With SafeNet, organizations can centrally, efficiently, and securely manage cryptographic keys and policies—across the key management lifecycle and throughout the enterprise. SafeNet's data center protection solutions are designed to secure all of the sensitive information that is stored in and accessed from enterprise data centers, including patient records, credit card information, social security numbers, and more.
Why Teams call analytics are critical to your entire business
SafeNet Enterprise Key and Crypto Management
1. 1
Enterprise Key and Crypto Management
Safenet KeySecure & DataSecure
Yves Van Tongerloo
Regional Sales Manager Belgium and Luxembourg
Yves.vantongerloo@safenet-inc.com
2. 2
What We Do
SafeNet delivers comprehensive data protection solutions
for persistent protection of high value information.
3. 3
Where We Are
A global footprint: 1600+ employees across 25 countries
4. 4
Who we are
SafeNet: Key facts
We protect the most
money that moves in
the world, $1 trillion
daily
We protect the most digital
identities in the world.
(+ 35 million identities)
We protect the most
classified information
in the world
FOUNDED
1983
REVENUE
+450m
EMPLOYEES
+1,600
- 26 countries
> 550 crypto
engineers
OWENERSHIP
Private
GLOBAL FOOTPRINT
+25,000
Customers in
100 countries
ACCREDITED
Products certified
to the highest
security standard
over 130 FIPS
certificates
Recognised by Gartner
as the Leader for
Authentication
7. 7
ProtectV – Data Protection for the
Physical and Virtual DataCenter and the
Cloud
8. 8
ProtectV: Throughout the Data Lifecycle
Every day that you power on VMs or
start up a server, ProtectV makes it
efficient, fast, and automated
You must be
authenticated and
authorized to launch
All data and VMs/servers are
encrypted
Every time you
delete a key, it
―digitally shreds‖
the
data, rendering
all copies of VMs
inaccessible
Every copy of VM in
storage or backup is
encrypted
Power On
Start
Daily OperationsSnapshot/image
Delete
1
2
34
5
9. 9
Anatomy of Securing Your Data
in the Physical/Virtual or Cloud Environment
KeySecure
DataSecure3
ProtectV Manager2
ProtectV Client1
Protected Virtual
Machines
ProtectV Client is installed on your VMs or
your servers in your datacenter.
ProtectV Manager is a virtual
machine that runs as a VM in
a VMware environment.
KeySecure/DataSecure is a hardened,
tamper-resistant high-assurance enterprise
key management solution in a hardware or
virtualized platform
Protected Volumes
Hypervisor
Storage
Protected on-premise servers
in physical datacenter
11. 11
SafeNet ProtectV on Instances
Cloud/
Virtual Servers
Cloud/
Virtual Storage
Encrypted Instance
•AES 256
• Pre-Launch Authentication
• Policy + Key Management
• Protected Volumes
ProtectV Protection
• OS does not boot without authentication
• Entire instance encrypted, protecting OS
• Attached volumes encrypted
• Supports thin provisioning critical to cloud
• Encrypt all data written to disk
• Central Key Management for strong control
• Resists brute-force attacks on keys
• Supports protected snapshots
12. 12
ProtectV and Scaling in Large Environments
Cloud APIs and Web Services
• Authentication Automation
• Bulk operations
Centralized
Management
SafeNet ProtectV Manager
• Provides centralized management
• Supports either customer premise or cloud deployments
• Manages and coordinates ProtectV Security
• Open APIs to cloud management
SafeNet KeySecure/DataSecure (on Premise)
• Centralizes key management for persistence and flexibility
• Secure key creation and storage
• Key archiving and shredding
• Easy integration with ProtectV Manager
15. 15
Crypto Service Level Encryption
Encrypt only sensitive columns
DML transparent
Eventually not DDL transparent
APP LAYER
OS LAYER
Crypto
Service
OS LAYER
DB LAYER
+ Keys in Hardware, millions of keys,
key migration, audit trail, LDAP & MS-AD integration
App Server
DB Server
Ext.
