Data at Rest & Data in Motion. Mark Baldwin

Transcription

1 Data at Rest & Data in Motion Mark Baldwin

2 SafeNet Protects Sensitive Data SafeNet provides the only end-to-end enterprise data protection solution that secures data at rest, data in motion, as well as data in use - across application, device, network, and database layers.

3 SafeNet DataSecure Solution Enterprise Encryption and Key Management Remote Location SafeNet EdgeSecure Laptop/ Device Web Servers Databases Application z/os Servers Mainframes File Servers Storage/ Tape SafeNet DataSecure Data Center

4 DataSecure Solution DataSecure Appliance High-performance encryption Integrated management interfaces Hardened Linux appliance FIPS and Common Criteria certified Connector Software Connects DataSecure capabilities to applications, databases, file servers Load balancing, health checking, connection pooling, SSL

5 Benefits of SafeNet DataSecure Security Performance Flexibility Manageability Availability Hardware-based, centralized key and policy management FIPS/CC certified solution Authentication and authorization High performance encryption offload, over 100K TPS Batch processing for massive amounts of data Efficient backup/restore capabilities, local encryption option Support for heterogeneous environments (app, db, file) Support for open standards and APIs Range of enterprise deployment models Intuitive, easy-to-use administration Separation of duties Centralized policy management Enterprise clustering and replication Load balancing, health checking, and failover Geographically distributed redundancy

6 Centralized Enforcement Security Security administrators control data protection policy Keys created and stored in a single location Dual Administrative Control Separation of Duties Logging, Auditing and Alerts FIPS & Common Criteria Certified Solution FIPS Level 2 & CC EAL2 Certified Keys stored separately from sensitive data AES, 3DES, RSA and others Built-in Certificate Authority Authentication & Authorization Multi-factor system-to-system authentication and access control Granular, key-based, cryptographic policy Support for LDAP

7 Encryption Offload Optimized, high-performance hardware Frees up database and application servers Latency less than 300 microseconds per request Local Encryption Option Configurable for hardware offload or local encryption Batch Processing Perform batch encrypts/decrypts for high performance More than 100k TPS Batch tools include: Transform Utility ICAPI Easy integration into existing applications Performance

8 Flexibility Heterogeneous Environments Comprehensive enterprise solution Web, Application, Database, Mainframe or File Server Data Center or Distributed Environments Open Standards-based APIs, cryptographic protocols Scalability Models with capacity from 2,500 TPS to 100,000 TPS Clustering further increases capacity and redundancy Licensing structure enables cost-effective build-out

9 Intuitive Administration Graphical and command line interfaces Point-and-click policy management Encryption rights management Key management Network and system management Simple configuration, analogous to a switch or router Separation of Duties Security administrators administer security Maximize productivity, minimize liability Extensible Management Platform Cohesive, consistent elements across the enterprise Common management protocols, processes Standard implementation, integration methodology Manageability

10 Availability Boulder (US Operations) DataSecure Cluster Clustering Keys and policy are shared/replicated among DataSecures in a global cluster Load Balancing Connector software can load balance across a group of appliances Multi-tier load balancing enables transparent fail over to alternate appliance(s) Hong Kong (Asia-Pacific)

11 Database Integration Customer Database SafeNet DataSecure Database Connectors Oracle 8i, 9i, 10g, 11g IBM DB2 version 8, 9 Microsoft SQL Server 2000, 2005, 2008 Teradata Application changes not required Batch processing tools for managing large data sets

12 Application Integration E-Commerce Application Customer Database Reporting Application Application Connectors Microsoft.NET, CAPI JCE (Java) PKCS#11 (C/C++) SafeNet ICAPI (C/C++) z/os (Cobol, Assembler, etc.) XML Support for virtually all application and web server environments SafeNet DataSecure

13 File System Integration File Server SafeNet DataSecure File System Connectors Windows Server 2003 Linux File Encryption Keys (FEKs) protect files on disk FEKs are encrypted with a Key Encryption Key (KEK) that resides on the DataSecure appliance Policy configured on DataSecure and sent to file server

14 DataSecure Appliances Use Case Scenarios i10 EdgeSecure Remote Locations/ Distributed Environments i116 DataSecure Low-End Appliance i430 DataSecure High-End Appliance Performance (TPS) 2,500 11, ,000 Form Factor 11.6 x 10.3 x 2.5 1U, rackmountable 1U, rackmountable (w, d, h) Network Ethernet Interfaces One: 10/100 One: 10/100 Two: 10/100/1000 Power Supplies/ Redundancy One PS One PS Two PS, two fans, two disks (RAID1) FIPS and CC no yes yes

15 Database Encryption Process (slide 1 of 8) Step 1: Identify what data you want to secure and where that data resides. CUSTOMER Name Account SSN Address City Irwin M. Fletcher Main Street Santa Barbara Josh Ritter st Ave San Francisco Steve Garvey First Ave Brentwood CUSTOMER Table Structure Column Name Data Type Length Name VARCHAR 60 SSN CHAR 9 Address VARCHAR 75 SSN_NEW VARBINARY 16

