Maintaining Trust & Control of your Data in the Cloud

1. Complete encryption and key management available directly from AWS and Marketplace Complete encryption and key management available directly from AWS and Marketplace Sheung-Chi NG, APAC Sheungchi.Ng@safenet-inc.com Apr 2016

2. We are the world leader in digital security 29.04.16Trust. Every day.2 WE’RE UNIQUE. WE’RE GLOBAL. WE’RE INNOVATIVE 2,900R&D ENGINEERS 114 NEW PATENTS FILED IN 2014 180+COUNTRIES WHERE OUR CLIENTS ARE BASED 14,000+EMPLOYEES 16NATIONALITIES €2.5bn2014 REVENUE +2bn END USERS BENEFIT FROM OUR SOLUTIONS

3. DATA PROTECTON PORTFOLIO DATA ENCRYPTION CRYPTO MANAGEMENT DIGITAL PAYMENTS ENTERPRISE AUTHENTICATION TRUSTED IDENTITIES EBANKING & ECOMMERCE SECURITY AT THE core SECURITY AT THE edge DATA SECURITY IS BASED ON TWO ELEMENTS IDENTITY PROTECTION PORTFOLIO Gemalto IDP Business Areas 3 Introduction to Identity Data Protection 29.04.16

5. SafeNet’s Authentication Portfolio VPNs Web Apps Web- mail VDI SaaS Apps ERP IAM SafeNet’s Authentication Ecosystem Enterprise Endpoints SafeNet Next Generation Authentication 5 Identity Protection

6. AWS Responsibilities

7. Security and Compliance Concerns with Cloud Computing How do you maintain ownership and control of your information in a multi-tenant environment? • Securing, tracking and lifecycle/destruction of backups? • Government requests? • Privilege users of the cloud infrastructure? How do you extend data governance and compliance to internal and external mandates? 7 Can Be Challenging to Illustrate Control Of Protected and Sensitive Information in the Cloud

8. Value of Data Protection in the Cloud Leverage the benefits of cloud computing while retaining ownership, compliance and control of your information 8 © SafeNet Confidential and Proprietary

9. Enhancing AWS Security with Gemalto 9 Trust Anchor AmazonCloudHSM Hybrid Deployments Key Backup SafeNet Luna SA HSM SafeNet Backup HSM Key Management SafeNet KeySecure SafeNet Virtual KeySecure AWS Direct Integration Amazon Redshift (HSM) Amazon RDS (HSM) Encryption & Pre- Boot Auth Amazon EBS Amazon EC2 SafeNet ProtectV Client Side Encryption Amazon S3AWS SDK SafeNet ProtectApp EC2 Database Encryption Amazon EC2 Database SafeNet ProtectDB & Tokenization Partner Ecosystem Storage, Archive, Applications, Orchestration, Encryption, etc. Key Mgmt: KMIP HSMs: PKCS#11, CAPI / CNG, Java JCA, OpenSSL File Encryption Amazon EC2 Amazon S3 SafeNet ProtectFile

10. SafeNet Luna HSM AWS CloudHSM Hardware root of trust for encryption keys Tamper-resistant appliances are designed & validated to government standards* Helps meet compliance requirements Used for code signing, document signing and transaction processing Secures access to proxy layer keys for AWS-based databases (Redshift) 10 © SafeNet Confidential and Proprietary *Common Criteria EAL 4+ and NIST FIPS 140-2 Level 2

11. SafeNet vKeySecure SafeNet Virtual KeySecure • Hardened virtual appliance that runs in the AWS cloud • AWS CloudHSM hardware root of trust • Enables organizations to unify encryption and control across clouds • Centralizes key management in the cloud • Available on AWS Marketplace today 11 © SafeNet Confidential and Proprietary

12. 40+ KeySecure Integrations Largest EKM Integration Ecosystem

13. The industry’s first comprehensive solution protecting your data across physical, virtual, and cloud infrastructure. With ProtectV you can enable customers to: • Isolate Virtual Machines and storage through encryption • Authorize VM launches with StartGuard • Track key access to all copies of your data • Revoke key access after terminating an instance in the cloud or a breach ProtectV enables you to migrate your sensitive data to untrusted or shared environments securely. ProtectV Manager VM VM Microsoft Linux Red Hat 13 SafeNet ProtectV

