
SafeNet Enterprise Key and Crypto Management


With SafeNet, organizations can centrally, efficiently, and securely manage cryptographic keys and policies—across the key management lifecycle and throughout the enterprise. SafeNet's data center protection solutions are designed to secure all of the sensitive information that is stored in and accessed from enterprise data centers, including patient records, credit card information, social security numbers, and more.



  1. Enterprise Key and Crypto Management: SafeNet KeySecure & DataSecure. Yves Van Tongerloo, Regional Sales Manager Belgium and Luxembourg.
  2. What We Do: SafeNet delivers comprehensive data protection solutions for persistent protection of high-value information.
  3. Where We Are: a global footprint, 1600+ employees across 25 countries.
  4. Who We Are, SafeNet key facts:
     - We protect the most money that moves in the world: $1 trillion daily.
     - We protect the most digital identities in the world (35+ million identities).
     - We protect the most classified information in the world.
     - Founded 1983. Revenue +450m. Employees +1,600 in 26 countries, more than 550 crypto engineers. Ownership: private.
     - Global footprint: +25,000 customers in 100 countries.
     - Accredited: products certified to the highest security standard, over 130 FIPS certificates. Recognised by Gartner as the Leader for Authentication.
  5. Sensitive Data is Everywhere. So are we.
  6. SafeNet Crypto Foundation (architecture diagram): DataSecure / KeySecure provides enterprise crypto management at the core, with SNMP, NTP and SYSLOG integration; around it sit ProtectV (cloud and virtual data centers), ProtectApp (web/application servers), ProtectDB (databases) and the Tokenization Manager (application servers).
  7. ProtectV: Data Protection for the Physical and Virtual DataCenter and the Cloud.
  8. ProtectV: Throughout the Data Lifecycle. Every day that you power on VMs or start up a server, ProtectV makes it efficient, fast, and automated. The lifecycle stages shown are 1 Power On, 2 Start, 3 Daily Operations, 4 Snapshot/image, 5 Delete.
     - You must be authenticated and authorized to launch.
     - All data and VMs/servers are encrypted.
     - Every time you delete a key, it "digitally shreds" the data, rendering all copies of the VMs inaccessible.
     - Every copy of a VM in storage or backup is encrypted.
  9. Anatomy of Securing Your Data in the Physical/Virtual or Cloud Environment (diagram: protected virtual machines and protected volumes on a hypervisor and its storage, plus protected on-premise servers in the physical datacenter):
     1. ProtectV Client is installed on your VMs or on your servers in your datacenter.
     2. ProtectV Manager is a virtual machine that runs as a VM in a VMware environment.
     3. KeySecure/DataSecure is a hardened, tamper-resistant, high-assurance enterprise key management solution on a hardware or virtualized platform.
  10. ProtectV: How It Works (components: ProtectV Manager, ProtectV Client, KeySecure). © SafeNet, Confidential and Proprietary.
     - Select machines with sensitive data.
     - Centrally set and apply security policies.
     - Tell client machines to encrypt data with the right key.
     - Authenticate before the VM is launched.
     - Clients get the encrypt command and the key, and start encrypting the data.
  11. SafeNet ProtectV on Instances. An encrypted instance on cloud/virtual servers and cloud/virtual storage provides AES 256, pre-launch authentication, policy and key management, and protected volumes. ProtectV protection:
     - OS does not boot without authentication.
     - Entire instance encrypted, protecting the OS.
     - Attached volumes encrypted.
     - Supports thin provisioning, critical to cloud.
     - Encrypts all data written to disk.
     - Central key management for strong control.
     - Resists brute-force attacks on keys.
     - Supports protected snapshots.
  12. ProtectV and Scaling in Large Environments.
     - Cloud APIs and web services: authentication automation, bulk operations.
     - Centralized management with SafeNet ProtectV Manager: provides centralized management; supports either customer-premise or cloud deployments; manages and coordinates ProtectV security; open APIs to cloud management.
     - SafeNet KeySecure/DataSecure (on premise): centralizes key management for persistence and flexibility; secure key creation and storage; key archiving and shredding; easy integration with ProtectV Manager.
  13. ProtectV Deployment Scenario across private cloud, public cloud and on-premise. ProtectV solution components: ProtectV Client; ProtectV Manager (high availability); Enterprise Key Manager (high availability).
  14. Database Encryption with ProtectDB.
  15. Crypto Service Level Encryption (diagram: the app server's APP LAYER and OS LAYER; the DB server's OS LAYER and DB LAYER, whose external procedures (Ext. Procs) call the Crypto Service backed by DataSecure).
     - Encrypt only sensitive columns.
     - DML transparent.
     - Eventually not DDL transparent.
     - Plus: keys in hardware, millions of keys, key migration, audit trail, LDAP & MS-AD integration.
  16. ProtectDB:
     - Column based, encryption only where needed.
     - Supports heterogeneous DB environments.
     - Encryption offload from the DB server.
     - PCI-DSS compliance supported.
     - Supports the key migration process.
     - Oracle domain index can be used.
     - Oracle RAC configuration supported.
     - Per instance max. ~2500 encryption operations under real DB runtime conditions.
     - Supported data types: BFILE, BLOB, CHAR, CLOB, DATE, DECIMAL, LONG, LONG RAW, NCHAR, NUMBER, NUMERIC, NVARCHAR2, VARCHAR, VARCHAR2.
     - Mostly DML transparent.
     - Not DDL transparent.
  17. ProtectDB in Action (diagram): users Tom and Bob query through the web server and application server; the database field is encrypted with Key X, so the stored value of 12345678 is 0xEED95…. Tom can access Key X and receives 12345678 in the query response; Bob cannot access Key X and his request is blocked. DataSecure holds the key.
  18. ProtectDB – Database Migration Summary. Before migration the CUSTOMER table holds the SSN in clear; after migration CUSTOMER_ENCRYPTED stores NULL in SSN and the ciphertext in a new SSN_NEW column, and a CUSTOMER view presents the decrypted rows to applications.

      CUSTOMER (original table)
      | Name           | Account | SSN      | Address         | City          |
      | Irwin Fletcher | 000234  | 12345678 | 411 Main Street | Santa Barbara |
      | Josh Ritter    | 000115  | 11112222 | 1801 21st Ave   | San Francisco |

      CUSTOMER_ENCRYPTED
      | Name           | Account | SSN  | Address         | City          | SSN_NEW         |
      | Irwin Fletcher | 000234  | NULL | 411 Main Street | Santa Barbara | 0xEED95DB7751…  |
      | Josh Ritter    | 000115  | NULL | 1801 21st Ave   | San Francisco | 0x21010B370F87… |

      CUSTOMER (View)
      | Name           | Account | SSN      | Address         | City          |
      | Irwin Fletcher | 000234  | 12345678 | 411 Main Street | Santa Barbara |
      | Josh Ritter    | 000115  | 11112222 | 1801 21st Ave   | San Francisco |
  19. Data Encryption with ProtectApp.
  20. Application Level Encryption (diagram: the app server's APP LAYER calls a Crypto API / Crypto Service backed by DataSecure; the DB server's OS LAYER and DB LAYER only store ciphertext).
     - Addresses a wide range of confidentiality threats.
     - Granular encryption control.
     - Not application transparent.
     - Plus: keys in hardware, millions of keys, versioned keys, audit trail, LDAP & MS-AD integration.
  21. ProtectApp:
     - Focuses on application development in C/C++/C#, .NET, Java.
     - User authentication against DataSecure (with MS-AD, LDAP).
     - Supports versioned keys and re-encryption.
     - Full logging/auditing on the client and on DataSecure.
     - Bulk encrypt/decrypt calls.
  22. ProtectApp in Action (diagram): users Tom and Bob query through the web server and application server; the database field is encrypted with Key X, so the database returns 0xEED95… for the stored value 12345678 and the application server decrypts it. Tom can access Key X, Bob cannot. DataSecure holds the key.
  23. Supported Algorithms:
     - Encryption and decryption with symmetric keys: AES, DES, DESede (triple DES), SEED, RC4.
     - Encryption and decryption with asymmetric keys: RSA.
     - Message Authentication Codes (MACs): HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512.
     - Digital signatures: RSA.
  24. Format Preserving Tokenization.
  25. Tokenization with Encryption (diagram: the app server's APP LAYER and OS LAYER; the DB server's OS LAYER and DB LAYER; a Token Manager with a Crypto Service and a Token DB, backed by DataSecure).
     - Replace sensitive data with a non-sensitive token.
     - Reduces audit scope drastically.
     - Only for small pieces of data (CCnums, PANs, etc.).
     - Plus: keys in hardware, millions of keys, key migration, audit trail, LDAP & MS-AD integration.
  26. Tokenization in Action (diagram): the customer's sensitive information (the PAN) reaches the application server in clear; the application server sends the PAN to the Tokenization Manager, which, with DataSecure, produces Hash and Enc(PAN), stores {Hash, Token, Enc(PAN)} in the Token Vault Database and returns the Token. The application server and other systems then store only the token in their databases.
  27. Deploying SafeNet Tokenization Manager.
  28. Tokenization:
     - Applicable for small pieces of data (SSN, PANs, CCnums).
     - Some integration work needed (with the API or web service).
     - No changes to existing databases or 3rd-party applications.
     - The token preserves the original data format and fits into the original field.
     - Made for PCI-DSS compliance; reduces the scope of audits.
     - Bulk tokenization.
     - Luhn check.
  29. Token Format:
     - Data format and representation can be preserved.
     - Tokens may be generated using a variety of formats: Random, Sequential, Last_Four, First_Six, First_Two_Last_Four, First_Six_Last_Four, Fixed_Nineteen, Fixed_Twenty_Last_Four.
     - Or the token format can be user-defined via a regular expression (Reg-Ex).
  30. Token Format Examples.
  31. Thank You! SafeNet Universal Protection: universal data protection from data center to cloud.
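Slides 17 and 18 describe the ProtectDB pattern: the ciphertext goes into a new column, the old column is NULLed, decryption happens on read through external procedures, and access to Key X is decided per user. The following Python script is an added example, not SafeNet code; it models that pattern with sqlite3 user-defined functions in place of the external procedures and an HMAC-SHA256 keystream in place of the appliance's AES, and the function names, the demo key and the sample rows are constructed.

```python
import hashlib, hmac, os, sqlite3

KEY_X = b"demo-key-x"  # constructed; in the product Key X never leaves DataSecure
CUSTOMERS = [  # rows from slide 18 (constructed sample data)
    ("Irwin Fletcher", "000234", "12345678", "411 Main Street", "Santa Barbara"),
    ("Josh Ritter", "000115", "11112222", "1801 21st Ave", "San Francisco"),
]

def _crypt(nonce: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 keystream: offline stand-in for the appliance's AES."""
    ks = hmac.new(KEY_X, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_field(value: str) -> bytes:
    nonce = os.urandom(16)  # fresh nonce, so equal SSNs give different ciphertexts
    return nonce + _crypt(nonce, value.encode())

def decrypt_field(blob: bytes) -> str:
    return _crypt(blob[:16], blob[16:]).decode()

def build_database(user_can_use_key_x: bool) -> sqlite3.Connection:
    """CUSTOMER_ENCRYPTED keeps ciphertext in SSN_NEW and NULLs the old SSN column;
    the CUSTOMER view decrypts on read. The UDFs play the external procedures
    that call DataSecure, and access to Key X is decided per user (slide 17)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE CUSTOMER_ENCRYPTED (Name, Account, SSN, Address, City, SSN_NEW BLOB)")
    con.executemany("INSERT INTO CUSTOMER_ENCRYPTED VALUES (?, ?, NULL, ?, ?, ?)",
                    [(n, a, ad, c, encrypt_field(s)) for n, a, s, ad, c in CUSTOMERS])

    def decrypt_ssn(blob):  # Bob (no access to Key X) gets NULL, never plaintext
        return decrypt_field(blob) if user_can_use_key_x else None

    def encrypt_ssn(value):
        if not user_can_use_key_x:
            raise PermissionError("user may not use Key X")
        return encrypt_field(value)

    con.create_function("DECRYPT_SSN", 1, decrypt_ssn)
    con.create_function("ENCRYPT_SSN", 1, encrypt_ssn)
    con.execute("CREATE VIEW CUSTOMER AS SELECT Name, Account, DECRYPT_SSN(SSN_NEW) AS SSN,"
                " Address, City FROM CUSTOMER_ENCRYPTED")
    # INSTEAD OF trigger keeps INSERTs DML-transparent: apps still write to CUSTOMER
    con.execute("CREATE TRIGGER customer_ins INSTEAD OF INSERT ON CUSTOMER BEGIN"
                " INSERT INTO CUSTOMER_ENCRYPTED VALUES (NEW.Name, NEW.Account, NULL,"
                " NEW.Address, NEW.City, ENCRYPT_SSN(NEW.SSN)); END")
    return con

def read_ssns(con: sqlite3.Connection) -> list:
    return [row[0] for row in con.execute("SELECT SSN FROM CUSTOMER ORDER BY Account")]
```

A DDL change such as adding a column still has to be made on CUSTOMER_ENCRYPTED and mirrored in the view and trigger, which is the "not DDL transparent" caveat of slide 16.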
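Slides 26, 28 and 29 describe tokenization: a vault of {Hash, Token, Enc(PAN)}, tokens that keep the field's format and length, a Luhn check, and named formats such as First_Six_Last_Four. The following Python class is an added example, not SafeNet's Tokenization Manager; it implements five of the slide-29 formats, uses the keyed hash to return the same token for a repeated PAN, and retries until the token passes the Luhn check, with constructed keys and an HMAC keystream standing in for the appliance's AES.

```python
import hashlib, hmac, os, secrets

HASH_KEY = b"demo-lookup-key"  # constructed; real keys stay in DataSecure
ENC_KEY = b"demo-vault-key"    # constructed
# Slide-29 format names -> (leading PAN digits kept, trailing PAN digits kept)
FORMATS = {"Random": (0, 0), "Last_Four": (0, 4), "First_Six": (6, 0),
           "First_Two_Last_Four": (2, 4), "First_Six_Last_Four": (6, 4)}

def luhn_valid(number: str) -> bool:
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _crypt(nonce: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 keystream: offline stand-in for the appliance's AES."""
    ks = hmac.new(ENC_KEY, nonce, hashlib.sha256).digest()  # 32 bytes covers any PAN
    return bytes(a ^ b for a, b in zip(data, ks))

class TokenVault:
    """Vault rows are {Hash, Token, Enc(PAN)} as on slide 26."""
    def __init__(self, fmt: str = "First_Six_Last_Four", luhn: bool = True):
        self.head, self.tail, self.luhn = *FORMATS[fmt], luhn
        self.rows, self.by_token = {}, {}  # hash -> (token, blob); token -> hash

    def _new_token(self, pan: str) -> str:
        n = len(pan) - self.head - self.tail
        if n < 2:
            raise ValueError("format leaves too few digits to randomise")
        while True:  # same length and kept digits; retry until Luhn-valid and unique
            mid = "".join(secrets.choice("0123456789") for _ in range(n))
            tok = pan[:self.head] + mid + pan[len(pan) - self.tail:]
            if tok != pan and tok not in self.by_token and (not self.luhn or luhn_valid(tok)):
                return tok

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit():
            raise ValueError("PAN must be all digits")
        h = hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()
        if h not in self.rows:  # keyed hash: a repeated PAN maps to its existing token
            nonce = os.urandom(16)
            self.rows[h] = (self._new_token(pan), nonce + _crypt(nonce, pan.encode()))
            self.by_token[self.rows[h][0]] = h
        return self.rows[h][0]

    def detokenize(self, token: str) -> str:  # only vault-authorised systems may call this
        blob = self.rows[self.by_token[token]][1]
        return _crypt(blob[:16], blob[16:]).decode()
```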