Securing Sensitive Data at Rest: ProtectFile, ProtectDB and ProtectV. Nadav Elkabets, Presale Consultant
Protecting Your Data. 1: Encrypt Your Data. [Diagram labels: ProtectFile, StorageSecure, ProtectDB, ProtectV; Databases, File Servers, Storage Networks, Virtual Machines; Tokenization, ProtectApp; Applications, SaaS Apps; Internal Users + Administrators; Cloud Providers; Admins/Superusers; Customers + Partners]
ProtectV: Full Disk Encryption of Virtual Instances
Challenges in the Virtual Datacenter & Cloud: Do I have control of my data? Who is accessing my data? Where is my data? Are regulations going to stop me from moving to the cloud?
Virtualized Data Could Live Anywhere: Mail Servers, E-commerce, App server, SharePoint Services, File Servers, Web Servers. Payment info, Customer data, Critical data, Sensitive Communications, Intellectual Property.
It's Easy to Lose Control in a Virtual World: VMs are easy to copy (and steal). VMs are easy to move. VMs introduce a new class of privileged users and administrators (server, storage, backup, and application), all operating independently. VMs have multiple instances, snapshots and backups of data. Data-shredding capability if data is at risk or when switching providers. [Diagram labels: APP, OS, Hypervisor, Compute Layer, Storage, Snapshots, Backup]
Data Protection for Virtual Infrastructure: ProtectV is the industry's first comprehensive solution for protecting virtual environments. With ProtectV you can: isolate your data; authorize all access; track access to all copies of your data; revoke key access after a breach. ProtectV enables you to securely migrate your sensitive data to virtual data centers, the cloud, and untrusted or shared environments.
How ProtectV Secures the Entire VM Lifecycle: 1. Power On: ProtectV API makes server provisioning fast, automated and efficient to power on a VM. 2. Start: You must be authenticated and authorized to launch a VM. 3. Daily Operations: All data and VMs are encrypted. 4. Snapshot: Every copy of a VM in storage or backup is encrypted. 5. Delete: Every time you delete a key, it digitally shreds the data, rendering all copies of VMs inaccessible.
Anatomy of Securing Your Data in the Virtual or Cloud Environment: 1. ProtectV Client: ProtectV Client is installed on your virtual machine or your servers in your data center. 2. ProtectV Manager: ProtectV Manager runs as a virtual machine. 3. KeySecure / Virtual KeySecure: KeySecure is a hardened, high-assurance enterprise key management solution, available as hardware or on a new virtualized platform, Virtual KeySecure. [Diagram labels: Storage, Protected Volumes, Hypervisor, Protected Virtual Machines, Protected on-premise servers in physical datacenter]
Deployment Scenario: Public Cloud. Example of an AWS EC2 deployment. [Diagram labels: Trusted on-premise location, Public Cloud, KeySecure (HA), ProtectV Manager (HA), ProtectV Client]
ProtectFile: Transparent & Automated File-system Level Encryption of Server Data in the Distributed Enterprise
Protecting Data-at-Rest: Solution Elements. A complete solution is needed: Securing the Breach; Eliminating Insider Threats; Protecting Sensitive Data-at-Rest in Enterprise Servers. Encryption + Centralized Key Management; Lock the Data; Manage Keys Securely; Separate Server Administration from Data Access & Key Management; Separation of Duties; Audit.
