Cloud and Virtualization gives you agility and efficiency to instantly roll out new services and expand your infrastructure. But the lack of physical control, or defined entrance and egress points, bring a whole host of cloud security issues – data co-mingling, privileged user abuse, snapshots and backups, data deletion, data leakage, geographic regulatory requirements, cloud super-admins, and many more. Fortunately, experts agree that encryption is the unifying cloud security control, allowing you protect, control and maintain the trust. Gemalto’s proven encryption and enterprise key management solutions turn any cloud environment into a trusted and compliant environment by solving the critical challenges of data governance, control, and ownership - no matter where you store your data. Andrew Watts-Curnow, Solutions Architect, Amazon Web Services, ASEAN Sheung Chi Ng, Senior Security Consulting Manager, Identity and Data Protection (IDP), APAC, Gemalto (Formerly SafeNet)

1. Complete encryption and key
management available directly
from AWS and Marketplace
Complete encryption and key management available
directly from AWS and Marketplace
Sheung-Chi NG, APAC
Sheungchi.Ng@safenet-inc.com
Apr 2016

2. We are the world leader in digital security
29.04.16Trust. Every day.2
WE’RE UNIQUE. WE’RE GLOBAL. WE’RE INNOVATIVE
2,900R&D ENGINEERS
114
NEW PATENTS
FILED IN 2014
180+COUNTRIES WHERE
OUR CLIENTS ARE
BASED
14,000+EMPLOYEES
16NATIONALITIES
€2.5bn2014 REVENUE
+2bn
END USERS
BENEFIT FROM
OUR SOLUTIONS

3. DATA
PROTECTON
PORTFOLIO
DATA ENCRYPTION
CRYPTO MANAGEMENT
DIGITAL PAYMENTS
ENTERPRISE AUTHENTICATION
TRUSTED IDENTITIES
EBANKING & ECOMMERCE
SECURITY AT THE
core
SECURITY AT THE
edge
DATA SECURITY IS BASED ON
TWO ELEMENTS
IDENTITY
PROTECTION
PORTFOLIO
Gemalto IDP Business Areas
3 Introduction to Identity Data Protection 29.04.16

5. SafeNet’s Authentication Portfolio
VPNs
Web
Apps
Web-
mail
VDI
SaaS
Apps
ERP IAM
SafeNet’s Authentication Ecosystem
Enterprise
Endpoints
SafeNet Next Generation Authentication
5 Identity Protection

6. AWS Responsibilities

7. Security and Compliance Concerns
with Cloud Computing
How do you maintain ownership and control of your
information in a multi-tenant environment?
• Securing, tracking and lifecycle/destruction of
backups?
• Government requests?
• Privilege users of the cloud infrastructure?
How do you extend data governance and compliance to
internal and external mandates?
7
Can Be Challenging to Illustrate Control Of Protected and
Sensitive Information in the Cloud

8. Value of Data Protection in the Cloud
Leverage the benefits of cloud computing while retaining
ownership, compliance and control of your information
8
© SafeNet Confidential and Proprietary

9. Enhancing AWS Security with Gemalto
9
Trust
Anchor AmazonCloudHSM
Hybrid
Deployments
Key Backup SafeNet Luna SA
HSM
SafeNet Backup HSM
Key
Management
SafeNet KeySecure SafeNet Virtual KeySecure
AWS Direct
Integration
Amazon Redshift
(HSM)
Amazon RDS
(HSM)
Encryption & Pre-
Boot Auth
Amazon
EBS
Amazon
EC2
SafeNet
ProtectV
Client Side
Encryption
Amazon
S3AWS SDK
SafeNet
ProtectApp
EC2 Database
Encryption
Amazon EC2
Database
SafeNet
ProtectDB &
Tokenization
Partner
Ecosystem
Storage, Archive,
Applications,
Orchestration,
Encryption, etc.
Key Mgmt: KMIP
HSMs: PKCS#11,
CAPI / CNG, Java
JCA, OpenSSL
File
Encryption
Amazon
EC2
Amazon
S3
SafeNet
ProtectFile

10. SafeNet Luna HSM
AWS CloudHSM
Hardware root of trust for encryption
keys
Tamper-resistant appliances are
designed & validated to government
standards*
Helps meet compliance requirements
Used for code signing, document
signing and transaction processing
Secures access to proxy layer keys for
AWS-based databases (Redshift)
10
© SafeNet Confidential and Proprietary
*Common Criteria EAL 4+ and NIST FIPS 140-2 Level 2

