Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework


Transcript of Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework

Page 1: Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework

Securing the Breach: Using a Holistic Data Protection Framework

Alex Hanway, Product Marketing Manager

March 2016

Page 2

Agenda

A brief history of encryption

How encryption is now deployed in the enterprise

Encryption and key management best practices

Page 3

Origins of an Organized Approach

Scytale and Caesar Ciphers

Character Based

Simple character transposition

Depended on algorithm secrecy

Page 4

Encryption Goes Mechanical

Enigma rotor

Complex mechanical and electromechanical machines

Character based encryption

Patented 1918

Commercial and military usage

Page 5

Cryptography in the Modern Age

Modern cryptography began in the late 1940s, aligned with the Information Age

Encryption moved from character based to bit based

The Data Encryption Standard (DES) used 56 bit keys (1975)

Triple DES (3DES) used 192 bit keys (1998)

The Advanced Encryption Standard is available to all (2001)

AES uses 128 or 256 bit keys and ‘modes’ to secure data

Page 6

Encryption in the Enterprise

Page 7

The Decision that Starts It All…

Confidential and Proprietary | For Internal Gemalto Use Only

“Many organizations understand the benefits of encryption … but have difficulty on the question of just where to encrypt the data?” - Jon Oltsik, Senior Analyst, Enterprise Strategy Group

[Chart: the encryption layers Application, Database, File and Storage / Tape / Disk, ordered from Source to Destination and plotted against Deployment Effort and Security]

Page 8

Crypto Management Challenges

More Encryption Keys to Store & Manage

Growing Number of Encryption Use Cases

Non-Repudiation
• Document Signing
• Citizen eIDs
• Boarding Passes
• Transaction Signing
• Biometrics

Integrity
• Electronic Transfers
• Time stamping
• Signed Audit Logs
• Secure Communications
• Mobile Payments

Encryption
• Disk & File Encryption
• Code Signing
• Database Encryption

What is Driving This Adoption?
• Internet of Things
• Compliance
• KMIP
• Virtual Data Center and Cloud
• Partner Integrations
• Datacenter Consolidation
• Cybersecurity
• Next Gen PKI

Who controls the keys?

Are the keys trusted?

Where are the keys located?

Will they pass an audit?

Do they meet my future deployment models?

Do they work with my 3rd party applications?

Page 9

What are the options?

Application-level encryption

Database-level encryption

File-level encryption

Disk and partition encryption (Physical & Virtual)

Page 10

How Enterprises are Thinking…

Often, information security decisions are made urgently in response to ‘fire drills’ – tight timelines dictated by new mandates, threats, or breaches. Commonly this is done by business units.

For BUs, it’s natural to adopt a ‘build-it-yourself’ or ‘go-it-alone’ approach. In fact, it works in many IT cases.

But building encryption and managing keys is a more complicated and resource-intensive investment than people think.

In addition, once encryption is implemented, administrators and teams must continue to manage the encryption keys for their deployment. Suddenly the easy DIY project becomes an on-going administrative headache.

Page 11

The Proliferation of Silos


File Servers

Applications & Web Servers

SQL & NoSQL Databases

Mainframes

Storage

Backup Media

Today – Silos

• Costly & Complex Administration

• Inconsistent Security Policy Enforcement

• No Repeatable Process

• Inhibited Data & Business Workflow

• Audit Challenges

Page 12

Encryption and Key Management Best Practices

Page 13

Required Elements

Encrypt the Data
• At-rest in storage
• In motion across the network
• On-premises or in the cloud

Strong Key Management
• Secure and own encryption keys
• Centrally manage keys and policies

Access Control
• Protect identities
• Ensure only authorized users and services have access

1. CONTROL IDENTITY: Who & What Can Access Sensitive Data

2. PROTECT DATA: Protection & Controls that Sit with the Data

Page 14

Where to Encrypt and Manage Keys?

“Many organizations understand the benefits of encryption … but have difficulty on the question of just where to encrypt the data?” Jon Oltsik, Senior Analyst, Enterprise Strategy Group

[Chart repeated from page 7: the encryption layers Application, Database, File and Storage / Tape / Disk, ordered from Source to Destination and plotted against Deployment Effort and Security]

Page 15

Data Protection Best Practices

Protect Data
• Encrypt or Tokenize
• Apply Access Controls

Protect Keys
• Manage Key Lifecycle
• Apply Access Controls

Decouple KEYS from DATA

Page 16

A Three Step Approach

File Servers (DAS, SAN, NAS, HDFS) | Databases (SQL & NoSQL) | Applications (Application servers) | Public Cloud (Cloud Servers and Virtual Machines)

• Centralized Key Management (Generation, Rotation, Expiration, etc.)
• Audit Reporting and Compliance Management
• Separation of duties – Encryption Keys decoupled from data

• File Level Encryption
• Database Level Encryption
• Application Level Encryption
• Tokenization

+ Access Control

Page 17

Software-based Key Management

Application Server
• Application
• APIs: PKCS #11, CAPI / CNG, Java CSP, OpenSSL, XML
• Cryptographic Processing
• Key Storage
• Key Usage Services
• Key Management Services: Backup/Restore, Export Controls, EKM Interface, Policies

Page 18

A Physical Network-Attached Key Manager

Multiple Application Servers
• Application
• APIs: PKCS #11, CAPI / CNG, Java CSP, OpenSSL, XML

Network-Attached Key Manager
• Key Usage Services
• Key Management Services: Backup/Restore, Export Controls, EKM Interface, Policies
• Key Vault Services: Tamper Resistance/Response, Separation of Duties, M of N Controls
• Cryptographic Processing (Offload)
• Multiple Partitions
• High Availability and Load Balancing
• FIPS 140-2 Level 3, Common Criteria EAL4+

Page 19

Key Management: Best Practices

Encryption in the enterprise is simple. Key management in the enterprise is the real challenge.

Key Management: Proper rotation, deletion, etc.

Centralized key management: Keep track of all the keys, all the time

Separation of Duties: No single user with the keys to the kingdom

Key security: Hardware storage

Replication: Ensure high-availability

Backup and restoration: Protect against catastrophe

Auditing and reporting: Demonstrate that you control your data
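The "M of N Controls" listed for the key vault on page 18 and the "no single user with the keys to the kingdom" rule above are usually realized with a threshold secret-sharing scheme. The following is an added example written for this transcript, not Gemalto or SafeNet code (the slides do not say which scheme the appliance uses): it splits a key into N shares with Shamir's scheme over GF(2^521 - 1) so that any M custodians can reconstruct it while M - 1 learn nothing; the prime and the 64-byte limit are constructed choices.

```python
import secrets

# Field for the arithmetic: the Mersenne prime 2**521 - 1, so any key of up to 64
# bytes is a single field element. The prime is a constructed choice for this example.
PRIME = 2**521 - 1

def _eval_poly(coeffs, x):
    # Horner evaluation of coeffs[0] + coeffs[1]*x + ... over GF(PRIME)
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split(secret: bytes, m: int, n: int):
    """Split a key into n shares so that any m of them reconstruct it (M of N)."""
    if not 1 < m <= n or len(secret) > 64:
        raise ValueError("need 1 < m <= n and a secret of at most 64 bytes")
    # Constant term is the key; the other m-1 coefficients are random, so any
    # m-1 shares are consistent with every possible key and reveal nothing.
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def interpolate(shares):
    """Lagrange interpolation at x = 0: recovers the constant term (the key as an int)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def combine(shares, m: int, length: int) -> bytes:
    """Quorum check plus reconstruction: refuse the ceremony below m custodians."""
    if len(shares) < m:
        raise ValueError(f"{len(shares)} shares presented, quorum is {m}")
    value = interpolate(shares)
    # A wrong reconstruction may not fit in `length` bytes; widen rather than crash.
    return value.to_bytes(max(length, (value.bit_length() + 7) // 8), "big")
```

Each custodian holds one (x, y) share; the appliance enforces the quorum, and interpolating fewer than M shares yields an unrelated value.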

Page 20

Key Management Best Practices

Centralize key management across the enterprise
• Application, Database, File, Disk, TDE, Virtual
• Control centrally and then farm out encryption to individual BUs

Store keys in hardware
• Physical key management appliance
• Hardware Security Module (HSM)

Design an architecture that scales. A key manager should:
• Manage load balancing
• Conduct health checking
• Offer connection pooling
• Be able to broker SSL handshakes

Control key access
• Separate duties amongst administrators
• Implement access controls around secured data
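Pages 16, 19 and 20 describe the control plane of a central key service: keys generated, rotated and expired centrally by version, keys decoupled from the data they protect, duties split between the security administrators who manage keys and the applications that only use them, and an audit trail for reporting. The following is an added example written for this transcript, not Gemalto or SafeNet code; it implements those controls in stdlib Python, with HMAC-SHA256 in counter mode standing in for an AES mode, and the role names "security-admin" and "application" are constructed for the example.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode: a stdlib stand-in for an AES mode.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

class KeyManager:
    """Toy central key service: keys never leave it, every use is authorized and logged."""
    def __init__(self):
        self._keys = {}     # (key name, version) -> 32-byte key material
        self._current = {}  # key name -> version used for new encryptions
        self.audit = []     # (actor, action, key name, version) for audit reporting

    def _authorize(self, actor, role, allowed, action, name, version=None):
        granted = role in allowed  # separation of duties: admins manage, apps only use
        self.audit.append((actor, action if granted else "DENIED " + action, name, version))
        if not granted:
            raise PermissionError(f"{actor} as {role} may not {action} {name}")

    def rotate(self, actor, role, name):
        """Create a new key version; older versions stay usable for decryption only."""
        self._authorize(actor, role, {"security-admin"}, "rotate", name)
        version = self._current.get(name, 0) + 1
        self._keys[(name, version)] = secrets.token_bytes(32)
        self._current[name] = version
        return version

    def retire(self, actor, role, name, version):
        """Expire a key version: data encrypted under it becomes undecryptable."""
        self._authorize(actor, role, {"security-admin"}, "retire", name, version)
        del self._keys[(name, version)]

    def encrypt(self, actor, role, name, plaintext):
        """Return a record the application stores next to its data: no key inside."""
        self._authorize(actor, role, {"application"}, "encrypt", name)
        version = self._current[name]
        key, nonce = self._keys[(name, version)], secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return {"key": name, "version": version, "nonce": nonce, "ct": ct, "tag": tag}

    def decrypt(self, actor, role, rec):
        self._authorize(actor, role, {"application"}, "decrypt", rec["key"], rec["version"])
        key = self._keys[(rec["key"], rec["version"])]  # KeyError once the version is retired
        expect = hmac.new(key, rec["nonce"] + rec["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(rec["tag"], expect):
            raise ValueError("ciphertext or nonce was modified")
        return bytes(c ^ k for c, k in zip(rec["ct"], _keystream(key, rec["nonce"], len(rec["ct"]))))
```

Because each record carries only the key name and version, rotation does not require re-encrypting old data, and retiring a version is the crypto-shredding step that makes that data unreadable.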

Page 21

Segregation of Roles & Responsibilities

Security Administrators
• Responsible for key management, security policies, access controls

Database Administrators
• Responsible for database management, schemas, field definitions, creation of views and triggers, installation of stored procedures

Application Developers
• Responsible for application code changes and/or developing stored procedures to be installed on the database

Others
• Storage admin, backup admin, virtualization admin, etc.

Page 22

Enterprise Data Protection as Centralized Service

Today – Silos

File Servers, Applications & Web Servers, SQL & NoSQL Databases, Mainframes, Storage, Backup Media

• Costly & Complex Administration
• Inconsistent Security Policy Enforcement
• No Repeatable Process
• Inhibited Data & Business Workflow
• Audit Challenges

Tomorrow – Unified

UNIFIED DATA PROTECTION PLATFORM: Compliance, Crypto Foundation, Security, Key Management, Policy Management

Cloud / On-Premises / Virtual

• Single Vendor
• Centrally Defined & Managed Security
• Strong Compliance & Low Audit Cost
• Increased Security, Business Agility, & Lower IT Costs

Page 23

The Benefits of Buying In

Better Security

When security policies are centrally managed and broadly deployed, it is easier to ensure effective enforcement. Sensitive cryptographic keys and policy controls are tightly secured in purpose-built mechanisms.

Every group that goes its own way remains vulnerable to compromise. Unauthorized entry into one department could spread to other departments.

Budget Savings

Security administration is time-consuming, costly and complex. Farming out encryption security responsibilities preserves departmental budget.

Offload on-going key management costs to other parts of the organization and benefit from architecture designs made by others.

Page 24

The Benefits of Buying In (Continued)

Streamlined Collaboration

Security silos run counter to the increasing interconnection of corporate applications and workflows. Sharing sensitive data across departments introduces security gaps, complexity and latency into the business.

Standardizing encryption through the central service improves the ability to collaborate freely across the organization without fear of vulnerability or non-compliance.

Faster Innovation

Building encryption yourself is deceptively complex and time-consuming. Farming out key management to the central service frees resources that can be dedicated to other important tasks.

Central encryption services can create standard ready-to-use APIs and platforms that shorten development cycles for new products & services.

Page 25

Holistic Enterprise Data Protection Framework

PARTNERSHIPS / ECOSYSTEM
• Amazon Web Services, Microsoft Azure
• HP, Dell, NetApp (Storage)
• Chef, Docker
• Oracle, Microsoft SQL, IBM DB2, MySQL, MongoDB, Cassandra
• Apache Hadoop, IBM BigInsights
• IBMz – mainframes, IBMi – AS400

POINTS OF PROTECTION
• NoSQL Databases
• SQL Databases
• Storage Archive Tapes
• Files, Folders & Shares - DAS/NAS/SAN
• Big Data
• P-to-NonP
• Tokenization
• Application Encryption
• Cloud Public & Private
• Application Key Management
• ERP & CRM

ENCRYPTION & TOKENIZATION
• SafeNet ProtectApp
• SafeNet ProtectDB
• SafeNet ProtectFile
• SafeNet Tokenization
• Database Native TDE
• Transform Utility
• Bulk Tokenization
• Web Services

ENTERPRISE KEY MANAGEMENT
• SafeNet KeySecure

Page 26

Thank you.