RSA Encryption and Key Management Suite
The threat of experiencing a data breach has never been greater. According to the Identity Theft Resource Center, since the beginning of 2008, the personal information of over 30 million American consumers has been exposed through a data breach. And that only accounts for the breaches that have been reported. Data breaches are not just limited to the U.S., but remain a threat around the globe. No organization is immune to the risk regardless of size, location or industry. Many laws and regulations exist throughout the world, aimed at protecting privacy of individuals; however, those regulations can be interpreted in a number of ways. Many experts argue that data breaches are almost certainly a much larger problem because while the laws require organizations to provide the means to protect data, they fail to impose guidelines on organizations to acknowledge the true impact of a data breach or loss. A Shift in Enterprise Encryption and Key Management Securing sensitive data is a challenging task in order to meet the requirements associated with regulatory compliance. Any enterprise solution for protecting data especially data at rest in applications, databases, files or elsewhere must involve two core security technologies: strong encryption technology to protect sensitive data and full enterprise key management for effective administration and distribution of the keys that lock and unlock that protected data. Data encryption is quickly becoming the de facto control technology for meeting industry security standards and regulatory guidelines such as ISO 27002 and the Payment Card Industry (PCI) Data Security Standard (DSS). Effective, persistent security for your information requires encryption controls that can secure data at every layer of the IT stack and enterprise key management to reduce the cost and complexity of point encryption key management solutions. Several factors are driving the shift in the way businesses protect their sensitive information and lower their risk including: Companies are storing more sensitive data of all types The threat of data loss from insiders is on the rise There is a growing need to share more data with authorized external users Compounding this paradigm shift, traditional security technologies focused on hackers and perimeter protection do not help mitigate internal risks in a meaningful way. For example, in the 2008 Insider Threat Survey conducted by RSA, 64% of respondents noted they frequently or sometimes send work documents to their personal email address in order to access and work on them from home. A renewed focus is needed to encrypt the most sensitive data wherever it resides in an organization, thereby protecting the information rather than the infrastructure. Over time, the risk associated with unencrypted sensitive data being compromised can result in increased financial exposure, breach remediation, compliance costs, customer churn and brand erosion. RSA Encryption at a Glance Encrypt sensitive data irrespective of the location Meet regulatory and compliance requirements Mitigate risk through policy-based remediation and enforcement and avoid damage to brand equity and reputation Deploy enterprise key management for simplified operations and better security New markets are emerging for stolen data The regulatory environment continues to evolve and become more complex 2
The RSA Encryption and Key Management Suite is an integrated suite of products that provide encryption at different levels within the IT infrastructure. Before deciding where and what to encrypt and which data encryption and key management solutions to select, organizations should evaluate their options based on the following three rules: Data that moves physically or virtually should be encrypted. Data, whether at rest, in motion, or in use, needs to be encrypted. For backup tapes, emails that exchange confidential information or USB drives, encryption can prevent unauthorized access to data due to physical loss or online virtual interception of that information. Separation of duty. Encrypting based on duty or privilege also provides a level of access control to sensitive data. For example, if sensitive personnel records were encrypted, HR would likely be the only users with the key to access that data.administrators may be able to get in to the system to perform standard maintenance, however, would not be able to access the employee data. Mandated encryption. Depending on the industry, many organizations are mandated by law to encrypt sensitive data. RSA Solutions for Encryption and Key Management As part of RSA s Data Security System strategy, the RSA Encryption and Key Management Suite can help minimize the risks associated with data breaches of sensitive data, intellectual property and business strategy/operations data. The solution also meets regulatory requirements for encrypting data at rest and data in transit. Sensitive data stored in file systems on servers and end points is also protected. The RSA Encryption and Key Management Suite is an integrated suite of products that provide encryption at different levels within the IT infrastructure. The RSA Encryption Suite is comprised of encryption solutions designed to protect sensitive information stored in file systems on servers and endpoints. The RSA Key Manager solution securely stores, distributes and manages encryption keys throughout their lifecycle. Secure applications can be designed without increased costs or timelines, and additional data center encryption policies, such as tape and disk, can be deployed easier than with standalone key management. RSA s encryption solutions address the need for encryption at different levels within the enterprise infrastructure. Key advantages of the RSA Encryption and Key Management Suite are: Minimizes risk associated with data breaches of sensitive data, intellectual property and business strategy/operations data Meets regulatory requirements for data at rest and data in transit Protects sensitive information stored in file systems on servers and endpoints 3
