.
     > Data-centric, persistent protection across data centers, endpoints, and into the cloud
     > Centralized policy, key management, logging, and auditing
     > Integrated perimeter data leakage prevention
     > Appliance-based, proven scalability, and high performance
     Communication Protection – High-Speed Network Encryption: SafeNet high-speed network encryptors combine the highest performance with the easiest integration and management.
     > Solutions for Ethernet, SONET up to 10Gb
     > Best-in-class Security Management Center
     > Zero bandwidth loss, low-latency encryption
     > Unparalleled leverage across classified and COTS communication protection (FIPS 140-2 Level 3)
     Identity Protection – Authentication: Offering the broadest range of authenticators, from smart cards and tokens to mobile phone auth, all managed from a single platform.
     > The industry’s only unified authentication platform offering customers the freedom to adapt to changing environments
     > The market leader in certificate-based token authentication
     > Unique technology offerings with client-less tokens, high-assurance solutions, and more
     Transaction and Identity Protection – HSM: The most secure, and easiest to integrate, application & transaction security solution for enterprise and government.
     > Market leader in enterprise-grade HSMs
     > Industry innovator in payment HSMs
     > Widest portfolio of platforms and solutions
     > Delivered over 75,000 HSMs, the most in the industry
     > Only leading HSM with the option of keys ALWAYS in Hardware
  6. From the Data Center to the Edge, to the Cloud: Solutions that Extend Trust and Control into Virtualized Environments (architecture diagram; labels recovered from the slide)
     Data Encryption & Control: ProtectDB (database), ProtectApp (application/web servers), ProtectFile (file servers), ProtectZ (mainframe), HSM (PKI infrastructure, certificate authority), KeySecure, DataSecure, StorageSecure, NetApp (NSE), Brocade (BES), FAS
     Endpoint Protection: ProtectFile, ProtectDrive, eSafe
     Communication Protection: High Speed Encryption
     Identity Protection: Authentication & Access Management
     Cloud Solutions: ProtectV Volume (secure cloud-based storage), ProtectV Instance (secure virtual instance control), HSM (secure cloud identities), DataSecure/ProtectApp/ProtectDB (secure cloud application data and transactions), HSE (secure cloud communications), Authentication & Access Management (secure authentication for cloud services)
  7. …So Why Are We Here? Why NetApp and SafeNet? Storage Leadership + Security Leadership:
     • Established market for DataFort and LKM; licensed Decru technology to SafeNet to build continued next-gen products
     • Introduce replacements for the EOA DataFort E-series and Lifetime Key Manager (LKM) appliances
     • Largest installed base of storage encryption appliances
     • Global security leader, proven data protection expertise
     • Standards-based KMIP KM platform: supports BES, NSE, heterogeneous environments
     • Established channel and sales organizations
     • Universal Storage encryption
     NetApp and SafeNet – the leaders in storage and security have joined forces to introduce the next generation of storage security and key management solutions.
  8. NetApp Security Offering (title only)
  9. (no text on slide)
  10. Now for the fun part…let’s get into the technology: Storage Encryption and Key Management
  11. Network-Based Storage Encryption: Compliant, Fast, Transparent, Cost Effective
     Meet Regulatory Requirements: • FIPS 140-2 Level 3 validation meets PCI, HIPAA, and government data security requirements for data at rest
     No Performance Impact: • Encrypt data at wire speeds • No impact to existing applications • No requirement for additional CPU overhead
     Ease of Installation: • Plug seamlessly into current IT environment • Realize zero downtime or disruption to workflow • No need for modifications to hosts, servers, applications, or forklift upgrades to storage
     Scalability: • As data grows, scale cost-effectively
  12. SafeNet Next Generation, Drop-in Upgrade for NetApp E-Series DataFort and LKM. StorageSecure is the industry’s only unified platform for securing data across the entire enterprise. StorageSecure integrates transparently into network-based file and block encryption (NAS and IP-SAN) environments, and protects stored data with high-speed encryption, strong access controls, authentication, and tamper-proof auditing:
     1 to 10 Gbps throughput; industry standard protocols; multiple 10GE interfaces; low latency, wire-speed encryption and decryption engine; clustering for high reliability and availability. KeySecure delivers enterprise-wide key management.
  13. StorageSecure—Typical Data Flow (diagram: cleartext data on the host side, StorageSecure in the data path, encrypted data on the storage side)
  14. StorageSecure Storage Encryption (diagram: clients/hosts write data through StorageSecure to storage and read it back; the storage holds Cryptainer1, Cryptainer2 and Cryptainer3)
     Features: Authentication/Storage VPN; AES-256 Encrypted; ACL Enforcement; Compartmentalization; IPSec*/SSL (NAS); Mitigates insider threats; Supports AD/NIS/LDAP; Information sharing; Crypto-signed logging*; Secure Key Management
     *deferred until release 1.1
  15. StorageSecure Advantages
     Transparent Deployment: no agents or application/database changes; native support for NFS, CIFS, iSCSI; transparent rekeying* enables zero downtime deployment
     Negligible Performance Impact: supports multi-gigabit line rate speeds; minimal latency (~150 microseconds) with ‘Cut-through Crypto’; tape: hardware-based compression before encryption
     Hardware-based Security: clear-text keys never leave secure hardware; stringent certification: FIPS 140-2 Level 3 compliant (validation in process); trusted by sensitive military, intelligence, banking customers
     Secure Enterprise-wide Key Management: simple, yet secure key sharing for availability and information sharing; KeySecure for automated enterprise-wide mgmt
     *Deferred to release 1.1
  16. StorageSecure for NAS environments (© 2008 NetApp. All rights reserved.)
  17. NAS Infrastructure Without StorageSecure (diagram: the storage admin and the backup admin both see cleartext data; ACLs are the only barrier)
     • Data accessible by default – need appropriate ACLs to deny access
     • Replicas, backups represent additional exposure points
     • Single factor admin authentication, inconsistent role separation (e.g., root, domain admin, super-user can access data)
     • Audit logs susceptible to tampering
     • Data ‘mixing’ concerns on consolidated storage
     • Data on old disks is easily accessible without sanitization
  18. NAS Infrastructure With StorageSecure (diagram: StorageSecure sits between the ACLs and the storage; the storage admin and the backup admin see only ciphertext; audit logs are kept)
     • ACL enforcement – second level ACLs on StorageSecure needed to allow access
     • Replicas, backups automatically secured – encryption keys provide single point of control
     • Dual factor admin authentication, fine grained role separation
     • Cryptographically signed audit logs capture admin actions, user access
     • Cryptographic data separation, even on shared physical disks
     • Data on old disks is secure without encryption keys
  19. Deployment Use Cases: StorageSecure on the Road
  20. StorageSecure Use Case Snapshot (conversation and its mapping)
     Use case 1 – Isolate Data in Multi-tenant Environments: Encryption-enabled separation of data in shared virtual environments
     Use case 2 – Protect Compliant Data (Maintain PCI Posture): Encrypt Data in Real-Time at the Point of Capture/Creation (customer example: World Leading Bank)
     Use case 3 – Protect Offline Data in Archives: Encrypt Data in Primary & Secondary Storage Before Writing to Tape
     Use case 4 – Destroy Data Securely or Repurpose Storage: Destroy Encryption Keys at Any Point of the Data Lifecycle
  21. StorageSecure Use Case #1: Data Isolation and Separation of Duties (diagram: Customer 1 (web, app, db) uses Cryptainer1; Customer 2 uses Cryptainer2; and/or Bank Office 1, Customer Support, uses Cryptainer3; Bank Office 2, Headquarters, uses Cryptainer4; StorageSecure sits in front of the NAS)
  22. StorageSecure Use Case #2: Protect Compliant Data (diagram: networked applications (web, app, db), mobile workers, corporate offices and military applications write through StorageSecure to NAS and to disk and tape storage, all encrypted). Address global data protection mandates: PCI-DSS, GLBA, SB1386, Basel II, DoD 5015.2, HIPAA, SEPA, SOX, etc.
  23. StorageSecure Use Case #3: Archival Protection (diagram: the same sources write through StorageSecure to primary storage (NAS) and on to secondary storage (NAS), encrypted at every stage)
  24. StorageSecure Use Case #4: Secure Data Destruction (diagram: the same sources write through StorageSecure to NAS and to disk and tape storage, encrypted; one storage element is labelled “Data in Danger”)
  25. Understanding and Architecting a Unified Key Management Strategy
  26. Customer Problem (environment: web/application servers, database servers, mainframes, file shares, storage, cloud/virtualization, laptops/desktops, “open” clients)
     “Pockets” of Encryption Domains: multi-vendor silo-ed systems; platform-specific solutions; fragmented policy and key management
     Operational Inefficiencies: “spreadsheet” key management; manual audit reviews
     Audit Deficiencies & Failures: regular key rotation; standards adherence (NIST 800-57, PCI-DSS, etc.)
  27. Requirements that Drive Key Management
     Regulations: • PCI, privacy regulations impose financial penalties • Proactive security measures have compelling ROI
     IP Protection: • Protect IP, digital assets from insider threat • Strengthen access controls
     Security Best Practices: • Consolidation and central management of keys across security silos • Strong authentication and admin role separation • Non-repudiable auditing • Secure data disposal
     Business Trends: • Controlled data access with outsourced IT, offshore development centers
  28. An Ideal Enterprise Key Manager (diagram: SafeNet KeySecure at the centre, serving application and web servers, databases, file servers, hardware, mainframes, laptop/mobile, handsets, backup media and storage)
     > Secure, Centralized Key Management
     > Data-centric Policy Management
     > Identity & Access Management
     > Visibility via Logging, Auditing, Reporting
  29. Best Practices for Enterprise Key Lifecycle Management
     Create: generate high entropy keys; cannot store clear text key in memory
     Attribute: assign permissions and key ownership to privileged users based on roles; allow key usage attributes to be modified (create/delete/rotate) by authenticated key owners
     Secure: secure keys by wrapping with secure keys
     Modify: automate key rotation and other critical functions
     Distribute: provide a secure method to distribute keys for high availability, and enable external authenticated clients to set and modify key attributes
     Expire: enable purge and delete key upon pre-set expiration based on policies
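To make the lifecycle steps on this slide concrete, here is a small Go model, added for this page rather than taken from the deck or from SafeNet's products: each cryptainer (the per-tenant compartments of the earlier slides) gets a data-encrypting key generated from the OS CSPRNG, stored only wrapped under a key-encrypting key, released only to its owner before expiry, and purged on destroy, which is what use case #4's "destroy encryption keys" amounts to. The names (Cryptainer, KeyManager, DEK, Destroy), the AES-256-GCM wrapping and the owner/expiry attributes are assumptions made for the illustration; they do not describe how KeySecure or StorageSecure implement these steps.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// Cryptainer is one compartment (illustrative model); its data-encrypting key
// (DEK) is stored only wrapped under the key-encrypting key, with owner/expiry.
type Cryptainer struct {
	Owner   string
	Wrapped []byte // AES-256-GCM under the KEK: 12-byte nonce || ciphertext(DEK)
	Expires time.Time
}
type KeyManager struct { // stands in for the appliance: the KEK never leaves it
	kek  cipher.AEAD
	keys map[string]*Cryptainer
}
// RandomKey draws 256 bits from the OS CSPRNG ("generate high entropy keys").
func RandomKey() []byte {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand.Read cannot return an error as of Go 1.24
	return k
}
func NewKeyManager() *KeyManager {
	block, _ := aes.NewCipher(RandomKey()) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	return &KeyManager{kek: aead, keys: map[string]*Cryptainer{}}
}
// Create generates a DEK and stores it only in wrapped form, nonce prefixed.
func (km *KeyManager) Create(name, owner string, ttl time.Duration) {
	nonce := RandomKey()[:12] // fresh random 96-bit GCM nonce
	wrapped := km.kek.Seal(nonce, nonce, RandomKey(), nil)
	km.keys[name] = &Cryptainer{owner, wrapped, time.Now().Add(ttl)}
}
// DEK releases the cleartext DEK only to its owner and before expiry (GCM also
// rejects a tampered blob); Destroy purges it, leaving its data unrecoverable.
func (km *KeyManager) DEK(name, caller string) ([]byte, error) {
	c, ok := km.keys[name]
	if !ok {
		return nil, errors.New("no such key: never created or destroyed")
	}
	if c.Owner != caller || time.Now().After(c.Expires) {
		return nil, errors.New("denied: caller is not the owner, or key expired")
	}
	return km.kek.Open(nil, c.Wrapped[:12], c.Wrapped[12:], nil)
}
func (km *KeyManager) Destroy(name string) { delete(km.keys, name) }
```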
  30. A Storage Infrastructure With and Without Secure Key Management and Encryption (diagram: security admin, networking/domain admin and storage admin, with cleartext versus encrypted data and audit logs)
     Without: gaps in authentication; inconsistent ACLs; insiders (admins) access data; backup/replica exposure; data exposed on old disks
     With: strong authentication; cryptographic ACLs, audit logs; insiders manage but can’t read; all data copies protected; data separation, secure disposal
  31. Introducing SafeNet KeySecure k460 – Enterprise Key Management
     Enterprise Key Management: centrally managed consolidation of keys; up to 1 million keys per cluster; secure key replication to multiple appliances
     High Assurance Level: Active-Active mode of clustering; redundant, hot-swappable hard drives & power
     Standards-based approach – OASIS KMIP (Key Management Interoperability Protocol): heterogeneous solutions, SFNT and non-SFNT devices, applications, databases, storage devices, SAN switches, tape libraries, HSM, network and endpoint devices, etc.
     Broadest Coverage in Industry: NAS – StorageSecure; SAN – Brocade Encryption Solutions (BES and FS8/18); KMIP support (NSE/FDE, Quantum Tape Library and other 3rd Party Support); Cloud-enabled
  32. 8 Steps to Designing a Centralized Key Management Infrastructure
  33. Key Management Design Flow Chart (eight boxes, in the order laid out on the slide): Define Admin Roles & Responsibilities; Define Security Goals; Discover Sensitive Data; Classify Data Locations; Map Data Movement and Use Cases; Define Data Restoration Use Cases; Align Policies to Business Processes; Document and Automate Lifecycle Mgmt
  34. In Summary… Next Generation Encryption and Key Management. KeySecure acts as a “Glue” for an effective data protection strategy. Wide coverage in Storage Encryption – NAS, SAN, DAS & Tape.
     Unified Key Manager for Storage, HSMs, ProtectV: Enterprise Key Mgmt for Heterogeneous Environments
     Robust, Standards-based Key Management: KMIP Compliant
     Streamlined, Simplified Key Lifecycle Mgmt: Centralized Platform
  35. Ondrej Valent, Regional Channel Sales Manager CEE, SafeNet, Inc. | 15. 9. 2011