Thales e-security Key Isolation for Enterprises and Managed Service Providers

Similar documents
nshield Modules Integration Guide for Oracle Database 11g Release 2 Transparent Data Encryption

Thales nshield HSM. ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2.

Thales ncipher modules. Version: 1.2. Date: 22 December Copyright 2009 ncipher Corporation Ltd. All rights reserved.

Thales e-security Financial and Operational Benefits of using Datacryptor R4.02 in your network

Integration Guide Microsoft Internet Information Services (IIS) 7.5 Windows Server 2008 R2

ncipher modules Integration Guide for Microsoft Windows Server 2008 Active Directory Certificate Services Windows Server bit and 64-bit

ncipher Modules Integration Guide for Axway Validation Authority Server 4.11 (Responder)

Thales Database Security Option Pack. for Microsoft SQL Server Integration Guide.

Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules

Thales e-security keyauthority Security-Hardened Appliance with IBM Tivoli Key Lifecycle Manager Support for IBM Storage Devices

ncipher Modules Integration Guide for Apache HTTP Server

Secure SSL, Fast SSL

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

Overview of Luna High Availability and Load Balancing

Upgrading and Improving the Trust of Microsoft Windows Certificate Authorities

John Essner, CISO Office of Information Technology State of New Jersey

Thales nshield HSM. Integration Guide for ISC BIND DNSSEC.

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February

COMMVAULT SIMPANA 10 SOFTWARE MULTI-TENANCY FEATURES FOR SERVICE PROVIDERS

Microsoft AD CS and OCSP Integration Guide. Microsoft Windows Server 2008 R2

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Security Issues in Cloud Computing

Alliance Key Manager Solution Brief

Implementing a Microsoft SQL Server 2005 Database

Web Applications Access Control Single Sign On

Advanced Service Desk Security

Data Protection: From PKI to Virtualization & Cloud

Designing Database Solutions for Microsoft SQL Server 2012 MOC 20465

Alice. Software as a Service(SaaS) Delivery Platform. innovation is simplicity

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

Citrix GoToAssist Service Desk Security

Understanding the Role of Hardware Data Encryption in EMV and P2PE from the CEO s Perspective

Securing Virtual Applications and Servers

Data Protection and Mobile Payments. Jose Diaz - Business Development & Technical Alliances Ted Heiman Key Account Manager Thales e-security

RSA Digital Certificate Solution

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Course 20465C: Designing a Data Solution with Microsoft SQL Server

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Mirjam van Olst. Best Practices & Considerations for Designing Your SharePoint Logical Architecture

IT Security. Securing Your Business Investments

Complying with PCI Data Security

Key Management Best Practices

Information Technology Branch Access Control Technical Standard

Microsoft Windows Server 2008 PKI and Deploying the ncipher Hardware Security Module

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Mitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security

Software-Defined Networks Powered by VellOS

PrivyLink Cryptographic Key Server *

Applying Cryptography as a Service to Mobile Applications

Certificate Management

Active Directory Services with Windows Server

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

e-authentication guidelines for esign- Online Electronic Signature Service

White Paper. Protecting Mobile Apps with Citrix XenMobile and MDX. citrix.com

Active Directory Services with Windows Server

SafeNet DataSecure vs. Native Oracle Encryption

ADVANCING SECURITY IN STORAGE AREA NETWORKS

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

East African Information Conference th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

Advanced virtualization management for Hyper-V and System Center environments.

Secure cloud access system using JAR ABSTRACT:

Building a better branch office.

CRYPTOGRAPHY AS A SERVICE

Designing a Data Solution with Microsoft SQL Server 2014

efolder White Paper: HIPAA Compliance

Security Overview Enterprise-Class Secure Mobile File Sharing

Designing a Data Solution with Microsoft SQL Server

Object Storage: A Growing Opportunity for Service Providers. White Paper. Prepared for: 2012 Neovise, LLC. All Rights Reserved.

