Cryptography and Enterprise Key Management: a challenge that can be tackled

Cryptography and Enterprise Key Management: a challenge that can be tackled
Giuseppe Russo, Oracle Chief Technologist, giuseppe.russo@oracle.com
Simone Mola, SafeNet Sales Engineer, simone.mola@safenet-inc.com

Agenda
- Encryption, keys and the enterprise key management headache
- How the OASIS Key Management Interoperability Protocol (KMIP) helps solve this problem
- Some joint Oracle Security and SafeNet solutions
- KMIP use cases for enterprise key management

Data Loss Happens (chart)
Data from the Open Security Foundation Data Loss DB, http://datalossdb.org

Impact of Security Breaches
- Damage to corporate brand
- Loss of customers
- Fines
- Lawsuits / settlements
- Operational costs to address the breach

Encryption Solves the Problem
- Data encryption uses algorithms to transform plaintext into ciphertext, a form that is unreadable to unauthorized parties
- Provides protection from both off-site and on-premise information loss
- Enables secure shipment of data
- Supports time-based data expiration and secure data disposal (destroy the key and the ciphertext becomes unrecoverable)
- Data security regulations around the world ask for encryption of sensitive data

It's All About the Keys
- Encryption keys determine the functional output of the encryption algorithm
- Keys convert the data into ciphertext and convert it back to a readable form (cleartext)
- Keys must be strong: randomly generated from a cryptographically secure source, and securely managed
- For a given algorithm, a longer key raises the cost of brute-force search; key lengths are not comparable across algorithms, and a key is only as strong as the entropy that produced it
- AES-256 is the strongest key size of the AES standard, the most widely adopted symmetric block cipher today: symmetric, block-cipher based, 256-bit key length
- Lose the keys and you lose the data!
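The "randomly and securely generated" bullet is the one most often violated in practice, so here is an added example (not from the presentation) that makes the failure concrete: two 256-bit keys, one drawn from the OS CSPRNG and one derived from a general-purpose PRNG seeded with a timestamp. An attacker who knows only the key check value (KCV) published in a key inventory recovers the second key by replaying plausible seeds. The KCV construction, the seed window and the timestamps are assumptions made for the illustration.

```python
"""Why key entropy matters more than key length: recovering a 256-bit key
that was derived from a timestamp-seeded PRNG.

Added example, not code from Oracle, SafeNet or OASIS. The KCV format
(4 bytes of SHA-256), the one-hour seed window and the fixed 'now' are
assumptions chosen for illustration.
"""
import hashlib
import os
import random

KEY_BYTES = 32  # AES-256


def kcv(key):
    """Key check value: a short fingerprint kept in key metadata so a key can
    be identified without revealing it (assumed here: 4 bytes of SHA-256)."""
    return hashlib.sha256(key).digest()[:4]


def strong_key():
    """Correct: every bit of the key comes from the OS CSPRNG."""
    return os.urandom(KEY_BYTES)


def weak_key(seed):
    """Wrong: a 256-bit key whose only entropy is the seed (a timestamp).
    random.Random is a Mersenne Twister, fully determined by its seed."""
    rng = random.Random(seed)
    return rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")


def recover_key(target_kcv, seed_start, seed_window):
    """Attacker: replay every seed in the window and match the published KCV.
    Returns the key on a hit, None if no seed in the window produces it."""
    for seed in range(seed_start, seed_start + seed_window):
        candidate = weak_key(seed)
        if kcv(candidate) == target_kcv:
            return candidate
    return None


def demo(now=1_700_000_000, window=3600):
    """Constructed scenario: the attacker knows the key was made 'some time in
    the last hour' (window seeds to try) and has the KCV from the inventory."""
    weak = weak_key(now - 1234)        # exact generation time unknown to the attacker
    strong = strong_key()
    found_weak = recover_key(kcv(weak), now - window, window)
    found_strong = recover_key(kcv(strong), now - window, window)
    return found_weak == weak, found_strong is None


if __name__ == "__main__":
    weak_recovered, strong_safe = demo()
    print("weak key recovered from KCV:", weak_recovered)
    print("CSPRNG key survived the same search:", strong_safe)
```

The search costs 3600 PRNG runs, well under a second; widening the window to a whole year is still only about 2^25 candidates. Both keys are 256 bits long, so nothing in the "Cryptographic Length" attribute a key manager reports would distinguish them; only the generation path does.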

Enterprise Key Management Best Practices
- Keys must always be available: redundant servers with backup/recovery
- Keys must be secure: proper access control (quorum, role-based, separation of duties for administration); hardened solution with FIPS certification
- The key management system must scale economically: easy-to-use interface with simple client enrollment and setup
- The key management system must be openly architected: wide range of environments and client endpoints, standard protocols
- The key management system must offer auditing/reporting tools: key lifecycle, policy compliance, alerts

Headache reasons (diagram): every encrypting endpoint in the enterprise cryptographic environment (staging, replica and production databases, email, CRM, portals, enterprise applications, collaboration and content management, VPN systems, LAN file servers, WAN links, disk arrays, ecommerce applications, backup systems, business analytics, dev/test obfuscation, backup disk and backup tape) talks to its own key management system over disparate, often proprietary protocols, so the picture ends with eight separate key management systems.

KMIP (source: OASIS): a single protocol supporting enterprise cryptographic environments (diagram). The same endpoints (staging, replica and production databases, collaboration and content management, portals, VPN systems, LAN, CRM, enterprise applications, email, file servers, WAN, disk arrays, ecommerce applications, backup systems, business analytics, backup disk, dev/test obfuscation, backup tape) all speak the Key Management Interoperability Protocol to one enterprise key management system.

What is KMIP (source: OASIS)
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society.
The Key Management Interoperability Protocol (KMIP) enables key lifecycle management. KMIP supports legacy and new encryption applications, covering symmetric keys, asymmetric keys, digital certificates and other "shared secrets". KMIP offers developers templates to simplify the development and use of KMIP-enabled applications.
KMIP defines the protocol for communication between encryption clients and key management servers. Supported key lifecycle operations include generation, submission, retrieval and deletion of cryptographic keys. Vendors will deliver KMIP-enabled encryption applications that communicate with compatible KMIP key management servers.

KMIP Objects (source: OASIS)
Managed Objects:
- Certificate, with type and value
- Symmetric Key, with Key Block
- Public Key, with Key Block
- Private Key, with Key Block
- Split Key, with parts and Key Block
- Secret Data, with type and Key Block
- Opaque Object, without Key Block
- Template and Policy Template
Each managed object carries a Key Block (for keys) or a value (for certificates). A Template has a subset of Attributes that indicate what an object created from it is; a Policy Template has a subset of Attributes that indicate how an object created from it can be used. Note that (Policy) Templates contain nothing except Attributes: for convenience these Attributes are included in the (Policy) Template structure too.

KMIP Operations (source: OASIS)
26 client-to-server operations and 2 server-to-client operations are defined. They generate objects, search for and obtain objects, set/get attributes and use the objects; optional operations and asynchronous responses are supported.
Client-to-server: Create, Create Key Pair, Register, Re-key, Derive Key, Certify, Re-certify, Locate, Check, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Obtain Lease, Get Usage Allocation, Activate, Revoke, Destroy, Archive, Recover, Validate (optional), Query, Cancel (optional), Poll (optional)
Server-to-client: Notify (optional), Put (optional)

KMIP Attributes (source: OASIS)
33 attributes are defined. They describe what the object is, how to use it, and other features of the object:
Unique Identifier, Name, Object Type, Cryptographic Algorithm, Cryptographic Length, Cryptographic Parameters, Cryptographic Domain Parameters, Certificate Type, Certificate Identifier, Certificate Issuer, Certificate Subject, Digest, Operation Policy Name, Cryptographic Usage Mask, Lease Time, Usage Limits, State, Initial Date, Activation Date, Process Start Date, Protect Stop Date, Deactivation Date, Destroy Date, Compromise Occurrence Date, Compromise Date, Revocation Reason, Archive Date, Object Group, Link, Application Specific ID, Contact Information, Last Change Date, Custom Attribute

Request / Response Model (source: OASIS) (diagram)
The host sends a request to the enterprise key manager: Request Header, Get, Unique Identifier. The key manager answers with Response Header, Symmetric Key, Unique Identifier, Key Value. The host then uses the returned key to turn an unencrypted record (Name: XYZ, SSN: 1234567890, Acct No: 45YT-658, Status: Gold) into encrypted data on the encrypting storage.
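The slide shows the exchange as boxes; on the wire it is TTLV (Tag, Type, Length, Value) with every item padded to 8 bytes. The following added example, not code from OASIS, Oracle or SafeNet, builds exactly the slide's Get request for a Unique Identifier and then parses a Get response carrying a Symmetric Key with its Key Block and Key Value. The tag, type and enumeration constants are those of KMIP 1.0 (check them against the profile your server implements); the response bytes are constructed locally to stand in for a real key manager, and the key in it is a dummy value.

```python
"""Minimal KMIP TTLV codec: build the Get request from the slide and parse
the Get response that comes back.

Added example; it is not code from OASIS, Oracle or SafeNet. Tag, type and
enumeration values are the ones defined in KMIP 1.0 (verify them against
your server's supported profile). The response bytes are constructed
locally to stand in for a real key manager.
"""
import struct

TAG = {  # KMIP 1.0 tags, 3 bytes each
    "RequestMessage": 0x420078, "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
    "BatchItem": 0x42000F, "Operation": 0x42005C,
    "RequestPayload": 0x420079, "UniqueIdentifier": 0x420094,
    "ResponseMessage": 0x42007B, "ResponseHeader": 0x42007A,
    "ResultStatus": 0x42007F, "ResponsePayload": 0x42007C,
    "ObjectType": 0x420057, "SymmetricKey": 0x42008F,
    "KeyBlock": 0x420040, "KeyFormatType": 0x420042,
    "KeyValue": 0x420045, "KeyMaterial": 0x420043,
    "CryptographicAlgorithm": 0x420028, "CryptographicLength": 0x42002A,
}
NAME = {v: k for k, v in TAG.items()}
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING = 0x01, 0x02, 0x05, 0x07, 0x08
OP_GET = 0x0A  # Operation enumeration: Get


def ttlv(tag, typ, payload):
    """Tag (3 bytes) | Type (1) | Length (4, big-endian) | Value padded to 8."""
    pad = (-len(payload)) % 8
    return struct.pack(">I", tag)[1:] + bytes([typ]) + struct.pack(">I", len(payload)) + payload + b"\x00" * pad


def integer(tag, v):         return ttlv(TAG[tag], INTEGER, struct.pack(">i", v))
def enum(tag, v):            return ttlv(TAG[tag], ENUMERATION, struct.pack(">I", v))
def text(tag, s):            return ttlv(TAG[tag], TEXT_STRING, s.encode())
def octets(tag, b):          return ttlv(TAG[tag], BYTE_STRING, b)
def structure(tag, *items):  return ttlv(TAG[tag], STRUCTURE, b"".join(items))


def build_get_request(uid):
    """Client side of the slide's exchange: Get the object named by Unique Identifier."""
    return structure("RequestMessage",
        structure("RequestHeader",
            structure("ProtocolVersion", integer("ProtocolVersionMajor", 1), integer("ProtocolVersionMinor", 0)),
            integer("BatchCount", 1)),
        structure("BatchItem", enum("Operation", OP_GET),
            structure("RequestPayload", text("UniqueIdentifier", uid))))


def decode(buf):
    """Decode TTLV bytes into a list of (tag name, value); Structures recurse."""
    items, i = [], 0
    while i < len(buf):
        tag, typ = int.from_bytes(buf[i:i + 3], "big"), buf[i + 3]
        length = struct.unpack(">I", buf[i + 4:i + 8])[0]
        value = buf[i + 8:i + 8 + length]
        if len(value) != length:
            raise ValueError("truncated TTLV item")
        if typ == STRUCTURE:       v = decode(value)
        elif typ == INTEGER:       v = struct.unpack(">i", value)[0]
        elif typ == ENUMERATION:   v = struct.unpack(">I", value)[0]
        elif typ == TEXT_STRING:   v = value.decode()
        else:                      v = value  # Byte String and anything unrecognised stay raw
        items.append((NAME.get(tag, hex(tag)), v))
        i += 8 + length + (-length) % 8
    return items


def find(tree, name):
    """Depth-first lookup of the first item carrying the given tag name."""
    for n, v in tree:
        if n == name:
            return v
        if isinstance(v, list):
            hit = find(v, name)
            if hit is not None:
                return hit
    return None


# Constructed stand-in for the key manager's answer (no real KeySecure involved)
SAMPLE_KEY = bytes(range(32))  # dummy 256-bit AES key, not a real secret
SAMPLE_RESPONSE = structure("ResponseMessage",
    structure("ResponseHeader",
        structure("ProtocolVersion", integer("ProtocolVersionMajor", 1), integer("ProtocolVersionMinor", 0)),
        integer("BatchCount", 1)),
    structure("BatchItem", enum("Operation", OP_GET), enum("ResultStatus", 0),  # 0 = Success
        structure("ResponsePayload", enum("ObjectType", 2),  # 2 = Symmetric Key
            text("UniqueIdentifier", "key-0042"),
            structure("SymmetricKey", structure("KeyBlock",
                enum("KeyFormatType", 1),  # 1 = Raw
                structure("KeyValue", octets("KeyMaterial", SAMPLE_KEY)),
                enum("CryptographicAlgorithm", 3),  # 3 = AES
                integer("CryptographicLength", 256))))))


def extract_key(response_bytes):
    """What the host does with the response: check the status, then take Key Material."""
    tree = decode(response_bytes)
    if find(tree, "ResultStatus") != 0:
        raise RuntimeError("KMIP Get failed")
    return find(tree, "KeyMaterial")
```

Two details worth noticing when debugging a real capture: every Integer and Enumeration is 4 bytes of value followed by 4 bytes of padding, so item offsets always land on 8-byte boundaries; and the Key Material inside a raw Key Block is the plaintext key, which is why the Authentication slide that follows matters so much.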

Authentication (source: OASIS)
- Authentication is external to the protocol
- All servers should support at least SSL/TLS
- The Authentication message field contains the Credential Base Object: the client or server certificate in the case of SSL/TLS
(Diagram: host and enterprise key manager each present an identity certificate over the SSL/TLS channel.)
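Because KMIP delegates authentication to the transport, the TLS configuration of the client is the access control on every key it fetches. The added example below, not part of the presentation, shows the client-side policy a KMIP client should use (server certificate verified against the enterprise CA, hostname checked, TLS 1.2 floor, client certificate as the Credential) next to the unverified shortcut found in many samples, plus the framing needed to read one TTLV message off the socket. The file paths, server name and sample message are assumptions; the framing is exercised on a locally constructed message since no key manager is reachable offline.

```python
"""Transport for a KMIP exchange: mutual TLS plus message framing.

Added example, not code from OASIS, Oracle or SafeNet. KMIP leaves
authentication to the transport (the Credential is the TLS client
certificate), so the client has to verify the key manager's certificate and
present its own. File paths and the server name are placeholders; the
framing helper is exercised on a locally constructed message because no key
manager is reachable offline.
"""
import io
import socket
import ssl
import struct

KMIP_PORT = 5696  # IANA-registered port for KMIP over TLS


def kmip_client_context(ca_file=None, client_cert=None, client_key=None):
    """TLS policy for a KMIP client. 'At least SSL/TLS' on the slide is not a
    safe floor: refuse SSLv3/TLS 1.0/1.1 and verify both ends."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname are on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:        # trust only the enterprise CA that issued the key manager's certificate
        ctx.load_verify_locations(cafile=ca_file)
    if client_cert:    # the client's own identity: this is the KMIP Credential
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def unverified_context():
    """The shortcut found in many client samples: no server verification at all.
    Anyone on the path can then impersonate the key manager and hand out keys."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """Policy check worth keeping in a unit test for any KMIP client."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def recv_exactly(recv, n):
    """Read exactly n bytes from a recv(n)-style callable; TCP may deliver less per call."""
    chunks, got = [], 0
    while got < n:
        part = recv(n - got)
        if not part:
            raise ConnectionError("peer closed mid-message")
        chunks.append(part)
        got += len(part)
    return b"".join(chunks)


def read_message(recv, max_len=1 << 20):
    """A KMIP message is one top-level TTLV Structure: 3-byte tag, 1-byte type,
    4-byte big-endian length, then exactly that many value bytes."""
    header = recv_exactly(recv, 8)
    if header[3] != 0x01:
        raise ValueError("top-level item is not a Structure")
    length = struct.unpack(">I", header[4:8])[0]
    if length > max_len:  # bound memory before trusting a length the peer chose
        raise ValueError("oversized message")
    return header + recv_exactly(recv, length)


def exchange(host, request_bytes, ctx, port=KMIP_PORT):
    """One request/response over a mutually authenticated TLS session (not run offline)."""
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request_bytes)
            return read_message(tls.recv)


# Constructed sample: a Response Message (tag 0x42007B) holding only Batch Count = 1
_INNER = b"\x42\x00\x0d\x02" + struct.pack(">I", 4) + struct.pack(">i", 1) + b"\x00" * 4
SAMPLE_MESSAGE = b"\x42\x00\x7b\x01" + struct.pack(">I", len(_INNER)) + _INNER


def framing_demo():
    """Deliver the sample in 5-byte pieces, as a slow peer would, with more
    bytes queued behind it; the framer must stop at the message boundary."""
    stream = io.BytesIO(SAMPLE_MESSAGE + b"next message starts here")
    msg = read_message(lambda n: stream.read(min(n, 5)))
    return msg == SAMPLE_MESSAGE, len(msg), stream.tell()
```

On a real deployment the CA file should contain only the internal CA that issued the key manager's certificate, not the system trust store, and the client certificate and key are the objects the key manager's access policy is keyed on; losing them is equivalent to losing every key that identity is allowed to Get.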

Use Cases
- Ecosystem
- HSM
- Virtualization & Cloud

Ecosystem (diagram: Brocade SAN switch and SafeNet StorageSecure on the SAN; applications, databases and files on each side; HSM client; tape library; NetApp Storage Encryption)

Oracle + SafeNet KMIP Ecosystem
Encrypt database information in a scalable and secure way. Ingredients:
- Oracle DB with Oracle TDE
- Solaris operating system with the Solaris Crypto File System
- SPARC T4 processor
- SafeNet Luna PCI-E HSM with the Luna EKM client
- SafeNet KeySecure

Oracle TDE
Transparent Data Encryption is part of Oracle's comprehensive portfolio of database security solutions and helps organizations comply with privacy and regulatory mandates. TDE transparently encrypts all application data or specific sensitive columns, such as credit card numbers, social security numbers or other personally identifiable information.

Keys used for Oracle Transparent Data Encryption

Places to Store the Master Key
- Oracle Wallet (the default): stores the master key and certificates in a file in your filesystem; the required software is part of the Oracle software distribution
- Hardware Security Module (HSM): a specialized hardware device, external or internal to the server, possibly FIPS 140-2 certified and tamper-resistant; the required software is supplied by the vendor
(Diagram: master key held in the Hardware Security Module.)

Solaris Cryptographic Framework
An architecture that enables applications in the Oracle Solaris operating system to use or provide cryptographic services. Interactions with the framework are based on the RSA PKCS#11 Cryptographic Token Interface (Cryptoki).

Solaris Cryptographic Framework

Oracle SPARC T4 Processor
- 18 on-chip crypto functions
- Balanced high-bandwidth interfaces and internals
- 3.0 GHz, out-of-order execution, dynamic threading
- 8 cores, 64 threads
- 2 on-chip 10 GbE networking ports
- 2 on-chip dual-channel DDR3 memory controllers
- 2 on-chip x8 PCIe gen2 I/O interfaces
- Co-engineered with Oracle software

Oracle + SafeNet KMIP Ecosystem

Monitoring & Remote Foundry
- Monitor HSM key activity throughout the enterprise, or in one or more business units
- View key status on demand
- Monitor for key creations, key deletions and key modifications
- KeySecure logs events so that the enterprise can act on them if desired: it reports changes in attributes, key creations and deletions
- Logging/audit of key activity for compliance
- Increased security: KeySecure controls key creation and deletion, but the keys stay in the HSM; keys are created in the HSMs, the KeySecure appliance does not create them; KeySecure is used to set the key attributes

Virtualization & Cloud (diagram: tape drives, Brocade SAN switch, on-premise key vault)
- Centralized key management for persistence and flexibility
- The on-premise key vault extends trust to the cloud
- Secure key creation, storage and vaulting
- Key archiving and shredding
- ProtectApp, ProtectDB, ProtectFile

"With the [ServiceMesh] Agility Platform, customers can achieve breakthroughs in the flexibility, responsiveness, and affordability of their IT operating model. Core to delivering these benefits is the requirement to secure an organization's sensitive assets across networks, data, users, and machine instances. We're pleased to leverage enterprise-grade solutions like KeySecure for securing and administering cryptographic keys, which is integral to the overall security solution we provide to our enterprise clients." Frank Martinez, CTO

SafeNet ProtectV
- On premise: centralized key management for persistence and flexibility
- The on-premise key vault extends trust to the cloud
- Secure key creation, storage and vaulting
- Key archiving and shredding

What Customers are Looking For in Enterprise Key Management
- Heterogeneous key lifecycle management: a single, centralized solution for all cryptographic keys; centrally manage key attributes, state changes and key provisioning; highly scalable to manage millions of heterogeneous keys
- Open standards-based enterprise key management: supports the Key Management Interoperability Protocol (KMIP) to manage a large number of encryption solutions and vendors; root of trust for physical, virtual and cloud-based environments
- High assurance and robustness: appliance-based, tamper-resistant hardware (k460) with a hardened OS; FIPS 140-2 Level 3 (in process); hardware key storage

SafeNet KeySecure
- Enterprise key lifecycle management: centrally managed consolidation of keys; store, manage, generate, distribute, rotate, back up, activate, deactivate and destroy; up to 1 million keys per cluster
- High assurance level
- Standards-based approach: OASIS KMIP
- Broadest coverage in the industry: NAS (StorageSecure); SAN (Brocade Encryption Solutions, BES and FS8/18); KMIP support (NSE/FDE, tape libraries and other third-party devices); cloud-enabled (KMIP-based); SafeNet Luna SA (HSM) and PCI card management
- Hardware-based secure key replication across multiple appliances; active-active clustering; geo-distribution support; highly scalable for cloud implementations
- LDAP/Active Directory integration and syslog forwarding
- Heterogeneous solutions: SFNT (SafeNet) and non-SFNT devices, applications, databases, storage devices, SAN switches, tape libraries, HSMs, network and endpoint devices, etc.

Questions?