Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway, Product Marketing Manager
March 2016
Agenda
• A brief history of encryption
• How encryption is now deployed in the enterprise
• Encryption and key management best practices
Origins of an Organized Approach
Scytale and Caesar ciphers
• Character based
• Simple character transposition
• Depended on algorithm secrecy
Encryption Goes Mechanical
Enigma rotor
• Complex mechanical and electromechanical machines
• Character based encryption
• Patented 1918
• Commercial and military usage
Cryptography in the Modern Age
Modern cryptography
• Began in the late 1940s, aligned with the Information Age
• Encryption moved from character based to bit based
• The Data Encryption Standard (DES) used 56 bit keys (1975)
• Triple DES (3DES) used 192 bit keys (1998)
• The Advanced Encryption Standard (AES) is available to all (2001)
• AES uses 128 or 256 bit keys and ‘modes’ to secure data
Encryption in the Enterprise
The Decision that Starts It All…
“Many organizations understand the benefits of encryption … but have difficulty on the question of just where to encrypt the data.” – Jon Oltsik, Senior Analyst, Enterprise Strategy Group
Chart: the encryption layers between data source and destination (Application, Database, File, Storage / Tape / Disk), plotted by deployment effort against security.
Growing Number of Encryption Use Cases
Crypto management challenge: more encryption keys to store and manage.
• Non-repudiation: document signing, citizen eIDs, boarding passes, transaction signing, biometrics
• Integrity: electronic transfers, time stamping, signed audit logs, secure communications, mobile payments
• Encryption: disk and file encryption, code signing, database encryption
What is Driving This Adoption?
• Internet of Things
• Compliance
• KMIP
• Virtual data center and cloud
• Partner integrations
• Datacenter consolidation
• Next gen cybersecurity
• PKI
• Who controls the keys?
• Are the keys trusted?
• Where are the keys located?
• Will they pass an audit?
• Do they meet my future deployment models?
• Do they work with my 3rd party applications?
What are the options?
• Application-level encryption
• Database-level encryption
• File-level encryption
• Disk and partition encryption (physical and virtual)
How Enterprises are Thinking…
Often information security decisions are made urgently in response to ‘fire drills’: tight timelines dictated by new mandates, threats, or breaches. Commonly this is done by business units (BUs).
For BUs, it is natural to adopt a ‘build-it-yourself’ or ‘go-it-alone’ approach; in many IT cases it works.
But building encryption and managing keys is a more complicated and resource-intensive investment than people think.
In addition, once encryption is implemented, administrators and teams must continue to manage the encryption keys for their deployment. Suddenly the easy DIY project becomes an on-going administrative headache.
The Proliferation of Silos
Today – Silos: file servers, applications & web servers, SQL & NoSQL databases, mainframes, storage, backup media
• Costly & complex administration
• Inconsistent security policy enforcement
• No repeatable process
• Inhibited data & business workflow
• Audit challenges
Encryption and Key Management Best Practices
Required Elements
• Encrypt the data: at rest in storage, in motion across the network, on-premises or in the cloud
• Strong key management: secure and own encryption keys; centrally manage keys and policies
• Access control: protect identities; ensure only authorized users and services have access
1. Control identity: who & what can access sensitive data
2. Protect data: protection & controls that sit with the data
Where to Encrypt and Manage Keys?
Chart (repeated from the earlier slide): the encryption layers between data source and destination (Application, Database, File, Storage / Tape / Disk), plotted by deployment effort against security.
Data Protection Best Practices
Protect data: • Encrypt or tokenize • Apply access controls
Protect keys: • Manage key lifecycle • Apply access controls
Decouple KEYS from DATA
A Three Step Approach
Where the data lives: file servers (DAS, SAN, NAS, HDFS); databases (SQL & NoSQL); applications (application servers); public cloud (cloud servers and virtual machines)
• File level encryption • Database level encryption • Application level encryption • Tokenization, plus access control
• Centralized key management (generation, rotation, expiration, etc.) • Audit reporting and compliance management • Separation of duties: encryption keys decoupled from data
Software-based Key Management
The application server hosts the application, the cryptographic interfaces (PKCS #11, CAPI / CNG, Java CSP, OpenSSL, XML), key usage services, cryptographic processing and key storage.
