Test: SafeNet Data Protection on Demand from Gemalto
OnDemand Key Management and
Dr. Götz Güttich
With SafeNet Data Protection on Demand, Gemalto offers a cloudbasedplatform that encompasses a large number of ondemand code signing,
key management and encryption services which are usable via an onlinemarketplace. Gemalto’s platform is intended to make security management
simpler and less costly for its clients because no hardware needs to bepurchased and operated. Gemalto claims that the platform’s central
management tool can accomplish all work steps via point and click. Wetested the product to find out if this really works.
SafeNet Data Protection onDemand encompasses awhole series of services offered according to a payasyougrow principle. This assures flexible usage for the client and guarantees that hemust pay only for the featureshe actually uses. In this way,the service seamlessly adaptsto suit the requirements ofeach individual company.
The platform, which buildsupon Gemalto’s SafeNet Identity and Data Protection solutions, enables its users to secure critical data in every environment, i.e. also in thecloud, on the premises or invirtual installations. Moreover,it helps its users to implementsecurity policies and to comply with compliance regulations. Furthermore, it enablesIT managers to administratetheir encryption keys from acentral location across allcloud services. APIs also helpadministrators to integrate ondemand services for encryption, key management and
HSM (Hardware Security Module) in their surroundings,thus securing their applications and data. If necessary, anavailability of 99.95% can beguaranteed by a service levelagreement. An automatic failover function and keybackups are delivered alongwith the platform. Comprehensive reporting functions complete the scope of the serviceoffer.
The Existing Security ServicesLet’s take a quick look at thescope of services that are included in SafeNet Data Protection on Demand. According
to its manufacturer, the offerundergoes continual expansion. It currently encompassessix services. First, there’s the“Key Vault,” which IT managers can use as their ownHSM ondemand service fortheir applications. By contrast,“PKI Private Key Protection”protects private keys whichbelong to certificate authorities (CAs). “Digital Signing”enables IT staff to digitallysign software packages, firmware packages and electronicdocuments, thus guaranteeingthe server’s integrity. The“Oracle TDE Database KeyVault,” on the other hand, assures the encryption of the
1
Encryption in the Cloud
Oracle TDE dataencryptionkeys with a master key deposited within the HSM ondemand service. With the aid ofthe “Hyperledger,” responsiblestaff members secure blockchain artifacts via keys, whichlikewise land in the HSM ondemand service.
The last service is the “Salesforce Key Broker on De
mand.” It generates tenant secrets for Salesforce and facilitates the administration ofkeys and security policies incollaboration with SalesforceShield.
The TestFor our test, Gemalto madeavailable to us a test accountwhich we could use to scrutinize the functionality of thesolution. We created severaltest users on this account andactivated various services tosecure our test data, e.g. the
key of a certificate authority.We especially concentratedon the management of the solution and the work in ongoingoperation.
The First Work StepsAfter the first login at the abovementioned test account, thesolution began by requiring usto change the password thatwe had previously received
via email. This is a good feature because the system thusassures that services cannotbe accessed by someone withpotentially insecure passwords.
As soon as we had modifiedour password, the management tool called our attentionto the fact that no “applicationowners” were existent in thesystem. Our own test accountworked as a “tenant administrator” and was consequentlyintended to manage the users
and the administrators in thesystem. In the next step, weaccordingly set up an application owner account. To accomplish this, the solution required a socalled “subscribergroup.” The system immediately generated this group during the configuration of theaccount and afterwards addedit to the user account. The accounts were defined by anemail address and a password. The users of these newaccounts were likewise required to change their passwordsimmediately after their first login.
The First ServiceAfter a user logs in as “application owner,” he or she isshown an overview of theavailable services, i.e. “DigitalSigning,” “Hyperledger,” “KeyVault,” “Oracle TDE Database,” “Salesforce Key Broker”and “PKI Private Key Protection.” In the first step, we wanted to generate a key vault.Adding the services to ourown account always occursaccording to the same principle. An employee first clickson the entry of the desiredservice. Afterwards, the system show him or her the termsof service, which the employee is required to accept. Next,the solution asks for a namefor the service and, in the case of the key vault, the solution also wanted to know whether to allow or deny algorithms that are not in conformity with FIPS. After the relevant details had been provided, the system showed anoverview of the steps thatneeded to be performed andafterwards configured the service: this task took only a few
2
The solution’s Web interface with the existing services
seconds. Next, the solution also offered to immediately setup the client service, which isimplemented on the targetsystem in the enterprise. Assoon as this task is complete,the responsible employeesare able to download the cli
ent and install the client ontowhichever computer they intend for this purpose.
The Configuration of theKey VaultAfter the download, we firstunpacked the zip packagewith the client software ontoour test computer, which ranunder Windows Server 2012R2. As software, we had imported onto this system onlythe current updates from Microsoft. Gemalto’s documentation specified that the Microsoft Visual C++ 2015 Redistributable Update 3 package isindispensable for operatingthe client, so we installed that
update too. In the next step,we had to unpack the contents of the “cvclientmin.zip”zip file (which was located inthe original client zip package)into the same folder as the original installation package. Finally, it was also necessary to
run the “setenv.cmd” file asadministrator in order to setthe environmental variable. Afterwards, we could start theservice by calling up the “lunacm” file.
The Configuration of theServiceA few configuration steps were now necessary in order tobe able to work with the service. To provide an HSP application partition to store cryptographic objects for the utilizedapplications, we needed to initialize the roles for the Security Officer (SO), the Crypto Officer (CO) and the CryptoUser (CU). All steps necessa
ry for this are described in thedocumentation, so there’s noneed to go into greater detailabout them here. Suffice it tosay that setting up the servicetook less than five minutes inour test and that the key vaultwas available for us to use afterwards.