16 Database Encryption Process (slide 2 of 8) Step 2: Alter table to add columns CUSTOMER Name Account SSN Address City SSN_NEW Irwin M. Fletcher Main Street Santa Barbara Josh Ritter st Ave San Francisco Steve Garvey First Ave Brentwood CUSTOMER Table Structure Column Name Data Type Length Name VARCHAR 60 SSN CHAR 9 Address VARCHAR 75 SSN_NEW VARBINARY 16

17 Database Encryption Process (slide 3 of 8) Step 3: Migrate, encrypt data CUSTOMER Name Account SSN Address City SSN_NEW Irwin M. Fletcher Main Street Santa Barbara 0xEED95DB Josh Ritter st Ave San 0x21010B370F8752D5 Francisco Steve Garvey First Ave Brentwood 0xC5187FC3A3286B7F CUSTOMER Table Structure Column Name Data Type Length Name VARCHAR 60 SSN CHAR 9 Address VARCHAR 75 SSN_NEW VARBINARY 16 SafeNet DataSecure Appliance

18 Database Encryption Process (slide 4 of 8) Step 4: Null the original cleartext data CUSTOMER Name Account SSN Address City SSN_NEW Irwin M. Fletcher NULL 411 Main Street Santa Barbara 0xEED95DB Josh Ritter NULL st Ave San 0x21010B370F8752D5 Francisco Steve Garvey NULL 123 First Ave Brentwood 0xC5187FC3A3286B7F CUSTOMER Table Structure Column Name Data Type Length Name VARCHAR 60 SSN CHAR 9 Address VARCHAR 75 SSN_NEW VARBINARY 16 SafeNet DataSecure Appliance

19 Database Encryption Process (slide 5 of 8) Sensitive data is now stored in encrypted format. Application integration can be completed with no further database changes, or CUSTOMER Name Account SSN Address City SSN_NEW Irwin M. Fletcher NULL 411 Main Street Santa Barbara Josh Ritter NULL st Ave San Francisco 0xEED95DB x21010B370F8752D5 Steve Garvey NULL 123 First Ave Brentwood 0xC5187FC3A3286B7F

20 Database Encryption Process (slide 6 of 8) Step 5: Implement database integration: Rename database, create views, triggers and stored procedures to automate updates and inserts CUSTOMER (View) Name Account SSN Address City Irwin M. Fletcher Main Street Santa Barbara Josh Ritter st Ave San Francisco Steve Garvey First Ave Brentwood CUSTOMER CUSTOMER_NEW Dynamic Encryption and Decryption of Data via Triggers and Views Name Account SSN Address City SSN_NEW Irwin Name M Account NULL SSN 411 Address Main Santa City 0xEED95DB SSN_NEW Fletcher Irwin M NULL Street 411 Main Barbara Santa 0xEED95DB Josh Fletcher Ritter NULL 1801 Street 21 st Ave San Barbara 0x21010B370F8752D5 Josh Ritter NULL st AveFrancisco San 0x21010B370F8752D5 Steve Garvey NULL 123 First Ave Brentwood Francisco 0xC5187FC3A3286B7F Steve Garvey NULL 123 First Ave Brentwood 0xC5187FC3A3286B7F

21 Application and Database Encryption Process (Slide 7 of 8) Subsequent updates and inserts preserve data privacy CUSTOMER (View) Name Account SSN Update Trigger Address City Irwin M. Fletcher Main Street Santa Barbara Josh Ritter st Ave San Francisco Steve Garvey First Ave Brentwood CUSTOMER_NEW Name Account SSN Address City SSN_NEW Irwin M. Fletcher NULL 411 Main Street Santa Barbara 0x5FC09A148B Josh Ritter NULL st Ave San Francisco 0x21010B370F8752D5 Steve Garvey NULL 123 First Ave Brentwood 0xC5187FC3A3286B7F

22 Application and Database Encryption Process (Slide 8 of 8) Subsequent updates and inserts preserve data privacy CUSTOMER (View) Name Account SSN Update Address Trigger City Irwin M. Fletcher Main Street Santa Barbara Josh Ritter st Ave San Francisco Steve Garvey First Ave Insert Brentwood Trigger Henry Baker Convention Gilroy CUSTOMER_NEW Name Account SSN Address City SSN_NEW Irwin M. Fletcher NULL 411 Main Street Santa Barbara 0x5FC09A148B Josh Ritter NULL st Ave San Francisco 0x21010B370F8752D5 Steve Garvey NULL 123 First Ave Brentwood 0xC5187FC3A3286B7F Henry Baker NULL 787 Convention San Francisco 0xF5253HU4A4657C3P

23 Encrypting Structured Data Three options: Database Encryption and decryption are initiated from the DB using Ingrian views and triggers Makes use of DB Connector Application Encryption and decryption are initiated from the application Makes use of Application Connector Hybrid Crypto operations are initiated from both the DB and the App Makes use of both DB and Application Connectors

