Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
марко Safe net@rainbow-informzashita - februar 2012
1. SafeNet DataSecure platform
Technological leadership in protecting the
information lifecycle
Marko Bobinac
Insert Your Name
PreSales Engineer Eastern EMEA
Insert Your Title
21.02.2012
Insert Date
2.
3. The Data Protection Company
Protecting high value information in
the worlds most complex environments
Solutions for persistently protecting information as
it moves through its lifecycle
Protection that evolves with the customer needs
3
4.
5. What We Do
You manage the world’s most sensitive, high-value
data. Our mission is to protect it.
5
6. SafeNet Data Protection Product Portfolio
Identities Transactions Data Communications
Data Encryption High-Speed
Authentication HSM
and Control Network Encryption
Offering the broadest Offering The most SafeNet’s DataSecure – a SafeNet high-speed
range of authenticators, secure, and easiest to Universal platform network encryptors
from smart cards and integrate technology for delivering intelligent data combine the highest
tokens to mobile phone securing PKI identities protection and control for performance with a unified
auth—all managed from and transactions. information assets management platform
a single platform
7. ProtectDB
Databas
ProtectFile
e
ProtectApp
File Servers Key Secure
SAM
Application/
ProtectZ
Web Servers
Mainframe
HSM
Email Gateways
PKI Infrastructure
Datasecure Certificate Authority
Data Encryption
Storage Encryption
Self Encrypting HDs & Control
Web Gateways
eSafe
Endpoint
Protection
1
Firewalls / SSL VPNs High Speed Encryption
Communication Protection Protection NAS
Communication Protection
Cloud / External IT Solutions
ProtectApp DataSecure
Authentication & Access
Management
Identity Protection
Secure Cloud Storage &Applications
HSM HSE
Cryptographic Keys Public and Private
Virtualized Application Security Cloud Infra Protection
Authentication & Access
Management SRM SaaS
Access to Cloud-Based Apps Software Rights Management
Software as a Service
8. Cryptography
as an IT Service 3rd Party
Technologies
Storage Secure KMIP
Appliance
HSM
Appliance Certificate Infrastructures
File Shares Nat. IDs AMI
Tape E-Signatures Metering
Backups
Network
Storage E-Passports
Protect
Protect Storage
Infrastructure
Protect V Manager
Virtual Appliance
Authentication
Manager
Data Secure
Virtual Instances Appliance
Virtual Storage Management
Center
Protect Cloud **##**
&Virtual Infrastructure High Speed Protect
Encryptors
Tokenization
Identities
Protect Applications Protect
Data Centers File Servers Data Transfer
Databases Mainframes
8
9. The Magic Quadrant for User Authentication
challengers leaders
Ability to execute
niche players visionaries
Completeness of vision
As of January 2012
10. DataSecure:
The Foundation of Data Encryption & Control
Insert Your Name
Insert Your Title
Insert Date
11. Six Best Practices in Data
Protection & Compliance
1. Security — Not Just Compliance
2. Define your Corporate Policies
3. Involve the Stakeholders
4. Know your Data
5. Understand your Threats
6. Determine where to Protect your Data
11
12. Seven Methodologies
for Data Encryption & Control
1. Maintain Control Over Data Types
2. Create Points of Trust for Administration and
Policy
3. Leverage a Secure, Hardened Platform
for Heterogeneous Environment
4. Chose Standards Based Security when
Possible
5. Select a Flexible Platform for Encryption and
Tokenization
6. Pick a Solution with Key Management
Best Practices
7. Ensure Proof of Compliance is Easy
12
13. Worldwide Compliance Requirements
• Canadian Electronic • Basel II Capital Accord • PCI (WW)
Evidence Act
• PCI Data Security Standard • AIPA (Italy)
(WW) • GDPdU and GoBS (Germany)
• CA SB1386 et al • NF Z 42-013 (France)
• HIPAA (USA) • EU Data Protection Directive • Electronic Ledger
• FDA 21 CFR Part 11 • Financial Services Storage Law (Japan)
• GLB Act • Authority (UK) • 11MEDIS-DC (Japan)
• Sarbanes-Oxley Act (USA) • UK Data Protection Act • Japan PIP Act
13
14. SafeNet Data Encryption & Control
Protecting sensitive data throughout its lifecycle...