Procs
DataSecure
16. 16
ProtectDB
Column based, encryption only where needed
Supports heterogeneous DB environments
Encryption offload from DB server
PCI-DSS compliancy supported
Supports key migration process
Oracle domain index can be used
Oracle RAC configuration supported
Per instance max. ~2500 Enc Ops under real DB runtime
conditions
Supported data types: BFILE, BLOB, CHAR, CLOB, DATE,
DECIMAL, LONG, LONG RAW, NCHAR, NUMBER, NUMERIC,
NVARCHAR2, VARCHAR, VARCHAR2
Mostly DML transparent
Not DDL transparent
18. 18
ProtectDB – Database Migration Summary
CUSTOMER
Name Account SSN Address City
Irwin Fletcher 000234 12345678 411 Main Street Santa Barbara
Josh Ritter 000115 11112222 1801 21st Ave San Francisco
CUSTOMER_ENCRYPTED
Name Account SSN Address City SSN_NEW
Irwin Fletcher 000234 NULL 411 Main Street Santa Barbara 0xEED95DB7751…
Josh Ritter 000115 NULL 1801 21st Ave San Francisco 0x21010B370F87…
CUSTOMER (View)
Name Account SSN Address City
Irwin Fletcher 000234 12345678 411 Main Street Santa Barbara
Josh Ritter 000115 11112222 1801 21st Ave San Francisco
20. 20
Application Level Encryption
Addresses wide range of confidentiality threats
Granular encryption control
Not application transparent
APP LAYER
OS LAYER
Crypto
Service
Crypto
API
OS LAYER
DB LAYER
App Server
DB Server
+ Keys in Hardware, millions of keys,
versioned keys, audit trail, LDAP & MS-AD integration
DataSecure
21. 21
ProtectApp
Focusses application development in
C/C++/C#, .NET, Java
User auth against DataSecure (with MS-AD, LDAP)
Supports versioned keys and re-encryption
Full logging/auditing on client and DataSecure
Bulk enc/dec calls
25. 25
Tokenization with Encryption
Replace sensitive data with non-sensitive token
Reduces audit scope drastically
Only small pieces of data (CCnums, PANs, etc.)
APP LAYER
OS LAYER OS LAYER
DB LAYER
+ Keys in Hardware, millions of keys,
key migration, audit trail, LDAP & MS-AD integration
App Server DB Server
Token
Manager
Crypto
Service
Token DB
DataSecure
26. 26
Tokenization in Action
Customer
Token Vault Database
{Hash,Token,Enc(PAN)}
Tokenization
Manager
Application
Server
Sensitive Information (Token)
Sensitive Information (Clear)
PAN
Token
PAN Token
Enc(PAN),Hash
PAN
Hash,Token,Enc(PAN)
Token
Other
Systems
Database
DataSecure
28. 28
Tokenization
Applicable for small pieces of data (SSN, PANs, CCnums)
Some integration work needed (with API or Web service)
No changes to existing databases, 3rd party applications
Token preserves original data format and fits into original
field
Made for PCI-DSS compliancy
Reduces scope of audits
Bulk Tokenization
Luhn Check
29. 29
Token Format
Data format and representation can be preserved
Token’s may be generated using a variety of formats:
Random First_Two_Last_Four
Sequential First_Six_Last_Four
Last_Four Fixed_Nineteen
First_Six Fixed_Twenty_Last_Four
Or, token format can be user-defined vie Reg-Ex
DataSecure ApplianceCentralizedpolicy- and cryptographickeymanagmentHigh-performance encryption Integrated management interfacesHardened Linux appliance FIPS and Common Criteria certifiedConnector Software Connects DataSecure capabilities to applications, databases, file servers, desktops/laptops, mainframes, network sharesLoad balancing, health checking, connection pooling , SSL
Column Encryption GuidelinesThe ability to encrypt a column depends on the relationship between the column and its table.Below is a list of roles that columns can play and their effect on encryption.• Identity column – Cannot be encrypted.• Primary key – Primary keys are dropped during migration. You must manually recreateprimary keys if you want to preserve the conditions established by the primary keys. If theprimary key is not referenced in a foreign key constraint, you should verify that the key is notreferenced implicitly as a foreign key before encrypting.• Foreign key – To encrypt a foreign key, you must manually drop the constraints prior to datamigration. After migration, you can re-establish them.• Indexed columns – Indexed columns can be encrypted, however, the sort order of theencrypted data will not be consistent with the sort order of the plaintext data.You should also evaluate the constraints placed on your columns, as these values may affect thedata migration process. Below is a list of constraints and their effect on encryption.• Join constraints – Confirm that the columns you are encrypting are not part of a joinconstraint. If you are encrypting a column that is part of a join constraint, you should encryptboth columns.• Unique constraints – When encrypting a column with a unique constraint, that constraint isdropped during the data migration process. If you want to retain the unique constraint afterencryption, you should manually recreate the unique constraint. You cannot use field-level IVson a column with unique constraints. Instead, you should choose one IV for the entire column.• Check constraint – To encrypt a column with a check constraint, you must drop the checkconstraint.Additional rules apply to the following topics:• Default values – Columns with a default value assigned to them cannot be encrypted. This isbecause the default constraint adds plaintext data to the column. Applications accessing thatdata then try to decrypt plaintext data, yielding unexpected results.• NULL values – NULL values are not encrypted by ProtectDB. If a migrated column containsNULL values, those values remain unencrypted in the resulting encrypted column. When adatabase query yields a NULL value, no cryptographic process is required, so ProtectDB doesnot interact with the DataSecure for that query.• Columns referenced in triggers on the table – These columns can be encrypted; however,all triggers on the table must be disabled before migration and re-enabled after the migration.• Encrypted columns – The columns that are currently encrypted cannot be encrypted.• Tables containing LONG or LONG RAW columns – If a table in an Oracle database contains acolumn of type LONG or LONG RAW, you can migrate data in that table; however, you cannotcreate views and triggers against this table, due to a limitation in Oracle. This is an importantconsideration if you want to automate subsequent insert, update, and select calls on theencrypted data.