ProtectFile: Protecting Server Data-at-Rest. ProtectFile protects sensitive data-at-rest on enterprise servers with fully-automated encryption and access controls at the file-system level. Encryption with Centralized Key Management: File-level encryption; Transparent to users, applications, databases and business processes; Encryption keys are separate from the encrypted data; Protected anywhere in the enterprise: DAS, NAS, SAN. Granular Access Controls: Segregation of sensitive; Granular authorized access; Segregate access. Auditing and Logging: Tamper-resistant logging of usage of protected data for the various ProtectFile clients being managed; Signed logs. [Diagram labels: Application, Database, Files and Folder, Operating System, Hardware, Local Storage (DAS), ProtectFile, Remote Storage (NAS, SAN)]
Protection of Server Data in the Distributed Enterprise: Protection of Data in Local Folders (DAS) & Network Shares (Remote Server or NAS Storage). REGIONAL OFFICE: Windows or Linux Server with ProtectFile; \local-path is on direct-attached storage; \\corporate is a mapped network share. HEAD OFFICE: Server or NAS filer with Network Share called \corporate. DataSecure for Centralized Key Management & Policy Management. [Diagram labels: ProtectFile protected paths, \unprotected-path, \local-path, \\corporate, \corporate]
Segregating Sensitive Department Data on Shared Servers. [Diagram labels: Documents, Images, Config Files, Password Files, Logs & Backups; Data files, Exports, Archives; Application, Database, Files and Folders, Operating System, ProtectFile, Hardware; Finance, Sales, Human Resources; SSL; Local Storage (DAS); Server (Windows or Linux); Remote Storage (NAS, SAN); DataSecure]
Separation of Duties. [Diagram labels: Server Administrator; DataSecure Administrator; Application, Database, Files and Folders, Operating System, ProtectFile, Hardware; Finance, Sales, Human Resources; SSL; Local Storage (DAS); Server (Windows or Linux); Remote Storage (NAS, SAN); DataSecure]
How It Works: Once ProtectFile is deployed and initiated on a server, it transparently encrypts and decrypts data in local and mapped network folders at the file-system level and enforces access policies defined in DataSecure without affecting productivity. ProtectFile encrypts sensitive data in files of a wide range of file types, in folders on servers and on network shares. DataSecure provides centralized key and policy management. Admins set policies for access to specific folders and files. Once a folder is selected for protection, any file that is deposited in the folder is automatically encrypted. [Diagram labels: ProtectFile protected paths, \unprotected-path, \local-path, \\mapped-path, \shared-path; Server with Sensitive Data with ProtectFile deployed; Network Share; DataSecure]
What Enterprise Customers Look for in a File-level Encryption Solution: Data-centric Protection; Separation of Duties; Regulatory Compliance.
ProtectDB and ProtectApp: Transparent Database Protection
DataSecure Solution Suite. Crypto Foundation: Deliver root of trust services for enterprise-wide data protection; DataSecure for high performance, centralized crypto; Unified data protection covering the broadest range of data types and environments; Data-centric, persistent protection from the DC to the cloud; Centralized policy, key management, logging, and auditing. Structured Data Protection: Protect regulated data in databases and applications; ProtectDB for database data encryption; ProtectApp for application data encryption; Tokenization Manager to reduce audit scope and protect data service ready platform
Transparent Database Protection: SafeNet ProtectDB. Benefits: Removes performance impact on databases; Protects across multi-vendor DBMS systems; Application transparent; Separation of duties from DB admins; Centralized policy control of data access with granular restriction options; Supports extremely large data sets; Works with Cloud deployed databases. Features: Column level database encryption with database offload; DBMS Support: Automated view, trigger, and stored procedure generation; Cryptographic management by DataSecure administrators; Supports delegated admin, M of N keys; Granular user authentication options: standard directory, DataSecure user, time of day, rate limiting, etc.; Large data transformation support, including regular key rotation. [Diagram labels: Users, Web/Application Servers, ProtectDB, DataSecure]
Crypto Service Level Encryption: + Encrypt only sensitive columns. + DML transparent. Eventually not DDL transparent. + Keys in Hardware, millions of keys, key migration, audit trail, LDAP & MS-AD integration, GUI wizard. [Diagram labels: DataSecure, App Server, APP LAYER, DB LAYER, Ext. Procs, Crypto Service, OS LAYER, OS LAYER, DB Server]
Protect Data at the Application Level: SafeNet ProtectApp. Benefits: Removes performance impact on application servers; Protects across multi-vendor application and development platforms; Works with cloud deployed applications; Faster time-to-deployment for encryption; Enhances application security through fine-grain user controls. Features: Application encryption with hardware appliance offload; Supports all major application platforms; Standard development libraries and APIs: .NET, ICAPI, JCE, MSCAPI, PKCS #11, z/OS; Supports applications in VMware and Xen; Cryptographic management by DataSecure administrators; Supports delegated admin, M of N keys; Granular user authentication policy: standard directory, DataSecure user, time of day, rate limiting, etc. [Diagram labels: Users, Web/Application Servers, ProtectApp, DataSecure]
Application Level Encryption: + Addresses wide range of confidentiality threats. + Granular encryption control. Not application transparent. + SafeNet enhancements: Keys in Hardware, millions of keys, versioned keys, audit trail, LDAP & MS-AD integration. [Diagram labels: DataSecure, App Server, APP LAYER, Crypto API, Crypto Service, DB LAYER, OS LAYER, OS LAYER, DB Server]
Thank You!