Технологическая презентация SafeNet на семинаре "Информзащиты".

1. SafeNet DataSecure platform
Technological leadership in protecting the
information lifecycle
Marko Bobinac
Insert Your Name
PreSales Engineer Eastern EMEA
Insert Your Title
21.02.2012
Insert Date

3. The Data Protection Company
Protecting high value information in
the worlds most complex environments
Solutions for persistently protecting information as
it moves through its lifecycle
Protection that evolves with the customer needs
3

5. What We Do
You manage the world’s most sensitive, high-value
data. Our mission is to protect it.
5

6. SafeNet Data Protection Product Portfolio
Identities Transactions Data Communications
Data Encryption High-Speed
Authentication HSM
and Control Network Encryption
Offering the broadest Offering The most SafeNet’s DataSecure – a SafeNet high-speed
range of authenticators, secure, and easiest to Universal platform network encryptors
from smart cards and integrate technology for delivering intelligent data combine the highest
tokens to mobile phone securing PKI identities protection and control for performance with a unified
auth—all managed from and transactions. information assets management platform
a single platform

7. ProtectDB
Databas
ProtectFile
e
ProtectApp
File Servers Key Secure
SAM
Application/
ProtectZ
Web Servers
Mainframe
HSM
Email Gateways
PKI Infrastructure
Datasecure Certificate Authority
Data Encryption
Storage Encryption
Self Encrypting HDs & Control
Web Gateways
eSafe
Endpoint
Protection
1
Firewalls / SSL VPNs High Speed Encryption
Communication Protection Protection NAS
Communication Protection
Cloud / External IT Solutions
ProtectApp DataSecure
Authentication & Access
Management
Identity Protection
Secure Cloud Storage &Applications
HSM HSE
Cryptographic Keys Public and Private
Virtualized Application Security Cloud Infra Protection
Authentication & Access
Management SRM SaaS
Access to Cloud-Based Apps Software Rights Management
Software as a Service

8. Cryptography
as an IT Service 3rd Party
Technologies
Storage Secure KMIP
Appliance
HSM
Appliance Certificate Infrastructures
File Shares Nat. IDs AMI
Tape E-Signatures Metering
Backups
Network
Storage E-Passports
Protect
Protect Storage
Infrastructure
Protect V Manager
Virtual Appliance
Authentication
Manager
Data Secure
Virtual Instances Appliance
Virtual Storage Management
Center
Protect Cloud **##**
&Virtual Infrastructure High Speed Protect
Encryptors
Tokenization
Identities
Protect Applications Protect
Data Centers File Servers Data Transfer
Databases Mainframes
8

9. The Magic Quadrant for User Authentication
challengers leaders
Ability to execute
niche players visionaries
Completeness of vision
As of January 2012

10. DataSecure:
The Foundation of Data Encryption & Control
Insert Your Name
Insert Your Title
Insert Date

11. Six Best Practices in Data
Protection & Compliance
1. Security — Not Just Compliance
2. Define your Corporate Policies
3. Involve the Stakeholders
4. Know your Data
5. Understand your Threats
6. Determine where to Protect your Data
11

12. Seven Methodologies
for Data Encryption & Control
1. Maintain Control Over Data Types
2. Create Points of Trust for Administration and
Policy
3. Leverage a Secure, Hardened Platform
for Heterogeneous Environment
4. Chose Standards Based Security when
Possible
5. Select a Flexible Platform for Encryption and
Tokenization
6. Pick a Solution with Key Management
Best Practices
7. Ensure Proof of Compliance is Easy
12

13. Worldwide Compliance Requirements
• Canadian Electronic • Basel II Capital Accord • PCI (WW)
Evidence Act
• PCI Data Security Standard • AIPA (Italy)
(WW) • GDPdU and GoBS (Germany)
• CA SB1386 et al • NF Z 42-013 (France)
• HIPAA (USA) • EU Data Protection Directive • Electronic Ledger
• FDA 21 CFR Part 11 • Financial Services Storage Law (Japan)
• GLB Act • Authority (UK) • 11MEDIS-DC (Japan)
• Sarbanes-Oxley Act (USA) • UK Data Protection Act • Japan PIP Act
13

