марко safe net@rainbow-informzashita - februar 2012


Posted 08-May-2015. Category: Technology.

DESCRIPTION

SafeNet technology presentation given at the Informzashita ("Информзащита") seminar.

TRANSCRIPT

Page 1: марко Safe net@rainbow-informzashita - februar 2012

SafeNet DataSecure platform

Technological leadership in protecting the information lifecycle

Marko Bobinac

PreSales Engineer Eastern EMEA

21.02.2012

Page 2:

Page 3:

The Data Protection Company

Protecting high value information in the world's most complex environments

Protection that evolves with the customer's needs

Solutions for persistently protecting information as it moves through its lifecycle

Page 4:

Page 6:

SafeNet Data Protection Product Portfolio

Identities, Transactions, Data, Communications

• Authentication: offering the broadest range of authenticators, from smart cards and tokens to mobile phone authentication, all managed from a single platform.

• HSM: offering the most secure, and easiest to integrate, technology for securing PKI identities and transactions.

• Data Encryption and Control: SafeNet's DataSecure, a universal platform delivering intelligent data protection and control for information assets.

• High-Speed Network Encryption: SafeNet high-speed network encryptors combine the highest performance with a unified management platform.

Page 7:

(Product map diagram; the labels below are the recoverable text, grouped by the area of the map they appeared in.)

• Cloud / External IT Solutions: eSafe; Software Rights Management / Software as a Service (SRM SaaS); Access to Cloud-Based Apps; Cryptographic Keys / Virtualized Application Security (HSM); Public and Private Cloud Infra Protection (HSE)

• Identity Protection: Authentication & Access Management; PKI Infrastructure / Certificate Authority; SAM

• Endpoint Protection: Self Encrypting HDs; Authentication & Access Management

• Communication Protection: Web Gateways; Firewalls / SSL VPNs; High Speed Encryption; HSM

• Data Encryption & Control (DataSecure): ProtectZ (Mainframe); ProtectFile (File Servers); ProtectDB (Database); ProtectApp (Application/Web Servers); Secure Cloud Storage & Applications; Key Secure; Email Gateways; Storage Encryption (NAS)

Page 8:

Cryptography as an IT Service

(Architecture diagram; the labels below are the recoverable text.)

• Protect Cloud & Virtual Infrastructure: ProtectV Manager virtual appliance, covering virtual instances and virtual storage

• Protect Data Centers: DataSecure appliance, covering applications, databases, mainframes, file servers and tokenization

• Protect Storage: StorageSecure appliance, covering file shares, network storage and tape backups

• Protect Data Transfer: High Speed Encryptors with Management Center

• Protect Identities: Authentication Manager and HSM appliance, covering national IDs, AMI metering, e-signatures, e-passports and certificate infrastructures

• Protect Infrastructure: 3rd party technologies integrated via KMIP

Page 9:

The Magic Quadrant for User Authentication

(Chart, as of January 2012: Ability to execute on the vertical axis, Completeness of vision on the horizontal axis; quadrants: niche players, visionaries, challengers, leaders.)

Page 10:

DataSecure: The Foundation of Data Encryption & Control

Page 11:

Six Best Practices in Data Protection & Compliance

1. Security — Not Just Compliance

2. Define your Corporate Policies

3. Involve the Stakeholders

4. Know your Data

5. Understand your Threats

6. Determine where to Protect your Data

Page 12:

Seven Methodologies for Data Encryption & Control

1. Maintain Control Over Data Types

2. Create Points of Trust for Administration and Policy

3. Leverage a Secure, Hardened Platform for Heterogeneous Environments

4. Choose Standards-Based Security when Possible

5. Select a Flexible Platform for Encryption and Tokenization

6. Pick a Solution with Key Management Best Practices

7. Ensure Proof of Compliance is Easy

Page 13:

Worldwide Compliance Requirements

• Canadian Electronic Evidence Act

• PCI Data Security Standard (WW)

• CA SB1386 et al.

• HIPAA (USA)

• FDA 21 CFR Part 11

• GLB Act

• Sarbanes-Oxley Act (USA)

• AIPA (Italy)

• GDPdU and GoBS (Germany)

• NF Z 42-013 (France)

• EU Data Protection Directive

• Financial Services Authority (UK)

• UK Data Protection Act

• Electronic Ledger Storage Law (Japan)

• 11MEDIS-DC (Japan)

• Japan PIP Act

• PCI (WW)

• Basel II Capital Accord

Page 14:

SafeNet Data Encryption & Control

Protecting sensitive data throughout its lifecycle... wherever it resides

In Data Centers

• Applications

• Databases

• File Servers

• Mainframes

In the Cloud

• Persistent, secured cloud storage for structured & unstructured data

On Endpoints

• Desktops

• Laptops

• Removable Media

(Diagram: the DataSecure Platform at the centre, with ProtectApp for Web/App Servers, ProtectFile Server for File Servers, ProtectDB for Databases, ProtectZ for Mainframes, Tokenization, Cloud, and ProtectDrive for endpoints.)

Page 15:

DataSecure Platform

Appliance solution for

• High-performance encryption

• Simplified cryptographic key and policy management

• Hardened Linux kernel

• FIPS and Common Criteria certified

• High Availability

Combined with connectors (software)

• Connectors for applications, databases, file servers, and stations.

• Secures the connection to the appliance (connection pooling, SSL).

Page 16:

Core Benefits of SafeNet DataSecure

Security

• Hardware-based solution

• Centralized encryption and key management

• Authentication, authorization, and auditing

Performance

• High performance encryption offload

• Batch processing for massive amounts of data

• Local encryption capabilities

Flexibility

• Support for heterogeneous environments

• Support for open standards and APIs

• Range of enterprise deployment models

Manageability

• Simplified appliance-based approach

• Web management console

• CLI (command line interface)

Availability

• Enterprise clustering and replication

• Load balancing, health checking, and failover

• Geographically distributed redundancy

Page 17:

Security

Centralized Policy Management

• Security administrators control data protection policy

• Keys created and stored in a single location

• Dual Administrative Control

• Separation of Duties

• Logging, Auditing and Alerts

FIPS & Common Criteria Certified Solution

• FIPS 140-2 Level 2 & CC EAL2 Certified

• Keys are stored in the appliance

• Different types of encryption available: AES, 3DES, RSA ...

• Certificate authority to manage its integrated SSL access

Authentication & Authorization

• Multi-factor authentication possible between DataSecure and the database or application.

• Access control: granularity of crypto policy, by key, by schedule, etc.

• Support for LDAP

Page 18:

Performance

Encryption Offload

• Optimized, high-performance hardware

• Frees up database and application servers

• Latency less than 300 microseconds per request

Local Encryption Option

• Configurable for hardware offload or local encryption

Batch Processing

• Perform batch encrypts/decrypts for high performance

• More than 100k TPS

• Batch tools include: Transform Utility; ICAPI (SafeNet API protocol)

• Easy integration into existing applications

Performance average: 15 minutes to encrypt 5,000,000 records of 16 octets (char) on MS SQL with x 1 i430 in AES256

Page 19:

Flexibility

Heterogeneous Environments

• Comprehensive enterprise solution

• Web, Application, Database, Mainframe or File Server

• Data Center or Distributed Environments

• Open Standards-based APIs, cryptographic protocols

Scalability

• Models with capacity from 2,500 TPS to 100,000 TPS

• Clustering further increases capacity and redundancy

• Licensing structure enables cost-effective build-out

Page 20:

Availability

(Diagram: a DataSecure Cluster spanning Moscow and Saint Petersburg.)

Clustering

• Keys and policy are shared/replicated among DataSecures in a global cluster

Load Balancing

• Connector software can load balance across a group of appliances

• Multi-tier load balancing enables transparent fail over to alternate appliance(s)

Page 21:

Positioning of the SafeNet DataSecure®

• Configurations to meet your needs — today and in the future

• Extend investment across data types as needed

• Scalable to address growth

SCALABLE FOR GROWTH

(Diagram: SafeNet DataSecure at the centre, with SafeNet ProtectApp for Application and Web Servers, SafeNet ProtectFile for File Servers, SafeNet ProtectDB for Databases, Tokenization, and ProtectZ for Mainframes.)

Page 22:

ProtectDB Use Case

Use Case Steps

1. Cleartext values passed via database server to DataSecure

2. DataSecure returns encrypted values to the database server (Encrypted value can be shared across the organization in other environments in a persistently encrypted format)

3. Transform Utility can be used to support high performance batch processing

Supported Databases

• Oracle, Microsoft SQL Server, IBM DB2 & Teradata

• Supports native database encryption key storage/management

Algorithms

• 3DES, DES, and AES

Supported Platforms

• Windows, Linux, Solaris, HP-UX, AIX, or IBM z/OS

(Diagram: a credit card value in the CRM flows to DataSecure, which returns the encrypted value; the Transform Utility handles batch conversion.)

Page 23:

Database protection with native encryption

• Heterogeneous database environments – Oracle, MS SQL, IBM DB2...

• The information should not be visible to the DBA (accessible vs. visible)

• The cryptographic load often requires a hardware upgrade

• Transparent native encryption requires an upgrade of the software versions

• Access to the logs is not secure, and reading them is complex (unfiltered)

• Native platforms are not certified or "certifiable" (FIPS, CC)

• The cryptographic keys are used in a non-secure buffer

• The keys are not sequestered except with the use of an HSM, and then only for the master key

• Resources are not shared, and the key rotation process is binding

Page 24:

ProtectApp Use Case

Use Case Steps

1. Cleartext value passed via application layer to DataSecure

2. DataSecure returns encrypted value

3. Encrypted value can be shared with heterogeneous applications & database

Supported Web & Application Servers

• Oracle, IBM, BEA, IIS, Apache, Sun ONE, JBoss

Algorithms

• 3DES, DES, AES, RSA (signatures and encryption), RC4, SHA-1, SHA-2

Supported Platforms

• .NET, MSCAPI, PKCS#11, JCE, ICAPI, XML

• Windows, Linux, or IBM z/OS

(Diagram: an E-Commerce (Java or .Net) application, an ERP application and a CRM application send the cleartext value to DataSecure and receive the encrypted value, which is stored in the customer database.)

Page 25:

ProtectZ Features for Database & Applications Running on IBM Mainframes

Granular Protection

• Retain ownership of data on IBM z/OS mainframes in databases and applications

Proven Algorithms

• Achieve the highest level of database and application security by using proven cryptographic algorithms such as AES, DES and DESede, combined with strong identity and access-policy protection

Broad Support

• Flexible support for APIs such as ICAPI & JCE, application support for Cobol, RPG, assembler for environments such as CICS, TSO or batch, and data storage in DB2, IMS, VSAM, DASD

Data Type Support

• Coverage for data types such as BIGINT, CHAR, DATE, DECIMAL, INTEGER, SMALLINT, TIME, TIMESTAMP, and VARCHAR

(Diagram: Applications and Databases connected to DataSecure.)

Page 26:

ProtectFile for Servers Features

Use Case Steps

1. Document encrypted by DataSecure based on corporate policy

2. Protected file or folder stored on file server in data center

3. Only privileged users can access, view, modify, or delete protected files

Interoperability with

• RIS, SMS, Tivoli, TNG, Active Directory and multi-factor authenticators

Algorithms

• FIPS 140 Level 2 AES

Supported Platforms

• Windows and Linux operating systems, Microsoft, Novell, Netware & Unix (Samba)

(Diagram: intellectual property on network-attached file servers, protected by DataSecure and accessible only to privileged users.)

Page 27:

ProtectFile Sample Policies

Finance Managers – get full access to confidential financial spreadsheets.

Outside Auditors – get access to sensitive files remotely and offline, but need to be re-authorized by IT every 30 days to regain access. (Policy can be configured based on any set amount of time.)

IT Administrators – get access to perform routine maintenance, but cannot see any files that have been encrypted (IT sees only cipher text).

Call center reps can encrypt credit card numbers for phone orders.

Customer contracts sent to the call center are saved to a shared file server by the call center reps, where they are automatically encrypted and strict access control is applied.

Market analysts are able to access and share their competitive analysis on seasonal opportunities in the Finance folder, but only see cipher text if they try to open the spreadsheet with analyst salary information.

• Create policies that align to lines of business

• Granular policies can be defined to control access to authorized users

Page 28:

Access Policy page example

Page 29:

Access Level – sample I: user with Encrypt & Decrypt permissions

Page 30:

Access Level – sample II: user with Backup & Restore Ciphertext permissions

Page 31:

Access Level – sample III: user with No Access permissions
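The three access levels on pages 29 to 31, together with the sample policies on page 27 (IT sees only ciphertext, outside auditors must be re-authorized every 30 days, analysts see ciphertext only for the salary spreadsheet), amount to a small policy engine. The Go program below is an added example of such an engine and is not SafeNet's ProtectFile code: the level names, the role names, the `/finance` folder tree and the longest-matching-folder rule are assumptions made for the example, and `placeholderCipher` is a stand-in so the program runs offline, not the product's encryption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Access levels modelled on the access-level samples (constructed names).
type Level int

const (
	NoAccess                Level = iota
	BackupRestoreCiphertext       // may copy or restore the file, but sees only ciphertext
	EncryptDecrypt                // may read and write cleartext
)

// Grant is one line of a folder's policy; ReauthEvery == 0 means no expiry.
type Grant struct {
	Level       Level
	ReauthEvery time.Duration // the slide's "every 30 days" for outside auditors
}

// Policy maps a folder path to the grant each role holds there.
type Policy map[string]map[string]Grant

// Principal is a user with a role and the time IT last (re-)authorized them.
type Principal struct {
	Name, Role     string
	LastAuthorized time.Time
}

var (
	ErrDenied       = errors.New("access denied")
	ErrReauthNeeded = errors.New("re-authorization by IT required")
)

// levelFor uses the most specific folder that mentions the role (longest
// matching path prefix), then applies the re-authorization window.
func (p Policy) levelFor(path string, who Principal, now time.Time) (Level, error) {
	best, g := "", Grant{}
	for folder, grants := range p {
		if path != folder && !strings.HasPrefix(path, folder+"/") {
			continue
		}
		if gr, ok := grants[who.Role]; ok && len(folder) >= len(best) {
			best, g = folder, gr
		}
	}
	if best == "" || g.Level == NoAccess {
		return NoAccess, ErrDenied
	}
	if g.ReauthEvery > 0 && now.Sub(who.LastAuthorized) > g.ReauthEvery {
		return NoAccess, ErrReauthNeeded
	}
	return g.Level, nil
}

// ProtectedFile holds ciphertext only; cleartext is produced just for an
// EncryptDecrypt caller.
type ProtectedFile struct {
	Path       string
	Ciphertext []byte
}

// placeholderCipher is NOT encryption: it only makes "ciphertext" differ
// from cleartext so the example runs offline (assumption for the example).
func placeholderCipher(b []byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = c ^ 0x5A
	}
	return out
}

// Read returns cleartext to EncryptDecrypt, the stored ciphertext to
// BackupRestoreCiphertext (what IT sees), and an error otherwise.
func (p Policy) Read(f ProtectedFile, who Principal, now time.Time) ([]byte, error) {
	lvl, err := p.levelFor(f.Path, who, now)
	if err != nil {
		return nil, err
	}
	if lvl == EncryptDecrypt {
		return placeholderCipher(f.Ciphertext), nil
	}
	return f.Ciphertext, nil
}

// Write replaces the file's content; only EncryptDecrypt may change cleartext.
func (p Policy) Write(f *ProtectedFile, who Principal, now time.Time, clear []byte) error {
	lvl, err := p.levelFor(f.Path, who, now)
	if err != nil {
		return err
	}
	if lvl != EncryptDecrypt {
		return ErrDenied
	}
	f.Ciphertext = placeholderCipher(clear)
	return nil
}

// SamplePolicy encodes the slide's examples for a constructed /finance tree.
func SamplePolicy() Policy {
	return Policy{
		"/finance": {
			"finance-manager": {Level: EncryptDecrypt},
			"outside-auditor": {Level: EncryptDecrypt, ReauthEvery: 30 * 24 * time.Hour},
			"it-admin":        {Level: BackupRestoreCiphertext},
			"market-analyst":  {Level: EncryptDecrypt},
		},
		// analysts work in /finance but get only ciphertext for salary files
		"/finance/salaries": {"market-analyst": {Level: BackupRestoreCiphertext}},
	}
}

func main() {
	pol, now := SamplePolicy(), time.Now()
	f := ProtectedFile{Path: "/finance/salaries/analysts.xlsx"}
	_ = pol.Write(&f, Principal{Name: "alice", Role: "finance-manager"}, now, []byte("salary data (constructed)"))
	for _, role := range []string{"finance-manager", "it-admin", "market-analyst"} {
		out, err := pol.Read(f, Principal{Role: role, LastAuthorized: now}, now)
		fmt.Printf("%-16s -> %q err=%v\n", role, out, err)
	}
}
```

The point worth noticing is that the backup operator's path never touches cleartext: `Read` hands the stored bytes back unchanged for that level, so a backup or restore tool can move files around without a decryption key ever being loaded for it.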

Page 32:

Information preview: StorageSecure

• New appliance (March 2012) for protecting storage

• Supports any kind of NAS (CIFS, NFS)

• 1 Gb/s – 10 Gb/s of file encryption

• Transparent – works on the network layer

• Not a replacement for ProtectFile – the decision depends on what fits you best, as DataSecure offers a wider range of solutions!

Page 33:

Tokenization Manager Use Case

(Diagram: Enterprise Application, Backoffice support, Payment application and Small Market systems exchange card numbers and tokens with the Tokenization Manager in front of DataSecure; the PCI Auditor sees only the tokenized side.)

1. Sensitive data comes in through a consumer system

2. Sensitive data is passed to Tokenization Manager

3. Tokenization encrypts the sensitive data, stores it and returns a token

4. Payment application passes tokens to Tokenization Manager to request original data it needs for bank transaction

5. Tokenization decrypts and returns sensitive data

6. PCI Auditor only needs to inspect tokenized database and active applications
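The six steps above, and the ProtectDB and ProtectApp use cases on pages 22 and 24 (cleartext in, encrypted value or token out, with the protected value shareable across systems), share one shape: a single trusted component holds the key and the mapping, and every other system handles only the substitute value. The Go program below is an added example of that shape and is not SafeNet's Tokenization Manager code. Its assumptions: AES-256-GCM from the Go standard library stands in for the appliance's cryptography, tokens are sixteen digits keeping the card's last four (a constructed format policy), the vault is in memory, and only a caller in the `payment` role may detokenize.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// Caller roles, constructed for this example.
const (
	RoleConsumer = "consumer" // front-office systems: may tokenize only
	RolePayment  = "payment"  // payment application: may detokenize for the bank
)

// Manager models the Tokenization Manager: key and vault stay here, so the
// CRM, back office and the PCI auditor only ever handle tokens.
type Manager struct {
	mu    sync.Mutex
	aead  cipher.AEAD
	vault map[string][]byte // token -> nonce || AES-256-GCM ciphertext of the card number
}

// NewManager takes a 32-byte key; on the product the key would live in the appliance.
func NewManager(key []byte) (*Manager, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Manager{aead: aead, vault: make(map[string][]byte)}, nil
}

// newToken returns 12 random digits plus the card's last four, so receipts
// and support screens keep working without the real number (constructed policy).
func newToken(pan string) (string, error) {
	buf := make([]byte, 12)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	for i := range buf {
		buf[i] = '0' + buf[i]%10
	}
	return string(buf) + pan[len(pan)-4:], nil
}

// Tokenize is step 3 of the use case: encrypt, store, hand back a token.
func (m *Manager) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("value is not a card number length")
	}
	nonce := make([]byte, m.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	for {
		tok, err := newToken(pan)
		if err != nil {
			return "", err
		}
		if _, taken := m.vault[tok]; taken {
			continue // collision with an existing token: draw again
		}
		// The token is the associated data: a vault entry copied under
		// another token fails authentication instead of decrypting.
		m.vault[tok] = append(nonce, m.aead.Seal(nil, nonce, []byte(pan), []byte(tok))...)
		return tok, nil
	}
}

// Detokenize is steps 4 and 5: only the payment role gets the card number back.
func (m *Manager) Detokenize(role, tok string) (string, error) {
	if role != RolePayment {
		return "", fmt.Errorf("role %q is not allowed to detokenize", role)
	}
	m.mu.Lock()
	rec, ok := m.vault[tok]
	m.mu.Unlock()
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := m.aead.NonceSize()
	pan, err := m.aead.Open(nil, rec[:ns], rec[ns:], []byte(tok))
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

// AuditView is step 6: the PCI auditor can list which tokens exist without
// any path to the card numbers behind them.
func (m *Manager) AuditView() []string {
	m.mu.Lock()
	defer m.mu.Unlock()
	toks := make([]string, 0, len(m.vault))
	for t := range m.vault {
		toks = append(toks, t)
	}
	return toks
}

func main() {
	m, _ := NewManager(make([]byte, 32))     // all-zero key: demo only
	tok, _ := m.Tokenize("4111111111111111") // constructed test card number
	pan, err := m.Detokenize(RolePayment, tok)
	fmt.Println("token:", tok, "payment app gets:", pan, err)
	_, err = m.Detokenize(RoleConsumer, tok)
	fmt.Println("consumer system gets:", err)
}
```

Binding the token into the GCM associated data is the detail to keep: it makes the vault row and the token a unit, so a row that is swapped or re-labelled cannot be opened under a different token, and it costs nothing at runtime.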

Page 34:

Maintain Ownership and Control with DataSecure

• Centralized tool to create granular protection policies and control who and what has access to sensitive data, when and where

• Standards-based encryption with the highest level of security in a commercial platform

• Logging, auditing and reporting capabilities provide visibility for enforcement, refinement and compliance

• Persistent protection as data moves within data centers, out to endpoints and into the cloud

Page 35:

Protection for different Data Types

One platform to protect:

• Personal Identifiable Information

• Payment & Transactional Data

• Intellectual Property

• Non-public Information

(Diagram: File Servers, Databases, Cloud and Applications around DataSecure, with Key Management, Policy Management, Control and Administration.)

INDUSTRY DATA TYPES

• Healthcare – Patient Records

• Financial Services – Account Info

• Retail – Credit Cards

• Manufacturing – Design Specs

• Energy – Land Surveys

• Government – Soc. Sec # / Tax ID

Page 36:

DataSecure Supports Separation of Duties

SECURITY

DataSecure is the foundation of data encryption & control by securing a wide array of data types under one platform that:

• Provides tools for the administration, enforcement, monitoring, and reporting of the data protection solution

• Establishes distinct roles so no single administrator can compromise the system

• Administration for key and policy management requiring "m of n" credentials
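An "m of n" credential requirement means that no single administrator, and no m-1 of them together, holds enough to authorise a key or policy operation. The usual construction behind it is Shamir secret sharing: the protected value is the constant term of a random polynomial of degree m-1, each administrator holds one point on it, and any m points recover the constant while fewer reveal nothing. The Go program below is an added example of that construction and is not SafeNet's implementation; it assumes arithmetic in GF(p) with p = 2^521 - 1 (a Mersenne prime, chosen so secrets up to 65 bytes fit), and the key-encryption key it splits is a constructed demo value.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// prime is 2^521 - 1, a Mersenne prime; all arithmetic is modulo prime.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one administrator's credential: the point (X, f(X)).
type Share struct {
	X int
	Y *big.Int
}

// Split creates n shares of secret such that any m reconstruct it: the
// secret is the constant term of a random polynomial of degree m-1.
func Split(secret []byte, m, n int) ([]Share, error) {
	if m < 2 || m > n || n > 255 {
		return nil, errors.New("need 2 <= m <= n <= 255")
	}
	s := new(big.Int).SetBytes(secret)
	if s.Cmp(prime) >= 0 {
		return nil, errors.New("secret too large for the field")
	}
	coef := make([]*big.Int, m) // f(x) = s + a1*x + ... + a(m-1)*x^(m-1)
	coef[0] = s
	for i := 1; i < m; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coef[i] = c
	}
	shares := make([]Share, n)
	for i := range shares {
		x := big.NewInt(int64(i + 1)) // never x = 0: f(0) is the secret itself
		y := new(big.Int)
		for j := m - 1; j >= 0; j-- { // Horner's rule, reduced mod p
			y.Mul(y, x).Add(y, coef[j]).Mod(y, prime)
		}
		shares[i] = Share{X: i + 1, Y: y}
	}
	return shares, nil
}

// Combine rebuilds the secret from the first m shares by Lagrange
// interpolation at x = 0; secretLen restores leading zero bytes.
func Combine(shares []Share, m, secretLen int) ([]byte, error) {
	if len(shares) < m {
		return nil, fmt.Errorf("quorum not met: %d of %d shares presented", len(shares), m)
	}
	shares = shares[:m]
	seen := make(map[int]bool)
	for _, sh := range shares {
		if sh.X < 1 || seen[sh.X] {
			return nil, errors.New("invalid or duplicate share")
		}
		seen[sh.X] = true
	}
	sum := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			// L_i(0) = prod_{j != i} x_j / (x_j - x_i); big.Int.Mod keeps the sign non-negative
			num.Mul(num, big.NewInt(int64(sj.X))).Mod(num, prime)
			den.Mul(den, big.NewInt(int64(sj.X-si.X))).Mod(den, prime)
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime)).Mod(term, prime)
		sum.Add(sum, term).Mod(sum, prime)
	}
	out := sum.Bytes()
	if len(out) > secretLen {
		return nil, errors.New("reconstructed value does not fit the expected length")
	}
	padded := make([]byte, secretLen)
	copy(padded[secretLen-len(out):], out)
	return padded, nil
}

func main() {
	kek := []byte("constructed-kek-for-demo-only!!!") // demo value, not a real key
	shares, _ := Split(kek, 3, 5)                      // 3 of 5 administrators
	got, err := Combine(shares[2:], 3, len(kek))
	fmt.Printf("3 of 5 shares -> %q (err=%v)\n", got, err)
	_, err = Combine(shares[:2], 3, len(kek))
	fmt.Println("2 of 5 shares ->", err)
}
```

Two design points carry over to any real deployment: the combining step must happen inside the trusted component (here the appliance), never on an administrator's workstation, and a share that is handed in for one operation should not be reusable for a second one without the other m-1 holders presenting theirs again.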

Page 37:

Key Management throughout Lifecycle

(Diagram: Finance Manager, Legal Manager, HR Manager, Database Administrator, Security Officer and IT Manager for Tape Storage around SQL, Oracle and DB2 databases.)

Generate, Certify, Backup, Activate, Deactivate, Rotate, Compromise, Destroy
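The eight verbs on this slide describe a state machine in which a key's permitted uses only ever shrink: once activated it may encrypt and decrypt, after deactivation or compromise it may only decrypt (so data already protected stays readable until it is re-encrypted), and it may be destroyed only when nothing depends on it. The Go program below is an added example of such a state machine and is not SafeNet's key model; the state names, the transition table, the rule that a key must be certified and backed up before activation, and the reference count standing in for "data still encrypted under this version" are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// States and transitions are constructed from the slide's verbs.
type State string

const (
	Generated   State = "generated"   // material exists but is not usable yet
	Active      State = "active"      // may encrypt and decrypt
	Deactivated State = "deactivated" // decrypt only: old data stays readable
	Compromised State = "compromised" // decrypt only, to migrate data off it
	Destroyed   State = "destroyed"   // material gone; data left under it is lost
)

// allowed lists the legal transitions; Activate and Destroy add their own checks.
var allowed = map[State][]State{
	Generated:   {Active, Destroyed},
	Active:      {Deactivated, Compromised},
	Deactivated: {Compromised, Destroyed},
	Compromised: {Destroyed},
}

// KeyVersion is one version of a named key. Refs counts data items still
// encrypted under it (constructed bookkeeping for the example).
type KeyVersion struct {
	Version   int
	State     State
	Certified bool // approved by the security officer
	BackedUp  bool
	Refs      int
}

func (kv *KeyVersion) move(to State) error {
	for _, s := range allowed[kv.State] {
		if s == to {
			kv.State = to
			return nil
		}
	}
	return fmt.Errorf("v%d: %s -> %s is not allowed", kv.Version, kv.State, to)
}

func (kv *KeyVersion) Certify() { kv.Certified = true }
func (kv *KeyVersion) Backup()  { kv.BackedUp = true }

// Activate refuses until the version is certified and backed up: a key that
// exists in one place means one appliance failure loses every record under it.
func (kv *KeyVersion) Activate() error {
	if !kv.Certified || !kv.BackedUp {
		return errors.New("activate requires certify and backup first")
	}
	return kv.move(Active)
}

func (kv *KeyVersion) Deactivate() error { return kv.move(Deactivated) }
func (kv *KeyVersion) Compromise() error { return kv.move(Compromised) }

// Destroy refuses while data still depends on this version; an Active
// version is not in the table either, so it must be deactivated first.
func (kv *KeyVersion) Destroy() error {
	if kv.Refs > 0 {
		return fmt.Errorf("v%d still protects %d items; re-encrypt them first", kv.Version, kv.Refs)
	}
	return kv.move(Destroyed)
}

func (kv *KeyVersion) CanEncrypt() bool { return kv.State == Active }
func (kv *KeyVersion) CanDecrypt() bool {
	return kv.State == Active || kv.State == Deactivated || kv.State == Compromised
}

// Ring holds every version of one named key.
type Ring struct {
	Name     string
	Versions []*KeyVersion
}

func (r *Ring) Generate() *KeyVersion {
	kv := &KeyVersion{Version: len(r.Versions) + 1, State: Generated}
	r.Versions = append(r.Versions, kv)
	return kv
}

// Current returns the active version, or nil when there is none.
func (r *Ring) Current() *KeyVersion {
	for _, kv := range r.Versions {
		if kv.State == Active {
			return kv
		}
	}
	return nil
}

// Encrypt records one item under the active version (the cryptography
// itself is out of scope here; only the lifecycle bookkeeping is modelled).
func (r *Ring) Encrypt() (int, error) {
	kv := r.Current()
	if kv == nil {
		return 0, errors.New("no active key version")
	}
	kv.Refs++
	return kv.Version, nil
}

// Rotate takes a new version through generate/certify/backup/activate and
// deactivates the old one, which keeps decrypting until its data is migrated.
func (r *Ring) Rotate() (*KeyVersion, error) {
	old, nv := r.Current(), r.Generate()
	nv.Certify()
	nv.Backup()
	if err := nv.Activate(); err != nil {
		return nil, err
	}
	if old != nil {
		_ = old.Deactivate()
	}
	return nv, nil
}

// ReEncrypt moves one item from an old version to the current one.
func (r *Ring) ReEncrypt(from int) error {
	if from < 1 || from > len(r.Versions) || r.Versions[from-1].Refs == 0 || !r.Versions[from-1].CanDecrypt() {
		return errors.New("nothing to migrate from that version")
	}
	if _, err := r.Encrypt(); err != nil {
		return err
	}
	r.Versions[from-1].Refs--
	return nil
}

func main() {
	r := &Ring{Name: "crm-card-key"} // constructed key name
	v1 := r.Generate()
	fmt.Println("activate before backup:", v1.Activate())
	v1.Certify()
	v1.Backup()
	fmt.Println("activate after backup:", v1.Activate())
	r.Encrypt()
	v2, _ := r.Rotate()
	fmt.Printf("rotated: v%d %s, v%d %s\n", v1.Version, v1.State, v2.Version, v2.State)
	fmt.Println("destroy v1 with data still under it:", v1.Destroy())
}
```

The reference count is the part that real systems get wrong most often: destroying a key version the moment it is rotated, instead of after the last record under it has been re-encrypted, turns a routine rotation into data loss.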

Page 38:

Summary

Data Center Protection

• Designed to secure all of the sensitive information that is stored in and accessed from enterprise data centers

• Protecting the structured data stored in databases, applications, and mainframe environments as well as the unstructured data kept in file servers

• With DataSecure driving central enforcement of corporate policies and access control

The Solution Suite Includes:

• ProtectDB

• ProtectApp

• ProtectZ

• ProtectFile

• Tokenization Manager

SCALABLE FOR GROWTH

(Diagram: SafeNet DataSecure with SafeNet ProtectApp for Application and Web Servers, SafeNet ProtectFile for File Servers, SafeNet ProtectDB for Databases, SafeNet ProtectDrive for Laptops, Tokenization Manager, and SafeNet ProtectZ for Mainframes.)

Page 39:

Unrivaled Customer Success with Some of the World's Most Respected and Admired Companies

(Customer logos grouped as Technology, Financial, Household Brands, Retail.)

Page 40:

Thank you

[email protected]