24 Database Connector installed on Database Server (Oracle/MSSQL/DB2) User Tom WebServer Application Server query Response Database - field encrypted with Key x User Bob X3%R7!>W Tom can access Key x, Bob cannot x Datasecure

25 DB Integration Pros Theoretically very easy Can be done from the GUI No need to modify applications Cons Lower performance (2,000 Op/s max) Maintenance is more difficult No range queries Might cause problems for OTS applications

26 Application Connector installed on Application Server (PKCS#11/MS/Java/ICAPI/XML) User Tom WebServer Application Server query Response X3%R7!>W Database - field encrypted with Key x User Bob X3%R7!>W x Datasecure Tom can access Key x, Bob cannot

27 App Integration Pros Very easy 20 lines of code required High performance (can multi-thread apps) Less maintenance required Less risk of injury More secure than DB integration Cons You have to modify all your apps Might not have access to source code App Integration is the preferred method!

28 Application Integration, JCE Example 1 // Create NAE session 2 NAESession session = NAESession.getSession("username","password ); // Retrieve secret key IvParameterSpec iv = new IvParameterSpec(); SecretKey key = NAEKey.getSecretKey("AESKey", session); // Create cipher instance Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding, "IngrianProvider"); byte[ ] buffer = new byte [8192]; Outputstream os = new outputstream; cipher.init(cipher.encrypt_mode, key, iv); // Use the cipher instance to encrypt the input stream int readbytes; while ((readbytes = is.read(buffer)) >= 0) { byte[ ] result = cipher.update(buffer, 0, readbytes); if (result!= null) { // Write the encrypted string to output stream os.write(result); } } os.write(cipher.dofinal()); os.flush();

29 Application Integration, C# Code Example // Create NAE session NAESession session = new NAESession( username, password ); // Retrieve secret key SymmetricAlgorithm key = (Rijndael)session.GetKey( AESkey ); // Set the initialization vector, padding, and mode byte[ ] iv = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }; key.iv = iv; key.padding = PaddingMode.PKCS5; key.mode = CipherMode.CBC; // Read in data to encrypt UTF8Encoding utf8 = new UTF8Encoding(); byte[ ] inputbytes = utf8.getbytes( String_To_Encrypt ); System.IO.MemoryStream memstr = new System.IO.MemoryStream(); // Create a crypto stream and encrypt data CryptoStream encrstr = new CryptoStream(memstr, key.createencryptor(), CryptoStreamMode.Write); encrstr.write(inputbytes, 0, inputbytes.length); encrstr.close(); byte[ ] encrbytes = memstr.toarray(); // Create encrypted string String m_encryptedstring = Convert.ToBase64String(encrBytes);

30 File Encryption Process Encryption Polices and KEKs are sent to File Server and stored in memory. File Encryption Keys (FEKs) are generated at the File Server and used to encrypt files. FEKs are encrypted using the KEK before they are sent to disk. File Header Individual File #1 in Cleartext format Original File File Servers 2) Encrypt File Encryption Key with Key Encryption Key 1)Encrypt cleartext data with File Encryption Key 7ndfhe34sherkjysu File Header sdfsdff wret345fbcfdsgfmhityur6c Encrypted File SafeNet DataSecure Policies are created at the DataSecure. A Key Encryption Key (KEK) is created for each directory.

31 Conclusion DataSecure Solution Secure, appliance-based solution for encryption and key management Provides high performance cryptographic offload Supports web, application, database and file server environments Centralizes management and enforces control of enterprise data protection policy Scales globally while ensuring high availability

32 ProtectDrive Industry-Leading Hard Drive encryption solution SC Magazine 5 Stars in all Categories Customer Deployments for 1000 s of Laptops 100% hard drive encryption by partition or full hard drive (all data encrypted - registry, temp files, etc) Encryption at physical drive level Pre Boot Server version for RAID Strong encryption algorithm - AES-256 Pre-boot Authentication (PBA) using Microsoft logon credentials Single Sign On Logon by Password, OR Logon by Digital Certificate with Strong two-factor authentication (USB tokens, smart cards) Support for Windows 2000 / XP / 2003 / Vista Microsoft Active Directory-based central administration for easy network deployment and management no separate management console required Port and Device Control Removable media encryption USB flash drives, and External Hard Drives FIPS-certified encryption functions EAL4 Common Criteria certification in process Strong Key Recovery and Emergency Login procedures

33 WAN Encryption devices FIPS and CC Certification Physically tamper-proof Minimal latency (typical < 10 microseconds) Point to Multipoint connection capability (not Link) Each connection uses unique AES256 symmetric key (changed every hour) Connections can be set to Encrypt, Bypass or Discard Zero Overhead data payload only encrypted For each type, there are different models to suit different bandwidths (capacities) and with different interfaces (connectors) to suit local environments

34 WAN Encryptor Topology SMC Telco Carrier Circuits Telco Edge Switch SafeNet Encryptor Customer Router LAN

35 Thank You