14. SafeNet Data Encryption & Control
 Protecting sensitive data throughout its lifecycle...
wherever it resides
In Data Centers On Endpoints ProtectDB Tokenization
• Applications • Desktops 0000 000 00
• Databases • Laptops Databases
ProtectZ
• File Servers • Removable Media
ProtectApp
• Mainframes
Mainframes
DataSecure
Platform
ProtectFile Server
WebAppServers
In the Cloud Cloud
ProtectDrive
ProtectFile
• Persistent, secured cloud storage for
structured & unstructured data
File Servers
ProtectDrive
14

15. DataSecure Platform
 Appliance solution for
• High-performance encryption
• Simplified cryptographic key and policy management
• Hardened Linux kernel
• FIPS and Common Criteria certified
• High Availability
 Combined with connectors (software)
• Connectors for applications,
databases, file servers, and stations.
• Secures the connection to the appliance (connection
pooling, SSL).

16. Core Benefits of SafeNet DataSecure
Centralized encryption and key Authentication, authorization, and
Security Hardware-based solution
management auditing
High performance encryption Batch processing for massive
Performance offload amounts of data
Local encryption capabilities
Support for heterogeneous Support for open standards and Range of enterprise deployment
Flexibility environments APIs models
Simplified appliance-based
Manageability approach
Web management console CLI (command line interface)
Enterprise clustering and Load balancing, health checking, Geographically distributed
Availability replication and failover redundancy

17. Security
 Centralized Policy Management
• Security administrators control data protection policy
• Keys created and stored in a single location
• Dual Administrative Control
• Separation of Duties
• Logging, Auditing and Alerts
 FIPS & Common Criteria Certified Solution
• FIPS 140-2 Level 2 & CC EAL2 Certified
• Keys are stored in the appliance
• Different types of encryption available: AES, 3DES, RSA ...
• Certificate authority to manage its integrated SSL access
 Authentication & Authorization
• Multi-factor authentication possible between DS <> db or application.
• Access control: Granularity of crypto policy, by key, by schedule, etc.
• Support for LDAP

18. Performance
 Encryption Offload
• Optimized, high-performance hardware
• Frees up database and application servers
• Latency less than 300 microseconds per request
 Local Encryption Option
• Configurable for hardware offload or local encryption
 Batch Processing
• Perform batch encrypts/decrypts for high performance
• More than 100k TPS
• Batch tools include:
• Transform Utility
• ICAPI (SafeNet API protocol)
• Easy integration into existing applications
Perf. Average - 15 minutes to encrypt 5,000,000 records in 16 octects (char)
on MS SQL with x 1 i430 in AES256

19. Flexibility
 Heterogeneous Environments
• Comprehensive enterprise solution
• Web, Application, Database, Mainframe or File Server
• Data Center or Distributed Environments
• Open Standards-based APIs, cryptographic protocols
 Scalability
• Models with capacity from 2,500 TPS to 100,000 TPS
• Clustering further increases capacity and redundancy
• Licensing structure enables cost-effective build-out

20. Availability
Moscow  Clustering
• Keys and policy are
shared/replicated
DataSecure Cluster among DataSecures
in a global cluster
 Load Balancing
• Connector software
can load balance
across a group of
appliances
• Multi-tier load
balancing enables
transparent fail over to
Saint Petersburg alternate appliance(s)

21. Positioning of the SafeNet DataSecure ®
SafeNet
ProtectApp
Tokenization 0000
000 00
Application and
Web Servers
SafeNet
ProtectDB
Databases
Mainframes
SafeNet File Servers
ProtectFile
ProtectZ
SafeNet DataSecure
SCALABLE FOR
GROWTH
21
• Configurations to meet your needs — today and in the future
• Extend invest over data types as needed
• Scalable to address growth

