Vormetric Data Security

Transcription

1 Vormetric Data Security Next Steps for Product Evaluation and Adoption Albert Dolan Systems Engineer EMEA

2 In Depth Architecture Demonstration POC Data Transformation Deployment Use Cases Defense in Depth

3 Vormetric Encryption Capabilities Data Encryption Data Firewall Security Intelligence Encrypts file system and volumes, transparent to: Applications Databases Storage Infrastructure Integrated Key Management High Efficiency Encryption Need to know access to data, based on approved behavior. Separate data access from data management for system administrators Detailed data access context Granular control of what events are captured

4 Vormetric Data Security Encryption Agent Vormetric Encryption Vormetric Key Management Key Agent Data Security Manager Unstructured Oracle 11gR2 TDE Encryption Agent Vormetric Key Vault Key Agent Database SQL Server 2008 TDE

5 Vormetric Encryption Architecture Users Application Database Operating System Policy is used to restrict access to sensitive data by user and process information provided by the Operating System. File Systems FS Agent Volume Managers SSL/TLS

6 Vormetric Encryption Policy Rules have Criteria and Effects Criteria Effects User/Group, Process, Data Location, Type of I/O, Time Permission: Permit or Deny Encryption Key: Yes or No Audit: Yes or No The Rules of a policy work like a firewall rule engine 1. Receive criteria from request. 2. Try to match Criteria to Rules. Start at the top. 3. On first match apply the associated Effect. 4. If no match, then deny

7 Policy Example Oracle Tablespace # User Process Action Effects oracle oracle_binaries * permit, apply_key root admin_tools read permit, audit * * * deny, audit, apply_key Policy Benefits Database encryption, without changing database schema or application code. Remove custodial risk of root level user

8 Software Demonstration Separation of Duties Domains Integrated Key Management Binary Signatures Audit Logs Policies

9 POC Steps Servers in Scope Understand production environment Provide pricing Acceptance Test Plan Explains details of process Specify environment information Set tasks to verify during engagement 1 2 days Onsite Verify functionality per ATP Demonstrate usage/best practices Work closely with team to explain the concepts of the solution

10 Data Transformation Need exclusive access (e.g. database offline) Backup data first! Rekey is same process Transform - File Copy Requires duplication of storage Easy to recover from if process stopped Same as database backup/restore Transform - Dataxform Multi-threaded Encrypted in place

11 Deployments Done by Professional Services/Partners Configured to your requirements Suggest: naming standards, Key ranges / rotation, User management, etc. Install DSMs and Agents, configure HA Set up policies for your environment 5 days common, including 1-2 days training

12 Use Cases

13 Common Use Cases Database Encryption File Encryption Privileged User Control DLP Quarantining Configuration File Change Management Data Transport Security

14 Use Case: Database Encryption Requirement: Database must be encrypted (e.g. PCI) High Level: Used to encrypt the Database Tablespace, and allow access to only the Database Engine Vendors: Oracle, MSSQL, DB2, Informix, Sybase, MySQL, PostGreSQL, etc. Vormetric Advantages: Any database Any database version No changes required High performance Removes system superuser access to data

15 Use Case: File/App Server Requirement: Unstructured data files used by users and applications must be encrypted High Level: Vormetric Encryption is used to encrypt data at rest. A Data Firewall is used to assign access to data for users and processes Common Applications: Windows File Servers, WebApps, Big Data, Document Management, Call Center Recordings, etc. Vormetric Advantages: No application changes Any application - from SAP to your home grown.net app Approved users never know the difference High performance

16 Use Case: Privileged User Control Requirement: Control superuser access to data High Level: Vormetric can control what sensitive data any user/process can access Vormetric Advantages: User tracked ( su and sudo can be ignored) No way to bypass Audit all activity High performance

17 Use Case: DLP Quarantine Requirement: Post Discovery Quarantining of Sensitive Data based on Classification High Level: VDS provides a centralized quarantine location for DLP products to store and lock down discovered data Vormetric Advantages: DLP Vendor Agnostic Protects data in a secured repository Enforces encryption, and need to know of sensitive materials

18 Use Case: Configuration File Control Requirement: Lock down configuration files for system utilities and applications High Level: Vormetric provides security around any identified files or file types Vormetric Advantages: Same interface for encryption and access control Can either block or audit access to files, and can change behavior based on time Can prevent changes from malware

19 Use Case: Data Transport Security Requirement: Secure data in transport High Level: Vormetric encryption can secure files being transported, either over wire or physical transport of drives/systems Vormetric Advantages: High performance Keys never visible, can t be decrypted outside of our solution

20 Vormetric + DAM Defense in Depth

21 Layered Enterprise Security Network Security Layers of Defense Firewall IDS / IPS Content filtering DLP IAM Internet WAF Applications Application Tier Data Security Layers of Defense DAM Database Operating System Data Tier Server Tier Data Storage Tier

22 Layered Database Security Solution Users Applications Database Operating System Data DAM Vormetric Awareness of Database users & rights Database Activity audit & access controls Database file encryption, OS-level audit & access controls Encryption key management

23 Thank you Questions?