Maintaining trust & control of your data in the cloud
Complete encryption and key management available directly from AWS and Marketplace
Sheung-Chi NG, APAC
Apr 2016
We are the world leader in digital security
Trust. Every day. 29.04.16
WE’RE UNIQUE. WE’RE GLOBAL. WE’RE INNOVATIVE
• 2,900 R&D engineers
• 114 new patents filed in 2014
• 180+ countries where our clients are based
• 14,000+ employees
• 16 nationalities
• €2.5bn 2014 revenue
• 2bn+ end users benefit from our solutions
DATA SECURITY IS BASED ON TWO ELEMENTS
Security at the core: Data Protection Portfolio
• Data encryption
• Crypto management
• Digital payments
Security at the edge: Identity Protection Portfolio
• Enterprise authentication
• Trusted identities
• eBanking & eCommerce
Gemalto IDP Business Areas
Introduction to Identity Data Protection
SafeNet’s Authentication Portfolio
[Diagram: SafeNet’s Authentication Ecosystem, covering VPNs, web apps, web-mail, VDI, SaaS apps, ERP and IAM across enterprise and endpoints]
SafeNet Next Generation Authentication
Identity Protection
AWS Responsibilities
Security and Compliance Concerns with Cloud Computing
How do you maintain ownership and control of your information in a multi-tenant environment?
• Securing, tracking and lifecycle/destruction of backups?
• Government requests?
• Privilege users of the cloud infrastructure?
How do you extend data governance and compliance to internal and external mandates?
Can Be Challenging to Illustrate Control of Protected and Sensitive Information in the Cloud
Value of Data Protection in the Cloud
Leverage the benefits of cloud computing while retaining ownership, compliance and control of your information
© SafeNet Confidential and Proprietary
Enhancing AWS Security with Gemalto
• Trust anchor: Amazon CloudHSM
• Hybrid deployments and key backup: SafeNet Luna SA HSM, SafeNet Backup HSM
• Key management: SafeNet KeySecure, SafeNet Virtual KeySecure
• AWS direct integration: Amazon Redshift (HSM), Amazon RDS (HSM)
• Encryption & pre-boot authentication: Amazon EBS and Amazon EC2 with SafeNet ProtectV
• Client-side encryption: Amazon S3 via the AWS SDK with SafeNet ProtectApp
• EC2 database encryption: Amazon EC2 database with SafeNet ProtectDB & Tokenization
• Partner ecosystem (storage, archive, applications, orchestration, encryption, etc.): key management via KMIP; HSMs via PKCS#11, CAPI / CNG, Java JCA, OpenSSL
• File encryption: Amazon EC2 and Amazon S3 with SafeNet ProtectFile
SafeNet Luna HSM / AWS CloudHSM
• Hardware root of trust for encryption keys
• Tamper-resistant appliances are designed & validated to government standards*
• Helps meet compliance requirements
• Used for code signing, document signing and transaction processing
• Secures access to proxy layer keys for AWS-based databases (Redshift)
*Common Criteria EAL 4+ and NIST FIPS 140-2 Level 2
SafeNet Virtual KeySecure (vKeySecure)
• Hardened virtual appliance that runs in the AWS cloud
• AWS CloudHSM hardware root of trust
• Enables organizations to unify encryption and control across clouds
• Centralizes key management in the cloud
• Available on AWS Marketplace today
40+ KeySecure integrations: largest EKM integration ecosystem
SafeNet ProtectV
The industry’s first comprehensive solution protecting your data across physical, virtual, and cloud infrastructure.
With ProtectV you can enable customers to:
• Isolate virtual machines and storage through encryption
• Authorize VM launches with StartGuard
• Track key access to all copies of your data
• Revoke key access after terminating an instance in the cloud or a breach
ProtectV enables you to migrate your sensitive data to untrusted or shared environments securely.
[Diagram: ProtectV Manager controlling encrypted VMs running Microsoft, Linux and Red Hat]
ProtectV: Secures the Entire Instance Lifecycle
1. Protect – Identify and encrypt entire VM, including boot and storage partitions
2. Start – You must be authenticated and authorized to boot a server to the OS
3. Daily Operations – All data and VMs are encrypted
4. Snapshot – Every copy of VM in storage or backup is encrypted
5. Delete – Every time you delete a key, it “digitally shreds” the data, rendering all copies of VMs inaccessible
SafeNet ProtectApp with AWS SDKs
SafeNet ProtectApp with Amazon S3 SDKs
• ProtectApp’s Java API and AWS SDK for Java interoperate to form an encryption client that provides keys as input to applications in order to encrypt an object before sending it to S3
• Provides customer-controlled client-side object encryption for storage in Amazon S3
• Enables developers to leverage existing AWS SDKs with the addition of centralized customer-controlled enterprise key management
• AWS administrators can manage the storage environment but never have access to unencrypted application data
SafeNet ProtectFile
• Encrypt a variety of flat file types (text documents, spreadsheets, image files, etc.)
• Ensure files and folders are encrypted on Windows and Linux platforms on Amazon EC2 and on-premise before storing in the cloud (EBS or S3)
• Administrators can set policies to encrypt particular files and folders, granting access to only authorized groups and users
• Render files containing sensitive data useless to attackers
ProtectFile Provides Separation of Duties
[Diagram: ProtectFile on a server (Windows or Linux), sitting between the application and the operating system, database, files and folders, and local (DAS) or remote (NAS, SAN) storage; keys served by KeySecure over SSL; Finance, Sales and Human Resources users; separate Server Administrator and DataSecure Administrator roles]
SafeNet ProtectDB
SafeNet ProtectDB provides transparent column-level encryption of structured data residing in databases.
The solution efficiently encrypts and decrypts specific fields in databases that may contain millions of records.
Deployed in tandem with SafeNet KeySecure hardware or virtual appliance, ProtectDB offers centralized key and policy management to ensure encrypted data remains secure throughout its lifecycle.
The solution provides a single interface for logging, auditing, and reporting access to protected data and encryption keys, a critical feature for compliance and data protection.
SafeNet ProtectDB features built-in, automated key rotation and data re-keying, a critical feature for compliance and data protection.
The highly scalable solution enables isolation of sensitive data in a shared infrastructure, separation of duties, and improved compliance with a variety of regulations, including, but not limited to, the Payment Card Industry Data Security Standard (PCI DSS) for credit card numbers.
22© SafeNet Confidential and Proprietary
SafeNet Tokenization
SafeNet Tokenization protects sensitive data (primary account numbers, social security numbers, phone numbers, passwords, email addresses, etc.) by replacing it with a unique token that is stored, processed or transmitted in place of the clear data.
Using Format Preserving Tokenization (FPT), SafeNet Tokenization preserves the length and format of the sensitive data.
SafeNet Tokenization is also flexible in its ability to support a variety of token formats, such as last four, first six, custom formats, and regular expression.
The solution utilizes Web APIs for easy deployment, requires no changes to existing databases and applications, and is extremely scalable across multiple data centers in the distributed enterprise.
Deployed with SafeNet KeySecure hardware or virtual appliance for centralized key and policy management, SafeNet Tokenization provides a single, centralized interface for logging, auditing, and reporting access to protected data, keys, and tokens.
Tokenization also features built-in, automated key rotation and data re-keying, a critical feature for compliance and data protection.
Compliant with PCI Tokenization Guidelines and VISA Tokenization Best Practices, Tokenization is an ideal solution for organizations with high compliance costs as it significantly reduces regulatory scope, facilitates the annual audit process, and results in reduced total cost of ownership.
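As an added illustration (not SafeNet’s or Gemalto’s code), the following Python sketches the vault-style, format-preserving tokenization described above: a token keeps the original value’s length and character classes, and the “first six” and “last four” formats leave those positions in clear while the rest is replaced by random characters. The format names, the `TokenVault` class and the sample values are assumptions of this example.

```python
import secrets
import string

# Constructed example, not SafeNet's code: a vault-style, format-preserving
# tokenizer. A token keeps the original's length and character classes, and a
# format (names assumed here) may leave the first six or last four characters clear.
FORMATS = {"full": (0, 0), "last4": (0, 4), "first6": (6, 0), "first6last4": (6, 4)}


def _random_like(ch):
    """Replace one character with a random character of the same class."""
    if ch.isdigit():
        return secrets.choice(string.digits)
    if ch.islower():
        return secrets.choice(string.ascii_lowercase)
    if ch.isupper():
        return secrets.choice(string.ascii_uppercase)
    return ch  # separators such as '-', '@' or '.' stay, preserving the format


class TokenVault:
    """Maps (value, format) to a unique random token and back. The vault is the
    sensitive store and belongs inside the tokenization service, not the app."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value, fmt="full"):
        key = (value, fmt)
        if key in self._to_token:  # same input and format always yield the same token
            return self._to_token[key]
        head, tail = FORMATS[fmt]
        middle = value[head:len(value) - tail] if head + tail < len(value) else ""
        if not any(c.isalnum() for c in middle):
            raise ValueError("format leaves nothing to tokenize")
        while True:  # retry until the token is unique and differs from the clear value
            token = (value[:head]
                     + "".join(_random_like(c) for c in middle)
                     + value[len(value) - tail:])
            if token != value and token not in self._to_value:
                break
        self._to_token[key] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token):
        """Return the clear value for a token, or None if the vault has no record."""
        return self._to_value.get(token)
```

Because only the vault can map a token back, an application or database that holds tokens alone falls out of the scope that the clear values would otherwise put it in.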
SafeNet Authentication Service
SafeNet Authentication Service is a cloud-based authentication service that offers multi-factor authentication solutions, protecting identities and ensuring that individuals accessing Amazon WorkSpaces are who they claim to be.
SafeNet Authentication Service, combined with Amazon WorkSpaces, offers enterprises a best-in-class virtual desktop system with strong authentication.
Next-Generation Authentication from SafeNet
• Reduce the risk of unauthorized access to sensitive corporate resources.
• Reduce IT management overhead through automated user and token lifecycle administration.
• Enforce consistent access policies throughout your IT ecosystem—VPNs, SaaS applications, web portals, and on-premises applications.
• Have a single point of management for defining and managing access controls to all resources.
• Increase user convenience with federated login, extending enterprise identities to the cloud.
[Diagram: SAS: Authenticating Networks, Applications and a Variety of Cloud Services. Corporate networks (with LDAP / Active Directory) and private networks reach SAS through agent, RADIUS and API integrations; cloud services and cloud applications (online storage, application hosting, disaster recovery) federate via SAML; an administrator manages tokens & users]
121 authentication integrations
Use Case
Customer Example: Netflix Key Management
Goals
• Remove data center dependencies and complexity
• Increase reliability and performance
Approach
• HSMs per region/environment
• Migrated from SafeNet KeySecure in the data center to CloudHSM
• Decommissioned data center configuration
Netflix: Results
• Using AWS CloudHSM with HSM appliances in 3 regions
• Lower latency and high security
• Eliminate on-premises datacenter-based HSM/KM
• Saves money – 33% savings over original projections
[Diagram: application with HSM client inside an AWS Virtual Private Cloud, connecting over SSL to the CloudHSM VPC instance]
Customer: FXXX MXXX - Property loan
Need?
FXXX MXXX hosts borrower or loan servicer information along with credit scores and other personal information. They plan to move their information to AWS cloud (cost savings). Their security team will not allow any server on the cloud unless the personal information on databases hosted in public cloud is protected (i.e. encrypted).
Why are they interested in ProtectV?
• Unique AWS solution
• Key management on premise
• Encrypting the entire VM
Environment?
• AWS VPC public cloud
• Handful of servers
• Want to encrypt everything that goes into the cloud
Customer: TXX - Logistics company
• No infrastructure deployed to TXX Express premises
• Resilient cloud-based service allowing for easy re-use of the service globally
• Low per-user-per-month token cost allowing for integration with the remote access service, offering an integrated and robust solution
• Costs the same as the old remote access solution but offers strong authentication as standard and more flexible access options
• Flexible form factors allowing easier deployment and acceptance of the technology
• Lower TCO compared with the existing authentication solution
• Time to provision a user down from 5 days to 30 minutes
Why choose Gemalto and AWS?
Gemalto and AWS can deliver an end-to-end “secured infrastructure” for ALL data
• Secure isolation of each virtual instance with ProtectV
• Application layer protection with ProtectApp and Tokenization
• File or database protection with ProtectFile, ProtectDB
• Certifications to assure compliance
• CloudHSM provides customer control of encryption keys
• Enable 2-factor access control with Authentication Services
Virtual KeySecure and ProtectV enable 100% customer deployment at AWS, consumed like cloud services
Solution is extensible to other providers via KMIP
• Gemalto has 40+ integration partners for key management already!
Smooth Transition from Physical DC to Cloud
Thank You! Questions?
Sheung-Chi NG, APAC
Apr 2016