Keynote address by Erol Dogan (Pre-Sales Consultant – ME) at Two Become One Conference held on 20th November 2019 at Movenpick Hotel, Karachi Pakistan.
The conference was hosted by Access Group in collaboration with its strategic global partner and data protection leader - Thales.
It covers how Thales eSecurity's broad range of market-leading data protection products is designed to help an organization safeguard its most sensitive information and business processes while complying with regulations and industry mandates.
It presents the Thales products at a high level and walks through their use cases.
Slide 4: Securing your digital transformation by encrypting everything
- Structured and unstructured data at rest, in motion and in use
- Within and across devices, processes, platforms and environments
Slide 5: Securing your digital transformation with strong key management
- High assurance certified key storage
- Centrally manage keys and policies
- Comprehensive API and protocol support
- Role-based management and monitoring
Slide 8: Thales eSecurity product portfolio
Data protection hardware:
- SafeNet Luna: general purpose HSM
- payShield: payment HSM
- Vormetric Data Security Manager
- SafeNet HSE: data in motion encryption
Data protection software:
- Transparent file & database encryption
- Application encryption
- Tokenization with data masking
- Cloud encryption gateway
- Batch data transformation
- Big data security
- Key management as a Service (KMaaS)
Slide 11: Performance
Approx. 10 times faster than Luna HSM 6

Signing
Operation        Luna HSM 7 (tps)   Luna HSM 6 (tps)
RSA 2048 Sign    10,000             1,200
ECC P256 Sign    > 20,000           2,000

Small packet encryption (improved latency)
Operation        Luna HSM 7 (tps)   Luna HSM 6 (tps)
AES-256 CBC      20,000             3,900
AES-256 GCM      19,000             3,600
Slide 12: payShield – the #1 selling payment HSM in the world
Proven, scalable payment system security
- Card and mobile application support for all major card schemes
- Secures over 80% of the world's POS transactions
- Reduces operating costs
Use cases:
- Mobile Point of Sale (mPOS): point-to-point encryption (P2PE) protects payment data and reduces merchant PCI DSS scope
- Transaction processing: PIN block translation and card data validation to authorize transactions for any card scheme
- Mobile provisioning: secure element key management and application personalization
- Host Card Emulation (HCE): secure mobile contactless payments at the point of sale
- Card issuance: secure EMV card data preparation and PIN generation
Slide 13: The many places payShield is used
- Mobile provisioning: mobile payment application registration and personalization (HCE); secure element key management
- Card issuance: EMV card data preparation/personalization; PIN generation and distribution
- Transaction processing: PIN block translation; validating card data and cryptograms
- Mobile card acceptance: mPOS reader key management; securing card data and PINs in transit (P2PE)
Slide 14: The Vormetric Data Security Platform
Enabling compliance, breach protection and secure digital transformation
- A single scalable platform for data-at-rest security
- Centralized policy and key management, easily expanded to new use cases for low TCO
- Digital transformation security for data migrating to cloud, big data, and container environments
Platform products: transparent encryption, application encryption, encryption gateway, tokenization and data masking, key management, KMaaS
Slide 15: The many places Vormetric products are used
- Transparent file encryption
- Application-layer encryption
- Tokenization
- Static data masking
- Dynamic data masking
- Cloud storage encryption
- Key management as a service
- Privileged user access control
- Access audit logging
- Batch data encryption and tokenization
- Orchestration and automation support
- Secure key management
Slide 16: Vormetric Transparent Encryption - Granular Access Controls
Process and user aware file access policies

File access policies can be very granular. User access can be controlled by application, allowed operations, time and the file or resource they attempt to access.
Supports controls for users and groups from the system level as well as LDAP/AD, Hadoop and container environments, including privileged users.

Policy dimensions:
- Who: directory user, group, application/process
- What (operations): read, write, file permission, etc.
- When: time
- Where: directory, file type, file name, drive, device/disk

Access Policy #1
User: HR-Group
App: ERP
Op: Read Only
Time: Any
Resources: Any
Requests not matching the policy: block access and log attempt

Example requests against the HR ERP directory:
- Group: HR; App: ERP; What: Read File; Time: 2PM 11/14/2014; Where: HR ERP Directory -> Authorized User
- Group: SystemAdmin; Process: cat command; What: Read File; Time: 2PM 11/14/2014; Where: HR ERP Directory -> Root User
- Group: Finance; App: IE 9.0; What: Read File; Time: 5pm 11/14/2014; Where: HR ERP Directory -> Unauthorized User

Limit system (even Root!), Hadoop, storage, container and other administrators' access to data without impeding their work.
Slide 17: Vormetric Transparent Encryption
Diagram: the VTE Agent sits on the server between users/applications and the file systems and volume managers that hold big data, containers, databases, files and cloud storage. Approved processes and users see clear text (the sample record "John Smith, 401 Main Street"); privileged users such as cloud and storage admins see only encrypted, controlled data (ciphertext). The agent allows/blocks and encrypts/decrypts each access according to policy from the Vormetric Data Security Manager (DSM), a virtual or physical appliance, and Vormetric Security Intelligence sends access logs to the SIEM.

Transparently protects file system and/or volume data-at-rest
▌ No changes to applications or workflows required
▌ Encryption and Key Management – Lock down data
▌ Fine-grained access controls – Only decrypt data for authorized users and processes including system, Active Directory/LDAP, container (OpenShift and Docker) and Hadoop users
▌ Detailed data access audit logs integrate easily with SIEM systems to detect attacks in process
Slide 18: Thales services
Accelerate deployments, learn best practices, and maximize return on your investment in data protection and security solutions
- PKI professional services: design, deploy and manage world-class PKIs
- Custom cryptographic solutions: leverage our knowledge to protect your customers
- Product deployment: complete important data protection projects quickly and correctly
- Training & certification: learn best practices
Slide 19: Thales – supporting a wide range of use cases
Customer use cases: cloud security, data security, IoT security, payments, code signing, PKI, tokenization / data masking, digital signing, key management, app encryption, data encryption, container security, hardware security modules
Slide 20: Thales – securing your digital transformation
- Trust and compliance
- Advanced encryption
- Strong key management
- Global service & support
Editor's Notes
Digital transformation of financial services
- Financial service providers are changing their approach for interacting with consumers
- Drive towards increased interaction, personalized service - anytime, anywhere
- Transformation examples include:
  - Birth of Digital Banks: primary interaction through mobile devices
  - Open APIs: access to financial institution consumer accounts and payment process applications (part of the European PSD2 initiative)
HCE
Mobile has taken over the travel industry, from mobile communications with customers to now protecting payments in the sky, whether buying in-flight wifi or food and beverages on board aircraft. The back-end systems are also improving, with more customer profiling and big data analytics. Data security for payments, authentication for airline travel and protection of analytical data are all important security issues facing the travel industry.
The transportation industry is embracing digital technologies including:
- Digitally enabled information services will put data at the heart of a logistics business through initiatives such as logistics control towers and analytics as a service, and help to reduce operating costs while improving the efficiency of operations.
- Shared logistics capabilities, through shared warehouse and shared transport capabilities, are expected to increase asset utilization in the near future. Critical data will be shared across industries, increasing the need for data protection and strong authentication capabilities to keep IP information protected.
More than a thousand companies are developing new digital/mobile technologies that should allow consumers to take greater control over their healthcare choices. This combination may disrupt the industry’s migration toward larger, more integrated systems and put almost $300 billion—primarily, incumbent revenues—into play.
Organizations are embracing cloud technologies for their data centers, sharing everything while at the same time moving new workloads and applications to the cloud. Public, private and hybrid technologies are fast becoming the norm for IT organizations. Amazon is doing over $12 billion in cloud revenue.
Thales eSecurity can help secure your digital transformation
We are Thales eSecurity, helping secure your digital transformation today by delivering solutions that encrypt everything,
from structured and unstructured data at rest to data in use and in motion, across various devices, platforms and environments.
We are Thales eSecurity, helping secure your digital transformation today by delivering the strongest key management solution.
Snapshot of our customers by vertical
Hardware
Our hardened, tamper-resistant devices support a variety of customer applications to securely manage keys, certs, and more. All of our data protection hardware is certified to standards relevant to its application, including FIPS 140-2 and PCI-DSS. The nShield family of HSMs supports general purpose applications including PKI, TLS/SSL, and code signing, while payShield HSMs are dedicated to protecting keys and validating authentication data used for payment transactions. Our Vormetric DSM delivers key management services for encryption applications, and Datacryptor protects data-in-motion with very low latency.
Software
The Vormetric Data Security Platform from Thales makes it easy and efficient to manage data-at-rest security across an entire organization. Built on a single extensible infrastructure for efficiency and low TCO, the platform features multiple data security products that can be deployed individually or in combination.
Solutions support compliance, best practices and data breach prevention with advanced encryption, access control, data access audit logs and key management for platform and third-party solutions. With network and endpoint security more susceptible to compromise than at any time in the past, and with sensitive data increasingly stored outside the traditional bounds of the enterprise in cloud and SaaS environments, the Vormetric product line provides data security wherever information is stored or used, with an extensible, integrated solution that meets your needs today and prepares your organization for the next security challenge or compliance mandate.
Use cases include SSL termination, code signing and connected vehicles.
Use this slide to introduce our products at a high level and present the use cases. For a detailed deep dive use the respective product decks.
payShield covers all the major card scheme applications that can reside on magnetic stripe, contact chip, contactless chip cards and mobile devices. Thales regularly updates its payShield base software to cover the very latest applications from American Express, Discover, JCB, MasterCard, UnionPay and Visa.
A key strength of payShield is that it is pre-integrated with software from all the leading payment application vendors globally, providing issuers, merchants and processors alike with a proven, scalable off-the-shelf solution for all aspects of card/mobile issuing/provisioning and the subsequent payment transaction processing. payShield has been independently certified to the PCI HSM security standard, in addition to FIPS 140-2 Level 3.
payShield HSMs are used extensively by issuing banks (to authorize payments), by acquirers (who provide processing services to merchants) and by payment gateways/switches (to route transactions to card networks and translate PIN blocks) for POS transactions. It is in this respect that we estimate that Thales payment HSMs are used somewhere in this ecosystem for about 80% of transactions.
The complementary tools such as payShield Manager, CipherTrust Monitor and the Key Management Device (KMD) help our payShield customers to reduce their operating costs by offering more efficient ways to undertake HSM management tasks and by eliminating the need in many cases to visit data centers.
[Note about presenting this – the presenter can use this slide to solicit areas of interest from the audience and link off to separate ppt decks on these use cases, and then come back to the rest of the product level presentation.]
The Vormetric Data Security Platform uses a single set of infrastructure, policy and management capabilities to secure sensitive data-at-rest wherever it resides: in data centers, clouds, big data and container environments. It enables organizations to meet data security compliance and regulatory requirements and best practices, and helps to prevent data breaches.
Platform capabilities include centralized policy and key management for all Vormetric products, as well as key management for third party solutions.
The Platform is also easily extensible to support new environments and use cases – Providing both the capability to meet your organization’s need for digital transformation today, but the assurance that you will be able to extend data protection as new technologies evolve in the future.
Vormetric Transparent Encryption
Vormetric Transparent Encryption protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases or infrastructure. Deployment is simple, scalable and fast, with agents enforcing data security and compliance policies. Policy and key management are provided by the Vormetric Data Security Manager.
Vormetric Application Encryption
Vormetric Application Encryption offers standards-based APIs that streamline the process of adding NIST-standard AES encryption and format-preserving encryption (FPE) into existing applications. Enables encryption of files, columns in databases or big data nodes with an agent-based solution that easily deploys locally or to cloud environments.
Vormetric Cloud Encryption Gateway
Enables organizations to safeguard files in such cloud storage environments as Amazon Simple Storage Services (Amazon S3) and other S3-compatible object storage services. Offers capabilities for encryption, on-premises key management and detailed logging. Encrypts sensitive data before it is saved to the cloud storage environment and gives you control over encryption keys.
Vormetric Tokenization with Data Masking
Reduces the cost and effort required to comply with security policies and regulatory mandates like the Payment Card Industry Data Security Standard (PCI DSS). Provides easy-to-implement, format-preserving tokenization to protect sensitive fields in databases. Enables administrators to establish policies to return an entire field tokenized or dynamically mask parts of a field.
Vormetric Key Management
Delivers capabilities for centrally managing keys from all Vormetric Data Security Platform products, and for securely storing keys and certificates for third-party devices—including IBM Security Guardium Data Encryption, Microsoft SQL TDE, Oracle TDE and KMIP-compliant encryption products. Fosters consistent policy implementation across multiple systems and reduces training and maintenance costs.
Vormetric Key Management as a Service (KMaaS)
Offers capabilities for establishing strong governance over encryption keys and policies, so you can fully leverage SaaS environments such as SalesForce, while minimizing complexity and risk. Delivers hardened, compliant key governance solutions that integrate with cloud providers’ bring-your-own-key (BYOK) services. Leverages the BYOK APIs provided by cloud vendors to enable full control over the key management lifecycle.
Operations = read/write/ls, etc.
The Vormetric Data Security Platform consists of several product offerings, including Vormetric Transparent Encryption.
Vormetric Transparent Encryption delivers file-level encryption, access control, and data access audit logs; it can be deployed without having to re-architect applications, users or administrative workflows.
Here’s how Vormetric Transparent Encryption works. An agent is deployed on a server at the file system level.
This agent acquires policies and encryption keys from the Vormetric Data Security Manager, a physical or virtual appliance. The Vormetric Data Security Manager administrators can manage thousands of agents across an entire organization.
Based on the policies established, the agent can either grant or deny a user’s request, and it can control which activities the user can conduct.
For example, an administrator could gain access to a database server for managing backups, but still not gain access to sensitive data residing on that server in the clear.
On the other hand, an authorized user working with an approved application or process will be able to get clear text access, without experiencing any changes in their normal processes.
The agents can be deployed anywhere you have a physical or virtual server: Windows, Unix or Linux; physical, virtual, cloud or big data. The database can be on a file system or a raw volume.
In addition, all file access is logged, providing detailed security intelligence that can be delivered to internal security managers and external auditors.
It should also be noted that Vormetric Transparent Encryption can be deployed without encryption and access control enforcement enabled; in that mode it can be used to capture consistent file access logs across all your servers.
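To make the who/what/when/where policy model of the granular access controls slide and the agent behaviour described in the notes above concrete, here is an added toy evaluator. It is not Vormetric's policy language or VTE agent code; the rule fields, the file path, the process names and the user names are constructed assumptions, and the audit-only mode models the deployment without enforcement mentioned just above.

```python
"""Toy evaluator for process- and user-aware file access policies (who/what/when/where).
Added illustration only: not Vormetric's policy language or VTE agent code;
the field names, paths and process names below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatch

@dataclass(frozen=True)
class Request:
    user: str
    group: str
    process: str       # application or binary performing the access
    operation: str     # read, write, ls, ...
    path: str
    when: datetime

@dataclass(frozen=True)
class PermitRule:
    """Who (group, process), what (operations), when (time window), where (path glob)."""
    group: str = "*"
    process: str = "*"
    operations: frozenset = frozenset({"*"})
    path: str = "*"
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def matches(self, r: Request) -> bool:
        return (fnmatch(r.group, self.group) and fnmatch(r.process, self.process)
                and ("*" in self.operations or r.operation in self.operations)
                and fnmatch(r.path, self.path) and self.start <= r.when.time() <= self.end)

class Agent:
    """Default deny: unmatched requests are blocked and logged; with enforce=False
    (audit-only deployment) every request is logged but allowed."""
    def __init__(self, rules, enforce=True):
        self.rules, self.enforce, self.log = list(rules), enforce, []

    def decide(self, r: Request) -> str:
        permitted = any(rule.matches(r) for rule in self.rules)
        decision = "ALLOW" if permitted or not self.enforce else "BLOCK"
        self.log.append(f"{r.when:%Y-%m-%d %H:%M} {decision} user={r.user} group={r.group} "
                        f"proc={r.process} op={r.operation} path={r.path}")
        return decision

# Access Policy #1 from the slide as a constructed rule: HR group, via ERP only, read-only, any time, under the HR ERP directory.
POLICY = [PermitRule(group="HR", process="erp", operations=frozenset({"read"}),
                     path="/data/hr-erp/*")]
HR_FILE = "/data/hr-erp/payroll.db"   # constructed path
T14, T17 = datetime(2014, 11, 14, 14, 0), datetime(2014, 11, 14, 17, 0)

def demo(enforce=True):
    """The slide's three requests plus an HR write; returns (decisions, audit log)."""
    agent = Agent(POLICY, enforce)
    reqs = {
        "hr_erp_read": Request("alice", "HR", "erp", "read", HR_FILE, T14),
        "root_cat_read": Request("root", "SystemAdmin", "cat", "read", HR_FILE, T14),
        "finance_ie_read": Request("bob", "Finance", "iexplore.exe", "read", HR_FILE, T17),
        "hr_erp_write": Request("alice", "HR", "erp", "write", HR_FILE, T14),
    }
    return {name: agent.decide(r) for name, r in reqs.items()}, agent.log
```

Only the HR user reading through the ERP application is allowed; root's `cat`, the Finance user's browser and even the HR user's write are blocked, and every attempt lands in the log regardless of the decision.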
Thales eSecurity offers a broad range of market-leading data protection products, related professional data security services, and training — all of which are designed to help your organization safeguard its most sensitive information and business processes while complying with regulations and industry mandates.
Drawing on the company’s more than 40 years of global experience protecting data for enterprises and governments around the globe, our independently certified hardware and software products deliver an ideal blend of high assurance and operational efficiency—so you never have to make tough tradeoffs between security, performance, and agility.
Complementary services delivered by data protection experts in the Thales Advanced Solutions Group (ASG) can accelerate deployments, increase your confidence, improve your knowledge of best practices, and maximize return on your investment in data protection solutions.
Delivering security and trust in data wherever data is created, shared or stored without impacting business agility.
Thales eSecurity is the leading global data protection and digital trust management company allowing customers to protect more environments in more ways with the most comprehensive platform delivering the highest security with lowest TCO.