The Real Costs of a Data Breach Headlines of data breaches affecting tens of thousands of individuals are reported each day, but what are the real costs that are not often considered? When examining the costs of a data breach, most consider the cost of having to compensate customers if their personal information is stolen and sold for the purpose of identity theft. But the real costs go far beyond that. The first cost often overlooked is that of breach notification. Consider a recent case where a backup tape was lost that contained the records of 4.5 million individuals. The odds of that information ending up in the wrong hands and being sold on the black market is probably low. The real cost comes into play now that the organization has to initiate a plan to notify their customers of a potential data breach and bear the associated costs. According to the Ponemon Institute, the cost of notifying an individual of a data breach is almost $200. Now consider the case in which 4.5 million individuals were potentially exposed and would require notification. The financial burden could be overwhelming. The second cost is for compliance efforts. While failure to comply with regulations may induce hefty fines, the flip side of creating and monitoring compliance programs creates an enormous amount of overhead. A study published in CIO Magazine contends that at least 20% of an IT organization s time is spent on compliance issues. That s one day a week per employee. Depending on the size of the IT organization, this can amount to exorbitant costs. Securely stores, distributes and manages encryption keys throughout their lifecycle Allows for secure application design without increased costs or timelines The RSA Encryption and Key Management suite includes: RSA Key Manager with Application Encryption RSA Key Manager for the Datacenter Native tape SAN/Disk Fabric-based (Connectrix ) Database RSA BSAFE encryption RSA Key Manager for the Datacenter RSA Key Manager for the Datacenter is an easy-to-use, centrally administered enterprise key management system that can manage encryption keys for a variety of encryption solutions like native tape backup, disk storage and fabricbased encryption. It is designed to simplify the deployment and ongoing use of encryption throughout the enterprise. RSA Key Manager for the Datacenter also works well with application encryption technology from RSA, which provides encryption and key management to secure sensitive data at the application layer. This allows customers to maintain a single comprehensive enterprise key management strategy. RSA Key Manager is an enforcement mechanism that scales across multiple encryption technologies in the enterprise with support from RSA, EMC and third parties. It provides key vaulting to ensure that keys are not compromised and will be available when data needs to be decrypted for future use. In addition, RSA Key Manager has built-in clustering for disaster recovery and business continuity, ensuring that critical keys that provide access to encrypted data are not lost. 4
RSA Key Manager for the Datacenter scales across the enterprise with centralized key management for encryption on the host, SAN switch, file system, tape drive and database. EMC PowerPath encryption EMC Connectrix encryption Tape backup File encryption Database encryption Sharing of encrypted data between different applications is facilitated by establishing centralized policies for key lifecycle management. Security risks are reduced by ensuring that the management of encrypted data and the management of encryption keys are maintained as two separate functions within the organization. RSA Key Manager for the Datacenter Solutions RSA Key Manager for the Datacenter solutions consists of the RSA Key Manager Server (pre-configured hardware server or appliance) plus modules for: Native Tape enables integration with native tape library encryption an excellent way to secure tape drives while in transit PowerPath enables EMC PowerPath encryption with RSA a server-resident solution for protection of sensitive data at rest before it moves to a storage array. Connectrix SME enables EMC Connectrix Storage Media Encryption (SME) with RSA a SAN switch-based solution for encryption to tape or virtual tape to achieve regulatory compliance and physical protection of data on tape media. Oracle enables the Transparent Data Encryption feature in Oracle Advanced Security for Oracle Database 11g for protecting sensitive data in databases. RSA Key Manager Server appliance a hardware form factor, pre-configured for central management of encryption keys throughout the enterprise. Organizations can leverage the same appliances across multiple storage encryption solutions. RSA Key Manager with Application Encryption RSA Key Manager with Application Encryption helps achieve compliance with regulations related to PCI and personally identifiable information (PII) by quickly embedding the encryption of sensitive data into enterprise applications. It also helps prevent the loss of sensitive data at the point of creation, ensuring that data stays encrypted, even as it is transmitted and stored. With built-in integration with the RSA Key Manager Server (available in both software and hardware), it simplifies provisioning, distribution and management of keys and speeds up the deployment and administration of encryption-enabled applications. 5