22. ProtectDB Use Case
 Use Case Steps CRM
1. Cleartext values passed via database 0000 000 00
server to DataSecure Credit card
2. DataSecure returns encrypted values to Value
the database server (Encrypted value can
be shared across the organization in other
environments in a persistently encrypted
format)
3. Transform Utility can be used to support Transform
Utility
high performance batch processing
0000 000 00
Supported Databases Encrypted
Value
• Oracle, Microsoft SQL Server, IBM DB2 & Teradata DataSecure
• Supports native database encryption key
storage/management 0000 000 00
0000 000 00
Algorithms 0000 000 00
• 3DES, DES, and AES 0000 000 00
Supported Platforms 0000 000 00
Credit card 00
0000 000
• Windows, Linux, Solaris, HP-UX, AIX, or IBM z/OS Value
22

23. DataBase protection with native encryption
Heterogene database environments – Oracle, MS SQL, IBM DB2…….
The information should not be visible to the DBA. (accessible vs. visible)
The cryptographic load often requires a hardware upgrade
Transparent native encryption requires an upgrade of the software versions
Access to the logs is not secure, and their reading complex (unfiltered)
Native platforms are not certified, "certifiable" (FIPS, CC)
The cryptographic keys are used in a non-secure buffer
The keys are not sequestered except with the use of an HSM, but only for the
MasterKey
Resources are not shared & key rotation process is binding

24. ProtectApp Use Case
 Use Case Steps
1. Cleartext value passed via
DataSecure
application layer to DataSecure 0000 000 00 0000 000 00
2. DataSecure returns encrypted value Encrypted
Cleartext
3. Encrypted value can be shared with Value E-Commerce Value
heterogeneous applications & (Java or .Net)
Application
database
Supported Web & Application Servers
• Oracle, IBM, BEA, IIS, Apache, Sun ONE, JBoss
Algorithms
• 3DES, DES, AES, RSA (signatures and CRM ERP
encryption), RC4, SHA-I, SHA-2 Application Application
Supported Platforms
• .NET, MSCAPI, PKCS#11, JCE, ICAPI, XML
• Windows, Linux, or IBM z/OS
Customer
Database
24

25. ProtectZ Features for Database & Applications
Running on IBM Mainframes
 Granular Protection
• Retain ownership of data on IBM z/OS mainframes Applications
in databases and applications
 Proven Algorithms
• Achieve the highest level of database and
application security by using proven cryptographic
algorithms combined with strong identity and
access-policy protection such as AES, DES and
DESede
 Broad Support
• Flexible support for APIs such as ICAPI & JCE, DataSecure
application support for Cobol, RPG, assembler for
environments such as CICS, TSO or batch and
data storage in DB2, IMS, VSAM, DASD
 Data Type Support
• Coverage for data types such as BIGINT, CHAR, Databases
DATE, DECIMAL, INTEGER, SMALLINT, TIME,
TIMESTAMP, and VARCHAR
25

26. ProtectFile for Servers Features
 Use Case Steps File
Network-attache
Server
1. Document encrypted by DataSecure Servers
based on corporate policy
2. Protected file or folder stored on file
server in data center Intellectual
3. Only privileged users can Property
access, view, modify, or delete
protected files
Interoperability with
Privileged
• RIS, SMS, Tivoli, TNG, Active Directory and multi- Users
factor authenticators
Algorithms
• FIPS 140 Level 2 AES
Supported Platforms
DataSecure
• Windows and Linux operating systems, Microsoft,
Novell, Netware & Unix (Samba)
26

27. ProtectFile Sample Policies
• Create policies that align to lines of business
• Granular policies can be defined to control access to
authorized users
Finance Managers – gets full
Call center reps can encrypt credit
access to confidential financial
card numbers for phone orders
spreadsheets
Outside Auditors – get access to
Customer contracts sent to the call
sensitive files remotely and
center are saved to a shared file
offline, but need to get re-
server by the Call Center reps where
authorized by IT every 30 days to
they are automatically encrypted
regain access. (Policy can be
and strict access control is applied.
configured based on any set
amount of time.)
Market analysts are able to access
IT Administrators – they get access and share their competitive analysis
to perform routine maintenance, on seasonal opportunities in the
but cannot see any files that have Finance folder, but only see cipher
been encrypted (IT sees only text if they try to click on the
cipher text). spreadsheet with analyst salary
information.

