
Page 1: Delivering Scalable Private Key Security with Hardware ......compliant private keys with maximum entropy, using certified random number generation and secure hardware protection

1©2019 Venafi, Inc. All rights reserved.

Delivering Scalable Private Key Security with Hardware Security Module Leaders

Hardware Security Modules (HSMs) protect machine identities by generating strong keys for SSL/TLS and SSH—these cryptographic keys along with digital certificates serve as machine identities. But, previously, when enterprises wanted to combine HSM key generation with certificate life cycle management, they had to rely on custom development or resource-intensive manual processes. With the introduction of Venafi Advanced Key Protect, organizations can now use the Venafi Platform for fast, automated orchestration of secure HSM key generation and protection combined with certificate issuance to improve security, increase efficiencies and meet compliance requirements. The full key and certificate life cycle is automated without the need for administrator interaction.

As the number of severe vulnerabilities and attacks targeting machine identities increases, the need for strong private keys for SSL/TLS and SSH throughout the enterprise is becoming more acute. For example, when private keys are stored in files or memory, they are susceptible to file and memory scraping as well as recent side-channel attacks. HSM-generated keys address these risks by producing strong FIPS compliant private keys with maximum entropy, using certified random number generation and secure hardware protection for keys.

HSMs have long been used in security-conscious industries, including Banking, Financial Services, Federal Agencies and Retail. Critical business applications containing sensitive data, such as PCI, PII and PHI, are now using HSM key generation and hardware protection of data.

DATA SHEET

Advanced Key Protect At a Glance

Venafi Advanced Key Protect powers the use of secure hardware-based cryptographic keys by orchestrating HSM-based generation and protection of cryptographically strong keys combined with certificate automation.

Prerequisites

• The Venafi Platform

• One of the following:

- Gemalto SafeNet Network HSM

- nCipher nShield Connect HSM

Benefits

• Leverage your existing HSM investment for strong key generation and protection

• Automate certificates and keys in a FIPS 140-2 Level 2 environment supported by HSMs

• Comply with industry and internal security requirements

• Generate strong keys from a NIST certified random bit generator (RBG)

• Orchestrate strong keys across your enterprise under strict policy control

• Eliminate risk of stolen keys from file systems, software certificate stores and system memory

HSMs are critical for secure PKI and for the protection of deployed SSL/TLS certificates to critical business applications. Now with the close partnership between Venafi and leading HSM vendors, management has been dramatically simplified. HSM-generated keys can now be accessible at machine speed, even in complex, high-security environments.

HSM security benefits are so strong that regulations like PCI-DSS recommend that all private cryptographic key material be generated and stored within an HSM to protect in-scope PCI systems. In addition, entities doing business with government agencies must adhere to FedRAMP standards. Beyond standards and regulations, organizations can substantially improve their overall security by leveraging HSMs to protect private cryptographic key material across the enterprise.

Traditionally, HSMs have only been deployed for a narrow set of applications. Despite the improved key strength and overall protection that HSMs provide for digital keys, their management burden has kept them from being utilized broadly. With Venafi Advanced Key Protect, organizations can easily expand usage and increase the value they get from their HSMs.

HSM Key Management Challenges

Broad HSM usage without key and certificate life cycle orchestration for SSL/TLS and SSH creates new challenges for organizations that want complete visibility into all of their keystores—this is a challenge even for the keys stored in the HSM. Organizations that deploy HSMs widely also lack the ability to centrally manage all their distributed keystores and are unable to consistently apply enterprise policy controls.

Previously, when organizations wanted to use automation to leverage strong HSM keys, manage the entire key life cycle, and apply policies or streamline workflows, they had to create custom scripts or run manual processes—both of which require major investments. These largely manual efforts often resulted in high-maintenance, error-prone solutions that did not scale.

The Solution: Venafi Advanced Key Protect

Venafi Advanced Key Protect delivers an out-of-the-box solution that overcomes these challenges. It integrates with industry-leading HSMs, including Gemalto and nCipher, to leverage strong HSM keys throughout an enterprise. As an add-on module to the Venafi Platform, Advanced Key Protect applies policy and workflow controls and enables fast, automated orchestration of keys and certificates. Together, these capabilities make it possible for enterprises to ensure the consistent use of the strongest cryptographic keys possible.

Supported Client Versions

• Gemalto/SafeNet (Luna) client version 6.2.2 (plus OpenSSL toolkit 1.0.2 for Apache)

• nCipher Security World client version 12.40.2

Earliest Supported HSM Versions

• Gemalto SafeNet Network HSM (formerly Luna SA) models 7000 running software version 5.4.7-1 and firmware version 6.10.9

• nCipher nShield Connect HSM

- Connect+: 500+; 1500+; 6000+; Security World version 12.40.2

- Connect XC: Base; Mid; High; Security World version 12.40.2

“We evaluated all of the products from the top players in the space. Venafi was the clear winner for multiple reasons:

• Venafi allowed us to keep the entire certificate management process in-house.

• Venafi supported all the CA and HSM technologies we use.

• Venafi is extremely flexible and could satisfy all our immediate needs and anticipated future needs.”

Fortune 500 Insurance Company. Source: TechValidate, TVID: 8DA-A8D-6DA


How It Works

Venafi Advanced Key Protect supports two distinct functions:

1. Central HSM SSL/TLS and SSH Key Generation with Key and Certificate Installation on Managed Applications.

There are times when keys need to be stored with the applications they support. Secure key material is essential, especially when keys aren’t stored in an HSM. Venafi Advanced Key Protect coordinates the generation of private keys for certificates and SSH through a central HSM and pairs this with Venafi certificate issuance and installation. Together, this provides automated, validated distribution with maximum key entropy for applications.

The Details

The Venafi Platform can be used to generate all X.509 and SSH keys in a central HSM, even for applications that do not have the capability to integrate with an HSM. This ensures that keys are created with strong random number generation across the network. In this approach, instead of keeping the private key in the HSM, the Keypair is exported from the HSM and the private key and certificate are installed on the system that will use them. This capability is supported by Gemalto HSMs.

When an administrator enters application and HSM information into the Venafi Platform, it triggers these actions by the platform:

• Instructs the HSM to generate a Keypair

• Retrieves the private key and a certificate-signing request (CSR) from the HSM

• Uses the CSR for certificate enrollment with a certificate authority (CA)

• Installs the certificate and the private key on the managed application

2. HSM SSL/TLS and SSH Private Key Protection Combined with Automated Certificate Orchestration.

This function is used when a business wants to protect keys using an HSM that is associated with the managed applications it supports. With Advanced Key Protect, private keys can be managed without ever leaving the hardware or being exposed to host memory. Businesses get full SSL/TLS and SSH key management in a FIPS 140-2 Level 2 environment—pairing automated Venafi management with the security of the HSM.

Figure: Private Key and Certificate Installed on Managed Application


Venafi is trusted by:

• 5 of the 5 Top U.S. Health Insurers

• 5 of the 5 Top U.S. Airlines

• 3 of the 5 Top U.S. Retailers

• 4 of the 5 Top U.S. Banks

• 4 of the 5 Top U.K. Banks

• 4 of the 5 Top S. African Banks

• 4 of the 5 Top AU Banks

The Details

Venafi Advanced Key Protect triggers the generation of a Keypair by the HSM and orchestrates the connection to the system that needs the certificate. Venafi delivers key and certificate management with the Keypair securely maintained by the HSM. Both Gemalto and nCipher HSMs enable this approach and this capability is supported on Apache, Windows IIS and Java keystores.

Again, the process begins when an administrator enters application and HSM information into the Venafi Platform, but this time it triggers the following actions by the platform:

• Connects to the managed application and instructs the HSM to generate a Keypair

• Retrieves a CSR from the HSM through the managed application

• Uses the CSR for certificate enrollment with a CA

• Installs the certificate on the managed application (the private key remains on the HSM)
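The two procedures on this page (function 1: central HSM generation with the key pair exported to the application; function 2: the key stays in the HSM and only the certificate is installed) as an added Go example. This is not Venafi's code and not a Gemalto or nCipher client library: the HSM is modelled by an in-process type that exposes only the crypto.Signer methods Public and Sign, which is how a PKCS#11-backed key typically appears to Go code, and the CA, the host name, the serial numbers and the one-day validity are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"io"
	"math/big"
	"time"
)

// hsmKey stands in for a key object in an HSM partition (constructed for this
// example, not a vendor API); generateInHSM is step 1 on the page. Callers get
// only Public and Sign, the crypto.Signer shape of a PKCS#11-backed key.
type hsmKey struct{ priv *ecdsa.PrivateKey }

func generateInHSM() (*hsmKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &hsmKey{priv}, err
}

func (k *hsmKey) Public() crypto.PublicKey { return &k.priv.PublicKey }

// Sign runs "inside" the module: the caller hands over a digest, never the key.
func (k *hsmKey) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(r, k.priv, digest)
}

// Export is the one call that releases key material (function 1 on the page).
func (k *hsmKey) Export() ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(k.priv)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), err
}

// issuingCA is a constructed toy CA; its signing key is HSM-held as well.
type issuingCA struct {
	cert *x509.Certificate
	key  *hsmKey
}

// issue sets a one-day validity, signs tmpl with signer and parses the result.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newCA() (*issuingCA, error) {
	key, err := generateInHSM()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert, err := issue(tmpl, tmpl, key.Public(), key)
	return &issuingCA{cert, key}, err
}

// Enroll checks the CSR's self-signature (proof of possession) before issuing.
func (ca *issuingCA) Enroll(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return issue(tmpl, ca.cert, csr.PublicKey, ca.key)
}

// requestCertificate is steps 2 and 3: the HSM signs the CSR through key.Sign
// only, then the CA enrolls it. Both functions on the page share this path.
func requestCertificate(ca *issuingCA, key crypto.Signer, host string) (*x509.Certificate, error) {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil {
		return nil, err
	}
	return ca.Enroll(csr)
}

// verifyInstall is the installer's check before step 4: the certificate chains
// to the CA for its host name and carries the public key of the HSM-held key.
func verifyInstall(cert *x509.Certificate, ca *issuingCA, key crypto.Signer) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: cert.Subject.CommonName}); err != nil {
		return err
	}
	if !cert.PublicKey.(*ecdsa.PublicKey).Equal(key.Public()) {
		return errors.New("certificate public key does not match the HSM key")
	}
	return nil
}
```

In the protected flow (function 2) the orchestrator never touches key material: generateInHSM, requestCertificate and verifyInstall hand the application a certificate and a handle, and every signature, including the CSR's proof of possession, is produced inside Sign. Export is the single call that function 1 adds, which makes its callers the natural audit point when you need to know which applications hold private keys outside the module.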

Next Steps

If you have the Venafi Platform and a Gemalto or nCipher HSM, or you’re considering investing in these solutions, contact us to learn more about how you can best leverage these solutions to maximize strong key generation and management.

About Venafi

Venafi is the cybersecurity market leader in machine identity protection, securing the cryptographic keys and digital certificates on which every business and government depends to deliver safe machine-to-machine communication. Organizations use Venafi key and certificate security to protect communications, commerce, critical systems and data, and mobile and user access.

To learn more, visit www.venafi.com

Figure: Private Key Securely Maintained on HSM