11. SafeNet vKeySecure
SafeNet Virtual KeySecure
• Hardened virtual appliance that runs in the AWS cloud
• AWS CloudHSM hardware root of trust
• Enables organizations to
unify encryption and
control across clouds
• Centralizes key management
in the cloud
• Available on AWS Marketplace today
11
© SafeNet Confidential and Proprietary

12. 40+
KeySecure
Integrations
Largest EKM Integration Ecosystem

13. The industry’s first comprehensive solution protecting your data across physical, virtual, and cloud
infrastructure.
With ProtectV you can enable customers to:
• Isolate Virtual Machines and storage through encryption
• Authorize VM launches with StartGuard
• Track key access to all copies of your data
• Revoke key access after terminating an instance in the cloud or a breach
ProtectV enables you to migrate your sensitive data to untrusted or shared environments securely.
ProtectV
Manager
VM
VM
Microsoft
Linux
Red Hat
13
SafeNet ProtectV

14. SafeNet ProtectV
14
© SafeNet Confidential and Proprietary

15. ProtectV: Secures the Entire Instance Lifecycle
Protect – Identify and encrypt entire VM, including
boot and storage partitions
You must be
authenticated and
authorized to boot a
server to the OS
All data and VMs are
encrypted
Every time you
delete a key, it
“digitally shreds”
the data, rendering
all copies of VMs
inaccessible
Every copy of VM in
storage or backup is
encrypted
Protect
Start
Daily Operations
Snapshot
Delete
1
2
3
4
5
15

16. SafeNet ProtectApp
with AWS SDKs
16
© SafeNet Confidential and Proprietary

17. SafeNet ProtectApp
SafeNet ProtectApp with Amazon S3 SDKs
• ProtectApp’s Java API and AWS SDK for Java interoperate to form an encryption client that provides
keys as input to applications in order to encrypt an object before sending to S3
• Provides customer controlled client-side object encryption for storage in Amazon S3
• Enable developers to leverage existing AWS SDKs with the addition of centralized customer controlled
enterprise key management
• AWS administrators can manage the storage environment but never have access to unencrypted
application data
17
© SafeNet Confidential and Proprietary

18. SafeNet ProtectFile
• Encrypt a variety of flat file types (text documents, spreadsheets, image files, etc.)
• Ensure files and folders are encrypted on Windows and Linux platforms on Amazon EC2 and on-
premise before storing in the cloud (EBS or S3)
• Administrators can set policies to encrypt particular files and folders, granting access to only
authorized groups and users
• Render files containing sensitive data useless to attackers
18
© SafeNet Confidential and Proprietary

19. SafeNet ProtectFile
19
© SafeNet Confidential and Proprietary

20. ProtectFile Provides Separation of Duties
20
Finance
Sales
Human
Resources KeySecureKeySecure
SSL
Server
Administrator
Server
(Windows or Linux)
Server
(Windows or Linux)
DataSecure
Administrator
Application
Hardware
Operating
System
Database
Files and
Folders
Remote Storage
(NAS, SAN)
Local
Storage
(DAS)
ProtectFile

21. SafeNet ProtectDB
21
© SafeNet Confidential and Proprietary

22. SafeNet ProtectDB
SafeNet ProtectDB provides transparent column-level encryption of structured data
residing in databases.
The solution efficiently encrypts and decrypts specific fields in databases that may contain millions of
records.
Deployed in tandem with SafeNet KeySecure hardware or virtual appliance, ProtectDB offers
centralized key and policy management to ensure encrypted data remains secure throughout its
lifecycle.
The solution provides a single interface for logging, auditing, and reporting access to protected data
and encryption keys, a critical feature for compliance and data protection.
SafeNet ProtectDB features built-in, automated key rotation and data re-keying, a critical feature for
compliance and data protection.
The highly-scalable solution enables isolation of sensitive data in a shared infrastructure, separation of
duties, and improved compliance with a variety of regulations including, but not limited to, credit card
numbers for Payment Card Industry Data Security Standard (PCI DSS).
22
© SafeNet Confidential and Proprietary