wherever it resides
In Data Centers On Endpoints ProtectDB Tokenization
• Applications • Desktops 0000 000 00
• Databases • Laptops Databases
ProtectZ
• File Servers • Removable Media
ProtectApp
• Mainframes
Mainframes
DataSecure
Platform
ProtectFile Server
WebAppServers
In the Cloud Cloud
ProtectDrive
ProtectFile
• Persistent, secured cloud storage for
structured & unstructured data
File Servers
ProtectDrive
14
15. DataSecure Platform
Appliance solution for
• High-performance encryption
• Simplified cryptographic key and policy management
• Hardened Linux kernel
• FIPS and Common Criteria certified
• High Availability
Combined with connectors (software)
• Connectors for applications,
databases, file servers, and stations.
• Secures the connection to the appliance (connection
pooling, SSL).
16. Core Benefits of SafeNet DataSecure
Centralized encryption and key Authentication, authorization, and
Security Hardware-based solution
management auditing
High performance encryption Batch processing for massive
Performance offload amounts of data
Local encryption capabilities
Support for heterogeneous Support for open standards and Range of enterprise deployment
Flexibility environments APIs models
Simplified appliance-based
Manageability approach
Web management console CLI (command line interface)
Enterprise clustering and Load balancing, health checking, Geographically distributed
Availability replication and failover redundancy
17. Security
Centralized Policy Management
• Security administrators control data protection policy
• Keys created and stored in a single location
• Dual Administrative Control
• Separation of Duties
• Logging, Auditing and Alerts
FIPS & Common Criteria Certified Solution
• FIPS 140-2 Level 2 & CC EAL2 Certified
• Keys are stored in the appliance
• Different types of encryption available: AES, 3DES, RSA ...
• Certificate authority to manage its integrated SSL access
Authentication & Authorization
• Multi-factor authentication possible between DS <> db or application.
• Access control: Granularity of crypto policy, by key, by schedule, etc.
• Support for LDAP
18. Performance
Encryption Offload
• Optimized, high-performance hardware
• Frees up database and application servers
• Latency less than 300 microseconds per request
Local Encryption Option
• Configurable for hardware offload or local encryption
Batch Processing
• Perform batch encrypts/decrypts for high performance
• More than 100k TPS
• Batch tools include:
• Transform Utility
• ICAPI (SafeNet API protocol)
• Easy integration into existing applications
Perf. Average - 15 minutes to encrypt 5,000,000 records in 16 octects (char)
on MS SQL with x 1 i430 in AES256
19. Flexibility
Heterogeneous Environments
• Comprehensive enterprise solution
• Web, Application, Database, Mainframe or File Server
• Data Center or Distributed Environments
• Open Standards-based APIs, cryptographic protocols
Scalability
• Models with capacity from 2,500 TPS to 100,000 TPS
• Clustering further increases capacity and redundancy
• Licensing structure enables cost-effective build-out
20. Availability
Moscow Clustering
• Keys and policy are
shared/replicated
DataSecure Cluster among DataSecures
in a global cluster
Load Balancing
• Connector software
can load balance
across a group of
appliances
• Multi-tier load
balancing enables
transparent fail over to
Saint Petersburg alternate appliance(s)
21. Positioning of the SafeNet DataSecure ®
SafeNet
ProtectApp
Tokenization 0000
000 00
Application and
Web Servers
SafeNet
ProtectDB
Databases
Mainframes
SafeNet File Servers
ProtectFile
ProtectZ
SafeNet DataSecure
SCALABLE FOR
GROWTH
21
• Configurations to meet your needs — today and in the future
• Extend invest over data types as needed
• Scalable to address growth
22. ProtectDB Use Case
Use Case Steps CRM
1. Cleartext values passed via database 0000 000 00
server to DataSecure Credit card
2. DataSecure returns encrypted values to Value
the database server (Encrypted value can
be shared across the organization in other
environments in a persistently encrypted
format)
3. Transform Utility can be used to support Transform
Utility
high performance batch processing
0000 000 00
Supported Databases Encrypted
Value
• Oracle, Microsoft SQL Server, IBM DB2 & Teradata DataSecure
• Supports native database encryption key
storage/management 0000 000 00
0000 000 00
Algorithms 0000 000 00
• 3DES, DES, and AES 0000 000 00
Supported Platforms 0000 000 00
Credit card 00
0000 000
• Windows, Linux, Solaris, HP-UX, AIX, or IBM z/OS Value
22
23. DataBase protection with native encryption
Heterogene database environments – Oracle, MS SQL, IBM DB2…….
