SafeNet - Data Protection Company

SafeNet and NetApp Come Together
Next Gen Encryption and Enterprise Key Management

SafeNet and NetApp have teamed to
provide an unparalleled combination
of security and storage efficiency

Ondrej Valent
Regional Channel Sales Manager
ondrej.valent@safenet-inc.com
SafeNet, Inc. | www.safenet-inc.com
14. 9. 2011
© SafeNet Confidential and Proprietary

Agenda
I. Introduction
Who is SafeNet
Why are we here today
NetApp + SafeNet relationship

Overview of Products
StorageSecure Overview
Real world customer deployments
Understanding and Architecting a Unified Key Management Strategy
KeySecure Overview
8 Steps to Designing a Centralized Key Management Infrastructure


2

Proven Leader. Trusted to Protect.
SafeNet protects:
> the most money that moves in the world. 80% of all electronic intrabanking
transfers -- $1 trillion a day
> the most digital identities in the world. Most PKI identities for governments
and F-100 companies
> the most high-value software in the world. 80 million hardware keys; more
than any other vendor
> the most classified information in the world. The largest deployment of
government communications security

Global Footprint with more than 25,000 customers in 100 countries


3

Data Protection – It’s in the Lifecycle

SafeNet persistently protects information at critical point
in its lifecycle, empowering customers to efficiently adapt
to change and act on opportunity.

• Protecting the identities of users, applications, and
servers

• Securing the transactions they perform

• Enabling data ownership and control by encrypting
data when it is created, accessed, shared, stored,
and moved

• Encrypting the critical communication paths on
which data travels


4

SafeNet Data Protection Portfolio Summary
Data Encryption and Control Communication Protection –
Identity Protection - Transaction and Identity
– DataSecure, High-Speed Network
Authentication Protection - HSM
StorageSecure, KeySecure Encryption

Offering the broadest range The most secure, and World’s first and only SafeNet high-speed
of authenticators, from easiest to integrate unified platform that network encryptors
smart cards and tokens to application & transaction delivers intelligent data combine the highest
mobile phone auth—all security solution for protection and control for performance with the
managed from a single enterprise and government ALL information assets easiest integration and
platform management.

> The industry’s only > Market leader in > Data-centric, persistent > Solutions for Ethernet,
unified authentication enterprise-grade HSMs protection across data SONET up to 10Gb
platform offering > Industry innovator in centers, endpoints, and > Best-in-class Security
customers the freedom payment HSMs into the cloud Management Center
to adapt to changing > Centralized policy, key
environments > Widest portfolio of > Zero bandwidth loss,
platforms and solutions management, logging, low- latency encryption
> The market leader in and auditing
certificate-based token > Delivered over 75,000 > Unparalleled leverage
HSMs— the most in the > Integrated perimeter across classified and
authentication data leakage prevention
industry COTS communication
> Unique technology > Appliance-based, protection (FIPS 140-2
offerings with client-less > Only leading HSM with
the option of keys proven scalability, and Level 3)
tokens, high-assurance high performance
solutions, and more ALWAYS in Hardware


5

From the Data Center to the Edge, to the Cloud
Solutions that Extend Trust and Control into Virtualized Environments

ProtectDB
ProtectFile
Database ProtectApp
File Servers

Application/
Web Servers
HSM
ProtectZ
Mainframe KeySecure
PKI Infrastructure
Certificate Authority

DataSecure StorageSecure Brocade NetApp (NSE)
(BES) (FAS)
Data Encryption
ProtectFile
ProtectDrive
& Control
eSafe High Speed Encryption
Endpoint
Protection
1
Communication Protection Communication Protection

Cloud Solutions
Protect VVolume ProtectVInstance

Authentication & Access
Management
Secure Cloud-based Storage Secure Virtual Instance Control
Identity Protection HSM
DataSecure, ProtectApp,
ProtectDB,

Secure Cloud Identities
Secure Cloud Application Data and Transactions

HSE
Authentication & Access
Management

Secure Cloud
Communications
Secure Authentication for Cloud Services


6

…So Why Are We Here?
Why NetApp and SafeNet?

Storage Leadership Security Leadership
 Established market for DataFort and  Introduce replacements for the EOA
LKM, licensed Decru technology to DataFort E-series and Lifetime Key
SafeNet to build continued next-gen Manager (LKM) appliances
products
 Largest installed base of storage
encryption appliances
+  Global security leader, proven data
protection expertise
 Standards-based KMIP KM
 Established channel and sales platform—supports BES, NSE,
organizations heterogeneous environments
 Universal Storage encryption

NetApp and SafeNet – The leaders in storage and security have joined forces to introduce the
next generation of storage security and key management solutions.


