aleksić - capital.bg (slide transcript)

Posted on 17-Aug-2019

TRANSCRIPT

Predrag Aleksić, PreSales Engineer, Enterprise and Cybersecurity
InfoSec Bulgaria, October 2018

The data protection dilemma: balancing business value and security

MORE DATA
• Produced, processed and stored in more places
• Shared more
• Distributed to more locations outside of your control

01/10/2018 Gemalto Enterprise & Cybersecurity - CONFIDENTIAL

The data protection dilemma

ACCEPT THE BREACH: Perimeter security alone is no longer enough.
PROTECT WHAT MATTERS, WHERE IT MATTERS: Data is the new perimeter.
SECURE THE BREACH: Control who and what can access information. Apply data protection and controls that sit with the data asset.

Do you have a Plan B?

Cybersecurity: have a plan

PLAN A: Prevent the breach.
PLAN B: Assume the breach; minimize its impact.

Secure the Breach: the method. So where to start?

0 Analyse the NEED: what data? what applications? what storage? what use case?
1 Control the ACCESS: protect identities; ensure only authorized users and services have access.
2 Encrypt the DATA: at rest in storage; in motion across the network; on-premises or in the cloud.
3 Secure the KEYS: secure and own the encryption keys; centrally manage keys and policies.

SECURE THE BREACH: the 3 key elements

1 CONTROL ACCESS: strong authentication for internal users and administrators, cloud provider admins/superusers, customers and partners, applications and SaaS apps.
2 ENCRYPT THE DATA: data at rest encryption (file servers, databases, virtual machines, storage networks: physical data, virtual data, data in the cloud) and data in motion encryption.
3 SECURE & MANAGE KEYS: crypto management (key manager, HSM, crypto provisioning system).

Why encryption?

Lost or stolen data in terms of GDPR:
• Only a breach notification to the supervisory authority; no duty to inform the affected users (GDPR Art. 34(3)(a): this exemption holds only if the data was unintelligible to the attacker, i.e. the keys were not exposed along with it)
• No secrets revealed
• No bad publicity
• Less business impact
• Breach prevention

Why key management?

• No direct GDPR compliance requirement
• BUT once data is encrypted, the ciphertext is no longer what needs protecting; the keys are, so key management is what matters.

Why two-factor authentication?

• Audit trail for GDPR compliance: who accessed which information, and at what time
• Reduced risk from stolen credentials
• Breach prevention

So how to protect our data? SECURE THE BREACH

[Diagram: protection points around a Hardware Security Module appliance]
• Applications (.NET, Java, KMIP, XML)
• Databases
• 3rd-party solutions (e.g. self-encrypting drives via KMIP)
• File encryption
• Tokenization
• Network: Ethernet, Fibre Channel
• File shares, tape backups: network share encryption proxy
• Virtual instances, virtual storage: ProtectV Manager virtual appliance

Cryptography as an IT service

Use cases: authentication management (on-premise or cloud), national IDs, AMI metering, e-signatures, e-passports, certificate infrastructures.

Trust. Every day.

• Protect cloud & virtual infrastructure
• Protect identities
• Protect infrastructure
• Protect NAS storage: ProtectFile server/desktop agent
• KeySecure appliance
• Protect data centers: Layer 2 high-speed encryptors
• Protect data transfer

Full Disk Encryption – blanket (storage-level security)

[Diagram: data flow from Users | Apps through Application, Database and File System (Files | Folders | Shares) down to Storage (Local Storage: DAS; Remote Storage: NAS | SAN), with Key Management alongside. The same layer stack is used on the next three slides to show where each protection level sits.]

• Block-level encryption
• Typically simple deployment
• No encryption/decryption access control: once the volume is mounted, every user and process on the host reads plaintext
• Protects only against loss or theft of the physical media (disks, backup copies), not against an attacker or insider with access to the running system

File System–Level Transparent File Encryption

• Transparent file encryption – files, folders, shares, databases, FTP servers, application data, etc.
• Encryption policies – determine which of the file server's paths and files will be encrypted, which keys will be used, and which users, groups or processes will be given access to the encrypted data
• Access policies – define which users, groups and processes can access protected content
• Backup & restore policies – authorized backup admins can back up and restore the files in encrypted form only; they never see plaintext
• Protection against a rogue "root" user – prevents the superuser "root" from accessing sensitive data when impersonating another user
• Separation of duties – security vs. data management
• Dual control (M of N) – sensitive operations require multiple admins

Database-level protection

• Transparent column-level encryption – local & remote
• Standard encryption
• Format-preserving encryption (FPE) – the ciphertext keeps the column's length and character set, so the schema does not change
• Tokenization
• Access policies – key-ownership-based partitioning: each database has visibility and access to its own keys only
• Protection against the DBA – prevents the DBA from impersonating other database users
• Separation of duties – security vs. data management
• Dual control (M of N) – sensitive operations require multiple admins
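Tokenization is the one item on this slide that puts no ciphertext in the column at all: the stored value is a random surrogate and the real value lives in a vault. The Go program below is an added illustration written for this page; it is not Gemalto/SafeNet code and does not describe how SafeNet Tokenization is implemented. It swaps a PAN for a random token of the same length that keeps the last four digits, maps the same PAN to the same token every time (through an HMAC index, so the vault never keys its table on plaintext), and only resolves tokens through a separate Detokenize call. The PAN and the index key are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
)

// Vault maps tokens back to the original values. In a real deployment this table lives in a
// separate, encrypted store that the application database and its DBA cannot read.
type Vault struct {
	indexKey []byte            // HMAC key for the lookup index, so plaintext is never a map key
	byValue  map[string]string // HMAC(value) -> token
	byToken  map[string]string // token -> value
}

func NewVault(indexKey []byte) *Vault {
	return &Vault{indexKey: indexKey, byValue: map[string]string{}, byToken: map[string]string{}}
}

func (v *Vault) index(value string) string {
	m := hmac.New(sha256.New, v.indexKey)
	m.Write([]byte(value))
	return hex.EncodeToString(m.Sum(nil))
}

// randomDigits returns n decimal digits drawn from crypto/rand.
func randomDigits(n int) (string, error) {
	out := make([]byte, n)
	for i := range out {
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		out[i] = byte('0' + d.Int64())
	}
	return string(out), nil
}

// Tokenize replaces a digit string (a PAN, say) with a random token of the same length that keeps
// the last four digits, so it fits the existing column and receipts still show "**** 1111".
// Unlike a ciphertext, the token carries no key material: without the vault it cannot be reversed.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 8 {
		return "", fmt.Errorf("value of length %d is too short to tokenize", len(pan))
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return "", fmt.Errorf("only digit strings are tokenized")
		}
	}
	if t, ok := v.byValue[v.index(pan)]; ok {
		return t, nil // deterministic: the same PAN always maps to the same token, so joins still work
	}
	keep := pan[len(pan)-4:]
	for {
		head, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		token := head + keep
		if _, taken := v.byToken[token]; token == pan || taken {
			continue // never hand back the real value, never reuse a token
		}
		v.byValue[v.index(pan)] = token
		v.byToken[token] = pan
		return token, nil
	}
}

// Detokenize is the only path back to the clear value; in practice it sits behind an access policy
// and an audit log, and most applications are never granted it.
func (v *Vault) Detokenize(token string) (string, error) {
	if pan, ok := v.byToken[token]; ok {
		return pan, nil
	}
	return "", fmt.Errorf("unknown token")
}

func main() {
	// Constructed sample: a well-known test PAN and a throwaway index key.
	v := NewVault([]byte("example-index-key-not-for-production"))
	tok, _ := v.Tokenize("4111111111111111")
	back, _ := v.Detokenize(tok)
	fmt.Printf("stored in DB: %s  (vault resolves to %s)\n", tok, back)
}
```

Because the token is random rather than derived from the PAN, an attacker who dumps the application database learns nothing about the original values; the vault, and the Detokenize path into it, become the asset to protect, which is the same "the keys are what matter" point the key-management slide makes.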

Application-level protection

• Cryptographic operations: encrypt/decrypt, sign/verify, MAC/verify
• Standard encryption
• Format-preserving encryption (FPE)
• Tokenization
• Bulk interfaces – encryption, tokenization, FPE
• Key & certificate management interfaces
• Access policies – key-ownership-based partitioning: each application has visibility and access to its own keys only
• Protection against all admins – admins (including the DBA and the storage admin) can only see encrypted data, because encryption happens in the application before the data reaches them
• Separation of duties – security vs. data management
• Dual control (M of N) – sensitive operations require multiple admins
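Added example (Go, written for this page; it is not ProtectApp or KeySecure code and models neither product's API): an in-process stand-in for a key service that enforces the two access rules listed above. Each key belongs to exactly one application; encrypt and decrypt both run through the same ownership check, so a caller never reaches another application's key and an admin who copies the stored blob holds only ciphertext. AES-256-GCM is used, with the key ID and a caller-supplied context (here a constructed table.column name) bound into the AAD, so a blob cannot be moved to another column or re-pointed at another key without the tag check failing. All application names, key IDs and sample values are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// KeyService stands in for the key manager. It is an in-memory model of the access rules only,
// not of how any real appliance stores keys. Each key has exactly one owning application.
type KeyService struct {
	keys map[string]ownedKey // keyID -> key
}

type ownedKey struct {
	owner string
	raw   []byte // AES-256 key material; never returned to callers
}

func NewKeyService() *KeyService { return &KeyService{keys: map[string]ownedKey{}} }

// CreateKey generates an AES-256 key that only owner may use. Key IDs must not contain ':'
// because the ID is prefixed to every ciphertext with ':' as the separator.
func (ks *KeyService) CreateKey(owner, keyID string) error {
	if keyID == "" || strings.ContainsRune(keyID, ':') {
		return fmt.Errorf("invalid key id %q", keyID)
	}
	if _, exists := ks.keys[keyID]; exists {
		return fmt.Errorf("key %q already exists", keyID)
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	ks.keys[keyID] = ownedKey{owner: owner, raw: raw}
	return nil
}

// authorize enforces key-ownership partitioning: a caller reaches only the keys it owns.
// "No such key" and "not your key" are the same error so callers cannot enumerate other apps' keys.
func (ks *KeyService) authorize(caller, keyID string) (cipher.AEAD, error) {
	k, ok := ks.keys[keyID]
	if !ok || k.owner != caller {
		return nil, fmt.Errorf("access denied")
	}
	block, err := aes.NewCipher(k.raw)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns keyID ':' nonce ciphertext+tag. The key ID and the caller's context (e.g. the
// table.column the value belongs to) go into the AAD, so a stored blob cannot be re-pointed at
// another key or moved to another column without the tag check failing.
func (ks *KeyService) Encrypt(caller, keyID string, plaintext, context []byte) ([]byte, error) {
	gcm, err := ks.authorize(caller, keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append([]byte(keyID+":"), nonce...)
	return gcm.Seal(header, nonce, plaintext, append([]byte(keyID+":"), context...)), nil
}

// Decrypt runs the same ownership check, so an admin who copies the blob out of the database
// holds only ciphertext: without being the owning application there is no path back to plaintext.
func (ks *KeyService) Decrypt(caller string, blob, context []byte) ([]byte, error) {
	sep := bytes.IndexByte(blob, ':')
	if sep < 0 {
		return nil, fmt.Errorf("malformed ciphertext")
	}
	keyID := string(blob[:sep])
	gcm, err := ks.authorize(caller, keyID)
	if err != nil {
		return nil, err
	}
	rest := blob[sep+1:]
	if len(rest) < gcm.NonceSize() {
		return nil, fmt.Errorf("malformed ciphertext")
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, append([]byte(keyID+":"), context...))
}

func main() {
	ks := NewKeyService()
	_ = ks.CreateKey("billing", "billing-cards-v1") // constructed application and key names
	blob, _ := ks.Encrypt("billing", "billing-cards-v1", []byte("4111111111111111"), []byte("customers.card_number"))
	fmt.Printf("what the DBA sees: %x\n", blob)
	_, err := ks.Decrypt("hr", blob, []byte("customers.card_number"))
	fmt.Println("hr decrypt:", err)
}
```

Two details carry the security argument: the ownership check happens inside the service on every call, not in the caller, and the key ID travels inside the authenticated data rather than as a trusted label, so neither a second application nor an administrator with a copy of the blob can turn it back into plaintext.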

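The "Dual control (M of N)" bullet appears on the file-system, database and application slides above without saying how the requirement is enforced. One standard way to make a key operation genuinely need M of N admins is Shamir secret sharing over the key-encryption key: each admin holds one share, any M shares rebuild the key, and fewer reveal nothing about it. The Go code below is an added example for this page, not Gemalto/SafeNet code, and whether their products use this construction is not stated on the slides. It works byte-wise in GF(2^8) with the AES polynomial; the 32-byte KEK and the 3-of-5 split are constructed values.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// gfMul multiplies in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
func gfMul(a, b byte) byte {
	var p byte
	for i := 0; i < 8; i++ {
		if b&1 == 1 {
			p ^= a
		}
		hi := a & 0x80
		a <<= 1
		if hi != 0 {
			a ^= 0x1b
		}
		b >>= 1
	}
	return p
}

// gfInv returns a^254 = a^-1. It is never called with 0: x-coordinates are 1..n and distinct.
func gfInv(a byte) byte {
	r, base := byte(1), a
	for e := 254; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = gfMul(r, base)
		}
		base = gfMul(base, base)
	}
	return r
}

// Share is one admin's piece of the key-encryption key (KEK).
type Share struct {
	K byte   // threshold: how many shares are needed to rebuild the KEK
	X byte   // evaluation point, 1..n
	Y []byte // polynomial value at X, one byte per KEK byte
}

// Split is Shamir secret sharing: any k of the n shares recover secret; k-1 shares reveal nothing.
// Each secret byte is the constant term of a random degree k-1 polynomial over GF(2^8).
func Split(secret []byte, k, n int) ([]Share, error) {
	if k < 2 || n < k || n > 255 {
		return nil, fmt.Errorf("need 2 <= k <= n <= 255, got k=%d n=%d", k, n)
	}
	shares := make([]Share, n)
	for i := range shares {
		shares[i] = Share{K: byte(k), X: byte(i + 1), Y: make([]byte, len(secret))}
	}
	coef := make([]byte, k-1) // random coefficients c1..c_{k-1}; the constant term is the secret byte
	for b, s := range secret {
		if _, err := rand.Read(coef); err != nil {
			return nil, err
		}
		for i := range shares {
			y := coef[k-2] // Horner evaluation of s + c1*x + ... + c_{k-1}*x^{k-1}
			for j := k - 3; j >= 0; j-- {
				y = gfMul(y, shares[i].X) ^ coef[j]
			}
			shares[i].Y[b] = gfMul(y, shares[i].X) ^ s
		}
	}
	return shares, nil
}

// Combine rebuilds the secret by Lagrange interpolation at x = 0 and refuses fewer than K shares.
func Combine(shares []Share) ([]byte, error) {
	if len(shares) == 0 || len(shares) < int(shares[0].K) {
		return nil, fmt.Errorf("dual control: %d shares presented, threshold not met", len(shares))
	}
	secret := make([]byte, len(shares[0].Y))
	for i, si := range shares {
		basis := byte(1) // l_i(0) = prod_{j != i} x_j / (x_j - x_i); subtraction is XOR in GF(2^8)
		for j, sj := range shares {
			if j == i {
				continue
			}
			if sj.X == si.X {
				return nil, fmt.Errorf("share %d presented twice", si.X)
			}
			basis = gfMul(basis, gfMul(sj.X, gfInv(sj.X^si.X)))
		}
		for b := range secret {
			secret[b] ^= gfMul(si.Y[b], basis)
		}
	}
	return secret, nil
}

func main() {
	kek := make([]byte, 32) // constructed: stands in for the KEK that wraps the data keys
	rand.Read(kek)
	shares, _ := Split(kek, 3, 5) // 5 admins, any 3 can release the KEK
	got, _ := Combine([]Share{shares[0], shares[3], shares[4]})
	_, err := Combine(shares[:2])
	fmt.Println("3 admins:", string(got) == string(kek), "| 2 admins:", err)
}
```

The threshold check in Combine is a convenience, not the security property: even without it, two shares of a 3-of-5 split give a degree-2 polynomial with one unknown coefficient per byte, so every value of the KEK remains equally likely. That is what makes this stronger than a policy flag that merely asks for a second admin's approval.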

Gemalto Encryption Ecosystem: the industry's most expansive ecosystem of integrations for encrypting data within third-party environments

Data at rest:
• SafeNet ProtectApp – web and application servers
• SafeNet ProtectDB, SafeNet Tokenization – databases
• SafeNet ProtectFile – file servers & shares
• SafeNet ProtectV – virtual machines
Data in motion:
• SafeNet High Speed Encryptors – Layer 2 Ethernet (network) encryption
Key management:
• SafeNet KeySecure Platform – distributed key management

Gemalto Key Management Ecosystem: the industry's most expansive and diverse ecosystem of integrations, including the largest number of KMIP integration products

Integration categories around the SafeNet KeySecure Platform (distributed key management) and SafeNet ProtectApp, ProtectFile, ProtectDB, ProtectV and Tokenization: cloud encryption gateways, backup & storage, database encryption, storage & archive, SIEM tools, cloud services, file & disk encryption.

• 300+ HSM integrations
• 400+ authentication integrations
• 30+ KeySecure integrations
• 35+ crypto integrations

Thank You!