The information should not be visible to the DBA. (accessible vs. visible)
The cryptographic load often requires a hardware upgrade
Transparent native encryption requires an upgrade of the software versions
Access to the logs is not secure, and their reading complex (unfiltered)
Native platforms are not certified, "certifiable" (FIPS, CC)
The cryptographic keys are used in a non-secure buffer
The keys are not sequestered except with the use of an HSM, but only for the
MasterKey
Resources are not shared & key rotation process is binding
24. ProtectApp Use Case
Use Case Steps
1. Cleartext value passed via
DataSecure
application layer to DataSecure 0000 000 00 0000 000 00
2. DataSecure returns encrypted value Encrypted
Cleartext
3. Encrypted value can be shared with Value E-Commerce Value
heterogeneous applications & (Java or .Net)
Application
database
Supported Web & Application Servers
• Oracle, IBM, BEA, IIS, Apache, Sun ONE, JBoss
Algorithms
• 3DES, DES, AES, RSA (signatures and CRM ERP
encryption), RC4, SHA-I, SHA-2 Application Application
Supported Platforms
• .NET, MSCAPI, PKCS#11, JCE, ICAPI, XML
• Windows, Linux, or IBM z/OS
Customer
Database
24
25. ProtectZ Features for Database & Applications
Running on IBM Mainframes
Granular Protection
• Retain ownership of data on IBM z/OS mainframes Applications
in databases and applications
Proven Algorithms
• Achieve the highest level of database and
application security by using proven cryptographic
algorithms combined with strong identity and
access-policy protection such as AES, DES and
DESede
Broad Support
• Flexible support for APIs such as ICAPI & JCE, DataSecure
application support for Cobol, RPG, assembler for
environments such as CICS, TSO or batch and
data storage in DB2, IMS, VSAM, DASD
Data Type Support
• Coverage for data types such as BIGINT, CHAR, Databases
DATE, DECIMAL, INTEGER, SMALLINT, TIME,
TIMESTAMP, and VARCHAR
25
26. ProtectFile for Servers Features
Use Case Steps File
Network-attache
Server
1. Document encrypted by DataSecure Servers
based on corporate policy
2. Protected file or folder stored on file
server in data center Intellectual
3. Only privileged users can Property
access, view, modify, or delete
protected files
Interoperability with
Privileged
• RIS, SMS, Tivoli, TNG, Active Directory and multi- Users
factor authenticators
Algorithms
• FIPS 140 Level 2 AES
Supported Platforms
DataSecure
• Windows and Linux operating systems, Microsoft,
Novell, Netware & Unix (Samba)
26
27. ProtectFile Sample Policies
• Create policies that align to lines of business
• Granular policies can be defined to control access to
authorized users
Finance Managers – gets full
Call center reps can encrypt credit
access to confidential financial
card numbers for phone orders
spreadsheets
Outside Auditors – get access to
Customer contracts sent to the call
sensitive files remotely and
center are saved to a shared file
offline, but need to get re-
server by the Call Center reps where
authorized by IT every 30 days to
they are automatically encrypted
regain access. (Policy can be
and strict access control is applied.
configured based on any set
amount of time.)
Market analysts are able to access
IT Administrators – they get access and share their competitive analysis
to perform routine maintenance, on seasonal opportunities in the
but cannot see any files that have Finance folder, but only see cipher
been encrypted (IT sees only text if they try to click on the
cipher text). spreadsheet with analyst salary
information.
29. Access Level – sample I
User with Encrypt & Decrypt permissions
30. Access Level – sample II
User with Backup & Restore Ciphertext permissions
31. Access Level – sample III
User with No Access permissions
32. Information preview: StorageSecure
New appliance (March 2012) for protecting Storage
Supports any kind of NAS (CIFS, NFS)
1Gb/s - 10Gb/s of file encryption
Transparent – works on network layer
Not a replacement for ProtectFile – decision
depends on what fits you best as DataSecure offers
wider range of solutions!
