Source: xnetworks.es/contents/vormetric/vormetric_introduction.pdf
TRANSCRIPT
www.Vormetric.com
Vormetric Data Security
Simplifying Data Security for the Enterprise
Agenda
- Introductions
- Vormetric Overview
- Data Security Architecture Challenges
- Product Architecture & Use Cases
- Q&A
Data - The New Global Currency...
- 2011 saw an all-time high of 855 incidents, 174 million records compromised
- 96% of attacks were categorised as not highly difficult
- Percentage of records compromised involving laptops: <1%
- Total percentage of records compromised involving servers: 94%
Source: 2012 Verizon Data Breach Investigations Report
Vormetric Summary
- Data Security Simplified
  - Physical, Virtual, Cloud
- Protect Structured & Unstructured Data
  - File, Application and Database Servers
  - Windows, Linux, Unix and Big Data Platforms
- Disruptive Architecture - Re-perimeter the data
  - Firewall-like policy engine for privileged user / application access
- Transparency / Rapid Deployment / Time to value
- Security on Demand Service with consistent policy across multiple use cases
- V5 Architecture
  - Vertical & Horizontal Scalability
Who is Vormetric?
- Founded in 2001
- Purpose: To Simplify Data Security
- Customers: 1000+ Customers Worldwide
- OEM Partners:
  - IBM – Guardium Data Encryption
  - Symantec – NetBackup
- Technology Partners:
  - Intel
  - Imperva
Drivers for Data Security
- Compliance with regulations
  - PCI, HITECH, State PII laws, EU laws, Int'l Laws
- Customer or executive mandates
  - Increasing customer contractual demands to encrypt data
  - Limit or reduce personnel allowed to access sensitive data
  - Executives mandating encryption for safe harbor or to avoid breach notification
  - Outsourcing enablement
- Better Defense in Depth Data Security
  - Protect against threats that can cause a breach
- Transformational technology
  - Virtualization, Cloud
Data Security Architecture Challenges
Data Access Tiers
- Network Tier: Data moves between Applications, Users, and Systems
- Application Tier: Data is used by applications from either a Database or Storage (flat files)
- Database Tier: Data is structured in the Database for easy access and indexing
- System Tier: Servers run the Applications and Databases that need access to their data
- Storage Tier: Ultimately data is stored in some form of storage – DAS, NAS, SAN, etc.
Challenges of Data Security
- Not Transparent
  - Changes to business processes, applications, and databases are disruptive
  - It's too data type specific
  - Must support multiple architectures
- Performance Suffers
  - Encryption traditionally impacts performance negatively
- Is it strong enough?
  - Do privileged users have access to this data?
  - How are the keys protected yet still available?
  - Are duties separated?
- Too Hard to Adopt
  - Difficult to understand
  - Difficult to implement
  - Difficult to maintain
Data Defense in Depth Strategy
Diagram: layers around the Data Assets – Audit, Security Management Domains, Privileged User Access Control, Separation of Roles & Need to Know, Key Management, Encryption.
Layered Enterprise Security
Diagram: tiers from the Internet through the Operating System (Server Tier), Database (Database Tier) and Applications (Application Tier) down to the Data (Storage Tier). Network Security Layers of Defense: Firewalls, IDS / IPS, Content filtering, DLP, IAM, DAM, WAF. Data Security Layers of Defense: Encryption.
Data Security Simplified
- Transparent
  - Must be transparent to business processes, end users, and applications
  - Data type neutral – any data, anywhere
- Efficient
  - SLA, User, and Application performance must remain acceptable
  - Encryption overhead can approach zero
- Strong
  - Privileged users should not have access to sensitive data
  - Firewall your data – approved users and applications allowed, deny all others.
  - Bulletproof key management
- Easy
  - Easy to Understand
  - Easy to Implement
  - Easy to Manage
Technical Issues with Other Encryption Approaches
- Changes are hard to implement and maintain
  - "Application level encryption is too complex"
  - "Column level encryption and tokenization requires too many changes and introduces performance problems"
- No/Poor Key Management
  - "Native Database Encryption doesn't have key management and is platform specific"
- Separation of Duties Required
  - "Full disk encryption and Inline Encryption provides no protection except when media is stolen"
Vormetric Data Security
Product and Architecture Review
Vormetric Data Security Product Suite
- Vormetric Encryption
  - Purpose: Transparent Data Encryption and Access Control of structured and unstructured data
  - Use Cases: Database Encryption, Application Data Encryption, Privileged User Data Access Control
- Vormetric Key Management
  - Purpose: Provide Key Management for other Encryption platforms
  - Use Cases: Application Encryption, TDE Key Management
- Vormetric Key Vault
  - Purpose: Securely store and report on Security Materials
  - Use Cases: Key Vaulting, Certificate Vaulting, Vaulting of other Security materials.
Vormetric Data Security
Diagram: one Data Security Manager serving Vormetric Key Management (SQL Server 2008 TDE Key Agent, Oracle 11gR2 TDE Key Agent), Vormetric Encryption (Database Encryption Agent, Unstructured Encryption Agent) and Vormetric Key Vault.
Vormetric Encryption
Architecture and Use Cases
Vormetric Encryption Capabilities
Data Encryption
- Encrypts file, directory and raw devices
- Transparent to:
  - Applications
  - Databases
  - Storage Infrastructure
- Integrated Key Management
Data Access Control
- Firewall-like access controls for data access
- Separate data access from data management for system privileged users (root, SA, etc.)
Audit Data Access
- Granular data access logging
- Granular control of what events are logged
Vormetric Encryption Components
Data Security Manager
- Centralized Policy, Key, and Audit Manager
- Multiple Domains – Logical Separation of Hosts, Keys, Policies, and Vormetric Administrators
- FIPS 140-2 Certified
File System Agent
- File System or Volume Encryption
- Overlays on existing FS or Volumes
- Transparent to Storage, Applications, and Databases
- Enforces policy for encryption and access controls
- Highly Efficient Block Encryption
- Supports: Linux, Unix, Windows Servers
Vormetric Encryption Architecture
Diagram: Users, the Application and the Database sit above the File System; the FS Agent sits in the OS between the File System and SAN, NAS, DAS Storage and talks to the Data Security Manager over SSL/TLS (*communication is only required at system boot).
Policy is used to restrict access to sensitive data by user and process information provided by the OS.
Vormetric Encryption Use Cases
Database Encryption
- Usage: Encrypt Tablespace, Log, and other DB files
- Common Databases: Oracle, MSSQL, DB2, Sybase, Informix, MySQL...
Unstructured Data Encryption
- Usage: Encrypt and Control access to any type of data used by LUW server
- Common Data Types: Logs, Reports, Images, ETL, Audio/Video Recordings, Documents, Big Data...
- Examples: FileNet, Documentum, Nice, Hadoop, Home Grown, etc.
Cloud Encryption
- Usage: Encrypt and Control Access to data used by Cloud Instances
- Common Cloud Providers: Amazon EC2, Rackspace, MS Azure
Vormetric Encryption Policy
Vormetric Policy ≈ Firewall Rules
Rules have Criteria and Effects
Criteria
- User/Group, Process, Data Location, Type of I/O, Time
Effects
- Permission: Permit or Deny
- Encryption Key: Yes or No
- Audit: Yes or No
The Rules of a policy work like a firewall rule engine:
1. Receive criteria from request.
2. Try to match Criteria to Rules. Start at the top.
3. On first match apply the associated Effect.
4. If no match, then deny.
Policy Example – Oracle Tablespace
#  User    Process          Action  Effects
1  oracle  oracle_binaries  *       permit, apply_key
2  root    admin_tools      read    permit, audit
3  *       *                *       deny, audit, apply_key
Policy Benefits
- Database encryption, without changing database schema or application code.
- Remove custodial risk of "root" level user
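As an added illustration (not Vormetric's code) of the first-match, default-deny evaluation the slides describe, a small Python model of the rule engine running the Oracle tablespace example above. The Rule class, match_rule and decide are hypothetical names, and reading "permit without apply_key" as "I/O allowed but the bytes stay encrypted" is an assumption about how the Encryption Key effect removes the custodial risk of root.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Hypothetical model of the slide's policy engine: each rule carries matching
# criteria (user, process, action; "*" is a wildcard) and a set of effects.
@dataclass(frozen=True)
class Rule:
    user: str
    process: str
    action: str
    effects: frozenset

# The "Policy Example - Oracle Tablespace" rules, in slide order (top first).
ORACLE_TABLESPACE_POLICY = [
    Rule("oracle", "oracle_binaries", "*",    frozenset({"permit", "apply_key"})),
    Rule("root",   "admin_tools",     "read", frozenset({"permit", "audit"})),
    Rule("*",      "*",               "*",    frozenset({"deny", "audit", "apply_key"})),
]

def match_rule(policy, user, process, action):
    """Steps 2-4 of the slide: walk the rules top-down and return
    (rule_number, effects) for the first match; no match is an implicit deny."""
    for number, rule in enumerate(policy, start=1):
        if (fnmatchcase(user, rule.user) and fnmatchcase(process, rule.process)
                and fnmatchcase(action, rule.action)):
            return number, set(rule.effects)
    return None, {"deny"}          # step 4: if no match, then deny

def decide(policy, user, process, action):
    """Turn the matched effects into the outcomes an agent would act on.
    Assumed interpretation: 'permit' without 'apply_key' lets the I/O through
    but the caller only sees ciphertext, so rule 2 lets root's admin tools
    read the tablespace files without exposing the data (custodial risk)."""
    number, effects = match_rule(policy, user, process, action)
    return {
        "rule": number,
        "allowed": "permit" in effects,
        "decrypt": "permit" in effects and "apply_key" in effects,
        "audit": "audit" in effects,
    }

if __name__ == "__main__":
    for req in [("oracle", "oracle_binaries", "write"),
                ("root", "admin_tools", "read"),
                ("root", "admin_tools", "write"),
                ("jsmith", "vi", "read")]:
        print(req, "->", decide(ORACLE_TABLESPACE_POLICY, *req))
```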
Technical Benefits
- Transparent
  - No changes required to Database, Application or Storage
  - Data type neutral – any data type
- Efficient
  - SLA, User, and Application performance are maintained
  - Encryption overhead is minimal
  - Rapid Deployment
- Strong
  - System privileged users can be restricted from accessing sensitive data
  - Firewall your data – approved users and applications allowed, deny all others.
  - Integrated Key Management
- Easy
  - Easy to Understand
  - Easy to Implement
  - Easy to Manage
Q&A
Thank you!
Vormetric / Imperva
Protect Server Data
Diagram: server data to protect across DAS, SAN, NAS, VM and Cloud – Log Files, Password files, Config Files, Archive, File Share, Archive Content, Multi Needs, Data Files, Transaction Logs, Exports, Backup – held by web servers (IIS, Apache, WebLogic), databases (DB2, Oracle, SQL, Sybase, MySQL), File Servers, FTP Servers, Email Servers and Others, and applications (ERP, CRM, Payment, CMS, Custom Apps).
Diagram (repeated): Layered Enterprise Security – Network Security Layers of Defense (Firewall, IDS / IPS, Content filtering, DLP, IAM, DAM, WAF) and Data Security Layers of Defense (Encryption) across the Server, Data, Application and Storage tiers, from the Internet through the Operating System, Database and Applications to the Data.
Imperva + Vormetric Protect Your Data
Layered Database Security Solution
Diagram: Users, Applications, Database, Operating System and Data, with the two products covering different layers:
- Vormetric: Database file encryption, OS-level audit & access controls; Encryption key management
- Imperva: Awareness of Database users & rights; Database Activity audit & access controls
Imperva and Vormetric Threat Coverage
Diagram across Users, Applications, Database, Operating System and Data:
- Imperva – Typical Threats: Unauthorized access to sensitive database data
- Vormetric – Typical Threats: Unauthorized system access to data, mitigate risk of lost media (server, disk)
Solution Requirements
- Transparent auditing & security controls
- Real-Time visibility into access activity
- Control privileged user access, viewing and manageability
- Easy to deploy and manage across heterogeneous environments
- Minimal impact to operations
Imperva-Vormetric Solution
Sensitive information protection, access control and usage monitoring
- Capture Usage Details
- Encrypt sensitive data and manage keys
- Control User Access
  - Application users
  - Privileged users
  - System users
- Report & Analyze
Imperva + Vormetric
- Imperva SecureSphere Data Security Suite: Protect high-value business databases in the data center
  - Audit and monitor user access to sensitive data across heterogeneous database platforms
  - Generate alerts or block access when prohibited or anomalous database access occurs
  - Advanced analytics and reporting to accelerate incident response and forensic investigation
- Vormetric Data Security: Encrypt, audit and control access to sensitive data files
  - Transparent encryption of structured (database) and unstructured data
  - Physical, virtual and cloud environments
  - Integrated encryption key management and management for Transparent Data Encryption keys
  - Protect against external threats (hackers with user credentials) and most internal threats (IT admins, etc.)
Vormetric Key Management
Vormetric Key Management Capabilities
Application Encryption
- Enables API level encryption for custom developed Applications
- Network HSM Protocols
  - PKCS#11
  - EKM
Network HSM
- Simplify Key Management for 3rd Party Encryption Products
- Provide Network HSM to Encryption Products via
  - PKCS#11 (Oracle 11gR2)
  - EKM (MSSQL 2008 R2)
Vormetric Key Management Components
Data Security Manager (DSM) / Application Agent
- Provides Network HSM Key Management Services for:
  - Oracle 11g R2 TDE (Tablespace Encryption)
  - MSSQL 2008 R2 Enterprise TDE (Tablespace Encryption)
  - Application Level Encryption
- Same DSM as used with all VDS products
- FIPS 140-2 Key Manager with Separation of Duties
TDE Key Architecture before Vormetric
Diagram: Oracle / Microsoft TDE holding the TDE Master Encryption Key in a local wallet or table.
Master Encryption keys are stored on the local system in a file with the data by default.
TDE Key Architecture with Vormetric
Diagram: the Oracle / Microsoft TDE Database hosts the Application Agent, which obtains the TDE Master Encryption Key from the DSM over an SSL connection.
- Vormetric's DSM acts as Network HSM for securing keys for Oracle and Microsoft TDE
- Vormetric's Application Agent is installed on the database server
Vormetric Application Level Encryption
Diagram: a Custom Application uses the Application Agent (PKCS11, MSCAPI) over an SSL connection to the DSM; Encryption Keys Stored on DSM.
- Vormetric's DSM performs Network HSM functions
- Vormetric's Application Agent is installed on the application server that will be performing encryption operations
- Custom Applications can then utilize the Vormetric Encryption Agent to perform crypto services
1. The Application sends sensitive data securely to the DSM to be encrypted
2. The encrypted data is sent back to the application and then stored in the database
Technical Benefits
- Transparent
  - Seamlessly enable Key Management for existing TDE installations
- Efficient
  - Provide high performance HSM services to your TDE installations
  - Selectively encrypt sensitive Data in Custom Applications
- Strong
  - Remove DBAs from Key Management Duties
  - Encrypt Data in Custom Applications from the moment the Data is created.
- Easy
  - Automatically replicate your Keys across multiple environments
  - Easy to follow sample implementations
Vormetric Key Vault
Vormetric Key Vault Capabilities
Vaulting
- Vault Security Materials
  - Symmetric Keys
  - Asymmetric Keys
  - Certificates
  - Other Security Materials (Passwords, etc.)
Vormetric Key Vault Components
Data Security Manager
- Same DSM as all other VDS Products
- FIPS 140-2 Certified
VMSSC
- Command Line tool or API for programmatic vaulting and management of keys
Vormetric Key Vault
Supported Key Types: Symmetric, Asymmetric, Certificates
Interfaces: Web GUI, Command Line / API
- Manual Key Import
- Key Vault
- Reporting
- Logging
- Bulk Key Import
- Scripting Interface
- Ingest
- Retrieval
- Removal
Vormetric Key Vault Use Cases
Vault keys
- Secure storage of Keys and Certificates
- Vault other sensitive materials (Passwords, CC numbers, etc.)
Report on vaulted keys
- Centralized tracking, reporting, and alerting of Vaulted Keys
- Remove need for manual processes (Spreadsheets, etc.)
- Alert on expiring keys before it becomes a problem.
Vormetric's MetaClear Encryption
Diagram: a file shown as its File Data (Clear Text) and its File System Metadata, encrypted at Block-Level.
File Data (Clear Text): Name: J Smith CCN:60115793892 Exp Date: 04/04 Bal: $5,145,789 SSN: 514-73-8970
File System Metadata: Name: Jsmith.doc Created: 6/4/99 Modified: 8/15/02
Benefits of Vormetric MetaClear Encryption
- Encrypts File Data, leaving Metadata in the clear
- Does not impact Data Management tools like: Replication, Migration, Snapshotting
- High-Performance Encryption
- Remove custodial risk – enable data management without data visibility.
Diagram: comparison of Unencrypted, Full Disk / Switch Encryption and Vormetric Encryption, showing which of the File Data and the File System Metadata each approach leaves readable.
File System Metadata: Name: Jsmith.doc Created: 6/4/99 Modified: 8/15/02
Vormetric Encryption Components
Encryption for Any File, Any Database, Any Application, Any Device, Anywhere
Encryption Expert Agent (SW agent)
- Access Control
- Read/Write Control
- MetaClear Encryption
- Granular Audit
- Policy-Based Decryption
Data Security Manager (appliance)
- Key Management
- Policy Distribution
- Centralized Audit
- Policy Templates and Libraries
- Separation of Duties