Marko Bobinac
PreSales Engineer, Identity & Data Protection
Use Cases Oriented Portfolio
- Applications (.NET, Java, KMIP, XML)
- Databases
- 3rd party solutions (e.g. self-encrypting drives via KMIP)
- File encryption
- Tokenization
- Ethernet, Fibre Channel
- Hardware Security Module appliance
- File shares, tape, backups, network share
- Encryption proxy
- Virtual instances, virtual storage (AWS, VMware, Azure, SoftLayer)
- ProtectV Manager virtual appliance
Identity and Data Protection portfolio
- Authentication Management (on-premise or cloud)
- National IDs, AMI, metering, e-signatures, e-passports, certificate infrastructures
- Protect cloud & virtual infrastructure
- Protect identities
- Protect infrastructure
- Protect NAS storage: ProtectFile Server/Desktop Agent
- KeySecure appliance
- Protect data centers
- Protect data transfer: L2 high-speed encryptors
- Providing root of trust: Hardware Security Modules
Trust. Every day.

Gemalto HSM Portfolio
- SafeNet Network HSM
- SafeNet Java HSM
- SafeNet USB HSM
- SafeNet PCI HSM
- ProtectServer Internal Express 2
- ProtectServer External 2
- SafeNet Payment HSM
Use-case: Appliance private key protection & strong authentication
(Diagram: SafeNet Authentication validates user identities; SSL connections to enterprise applications; the SSL keys are stored in a SafeNet network-attached HSM.)

Use-case: Securing private keys of SSL proxies
- Stores SSL keys in a FIPS 140-2 Level 2 or Level 3 tamper-resistant hardware appliance.
- The private SSL key never leaves the hardware appliance; the proxy only ever asks the HSM to sign or decrypt.
- Offloads SSL transactions from the proxy to accelerate operations.
- Provides administrators with full key control in accordance with regulatory regimes (PCI DSS, SOX, HIPAA, etc.).
Use-case: Securing PKI (economic option)
Setup: Root CA, Issuing CA and OCSP Responder share one Luna SA6, each in its own partition:
- Partition A: private key of Root CA
- Partition B: private key of Issuing CA
- Partition C: private key of OCSP Responder
- Luna Backup Device (offline, securely stored in vault)
Advantages
- Most economic setup
- Cost benefits
Disadvantages
- Single point of failure
- No redundancy
- Root key separated (own partition), but not locked on a separate device
- No Remote PED
Use-case: Securing PKI (high-security setup)
Setup:
- Issuing CAs and OCSP Responder on a Luna SA6 High Availability Group (cluster setup, geographically distributed): Partition A: private key of Issuing CA A; Partition ...: private key of Issuing CA ...; Partition ... +1: private key of OCSP Responder
- Root CA on a Luna G5 (offline, securely stored in vault)
- Luna Backup Devices (offline, securely stored in vault)
Advantages
- Load balancing & high availability
- Root key separated on its own offline device
- Redundancy of backups
Disadvantages
- No spare systems
- No dedicated backup systems
- Issuing CAs and OCSP Responder share the same HSMs
Use-case: Visa and MasterCard cloud-based payments
Flow: handset used to make a contactless transaction -> merchant -> acquirer -> switch (scheme) -> issuer; payment details are de-tokenised by the card scheme.
- SafeNet Payment HSM: PCI-HSM 2.0 certified
- HSM Partner Ecosystem: 332 HSM integrations
- Payment Partner Integrations: 58 payment integrations
Decoupling keys from the data: Enterprise Key Management
Data Protection Best Practices
• Encrypt or tokenize
• Apply access controls
• Manage the key lifecycle
Decouple KEYS from DATA: protect the data, protect the keys
Demo available
Data Protection Framework with KeySecure and Connectors
PARTNERSHIPS / ECOSYSTEM
• Amazon Web Services, Microsoft Azure
• HP, Dell, NetApp Storage, Chef, Docker
• Oracle, Microsoft SQL, IBM DB2, MySQL, MongoDB, Cassandra, Apache Hadoop, IBM BigInsights
POINTS OF PROTECTION
• NoSQL databases, SQL databases
• Storage, archive, tapes
• Files, folders & shares (DAS/NAS/SAN)
• Big Data, P-to-NonP tokenization
• Application encryption, application key management
• Cloud (public & private)
• ERP & CRM
ENCRYPTION & TOKENIZATION
• SafeNet ProtectApp, SafeNet ProtectDB, SafeNet ProtectFile, SafeNet Tokenization
• Database native TDE, Transform Utility, bulk tokenization, ecosystem, web services
DATA DISCOVERY
SafeNet ProtectV
ENTERPRISE KEY MANAGEMENT: SafeNet KeySecure
Gemalto Encryption Ecosystem: offers the industry's most expansive ecosystem of integrations for encrypting data within third-party environments.
SafeNet products in the ecosystem: SafeNet ProtectApp, SafeNet ProtectDB, SafeNet Tokenization, SafeNet ProtectFile, SafeNet ProtectV, SafeNet High Speed Encryptors (Layer 2 Ethernet encryption), SafeNet KeySecure Platform (distributed key management).
Points of protection: virtual machines; file servers & shares; application servers; databases; web and application servers; network encryption (data in motion); data at rest.

Gemalto Key Management Ecosystem: the industry's most expansive and diverse ecosystem of integrations, including the largest number of KMIP integration products.
Integration categories: cloud encryption gateways; backup & storage; database encryption; storage & archive; SIEM tools; cloud services; file & disk encryption.
SafeNet connectors: SafeNet ProtectApp, SafeNet ProtectFile, SafeNet ProtectDB, SafeNet ProtectV, SafeNet Tokenization.
SafeNet KeySecure Platform: distributed key management.
Use-case: Database and file protection options in physical/virtual/cloud environments

File/folder/share encryption (DAS/NAS/SAN)
- ProtectFile: transparent file encryption at the file-system level
- ProtectApp: multi-purpose APIs to perform data encryption, including file encryption at the application level

NoSQL database
- ProtectFile: transparent database file encryption
- Tokenization: application-level tokenization
- ProtectApp: application-level encryption

SQL database encryption
- ProtectDB: transparent column-level encryption
- ProtectFile: transparent database file encryption
- ProtectApp: application-level encryption
- Tokenization: application-level tokenization
- TDE: transparent data encryption (database native)

Customer-owned key management
- SafeNet KeySecure (physical)
- SafeNet Virtual KeySecure (cloud/virtual)
Use-case: Segregate sensitive department data on shared servers
Departments sharing the server: Finance, Sales, Human Resources.
Server (Windows or Linux) with the SafeNet ProtectFile agent; keys and policies are fetched from SafeNet KeySecure over SSL.
Protected data: documents, images, config files, password files, logs & backups, data files, exports, archives.
Stack: application, database, files and folders, operating system, hardware; storage either local (DAS) or remote (NAS, SAN).

Server-side deployment architecture: PFClient installed on the server, encrypting the CIFS/NFS shares consumed by network-attached storage clients*.

Client-side network share architecture: PFClient installed on each client (PFClient1**, PFClient2, PFClient3, ... PFClient6000) with a NAS policy per client, each protecting its own share (\\server\user001\, \\server\user002\, \\server\user003\, ... \\server\user6000\).

*each client has its own PF installation (bootstrapping) and its own set of policies and keys
**PFClient deploys a NetworkShare policy to act as a CIFS crypto proxy on Win7 and Win10
Protecting the data in motion: High-Speed L2 encryption

SafeNet HSE Product Portfolio

CN4010
- Compact desktop enclosure
- 10/100/1000Mbps (scalable licensing)
- RJ45 electrical interfaces, pluggable optical SFP
- External plug pack
- LED
- Latency < 10uS
- CC EAL2+, FIPS 140-2 level 3

CN4020
- Compact desktop enclosure
- 100/1000Mbps (scalable licensing)
- RJ45 electrical interfaces, pluggable optical SFP
- External plug pack
- LED
- Latency < 10uS
- Certification in process

CN6010
- 1U rack mount enclosure
- 100/1000Mbps (scalable licensing)
- RJ45 electrical interfaces
- Dual redundant AC/DC supplies
- LCD/keypad
- User-serviceable fans/battery
- Latency < 8uS
- CC EAL2+, FIPS 140-2 level 3

CN6100
- 1U rack mount enclosure
- 1/10Gbps (scalable licensing)
- Pluggable XFP optical interfaces
- Dual redundant AC/DC supplies
- LCD/keypad
- User-serviceable fans/battery
- Latency < 6uS
- CC EAL2+, FIPS 140-2 level 3

CN8000
- 4U rack mount enclosure
- 10x10Gbps
- Pluggable optical SFP+
- Dual redundant AC supplies
- User-serviceable fans/battery
- Latency < 8uS
- Certification in process

All devices are interoperable and can be managed by SafeNet High Speed Management Platforms.
Use-case: Multi-tenanted infrastructures
Business objective
• Secure communications across multi-enterprise infrastructure
• Centralised management with localised admin
• Separation of VLANs
• Multiple certificate support
HSE benefits
• VLAN separation
• CMS provides multiple-admin control via a central platform
• Granular policy control
• Ability to use customer-specific certificates
(Diagram: encryptors attached to a shared Ethernet network.)
Use-case: Securing branch office connectivity
Business objective
• Sensitive/regulated data traversing the network
• Need to support voice, video and VLANs
• Simple management for multiple sites
HSE benefits
• Centralized management
• VLAN bypass option
• Automated VLAN set-up
• Small-footprint branch office solution
(Diagram: branch offices connected to headquarters over carrier Ethernet; headquarters at 10G, with VLAN 1 at 100M, VLAN 2 at 250M, VLAN 3 at 500M, VLAN 4 at 1G and VLAN 5 at 1G.)
Use-case: Custom ECC - "Bring your Own Curves"
• CM7 can now create EC parameter PEM files
• User supplies the domain parameters
• CM7 checks the parameters
• Generates the PEM file
• E.g. RFC 5639 Brainpool standard curves
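The "CM7 checks parameters" step above, as an added example that is not CM7 or SafeNet code (the page does not say which checks CM7 performs): a Python validator for user-supplied short-Weierstrass domain parameters over GF(p) that runs the checks a curve importer should make before it writes any EC parameter file, namely p prime, curve non-singular, G on the curve, n prime with n*G = O, cofactor consistent with the Hasse bound, curve not anomalous, and embedding degree above an assumed threshold `mov_bound`. The known-good input is brainpoolP256r1 as published in RFC 5639 (constants transcribed here); the rejected input is a tampered copy constructed for the example. Generating the PEM file itself is not shown.

```python
"""Validate user-supplied EC domain parameters before emitting an EC parameter
file. Added example, not CM7/SafeNet code: the checks a "bring your own curve"
importer must make. Known-good input is brainpoolP256r1 as published in
RFC 5639 (constants transcribed here); the bad input is a tampered copy."""
from math import isqrt
import random

def is_probable_prime(n, rounds=32):
    """Small-prime trial division, then Miller-Rabin with seeded (reproducible) witnesses."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def ec_add(P, Q, a, p):
    """Affine addition on y^2 = x^3 + a*x + b over GF(p); None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, a, p):
    """Double-and-add (not constant time; fine for a one-off parameter check)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R

def check_domain_params(p, a, b, gx, gy, n, h, mov_bound=100):
    """Return the list of failed checks; an empty list means the curve is accepted."""
    if p <= 3 or not is_probable_prime(p):
        return ["p is not an odd prime > 3"]
    problems = []
    if not (0 <= a < p and 0 <= b < p):
        problems.append("a or b is not reduced mod p")
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:
        problems.append("singular curve: 4a^3 + 27b^2 = 0 mod p")
    if (gy * gy - (gx ** 3 + a * gx + b)) % p != 0:
        problems.append("G is not on the curve")
        return problems  # scalar multiplication below would be meaningless
    if not is_probable_prime(n):
        problems.append("n is not prime")
    if ec_mul(n, (gx, gy), a, p) is not None:
        problems.append("n*G != O, so n is not the order of G")
    if abs(h * n - (p + 1)) > 2 * isqrt(p) + 2:  # Hasse bound on #E(GF(p)) = h*n
        problems.append("h*n is outside the Hasse interval")
    if n == p:
        problems.append("anomalous curve (n == p): Smart's attack applies")
    if any(pow(p, k, n) == 1 for k in range(1, mov_bound + 1)):
        problems.append("embedding degree <= %d: MOV/Frey-Rueck attack applies" % mov_bound)
    return problems

# brainpoolP256r1 (RFC 5639, section 3.4), transcribed for this example
BRAINPOOL_P256R1 = dict(
    p=0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377,
    a=0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9,
    b=0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6,
    gx=0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262,
    gy=0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997,
    n=0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7,
    h=1,
)

def tampered_brainpool():
    # constructed bad input: flip the low bit of b so G is no longer on the curve
    bad = dict(BRAINPOOL_P256R1)
    bad["b"] ^= 1
    return bad

if __name__ == "__main__":
    print("brainpoolP256r1:", check_domain_params(**BRAINPOOL_P256R1) or "accepted")
    print("tampered copy:", check_domain_params(**tampered_brainpool()))
```

The order of the checks matters: a point that is not on the curve, or a composite p, makes every later arithmetic result meaningless, so the validator stops there rather than reporting spurious failures. The embedding-degree bound of 100 is an assumption for the example; a production importer would pick it from the security level it wants to guarantee.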
Use-case: Custom ENTROPY - "Bring your Own Keys"
This design decision provides a twofold benefit:
• The entropy pool is not polluted in any fashion with internal processing.
• For the purposes of AES assurance testing, it would be possible to install "known" entropy to provide a black-box testing capability to the customer.
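The black-box testing idea above, as an added example that is not SafeNet HSE code (the page does not document how the appliance turns entropy into keys, so the generic NIST SP 800-90A HMAC_DRBG over SHA-256 stands in for that step): because the DRBG is deterministic given its entropy input, a tester who installed known entropy can recompute every derived AES key and compare fingerprints with what the device reports, without the key ever leaving the device. The entropy value, key label, HMAC-based key check value and function names are constructed for the example.

```python
"""HMAC_DRBG (NIST SP 800-90A, SHA-256) seeded from a caller-supplied entropy
input. Added example, not SafeNet HSE code: the appliance's real key
derivation is not documented on the page; this shows the generic mechanism
behind "install known entropy, then verify the keys black-box"."""
import hashlib
import hmac

H = hashlib.sha256
OUTLEN = H().digest_size


class HmacDrbg:
    def __init__(self, entropy_input: bytes, nonce: bytes = b"", personalization: bytes = b""):
        # SP 800-90A 10.1.2.3: K = 0x00..00, V = 0x01..01, then Update(seed_material)
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _update(self, provided_data: bytes) -> None:
        # SP 800-90A 10.1.2.2: the only path by which material enters K and V;
        # generated output never flows back into the entropy input
        self.K = hmac.new(self.K, self.V + b"\x00" + provided_data, H).digest()
        self.V = hmac.new(self.K, self.V, H).digest()
        if provided_data:
            self.K = hmac.new(self.K, self.V + b"\x01" + provided_data, H).digest()
            self.V = hmac.new(self.K, self.V, H).digest()

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        # SP 800-90A 10.1.2.5 (reseed-interval check omitted for brevity)
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n_bytes:
            self.V = hmac.new(self.K, self.V, H).digest()
            out += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n_bytes]


def derive_aes256_key(entropy_input: bytes, key_label: bytes) -> bytes:
    """Device side: one DRBG instance per installed entropy, with the key's
    label as personalization string (assumed layout for the example)."""
    return HmacDrbg(entropy_input, personalization=key_label).generate(32)


def key_check_value(key: bytes) -> str:
    """Fingerprint a key without revealing it (HMAC-based KCV, assumed convention)."""
    return hmac.new(key, b"KCV", H).hexdigest()[:16]


def black_box_test(device_kcv: str, known_entropy: bytes, key_label: bytes) -> bool:
    """Tester side: recompute the key from the entropy that was installed and
    compare fingerprints. A mismatch means the device did not derive the key
    from the supplied entropy alone."""
    expected = derive_aes256_key(known_entropy, key_label)
    return hmac.compare_digest(key_check_value(expected), device_kcv)


# constructed values for the demonstration
KNOWN_ENTROPY = bytes(range(48))  # 384 bits of "known" entropy installed for the test
LABEL = b"link-1/aes-256-gcm/data-key"

if __name__ == "__main__":
    dev_key = derive_aes256_key(KNOWN_ENTROPY, LABEL)
    print("device KCV:", key_check_value(dev_key))
    print("tester agrees:", black_box_test(key_check_value(dev_key), KNOWN_ENTROPY, LABEL))
    print("other entropy agrees:", black_box_test(key_check_value(dev_key), b"\xff" * 48, LABEL))
```

The test only ever compares fingerprints, so it verifies the key generation path end to end while keeping the key inside the device; after the assurance run the known entropy must of course be replaced by the device's own entropy source, since any key derived from it is fully predictable.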
SafeNet HSE is #1
> HIGHEST SECURITY
> The most secure data-in-motion protection
> FIPS 140-2 L3, CC, CAPS, UC APL, NATO, UK CPA (in progress)
> BEST PERFORMANCE
> Maximum throughput with zero protocol overhead
> Lowest overhead, latency and jitter; lowest power draw; smallest footprint
> MOST FLEXIBLE
> In-field upgradeability to meet MEF use cases
> 10Mb to 10G, multi-protocol, field upgrades
> COST EFFECTIVE
> Can you afford not to encrypt?
> Future proof, rate limiting, mesh environments, low-cost models
Securing access and operations of digital identities: Strong Authentication
GEMALTO CAN DO IT ALL

Supported Secure Elements (Secure Element / Galaxy)
- Badge & NFC / BT Smart: connectivity needed; large compatibility
- UICC: fragmented market
- uSD: slot needed
- Badge & attached reader: low user convenience; large compatibility
- eSE: fragmented market
- TEE: fragmented market; in roadmap
We are leaders in the Authentication Market
“[SafeNet] demonstrated a very sound market understanding and
very strong product strategy and innovation.” - Gartner
08.06.16 Title 32
150 Authentication Integrations
Product convergence strategy
Token/OS/Applet convergence (today): eToken Pro Java 72K, eToken Pro Anywhere, eToken 5100/5105, eToken 5200/5205, NG-OTP, eToken 5300, eToken 7300, eToken 5110, IDBridge K30/50, eToken Pro card, IDClassic, eToken 4100, IDPrime .NET, IDPrime MD 830/840, IDPrime MD 900
Middleware convergence: SafeNet Authentication Client
• Full client
• PKCS#11 lib
• Minidriver
Planned EOS: IDPrime .NET (challenging migration)
Use-case: PKI security for Mobile device management
Simple Bluetooth pairing:
1. Prepare app: the user launches the MobilePKI for Good app on their mobile. The mobile then searches for devices in pairing mode.
2. Prepare device: the user presses the button on the Bluetooth device for 3 seconds to put it into pairing mode.
3. Connect: the user selects the device to pair and enters the PIN. After MobilePKI for Good has been successfully enrolled, the user may use any of the registered Good apps.
MobilePKI for Good components
- SafeNet Prime MD 8840 MicroSD card combines the storage capability of a standard 8 or 16 GB MicroSD memory card with the high security level of a PKI smart card or smart token; it works seamlessly with the internal capabilities of most Android mobile devices.
- SafeNet Reader CT1100 is a Bluetooth Smart enabled smart card badge holder, suited to existing PKI badge deployments.
- SafeNet Reader K1100 is a Bluetooth Smart enabled USB token. Customers not using PKI can benefit from two-factor authentication based on secured cryptographic keys stored on the SafeNet K1100 token.
- SafeNet MobilePKI for Good App and Support provides strong 2FA on top of the Good platform and is available from the Good App Store.