7

NetApp Security Offering


8


9

Now for the fun part…let’s get into the technology

Storage Encryption and Key Management


Network-Based Storage Encryption
Compliant, Fast, Transparent, Cost Effective
• FIPS 140-2 Level 3 validation meets PCI, HIPAA,
Meet Regulatory
and government data security requirements for
Requirements data at rest

• Encrypt data at wire speeds
No Performance • No impact to existing applications
Impact • Have no requirement for additional CPU
overhead
• Plug seamlessly into current IT environment
Ease of Installation • Realize zero downtime or disruption to
workflow
• No need for modifications to hosts, servers,
applications, or forklift upgrades to storage
Scalability • As data grows, scale cost-effectively


11

SafeNet Next Generation, Drop-in Upgrade for
NetApp E-Series DataFort and LKM
StorageSecure is the industry’s only unified
platform for securing data across the entire enterprise

StorageSecure integrates transparently into network-based file and block
Encryption (NAS and IP-SAN) environments, and protects
stored data with high-speed encryption, strong access
controls, authentication, and tamper-proof auditing:
1 to 10Gbps throughput
Industry standard protocols
Multiple 10GE interfaces
Low latency, wire-speed encryption and decryption engine
Clustering for high reliability and availability

KeySecure delivers enterprise wide key management


12

StorageSecure—Typical Data Flow

StorageSecure

Encrypted Data

Cleartext Data StorageSecure


13

StorageSecure Storage Encryption

Storage Encryption
Data written
to storage
Cryptainer1
Storage
Cryptainer2
Cryptainer3
StorageSecure

Data read
from storage
Clients/
Hosts

Authentication/Storage VPN AES-256 Encrypted

ACL Enforcement Compartmentalization
IPSec*/SSL (NAS) Mitigates insider threats
Supports AD/NIS/LDAP Information sharing
Crypto-signed logging* Secure Key Management

*deferred until release 1.1


14

StorageSecure Advantages
Transparent Deployment
No agents or application/database changes
Native support for NFS, CIFS, iSCSI
Transparent rekeying* enables zero downtime deployment
Negligible Performance Impact
Supports multi-gigabit line rate speeds
Minimal latency (~150 microsecond) with ‘Cut-through Crypto’
Tape: Hardware-based compression before encryption
Hardware-based Security
Clear-text keys never leave secure hardware
Stringent certification: FIPS 140-2 Level 3 compliant (validation in process)
Trusted by sensitive military, intelligence, banking customers
Secure Enterprise-wide Key Management
Simple, yet secure key sharing for availability and information sharing
KeySecure for automated enterprise-wide mgmt

© SafeNet Confidential and Proprietary *Deferred to release 1.1
15

StorageSecure
for NAS environments

© 2008 NetApp. All rights reserved. 16
16

NAS Infrastructure Without StorageSecure
• Data accessible by default – need
` appropriate ACLs to deny access
• Replicas, backups represent additional
exposure points
  

ACLs
 • Single factor admin authentication,
inconsistent role separation (e.g., root,
? domain admin, super-user can access data)

Cleartext
• Audit logs susceptible to tampering
Cleartext
Cleartext
Cleartext

• Data ‘mixing’ concerns on consolidated
Cleartext
Cleartext
Cleartext
Cleartext

storage
• Data on old disks is easily accessible
 without sanitization
Cleartext


Cleartext
Cleartext
Cleartext

STORAGE BACKUP
ADMIN ADMIN


17

NAS Infrastructure With StorageSecure
• ACL enforcement –second level ACLs on
`
StorageSecure needed to allow access
• Replicas, backups automatically secured –
encryption keys provide single point of control
ACLs 
   • Dual factor DF admin authentication, fine
grained role separation
StorageSecure 
• Cryptographically signed audit logs capture
F2>:P;
<F3>:P;
admin actions, user access
1><9F> <F3>^Q 1><9F>
<BA><E <97>^Q
<BA><E • Cryptographic data separation, even on
shared physical disks
• Data on old disks is secure without
AUDIT  F2>:P;
encryption keys
LOGS <F3><9F>

 <97>^Q
<BA><E

STORAGE BACKUP
ADMIN ADMIN


18

Deployment Use Cases
StorageSecure on the Road


19

StorageSecure Use Case Snapshot
Conversation Mapping

Encryption-enabled separation
Isolate Data in Multi-
1 tenant Environments
of data in shared virtual
environments

Protect Compliant Data Encrypt Data in Real-Time at
2 (Maintain PCI Posture) the Point of Capture/Creation
World Leading
Bank
Encrypt Data in Primary &
Protect Offline Data
3 Secondary Storage Before
in Archives
Writing to Tape

Destroy Data Securely or Destroy Encryption Keys at
4 Repurpose Storage Any Point of the Data Lifecycle


20

StorageSecure Use Case #1:
Data Isolation and Separation of Duties
Customer 1:

web app db

Customer 2: Cryptainer1

Cryptainer2
and/or
Bank Office 1: NAS Cryptainer3
Customer Support StorageSecure

Cryptainer4

Bank Office 2:
Headquarters


21

Protect Compliant Data
Networked
Applications

web app db

Mobile Workers
Storage
(Disk and Tape) Encrypted

Encrypted

Corporate Offices
StorageSecure NAS

Address global data
Military Applications protection mandates:
PCI-DSS, GLBA, SB1386,
Basel II, DoD 5015.2,
HIPAA, SEPA, SOX, etc.