14. SafeNet ProtectV 14 © SafeNet Confidential and Proprietary

15. ProtectV: Secures the Entire Instance Lifecycle Protect – Identify and encrypt entire VM, including boot and storage partitions You must be authenticated and authorized to boot a server to the OS All data and VMs are encrypted Every time you delete a key, it “digitally shreds” the data, rendering all copies of VMs inaccessible Every copy of VM in storage or backup is encrypted Protect Start Daily Operations Snapshot Delete 1 2 3 4 5 15

16. SafeNet ProtectApp with AWS SDKs 16 © SafeNet Confidential and Proprietary

17. SafeNet ProtectApp SafeNet ProtectApp with Amazon S3 SDKs • ProtectApp’s Java API and AWS SDK for Java interoperate to form an encryption client that provides keys as input to applications in order to encrypt an object before sending to S3 • Provides customer controlled client-side object encryption for storage in Amazon S3 • Enable developers to leverage existing AWS SDKs with the addition of centralized customer controlled enterprise key management • AWS administrators can manage the storage environment but never have access to unencrypted application data 17 © SafeNet Confidential and Proprietary

18. SafeNet ProtectFile • Encrypt a variety of flat file types (text documents, spreadsheets, image files, etc.) • Ensure files and folders are encrypted on Windows and Linux platforms on Amazon EC2 and on- premise before storing in the cloud (EBS or S3) • Administrators can set policies to encrypt particular files and folders, granting access to only authorized groups and users • Render files containing sensitive data useless to attackers 18 © SafeNet Confidential and Proprietary

19. SafeNet ProtectFile 19 © SafeNet Confidential and Proprietary

20. ProtectFile Provides Separation of Duties 20 Finance Sales Human Resources KeySecureKeySecure SSL Server Administrator Server (Windows or Linux) Server (Windows or Linux) DataSecure Administrator Application Hardware Operating System Database Files and Folders Remote Storage (NAS, SAN) Local Storage (DAS) ProtectFile

21. SafeNet ProtectDB 21 © SafeNet Confidential and Proprietary

22. SafeNet ProtectDB SafeNet ProtectDB provides transparent column-level encryption of structured data residing in databases. The solution efficiently encrypts and decrypts specific fields in databases that may contain millions of records. Deployed in tandem with SafeNet KeySecure hardware or virtual appliance, ProtectDB offers centralized key and policy management to ensure encrypted data remains secure throughout its lifecycle. The solution provides a single interface for logging, auditing, and reporting access to protected data and encryption keys, a critical feature for compliance and data protection. SafeNet ProtectDB features built-in, automated key rotation and data re-keying, a critical feature for compliance and data protection. The highly-scalable solution enables isolation of sensitive data in a shared infrastructure, separation of duties, and improved compliance with a variety of regulations including, but not limited to, credit card numbers for Payment Card Industry Data Security Standard (PCI DSS). 22 © SafeNet Confidential and Proprietary

23. SafeNet Tokenization 23 © SafeNet Confidential and Proprietary

24. SafeNet Tokenization SafeNet Tokenization protects sensitive data (primary account numbers, social security numbers, phone numbers, passwords, email addresses, etc.) by replacing it with a unique token that is stored, processed or transmitted in place of the clear data. Using Format Preserving Tokenization (FPT), SafeNet Tokenization preserves the length and format of the sensitive data. SafeNet Tokenization is also flexible in its ability to support a variety of token formats, such as last four, first six, custom formats, and regular expression. The solution utilizes Web APIs for easy deployment, requires no changes to existing databases and applications, and is extremely scalable across multiple data centers in the distributed enterprise. Deployed with SafeNet KeySecure hardware or virtual appliance for centralized key and policy management, SafeNet Tokenization provides a single, centralized interface for logging, auditing, and reporting access to protected data, keys, and tokens. Tokenization also features built-in, automated key rotation and data re-keying, a critical feature for compliance and data protection. Compliant with PCI Tokenization Guidelines and VISA Tokenization Best Practices, Tokenization is an ideal solution for organizations with high compliance costs as it significantly reduces regulatory scope, facilitates the annual audit process, and results in reduced total cost of ownership. 24 © SafeNet Confidential and Proprietary

