From this presentation you will learn:
· A brief history of encryption
· How encryption is now deployed in the enterprise
· Encryption and key management best practices to keep data safe
3. Origins of an Organized Approach
Scytale and Caesar Ciphers
• Character based: simple character transposition
• Depended on algorithm secrecy
4. Encryption Goes Mechanical
Enigma Rotor
• Complex mechanical and electromechanical machines
• Character based encryption
• Patented 1918
• Commercial and military usage
5. Cryptography in the Modern Age
Modern Cryptography
• Began in the late 1940s, aligned with the Information Age
• Encryption moved from character based to bit based
• The Data Encryption Standard (DES) used 56 bit keys (1975)
• Triple DES (3DES) used 192 bit keys (1998)
• The Advanced Encryption Standard is available to all (2001)
• AES uses 128 or 256 bit keys and ‘modes’ to secure data
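The slide's point that AES needs a 'mode' to secure data is easiest to see in code. The Go program below is an added example written for this page, not part of the deck or of any Gemalto product; it uses only the Go standard library with a constructed 256-bit key and a constructed sample record. It encrypts the same repetitive record with raw AES block by block (ECB, which is not a secure mode) and with AES-GCM, counts how many ciphertext blocks repeat in each output, and then shows that GCM also rejects a ciphertext whose authentication tag has been altered.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encryptECB applies the raw AES block function to each 16-byte block on its
// own (ECB). It is shown only to illustrate why a mode matters: identical
// plaintext blocks give identical ciphertext blocks, so structure leaks.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", aes.BlockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// encryptGCM uses AES-GCM, an authenticated mode: a fresh random nonce is
// prepended to the output and a 16-byte authentication tag is appended.
func encryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptGCM reverses encryptGCM and fails if the ciphertext or tag was modified.
func decryptGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// repeatedBlocks counts 16-byte ciphertext blocks that occur more than once.
// A non-zero count means the ciphertext reveals repetition in the plaintext.
func repeatedBlocks(ct []byte) int {
	seen := map[string]int{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])]++
	}
	repeats := 0
	for _, n := range seen {
		if n > 1 {
			repeats += n - 1
		}
	}
	return repeats
}

func main() {
	key := make([]byte, 32) // constructed 256-bit key; in production it comes from a key manager
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed record: the same 16-byte field repeated four times.
	record := bytes.Repeat([]byte("PATIENT-ID=00042"), 4)
	ecb, _ := encryptECB(key, record)
	sealed, _ := encryptGCM(key, record)
	fmt.Println("ECB repeated blocks:", repeatedBlocks(ecb))    // 3
	fmt.Println("GCM repeated blocks:", repeatedBlocks(sealed)) // 0
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err := decryptGCM(key, sealed)
	fmt.Println("tampered GCM rejected:", err != nil) // true
}
```

The ECB output repeats three of its four blocks, which is exactly the kind of leak a mode is meant to prevent; the GCM output shows no repetition because each block's ciphertext depends on the nonce and its position, and the tag check turns any modification into a decryption error rather than silently corrupted data.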
7. The Decision that Starts It All…
Confidential and Proprietary | For Internal Gemalto Use Only
“Many organizations understand the benefits of encryption … but have difficulty on the question of just where to encrypt the data.”
- Jon Oltsik, Senior Analyst, Enterprise Strategy Group
[Diagram: the encryption layers between data source and destination (Application, Database, File, Storage / Tape / Disk), set against the axes Deployment Effort and Security]
8. More Encryption Keys to Store & Manage
Growing Number of Encryption Use Cases
Non-Repudiation
• Document Signing
• Citizen eIDs
• Boarding Passes
• Transaction Signing
• Biometrics
Integrity
• Electronic Transfers
• Time stamping
• Signed Audit Logs
• Secure Communications
• Mobile Payments
Encryption
• Disk & File Encryption
• Code Signing
• Database Encryption
What is Driving This Adoption?
Internet of Things, Compliance, KMIP, Virtual Data Center and Cloud, Partner Integrations, Datacenter Consolidation, Cybersecurity, Next Gen PKI
Crypto Management Challenges
• Who controls the keys?
• Are the keys trusted?
• Where are the keys located?
• Will they pass an audit?
• Do they meet my future deployment models?
• Do they work with my 3rd party applications?
10. How Enterprises are Thinking…
Often information security decisions are made urgently in response to ‘fire drills’ – tight timelines dictated by new mandates, threats, or breaches. Commonly this is done by business units.
For BUs, it’s natural to adopt a ‘build-it-yourself’ or ‘go-it-alone’ approach. In fact it works in many IT cases.
But building encryption and managing keys is a more complicated and resource-intensive investment than people think.
In addition, once encryption is implemented, administrators and teams must continue to manage the encryption keys for their deployment. Suddenly the easy DIY project becomes an ongoing administrative headache.
11. The Proliferation of Silos
File Servers, Applications & Web Servers, SQL & NoSQL Databases, Mainframes, Storage, Backup Media
Today – Silos
• Costly & Complex Administration
• Inconsistent Security Policy Enforcement
• No Repeatable Process
• Inhibited Data & Business Workflow
• Audit Challenges
13. Required Elements
1. CONTROL IDENTITY: Who & What Can Access Sensitive Data
Access Control
• Protect identities
• Ensure only authorized users and services have access
2. PROTECT DATA: Protection & Controls that Sit with the Data
Encrypt the Data
• At-rest in storage
• In motion across the network
• On-premises or in the cloud
Strong Key Management
• Secure and own encryption keys
• Centrally manage keys and policies
14. Where to Encrypt and Manage Keys?
“Many organizations understand the benefits of encryption … but have difficulty on the question of just where to encrypt the data.”
Jon Oltsik, Senior Analyst, Enterprise Strategy Group
[Diagram: the encryption layers between data source and destination (Application, Database, File, Storage / Tape / Disk), set against the axes Deployment Effort and Security]
15. Data Protection Best Practices
Protect Data
• Encrypt or Tokenize
• Apply Access Controls
Protect Keys
• Manage Key Lifecycle
• Apply Access Controls
Decouple KEYS from DATA
16. A Three Step Approach
Points of protection: File Servers (DAS, SAN, NAS, HDFS), Databases (SQL & NoSQL), Applications (Application servers), Public Cloud (Cloud Servers and Virtual Machines)
• File Level Encryption
• Database Level Encryption
• Application Level Encryption
• Tokenization
+ Access Control
• Centralized Key Management (Generation, Rotation, Expiration, etc.)
• Audit Reporting and Compliance Management
• Separation of duties – Encryption Keys decoupled from data
18. A Physical Network-Attached Key Manager
Multiple Application Servers connect to the key manager, which is layered as follows:
Application Key Usage Services
• Interfaces: PKCS #11, CAPI / CNG, Java CSP, OpenSSL, XML
• Cryptographic Processing: Offload, Multiple Partitions, High Availability and Load Balancing
Key Management Services
• Backup/Restore, Export Controls, EKM Interface, Policies
Key Vault Services
• Tamper Resistance/Response, Separation of Duties, M of N Controls
• FIPS 140-2 Level 3, Common Criteria EAL4+
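"M of N Controls" on this slide means that a sensitive operation on the key vault requires M out of N custodians to cooperate, so no single administrator can act alone. A standard way to build such a control is Shamir secret sharing. The Go program below is an added example written for this page, not Gemalto or SafeNet code, and it does not describe how any particular appliance implements the feature; it uses only the Go standard library and a constructed secret. It splits the secret into 5 shares so that any 3 recover it, by placing the secret as the constant term of a random degree-2 polynomial over the field of integers modulo the prime 2^521-1 and interpolating back to f(0).

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// All arithmetic is modulo the prime 2^521-1, so every share is a point on a
// random polynomial over a finite field and reveals nothing below the quorum.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one custodian's piece: an x coordinate and the polynomial value f(x).
type Share struct {
	X, Y *big.Int
}

// Split hides secret as the constant term of a random polynomial of degree
// m-1 and returns n points on it. Any m points recover f(0); m-1 do not.
func Split(secret []byte, m, n int) ([]Share, error) {
	if m < 2 || n < m {
		return nil, fmt.Errorf("need 2 <= m <= n, got m=%d n=%d", m, n)
	}
	s := new(big.Int).SetBytes(secret)
	if s.Cmp(prime) >= 0 {
		return nil, fmt.Errorf("secret too large for the field")
	}
	coeffs := []*big.Int{s}
	for i := 1; i < m; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, n)
	for i := range shares {
		x := big.NewInt(int64(i + 1)) // x = 0 is never handed out: f(0) is the secret
		y := big.NewInt(0)
		for j := len(coeffs) - 1; j >= 0; j-- { // Horner evaluation of f(x)
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares[i] = Share{X: x, Y: y}
	}
	return shares, nil
}

// Combine reconstructs f(0) by Lagrange interpolation over the given shares.
// With fewer than m distinct shares the result is simply a wrong value.
func Combine(shares []Share) []byte {
	result := big.NewInt(0)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			num.Mul(num, new(big.Int).Neg(sj.X)).Mod(num, prime)        // (0 - x_j)
			den.Mul(den, new(big.Int).Sub(si.X, sj.X)).Mod(den, prime) // (x_i - x_j)
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime))
		result.Add(result, term).Mod(result, prime)
	}
	return result.Bytes()
}

func main() {
	secret := []byte("constructed-key-vault-unlock-value") // constructed stand-in for a vault secret
	shares, err := Split(secret, 3, 5)                      // 3-of-5 control
	if err != nil {
		panic(err)
	}
	fmt.Printf("3 of 5 shares -> %q\n", Combine(shares[:3]))
	fmt.Printf("2 of 5 shares -> %x (not the secret)\n", Combine(shares[:2]))
}
```

In an appliance the shares would live on separate custodian tokens and the reconstruction would happen inside the hardware boundary; the arithmetic is the same. Note that the scheme gives no hint that a reconstruction used too few shares, so real deployments pair it with a check value or an authenticated unlock step.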
19. Key Management: Best Practices
Encryption in the enterprise is simple. Key management in the enterprise is the real challenge.
Key Management: Proper rotation, deletion, etc.
Centralized key management: Keep track of all the keys, all the time
Separation of Duties: No single user with the keys to the kingdom
Key security: Hardware storage
Replication: Ensure high-availability
Backup and restoration: Protect against catastrophe
Auditing and reporting: Demonstrate that you control your data
20. Key Management Best Practices
Centralize key management across the enterprise
• Application, Database, File, Disk, TDE, Virtual
• Control centrally and then farm out encryption to individual BUs
Store keys in hardware
• Physical key management appliance
• Hardware Security Module (HSM)
Design an architecture that scales. A key manager should:
• Manage load balancing
• Conduct health checking
• Offer connection pooling
• Be able to broker SSL handshakes
Control key access
• Separate duties amongst administrators
• Implement access controls around secured data
21. Segregation of Roles & Responsibilities
Security Administrators
• Responsible for key management, security policies, access controls
Database Administrators
• Responsible for database management, schemas, field definitions, creation of views and triggers, installation of stored procedures
Application Developers
• Responsible for application code changes and/or developing stored procedures to be installed on the database
Others:
• Storage admin, backup admin, virtualization admin, etc.
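Slides 15 through 21 describe a set of practices that only make sense together: keep keys decoupled from data, centralize key management with rotation, separate the duties of the security administrators who manage keys from those of the people and services that use the data, and keep an audit trail. The Go program below is an added example written for this page, not the deck's own material nor SafeNet KeySecure or any other product's code, and the role names, the KeyManager API and the sample record are all assumptions made here. It shows one way the pieces fit: a toy in-process key manager holds key-encryption keys (KEKs) by version, applications receive per-record data-encryption keys (DEKs) that are stored beside the ciphertext only in wrapped form, a rotation creates a new KEK version and re-wraps the small DEK blobs instead of re-encrypting the data, and the security-admin role can rotate but is refused when it asks to unwrap.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Role models the segregation of duties on slide 21: the role that manages keys is not the role that reads data.
type Role string

const SecurityAdmin, AppService Role = "security-admin", "application"

// WrappedDEK is what the database stores beside the ciphertext: a data encryption key (DEK) sealed under a KEK that never leaves the key manager.
type WrappedDEK struct {
	KEKVersion int
	Blob       []byte
}

// KeyManager stands in for a network-attached key manager: every KEK version, the role policy and the audit trail live here.
type KeyManager struct {
	keks   map[int][]byte
	latest int
	Audit  []string
}

func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// seal and open are AES-256-GCM with the 12-byte random nonce prepended to the blob.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // keys always come from randomKey, so this cannot fail
	g, _ := cipher.NewGCM(block)
	nonce := randomKey()[:g.NonceSize()]
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(blob) < 12 {
		return nil, fmt.Errorf("open: unknown key or truncated blob")
	}
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, blob[:12], blob[12:], nil)
}

// Rotate creates a new KEK version; older versions are kept so DEKs wrapped under them stay readable until ReWrap moves them forward.
func (km *KeyManager) Rotate(by Role) error {
	if by != SecurityAdmin {
		km.Audit = append(km.Audit, "DENIED rotate by "+string(by))
		return fmt.Errorf("rotate: %s may not manage keys", by)
	}
	km.latest++
	km.keks[km.latest] = randomKey()
	km.Audit = append(km.Audit, fmt.Sprintf("KEK v%d created by %s", km.latest, by))
	return nil
}

// NewDEK hands the application a fresh data key once, together with its wrapped form for storage.
func (km *KeyManager) NewDEK() ([]byte, WrappedDEK) {
	dek := randomKey()
	return dek, WrappedDEK{km.latest, seal(km.keks[km.latest], dek)}
}

// Unwrap releases a DEK to an application; a security administrator is refused, so key custody never becomes data access.
func (km *KeyManager) Unwrap(by Role, w WrappedDEK) ([]byte, error) {
	if by != AppService {
		km.Audit = append(km.Audit, "DENIED unwrap by "+string(by))
		return nil, fmt.Errorf("unwrap: %s may not access data keys", by)
	}
	return open(km.keks[w.KEKVersion], w.Blob)
}

// ReWrap moves a wrapped DEK to the latest KEK after a rotation: only this small blob is rewritten, the bulk ciphertext is untouched.
func (km *KeyManager) ReWrap(w WrappedDEK) (WrappedDEK, error) {
	dek, err := open(km.keks[w.KEKVersion], w.Blob)
	if err != nil {
		return WrappedDEK{}, err
	}
	return WrappedDEK{km.latest, seal(km.keks[km.latest], dek)}, nil
}

func main() {
	km := &KeyManager{keks: map[int][]byte{}}
	km.Rotate(SecurityAdmin)
	dek, wrapped := km.NewDEK()
	record := seal(dek, []byte("card=4111-xxxx (constructed sample)")) // store record and wrapped, never dek
	km.Rotate(SecurityAdmin)        // scheduled rotation: the data is not touched
	wrapped, _ = km.ReWrap(wrapped) // only the wrapped key moves to KEK v2
	dek, _ = km.Unwrap(AppService, wrapped)
	pt, _ := open(dek, record)
	_, err := km.Unwrap(SecurityAdmin, wrapped)
	fmt.Printf("application reads %q; admin refused: %v; audit: %v\n", pt, err != nil, km.Audit)
}
```

The design choice worth noticing is that the KEK version travels with the wrapped key, not with the data: rotation is a metadata operation over small blobs, old versions remain available for anything not yet re-wrapped, and every denied call lands in the audit log so a separation-of-duties violation is visible rather than silent.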
22. Enterprise Data Protection as Centralized Service
Today – Silos
File Servers, Applications & Web Servers, SQL & NoSQL Databases, Mainframes, Storage, Backup Media
• Costly & Complex Administration
• Inconsistent Security Policy Enforcement
• No Repeatable Process
• Inhibited Data & Business Workflow
• Audit Challenges
Tomorrow - Unified
UNIFIED DATA PROTECTION PLATFORM: Crypto Foundation, Key Management, Policy Management, Compliance, Security; deployed in the Cloud, On-Premises and Virtual
• Single Vendor
• Centrally Defined & Managed Security
• Strong Compliance & Low Audit Cost
• Increased Security, Business Agility, & Lower IT Costs
23. The Benefits of Buying In
07.04.16
Better Security
When security policies are centrally managed and broadly deployed, it is easier to ensure effective enforcement. Sensitive cryptographic keys and policy controls are tightly secured in purpose-built mechanisms.
Every group that goes its own way remains vulnerable to compromise. Unauthorized entry into one department could spread to other departments.
Budget Savings
Security administration is time-consuming, costly and complex. Farming out encryption security responsibilities preserves departmental budget.
Offload ongoing key management costs to other parts of the organization and benefit from architecture designs made by others.
24. The Benefits of Buying In (Continued)
Streamlined Collaboration
Security silos run counter to the increasing interconnection of corporate applications and workflows. Sharing sensitive data across departments introduces security gaps, complexity and latency into the business.
Standardizing encryption through the central service improves the ability to collaborate freely across the organization without fear of vulnerability or non-compliance.
Faster Innovation
Building encryption yourself is deceptively complex and time-consuming. Farming out key management to the central service frees resources that can be dedicated to other important tasks.
Central encryption services can create standard ready-to-use APIs and platforms that shorten development cycles for new products & services.
25. PARTNERSHIPS
Holistic Enterprise Data Protection Framework
ECOSYSTEM
• Amazon Web Services, Microsoft Azure, HP, Dell, NetApp Storage, Chef, Docker, Oracle, Microsoft SQL, IBM DB2, MySQL, MongoDB, Cassandra, Apache Hadoop, IBM BigInsights, IBMz – mainframes, IBMi – AS400
POINTS OF PROTECTION
• NoSQL Databases, SQL Databases, Storage, Archive Tapes, Files, Folders & Shares (DAS/NAS/SAN), Big Data, P-to-NonP Tokenization, Application Encryption, Cloud Public & Private, Application Key Management, ERP & CRM
ENCRYPTION & TOKENIZATION
• SafeNet ProtectApp, SafeNet ProtectDB, SafeNet ProtectFile, SafeNet Tokenization, Database Native TDE, Transform Utility, Bulk Tokenization, Web Services
ENTERPRISE KEY MANAGEMENT
• SafeNet KeySecure