28. Access Policy page example

29. Access Level – sample I
 User with Encrypt & Decrypt permissions

30. Access Level – sample II
 User with Backup & Restore Ciphertext permissions

31. Access Level – sample III
 User with No Access permissions

32. Information preview: StorageSecure
 New appliance (March 2012) for protecting Storage
 Supports any kind of NAS (CIFS, NFS)
 1Gb/s - 10Gb/s of file encryption
 Transparent – works on network layer
 Not a replacement for ProtectFile – decision
depends on what fits you best as DataSecure offers
wider range of solutions!
32
32

33. Tokenization Manager Use Case
1. Sensitive data comes Payment Backoffice Small Enterprise
in through a application support Market Application
consumer system
2. Sensitive data is
passed to
Tokenization Manager
3. Tokenization encrypts the
sensitive data, stores it and
returns a token Tokenization
Manager
4. Payment application passes
tokens to Tokenization Manager
to request original data it needs
for bank transaction DataSecure
PCI
5. Tokenization decrypts and Auditor
returns sensitive data
6. PCI Auditor only needs to
inspect tokenized database and
active applications

34. Maintain Ownership and Control
with DataSecure
Centralized tool to create granular protection policies and control
who and what has access to sensitive data when and where
Standards-based encryption with the highest level of security in a
commercial platform
Logging, auditing and reporting capabilities provide visibility for
enforcement, refinement and compliance
Persistent protection as data moves within data centers, out to
endpoints and into the cloud
34

35. Protection for different Data Types
INDUSTRY DATA TYPES
 One platform to protect:
Healthcare Patient Records
Financial
Account Info
Services
• Personal Identifiable
Retail
Credit Cards Information
Manufacturing
Design Specs
Energy
Land Surveys • Payment & Transactional
Government Soc. Sec # Tax ID
Data
DataSecure
• Intellectual Property
Key Management
Policy Management
Control Administration
• Non-public Information
FileServers
Applications Databases
Cloud
35

36. DataSecure Supports Separation of Duties
 DataSecure is the foundation of data encryption &
control by securing a wide array of data types under
one platform that:
Provides tools for the
SECURITY
administration, enforcement, monitoring, and report of data
protection solution
Establishes distinct roles so no single administrator can
compromise the system
Administration for key and policy management requiring
―m of n‖ credentials
36

37. Key Management throughout Lifecycle
Oracle DB
SQL DB DB2 DB
Database
Administrator
Legal
Manager
Finance
IT Manager Manager
for Tape HR
Storage Manager
Security
Officer Generate, Certify, Backup, Activate, Deactivate, Rotate, Compromise, Destroy
37

38. Summary
Tokenization
Manager
SafeNet
000
ProtectApp
 Data Center Protection
0
000
00
Application and
• Designed to secure all of the
Web Servers
SafeNet
ProtectDB
sensitive information that is SafeNet
ProtectFile
File Servers Databases
stored in and accessed from Laptop
Mainframes
enterprise data centers SafeNet
ProtectZ
• Protecting the structured data SafeNet
ProtectDrive SafeNet DataSecure
stored in databases, SCALABLE
applications, and mainframe FOR GROWTH
environments as well as the
unstructured data kept in file The Solution Suite Includes:
servers
• ProtectDB
• With DataSecure driving • ProtectApp
central enforcement of • ProtectZ
corporate policies and access
• ProtectFile
control
• Tokenization Manager
38

39. Unrivaled Customer Success with Some of the
World’s Most Respected and Admired Companies
Financial
Technology
Household
Brands
Retail
39

40. marko.bobinac@safenet-inc.com
Thank you
Insert Your Name
Insert Your Title
Insert Date