Maintaining Trust & Control of your Data in the Cloud
Page 1: Maintaining Trust & Control of your Data in the Cloud

Complete encryption and key management available directly from AWS and Marketplace

Sheung-Chi NG, APAC

[email protected]

Apr 2016

Page 2: Maintaining Trust & Control of your Data in the Cloud

We are the world leader in digital security

29.04.16 Trust. Every day.

WE’RE UNIQUE. WE’RE GLOBAL. WE’RE INNOVATIVE

• 2,900 R&D engineers

• 114 new patents filed in 2014

• 180+ countries where our clients are based

• 14,000+ employees

• 16 nationalities

• €2.5bn 2014 revenue

• 2bn+ end users benefit from our solutions

Page 3: Maintaining Trust & Control of your Data in the Cloud

DATA PROTECTION PORTFOLIO

• Data Encryption

• Crypto Management

• Digital Payments

• Enterprise Authentication

• Trusted Identities

• eBanking & eCommerce

SECURITY AT THE CORE / SECURITY AT THE EDGE

DATA SECURITY IS BASED ON TWO ELEMENTS

IDENTITY PROTECTION PORTFOLIO

Gemalto IDP Business Areas

Introduction to Identity Data Protection

Page 4: Maintaining Trust & Control of your Data in the Cloud
Page 5: Maintaining Trust & Control of your Data in the Cloud

SafeNet’s Authentication Portfolio

VPNs, Web Apps, Web-mail, VDI, SaaS Apps, ERP, IAM

SafeNet’s Authentication Ecosystem

Enterprise Endpoints

SafeNet Next Generation Authentication

Identity Protection

Page 6: Maintaining Trust & Control of your Data in the Cloud

AWS Responsibilities

Page 7: Maintaining Trust & Control of your Data in the Cloud

Security and Compliance Concerns with Cloud Computing

How do you maintain ownership and control of your information in a multi-tenant environment?

• Securing, tracking and lifecycle/destruction of backups?

• Government requests?

• Privileged users of the cloud infrastructure?

How do you extend data governance and compliance to internal and external mandates?

It can be challenging to demonstrate control of protected and sensitive information in the cloud.

Page 8: Maintaining Trust & Control of your Data in the Cloud

Value of Data Protection in the Cloud

Leverage the benefits of cloud computing while retaining ownership, compliance and control of your information

© SafeNet Confidential and Proprietary

Page 9: Maintaining Trust & Control of your Data in the Cloud

Enhancing AWS Security with Gemalto

• Trust anchor: Amazon CloudHSM

• Hybrid deployments / key backup: SafeNet Luna SA HSM, SafeNet Backup HSM

• Key management: SafeNet KeySecure, SafeNet Virtual KeySecure

• AWS direct integration: Amazon Redshift (HSM), Amazon RDS (HSM)

• Encryption & pre-boot authentication: Amazon EBS and Amazon EC2 with SafeNet ProtectV

• Client-side encryption: Amazon S3 via the AWS SDK with SafeNet ProtectApp

• EC2 database encryption: databases on Amazon EC2 with SafeNet ProtectDB & Tokenization

• File encryption: Amazon EC2 and Amazon S3 with SafeNet ProtectFile

• Partner ecosystem: storage, archive, applications, orchestration, encryption, etc. Integration interfaces: key management via KMIP; HSMs via PKCS#11, CAPI / CNG, Java JCA, OpenSSL

Page 10: Maintaining Trust & Control of your Data in the Cloud

SafeNet Luna HSM

AWS CloudHSM

Hardware root of trust for encryption keys

Tamper-resistant appliances are designed & validated to government standards*

Helps meet compliance requirements

Used for code signing, document signing and transaction processing

Secures access to proxy layer keys for AWS-based databases (Redshift)


*Common Criteria EAL 4+ and NIST FIPS 140-2 Level 2

Page 11: Maintaining Trust & Control of your Data in the Cloud

SafeNet Virtual KeySecure

• Hardened virtual appliance that runs in the AWS cloud

• AWS CloudHSM hardware root of trust

• Enables organizations to unify encryption and control across clouds

• Centralizes key management in the cloud

• Available on AWS Marketplace today


Page 12: Maintaining Trust & Control of your Data in the Cloud

40+ KeySecure Integrations: Largest EKM Integration Ecosystem

Page 13: Maintaining Trust & Control of your Data in the Cloud

SafeNet ProtectV

The industry’s first comprehensive solution protecting your data across physical, virtual, and cloud infrastructure.

With ProtectV you can:

• Isolate virtual machines and storage through encryption

• Authorize VM launches with StartGuard

• Track key access to all copies of your data

• Revoke key access after terminating an instance in the cloud or after a breach

ProtectV enables you to migrate your sensitive data to untrusted or shared environments securely.

Diagram: ProtectV Manager controlling encrypted VMs (Microsoft, Linux, Red Hat)

Page 14: Maintaining Trust & Control of your Data in the Cloud

SafeNet ProtectV


Page 15: Maintaining Trust & Control of your Data in the Cloud

ProtectV: Secures the Entire Instance Lifecycle

1. Protect – Identify and encrypt the entire VM, including boot and storage partitions

2. Start – You must be authenticated and authorized to boot a server to the OS (pre-boot authentication)

3. Daily Operations – All data and VMs remain encrypted

4. Snapshot – Every copy of the VM in storage or backup is encrypted

5. Delete – Every time you delete a key, it “digitally shreds” the data, rendering all copies of the VM inaccessible

The shred only holds for copies that were encrypted under keys held by the key manager and never exported; a plaintext snapshot taken before encryption was enabled, or a data key still cached in a running instance, is outside its reach.

Page 16: Maintaining Trust & Control of your Data in the Cloud

SafeNet ProtectApp with AWS SDKs


Page 17: Maintaining Trust & Control of your Data in the Cloud

SafeNet ProtectApp with Amazon S3 SDKs

• ProtectApp’s Java API and the AWS SDK for Java interoperate to form an encryption client that provides keys as input to applications in order to encrypt an object before sending it to S3

• Provides customer-controlled client-side object encryption for storage in Amazon S3

• Enables developers to leverage existing AWS SDKs with the addition of centralized, customer-controlled enterprise key management

• AWS administrators can manage the storage environment but never have access to unencrypted application data
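The client-side pattern on this slide and the key-deletion (“digital shred”) step of the ProtectV lifecycle on Page 15 rest on the same mechanism: each object is encrypted under a data key the application never stores in the clear, the data key is wrapped by a master key that stays inside the customer’s key manager, and deleting that master key leaves every copy of the ciphertext, snapshots and backups included, undecryptable. The following Python is an added illustration of that mechanism, not ProtectApp’s Java API, the AWS SDK or any SafeNet code. The cipher is an HMAC-SHA256 stand-in for AES-GCM so the example runs on the standard library alone; the KeyManager class, the metadata field names and the sample record are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# --- Authenticated encryption stand-in (HMAC-SHA256 counter mode + HMAC tag).
# Used only so the example runs on the standard library; a real deployment uses
# AES-GCM from the SDK or product, not this construction.

def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _ctr_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream of HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + struct.pack(">Q", off // 32),
                         hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; reject any tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("object failed authentication (modified or wrong key)")
    return _ctr_xor(enc_key, nonce, ct)

# --- Customer-controlled key manager: an assumed stand-in for the role that
# KeySecure / CloudHSM play in the deck. Master keys never leave this object;
# callers only ever see wrapped data keys and a key id.

class KeyManager:
    def __init__(self):
        self._master_keys = {}

    def create_key(self, key_id: str) -> str:
        self._master_keys[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str):
        """Return (plaintext data key, the same key wrapped under the master key)."""
        dek = secrets.token_bytes(32)
        return dek, seal(self._master_keys[key_id], dek)

    def decrypt_data_key(self, key_id: str, wrapped: bytes) -> bytes:
        if key_id not in self._master_keys:
            raise KeyError(f"master key {key_id!r} was deleted: data is shredded")
        return unseal(self._master_keys[key_id], wrapped)

    def rewrap(self, old_id: str, new_id: str, wrapped: bytes) -> bytes:
        """Master-key rotation: re-wrap the data key; the object body is untouched."""
        return seal(self._master_keys[new_id], self.decrypt_data_key(old_id, wrapped))

    def delete_key(self, key_id: str) -> None:
        """The 'digital shred': every object wrapped under this key is now unreadable."""
        del self._master_keys[key_id]

# --- Client-side encryption before upload. The storage side (S3 here) receives
# only ciphertext plus user metadata; the metadata names are assumptions.

def put_object(km: KeyManager, key_id: str, plaintext: bytes):
    dek, wrapped = km.generate_data_key(key_id)
    body = seal(dek, plaintext)
    metadata = {"x-amz-meta-kek-id": key_id,
                "x-amz-meta-wrapped-dek": wrapped.hex()}
    return body, metadata

def get_object(km: KeyManager, body: bytes, metadata: dict) -> bytes:
    """Unwrap the data key through the key manager, then decrypt the body."""
    dek = km.decrypt_data_key(metadata["x-amz-meta-kek-id"],
                              bytes.fromhex(metadata["x-amz-meta-wrapped-dek"]))
    return unseal(dek, body)

if __name__ == "__main__":
    km = KeyManager()
    km.create_key("finance-2016")
    record = b"loan_id=12345;ssn=123-45-6789;score=712"   # constructed sample
    body, meta = put_object(km, "finance-2016", record)
    snapshot = (body, dict(meta))                  # a backup copy of the object
    assert get_object(km, body, meta) == record
    km.delete_key("finance-2016")                  # shred: snapshot dies with it
    try:
        get_object(km, *snapshot)
    except KeyError as err:
        print("snapshot unreadable after key deletion:", err)
```

A storage administrator who copies `body` and `metadata` gets nothing usable: the body is ciphertext and the wrapped data key only opens inside the key manager, which is the property the last bullet above claims. Rotation through `rewrap` changes only the wrapped key in the metadata, which is why rotating a master key does not require re-uploading objects, whereas revoking it ends access to every copy at once.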


Page 18: Maintaining Trust & Control of your Data in the Cloud

SafeNet ProtectFile

• Encrypt a variety of flat file types (text documents, spreadsheets, image files, etc.)

• Ensure files and folders are encrypted on Windows and Linux platforms on Amazon EC2 and on-premise before storing in the cloud (EBS or S3)

• Administrators can set policies to encrypt particular files and folders, granting access to only authorized groups and users

• Render files containing sensitive data useless to attackers


Page 19: Maintaining Trust & Control of your Data in the Cloud

SafeNet ProtectFile


Page 20: Maintaining Trust & Control of your Data in the Cloud

ProtectFile Provides Separation of Duties

Diagram: the ProtectFile agent on a server (Windows or Linux) encrypts files and folders on local storage (DAS) and remote storage (NAS, SAN) with keys fetched over SSL from KeySecure. Access policies are defined per group (Finance, Sales, Human Resources). The Server Administrator manages the hardware, operating system, application and database layers, while a separate DataSecure Administrator controls keys and policies, so the server administrator cannot decrypt the protected files on their own.

Page 21: Maintaining Trust & Control of your Data in the Cloud

SafeNet ProtectDB


Page 22: Maintaining Trust & Control of your Data in the Cloud

SafeNet ProtectDB

SafeNet ProtectDB provides transparent column-level encryption of structured data residing in databases.

The solution efficiently encrypts and decrypts specific fields in databases that may contain millions of records.

Deployed in tandem with the SafeNet KeySecure hardware or virtual appliance, ProtectDB offers centralized key and policy management to ensure encrypted data remains secure throughout its lifecycle.

The solution provides a single interface for logging, auditing, and reporting access to protected data and encryption keys.

SafeNet ProtectDB features built-in, automated key rotation and data re-keying, a critical feature for compliance and data protection; re-keying re-encrypts the existing rows under the new key, so on large tables it should be scheduled like any other bulk operation.

The highly scalable solution enables isolation of sensitive data in a shared infrastructure, separation of duties, and improved compliance with a variety of regulations, including protection of credit card numbers under the Payment Card Industry Data Security Standard (PCI DSS).


Page 23: Maintaining Trust & Control of your Data in the Cloud

SafeNet Tokenization


Page 24: Maintaining Trust & Control of your Data in the Cloud

SafeNet Tokenization

SafeNet Tokenization protects sensitive data (primary account numbers, social security numbers, phone numbers, passwords, email addresses, etc.) by replacing it with a unique token that is stored, processed or transmitted in place of the clear data.

Using Format Preserving Tokenization (FPT), SafeNet Tokenization preserves the length and format of the sensitive data, so existing field definitions and validation rules continue to work.

SafeNet Tokenization is also flexible in the token formats it supports, such as last four, first six, custom formats, and regular expression.

The solution uses Web APIs for easy deployment, requires no changes to existing databases and applications, and scales across multiple data centers in the distributed enterprise.

Deployed with the SafeNet KeySecure hardware or virtual appliance for centralized key and policy management, SafeNet Tokenization provides a single, centralized interface for logging, auditing, and reporting access to protected data, keys, and tokens.

Tokenization also features built-in, automated key rotation and data re-keying, a critical feature for compliance and data protection.

Compliant with the PCI Tokenization Guidelines and Visa Tokenization Best Practices, Tokenization is an ideal solution for organizations with high compliance costs: systems that hold only tokens store no cardholder data, which significantly reduces regulatory scope, facilitates the annual audit process, and lowers total cost of ownership.
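As an added illustration (not SafeNet’s implementation, whose internals the deck does not describe), the following Python sketches a vault-based format-preserving tokenizer that supports the formats the slide names: full, last four, first six, and a regular expression whose capture groups mark the characters to keep. Detokenization is gated on a role, which is what keeps the systems that only handle tokens out of scope. The class name, the format spellings, the role names and the sample values are assumptions.

```python
import re
import secrets
import string


class TokenVault:
    """Vault-based, format-preserving tokenization (assumed design for
    illustration). Tokens are random, so nothing can be derived from them
    without the vault; the vault itself is the only in-scope component."""

    def __init__(self, detokenize_roles=("payments",)):
        self._token_of = {}     # (fmt, clear value) -> token
        self._value_of = {}     # token -> clear value
        self._roles = set(detokenize_roles)

    @staticmethod
    def _preserved(value: str, fmt: str) -> set:
        """Positions whose characters survive unchanged into the token."""
        if fmt == "full":
            return set()
        if fmt == "last4":
            return set(range(max(len(value) - 4, 0), len(value)))
        if fmt == "first6":
            return set(range(min(6, len(value))))
        if fmt.startswith("regex:"):
            m = re.fullmatch(fmt[len("regex:"):], value)
            if m is None:
                raise ValueError("value does not match the format regex")
            keep = set()
            for g in range(1, len(m.groups()) + 1):   # capture groups are kept
                keep.update(range(m.start(g), m.end(g)))
            return keep
        raise ValueError(f"unknown token format {fmt!r}")

    @staticmethod
    def _random_like(ch: str) -> str:
        """Swap a character for a random one of the same class, so the token
        keeps the field's length and shape (dashes, '@', '.' stay in place)."""
        if ch.isdigit():
            return secrets.choice(string.digits)
        if ch.isupper():
            return secrets.choice(string.ascii_uppercase)
        if ch.islower():
            return secrets.choice(string.ascii_lowercase)
        return ch

    def tokenize(self, value: str, fmt: str = "full") -> str:
        if (fmt, value) in self._token_of:          # same input -> same token,
            return self._token_of[(fmt, value)]     # so joins on the token work
        keep = self._preserved(value, fmt)
        if all(i in keep or not c.isalnum() for i, c in enumerate(value)):
            raise ValueError("format preserves every character; nothing to tokenize")
        while True:                                 # retry on the rare collision
            token = "".join(c if i in keep else self._random_like(c)
                            for i, c in enumerate(value))
            if token != value and token not in self._value_of:
                break
        self._token_of[(fmt, value)] = token
        self._value_of[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only an authorized role recovers clear data; most callers never need to."""
        if role not in self._roles:
            raise PermissionError(f"role {role!r} is not allowed to detokenize")
        if token not in self._value_of:
            raise KeyError("unknown token")
        return self._value_of[token]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"                        # constructed test PAN
    tok = vault.tokenize(pan, "last4")
    print(pan, "->", tok)                           # e.g. 4111111111111111 -> 8302917465021111
    print(vault.tokenize("123-45-6789", r"regex:\d{3}-\d{2}-(\d{4})"))
    print(vault.detokenize(tok, role="payments") == pan)
```

The “last four” and “first six” formats mirror what PCI DSS permits to be displayed; a regex format lets a custom field (here a social security number) keep its separators and chosen digits while the rest is randomized. Because the same clear value always maps to the same token within a format, reports and joins on the tokenized column still work without ever touching the clear data.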


Page 25: Maintaining Trust & Control of your Data in the Cloud

SafeNet Authentication Service

SafeNet Authentication Service is a cloud-based authentication service that offers multi-factor authentication solutions, protecting identities and ensuring that individuals accessing Amazon WorkSpaces are who they claim to be.

SafeNet Authentication Service, combined with Amazon WorkSpaces, offers enterprises a best-in-class virtual desktop system with strong authentication.

Next-Generation Authentication from SafeNet

• Reduce the risk of unauthorized access to sensitive corporate resources.

• Reduce IT management overhead through automated user and token lifecycle administration.

• Enforce consistent access policies throughout your IT ecosystem: VPNs, SaaS applications, web portals, and on-premises applications.

• Have a single point of management for defining and managing access controls to all resources.

• Increase user convenience with federated login, extending enterprise identities to the cloud.


Page 26: Maintaining Trust & Control of your Data in the Cloud

SAS: Authenticating Networks, Applications and a Variety of Cloud Services

Diagram: the SAS administrator manages tokens and users centrally. Corporate networks and private networks connect through an agent, RADIUS or the API and draw their users from LDAP / Active Directory. Cloud services and cloud applications (online storage, application hosting, disaster recovery) are federated over SAML.

Page 27: Maintaining Trust & Control of your Data in the Cloud

121 Authentication Integrations

Page 28: Maintaining Trust & Control of your Data in the Cloud

Use Case

Page 29: Maintaining Trust & Control of your Data in the Cloud

Customer Example: Netflix Key Management

Goals

• Remove data center dependencies and complexity

• Increase reliability and performance

Approach

• HSMs per region/environment

• Migrated from SafeNet KeySecure in the data center to CloudHSM

• Decommissioned the data center configuration

Page 30: Maintaining Trust & Control of your Data in the Cloud

Netflix: Results

• Using AWS CloudHSM with HSM appliances in 3 regions

• Lower latency and high security

• Eliminates the on-premises, datacenter-based HSM/KM

• Saves money: 33% savings over original projections

Diagram: inside the AWS Virtual Private Cloud, the application’s HSM client talks to the CloudHSM VPC instance over SSL.

Page 31: Maintaining Trust & Control of your Data in the Cloud

Customer : FXXX MXXX - Property loan

Need?

FXXX MXXX hosts borrower and loan servicer information along with credit scores and other personal information. They plan to move this information to the AWS cloud (cost savings). Their security team will not allow any server in the cloud unless the personal information in databases hosted in the public cloud is protected (i.e. encrypted).

Why are they interested in ProtectV?

• Unique AWS solution

• Key management on premises

• Encrypting the entire VM

Environment?

• AWS VPC public cloud

• Handful of servers

• Want to encrypt everything that goes into the cloud

Page 32: Maintaining Trust & Control of your Data in the Cloud

Customer : TXX - Logistics company

• No infrastructure deployed to TXX Express premises

• Resilient cloud-based service allowing for easy re-use of the service globally

• Low per-user, per-month token cost allowing for integration with the remote access service, offering an integrated and robust solution

• Costs the same as the old remote access solution but offers strong authentication as standard and more flexible access options

• Flexible form factors allowing easier deployment and acceptance of the technology

• Lower TCO than the existing authentication solution

• Time to provision a user down from 5 days to 30 minutes

Page 33: Maintaining Trust & Control of your Data in the Cloud

Why choose Gemalto and AWS?

Gemalto and AWS can deliver an end-to-end “secured infrastructure” for ALL data

• Secure isolation of each virtual instance with ProtectV

• Application-layer protection with ProtectApp and Tokenization

• File or database protection with ProtectFile and ProtectDB

• Certifications to assure compliance

• CloudHSM provides customer control of encryption keys

Enable two-factor access control with Authentication Services

Virtual KeySecure and ProtectV enable 100% customer deployment at AWS, consumed like cloud services

The solution is extensible to other providers via KMIP

• Gemalto has 40+ integration partners for key management already!

Smooth transition from physical DC to cloud

Page 34: Maintaining Trust & Control of your Data in the Cloud


Thank You! Questions?

Sheung-Chi NG, APAC

[email protected]

Apr 2016