Key management services: backup/restore, export controls, EKM interface, policies.
A Physical Network-Attached Key Manager
Multiple application servers each host the application, the cryptographic interfaces (PKCS #11, CAPI / CNG, Java CSP, OpenSSL, XML) and key usage services.
The network-attached key manager provides key management services (backup/restore, export controls, EKM interface, policies), key vault services (tamper resistance/response, separation of duties, M of N controls), cryptographic processing offload, multiple partitions, and high availability and load balancing.
Certifications: FIPS 140-2 Level 3, Common Criteria EAL4+
Key Management: Best Practices
Encryption in the enterprise is simple. Key management in the enterprise is the real challenge.
• Key management: proper rotation, deletion, etc.
• Centralized key management: keep track of all the keys, all the time
• Separation of duties: no single user with the keys to the kingdom
• Key security: hardware storage
• Replication: ensure high availability
• Backup and restoration: protect against catastrophe
• Auditing and reporting: demonstrate that you control your data
Key Management Best Practices
• Centralize key management across the enterprise (application, database, file, disk, TDE, virtual): control centrally and then farm out encryption to individual BUs.
• Store keys in hardware: a physical key management appliance or Hardware Security Module (HSM).
• Design an architecture that scales. A key manager should manage load balancing, conduct health checking, offer connection pooling, and be able to broker SSL handshakes.
• Control key access: separate duties amongst administrators and implement access controls around secured data.
Segregation of Roles & Responsibilities
• Security administrators: responsible for key management, security policies, access controls
• Database administrators: responsible for database management, schemas, field definitions, creation of views and triggers, installation of stored procedures
• Application developers: responsible for application code changes and/or developing stored procedures to be installed on the database
• Others: storage admin, backup admin, virtualization admin, etc.
Enterprise Data Protection as Centralized Service
Today – Silos: file servers, applications & web servers, SQL & NoSQL databases, mainframes, storage, backup media
• Costly & complex administration
• Inconsistent security policy enforcement
• No repeatable process
• Inhibited data & business workflow
• Audit challenges
Tomorrow – Unified: a unified data protection platform (crypto foundation, key management, policy management) spanning cloud, on-premises and virtual environments, delivering compliance and security
• Single vendor
• Centrally defined & managed security
• Strong compliance & low audit cost
• Increased security, business agility, & lower IT costs
The Benefits of Buying In
Better security: when security policies are centrally managed and broadly deployed, it is easier to ensure effective enforcement. Sensitive cryptographic keys and policy controls are tightly secured in purpose-built mechanisms.
Every group that goes its own way remains vulnerable to compromise. Unauthorized entry into one department could spread to other departments.
Budget savings: security administration is time-consuming, costly and complex. Farming out encryption security responsibilities preserves departmental budget.
Offload on-going key management costs to other parts of the organization and benefit from architecture designs made by others.
The Benefits of Buying In (Continued)
Streamlined collaboration: security silos run counter to the increasing interconnection of corporate applications and workflows. Sharing sensitive data across departments introduces security gaps, complexity and latency into the business.
Standardizing encryption through the central service improves the ability to collaborate freely across the organization without fear of vulnerability or non-compliance.
Faster innovation: building encryption yourself is deceptively complex and time-consuming. Farming out key management to the central service frees resources that can be dedicated to other important tasks.
Central encryption services can create standard ready-to-use APIs and platforms that shorten development cycles for new products & services.
Holistic Enterprise Data Protection Framework
Partnerships / ecosystem: Amazon Web Services, Microsoft Azure, HP, Dell, NetApp Storage, Chef, Docker, Oracle, Microsoft SQL, IBM DB2, MySQL, MongoDB, Cassandra, Apache Hadoop, IBM BigInsights, IBMz (mainframes), IBMi (AS400)
Points of protection: NoSQL databases; SQL databases; storage archive tapes; files, folders & shares (DAS/NAS/SAN); big data P-to-NonP; tokenization; application encryption; cloud (public & private); application key management; ERP & CRM
Encryption & tokenization: SafeNet ProtectApp, SafeNet ProtectDB, SafeNet ProtectFile, SafeNet Tokenization, Database Native TDE, Transform Utility, Bulk Tokenization, Web Services
Enterprise key management: SafeNet KeySecure
Thank you.