22

Archival Protection
Networked
Applications

web app db

Mobile Workers
Primary Storage Secondary Storage

Corporate Offices
StorageSecure
NAS

Military Applications NAS

Encrypted Encrypted Encrypted


23

Secure Data Destruction
Networked
Applications

web app db

Mobile Workers
Storage
(Disk and Tape) Encrypted

Encrypted

Corporate Offices
StorageSecure NAS

“Data in Danger “


24

Understanding and Architecting a
Unified Key Management Strategy


Customer Problem
Web/Application
Servers
“Pockets” of Encryption Domains
Database
Servers Multi-vendor silo-ed systems
Platform-specific solutions
Fragmented policy and key
Mainframes management

File
Operational Inefficiencies
Shares
“Spreadsheet” key management
Manual audit reviews
Audit Deficiencies & Failures
Storage

Regular key rotation
Standards adherence (NIST 800-57,
PCI-DSS, etc.)
Cloud/Virtualization

“Open” Clients

Laptop/Desktops


32

Requirements that Drive Key Management
Regulations
• PCI, Privacy Regulations impose financial penalties
• Proactive security measures have compelling ROI

IP Protection • Protect IP, digital assets from insider threat
• Strengthen access controls

• Consolidation and central management of keys across
Security Best Practices
security silos
• Strong authentication and admin role separation
• Non-repudiable auditing
• Secure data disposal
Business Trends
• Controlled data access with outsourced IT, offshore
development centers


33

An Ideal Enterprise Key Manager

Application and
web servers Databases
File Servers

Hardware

Mainframes

Laptop/mobile
Handset

SafeNet KeySecure Backup
Media

> Secure, Centralized Key Management
> Data-centric Policy Management Storage
> Identity & Access Management
> Visibility via Logging, Auditing,
Reporting


34

Best Practices for Enterprise Key Lifecycle
Management
Create Attribute Secure Modify Distribute Expire

Generate high Assign Secure keys by Automate key Provide a secure Enable purge
entropy keys permissions and wrapping with rotation and method to and delete key
key ownership to secure keys other critical distribute keys upon pre-set
privileged users functions for high expiration
based on roles Cannot store availability and policies
clear text key in Allow key usage
Enable external memory attributes to be
authenticated modified
clients to set and (create/delete/
modify key rotate) by
attributes authenticated
key owners


35

A Storage Infrastructure With and Without
Secure Key Management and Encryption

AUDIT
LOGS
ACLs
F2>:P; F2>:P;


<F3><9F> 1><9F>

?
Cleartext Cleartext
<97>^Q
Cleartext <97>^Q
Cleartext
<BA><E
Cleartext <BA><E
Cleartext

 
?
 
?


? ?

SECURITY NETWORKING/DOMAIN STORAGE
ADMIN ADMIN ADMIN

Gaps in
Strong Inconsistent
Cryptographic Insiders (admin)
Insider manage Backup/replica
All data copies Data exposed
Data separation,
authentication ACLs
ACLs, audit logs access
but can’t read exposure
protected on old disks
Secure disposal


36

Introducing SafeNet KeySecure k460
Enterprise Key Management

Enterprise Key Management
Centrally managed, consolidation of keys
Up to 1 million keys per cluster
•Secure key replication to multiple appliances
High Assurance Level •Active-Active mode of clustering
•Redundant, hot-swappable hard drives & power
Standard based approach – OASIS KMIP (Key •Heterogeneous solutions: SFNT and non-SFNT
devices, applications, databases, storage devices, SAN
Management Interoperability Protocol) switches, tape libraries, HSM, network and endpoint
devices, etc.
Broadest Coverage in Industry
NAS - StorageSecure
SAN - Brocade Encryption Solutions (BES and FS8/18)
KMIP support (NSE/FDE, Quantum Tape Library and other 3rd Party Support)
Cloud-enabled


37

8 Steps to Designing a Centralized
Key Management Infrastructure


Key Management Design Flow Chart

Define Admin
Define Security Discover Classify Data
Roles &
Goals Sensitive Data Locations
Responsibilities

Map Data Define Data Align Policies to Document and
Movement and Restoration Use Business Automate
Use Cases Cases Processes Lifecycle Mgmt


39

In Summary…
Next Generation Encryption and Key Management
KeySecure acts as a “Glue” for an effective data protection strategy
Wide coverage in Storage Encryption – NAS, SAN, DAS & Tape

Unified Key
Robust, Standards- Streamlined,
Manager for
based Key Simplified Key
Storage, HSMs,
Management Lifecycle Mgmt
ProtectV

Enterprise
Key Mgmt for
KMIP Compliant Centralized Platform
Heterogeneous
Environments


47

Ondrej Valent
Regional Channel Sales Manager CEE
ondrej.valent@safenet-inc.com
SafeNet, Inc. | www.safenet-inc.com
15. 9. 2011

SafeNet - Data Protection Company

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to SafeNet - Data Protection Company

Similar to SafeNet - Data Protection Company (20)

More from ASBIS SK

More from ASBIS SK (20)

Recently uploaded

Recently uploaded (20)

SafeNet - Data Protection Company