An Oracle White Paper June Security and the Oracle Database Cloud Service

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Server Virtualization with Windows Server Hyper-V and System Center

TPM Key Backup and Recovery. For Trusted Platforms


Course 20465: Designing a Data Solution with Microsoft SQL Server

Designing a Data Solution with Microsoft SQL Server

TOP SECRETS OF CLOUD SECURITY

CompTIA Cloud+ Course Content. Length: 5 Days. Who Should Attend:

The Benefits of Virtualizing

Security from a customer s perspective. Halogen s approach to security

SQL Azure vs. SQL Server

SP A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

High Security Online Backup. A Cyphertite White Paper February, Cloud-Based Backup Storage Threat Models

Configuring and Administering Microsoft SharePoint 2010

Active Directory Services with Windows Server MOC 10969

SSL ACCELERATION DEPLOYMENT STRATEGIES FOR ENTERPRISE SECURITY

Brainloop Cloud Security

Integration Guide. Microsoft Internet Information Services (IIS) 7.0 and ncipher Modules. Windows Server 2008 (32-bit and 64-bit)

Transcription:

Thales e-security Key Isolation for Enterprises and Managed Service Providers Technical White Paper May 2015

Contents 1. Introduction 1. Introduction... 2 2. Business Models.... 3 3. Security World... 4 3.1..... 5 3.2. Protecting keys... 5 3.3. ACLs.... 6 4. Policy Enforcement.... 7 5. Conclusion... 9 nshield is a family of multi-purpose HSMs that provide a trusted environment for secure cryptographic processing, key protection and key management. Cryptographic keys within an enterprise are used to identify people and machines, secure internal and external communications, encrypt and tokenize data at rest, sign messages and documents as well as other use cases. It is therefore vital for any business with a reliance on cryptographic keys to have assurances and enforceable policies surrounding key usage. The nshield family of Hardware Security Modules (HSMs) provides the ability to achieve that level of assurance. By using the Security World key management framework, supported by the nshield HSM family, an organization can create for itself a structured key infrastructure that meets the dynamic and fluid demands and requirements of today. This paper demonstrates how it is possible to easily configure Security World to define a framework which permits both partitioning and multi-tenancy cryptographic key isolation strategies. page 2 2015 Thales e-security, Inc. All rights reserved. page 3

2. Business Models 3. Security World Key isolation is often a requirement in both enterprise and managed service or cloud environments. There are two different business models which have a requirement for some form of partitioning with regards to their cryptographic resources estate: Enterprise customers who have a requirement to share cryptographic infrastructure resources between applications or departments within that same enterprise. Keys should be separated to preserve the necessary isolation between applications. Managed service providers who wish to divide a given cryptographic resource between any number of distinct and independent clients such that keys for one client are not accessible by another client. This paper addresses both models, and shows just how easy it is to design, implement and enforce a policy that meets their requirements. In addition to the requirements of the business model are a number of factors to consider when assessing techniques for partitioning: Object Types: Usually users, applications, or keys. Scale: This can range from one or two enterprise users or applications to millions of keys or customers. Thales Security World addresses the age old challenge of providing strong protection for keys while at the same time ensuring they are available for use by authorized applications that are deployed over high scale, redundant and distributed server To understand the ways in which Thales nshield HSMs can be deployed to support flexible isolation environments, we first need to have a clearer understanding of some Thales Security World architecture principles. To alleviate the developer from the burden of creating a key infrastructure, Thales provides the Security World architecture which is a simple, yet flexible key architecture that can be used to contain application keys, protected in a variety of ways while also providing easy to use load-balancing and disaster recovery functionality. Thales also provides industry standard APIs such as PKCS#11 and JCE based on the Security World architecture. It is assumed when using nshield HSMs that users are utilizing this standard key infrastructure whether integrating with existing standard interfaces or bespoke applications. Security World Key A Security: What determines the true level of security? What authentication policies are protecting application key material? How are physical security controls mapped to logical controls, and vice-versa. HSM A Accessibility: What access does the hosting organization have to customers material? Within an enterprise a provider may want to provide a super-user or an administrative quorum with access to all the keys. However customers will have more trust in a public service if the provider can t access their keys. Key B With all these factors in mind, how can Thales nshield HSMs assist in the development of isolated systems for the control of keys? HSM B Key C Figure 1 - Security World as a single security domain for HSMs and application keys Practically speaking a Security World creates a single security domain for keys and objects to be securely managed that can encompass many HSMs and clients. However, an HSM can only ever be configured with a single Security World at any one time. page 4 2015 Thales e-security, Inc. All rights reserved. page 5

