Marko SafeNet @ Rainbow-Informzashita - February 2012
DESCRIPTION
SafeNet technology presentation at the Informzashita seminar.
TRANSCRIPT
SafeNet DataSecure platform
Technological leadership in protecting the information lifecycle
Marko Bobinac
PreSales Engineer Eastern EMEA
21.02.2012
The Data Protection Company
Protecting high-value information in the world's most complex environments
Protection that evolves with the customer needs
Solutions for persistently protecting information as it moves through its lifecycle
What We Do
You manage the world’s most sensitive, high-value data. Our mission is to protect it.
Identities Transactions Data Communications
SafeNet Data Protection Product Portfolio
Offering the broadest range of authenticators, from smart cards and tokens to mobile phone authentication, all managed from a single platform
Authentication
Offering the most secure and easiest-to-integrate technology for securing PKI identities and transactions.
HSM
SafeNet’s DataSecure – a universal platform delivering intelligent data protection and control for information assets
Data Encryption and Control
SafeNet high-speed network encryptors combine the highest performance with a unified management platform
High-Speed Network Encryption
[Portfolio diagram, labels recovered from the slide:
• Cloud / External IT Solutions: eSafe, Software Rights Management, Software as a Service, Access to Cloud-Based Apps, SRM SaaS
• Identity Protection: Endpoint Protection, Self Encrypting HDs, Authentication & Access Management, PKI Infrastructure / Certificate Authority, HSM
• Cryptographic Keys / Virtualized Application Security: HSM, HSE, Public and Private Cloud Infrastructure Protection
• Communication Protection: Web Gateways, Firewalls / SSL VPNs, High Speed Encryption, HSM
• Data Encryption & Control (DataSecure): ProtectZ (Mainframe), ProtectFile (File Servers, SAM), ProtectDB (Database), ProtectApp (Application/Web Servers), Secure Cloud Storage & Applications, KeySecure, Email Gateways
• Storage Encryption: Protection NAS, Virtual Instances, Virtual Storage, ProtectV Manager virtual appliance]
[Platform overview diagram: Data Secure Appliance (Applications, Databases, Mainframes, File Servers, Tokenization, Cryptography as an IT Service); Storage Secure Appliance (File Shares, Network Storage, Tape Backups); Management Center; High Speed Encryptors; HSM Appliance (Nat. IDs, AMI Metering, E-Signatures, E-Passports, Certificate Infrastructures); Authentication Manager; 3rd Party Technologies via KMIP. Protection areas: Cloud & Virtual Infrastructure, Data Centers, Storage, Data Transfer, Identities, Infrastructure]
The Magic Quadrant for User Authentication
[Quadrant chart, as of January 2012: vertical axis Ability to execute, horizontal axis Completeness of vision; quadrants: niche players, visionaries, challengers, leaders]
DataSecure:
The Foundation of Data Encryption & Control
Six Best Practices in Data Protection & Compliance
1. Security — Not Just Compliance
2. Define your Corporate Policies
3. Involve the Stakeholders
4. Know your Data
5. Understand your Threats
6. Determine where to Protect your Data
Seven Methodologies for Data Encryption & Control
1. Maintain Control Over Data Types
2. Create Points of Trust for Administration and Policy
3. Leverage a Secure, Hardened Platform for Heterogeneous Environments
4. Choose Standards-Based Security when Possible
5. Select a Flexible Platform for Encryption and Tokenization
6. Pick a Solution with Key Management Best Practices
7. Ensure Proof of Compliance is Easy
Worldwide Compliance Requirements
• Canadian Electronic Evidence Act
• PCI Data Security Standard (WW)
• CA SB1386 et al
• HIPAA (USA)
• FDA 21 CFR Part 11
• GLB Act
• Sarbanes-Oxley Act (USA)
• AIPA (Italy)
• GDPdU and GoBS (Germany)
• NF Z 42-013 (France)
• EU Data Protection Directive
• Financial Services Authority (UK)
• UK Data Protection Act
• Electronic Ledger Storage Law (Japan)
• 11MEDIS-DC (Japan)
• Japan PIP Act
• PCI (WW)
• Basel II Capital Accord
SafeNet Data Encryption & Control
Protecting sensitive data throughout its lifecycle...wherever it resides
In Data Centers
• Applications
• Databases
• File Servers
• Mainframes
In the Cloud
• Persistent, secured cloud storage for structured & unstructured data
On Endpoints
• Desktops
• Laptops
• Removable Media
[Diagram: DataSecure Platform with connectors ProtectApp (Web/App Servers), ProtectFile (File Servers), ProtectDB (Databases), ProtectZ (Mainframes), ProtectDrive (endpoints), Tokenization, Cloud]
DataSecure Platform
Appliance solution for:
• High-performance encryption
• Simplified cryptographic key and policy management
• Hardened Linux kernel
• FIPS and Common Criteria certified
• High Availability
Combined with connectors (software):
• Connectors for applications, databases, file servers, and workstations
• Secures the connection to the appliance (connection pooling, SSL)
Core Benefits of SafeNet DataSecure
Security
• Hardware-based solution
• Centralized encryption and key management
• Authentication, authorization, and auditing
Performance
• High performance encryption offload
• Batch processing for massive amounts of data
• Local encryption capabilities
Flexibility
• Support for heterogeneous environments
• Support for open standards and APIs
• Range of enterprise deployment models
Manageability
• Simplified appliance-based approach
• Web management console
• CLI (command line interface)
Availability
• Enterprise clustering and replication
• Load balancing, health checking, and failover
• Geographically distributed redundancy
Security
Centralized Policy Management
• Security administrators control data protection policy
• Keys created and stored in a single location
• Dual Administrative Control
• Separation of Duties
• Logging, Auditing and Alerts
FIPS & Common Criteria Certified Solution
• FIPS 140-2 Level 2 & CC EAL2 Certified
• Keys are stored in the appliance
• Different types of encryption available: AES, 3DES, RSA ...
• Certificate authority to manage its integrated SSL access
Authentication & Authorization
• Multi-factor authentication possible between DataSecure and the database or application
• Access control: granularity of crypto policy, by key, by schedule, etc.
• Support for LDAP
Performance
Encryption Offload
• Optimized, high-performance hardware
• Frees up database and application servers
• Latency less than 300 microseconds per request
Local Encryption Option
• Configurable for hardware offload or local encryption
Batch Processing
• Perform batch encrypts/decrypts for high performance
• More than 100k TPS
• Batch tools include: Transform Utility, ICAPI (SafeNet API protocol)
• Easy integration into existing applications
Performance average: 15 minutes to encrypt 5,000,000 records of 16 octets (char) on MS SQL with 1 x i430 in AES-256
Flexibility
Heterogeneous Environments
• Comprehensive enterprise solution
• Web, Application, Database, Mainframe or File Server
• Data Center or Distributed Environments
• Open Standards-based APIs, cryptographic protocols
Scalability
• Models with capacity from 2,500 TPS to 100,000 TPS
• Clustering further increases capacity and redundancy
• Licensing structure enables cost-effective build-out
Availability
[Diagram: DataSecure cluster spanning Moscow and Saint Petersburg]
Clustering
• Keys and policy are shared/replicated among DataSecures in a global cluster
Load Balancing
• Connector software can load balance across a group of appliances
• Multi-tier load balancing enables transparent failover to alternate appliance(s)
Positioning of the SafeNet DataSecure®
• Configurations to meet your needs, today and in the future
• Extend the investment to additional data types as needed
• Scalable to address growth
[Diagram, Scalable for Growth: SafeNet DataSecure at the centre with SafeNet ProtectApp (Application and Web Servers), SafeNet ProtectFile (File Servers), SafeNet ProtectDB (Databases), Tokenization, ProtectZ (Mainframes)]
ProtectDB Use Case
Use Case Steps
1. Cleartext values passed via database server to DataSecure
2. DataSecure returns encrypted values to the database server (encrypted values can be shared across the organization in other environments in a persistently encrypted format)
3. Transform Utility can be used to support high-performance batch processing
Supported Databases
• Oracle, Microsoft SQL Server, IBM DB2 & Teradata
• Supports native database encryption key storage/management
Algorithms
• 3DES, DES, and AES
Supported Platforms
• Windows, Linux, Solaris, HP-UX, AIX, or IBM z/OS
[Diagram: credit card value from CRM passes to DataSecure, which returns the encrypted value; Transform Utility handles batch conversion]
Database protection with native encryption
• Heterogeneous database environments (Oracle, MS SQL, IBM DB2, ...)
• The information should not be visible to the DBA (accessible vs. visible)
• The cryptographic load often requires a hardware upgrade
• Transparent native encryption requires an upgrade of the software versions
• Access to the logs is not secured, and reading them is complex (unfiltered)
• Native platforms are not certified or "certifiable" (FIPS, CC)
• The cryptographic keys are used in a non-secure buffer
• The keys are not sequestered unless an HSM is used, and even then only for the master key
• Resources are not shared, and the key rotation process is constraining
ProtectApp Use Case
Use Case Steps
1. Cleartext value passed via application layer to DataSecure
2. DataSecure returns encrypted value
3. Encrypted value can be shared with heterogeneous applications & databases
Supported Web & Application Servers
• Oracle, IBM, BEA, IIS, Apache, Sun ONE, JBoss
Algorithms
• 3DES, DES, AES, RSA (signatures and encryption), RC4, SHA-1, SHA-2
Supported Platforms
• .NET, MSCAPI, PKCS#11, JCE, ICAPI, XML
• Windows, Linux, or IBM z/OS
[Diagram: cleartext value from an e-commerce (Java or .NET) application passes to DataSecure, which returns the encrypted value shared with the ERP application, CRM application and customer database]
ProtectZ Features for Database & Applications Running on IBM Mainframes
Granular Protection
• Retain ownership of data on IBM z/OS mainframes in databases and applications
Proven Algorithms
• Achieve the highest level of database and application security by using proven cryptographic algorithms such as AES, DES and DESede, combined with strong identity and access-policy protection
Broad Support
• Flexible support for APIs such as ICAPI & JCE, application support for Cobol, RPG and assembler in environments such as CICS, TSO or batch, and data storage in DB2, IMS, VSAM, DASD
Data Type Support
• Coverage for data types such as BIGINT, CHAR, DATE, DECIMAL, INTEGER, SMALLINT, TIME, TIMESTAMP, and VARCHAR
[Diagram: mainframe applications and databases protected via DataSecure]
ProtectFile for Servers Features
Use Case Steps
1. Document encrypted by DataSecure based on corporate policy
2. Protected file or folder stored on file server in data center
3. Only privileged users can access, view, modify, or delete protected files
Interoperability with
• RIS, SMS, Tivoli, TNG, Active Directory and multi-factor authenticators
Algorithms
• FIPS 140 Level 2 AES
Supported Platforms
• Windows and Linux operating systems, Microsoft, Novell, Netware & Unix (Samba)
[Diagram: intellectual property on network-attached file servers, protected by DataSecure and accessible only to privileged users]
ProtectFile Sample Policies
• Finance Managers get full access to confidential financial spreadsheets
• Outside Auditors get access to sensitive files remotely and offline, but need to be re-authorized by IT every 30 days to regain access (the policy can be configured for any set amount of time)
• IT Administrators get access to perform routine maintenance, but cannot see any files that have been encrypted (IT sees only cipher text)
• Call center reps can encrypt credit card numbers for phone orders
• Customer contracts sent to the call center are saved to a shared file server by the call center reps, where they are automatically encrypted and strict access control is applied
• Market analysts are able to access and share their competitive analysis on seasonal opportunities in the Finance folder, but only see cipher text if they try to open the spreadsheet with analyst salary information
• Create policies that align to lines of business
• Granular policies can be defined to control access to authorized users
Access Policy page example
• Access Level sample I: user with Encrypt & Decrypt permissions
• Access Level sample II: user with Backup & Restore Ciphertext permissions
• Access Level sample III: user with No Access permissions
Information preview: StorageSecure
• New appliance (March 2012) for protecting storage
• Supports any kind of NAS (CIFS, NFS)
• 1 Gb/s - 10 Gb/s of file encryption
• Transparent: works on the network layer
• Not a replacement for ProtectFile; the decision depends on what fits you best, as DataSecure offers a wider range of solutions!
Tokenization Manager Use Case
[Diagram: Tokenization Manager backed by DataSecure, with an enterprise application, back-office support and a payment application; a small-market consumer system and a PCI auditor at the edges]
1. Sensitive data comes in through a consumer system
2. Sensitive data is passed to Tokenization Manager
3. Tokenization encrypts the sensitive data, stores it and returns a token
4. Payment application passes tokens to Tokenization Manager to request the original data it needs for the bank transaction
5. Tokenization decrypts and returns sensitive data
6. PCI Auditor only needs to inspect the tokenized database and active applications
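The use case above as a runnable model, added here as an example and not SafeNet's code: a token vault that encrypts and stores the card number, hands back a random format-preserving token, and only lets the payment application detokenize, logging every request for the auditor. It assumes a stdlib-only stand-in cipher (HMAC-SHA256 as a PRF in counter mode) where the appliance would use AES, and a constructed caller name "payment-app".

```python
import hashlib
import hmac
import os
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for the appliance's AES: HMAC-SHA256 used as a PRF in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class TokenizationManager:
    def __init__(self, master_key: bytes):
        # Separate encryption and integrity keys derived from the (constructed) master key.
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self._vault = {}   # token -> (nonce, ciphertext, tag): the only place real PANs exist
        self.audit = []    # (caller, token, outcome): what the PCI auditor reviews

    def tokenize(self, pan: str) -> str:
        # Step 3: encrypt, store, return a token. The token keeps the PAN's length and last
        # four digits so consumer systems need no schema change, but it is random, so the
        # PAN cannot be derived from it without the vault.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if token != pan and token not in self._vault:
                break
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(self._enc_key, nonce, len(pan))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        self._vault[token] = (nonce, ct, tag)
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Steps 4-5: only the payment application may recover the PAN; every request is logged.
        if caller != "payment-app":
            self.audit.append((caller, token, "denied"))
            raise PermissionError(f"{caller} is not authorised to detokenize")
        nonce, ct, tag = self._vault[token]
        if not hmac.compare_digest(tag, hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("vault record failed integrity check")
        self.audit.append((caller, token, "ok"))
        return bytes(a ^ b for a, b in zip(ct, _keystream(self._enc_key, nonce, len(ct)))).decode()
```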
Maintain Ownership and Control with DataSecure
• Centralized tool to create granular protection policies and control who and what has access to sensitive data, when and where
• Standards-based encryption with the highest level of security in a commercial platform
• Logging, auditing and reporting capabilities provide visibility for enforcement, refinement and compliance
• Persistent protection as data moves within data centers, out to endpoints and into the cloud
Protection for different Data Types
One platform to protect:
• Personally Identifiable Information
• Payment & Transactional Data
• Intellectual Property
• Non-public Information
[Diagram: DataSecure (key management, policy management, control, administration) serving file servers, databases, cloud and applications]
Industry data types:
• Healthcare: Patient Records
• Financial Services: Account Info
• Retail: Credit Cards
• Manufacturing: Design Specs
• Energy: Land Surveys
• Government: Soc. Sec # / Tax ID
DataSecure Supports Separation of Duties
DataSecure is the foundation of data encryption & control by securing a wide array of data types under one platform that:
• Provides tools for the administration, enforcement, monitoring, and reporting of the data protection solution
• Establishes distinct roles so no single administrator can compromise the system
• Requires “m of n” credentials for key and policy management administration
Key Management throughout Lifecycle
[Diagram: roles Finance Manager, Legal Manager, HR Manager, Database Administrator, Security Officer and IT Manager for Tape Storage, with SQL, Oracle and DB2 databases, around one key lifecycle]
Lifecycle operations: Generate, Certify, Backup, Activate, Deactivate, Rotate, Compromise, Destroy
Summary
Data Center Protection
• Designed to secure all of the sensitive information that is stored in and accessed from enterprise data centers
• Protecting the structured data stored in databases, applications, and mainframe environments as well as the unstructured data kept in file servers
• With DataSecure driving central enforcement of corporate policies and access control
The Solution Suite Includes:
• ProtectDB
• ProtectApp
• ProtectZ
• ProtectFile
• Tokenization Manager
[Diagram, Scalable for Growth: SafeNet DataSecure at the centre with SafeNet ProtectApp (Application and Web Servers), SafeNet ProtectFile (File Servers), SafeNet ProtectDB (Databases), SafeNet ProtectDrive (Laptop), Tokenization Manager, SafeNet ProtectZ (Mainframes)]
Unrivaled Customer Success with Some of the World’s Most Respected and Admired Companies
[Customer logo slide, categories: Technology, Financial, Household Brands, Retail]