Nearly one-third of consumers notified of a security breach terminate their relationship with the company. Ponemon Institute RSA Key Manager with Application Encryption is designed to address the needs of security teams and application owners. It has been used in many diverse, business-critical applications including point-of-sale, business intelligence, transaction processing and web applications to meet regulatory compliance and internal security policy requirements. RSA Key Manager with Application Encryption offers the following features: Easy to use interface that works within existing development infrastructure Use simple encrypt and decrypt calls to shorten the learning curve for developers since no in-depth encryption knowledge is required. Support for popular development languages and platforms such as C,.NET, Java, COBOL and CICS ensure quick integration into the workflow of existing development tools and infrastructure. Support for common cryptographic operations and FIPS certified Use industry standard algorithms such as Advanced Encryption Standards (AES), 3DES and HMAC either for strong encryption key generation or for operations such as MAC verify and cipher header integrity check. RSA Key Manager with Application Encryption is also FIPS-140 certified. Built-in integration with the RSA Key Manager Server Encryption keys can be automatically provisioned and distributed securely with the RSA Key Manager Server via mutually authenticated SSL, saving developers from the complex task of managing keys. Key caching support for uninterrupted operations A unique configurable key cache ensures that cryptographic operations can continue without interruption in the event of a connectivity failure. Comprehensive platform support Broad platform support across Linux, mainframe, UNIX and Windows simplifies the integration with existing applications. RSA BSAFE Encryption RSA BSAFE encryption provides the security functionality necessary to allow developers to meet the stringent FIPS 140 and Suite B requirements for offering products to U.S. government agencies. RSA s solutions are relied upon by the U.S. Department of Defense and many other government agencies because of their reputation for quality, reliability and adherence to FIPS 140 and Suite B cryptographic standards. Many leading companies including Adobe, Oracle, Hypercom, Skyworks, Sony and Nintendo rely on RSA BSAFE encryption to provide the foundational security functionality required by their respective software and device applications. RSA BSAFE encryption, privacy and signature solutions device developers are designed to help meet security requirements on the most constrained devices. 6
RSA BSAFE security tools for C/C++ software developers provide the secure foundation needed to support data privacy, network authentication and secure network communication in commercial software applications. RSA BSAFE security tools for Java extend the security capabilities of the Java platform and fully support Java security standards including Java Cryptography Extensions (JCE). RSA s Java tools also provide one of the first FIPS 140 validated JCE-compliant cryptography providers on the market. Designing applications using RSA BSAFE security software allows organizations to achieve a solid, secure application design without significantly increasing development times or costs. And unlike alternatives such as open source security software, RSA s technology is enhanced regularly to address the latest vulnerabilities and advancements in cryptographic technology and are built on open and proven industry standards, many of which have been developed and championed by RSA. RSA s solutions offer interoperability and ease of integration into existing software and device systems. About RSA s Data Security System Strategy The RSA Data Security System provides a comprehensive approach to securing data. The vision for the Data Security System is to enable centralized policy management that is business risk driven by discovering and classifying sensitive information, deploying appropriate enforcement controls (such as encryption), and reporting and auditing security events. The RSA Data Security System embraces a holistic approach that integrates security policy management, data discovery, data security enforcement and audit capabilities into a framework to enable complete data security. The cost of a sensitive data breach will increase 20 percent per year through 2009. Gartner Research 7
RSA is your trusted partner RSA, the Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world s leading organizations succeed by solving their most complex and sensitive security challenges. RSA s information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle no matter where it moves, who accesses it or how it is used. RSA offers industry-leading solutions in identity assurance & access control, data loss prevention, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.rsa.com and www.emc.com. 2008 RSA Security Inc. All Rights Reserved. RSA, RSA Security and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC, PowerPath and Symmetrix are registered trademarks of EMC Corporation. Windows is a registered trademark of Microsoft Corporation. All other products and services mentioned are trademarks of their respective companies. RKMGRS SB 0109