Fundamentals of Hardware Security Modules
Mark Yakabuski Product Manager, HSM
René Bastien, Product Manager, Payment Products
Clara Wicke, Product Marketing Manager, HSM
Agenda
Definition of an HSM
Product overview & general applications
Market drivers/trends
Going to market/ Why we win
Product overview (individual)
Competitive matrix
Payment products
Marketing tools and Q2 outlook
What is a Hardware Security Module (HSM)?
A device that keeps business-critical crypto keys at the highest level of security
Accelerates crypto operations to eliminate bottlenecks
Provides a clear audit trail for all key material and crypto operations
We have a wide range of HSM options: varying performance, storage capacity, form factors, and authentication models
Wide range of SDKs/Toolkits for flexible integration
HSM Technology: Breadth of Hardware Security Offerings
Chart: products arranged along a performance axis. Products shown: PCM, CA4; Luna PCI; Luna SA / SP; Offline Key Archive; Protect Server; Luna XML; Protect Host EFT
Chart labels: Customizable, Economical; SOA, Web Services; Fastest, Networked, Scalable; Payments, EMV/EFT
Market Overview
Typical HSM Applications
1. PKI Certificate Authority
1B. Time Stamp
2A. Code Signing
2B. Secure Manufacturing / Device Issuance
2C. Smart Card, Passport & License Issuance
3. Client Systems with Disk Encryption & 2-Factor Auth
4. Authentication & VPN Access Control
5. Certificate Validation
6. Database Encryption
7. Secure Email & Document Rights Mgt / Signing
8. Gaming consoles
9. SSL & XML Web servers
10. Financial Transactions: EFT, Payments Clearing & PIN Mgt
Diagram context: Internet, Financial Networks, Documents, Database
HSMs are the tire! ... Find the cars that need high-security tires!
General Purpose Market Trends
ECC Brainpool/E-passport projects
ECC interest, Suite B (NSA standard http://en.wikipedia.org/wiki/NSA_Suite_B)
Key Management
PKI…real growth of 3rd gen PKI apps
Combining COTS solutions, and Customized development efforts.
Web Services/Service oriented architectures
MS CertServ continuing to gain install base
PCI-express
Paper to digital processing
PCI-DSS standard
SWIFT/UBS/SIC…
The BIG DEALS.
Large HSM deployments
•Hand/Hand with customized solutions.
•In account early, help architect
•Leverage our great SE’s
Ideal Customers – how to find them
Solution Seekers
Are purchasing/have purchased some application from a 3rd party
Our HSM has either been recommended or referred as one of a number of supporting HSMs
Customers will select an HSM based on
3rd party recommendation
Responsiveness & Support
global presence and capability
level of integration
price
Developers
Are developing their own application for sale, cost or competitive reasons
Developers are either internal users or OEMs
Customer will select their HSM partner based on:
Apps Eng team, SE capabilities
technology & toolkits
Responsiveness & Support
global presence and capability, stability
price
•An HSM is nothing without a Host Application (a car).
•Off the Shelf or Custom?
Integrations team in India
• Building Integration guides
Examples
Solution Seekers … any size organization, with small to medium sized deployments
Always because of a Partner Integration
SafeNets most valuable partners
Entrust & Verisign
Microsoft
Card Personalization
Payments Apps providers
From Contact to Contract ~ 3 months
Revenue from the deal is mostly complete at that point
but the partnership continues to deliver
Developers … large organizations, with large future plans
Select SafeNet because of the quality of products/tools, our global presence and our relationship management
Examples
SWIFT, NCR, Cisco, Cavium, SIC
From Contact to Contract ~ 3 to 12 months
Revenue follows 3 to 6 months after Contract
Revenue is then ongoing based on the nature of the end solution
Action: Continue enhanced focus on partners – and developing those relationships
Action: Focus on enhancing toolkit & product offerings, material and positioning - and training Sales & responsiveness
Roadmap
2008 HSM Value Add
Early 2008
Luna Sx
Luna SA maturity
Luna XML
Brainpool support (PSG, SA)
DOCK II (I know…finally!)
Mid 2008
PCI Express support on Luna platform
Luna XML v2
Luna Sx v2
Late 2008, early 2009
Luna “PKI Bundle”
Luna SA maturity continued
Remote PED
PCI Express support on PS platform
Easy setup/management
Enterprise Grade Features
Easy deployment, First XML HSM in Market
ePassports
Initiative
PCI Express Support
Luna SA
SA 4.2 (Nov 2007):
• NTLS redesign (connection limit increased to 800)
• Over 4000 ops/sec
• CNG support
• Enhanced SNMP
• Fuller platform support (including Solaris x86 support)
Luna SA 4.4(Q4/08)
•HA Overhaul
•Remote PED
•PKI Bundle
Luna SA 4.3(march 31/08)
•Brainpool support
•HP Itanium OS support
Result:
•A mature Enterprise Grade Appliance
•Robust Feature Set
•The required certifications
Remote PED Administration (part of Luna SA 4.4 release, Q4/08)
New orange PED key for Remote Admin
1. Will require new Remote PED built at manufacturing (not field upgradeable). Can be used as either remote/local PED.
2. Will not be compatible with 2U units.
Will offer full PED functionality at Remote Admin work station.
•Centralized control
•No PED required at Data Centers
PKI Bundle (part of Luna SA 4.4 release, Q4/08)
Why?
•Customer/Partners have asked for it; Verisign, Entrust, Arcot, Microsoft, RSA….
•Allows us to leverage existing technology Luna SA/Luna tokens
•Create competitive differentiator
What is it?
• Luna SA, up to 20 partitions for Signing/key management. Internal SA card reader is used to house PCM tokens.
• Tokens are accessible via same client API as the Luna SA. Each token is a member of the available slot list exposed by the SA/CA4/KE total.
Benefit:
• Key Gen/Offline Root/Online Root capable from 1 unit
• Cost savings to customer
•Product: it will not be compatible with 2U units.
SafeNet Luna XML … world's first! Rapid-to-deploy high-assurance HSM for XML environments
Revolutionizing application and transactional security with the world’s easiest to integrate and deploy hardware security module
Why?
Business applications move to Service Oriented / XML based architecture.
Nature of XML is designed to allow for B2B, B2G, B2C inline communication/processing = Security Need!
Benefits?
Clientless
OS independent
Customers don't need to be crypto API gurus (P11/JCA/CAPI)
FIPS 140-2 Level 3 validated HSM
Scalable, Reduces IT costs and Time to deploy.
Built for Service Oriented Architectures
Meets Compliance Needs
Rapid Deployment with Luna XML
Traditional HSM integration: Customer Application > custom-built XML service > custom Java layer > JCA/JCE API > Cryptoki layer (OS dependency). From months (Jan | Feb | Mar | Apr | Jun | … ?)
SafeNet Luna XML integration: Customer XML Application > XML Crypto Service (OS independent!). … to days (Mon | Tue | Wed | Thu | Fri!)
Luna XML Operational Use
Diagram: XML-based application > load balancer > SSL > several XML crypto services, with crypto object synchronization between the services
Available across multiple sites for DR
Easy to scale!
Platform independent
Sample XML Call
XMLSign
Signs XML Document
<xmlSign Profile="urn:oasis:names:tc:dss:1.0:profile:dss_interop" RequestID="id">
  <OptionalInputs>
    <KeySelector>
      <KeyInfo/>
    </KeySelector>
    <IncludeObject WhichDocument="12345" ObjectID="54321"/>
  </OptionalInputs>
  <InputDocuments>
    <Document ID="12345" RefURI="uri">
      <EscapedXML>escaped XML</EscapedXML>
      <InlineXML>Some XML</InlineXML>
      <Base64XML>base64 encoded xml</Base64XML>
      <Base64Data>base64 data</Base64Data>
    </Document>
  </InputDocuments>
  <AuthToken/>
</xmlSign>
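The request above is the whole client-facing interface, so the interesting security work is what the service does with it before a key is used. The following is an added example written for this page, not Luna XML's own code or SafeNet code: a client that builds an xmlSign request of the slide's shape (one document carried as Base64Data) and a validation routine that a service or a fronting proxy would run on it. It assumes the element names on the slide, that a Document carries exactly one of the four payload forms (the OASIS DSS rule; the slide lists all four only as placeholders), and that AuthToken must be non-empty; the real service's validation rules and the SOAP-over-SSL transport are not on the page and are not modelled.

```python
"""Build and validate an xmlSign request of the shape shown on the slide.

Hypothetical client and gateway code written for this page; it is not Luna XML
product code. Element and attribute names follow the slide's sample call; the
transport (SOAP over SSL) and the service's real validation rules are not on
the page and are not modelled.
"""
import base64
import xml.etree.ElementTree as ET

DSS_INTEROP_PROFILE = "urn:oasis:names:tc:dss:1.0:profile:dss_interop"

# OASIS DSS carries each input document in exactly one of these forms.
PAYLOAD_TAGS = ("EscapedXML", "InlineXML", "Base64XML", "Base64Data")


def build_sign_request(request_id, doc_id, payload, auth_token):
    """Client side: wrap one binary document as Base64Data in an xmlSign request."""
    root = ET.Element("xmlSign", Profile=DSS_INTEROP_PROFILE, RequestID=request_id)
    opt = ET.SubElement(root, "OptionalInputs")
    ET.SubElement(ET.SubElement(opt, "KeySelector"), "KeyInfo")  # empty: service picks the key
    ET.SubElement(opt, "IncludeObject", WhichDocument=doc_id, ObjectID="obj-" + doc_id)
    docs = ET.SubElement(root, "InputDocuments")
    doc = ET.SubElement(docs, "Document", ID=doc_id)
    ET.SubElement(doc, "Base64Data").text = base64.b64encode(payload).decode("ascii")
    ET.SubElement(root, "AuthToken").text = auth_token
    return ET.tostring(root, encoding="unicode")


def validate_sign_request(xml_text):
    """Service (or fronting proxy) side: checks to make before a key is touched.

    Returns {"request_id": str, "documents": {doc_id: bytes}} or raises ValueError.
    """
    # Refuse DTDs outright: entity expansion is the classic way to DoS an XML
    # service, and a signing endpoint has no legitimate use for them.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs and entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    if root.tag != "xmlSign":
        raise ValueError("unexpected root element %r" % root.tag)
    if root.get("Profile") != DSS_INTEROP_PROFILE:
        raise ValueError("unsupported or missing Profile")
    request_id = root.get("RequestID")
    if not request_id:
        raise ValueError("RequestID is required to correlate the response")
    token = root.findtext("AuthToken")
    if not token or not token.strip():
        raise ValueError("AuthToken is required: never sign for an unauthenticated caller")

    documents = {}
    for doc in root.iterfind("./InputDocuments/Document"):
        doc_id = doc.get("ID")
        if not doc_id or doc_id in documents:
            raise ValueError("each Document needs a unique ID")
        payloads = [child for child in doc if child.tag in PAYLOAD_TAGS]
        if len(payloads) != 1:
            raise ValueError("Document %r must carry exactly one payload form" % doc_id)
        elem = payloads[0]
        if elem.tag in ("Base64XML", "Base64Data"):
            try:
                content = base64.b64decode(elem.text or "", validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                raise ValueError("Document %r is not valid base64" % doc_id)
        elif elem.tag == "InlineXML":
            content = b"".join(ET.tostring(child) for child in elem)
        else:  # EscapedXML: the text node is the (escaped) document
            content = (elem.text or "").encode("utf-8")
        documents[doc_id] = content
    if not documents:
        raise ValueError("no InputDocuments supplied")

    # Every IncludeObject must point at a document that was actually supplied;
    # a dangling reference means caller and signer disagree on what is signed.
    for inc in root.iterfind("./OptionalInputs/IncludeObject"):
        if inc.get("WhichDocument") not in documents:
            raise ValueError("IncludeObject references unknown document %r" % inc.get("WhichDocument"))
    return {"request_id": request_id, "documents": documents}


if __name__ == "__main__":
    # Constructed sample input, not a captured Luna XML exchange.
    req = build_sign_request("req-1", "12345", b"<invoice total='42'/>", "session-token")
    print(req)
    print(validate_sign_request(req))
```

Python's stdlib parser does not fetch external entities but will expand internal ones, so the DOCTYPE refusal is a cheap guard; a production gateway should parse with a hardened library (defusedxml, for instance) and bind the AuthToken to the SSL session rather than accept any non-empty string.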
What is XML? (Extensible Markup Language)
•Like HTML in structure
•Data centric, not concerned with display
•Leveraged via WSDL (Web Service def’n language)…like our PKCS#11 API.
•SOAP (Simple object access protocol), used to encapsulate msg objects.
•SOAP msg’s defined in pairs (request/response)
Luna XML
Replacement for Luna SA?
No it is not…
New customers, new opportunities
Paper to digital
PCI DSS
B2B, B2G
Existing customers, new opportunities
New deployments
XML Value Added Questions
1. Are you deploying SOA/XML today, or in the future?
2. What if your services were compromised?
3. Are these services client or partner based?
4. Would you like to differentiate from your competitors?
5. Would you like to decrease your HSM deployment and management costs?
6. Would you like a quick/easy way to add Enterprise grade security to your service offerings?
Reduce risk, $ cost of compromise
Help Architect. Know the customer = larger deals
There are 1000's of companies deploying Web Services … a FIPS/CC HSM differentiates
Luna XML!
No more platform Dependence, Upgrades
Luna SX (Start-up Xpress)
Why?
Difficult setup
Competitors' setup is just as difficult
Gives us another competitive advantage.
What is Sx?
GUI management
Built in partnership with KEYON.
Can Manage SA or SP appliances (multiple)
How to get it?
Demo available
Production features will require update to license on the sentinel key.
GA?
Q2, 2008.
Luna SX Screen shot
Multiple devices, SA/SP
Multiple clients
Partition details
Available preset actions
Admin Tabs
BrainPool Support
PSG with PTK 3.32 release GA May /08
Luna SA with 4.3 release GA March 31/08
Luna PCI with 3.0 release GA Q3/08
Support for Named, and “user defined” Brainpool ECC curves
Driven By ePassports Initiatives World Wide
User Defined feature…opens other doors (like Marlin curve set)
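Named versus user-defined curves, as an added example written for this page (not SafeNet code): the brainpoolP256r1 domain parameters are the RFC 5639 values and stand for the named case; any other Curve(...) instance is what a user-defined curve amounts to, a bag of integers the caller supplies. The validate_curve routine runs the standard domain-parameter checks (prime field, non-singular equation, base point on the curve and of prime order, Hasse bound, anomalous and low-embedding-degree conditions); it is not the HSM's documented acceptance logic, which the page does not describe.

```python
"""Domain-parameter sanity checks for a user-defined ECC curve.

Added example written for this page, not SafeNet code. brainpoolP256r1 is
loaded with its RFC 5639 constants as the "named curve" case; any other
Curve(...) instance stands for a user-defined curve. The checks are the
standard ones; the HSM's own acceptance rules are not documented on the page.
"""
import dataclasses
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Curve:
    p: int       # field prime
    a: int       # y^2 = x^3 + a*x + b over GF(p)
    b: int
    gx: int      # base point G
    gy: int
    n: int       # order of G
    h: int = 1   # cofactor


def with_changes(curve, **changes):
    """Copy of a curve with some parameters replaced (models bad user input)."""
    return dataclasses.replace(curve, **changes)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with fixed witnesses so runs are reproducible."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(0x5AFE)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def is_on_curve(c, P):
    if P is None:  # point at infinity
        return True
    x, y = P
    return (y * y - (x * x * x + c.a * x + c.b)) % c.p == 0


def point_add(c, P, Q):
    """Affine addition; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % c.p == 0:  # Q == -P (also covers doubling a point with y == 0)
            return None
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    return x3, (lam * (x1 - x3) - y1) % c.p


def scalar_mul(c, k, P):
    """Double-and-add. Not constant-time: fine for parameter checks, never for private keys."""
    R = None
    while k > 0:
        if k & 1:
            R = point_add(c, R, P)
        P = point_add(c, P, P)
        k >>= 1
    return R


def validate_curve(c):
    """Return a list of problems; an empty list means the parameters pass."""
    issues = []
    if c.p <= 3 or not is_probable_prime(c.p):
        return ["p is not an odd prime"]  # nothing else is meaningful without a field
    if not (0 <= c.a < c.p and 0 <= c.b < c.p):
        issues.append("a or b is not reduced modulo p")
    if (4 * pow(c.a, 3, c.p) + 27 * pow(c.b, 2, c.p)) % c.p == 0:
        issues.append("curve is singular (4a^3 + 27b^2 == 0 mod p)")
    G = (c.gx, c.gy)
    if not is_on_curve(c, G):
        issues.append("base point is not on the curve")
        return issues
    if c.n < 2 or not is_probable_prime(c.n):
        issues.append("order n is not prime")
    elif scalar_mul(c, c.n, G) is not None:
        issues.append("n is not the order of the base point")
    if abs(c.p + 1 - c.n * c.h) > 2 * math.isqrt(c.p):
        issues.append("n*h violates the Hasse bound for this field size")
    if c.n == c.p:
        issues.append("anomalous curve (n == p): Smart's attack applies")
    if c.n > 1 and any(pow(c.p, k, c.n) == 1 for k in range(1, 101)):
        issues.append("small embedding degree: MOV/Frey-Rueck reduction applies")
    return issues


# Named curve brainpoolP256r1 (RFC 5639, section 3.4).
BRAINPOOL_P256R1 = Curve(
    p=0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377,
    a=0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9,
    b=0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6,
    gx=0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262,
    gy=0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997,
    n=0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7,
)

if __name__ == "__main__":
    print("brainpoolP256r1:", validate_curve(BRAINPOOL_P256R1) or "ok")
    # A "user-defined" curve that is one bit away from the named one.
    print("tampered:", validate_curve(with_changes(BRAINPOOL_P256R1, gx=BRAINPOOL_P256R1.gx ^ 1)))
```

A user-defined curve is only as trustworthy as these checks: a caller who can push parameters with a weak order or a base point off the curve can recover keys generated on it, so the validation belongs wherever the parameters cross a trust boundary, ideally inside the HSM itself.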
Release Details (Protect Server)
PTKC 3.32 (May/08)
Brainpool support
RoHS Card reader/Pin Pad support
PTK-M password fix
PSO/PSG support
CNG support
New OS support
Java 1.5 support
PTK 4.0 (Q1/09)
PCI-Express support
New PCI board layout
PTK BETA with Brainpool support available now!
SafeNet HSM Product Range Overview
Product                | 1024 RSA signings (max) | Attachment     | Certifications                                | SW support          | Encryption algorithms    | Other features
Luna CA3/CA4           | 27/sec                  | Server         | FIPS 140 Level 2 and Level 3, CC EAL 4+ (CA3) | PKCS 11, Java, CAPI | Symmetric and asymmetric |
Luna SA                | 4000+/sec               | Network        | FIPS 140 Level 2 and Level 3                  | PKCS 11, Java, CAPI | Symmetric and asymmetric | 20 x partitions, SSL acceleration, PPO
Luna SP                | 4000+/sec               | Network        | FIPS 140 Level 2 and Level 3                  | PKCS 11, Java, CAPI | Symmetric and asymmetric | 20 x partitions, SSL acceleration, PPO
Luna PCM               | 27/sec                  | Embedded       | FIPS 140 Level 2 and Level 3                  | PKCS 11, Java, CAPI | Symmetric and asymmetric |
Luna PCI               | 7000/sec                | Embedded       | FIPS 140 Level 2 and Level 3                  | PKCS 11, Java, CAPI | Symmetric and asymmetric |
ProtectServer External | 600/sec                 | Server/Network | FIPS 140-2 Level 3, CC EAL 4+                 | PKCS 11, Java, CAPI | Symmetric and asymmetric |
ProtectServer Internal | 600/sec                 | Embedded       | FIPS 140-2 Level 3, CC EAL 4+                 | PKCS 11, Java, CAPI | Symmetric and asymmetric |
ProtectHost EFT        | 1200/sec                | Server/Network | FIPS 140-2 Level 3, CC EAL 4+                 | EFT command sets    | Symmetric and asymmetric | PPO
SafeNet Network-Attached HSMs
Luna SA / SP
High assurance enterprise-grade HSM
• 4,000 ops/s
• FIPS 140-2 Level 3, CC EAL 4+
• Full platform support
• Secure remote administration
• 10/100 Ethernet interface
• Protected application execution environment (Luna SP)
• Extensive algorithm support
ProtectHost EFT
High assurance HSM for financial payment systems
• PIN generation & verification
• Supports global payment processing, EMV, and Card Issuance APIs
• 1,200 Visa PIN Verify operations / sec
• Certifications: FIPS 140-2 Level 3, CC
• Easy GUI-based administration
Luna XML
High assurance enterprise-grade HSM for XML environments
• XML interface (WSDL) encapsulates crypto functions, enabling rapid integration development
• FIPS 140-2 Level 3
• Extensive algorithm support
• No client required
• 2,200 ops/sec
• OS independent
• Secure remote administration
• 10/100/1000 Ethernet interface
Luna SX
Central HSM Management Console
• Intuitive GUI
• Easy setup & management of multiple HSM appliances
• Reduces cost of administration
SafeNet Internal HSMs
Luna CA4
Root key HSM for true hardware key management
• FIPS 140-2 Level 3 certified
• Extensive algorithm support
• Supports two-factor trusted path authentication
• Supports common certificate authorities (Microsoft, Entrust, Verisign, RSA, etc.)
Luna PCI
Fast, high-assurance PCI HSM card for hardware key management and crypto acceleration
• 7,000 ops/s
• FIPS 140-2 Level 3, CC EAL 4+
• Supports two-factor trusted path authentication
• Extensive Algorithm support
Luna PCM
Portable, cost-effective PCMCIA HSM card for hardware key management and crypto acceleration
• Versions for document signing, key export for registration of tokens, and signing and back up of key material to a token
• FIPS 140-2 Level 3
• Extensive algorithm support
ProtectServer Gold
Cost-effective high-assurance PCI HSM card for customizable hardware key management
• 600 ops/s
• Easy GUI-based administration
• Customizable interface
• FIPS 140-2 Level 3
• Extensive algorithm support
• Secure remote administration
Competitive Details
SafeNet HSM Industry Leadership
First general purpose network HSM
Secures the most financial transactions
Most PKI deployments
Most HSM hardware form factors/toolkits
HSM leader for 15 years
Leader in HSM compliance (FIPS, CC, PCI-DSS, E-passports…)
……New Luna XML
Why SafeNet HSMs?
Do You Care about these things?
Reducing your risk Fraud/Breaches
Physical disaster
Reducing your costs Moving to digital processing
Deployment/integration costs
Increasing your revenue Enabling new online Business process
Industry regulation/compliance FIPS, CC, Sarbox, PCI-DSS, E-Passports, EMV, and industry
audits
Who does: Largest online PKI provider in the World. Deploys 1000’s of SafeNet HSMs
Who does: Largest Financial Network in the World. Deploys 1000's of SafeNet HSMs.
Who does: World’s Largest internet Bank.
Luna Vs. PS, which to position?
Luna
HW Key Management
Enterprise class Appliance
SNMP, HA, secure CLI, NTLS, Shareability
CC certification in process
PED auth
More 3rd party integrations
HSM backup option
Existing Luna install base
Higher Performance
PS
FM’s (and the customization they offer)
PCI FF, lower entry $price$
Embedded OEM opportunities
Fuller OS support than Luna PCI
EFT FM
Existing PS install base
Position Luna:
•High Assurance, security focused offering.
•More FF choices.
•Enterprise Grade Appliance offering.
Position PS:
•Flexible, Embedded focused offering
•Customizable Firmware
•lower entry price.
Competing vs. nCipher: on Security, leverage Luna features; on Entry Price, leverage PS features
Competitive Details (Positioning)
More Secure key management
More Enterprise Grade features
More speed, up to 7000 ops/sec (more than Double nCipher)
First to market XML HSM
Easiest to Set up/Manage (Luna Sx)
More extensive API/Toolkit set
FM’s, XML, Java, OpenSSL, P11, CAPI
More Extensive range of HSM offerings
Appliances, PCI cards, PCM tokens
More Large Customer installations
SWIFT, SIC, DOD UBS, Verisign, NCR, AOL
LESS expensive HSMs
LESS expensive HSM product options (licenses, toolkits, FM)
List price comparison, SafeNet vs. nCipher:
ProtectServer FM: $0.00 vs. nCipher SEE: $6,989.96 (difference $6,989.96)
Luna SA partition upgrade from 2 to 5 partitions: $2,500.00 vs. NetHSM connection licence (1): $4,813.43 (difference $2,313.43)
Luna SA (FIPS 3) Bundle: $21,950.00 vs. NetHSM: $28,880.53 (difference $6,930.53)
= BEST VALUE
Updates:
1. nCipher Buys Neoscale.
• Tape backup
• Key Man App (not very Robust).
• Bankrupt, then bought
2. Sun Crypto card
• Cheap, but not real threat.
• Ltd OS/API support
• FCC only in SUN box.
• SSL/IPSec target card.
Competitor’s Positioning
nCipher leads with Key Management positioning
We offer True Hardware key management
nCipher positions themselves as “Enterprise provider”, SFNT as “low-cost” provider.
We have lower list prices, but a more extensive, secure HSM offering
nCipher offers discounts on maintenance, and initial purchases.
nCipher has a stronger MS relationship
nCipher “solution sells”, often is more marketing than “meat”.
Most of what they market as solutions, are the same partnerships offering we have. We are moving to a clearer marketing focus on solutions.
Payment HSMs
René Bastien
Product Marketing Manager
HSMs in Payment
Market drivers differ
Retail Market: EMV
PCI-DSS
Streamlining of operations (outsourcing, PIN)
Move to contactless cards
Payment over new channels (m-payment, NFC, transit, loyalty)
Wholesale: Transaction authentication
User authentication
Compliance requirements
Payment Products
Network-attached HSM: ProtectHost EFT
Replaces PHW
Great competitive features :
Form factor (1U instead of 4U)
Price competitive
Performance (50% faster than Thales)
Ease of integration (runs same software as PHW)
Backwards compatible
Payment Products
ProtectTool EFT
Version 5.02 in SQA.
Expected GA by Q3-2008.
Sits on ProtectServer Gold
Essentially, Mark II in a different form factor
Works with PTK C
Payment Products
ViewPIN+
Application that does 2 things quite well:
Changes your PIN
Enables you to retrieve a forgotten PIN
All of this securely
All of this either at home through a web browser, or in a bank branch
No one does that!
Replaces IVR interface
Simplifies ATM upgrades
Great lead-in to new accounts
Payment Product Roadmap
ViewPIN+ formal launch in November 2008
Mark II roadmap for the next 2 years
Full EMV support
Dual role devices (MarkII plus AMB)
Contactless
Mobile commerce
Multiple languages, printers for PIN mailers
Integration with other products, partners
Mark II over multiple platforms
SafeNet’s Competitive Edge
Hardware: Performance
Commonality of platform
Multiple form factors
Continuous R&D
FIPS and CC compliance
Application: General purpose appliances (including XML appliance)
Depth, breadth of offering
Market share: General purpose worldwide: leader
Payment: EMEA (2nd)
APACS (1st)
Partnerships and integrations
HSM Marketing Materials and Campaigns
Clara Wicke
Product Marketing Manager, HSM
MySafeNet.com
Sales Tools
Case Studies: Qatar Central Bank; Security Biometric; PCI DSS; E-passport; Egg Bank; Canadian Government; Automotive; Pharmaceutical
Competitive Matrixes
Presentations: Sales Presentations and Corporate Product Slides
Product Briefs: Luna XML; Luna SA; Luna SP; Luna CA4; Luna PCI 7000; ProtectServer External; ProtectServer Gold; ProtectHost EFT
Sales & Partner Success Kits: Hard and Soft Copy
Solutions Briefs: Solutions Selling Handouts
Technical Matrixes
Webinars: Application Development; PCI - Changes and Audits; PCI - Global Compliance; PCI - Technical Architecture & Best Practices; PCI - Deadlines Past, Merchants Still Not Compliant, Parts 1 & 2; SOA Web Services Security with Layer 7; HSM 101
Whitepapers & Guides: CA3-CA4 Migration Guide; Compliance; Microsoft Guide (almost there); Tumbleweed User Guide; E-Passport; PKI Best Practices; XML Security; HSM XML "Cheat Sheet"
Sales Kit- What’s Inside!
HSM Overview
Key Drivers (Internal and External)
HSM Value Proposition
Applications by Vertical
Problem Owner Profiles
Vertical Solutions
Competitive Analysis
Partner Guides
Quick Sheets for Applications, Competition, and Objection Handling
Prospect List
And More!!!
Online version of sales kit http://mysafenet
Upcoming HSM Campaigns Q2/Q3
HSM Luna XML Campaign: launched product at RSA
List being purchased to identify project managers for applications in IT
Also use internal house list of software developers
May: Email to promote XML white paper
June: Email to promote XML webinar
Vertical Focused Campaigns
Financial: PCI DSS Compliance; Paper to Digital Transactions
Government: E-passport; First Responders
Thank You