Thales e-security keyauthority Security-Hardened Appliance with IBM Tivoli Key Lifecycle Manager Support for IBM Storage Devices




Thales e-security keyauthority Security-Hardened Appliance with IBM Tivoli Key Lifecycle Manager Support for IBM Storage Devices
WHITE PAPER, November 2011, www.thales-esecurity.com

TABLE OF CONTENTS
THE CHANGING BUSINESS ENVIRONMENT FOR ENCRYPTION 3
INTRODUCTION TO KEYAUTHORITY 4
SOLUTION BENEFITS 5
  Reducing the risk of security breach 5
  Reducing the cost of encrypted storage 6
  Simple deployment and management 6
  Meeting audit and compliance requirements 6
SUMMARY 7

THE CHANGING BUSINESS ENVIRONMENT FOR ENCRYPTION

In the past few years we have seen increasing legislation and industry regulation covering the protection of personal information and privacy. In the US, more than 46 states now have data breach notification laws. New industry-specific mandates, such as the Health Information Technology for Economic and Clinical Health (HITECH) Act, add federal data breach notification for medical patients. The German Federal Data Protection Act, the EU Data Protection Directive and initiatives from the Information Commissioner's Office in the UK add protections in Europe, and more countries around the world have, or are considering, similar legislation.

These laws typically state that organizations must encrypt data and/or notify residents if unencrypted personal data is exposed, the implication being that encryption provides safe harbor in the event of a breach. But legislators are increasingly shifting from simple notification that an event has happened towards active protection of the data in the first place. Encryption is increasingly mandated, not optional, for the protection of sensitive information. Most recently, the US states of Massachusetts and Nevada have enacted laws that require businesses to encrypt personally identifiable information. The Nevada law (SB227) further prescribes effective key management as: "Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology." Enterprises must therefore have a proven, reliable key management strategy, or accept that business as usual leaves sensitive data exposed to risk and severe consequences.

Without a secure, automated and centralized system, managing and protecting keys means relying on ad hoc procedures and redundant administration to generate, distribute, store, expire and rotate encryption keys, with the security risks and operational inefficiencies that entails. The result is high operational cost, delays in meeting audit and compliance requirements, and increased risk of human error or malfeasance. The problem becomes more complex when integrating multiple, diverse encryption systems, or extending support to new encrypting devices as they are adopted. As companies increasingly must implement encryption to meet government, industry and self-regulatory demands, secure, centralized, long-term key management is critical to deploying data encryption successfully, maintaining corporate responsibility and remaining competitive.

INTRODUCTION TO KEYAUTHORITY

Thales e-security keyauthority is a hardware-based, security-hardened encryption key management appliance designed to FIPS 140-2 Level 3 specifications (NIST validation was in progress as of November 2011). Supporting the IEEE P1619.3 draft key management standard, keyauthority ensures that business continuity and data recovery requirements are met throughout the information lifecycle. Security policies are enforceable, and detailed, secure logging lets audit and security compliance be demonstrated. Storage managers remain in control without being distracted or burdened by time-consuming and unreliable manual key management procedures; ad hoc procedures can lead to lost access to keys and, by extension, lost data recoverability.

IBM Tivoli Key Lifecycle Manager (TKLM) is a software-based key manager that supports IBM disk and tape storage systems. keyauthority natively hosts TKLM technology for managing IBM storage devices behind a hardware boundary designed to FIPS 140-2 Level 3, and adds a unified management console for encryption modules and devices beyond those managed by TKLM. For storage managers this removes the barriers to adopting encryption: reliability, recoverability and the need to maintain multiple key management systems. Storage managers learn one interface, eliminating redundancy, simplifying security tasks and reducing operating time and cost.

SOLUTION BENEFITS

Reducing the Risk of Security Breach

The primary driver for deploying encryption is to keep sensitive data secure, keeping the organization out of the data-breach notification headlines and avoiding remediation costs. Evidence of secure encryption, together with the corresponding security controls, provides safe harbor for organizations facing a breach, because stolen or lost data is useless without the associated keys. This holds only if the keys were not exposed along with the data, which is why custody of the keys matters as much as the encryption itself. Organizations can thus avoid notifying users, lost business and shareholder value, negative press, fines and litigation, and similar high-cost remediation. The critical aspects of a reliable key management system include:

> Automated, policy-based control over encryption keys, protecting sensitive data by restricting access to the appropriate users
> A reliable, security-hardened system able to maintain long-term key integrity for as long as data retention policies require
> Role-based access that prevents over-privileged administrator entitlements, and
> Support for multiple classes of encryption modules and devices (such as tape libraries, disk arrays and encryption switches).

Encryption keys are required to unlock data, and therefore must be readily available to authorized users while remaining resistant to tampering. Inefficient or unreliable key management based on manual procedures can adversely impact business continuity, data accessibility and data retention. With keyauthority, storage administrators and architects can entrust their encryption deployments to a system with clear, auditable custody and control of the keys. The hardware is designed to comply with FIPS 140-2 Level 3, providing tamper-resistant and tamper-evident protection. For example, if the seals on the appliance are removed and the chassis is opened, the attack is detected and the System (master) Key is zeroized, so that no media key can be used. Authorized users can restore the System Key once the integrity of the system has been reconfirmed.

Role-based access controls provide separation of duties, ensuring appropriate administrator entitlements and helping to prevent malicious insider attacks. Five defined roles follow NIST standards: Administrator, Security Officer, Group Manager, Recovery Officer and Auditor. No single operator has access to all functions; for example, an employee with the Administrator role can create new users but cannot assign roles, while a Security Officer can assign roles but cannot create new users. For some critical operations a maker-checker (two-person rule) requirement means that two people must see and approve the action before it takes effect.
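The controls just described, as an added illustration that is not keyauthority code and not taken from this paper: media keys are wrapped under a System (master) Key, a tamper event zeroizes that key so no media key can be unwrapped, each operation is gated by role so that an Administrator can create users but not assign roles and a Security Officer the reverse, and restoring the System Key needs two distinct Recovery Officers. The five role names come from the paper; the permission matrix, the toy XOR wrap, the escrowed backup copy used for recovery and the user names are assumptions made for this example.

```python
# Added illustration (not keyAuthority code) of the controls described above: media
# keys wrapped under a System (master) Key, tamper detection that zeroizes it,
# separation of duties, and a two-person rule for restoring it. Role names are the
# paper's; the permission matrix, toy wrap and escrowed backup are assumptions.
import os
from dataclasses import dataclass, field

# Assumed permission matrix: no single role holds every privileged operation.
ROLE_PERMS = {
    "Administrator":    {"create_user"},
    "Security Officer": {"assign_role"},
    "Group Manager":    {"create_key", "unwrap_key"},
    "Recovery Officer": {"restore_system_key"},
    "Auditor":          {"read_audit"},
}

class PolicyError(Exception):
    """Raised when a role check or the two-person rule refuses an operation."""

def no_single_role_has_all():
    """Separation-of-duties self-check: no role may cover every permission."""
    every = set().union(*ROLE_PERMS.values())
    return all(perms != every for perms in ROLE_PERMS.values())

def xor_wrap(key, kek):
    """Toy wrap of one 32-byte key under another, so unwrapping visibly depends
    on the System Key. A real appliance uses an authenticated key wrap."""
    return bytes(a ^ b for a, b in zip(key, kek))

@dataclass
class Appliance:
    users: dict                                    # user name -> role or None
    system_key: bytes = field(default_factory=lambda: os.urandom(32))
    wrapped: dict = field(default_factory=dict)    # key id -> wrapped media key

    def __post_init__(self):
        self.backup = self.system_key              # escrowed copy (assumption)

    def _check(self, actor, perm):
        role = self.users.get(actor)
        if role is None or perm not in ROLE_PERMS[role]:
            raise PolicyError(f"{actor} ({role}) may not {perm}")

    def create_user(self, actor, name):
        self._check(actor, "create_user")
        self.users[name] = None       # no role until a Security Officer assigns one

    def assign_role(self, actor, name, role):
        self._check(actor, "assign_role")
        self.users[name] = role

    def create_media_key(self, actor, key_id):
        self._check(actor, "create_key")
        if self.system_key is None:
            raise PolicyError("System Key zeroized; appliance needs recovery")
        media_key = os.urandom(32)
        self.wrapped[key_id] = xor_wrap(media_key, self.system_key)
        return media_key

    def unwrap_media_key(self, actor, key_id):
        self._check(actor, "unwrap_key")
        if self.system_key is None:
            raise PolicyError("System Key zeroized; media keys are unusable")
        return xor_wrap(self.wrapped[key_id], self.system_key)

    def tamper_event(self):
        self.system_key = None        # seals removed, chassis opened: zeroize

    def restore_system_key(self, approvers):
        """Two-person rule: two distinct Recovery Officers must approve."""
        if len(set(approvers)) < 2:
            raise PolicyError("restore_system_key needs two distinct approvers")
        for approver in approvers:
            self._check(approver, "restore_system_key")
        self.system_key = self.backup

def attempt(fn, *args):
    # True if the operation went through, False if policy refused it.
    try:
        fn(*args)
        return True
    except PolicyError:
        return False

def demo():
    # Walk through the scenario and return each outcome (constructed users).
    a = Appliance(users={"alice": "Administrator", "bob": "Security Officer",
                         "carol": "Recovery Officer", "dave": "Recovery Officer"})
    out = {"admin_created_user": attempt(a.create_user, "alice", "erin"),
           "admin_assigned_role": attempt(a.assign_role, "alice", "erin", "Group Manager"),
           "so_assigned_role": attempt(a.assign_role, "bob", "erin", "Group Manager")}
    mk = a.create_media_key("erin", "tape-001")
    out["unwrap_before_tamper"] = a.unwrap_media_key("erin", "tape-001") == mk
    a.tamper_event()
    out["unwrap_after_tamper"] = attempt(a.unwrap_media_key, "erin", "tape-001")
    out["single_person_restore"] = attempt(a.restore_system_key, ["carol", "carol"])
    out["dual_person_restore"] = attempt(a.restore_system_key, ["carol", "dave"])
    out["unwrap_after_restore"] = a.unwrap_media_key("erin", "tape-001") == mk
    return out
```

Running demo() shows the Administrator's role assignment refused, the Security Officer's accepted, unwrapping failing after the tamper event, a single Recovery Officer unable to restore alone, and media keys usable again only after two distinct officers approve. The point of no_single_role_has_all() is that separation of duties is a property of the permission matrix that can be checked mechanically; any change to the matrix that gives one role every permission should fail such a check before it reaches production.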

Lastly, a unified approach to key management requires support for multiple classes of encrypting endpoints, such as disk, tape, switches and servers, with the interoperability to integrate products from multiple vendors. With keyauthority, not only is IBM storage supported, but new standards-based encrypting endpoints can be securely managed as they become available in the years to come.

Reducing the Cost of Encrypted Storage

keyauthority uses standards-based encryption key management, so that new encryption systems can be certified and integrated into the management scheme quickly and efficiently. It is designed to support emerging protocol standards as well as legacy or proprietary protocols, greatly simplifying key management interoperability across a diverse encryption device infrastructure. keyauthority simplifies the maintenance and operation of encryption, freeing administrator time and reducing costs, especially in heterogeneous storage environments. A single, centrally managed key management system reduces the learning curve and operational costs by eliminating the need for multiple silo systems.

Simple Deployment and Management

As a hardware appliance that is pre-integrated and qualified with industry-leading encrypting storage endpoints, keyauthority is simple to install and configure, with performance optimizations that allow enterprises to accelerate deployment and time-to-value. keyauthority is highly scalable, with qualified performance metrics: in addition to the one million keys supported by TKLM, the appliance extends support to twenty-five million keys in a single key management cluster spanning multiple vendors' encryption products. This makes it possible to actively manage full key lifecycles for large, global installations consistently over many years.

Meeting Audit and Compliance Requirements

Storage teams must keep up with an ever-increasing number of government, industry and corporate security compliance requirements, while being able to respond immediately to routine audits and informal inquiries. keyauthority allows organizations to enforce encryption policies and minimize human error by automating key lifecycle management procedures. Comprehensive, secure, tamper-resistant logs are centrally maintained within a secured audit facility, quickly providing a clear audit trail that demonstrates custody and control of the keys. Access to this audit facility is controlled by an appropriately assigned administrative role to ensure integrity and accountability. The net result: audits that are easier to pass, with high reliability.
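The paper does not say how its logs are made tamper-resistant. One common construction, shown here as an added example that is not keyauthority's log format, is a chained log in which every record is authenticated together with the tag of the record before it, so that editing or deleting a record breaks the chain at that point. The MAC key, the record layout and the sample events (an Administrator creating a user, a Security Officer assigning a role, a Group Manager creating a key) are constructed for this example.

```python
# Added example (not keyAuthority's log format): a tamper-evident audit trail in
# which each record's tag covers the record and the previous tag. The MAC key,
# record layout and sample events are constructed for this illustration.
import hashlib
import hmac
import json

GENESIS = "0" * 64   # "previous tag" used for the first record in a chain

def _tag(prev_tag, record, log_key):
    # Canonical JSON so the same record always yields the same bytes.
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(log_key, prev_tag.encode() + body, hashlib.sha256).hexdigest()

def append(chain, record, log_key):
    """Append a record, linking it to the tag of the record before it."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"record": record, "tag": _tag(prev, record, log_key)})
    return chain

def verify(chain, log_key):
    """Return the index of the first record whose link fails, or None if the
    whole chain is intact. A deleted record shows up at its successor."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(entry["tag"], _tag(prev, entry["record"], log_key)):
            return i
        prev = entry["tag"]
    return None

def build_sample_chain(log_key):
    """Constructed events modelled on the role separation described in the paper."""
    events = [
        {"ts": "2011-11-01T09:00:00Z", "actor": "alice", "role": "Administrator",
         "op": "create_user", "target": "erin"},
        {"ts": "2011-11-01T09:05:00Z", "actor": "bob", "role": "Security Officer",
         "op": "assign_role", "target": "erin", "value": "Group Manager"},
        {"ts": "2011-11-01T10:12:00Z", "actor": "erin", "role": "Group Manager",
         "op": "create_key", "target": "tape-001"},
    ]
    chain = []
    for event in events:
        append(chain, event, log_key)
    return chain
```

Two caveats a practitioner should keep in mind: the chain alone cannot detect truncation of its tail, so the latest tag has to be anchored somewhere the log writer cannot reach (a copy held by the Auditor role, or a periodic signature); and whoever holds the MAC key can rebuild the whole chain, so the key must live inside the appliance boundary and never with the administrators whose actions it records. That is the reason the paper restricts access to the audit facility to a dedicated role.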

SUMMARY

Increasing government legislation and industry mandates, along with corporate governance best practices, are driving the need to deploy encryption across enterprise applications for security compliance and data protection. IT organizations must implement encryption while maintaining service level agreements, ensuring data availability, and reliably passing audits that demonstrate compliant custody and control of keys. As more endpoints such as tape libraries and disk arrays are deployed, organizations must protect the sensitive information on them, so the role of key management is critical to ensuring long-term data availability to trusted users and the ability to demonstrate compliance with policies. Many organizations have relied on IBM storage as the foundation of their encryption strategy. keyauthority provides IBM storage users with a platform designed to FIPS 140-2 Level 3 for hosting IBM encryption key management, delivering the security of a hardware-based appliance, the accountability of role-based administration with secure logging, and the flexibility of a standards-based approach for storage interoperability.

More information

To find out more about how Thales e-security and IBM can help secure your sensitive information, please visit www.thales-esecurity.com or contact Thales e-security sales at one of the contact points on the back cover.

About Thales e-security

Thales e-security is a leading global provider of data protection solutions. With a 40-year track record of protecting the most sensitive corporate and government information, Thales e-security encryption and key management solutions are an essential component of any critical IT infrastructure. Thales makes it easy to enhance the security of software-based business applications and reduce the cost and complexity associated with the use of cryptography across the organization and out to the Cloud.

Europe, Middle East, Africa
Meadow View House, Long Crendon Industrial Estate, Aylesbury, Buckinghamshire HP18 9EQ, UK
T: +44 (0)1844 201800  F: +44 (0)1844 208550  E: emea.sales@thales-esecurity.com

Americas
2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA
T: +1 888 744 4976 or +1 954 888 6200  F: +1 954 888 6211  E: sales@thales-esecurity.com

Asia Pacific
Unit 4101, 41/F, 248 Queen's Road East, Wanchai, Hong Kong, PRC
T: +852 2815 8633  F: +852 2815 8141  E: asia.sales@thales-esecurity.com

DISCLAIMER
Thales reserves the right at any time, without notice and at its sole discretion to revise, update, enhance, modify, change or discontinue the information provided herein. THALES MAKES NO REPRESENTATION OR WARRANTY AS TO THE ADEQUACY OR COMPLETENESS OF THE INFORMATION PROVIDED HEREUNDER.

All Rights Reserved. keyauthority is a registered trademark of Thales e-security Inc. Tivoli is a registered trademark of IBM. Thales, November 2011