25. SafeNet Authentication Service SafeNet Authentication Service is a cloud-based authentication service that offers multi-factor authentication solutions, protecting identities and ensuring that individuals accessing Amazon WorkSpaces are who they claim to be. SafeNet Authentication Service, combined with Amazon WorkSpaces, offers enterprises a best-in-class virtual desktop system with strong authentication. Next-Generation Authentication from SafeNet Reduce the risk of unauthorized access to sensitive corporate resources. Reduce IT management overhead through automated user and token lifecycle administration. Enforce consistent access policies throughout your IT ecosystem—VPNs, SaaS applications, web portals, and on-premises applications. Have a single point of management for defining and managing access controls to all resources. Increase user convenience with federated login, extending enterprise identities to the cloud 25 © SafeNet Confidential and Proprietary

26. Online Storage Application Hosting Disaster Recovery SAML Tokens & Users Administrator Agent RADIUS API Private Networks Corporate Network Corporate Network Corporate Network Corporate Network LDAP / Active Directory LDAP / Active Directory LDAP / Active Directory LDAP / Active Directory Cloud Services Cloud Applications SAML SAML SAS: Authenticating Networks, Applications and a Variety of Cloud Services

27. 121 Authentication Integrations

28. Use Case

29. Customer Example: Netflix Key Management Goals • Remove data center dependencies and complexity • Increase reliability and performance Approach • HSMs per region/environment • Migrated from SafeNet KeySecure in the data center to CloudHSM • Decommissioned data center configuration

30. Netflix: Results Using AWS Cloud HSM with HSM appliances in 3 regions Lower latency and high security Eliminate on-premises datacenter-based HSM/KM Saves money – 33% savings over original projections AWS Virtual Private Cloud CloudHSM VPC Instance SSL Application HSM Client

31. Customer : FXXX MXXX - Property loan Need? FXXX MXXX hosts borrower or loan servicer information along with credit scores and other personal information. They plan to move their information to AWS cloud (cost savings). Their security team will not allow any server on the cloud unless the personal information on databases hosted in public cloud is protected (i.e. encrypted). Why are they interested in ProtectV? Unique AWS solution Key Management on premise Encrypting the entire VM Environment? AWS VPC Public Cloud Handful of servers Want to encrypt everything that goes into the cloud 31

32. Customer : TXX - Logistics company No infrastructure deployed to TXX Express premises Resilient cloud based service allowing for easy re-use of the service globally Low per user per month token cost allowing for integration with the remote access service, offering an integrated and robust solution • Cost the same as old remote access solution but offers, • Strong authentication as standard • More flexible access options Flexible form factors allowing easier deployment and acceptance of the technology Lower TCO of the existing Authentication solution Time to provision a user down from 5 days to 30 minutes

33. Why choose Gemalto and AWS? Gemalto and AWS can deliver an end-to-end “secured infrastructure” for ALL data • Secure Isolating of each virtual instance with ProtectV • Application layer protection with ProtectApp and Tokenization • File or Database protection with ProtectFile, ProtectDB • Certifications to assure compliance • CloudHSM provides customer control of encryption keys Enable 2-Factor Access Control with Authentication Services Virtual KeySecure and ProtectV enable 100% customer deployment at AWS, consumed like cloud services Solution is extensible to other providers via KMIP • Gemalto has 40+ integration partners for key management already! Smooth Transition from Physical DC to Cloud 33 © SafeNet Confidential and Proprietary

34. © SafeNet Confidential and Proprietary Thank You! Questions? Sheung-Chi NG, APAC Sheungchi.Ng@safenet-inc.com Apr 2016

Maintaining Trust & Control of your Data in the Cloud

Maintaining Trust & Control of your Data in the Cloud

Recommandé

Contenu connexe

Tendances

Tendances(20)

En vedette

En vedette(20)

Similaire à Maintaining Trust & Control of your Data in the Cloud

Similaire à Maintaining Trust & Control of your Data in the Cloud(20)

Plus de Amazon Web Services

Plus de Amazon Web Services(20)

Dernier

Dernier(20)

Maintaining Trust & Control of your Data in the Cloud