Apani Ov V9

EpiForce Protecting Personal Data

  • At Apani, our solution keeps data in motion safe and secure from client to client and also server to client.
  • Apani is a global company. Our corporate office is in Southern California, with supporting offices in the UK and Japan. We are privately funded by the Takahara Group, which is widely known in Japan as the largest consumer goods company; it is comparable to a Procter & Gamble and also produces pet food. Our software originated from a Hughes project before the Takahara Group's purchase in 2003. Our technology was also used in the development of VPN software for Nortel and Cisco.
  • Apani provides support to its customers 24/7, along with professional services. We can install and support very large enterprise customers as well as small to medium businesses. Our solution can support the needs of different markets; we specialize in Retail, Healthcare, Financial Services and the Public Sector. We will discuss this further as we take a look at a few success stories.
  • Our solution works on all types of clients: Windows, Unix, Linux and others. It is easily managed via our Management Console. It is a small-footprint software solution for network segmentation, used instead of hardware firewalls. The software is able to manage user access, encryption and segmentation. It works on physical and virtual servers and protects against intruders, and it can help support compliance mandates such as PCI or HIPAA.
  • Citi was our first and is our largest enterprise customer. They are a very well known financial services company; we help them with PCI compliance. Detailed information is not available, as it is proprietary to Citi.
  • The University of Pennsylvania Health System is a group of 3 hospitals and is one of the oldest hospitals, with great credentials. Our solution helps them with PCI compliance, server segmentation and encryption of data in motion. Our tool is centrally managed, which helps IT and lowers overhead once it is set up and configured.
  • Our Public Sector success story is from the Staffordshire Police Department. Our solution supports legacy applications for the police department on their 350 servers and 2500 workstations. We helped them with their compliance initiative (in the UK it is called CoCo compliance). They are encrypting data in motion and using our server segmentation.
  • Canadian Tire Financial Services is the financial division of this Canadian retail giant.
  • Harrods is a luxury department store that also has locations in airports throughout Asia and Europe. They purchased our solutions for PCI compliance initiatives and server segmentation.
  • Firewalls and VPNs prevent unauthorized access to the corporate network from the outside; EpiForce manages access and security between systems inside the corporate network. Although hardware devices can control access between systems within the corporate network, EpiForce, as a software solution, can be significantly less expensive.
  • EpiForce components are:
    • Database server: stores all the Agent registration and policy data for the system. The database can be either MySQL, which is included with the product, or Oracle, for which support can be configured.
    • Admin Server: delivers policy on demand to each of the Agents and implements Certificate Authority functionality.
    • Admin Console: the GUI for all EpiForce policy and configuration.
    • Agents: the network security policy enforcement points. Each Agent has an X.509v3 certificate issued by the Admin Server that must be used to authenticate the Agent before any communication is permitted. When communication is requested, both endpoint Agent systems request all the applicable policies from the Admin Server.
  • EpiForce architecture: Multiple replica databases provide fail-over system resiliency as well as localized performance for regional or departmental data centers. Multiple Admin Servers provide fail-over system resiliency and load-balancing for improved performance. One or more Admin Consoles manage all databases, Admin Servers and Agents. Agents run on Microsoft Windows XP, 2003 Server, 2008 Server and Windows 7, Linux (Red Hat 3, 4 and 5), Solaris, AIX and HP-UX (both PA-RISC and Itanium). Windows and Linux systems can be virtualized in VMware, Citrix and Hyper-V, and AIX systems can be run in LPARs.
  • There are three parts to an Agent:
    • The Key Manager (KM) responds to requests from the SP to negotiate between Agents by calling the INM, and responds to requests by the SP for network security policies by asking the Admin Server.
    • The IKE (IPsec Key Exchange) Negotiation Manager (INM), in user space, authenticates the Agents using the X.509v3 certificates, negotiates security parameters and establishes Security Associations (SAs) to transfer user data.
    • The Security Policy (SP) manager is a driver that examines every packet that enters or leaves the system; it enforces the network security policy.
  • A Zone is a set of rules (clear, protect or deny) for specific ports that apply to a list of Agents or Users, IP addresses or address ranges. Additionally, Agents can be added to a Zone by address ranges, subnets, or both. There are three types of Zones:
    • Client/Server Zone: defines a Security Policy when a client initiates communication with a server.
    • Internal Access Zone: defines a Security Policy for peer-to-peer, bi-directional communications between Agents and Users. Used for communications between servers in the data center.
    • External Access Zone: defines a Security Policy between a specific Agent and a host, such as an Internet site, inside or outside the Zone.
  • When an Agent begins communications with another system, it requests from the Admin Server a list of all Zones that apply between the two end points. The Agent sorts the received Zone information by Zone priority, where Client/Server Zones have the highest priority, and uses the security policy in the highest-priority Zone that applies to the port used for communications between the two Agents. This allows the use of multiple overlapping Zones to describe the overall network security policy.
  • Because EpiForce Agents are installed as a driver, no application changes are required to implement network security policy. Some use cases for EpiForce are:
    • Separation of production from non-production systems, sometimes referred to as network segmentation
    • Limiting access to internal systems to legitimate partners and contractors
    • Protecting data-in-motion within the company network from sniffers
    • Virtualization implementations
    • Configuring network access policy on the user's login identity rather than the Agent, so that the policy follows the user as they move from system to system
  • Network segmentation can be implemented in two ways: create a Zone that either grants or denies access, or configure individual Agents as Isolated and use Zones to allow critical communications. Creating a Zone which denies communications between development systems and human resources servers eliminates developers' access to a sensitive data center resource. Network segmentation can minimize the scope of audits where one group of Agents cannot access another group.
  • Many companies are faced with a guest networking security challenge and use network firewalls, ACLs, VLANs and firewall rules to physically separate the machines involved in contractor projects from the broader network. The challenge is to manage access to systems once guests have been granted access to the corporate network. A single EpiForce Agent can be used to limit access for guest users to internal systems:
    • The guest uses a VPN through a firewall to access the corporate network. The VPN authenticates the user and provides an IP address from a pool of addresses.
    • The user is directed to a Windows or Citrix terminal server with the EpiForce Agent installed.
    • An Agent-based policy can use the source IP address range to allow or block access to internal servers.
    • A user-based policy can limit access to internal servers when the end user logs in at the Windows or Citrix terminal server.
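The Zone priority resolution described above (Client/Server over Internal Access over External Access, highest-priority Zone covering the port wins) and the guest-access scenario, modelled as a small policy resolver. This is an added example, not code from the Apani deck or the EpiForce product; the Zone types, rule actions and the terminal-server flow follow the notes, while the Agent names, user name, IP ranges, sample Zones and the `default` argument (used here to stand in for an Isolated Agent) are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone types in priority order (lowest number wins), as the notes describe:
# Client/Server outranks Internal Access, which outranks External Access.
ZONE_PRIORITY = {"client_server": 0, "internal_access": 1, "external_access": 2}

@dataclass(frozen=True)
class Endpoint:
    ip: str                 # current address; policy is keyed on name/user, so it may change
    agent: str = None       # Agent name, unique per host (None for an unmanaged host)
    user: str = None        # login identity seen by the Agent, for user-based policy

@dataclass(frozen=True)
class Members:
    """One side of a Zone: Agents or Users, plus IP addresses or ranges."""
    agents: frozenset = frozenset()
    users: frozenset = frozenset()
    networks: tuple = ()    # CIDR strings, e.g. a VPN address pool

    def contains(self, ep):
        if ep.agent in self.agents or ep.user in self.users:
            return True
        return any(ip_address(ep.ip) in ip_network(n) for n in self.networks)

@dataclass(frozen=True)
class Zone:
    name: str
    kind: str               # key of ZONE_PRIORITY
    action: str             # "clear", "protect" (IPsec) or "deny"
    ports: frozenset
    side_a: Members         # client / initiating side (either side when internal)
    side_b: Members         # server / target side

    def covers(self, src, dst, port):
        if port not in self.ports:
            return False
        forward = self.side_a.contains(src) and self.side_b.contains(dst)
        if self.kind != "internal_access":   # Client/Server and External are directional
            return forward
        return forward or (self.side_b.contains(src) and self.side_a.contains(dst))

def resolve(zones, src, dst, port, default="clear"):
    """Return (action, zone name) from the highest-priority Zone covering the flow.
    `default` is the Agent's fallback when no Zone applies; assumption: "deny" models
    an Agent configured as Isolated, "clear" a normal Agent."""
    hits = sorted((z for z in zones if z.covers(src, dst, port)),
                  key=lambda z: ZONE_PRIORITY[z.kind])
    return (hits[0].action, hits[0].name) if hits else (default, None)

# Constructed sample policy: developers denied to the HR server, data-centre traffic
# protected, VPN guests allowed only to the terminal server, one contractor to a portal.
dc = Members(agents=frozenset({"hr-db", "app-01", "dev-01", "dev-02"}))
POLICY = [
    Zone("dev-to-hr", "client_server", "deny", frozenset({445, 1433}),
         Members(agents=frozenset({"dev-01", "dev-02"})), Members(agents=frozenset({"hr-db"}))),
    Zone("datacenter", "internal_access", "protect", frozenset({445, 1433, 8080}), dc, dc),
    Zone("guest-to-ts", "client_server", "clear", frozenset({3389}),
         Members(networks=("10.200.0.0/24",)), Members(agents=frozenset({"ts-01"}))),
    Zone("guest-block", "client_server", "deny", frozenset({445, 1433, 8080}),
         Members(networks=("10.200.0.0/24",)), dc),
    Zone("contractor-portal", "client_server", "clear", frozenset({8080}),
         Members(users=frozenset({"contractor.jane"})), Members(agents=frozenset({"app-01"}))),
]
```

Because membership is keyed on Agent name and user, a developer host that changes IP address is still caught by `dev-to-hr`, which is the property the virtualization notes rely on.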
  • Policy-based encryption of data in motion enables encryption to be applied in a granular, port-level deployment, encrypting only those communications required to be confidential, to minimize encryption computational overhead. EpiForce provides enterprises the ideal encryption option: strong security, minimal application performance impact and lower bandwidth requirements.
  • Where EpiForce Agents are installed on systems running in a virtualized environment, network security policy is enforced regardless of the host system. EpiForce Agents can change IP addresses without changing any policy configurations, so virtual machines can move freely between hosts in the data center. EpiForce Agents support moving live VMs using VMware VMotion without interrupting communications; IP addresses are automatically changed as the VM is moved between ESX hosts. Not only is network traffic managed between a VM and the external network, all traffic is managed between VMs on the same host. Each Agent is identified by a unique name; since duplicate Agent names are not allowed, VM sprawl is minimized. Compare this to virtualized network security implemented using firewalls and intrusion protection systems.
  • In addition to specifying network security policy for all traffic to and from an Agent, EpiForce can also apply security policy by the user name that sends or receives traffic on all Windows platforms, in cooperation with Agents on non-Windows platforms. User names that are used to specify network policy must be entered in the EpiForce database. EpiForce supports local, system and domain defined user names. Where users are managed in a Microsoft Active Directory (AD) domain controller, user names can be imported and periodically synchronized with AD using scheduled LDAP extracts. LDAP extract schedules are configured in the Admin Console. If user names are defined in AD, the Admin Server can authenticate user names using Microsoft Kerberos login credentials before sending network security policy based on a user name to the Agent.
  • EpiForce features:
    • Uses industry standard cryptographic protocols to secure Agents and network data
    • Automates all cryptographic tasks, for example, certificate renewals and key creation
    • Provides selective data protection for data on the corporate network
    • Manages network security for all VMs within a host as well as between hosts
    • Implements identical network security policies on both virtual and physical systems transparently

    1. Protecting Your Data
    2. Apani Security
       • "Apani delivers security software protecting sensitive data from internal and external intruders."
    3. About Apani
       • Global Company
         • Headquartered: Southern California
         • Offices in United States, United Kingdom and Japan
       • Company Founded 2003, Privately Funded
         • Takahara Group, Tokyo, Japan
       • Strong Security Software Experience
         • Hughes Aircraft
         • Developed VPN software for Nortel & Cisco
       • Citigroup, Inc. First Major Enterprise Customer
    4. About Apani
       • Security Solution Provider
         • Enterprise wide security software company
         • Professional Services
         • 24/7 Technical Support
       • Market Focus
         • Retail
         • Healthcare
         • Financial Services
         • Public Sector
    5. The Apani Solution
       • Support for heterogeneous environments
       • Enterprise wide and centrally managed
       • Software based network segmentation
       • Deploy over existing network infrastructure
       • Physical and virtual machines
       • Identity based access and control
       • Transparent to both users and applications
       • Protect against insider and outsider threats
       • Encrypt data-in-motion
       • Meet compliance mandates
    6. Financial Services Success
       • Citigroup, Inc., Global financial services company
         • Provides consumers, corporations, governments, and institutions with a range of financial products and services
         • 200 million customer accounts and operates in approximately 140 countries
       • First major enterprise customer
       • PCI DSS compliance
       • Security implementation: "Details are proprietary to Citi"
    7. Health Care Success
       • Pennsylvania School of Medicine
         • Oldest and one of the finest
         • 3 hospitals with over 1500 beds
       • PCI DSS compliance
       • Encrypt data in motion
       • Server segmentation
       • Central management in a heterogeneous environment
    8. Public Sector Success
       • Staffordshire Police
         • Staffordshire, England
         • Employs 4500 personnel
       • 350 servers and 2500 workstations
       • CoCo compliance, United Kingdom
       • Support legacy applications
       • Encrypt data in motion for LAN and WAN
       • Server segmentation
    9. Retail Success
       • Financial services company providing credit card, insurance, and banking services worldwide
         • Canadian Tire Corporation, Ltd has more than 475 stores across Canada
         • CTFS is the financial services arm of Canadian Tire Corporation, Ltd
       • Managing 5 million credit card accounts
         • The Options MasterCard is accepted at 24 million locations worldwide
       • PCI DSS compliance
       • Encrypt data in motion
       • Server segmentation
       • Central management in a heterogeneous environment
    10. Retail Success
       • UK luxury department store
         • Landmark Knightsbridge department store, one of London's biggest attractions
         • Signature shops in airports and department stores in Asia and Europe
       • PCI DSS compliance
       • Encrypt data in motion
       • Server segmentation
       • Central management in a heterogeneous environment
    11. EpiForce Technical Overview
    12. Apani Product Overview
       • EpiForce: Apani Security Software Solution
       • EpiForce includes:
         • Encryption of data-in-motion
         • Network security segmentation
         • Identity based access
         • Central security management
    13. EpiForce Architecture
       • Flexible, granular policy
         • User- and host-based network access control
         • Network layer implementation
       • Distributed, failover protection
         • No single point of failure
         • No bottlenecks
       • Secure, standards-based
         • IPsec, X.509v3
         • 3DES, 128/256 bit AES
         • FIPS 140-2 level 1
       • Highly scalable
         • On-demand policy distribution
         • Up to 300,000 agents
       • Interoperability
         • Supports AIX, HP-UX, Linux, Solaris, VMware, Windows and legacy platforms
    14. Software Agents
       • Software Agent integrated with host TCP/IP stack
       • Communicates with admin server to update and monitor host security policies
       • Authenticates hosts via X.509v3 certificates
       • Mediates all inbound and outbound network access
       [Diagram: Agent components (Key Manager, IKE Negotiation Manager, Cryptographic Engine, Security Policy Manager) shown across User Space and Kernel Space beside the Application, TCP, IP and Physical Link layers, providing Access Control, Authentication, Confidentiality and Integrity]
    15. Security Zones
       • Zones are configured to create security policies
       • Zones bring lists of Agents or users together with rules (clear, deny or protect) and ports
       • There are three zone types, in priority order:
         • Client/Server Zones
         • Internal Access Zones
         • External Access Zones
       • Zones overlay existing security architecture
    16. EpiForce Deployment Scenarios
       • Network segmentation into security zones
       • Partner & outsource isolation
       • Encrypt data in motion
       • Virtualization
       • Identity based access
    17. Network Segmentation
       • Security zones provide defense in depth
       • Real time policy management
       • Host-based access control
       • Authenticate, authorize, administer and audit
    18. Contractor Isolation
       [Diagram: Contractor with VPN → Firewall/VPN → Windows/Citrix Terminal Server]
       • Single EpiForce Agent on the server can control multiple remote users and their security policies
       • Mitigates the risk of unauthorized access to critical data
    19. Encrypt Data in Motion
       • Highly effective, low-overhead encryption engine
       • Selective encryption at the port level
       • Secure legacy applications without rewrites
       • Industry-standard, strong encryption
       • Policy persistence with migration
    20. Virtualization
       • Manage virtual and physical environments
       • No bottleneck or single point of failure
       • Support for VMotion
       • Protect communication between virtual machines on the same ESX host
       • No impact on current architecture
    21. Identity Based Access
       • Network access control based on identity
         • Policy follows user
         • Flexible & dynamic
         • Data invisible to unauthorized users, reducing risk
         • Central management of security policies
         • Audit user activity
       [Diagram: user groups Contractors, Partners and Employees mapped to resources HR, Finance, Test, Portal, Sales and Marketing]
    22. EpiForce Feature Summary
       • Uses industry standard cryptographic protocols to secure Agents and network data
       • Automates all cryptographic tasks, for example, certificate renewals and key creation
       • Provides selective data protection for data on the corporate network
       • Manages network security for all VMs within a host as well as between hosts
       • Implements identical network security policies on both virtual and physical systems transparently
    23. The Ideal Security Solution
       • Easier to deploy than hardware based security products
       • Investment protection of legacy applications
       • Lower cost of ownership
         • 100% software based
         • Easily maintained
         • Limited training
       • Scalability
         • Accommodates growth
         • Adapts to changes in the network infrastructure
         • Virtual and physical environments
       • Promotes green IT
         • Install on existing servers and desktops
         • Added security without adding to the footprint
       A Solution Backed by a Company with a Passion for Client Satisfaction