
Page 1

On Demand Cryptographic Resources for Your Virtual Data Center and the Cloud:

Introducing SafeNet’s Crypto Hypervisor

Ugo Piazzalunga, SafeNet Italy, Technical Manager, IT Security

[email protected]

Page 2

Agenda

The state of data security

Protecting Data With High Assurance Encryption

Is Hardware-based Encryption the answer?

What is needed?

How do we get there?

Introducing SafeNet’s Crypto Hypervisor!

Page 3

The state of data security

As part of our “Secure the Breach” program, SafeNet surveyed 850 security professionals from 500+ organizations worldwide.

• 49% have no confidence at all that the network security industry is able to detect and prevent breaches

• 59% said that if a network perimeter breach occurred, high value data would not be safe

• 66% believe they will suffer a breach within the next 3 years

For more info download the Secure the Breach manifesto:

http://www2.safenet-inc.com/securethebreach/downloads/secure_the_breach_manifesto.pdf

Page 4

So what does all this mean?

• We need to accept that breaches WILL happen and once they do, the only protection is to secure the data itself

• The new perimeter is the data itself: we must Secure the Breach

Page 5

Cloud Adoption vs. Security & Privacy

• “72% of IT professionals cite data protection security as a major obstacle to cloud deployment” (2012 Cisco Global Cloud Networking Survey)

• “More than 90% of [the business leaders] are worried about security, availability, and privacy of their data as it rests in the cloud” (2009 Microsoft Survey)

Page 6

Protecting Data With High Assurance Encryption

Page 7

Is Hardware-based Encryption the Answer?

• The encryption solution stack:
  • Encryption
  • Key management
  • Key vault

• If an attacker breaches the perimeter, they gain only encrypted data

• Dependent on the security of keys, certificates, and PKI

• Managing and vaulting keys and certificates in hardware is a best practice

[Figure: the encryption stack, labelled Encryption, Key management, Trusted Key Vaults]

Page 8

Crypto Hypervisor uses Hardware Security Modules as the hardware platform

A Hardware Security Module is…

…a dedicated hardware crypto processor…

…designed for hardware protection of the crypto key lifecycle…

…validated to be secure by third parties…

…a “Trust Anchor”…

Page 9

… But “Hardware” doesn’t work in a Virtual World?

Today’s hardware-based encryption solutions are designed for the physical world!

Limits of encryption today:

• Islands of encryption

• Time-consuming crypto rollouts

• Very slow to scale up and down

• Inability to protect & control data centrally

• Can’t take full benefits of cloud

[Figure: islands of encryption, labelled DNSSEC, SSL, Email, Code Sign, Database]

Page 10

What is needed?

Encryption infrastructure that follows the cloud model!

Benefits:

• Reduce costs (reduce DC presence)

• Centralize Subject Matter Expert Crypto Group

• Unify Governance and Compliance

• Centralize services

Page 11

How do we get there?

Cloud requirements defined by NIST

NIST (1) Cloud Definition of Essential Characteristics    Today’s Hardware encryption
On-Demand Self-Service                                    No
Rapid Elasticity                                          No
Measured Service                                          Some
Broad Network Access                                      Yes
Resource Pooling                                          Some
Multi-Tenancy (2)                                         Some

1. National Institute of Standards and Technology
2. Multi-Tenancy is an essential characteristic added by the Cloud Security Alliance

Page 12

Introducing The Crypto Hypervisor

Page 13

Where do we start?... With a hypervisor for encryption…

Introducing the SafeNet Crypto Hypervisor!

VMware hypervisor c. 2001:
• O/S Partition
• O/S Isolation
• Dynamic resource allocation

Crypto Hypervisor c. 2013:
• HSM Partition
• HSM Isolation
• Dynamic crypto allocation

[Figure: two layer diagrams side by side. Server virtualization, labelled Application, Hypervisor, Operating System, Hardware Platform. Crypto virtualization, labelled Application, Dynamic Crypto Resource, Crypto Hypervisor, Crypto Hardware Platform (HSM)]

Page 14

Crypto Hypervisor: designed for the operational cloud model

1. On-demand crypto delivery
2. Self-service portal for users
3. New crypto services spin up easily
4. Encryption now a cloud enabler
5. Part of “New VM Rollout Process”
6. Apps can now migrate to cloud

Page 15

Three things to know about Crypto Hypervisor

Built for the cloud
• Shared resource pooling, rapid elasticity and multi-tenancy
• Can reduce capital costs up to 95%

Lower TCO
• Take advantage of virtualization
• Deliver high-assurance cryptographic resources in a fraction of the time
• 5 minutes, not 5 hours

Centralized control
• Strong auditing capabilities
• Compliance in the Cloud
• Ensure enterprise-wide consistency of crypto policy

Page 16

Solution Highlights

• Host Trust Link (HTL) securely binds virtual applications to dynamic crypto resources
  • Prevents a stolen VM from accessing critical assets

• Crypto Command Center
  • Simplifies HSM management through abstraction of the HSM hardware
  • Publish catalogs for on-demand service
  • Separation of roles/responsibilities in multi-tenancies

• Built on proven platform
  • Availability: five 9’s uptime, robust high availability
  • Validated security: FIPS 140-2 Level 3 and CC EAL 4+ (in process)
  • HW trust: keys remain in hardware!

• Who/What/When secure auditing and logging
  • Configurable based on your organizational needs

• Control: unique roles for security in multi-tenant environments
  • System administrators: manage physical devices (appliances, expansion cards, etc.) and provision access to resource catalogues for users
  • Consumer/User: manage crypto applications that consume crypto services; own their HSM resource when ‘leased’
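As an added illustrative model (not SafeNet's code, and not the actual Host Trust Link protocol, which is described in the SafeNet whitepaper referenced later), the Python sketch below shows the three properties this slide claims: per-tenant partitions whose keys the administrator never sees, a host-binding secret that a copied VM image does not carry, and an audit row for every request, allowed or refused. All class, function, host and tenant names are hypothetical, and HMAC stands in for the asymmetric signing a real HSM would perform internally.

```python
"""Illustrative model (added example, not SafeNet's code) of per-tenant HSM
partitions, host binding, and who/what/when audit. HMAC stands in for signing."""
import hashlib, hmac, secrets
from dataclasses import dataclass, field

@dataclass
class Partition:
    """One tenant's isolated slice of the device pool (hypothetical model)."""
    tenant: str
    # Never returned by any method: the key stays inside the partition.
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)
    # Issued once to the approved host at lease time; a disk clone lacks it.
    _binding: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)

class CryptoHypervisor:
    def __init__(self):
        self.partitions = {}
        self.audit = []  # (who, what, which partition, allowed?) records

    def provision(self, admin, tenant):
        """Admin role: carve out a partition and hand back only the host-binding
        secret for the consumer's approved host. The admin never sees key material."""
        part = Partition(tenant)
        self.partitions[tenant] = part
        self.audit.append((admin, "provision", tenant, True))
        return part._binding

    def sign(self, host, tenant, binding, data):
        """Consumer role: use the leased partition. Returns the tag, or None when
        the caller is not the bound host; either way an audit row is written."""
        part = self.partitions.get(tenant)
        ok = part is not None and hmac.compare_digest(binding, part._binding)
        self.audit.append((host, "sign", tenant, ok))
        return hmac.new(part._key, data, hashlib.sha256).digest() if ok else None

def demo():
    """The Fibo Financial story from the slides: provision, use, two refusals."""
    chv = CryptoHypervisor()
    pay_binding = chv.provision("crypto-admin", "fibo-payments")
    chv.provision("crypto-admin", "fibo-hr")
    tx = b"constructed sample transaction: pay 100 EUR to account 42"
    return {
        "legit": chv.sign("app-vm-01", "fibo-payments", pay_binding, tx),
        # Snapshot of the VM: same client config, but no live binding secret.
        "stolen_vm": chv.sign("app-vm-01-copy", "fibo-payments", secrets.token_bytes(32), tx),
        # A valid tenant aiming at a neighbour's partition: isolation holds.
        "cross_tenant": chv.sign("app-vm-01", "fibo-hr", pay_binding, tx),
        "audit": chv.audit,
    }
```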

Page 17

Cloud operational model: CHv meets all NIST cloud requirements

NIST (1) Cloud Definition of Essential Characteristics    Crypto Hypervisor (CHv)
On-Demand Self-Service                                    Yes
Rapid Elasticity                                          Yes
Measured Service                                          Yes
Broad Network Access                                      Yes
Resource Pooling                                          Yes
Multi-Tenancy (2)                                         Yes

1. National Institute of Standards and Technology
2. Multi-Tenancy is an essential characteristic added by the Cloud Security Alliance

Page 18

Want to learn more… about the World’s first Crypto Hypervisor?

• Demo session!

• Download 3 whitepapers from SafeNet, available from the SafeNet web site www.safenet-inc.com:
  • Crypto Command Center and SFNT HSMs
  • Host Trust Link Protection with SFNT HSMs
  • Secure Audit Logging for Compliance with SFNT HSMs

Page 19

Thank you!

[email protected]

Page 20

How does it work?

Page 21

[Figure: architecture overview with the components Crypto Admin, SSH, Crypto Command Center, Luna SA Device Pool, Consumer, Crypto Application + Luna Client]

Crypto Hypervisor enables Crypto as a Service either on premise or in the cloud!

Page 22

I’m Leo and I work in engineering for Fibo Financial. I have heard we now have a centralized security group…

Page 23

I’m working on a new financial application, and now I need to sign all transactions securely… But I am not a security expert!?

Page 24

Can anyone at Fibo Financial help me… what do I need to get started?

Page 25

Can anyone at Fibo Financial help me… is there really a Fibo Financial team that manages this stuff?

Page 26

Can anyone at Fibo Financial help me… how do I do this securely in compliance with our corporate policies?

Page 27

I contact the central security group and say…

“I need to securely sign transactions for my new application! Can you help?”

“No problem. We follow best practices to secure keys for transaction signing. I’ll set you up in the crypto system.”

Page 28

The Crypto Admin creates a username and password for me…

[Figure: Bob.Jameson, Password]

Page 29

…and provides to me a URL for Crypto Command Center, username and password…

[Figure: Bob.Jameson, Password, URL]

Page 30

…as well as a cheat sheet explaining how to get started!

How to…
• Select a service from Crypto Command Center
• Download Luna Client
• Install Luna Client
• Configure an application to use the Crypto Service

Page 31

I can now begin the setup process. I start by using the Crypto Command Center Client GUI…

1. Open the URL
2. Log in with my credentials
3. Pick the appropriate service from the catalog and “deploy” (signing)
4. Initialize a service

Page 32

…next I configure my transaction signing application server to use my HSM.

1. Install Luna Client
2. Configure the service for use by the transaction signing application
3. I can securely sign my code!

Page 33

Now I am up and running!

Page 34

Want to learn more… about the World’s first Crypto Hypervisor?

• Demo session!

• Download 3 whitepapers from SafeNet, available from the SafeNet web site www.safenet-inc.com:
  • Crypto Command Center and SFNT HSMs
  • Host Trust Link Protection with SFNT HSMs
  • Secure Audit Logging for Compliance with SFNT HSMs

Page 35

Thank you!

[email protected]