Crittografia e Enterprise Key Management una sfida possibile da affrontare

Transcription

1 <Insert Picture Here> Crittografia e Enterprise Key Management una sfida possibile da affrontare Giuseppe Russo Oracle Chief Technologist [email protected] Simone Mola SafeNet Sales Engineer [email protected]

2 Agenda Encryption, Keys and Enterprise Key Management headache How OASIS Key Management Interoperability Protocol help to solve this problem Some jointly Oracle Security Solutions and Safenet solution KMIP Use Cases for Enterprise Key Management

3 Data Loss Happens *Data from Open Security Foundation Data Loss DB,

4 Impact of Security Breaches $ Damage to corporate brand $ Loss of customers $ Fines $ Lawsuits / Settlements $ Operational costs to address breach

5 Encryption Solves the Problem Data encryption uses algorithms to transform plaintext into cyphertext, a form that is non-readable to unauthorized parties Provides protection from both off-site and on-premise information loss Enables secure shipment of data Supports time-based data expiration and secure data disposal Data Security Regulations around the world ask for encryption of sensitive data

6 It s All About the Keys Encryption keys determine functional output of encryption algorithm Keys convert the data into cyphertext and convert the data back to a readable form (clear text) Keys must be strong Randomly and securely generated Securely managed The longer the key length, the more secure the encryption method AES 256 is most secure encryption standard available today Symmetric, block cipher-based method 256 bit key length Lose the keys and you lose the data!

7 Enterprise Key Management Best Practices Keys must be always available Redundant servers with Backup/recovery Keys must be secure Proper access control: quorum, role-based, separation of duty for administration Hardened solution with FIPS certification Key management system must scale economically Easy-to-use interface with Simple client enrollment & setup Key management system must be openly architected Wide range of environments and client-end points, Standard protocols Key management system must offer auditing/reporting tools Key lifecycle, policy compliance, alerts

8 Headache reasons Enterprise Cryptographic Environments Staging Replica Production Database CRM Portals Enterprise Applications Collaboration & Content Mgmt VPN Systems LAN File Server WAN Disk Arrays ecommerce Applications Backup System Business Analytics Disparate, Often Proprietary Protocols Backup Disk Dev/Test Obfuscation Backup Tape Key Management System Key Management System Key Management System Key Management System Key Management System Key Management System Key Management System Key Management System

9 KMIP source: OASIS Single Protocol Supporting Enterprise Cryptographic Environments Enterprise Cryptographic Environments Staging Replica Collaboration & Portals Production Content Mgmt Database VPN Systems LAN Enterprise CRM Applications File Server WAN Disk Arrays ecommerce Backup System Applications Business Analytics Backup Disk Dev/Test Obfuscation Backup Tape Key Management Interoperability Protocol Enterprise Key Management

10 What is KMIP source: OASIS (Organization for the Advancement of Structured Information Standards) is a not-forprofit consortium that drives the development, convergence and adoption of open standards for the global information society The Key Management Interoperability Protocol (KMIP) enables key lifecycle management. KMIP supports legacy and new encryption applications, supporting symmetric keys, asymmetric keys, digital certificates, and other "shared secrets." KMIP offers developers templates to simplify the development and use of KMIP-enabled applications. KMIP defines the protocol for encryption client and keymanagement server communication. Key lifecycle operations supported include generation, submission, retrieval, and deletion of cryptographic keys. Vendors will deliver KMIP-enabled encryption applications that support communication with compatible KMIP key-management servers.

11 KMIP Objects source: OASIS Objects Certificate, with type and value Symmetric Key, with Key Block Public Key, with Key Block Private Key, with Key Block Split Key, with parts and Key Block Secret Data, with type and Key Block Managed Objects Template and Policy Template: Managed Objects Certificate Symmetric Key Public Key Private Key Split Key Template Policy Template Secret Data Opaque Object Key Block (for keys) or value (for certificates) Template has a subset of Attributes that indicate what an object created from such a template is Policy Template has a subset of Attributes that indicate how an object created from such a template can be used Note that (Policy) Templates have nothing except Attributes: for convenience these Attributes are included in the (Policy) Template structure too. Opaque Object, without Key Block

12 KMIP Operations source: OASIS 26 client-to-server operations defined 2 server-to-client operations defined Generate objects Search and obtain objects Set/get attributes Use the objects Support of optional operations Support for asynchronous responses Create Create Key Pair Register Re-key Derive Key Certify Re-certify Locate Check Get Get Attributes Get Attribute List Add Attribute Modify Attribute Delete Attribute Obtain Lease Get Usage Allocation Activate Revoke Destroy Archive Recover Validate (optional) Query Cancel (optional) Poll (optional) Notify (optional) Put (optional) Server-to-client operations

13 KMIP Attributes source: OASIS 33 Attributes defined Describes what is the object Describes how to use the object Describes other features of the object Unique Identifier Name Object Type Cryptographic Algorithm Cryptographic Length Cryptographic Parameters Cryptographic Domain Parameters Certificate Type Certificate Identifier Certificate Issuer Certificate Subject Digest Operation Policy Name Cryptographic Usage Mask Lease Time Usage Limits State Initial Date Activation Date Process Start Date Protect Stop Date Deactivation Date Destroy Date Compromise Occurrence Date Compromise Date Revocation Reason Archive Date Object Group Link Application Specific ID Contact Information Last Change Date Custom Attribute