3.1. When generating an application key within Security World on a Thales nshield HSM, it is important that the raw key material be protected by the certified hardware of the module at all times. It is also important that the key can be loaded by authorized clients and backed up in accordance with industry best practice guidelines. The Thales Security World provides mechanisms whereby the raw application key material and various meta-data about how the key can be used -- the Access Control List (ACL) -- are cryptographically wrapped using Security World foundation keys, specifically a key called the module key (KM0). The wrapped application key can then be stored on all authorized HSM clients so that they can load the key at a later date, and can also be backed up onto recovery media since the process involves encrypting the raw key data with keys that are only available on an nshield HSM in the correct Security World. Since these wrapped application keys exist on the storage media on the authorized clients, the volume of keys that a Security World can protect is only limited by the size of the storage medium on the host, not some feature or limitation of the HSM. This neatly addresses the topic of scale in relation to isolation principles. 3.2. Protecting the use of keys Where controls need to be implemented for the safeguarding of application keys, Operator Card Sets (OCS) or Softcards (passphrases) can be used to authorize the loading of those keys. Physical OCS and logical softcards are collectively referred to as authentication tokens. An authentication token is associated with an application key when the application key is generated. The application key then requires the authentication token to be presented and validated before the key can be loaded onto an HSM. Once an application key has been loaded into an HSM, it can be used (ACL permitting) as often as required for approved cryptographic operations before then being programmatically or automatically unloaded. A single authentication token can be used to protect multiple application keys. 3.2.1. Softcards keys are, by default, protected by the KM0 wrapping process, however sometimes it will be necessary to implement additional security controls to ensure an application presents some form of authorization before the HSM legitimately loads the key for use. The single-factor authorization model adopted by Security World is Softcards. page 6 Softcards are really nothing more than a single passphrase, but where physical access to a smart card slot is impractical Softcards can be a practical solution to enforcing some control over when an application key is loaded. 3.2.2. OCS Quorums nshield HSMs use smart cards to provide two-factor authorization, however an OCS is not a single smart card (although it could be). An OCS is normally a set of smart cards which represent an authorized group. When created, the necessary quorum of these cards is also set. This is the number of cards from the total set that need to be presented in order to authorize the use of the keys protected by the cardset. Since individual cards are normally allocated to authorized members of a group of users (each smart card with a unique passphrase), when a cardset is authorized within the HSM, this does not represent a single user s authorization, but rather the authorization of the group to perform the requested action. The notation used to describe the quorum of the cardset is K of N, where N is the total number of card in the cardset and K (K>0) is the number of cards required to form a quorum (N>0, N<=K). So in a 2 of 5 OCS, there are 5 cards in total but only 2 of this set need to be presented to permit the loading of a key. A special property of a 1 of N OCS is that obviously only a single card need be presented (along with its passphrase). This means that no physical switching of cards in slots needs to take place which can be a practical advantage in certain conditions where you not only want to protect where an application key is loaded, but still also want to retain the Softcard advantage of restricting when it is loaded. Though this is perhaps an inferior configuration to a K of N OCS where K>1 in terms of security over availability. 3.3. ACLs The Access Control List (ACL) forms a significant part of the meta-data associated with a key. It is securely wrapped along with the key when the key is generated, and is protected to the same high standards as the key itself. The ACL for a given key describes what authorizations are required for a specific operation to be performed, such as other keys or tokens that should be loaded, and what other limitations are applied to the key once it is loaded (such as time-outs and number of permitted operations). Security World avoids the need for expensive backup tokens and manual key cloning. An ACL can describe a very simple scenario whereby a key can be used to encrypt and decrypt data, or can describe very complex hierarchies of keys which must be loaded (using their respective authentication tokens) before selected operations can be carried out. These ACL policies are all managed, unwrapped and enforced by the HSM natively, and as such cannot be compromised by an attacker. The ACL for a key is set when the key is generated and is not normally modifiable after that. 2015 Thales e-security, Inc. All rights reserved. page 7

