www.thalesesecurity.com
KEYNOTE: Encryption and Key Management
By Erol Dogan (Pre-Sales Consultant – ME)
2
Digital transformation is happening across all industries
3
SECURING DIGITAL TRANSFORMATION
4
Securing your digital transformation by encrypting everything
Structured and
unstructured data
at rest
In motion
and in use
Within and
across devices
Process, platforms
and environments
5
Securing your digital transformation with strong key management
High assurance certified key storage
Centrally manage keys and policies
Comprehensive API and protocol support
Role-based management and monitoring
6
Thales customers
Finance Technology Healthcare Payments
Government Energy Retail Manufacturing
www.thales-esecurity.com
High-Level Product Overview
8
Thales eSecurity product portfolio
Big data security
Tokenization with data masking
Application encryption
Transparent file & database encryption
Cloud encryption gateway
Batch data transformation
Key management as a Service (KMaaS)
Data protection hardware Data protection software
payShield: Payment HSM
Vormetric Data Security Manager
SafeNet HSE: Data in Motion Encryption
SafeNet Luna: General purpose HSM
9
HSMs Secure Things we Use Every Day!
10
Introducing SafeNet Luna HSM 7
Network HSM PCIe HSM
Best-in-Class Performance
Industry Leading Security
11
Performance
Approx. 10 times faster than Luna HSM 6
Improved Latency
Signing
Operation | Luna HSM 7 (tps) | Luna HSM 6 (tps)
RSA 2048 Sign | 10,000 | 1,200
ECC P256 Sign | > 20,000 | 2,000
Small packet encryption
Operation | Luna HSM 7 (tps) | Luna HSM 6 (tps)
AES-256 CBC | 20,000 | 3,900
AES-256 GCM | 19,000 | 3,600
12
payShield – the #1 selling payment HSM in the world
Proven, scalable payment system security
Card and mobile application support for all major card schemes
Secures over 80% of the world’s POS transactions
Reduces operating costs
Mobile Point of Sale (mPOS)
Transaction processing
Mobile provisioning
Host Card Emulation (HCE)
Card issuance
Point-to-point encryption (P2PE) protects payment data and reduces merchant PCI DSS scope
PIN block translation and card data validation to authorize transactions for any card scheme
Secure element key management and application personalization
Secure mobile contactless payments at the point of sale
Secure EMV card data preparation and PIN generation
13
The many places payShield is used
Mobile payment application registration and personalization (HCE)
Secure element key management
EMV card data preparation/personalization
PIN generation and distribution
PIN block translation
Validating card data and cryptograms
mPOS reader key management
Securing card data and PINs in transit (P2PE)
Transaction processing
Mobile provisioning
Card issuance
Mobile card acceptance
payShield
14
The Vormetric Data Security Platform
Enabling compliance, breach protection and secure digital transformation
A single scalable platform for data-at-rest security
Centralized policy and key management and easily expanded to new use cases for low TCO
Digital transformation security for data migrating to cloud, big data, and container environments
Transparent encryption
Application encryption
Encryption gateway
Tokenization and data masking
Key management
KMaaS
15
The many places Vormetric products are used
Transparent file encryption
Application-layer encryption
Tokenization
Static data masking
Dynamic data masking
Cloud storage encryption
Key management as a service
Privileged user access control
Access audit logging
Batch data encryption and tokenization
Orchestration and automation support
Secure key management
16
Vormetric Transparent Encryption - Granular Access Controls
Process and user aware file access policies
File access policies can be very granular. User access can be controlled by application, allowed operations, time and the file or resource they attempt to access.
Supports controls for users and groups from the System level as well as LDAP/AD, Hadoop and Container environments – Including Privileged users
Access Policy #1
User: HR-Group
App: ERP
Opp: Read Only
Time: Any
Resources: Any
Block access and log attempt
[Diagram: policy criteria]
Who: User, Application / Process
Operations: Read, Write, File permission, etc.
When: Time
Directory, File Type, File Name, Drive, Device/Disk
[Diagram: access requests to the HR ERP Directory]
Root User: Group: SystemAdmin; Process: Cat command; What: Read File; Time: 2PM 11/14/2014; Where: HR ERP Directory
Authorized User: Group: HR; App: ERP; What: Read File; Time: 2PM 11/14/2014; Where: HR ERP Directory
Unauthorized User: Group: Finance; App: IE 9.0; What: Read File; Time: 5pm 11/14/2014; Where: HR ERP Directory
Limit system (even Root!), Hadoop, storage, container and other administrators' access to data without impeding their work.
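A minimal model of the policy decision this slide describes, added here as an illustration; it is not Vormetric code. The path /data/hr_erp, the file names and the business-hours rule are constructed assumptions. It evaluates Access Policy #1 against the slide's three requests and goes one step further to show the time and resource criteria, where directory matching has to be done on normalised path components.

```python
import posixpath
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple

ANY: FrozenSet[str] = frozenset()  # an empty set stands for "Any" in a rule field


@dataclass(frozen=True)
class Request:
    label: str       # slide caption, kept only for the audit trail
    group: str
    process: str
    operation: str   # "read", "write", ...
    when: datetime
    path: str


@dataclass(frozen=True)
class Rule:
    groups: FrozenSet[str] = ANY
    processes: FrozenSet[str] = ANY
    operations: FrozenSet[str] = ANY
    window: Optional[Tuple[time, time]] = None  # None stands for "Time: Any"
    resource: str = "/"                         # "/" stands for "Resources: Any"

    def matches(self, req: Request) -> bool:
        if self.groups and req.group not in self.groups:
            return False
        if self.processes and req.process not in self.processes:
            return False
        if self.operations and req.operation not in self.operations:
            return False
        if self.window and not (self.window[0] <= req.when.time() <= self.window[1]):
            return False
        return under(self.resource, req.path)


def under(root: str, path: str) -> bool:
    """True if path lies inside root, compared on whole path components.

    Normalising first means '/data/hr_erp/../finance' is not treated as being
    inside '/data/hr_erp', and the trailing '/' in the prefix test keeps
    '/data/hr_erp_backup' from matching '/data/hr_erp'.
    """
    root_n, path_n = posixpath.normpath(root), posixpath.normpath(path)
    if root_n == "/":
        return path_n.startswith("/")
    return path_n == root_n or path_n.startswith(root_n + "/")


def evaluate(rules: List[Rule], req: Request, audit: List[str]) -> str:
    """First matching rule permits; anything else is blocked. Both are logged."""
    decision = "permit" if any(r.matches(req) for r in rules) else "deny"
    audit.append(
        f"{decision.upper()} {req.label}: group={req.group} process={req.process} "
        f"op={req.operation} path={req.path} time={req.when:%Y-%m-%d %H:%M}"
    )
    return decision


HR_DIR = "/data/hr_erp"  # constructed stand-in for the slide's "HR ERP Directory"

# Access Policy #1 from the slide: HR group, ERP application, read only,
# any time, any resource. Everything else is blocked and logged.
POLICY_1 = [Rule(groups=frozenset({"HR"}), processes=frozenset({"ERP"}),
                 operations=frozenset({"read"}))]

# Assumed tighter variant: same rule, limited to business hours and HR_DIR.
POLICY_SCOPED = [Rule(groups=frozenset({"HR"}), processes=frozenset({"ERP"}),
                      operations=frozenset({"read"}),
                      window=(time(8, 0), time(18, 0)), resource=HR_DIR)]

# The three requests shown on the slide (file name is constructed).
SLIDE_REQUESTS = [
    Request("Root User", "SystemAdmin", "cat", "read",
            datetime(2014, 11, 14, 14, 0), HR_DIR + "/payroll.db"),
    Request("Authorized User", "HR", "ERP", "read",
            datetime(2014, 11, 14, 14, 0), HR_DIR + "/payroll.db"),
    Request("Unauthorized User", "Finance", "IE 9.0", "read",
            datetime(2014, 11, 14, 17, 0), HR_DIR + "/payroll.db"),
]


def run_slide_requests() -> Tuple[List[str], List[str]]:
    audit: List[str] = []
    return [evaluate(POLICY_1, r, audit) for r in SLIDE_REQUESTS], audit


if __name__ == "__main__":
    decisions, audit = run_slide_requests()
    for line in audit:
        print(line)
```
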
17
Vormetric Transparent Encryption
[Diagram labels: User, Application, Database, File Systems, Volume Managers, Storage, Server; VTE Agent: Allow/Block, Encrypt/Decrypt; Approved Processes and Users: Clear Text ("John Smith, 401 Main Street"); Privileged Users (Cloud Admin, Storage Admin, etc.): Encrypted & Controlled; Big Data, Containers, Databases, Files, Cloud Storage; DSM: Vormetric Data Security Manager, virtual or physical appliance; Vormetric Security Intelligence: Logs to SIEM]
Transparently protects file system and/or volume data-at-rest
▌ No changes to applications or workflows required
▌ Encryption and Key Management – Lock down data
▌ Fine-grained access controls – Only decrypt data for authorized users and processes including system,
Active Directory/LDAP, container (OpenShift and Docker) and Hadoop users
▌ Detailed data access audit logs integrate easily with SIEM systems to detect attacks in process
18
Thales services
Accelerate deployments, learn best practices, and maximize return on your investment in data protection and security solutions
PKI professional services: Design, deploy and manage world-class PKIs
Custom cryptographic solutions: Leverage our knowledge to protect your customers
Product deployment: Complete important data protection projects quickly and correctly
Training & certification: Learn best practices
19
Thales – supporting a wide range of use cases
Customer use cases
Cloud security
Data security
IoT security
Payments
Code signing
PKI
Tokenization data masking
Digital signing
Key management
App encryption
Data encryption
Container security
Hardware security modules
20
Thales – securing your digital transformation
Trust and compliance
Advanced encryption
Strong key management
Global service & support

Two Become One Conference Keynote: Encryption and Key Management

  • 1. www.thalesesecurity.com KEYNOTE: Encryption and Key Management By Erol Dogan (Pre-Sales Consultant – ME)
  • 2. 2 Digital transformation is happening across all industries
  • 4. 4 Securing your digital transformation by encrypting everything Structured and unstructured data at rest In motion and in use Within and across devices Process, platforms and environments
  • 5. 5 Securing your digital transformation with strong key management High assurance certified key storage Centrally manage keys and policies Comprehensive API and protocol support Role-based management and monitoring
  • 6. 6 Thales customers Finance Technology Healthcare Payments Government Energy Retail Manufacturing
  • 8. 8 Thales eSecurity product portfolio Big data security Tokenization with data masking Application encryption Transparent file & database encryption Cloud encryption gateway Batch data transformation Key management as a Service KMaaS Data protection hardware Data protection software payShield Payment HSM Vormetric Data Security Manager SafeNet HSE Data in Motion Encryption SafeNet Luna General purpose HSM
  • 9. 9 HSMs Secure Things we Use Every Day!
  • 10. 10 Introducing SafeNet Luna HSM 7 Network HSM PCIe HSM Best-in-Class Performance Industry Leading Security
  • 11. 11 Performance Approx. 10 times faster than Luna HSM 6 Operation Luna HSM 7 tps Luna HSM 6 tps RSA 2048 Sign 10,000 1,200 ECC P256 Sign > 20,000 2,000 Improved Latency Operation Luna HSM 7 tps Luna HSM 6 tps AES-256 CBC 20,000 3,900 AES-256 GCM 19,000 3,600 Small packet encryption Signing
  • 12. payShield – the #1 selling payment HSM in the world. Proven, scalable payment system security; card and mobile application support for all major card schemes; secures over 80% of the world’s POS transactions; reduces operating costs. Mobile Point of Sale (mPOS); Transaction processing; Mobile provisioning; Host Card Emulation (HCE); Card issuance. Point-to-point encryption (P2PE) protects payment data and reduces merchant PCI DSS scope; PIN block translation and card data validation to authorize transactions for any card scheme; secure element key management and application personalization; secure mobile contactless payments at the point of sale; secure EMV card data preparation and PIN generation
  • 13. The many places payShield is used: mobile payment application registration and personalization (HCE); secure element key management; EMV card data preparation/personalization; PIN generation and distribution; PIN block translation; validating card data and cryptograms; mPOS reader key management; securing card data and PINs in transit (P2PE). Transaction processing; Mobile provisioning; Card issuance; Mobile card acceptance
  • 14. The Vormetric Data Security Platform: enabling compliance, breach protection and secure digital transformation. A single scalable platform for data-at-rest security; centralized policy and key management and easily expanded to new use cases for low TCO; digital transformation security for data migrating to cloud, big data, and container environments. Transparent encryption; Application encryption; Encryption gateway; Tokenization and data masking; Key management; KMaaS
  • 15. The many places Vormetric products are used: transparent file encryption; application-layer encryption; tokenization; static data masking; dynamic data masking; cloud storage encryption; key management as a service; privileged user access control; access audit logging; batch data encryption and tokenization; orchestration and automation support; secure key management
  • 16. Vormetric Transparent Encryption - Granular Access Controls: process and user aware file access policies. File access policies can be very granular. User access can be controlled by application, allowed operations, time and the file or resource they attempt to access. Supports controls for users and groups from the system level as well as LDAP/AD, Hadoop and container environments, including privileged users. Limit system (even Root!), Hadoop, storage, container and other administrators' access to data without impeding their work. Policy dimensions: Who (user, application/process); What (operations: read, write, file permission, etc.); When (time); Where (directory, file type, file name, drive, device/disk). Access Policy #1: User: HR-Group; App: ERP; Opp: Read Only; Time: Any; Resources: Any. Block access and log attempt. Example requests: Authorized User (Group: HR; App: ERP; What: Read File; Time: 2PM 11/14/2014; Where: HR ERP Directory); Root User (Group: SystemAdmin; Process: cat command; What: Read File; Time: 2PM 11/14/2014; Where: HR ERP Directory); Unauthorized User (Group: Finance; App: IE 9.0; What: Read File; Time: 5pm 11/14/2014; Where: HR ERP Directory)
  • 17. Vormetric Transparent Encryption: transparently protects file system and/or volume data-at-rest. No changes to applications or workflows required. Encryption and key management: lock down data. Fine-grained access controls: only decrypt data for authorized users and processes, including system, Active Directory/LDAP, container (OpenShift and Docker) and Hadoop users. Detailed data access audit logs integrate easily with SIEM systems to detect attacks in process. [Diagram labels: User, Application, Database, File Systems, Volume Managers, Storage, Server; VTE Agent (Allow/Block, Encrypt/Decrypt); Big Data, Containers, Databases, Files, Cloud Storage; Approved Processes and Users see Clear Text (John Smith, 401 Main Street); Privileged Users (Cloud Admin, Storage Admin, etc.) see Encrypted & Controlled data; DSM: Vormetric Data Security Manager, virtual or physical appliance; Vormetric Security Intelligence: Logs to SIEM]
  • 18. Thales services: accelerate deployments, learn best practices, and maximize return on your investment in data protection and security solutions. PKI professional services: design, deploy and manage world-class PKIs. Custom cryptographic solutions: leverage our knowledge to protect your customers. Product deployment: complete important data protection projects quickly and correctly. Training & certification: learn best practices
  • 19. Thales – supporting a wide range of use cases. Customer use cases: Cloud security; Data security; IoT security; Payments; Code signing; PKI; Tokenization data masking; Digital signing; Key management; App encryption; Data encryption; Container security; Hardware security modules
  • 20. Thales – securing your digital transformation: Trust and compliance; Advanced encryption; Strong key management; Global service & support

Editor's Notes

  1. Digital transformation of financial services: Financial service providers are changing their approach for interacting with consumers. Drive towards increased interaction, personalized service - anytime, anywhere. Transformation examples include: birth of digital banks (primary interaction through mobile devices); open APIs (access to financial institution consumer accounts and payment process applications; part of the European PSD2 initiative); HCE. Mobile has taken over the travel industry, from mobile communications to customers to now protecting payments in the sky while acquiring wifi technology or buying food or beverages on board aircraft. The back end systems are also improving with more customer profiling and big data analytics. Data security for payments, authentication for airline travel and protection of analytical data are all important security issues facing the travel industry. The transportation industry is embracing digital technologies including: digitally enabled information services, which will put data at the heart of a logistics business through initiatives such as logistics control towers and analytics as a service, and help in reducing operating costs while improving efficiency of operations; and shared logistics capabilities, through shared warehouse and shared transport capabilities, which are expected to increase asset utilization in the near future. Critical data will be shared across industries, increasing the need for data protection and strong authentication capabilities to keep IP information protected. More than a thousand companies are developing new digital/mobile technologies that should allow consumers to take greater control over their healthcare choices. This combination may disrupt the industry’s migration toward larger, more integrated systems and put almost $300 billion (primarily, incumbent revenues) into play. Organizations are embracing cloud technologies for their data centers (share everything) while at the same time moving new workloads and applications to the cloud. Public, private and hybrid technologies are fast becoming the norm for IT organizations. Amazon is doing over $12 billion in cloud revenue.
  2. Thales eSecurity can help secure your digital transformation
  3. We are Thales eSecurity, helping secure your digital transformation today by delivering solutions that encrypt everything, from structured and unstructured data at rest to data in use and in motion across various devices, platforms and environments
  4. We are Thales eSecurity helping secure your digital transformation today by delivering solutions with the strongest key management solution
  5. Snapshot of our customers by vertical
  6. Hardware: Our hardened, tamper-resistant devices support a variety of customer applications to securely manage keys, certs, and more. All of our data protection hardware is certified to standards relevant to their application, including FIPS 140-2 and PCI-DSS. The nShield family of HSMs supports general purpose applications including PKI, TLS/SSL, and code signing, while payShield HSMs are dedicated to protecting keys and validating authentication data used for payment transactions. Our Vormetric DSM delivers key management services for encryption applications, and Datacryptor protects data-in-motion with very low latency. Software: The Vormetric Data Security Platform from Thales makes it easy and efficient to manage data-at-rest security across the entire organization. Built on a single extensible infrastructure for efficiency and low TCO, the platform features multiple data security products that can be deployed individually or in combination. Solutions support compliance, best practices and data breach prevention with advanced encryption, access control, data access audit logs and key management for platform and third party solutions. With network and end point security more susceptible to compromise than at any time in the past, and with sensitive data increasingly stored outside the traditional bounds of the enterprise in cloud and SaaS environments, the Vormetric product line provides data security wherever information is stored or used with an extensible, integrated solution that meets your needs today, and prepares your organization for the next security challenge or compliance mandate.
  7. Use Cases include SSL termination, Code signing, Connected Vehicle
  8. Use this slide to introduce our products at a high level and present the use cases. For a detailed deep dive use the respective product decks. payShield covers all the major card scheme applications that can reside on magnetic stripe, contact chip, contactless chip cards and mobile devices. Thales regularly updates its payShield base software to cover the very latest applications from American Express, Discover, JCB, MasterCard, UnionPay and Visa. A key strength of payShield is that it is pre-integrated with software from all the leading payment application vendors globally, providing issuers, merchants and processors alike with a proven, scalable off-the-shelf solution for all aspects of card/mobile issuing/provisioning and the subsequent payment transaction processing. payShield has been independently certified to the PCI HSM security standard, in addition to FIPS 140-2 Level 3. payShield HSMs are used extensively by issuing banks (to authorize payments), by acquirers (who provide processing services to merchants) and by payment gateways/switches (to route transactions to card networks and translate PIN blocks) for POS transactions and it is in this respect that we estimate that Thales payment HSMs are used somewhere in this ecosystem for about 80% of transactions. The complementary tools such as payShield Manager, CipherTrust Monitor and the Key Management Device (KMD) help our payShield customers to reduce their operating costs by offering more efficient ways to undertake HSM management tasks and by eliminating the need in many cases to visit data centers.
  9. [Note about presenting this – the presenter can use this slide to solicit areas of interest from the audience and link off to separate ppt decks on these use cases, and then come back to the rest of the product level presentation.]
  10. Use this slide to introduce our products at a high level and present the use cases. For a detailed deep dive use the respective product decks. The Vormetric Data Security Platform uses a single set of infrastructure, policy and management capabilities to secure sensitive data-at-rest wherever it resides: in data centers, clouds, big data and container environments. It enables organizations to meet data security compliance and regulatory requirements and best practices, and helps to prevent data breaches. Platform capabilities include centralized policy and key management for all Vormetric products, as well as key management for third party solutions. The Platform is also easily extensible to support new environments and use cases, providing both the capability to meet your organization’s need for digital transformation today and the assurance that you will be able to extend data protection as new technologies evolve in the future. Vormetric Transparent Encryption: protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases or infrastructure. Deployment is simple, scalable and fast, with agents enforcing data security and compliance policies. Policy and key management are provided by the Vormetric Data Security Manager. Vormetric Application Encryption: offers standards-based APIs that streamline the process of adding NIST-standard AES encryption and format-preserving encryption (FPE) into existing applications. Enables encryption of files, columns in databases or big data nodes with an agent-based solution that easily deploys locally or to cloud environments. Vormetric Cloud Encryption Gateway: enables organizations to safeguard files in such cloud storage environments as Amazon Simple Storage Services (Amazon S3) and other S3-compatible object storage services. Offers capabilities for encryption, on-premises key management and detailed logging. Encrypts sensitive data before it is saved to the cloud storage environment and gives you control over encryption keys. Vormetric Tokenization with Data Masking: reduces the cost and effort required to comply with security policies and regulatory mandates like the Payment Card Industry Data Security Standard (PCI DSS). Provides easy-to-implement, format-preserving tokenization to protect sensitive fields in databases. Enables administrators to establish policies to return an entire field tokenized or dynamically mask parts of a field. Vormetric Key Management: delivers capabilities for centrally managing keys from all Vormetric Data Security Platform products, and for securely storing keys and certificates for third-party devices, including IBM Security Guardium Data Encryption, Microsoft SQL TDE, Oracle TDE and KMIP-compliant encryption products. Fosters consistent policy implementation across multiple systems and reduces training and maintenance costs. Vormetric Key Management as a Service (KMaaS): offers capabilities for establishing strong governance over encryption keys and policies, so you can fully leverage SaaS environments such as Salesforce, while minimizing complexity and risk. Delivers hardened, compliant key governance solutions that integrate with cloud providers’ bring-your-own-key (BYOK) services. Leverages the BYOK APIs provided by cloud vendors to enable full control over the key management lifecycle.
  11. Operations = read/write/ls/ etc
  12. The Vormetric Data Security Platform consists of several product offerings, including Vormetric Transparent Encryption. Vormetric Transparent Encryption delivers file-level encryption, access control, and data access audit logs, and it can be deployed without having to re-architect applications, users or administrative workflows. Here’s how Vormetric Transparent Encryption works. An agent is deployed on a server at the file system level. This agent acquires policies and encryption keys from the Vormetric Data Security Manager, a physical or virtual appliance. The Vormetric Data Security Manager administrators can manage thousands of agents across an entire organization. Based on the policies established, the agent can either grant or deny a user’s request, and it can control which activities the user can conduct. For example, an administrator could gain access to a database server for managing backups, but still not gain access to sensitive data residing on that server in the clear. On the other hand, an authorized user working with an approved application or process will be able to get clear text access, without experiencing any changes in their normal processes. The agents can be deployed anywhere you have a physical or virtual server. It could be Windows, Unix or Linux; physical, virtual, cloud or big data. The database can be on a file system or a raw volume. In addition, all file access is logged, providing detailed security intelligence that can be delivered to internal security managers and external auditors. It should also be noted that Vormetric Transparent Encryption can be deployed without encryption and access control enforcement enabled. It could be used to capture consistent file access logs across all your servers.
  13. Thales eSecurity offers a broad range of market-leading data protection products, related professional data security services, and training — all of which are designed to help your organization safeguard its most sensitive information and business processes while complying with regulations and industry mandates. Drawing on the company’s more than 40 years of global experience protecting data for enterprises and governments around the globe, our independently certified hardware and software products deliver an ideal blend of high assurance and operational efficiency—so you never have to make tough tradeoffs between security, performance, and agility. Complementary services delivered by data protection experts in the Thales Advanced Solutions Group (ASG) can accelerate deployments, increase your confidence, improve your knowledge of best practices, and maximize return on your investment in data protection solutions.
  14. Delivering security and trust in data wherever data is created, shared or stored without impacting business agility.
  15. Thales eSecurity is the leading global data protection and digital trust management company allowing customers to protect more environments in more ways with the most comprehensive platform delivering the highest security with lowest TCO.
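
The who/what/when/where file access policy from slide 16, together with the log-everything and enforcement-disabled behaviour described in editor's note 12, can be modelled as a first-match rule list with default deny. This is an added illustration, not Vormetric code or its policy syntax; the class names, paths, user names and process names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    process: str
    operation: str
    path: str
    hour: int                      # 0-23, local time of the access

@dataclass(frozen=True)
class Rule:
    group: str = "*"
    process: str = "*"
    operations: frozenset = frozenset({"*"})
    hours: range = range(24)
    resource: str = "*"
    effect: str = "permit"         # "permit" = clear text, "deny" = block

    def matches(self, req):
        return ((self.group == "*" or self.group in req.groups)
                and fnmatchcase(req.process, self.process)
                and ("*" in self.operations or req.operation in self.operations)
                and req.hour in self.hours
                and fnmatchcase(req.path, self.resource))

def evaluate(policy, req, audit_log, enforce=True):
    """First matching rule wins; a request that matches nothing is denied."""
    verdict, rule_no = "deny", None
    for number, rule in enumerate(policy, start=1):
        if rule.matches(req):
            verdict, rule_no = rule.effect, number
            break
    # Every access is logged, whether or not the verdict is enforced.
    audit_log.append({"user": req.user, "process": req.process,
                      "op": req.operation, "path": req.path,
                      "rule": rule_no, "verdict": verdict, "enforced": enforce})
    return verdict if enforce else "permit"

# Constructed policy modelled on "Access Policy #1" from slide 16.
POLICY = [
    Rule(group="HR", process="erp", operations=frozenset({"read"}),
         resource="/data/hr_erp/*"),
    Rule(effect="deny"),           # everyone else, root included: block and log
]

# Constructed requests mirroring the three callers on slide 16.
DB = "/data/hr_erp/payroll.db"
REQUESTS = [
    Request("alice", frozenset({"HR"}), "erp", "read", DB, 14),
    Request("root", frozenset({"SystemAdmin"}), "cat", "read", DB, 14),
    Request("bob", frozenset({"Finance"}), "iexplore", "read", DB, 17),
]

def run(enforce=True):
    log = []
    return [evaluate(POLICY, r, log, enforce) for r in REQUESTS], log

if __name__ == "__main__":
    for entry in run()[1]:
        print(entry)
```

With `enforce=False` every request is let through, but the log still records the verdict the policy would have produced, which is one way to review a policy against real access patterns before turning enforcement on.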