23. SafeNet Tokenization
23
© SafeNet Confidential and Proprietary

24. SafeNet Tokenization
SafeNet Tokenization protects sensitive data (primary account numbers, social security numbers, phone numbers, passwords,
email addresses, etc.) by replacing it with a unique token that is stored, processed or transmitted in place of the clear
data.
Using Format Preserving Tokenization (FPT), SafeNet Tokenization preserves the length and format of the sensitive data.
SafeNet Tokenization is also flexible in its ability to support a variety of token formats, such as last four, first six, custom
formats, and regular expression.
The solution utilizes Web APIs for easy deployment, requires no changes to existing databases and applications, and is
extremely scalable across multiple data centers in the distributed enterprise.
Deployed with SafeNet KeySecure hardware or virtual appliance for centralized key and policy management, SafeNet
Tokenization provides a single, centralized interface for logging, auditing, and reporting access to protected data, keys, and
tokens.
Tokenization also features built-in, automated key rotation and data re-keying, a critical feature for compliance and data
protection.
Compliant with PCI Tokenization Guidelines and VISA Tokenization Best Practices, Tokenization is an ideal solution for
organizations with high compliance costs as it significantly reduces regulatory scope, facilitates the annual audit process, and
results in reduced total cost of ownership.
24
© SafeNet Confidential and Proprietary

25. SafeNet Authentication
Service
SafeNet Authentication Service is a cloud-based authentication service that offers
multi-factor authentication solutions, protecting identities and ensuring that individuals
accessing Amazon WorkSpaces are who they claim to be.
SafeNet Authentication Service, combined with Amazon WorkSpaces, offers enterprises a
best-in-class virtual desktop system with strong authentication.
Next-Generation Authentication from SafeNet
Reduce the risk of unauthorized access to sensitive corporate resources.
Reduce IT management overhead through automated user and token lifecycle administration.
Enforce consistent access policies throughout your IT ecosystem—VPNs, SaaS applications,
web portals, and on-premises applications.
Have a single point of management for defining and managing access controls to all resources.
Increase user convenience with federated login, extending enterprise identities to the cloud
25
© SafeNet Confidential and Proprietary

26. Online
Storage
Application
Hosting
Disaster
Recovery
SAML
Tokens & Users
Administrator
Agent
RADIUS
API
Private Networks
Corporate
Network
Corporate
Network
Corporate
Network
Corporate
Network
LDAP / Active
Directory
LDAP / Active
Directory
LDAP / Active
Directory
LDAP / Active
Directory
Cloud
Services
Cloud
Applications
SAML
SAML
SAS: Authenticating Networks, Applications and
a Variety of Cloud Services

27. 121
Authentication
Integrations

28. Use Case

29. Customer Example: Netflix Key
Management
Goals
• Remove data center dependencies and
complexity
• Increase reliability and performance
Approach
• HSMs per region/environment
• Migrated from SafeNet KeySecure in the
data center to CloudHSM
• Decommissioned data center configuration

30. Netflix: Results
Using AWS Cloud HSM with
HSM appliances in 3 regions
Lower latency and high
security
Eliminate on-premises
datacenter-based HSM/KM
Saves money – 33% savings
over original projections
AWS
Virtual Private Cloud
CloudHSM VPC Instance
SSL
Application
HSM Client

31. Customer : FXXX MXXX - Property loan
Need?
FXXX MXXX hosts borrower or loan servicer information along with credit scores and other personal
information. They plan to move their information to AWS cloud (cost savings). Their security team will
not allow any server on the cloud unless the personal information on databases hosted in public
cloud is protected (i.e. encrypted).
Why are they interested in ProtectV?
Unique AWS solution
Key Management on premise
Encrypting the entire VM
Environment?
AWS VPC Public Cloud
Handful of servers
Want to encrypt everything that goes into the cloud
31

32. Customer : TXX - Logistics company
No infrastructure deployed to TXX Express premises
Resilient cloud based service allowing for easy re-use of the
service globally
Low per user per month token cost allowing for integration with the
remote access service, offering an integrated and robust solution
• Cost the same as old remote access solution but offers,
• Strong authentication as standard
• More flexible access options
Flexible form factors allowing easier deployment and acceptance
of the technology
Lower TCO of the existing Authentication solution
Time to provision a user down from 5 days to 30 minutes

33. Why choose Gemalto and AWS?
Gemalto and AWS can deliver an end-to-end “secured infrastructure” for ALL
data
• Secure Isolating of each virtual instance with ProtectV
• Application layer protection with ProtectApp and Tokenization
• File or Database protection with ProtectFile, ProtectDB
• Certifications to assure compliance
• CloudHSM provides customer control of encryption keys
Enable 2-Factor Access Control with Authentication Services
Virtual KeySecure and ProtectV enable 100% customer deployment at AWS,
consumed like cloud services
Solution is extensible to other providers via KMIP
• Gemalto has 40+ integration partners for key management already!
Smooth Transition from Physical DC to Cloud
33
© SafeNet Confidential and Proprietary

34. © SafeNet Confidential and Proprietary
Thank You!
Questions?
Sheung-Chi NG, APAC
Sheungchi.Ng@safenet-inc.com
Apr 2016