32
32
33. Tokenization Manager Use Case
1. Sensitive data comes Payment Backoffice Small Enterprise
in through a application support Market Application
consumer system
2. Sensitive data is
passed to
Tokenization Manager
3. Tokenization encrypts the
sensitive data, stores it and
returns a token Tokenization
Manager
4. Payment application passes
tokens to Tokenization Manager
to request original data it needs
for bank transaction DataSecure
PCI
5. Tokenization decrypts and Auditor
returns sensitive data
6. PCI Auditor only needs to
inspect tokenized database and
active applications
34. Maintain Ownership and Control
with DataSecure
Centralized tool to create granular protection policies and control
who and what has access to sensitive data when and where
Standards-based encryption with the highest level of security in a
commercial platform
Logging, auditing and reporting capabilities provide visibility for
enforcement, refinement and compliance
Persistent protection as data moves within data centers, out to
endpoints and into the cloud
34
35. Protection for different Data Types
INDUSTRY DATA TYPES
One platform to protect:
Healthcare Patient Records
Financial
Account Info
Services
• Personal Identifiable
Retail
Credit Cards Information
Manufacturing
Design Specs
Energy
Land Surveys • Payment & Transactional
Government Soc. Sec # Tax ID
Data
DataSecure
• Intellectual Property
Key Management
Policy Management
Control Administration
• Non-public Information
FileServers
Applications Databases
Cloud
35
36. DataSecure Supports Separation of Duties
DataSecure is the foundation of data encryption &
control by securing a wide array of data types under
one platform that:
Provides tools for the
SECURITY
administration, enforcement, monitoring, and report of data
protection solution
Establishes distinct roles so no single administrator can
compromise the system
Administration for key and policy management requiring
―m of n‖ credentials
36
37. Key Management throughout Lifecycle
Oracle DB
SQL DB DB2 DB
Database
Administrator
Legal
Manager
Finance
IT Manager Manager
for Tape HR
Storage Manager
Security
Officer Generate, Certify, Backup, Activate, Deactivate, Rotate, Compromise, Destroy
37
38. Summary
Tokenization
Manager
SafeNet
000
ProtectApp
Data Center Protection
0
000
00
Application and
• Designed to secure all of the
Web Servers
SafeNet
ProtectDB
sensitive information that is SafeNet
ProtectFile
File Servers Databases
stored in and accessed from Laptop
Mainframes
enterprise data centers SafeNet
ProtectZ
• Protecting the structured data SafeNet
ProtectDrive SafeNet DataSecure
stored in databases, SCALABLE
applications, and mainframe FOR GROWTH
environments as well as the
unstructured data kept in file The Solution Suite Includes:
servers
• ProtectDB
• With DataSecure driving • ProtectApp
central enforcement of • ProtectZ
corporate policies and access
• ProtectFile
control
• Tokenization Manager
38
39. Unrivaled Customer Success with Some of the
World’s Most Respected and Admired Companies
Financial
Technology
Household
Brands
Retail
39
This slide shows the breadth of our data protection solutions and how they follow the information.... Worth noting though, that it’s the management and auditing information that needs to be centralised and consolidated! – Hence the ‘back again’ comment!
First, security needs to be considered as a strategic initiative from the top down going beyond minimal compensating control to meet compliance to a true competitive advantage. If an organization has safeguarded the customer’s data privacy and their intellectual property, then the risk of bad press, competitive infiltration or other malicious activity will keep them focused on their core competency instead of doing expensive, time-consuming damage control due to a breach.Additionally, defining protection policies that address the needs of the stakeholders and users with productivity in mind means an in depth knowledge of the data is required. Where is it, who needs access and when? Next, you need to think like a criminal and know where your threats may come from. It is very possible it may be someone sitting in the cubicle next to you. Now you can proactively take t he steps necessary to protect your data throughout it’s lifecycle.
Maintain control over as many data types from a single platform to ease management, reduce risk, and improve proof of compliance.Create points of trust to eliminate points of vulnerability by using a platform that supports separation of duties for administrators and defines granular access policies by role.Leverage a hardened platform with the highest level of security for a commercial solution that offers flexibility for a heterogeneous environment.Consider a platform based on proven security standards versus proprietary or custom solutions that limit coverage and introduce gaps in securityConsider a platform that can support both encryption and tokenization methodologiesPick a platform that supports best practices for lifecycle key management across as many data types as possible and plan for key management across your enterprise.Select a solution that make proof of compliance easy whether you are subject to an audit or conducting a self assessment.
While local mandates continue to expand to include more stringent requirements for data privacy and intellectual property protection – organizations looking to thrive in a global community should consider worldwide compliance requirements. Further evidence that data protection is taken very seriously across the globe.