14 Request / Response Model source: OASIS Enterprise Key Manager Respons e Header Symmetric Key Unique Identifier Key Value Request Header Get Unique Identifier Name: XYZ SSN: Acct No: 45YT-658 Status: Gold Unencrypted data Encrypting %#*@(*$%%%%#@ Encrypted data Host

15 Authentication source: OASIS Authentication is external to the protocol All servers should support at least SSL/TLS Authentication message field contains the Credential Base Object Client or server certificate in the case of SSL/TLS Host SSL/TLS Enterprise Key *&^%$#&%$#$%*!^ Identity *&^%$#&%$#$%*!^ Identity certificate

16 Use Cases Ecosystem HSM Virtualization & Cloud

17 Ecosystem SAN Brocade SAN switch SafeNet StorageSecure Applications, DB, Files Applications, DB, Files HSM Client Tape Library NetApp Storage Encryption

18 Oracle + SafeNet KMIP Ecosystem Encrypt DB information in a scalabel and secure way Ingredients: Oracle DB Oracle TDE Solaris Operating Systems Solaris Crypto File System SPARC T4 processor SafeNet LUNA PCI-E HSM LUNA EKM Client SafeNet KeySecure

19 Oracle TDE Trasparent Data Encryption part of Oracle's comprehensive portfolio of database security solutions helps organizations comply with privacy and regulatory mandates TDE transparently encrypt all application data or specific sensitive columns, such as credit cards, social security numbers, or personally identifiable information

20 Keys used for Oracle Transparent Data Encryption

21 Places to Store the Master Key Oracle Wallet This is the default Stores Masterkey and Certificates in a file in your filesystem Required software is part of Oracle software distribution Hardware Security Modules (HSM) Specialized hardware device External or internal to server Might be FIPS certified and tamper proof Required software supplied by Vendor Master Key Hardware Security Module

22 Solaris Cryptographic Framework is an architecture that enables applications in the Oracle Solaris operating system to use or provide cryptographic services interactions with the framework are based on the RSA PKCS#11 Cryptographic Token Interface (Cryptoki)

23 Solaris Cryptographic Framework

24 Oracle SPARC T4 Processor 18 On Chip Crypto functions Balanced high-bandwidth interfaces and internals 3.0 GHz Out of Order Execution 2 On Chip 10 GbE Networking Dynamic Threading 8 Cores, 64 Threads Co-engineered with Oracle software 2 On Chip Dual-Channel DDR3 Memory Controllers 2 On Chip x8 PCIe gen2 I/O Interfaces

25 Oracle + SafeNet KMIP Ecosystem

26 Monitoring & Remote Foundry Monitor HSM key activity throughout the enterprise, or one or more business units View key status on demand Monitor for Key Creations, Key Deletions and Key Modifications KeySecure logs events such that an Enterprise can act on events if desired Reports changes in attributes, key creations, deletions Logging/audit of key activity for compliance Increased security KeySecure controls key creation and deletion - keys in HSM Keys are created in HSMs - KeySecure appliance does not create keys KeySecure is used to set the key attributes

27 Virtualization & Cloud Tape Drives Brocade SAN switch On Premise Centralized key management for persistence and flexibility On-premise key vault extends trust to the cloud Secure key creation, storage and vault Key archiving and shredding Protect App, ProtectDB, ProtectFile

28 With the [ServiceMesh] Agility Platform, customers can achieve breakthroughs in the flexibility, responsiveness, and affordability of their IT operating model. Core to delivering these benefits is the requirement to secure an organization s sensitive assets across networks, data, users, and machine instances. We re pleased to leverage enterprise-grade solutions like KeySecure for securing and administering cryptographic keys, which is integral to the overall security solution we provide to our enterprise clients. Frank Martinez, CTO

29 SafeNet ProtectV On Premise Centralized key management for persistence and flexibility On-premise key vault extends trust to the cloud Secure key creation, storage and vault Key archiving and shredding

30 What Customers are Looking For in Enterprise Key Management Heterogeneous key lifecycle management solution Single, centralized solution for all cryptographic keys Centrally manage key attributes, state changes and key provisioning Highly scalable to manage millions of heterogeneous keys Open standards-based, enterprise key management Supports Key Management Interoperable Protocol (KMIP) to manage a large number of encryption solutions and vendors Root of trust for physical, virtual, and cloud-based environments High assurance and robustness Appliance-based, tamper-proof hardware (k460) with a hardened OS FIPS level 3 (in process) Hardware key storage

31 SafeNet KeySecure Enterprise Key Lifecycle Management Centrally managed, consolidation of keys store, manage, generate, distribute, rotate, backup, activate, deactivate, and destroy Up to 1 million keys per cluster High Assurance Level Standard based approach OASIS KMIP Broadest Coverage in Industry NAS StorageSecure SAN - Brocade Encryption Solutions (BES and FS8/18) KMIP support (NSE/FDE, Tape Library and other 3 rd Party support) Cloud-enabled (KMIP-based) SafeNet LUNA SA (HSM) and PCI Card Management Hardware- based,secure key replication across multiple appliances Active-Active mode of clustering Geo distribution support Highly scalable for cloud implementations LDAP/Active Directory Integration and Syslog forwarding Heterogeneous solutions: SFNT and non- SFNT devices, applications, databases, storage devices, SAN switches, tape libraries, HSM, network and endpoint devices, etc.

32 Questions?