Once we had put the serviceinto operation, we used the“ckdemo” test program (whichis included in the client’s scope of delivery) to generatekeys, retrieve session data, etcetera, thus assuring thateverything functioned as intended. There were no unwelcome surprises.
The Work with the PrivateKey ProtectionIn the next phase of our test,we turned our attention to the“Private Key Protection” service. Here, we wanted to secure a CA key in order to takea closer look at the work withSafeNet Data Protection onDemand in praxis. For thispurpose, we again logged onto our test account as application owner and used the “AddNew Service” command tocreate a PKI Private Key Protection service.
Here too we were first required to accept the terms of service. Afterwards, we could give a name to the service andspecify whether we wanted itto permit or deny algorithmsthat are not in conformity withFIPS. After the service wascreated, we again generatedthe service client and downloaded the client onto our testsystem. The installation of theservice runs exactly the sameway here as it does with the
3
Setting up a service runs via a simple wizard
key vault service. Incidentally:in operation, the client software sets up only one configuration through which the systemcan access the service andtherefore does not alwaysneed to be active in ongoingoperation. The appearance ofthe utilized configuration depends on the implementedapplication and is preciselydescribed for the relevant applications in the documentation on the website of the DataProtection on Demand service.
We relied here on the “Microsoft Active Directory Certificate Services Integration Guide”and set up our CA so that itskey would be secured by theservice. To accomplish this,we first had to switch into the“KSP” subfolder of the clientinstallation and register thereour security library (a DLL thatlikewise belongs to the scopeof delivery of the client) withthe aid of the “KspConfig.exe”tool and the existing HSM slot(for the HSM on demand solution offered via the service).The slot must be registeredtwice to operate the solution:once for the administrator ofthe current domains and onceagain for the system accountof the “NT Authority” domain.
As a slot password for the registration, we used the password of the previously createdCrypto Officer because this officer has the right to write inthe service partition. As soonas this task was accomplished, we began installing theactive directory certificationservices on the server that wehad set up as domain controller. To do this, we performed a
standard installation of a certificate authority with the servermanager.
Configuration of the Certificate AuthorityAfter completing the setup, weconfigured the certificate authority with the aid of the intended wizard. In this context, weset up the system as an enterprise certification site and as“Root CA.” Afterwards, we att
empted to create a new private key for the CA. Gemalto’sdocumentation states that forthis purpose, one should select a Cryptographic ServiceProvider (CSP) from SafeNetfrom the corresponding dropdown menu. Unfortunately, nosuch provider appearedamong the configuration choices shown to us, which werelimited to providers from Microsoft.
We accordingly contacted themanufacturer’s support, whotold us that it is not only possible to use the KSpConfig toolto register the utilized slot withone’s name (as we had done),but that it was also possiblewith one’s slot ID. The supportperson said that to solve theproblem described here, it can
sometimes help to perform theregistration via the slot ID.
We then erased the existingregistrations and performedthem again with the aid of theslot ID. This unfortunately didnot improve the situation,even after we had restartedthe computer. The manufacturer’s support recommendedthat we check to see if the“SafeNetKsP.dll” file (which li
kewise belongs to the scopeof delivery of the client) waslisted in the “C:\Windows\System32” directory. This file wasnot listed in our test installation, so we copied the file intothe aforementioned directory.Afterwards, we were indeedable to access the SafeNetCSPs. We then began finalizing the configuration. First,we needed to use the “scquery cert svc” command tocheck whether the CA servicewas active and to verify theCA key via “certutil verifykeys”. In this context, we noticed that the CA service on oursystem always stopped a fewseconds after it started. Hereagain we needed to contactthe manufacturer’s support,who told us that this was dueto our German Windows Ser
The “KspConfig” tool when registering the slot
4
ver 2012 R2. We had, however, previously registered ourHSM slot for the administrator
and system account with theaid of the KspConfig.exe tool.The corresponding domain inthe system account is named“NT Authority” and the tooldidn’t offer us any other namefor this domain. But on one ofthe German servers, the correct name is “NTAutorität”. Wesolved the problem by registering the slot anew via the “kspcmd.exe password /s {partitionname} /u SYSTEM /d NTAUTORITÄT” commandlinecommand. Afterwards, the integration of the active directory certificate service in theHSM on demand service wascomplete and we could usethe system to archive keys, recreate keys and perform similar tasks. The configurationbasically proceeds quickly andit doesn’t confront the administrator with any insurmountable challenges. However, wesuggested one modification toavoid potential misunderstan
dings. Gemalto responded toour suggestion after the test.The manufacturer told us that
the configuration tools had been revised in the meantime.
SummaryWith SafeNet Data Protectionon Demand, Gemalto offersan exceedingly interesting service which has the potential toalso make code signing, en
cryption and key managementavailable to companies forwhich the necessary effortsand the associated costs hadpreviously been too much.Users of this service do notneed to purchase and administrate any special hardware,and all clients pay only for theservices they actually use.SafeNet Data Protection onDemand can also be a bighelp toward achieving GDPRconformity (in the context ofthe “right to be forgotten”) because stored data and keyscan simply be erased whenever desired.
The solution was convincing inour test because it was comparatively quick to set up andrelatively simple to use. Thedocumentation is comprehensive and the manufacturer’ssupport was convincingly
good. If the abovementionedissues with the configurationtools and the localization havenot already been rectified,they will most probably be solved in the very near future.
After a certain amount of back and forth, “SafeNet” also appeared as
a cryptography provider in the certificate service configuration.
5
The user template after installation.