With DataSecure at the heart, sensitive data is protected from the data center to the endpoints to the cloud – both structured and unstructured
Heterogeneous Database EncryptionCentralized access control and encryption for Oracle, Microsoft SQL Server, IBM DB2 and TeradataGranular ProtectionProtect an entire database or specific columns within the database in order to streamline transparent performanceProven AlgorithmsAchieve the highest level of database security by using proven cryptographic algorithms such as 3DES, DES and AESBroad Platform SupportOffering centralized control across databases on Microsoft Windows, Linux, Solaris, HP-UX, AIX, or IBM z/OS environmentsSupport native encryption for key storage/manangement
Heterogeneous Application EncryptionCentralized access control and encryption for data in the application layer of solutions like ERP, HR and CRM (Note – could require SI assistance with application customization experience)Granular ProtectionDefine thresholds of operation for privileged users in order to safeguard against malicious or negligent threatsProven AlgorithmsAchieve the highest level of application security by using proven cryptographic algorithms such as 3DES, DES, AES,RSA (signatures and encryption), RC4, SHA-I, SHA-2Broad Platform SupportOffering centralized control for web and application servers from Oracle, IBM, BEA, IIS, Apache, Sun ONE, JBoss, SAP and platforms such as Microsoft Windows, Linux, and IBM z/OS
Flexible usesSafeNet ProtectZ software can be called from any programming language that follows IBM OS standards. The calling application can encrypt or decrypt any information and return it to the appropriate storage device. In addition to protecting production applications, you can use ProtectZ to facilitate testing of new applications, new software releases, or simply to improve data throughput.Efficient encryptionDataSecure can help move large amounts of sensitive data in and out of data stores rapidly by encrypting or decrypting specific fields in bulk within the flat files that can contain millions of records. By focusing on select fields, you can encrypt and decrypt data efficiently, in a fraction of the time that it might take for the entire file. DataSecure also can be used to encrypt the entire binary files when you do not need field-level granularity.Information securedYou chose your mainframe environment to deliver high levels of performance and reliability for your most important applications and data. By adopting SafeNet ProtectZ, you gain a robust security solution that matches the power of your mainframe environment.
Heterogeneous File TypesSupports encryption for a wide variety of data types such as spreadsheets, documents, images, PDFs, and moreInteroperabilityMicrosoft Windows Terminal Server, Offline Folder Synchronization, DFS (Distributed File System), Global Catalog, and NovellGranular ProtectionSecure at the file or folder level and establish rights for privileged users in order to safeguard against malicious or negligent threatsProven AlgorithmsFIPS 140 Level 2 AES Broad Platform SupportOffering support for Windows and Linux operating systems, Microsoft, Novell, Netware & Unix (Samba)
To move files into and out of C:\\Encrypted Docs\\ you will need to be a user with Encrypt & Decrypt access.
When logged in as a user with Backup & Restore Ciphertext access the file can be opened but is scrambled. This user could run applications that backup important files without being able to read the sensitive information.
Log in as a User with No Access, any user other than one used in the previous examples in this case, the contents of the folder are not even visible.
In order to maintain ownership and control of your sensitive information throughout its lifecycle – SafeNet provides a centralized platform to define and syndication protection policies by data type, by location, by role, and even by time of day. No you can enforce who and what has access to which information when and where.We are able to offer this control by leveraging standards like FIPS and KMIP for encryption and lifecycle key management with government grade security.Next, having visibility into how your policies are controlling your sensitive information means make continuous refinement for compliance and for growth as you adapt to the ever changing business environment.And finally, applying a persistent protection for your sensitive data enables you the flexibility to extend protection beyond your data centers and endpoints into the cloud – driving further flexibility to manage costs, efficiencies and productivity.
No single admin can compromise the systemM of N – multiple credentialSplit knowledge & dual controlMaybe use the diagram from Key Man WP
DataSecure offers lifecycle key management such as generate, rotate to destroy for all of the data types covered including heterogeneous databases, applications and files. The access policies defined by role are enforced with key management and separation of duties required by most protection mandates are supported. Note: Tape storage support today is via 3rd party partners such as Unisys, SecurityFirst, and of course there is HP which is more indirect
Data Center protection focuses on the data stored and accessed from databases, applications and file servers enforcing protection with corporate driven policies and access controls managed with DataSecure and the suite of ProtectDB, ProtectApp, ProtectFile…