4. Policy Enforcement The concepts of Security World ACLs, OCS Quorums and Softcards are tightly bound together, and can be used in combination or isolation to meet even the most demanding security requirements or policies for a given application. With this in mind, we can now see that a key loading and usage policy is enforced by three factors: Access to the application key token If you don t have the application key token on your application server you simply cannot load that key onto a target HSM. This policy is enforced outside the HSM, by careful and deliberate synchronization of specific application across the application server estate. Token Authorization If a key is protected by an Authorizing token, such as a Softcard or an OCS, then you must present that token before you are then permitted to load the key into the HSM. This policy is enforced inside the HSM. Access Control Lists (ACL) Once the key is loaded, the key can only then be used for specific purposes and under specific conditions described in the ACL that is bundled in the application key token. Again, this policy is enforced inside the HSM. So how can these properties be used to construct an isolated security environment for our example business models of the Enterprise and the Managed Service Provider who require isolation between applications or customers? In both cases you can use individual or combinations of the following strategies:- 1) Restrict the replication of application to only those hosts that require access to use a specific application key. 2) Leverage one of the authorization token techniques (Softcard or OCS) to control when and where an application key is loaded. 3) Programmatically manipulate the ACL of a target application key token to restrict where, when and how the key can be used. By defining a policy as a combination of these strategies, you can then apply different policies to groups of application keys. It is then clear to see how Security World can not only meet a static security environment, but also one where several opposing security policies can co-exist on the same HSM or groups of HSMs. The ACL associated with an Key defines the key policy in a form an nshield HSM can strongly enforce. page 8 2015 Thales e-security, Inc. All rights reserved. page 9

5. Conclusion As previously described, there is a high degree of flexibility in the Thales Security World key management architecture which creates a fluid fit with enterprise or managed service requirements for multi-tenancy or partitioning. The nshield HSM hardware provides a safe place where keys can be loaded and used. One of the core strengths of the Security World architecture is that application are stored in an armoured format on application servers free from the confines of any particular HSM. So deciding where the application are and are not available is really the initial factor one should define when designing a framework for partitioning. By abstracting Keys, the size of the pool of available HSMs can be tuned dynamically to satisfy changing performance requirements without the need to clone application keys between HSMs. Module Protected More availability Less enforcement Softcard Protected 1 of N OCS Protected Less availability More enforcement K of N OCS Protected Figure 3 - Degrees of Availability and Enforcement via Authorizing Tokens The design and implementation of your HSM key management policies and architecture are based on your organizational needs and the balance of requirements between the need for accessibility to keys for high volume or automated usage and the security controls defining key usage that might be required by certain high assurance situations. Security World offers several flexible and mutually exclusive mechanisms to assist in this design and implementation of such an architecture. For more details about the Security World architecture, visit https://www.thales-esecurity.com/knowledge-base/white-papers/thalessecurity-world. Figure 2 stored on hosts It is therefore better to instead conceptualize the partitioning problem less as one about containerizing the HSM, since policy enforcement of key loading and use is already trusted, but more about how the ACLs and authorization tokens are configured with application keys and most importantly how those tokens are distributed and made available to individual application hosts. page 10 2015 Thales e-security, Inc. All rights reserved. page 11

About Thales e-security Thales e-security is a leading global provider of trusted cryptographic solutions with a 40-year track record of protecting the world s most sensitive applications and information. Thales solutions enhance privacy, trusted identities, and secure payments with certified, high performance encryption and digital signature technology for customers in a wide range markets including financial services, high technology, manufacturing and government. Thales e-security has a worldwide support capability, with regional headquarters in the United States, United Kingdom, and Hong Kong. www.thales-esecurity.com Follow us on: Thales e-security May 2015 PLB5024 Americas Thales e-security Inc. 900 South Pine Island Road, Suite 710, Plantation, FL 33324 USA Tel:+1 888 744 4976 or +1 954 888 6200 Fax:+1 954 888 6211 E-mail: sales@thalesesec.com page Asia Pacific 12 Thales Transport & Security (HK) Lt, Unit 4101-3, 41/F, Sunlight Tower, 248 Queen s Road East, Wanchai, Hong Kong Tel:+852 2815 8633 Fax:+852 2815 8141 E-mail: asia.sales@thales-esecurity.com Europe, Middle East, Africa Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ Tel:+44 (0)1844 201800 Fax:+44 (0)1844 208550 E-mail: emea.sales@thales-esecurity.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information