On-Demand Key Management and Encryption in the Cloud · 2018. 9. 24.




Test: SafeNet Data Protection on Demand from Gemalto

On-Demand Key Management and Encryption in the Cloud

Dr. Götz Güttich

With SafeNet Data Protection on Demand, Gemalto offers a cloud-based platform that encompasses a large number of on-demand code signing, key management and encryption services which are usable via an online marketplace. Gemalto’s platform is intended to make security management simpler and less costly for its clients because no hardware needs to be purchased and operated. Gemalto claims that the platform’s central management tool can accomplish all work steps via point and click. We tested the product to find out if this really works.

SafeNet Data Protection on Demand encompasses a whole series of services offered according to a pay-as-you-grow principle. This assures flexible usage for the client and guarantees that he must pay only for the features he actually uses. In this way, the service seamlessly adapts to suit the requirements of each individual company.

The platform, which builds upon Gemalto’s SafeNet Identity and Data Protection solutions, enables its users to secure critical data in every environment, i.e. also in the cloud, on the premises or in virtual installations. Moreover, it helps its users to implement security policies and to comply with compliance regulations. Furthermore, it enables IT managers to administrate their encryption keys from a central location across all cloud services. APIs also help administrators to integrate on-demand services for encryption, key management and HSM (Hardware Security Module) in their surroundings, thus securing their applications and data. If necessary, an availability of 99.95% can be guaranteed by a service level agreement. An automatic failover function and key backups are delivered along with the platform. Comprehensive reporting functions complete the scope of the service offer.

The Existing Security Services

Let’s take a quick look at the scope of services that are included in SafeNet Data Protection on Demand. According to its manufacturer, the offer undergoes continual expansion. It currently encompasses six services. First, there’s the “Key Vault,” which IT managers can use as their own HSM on-demand service for their applications. By contrast, “PKI Private Key Protection” protects private keys which belong to certificate authorities (CAs). “Digital Signing” enables IT staff to digitally sign software packages, firmware packages and electronic documents, thus guaranteeing the server’s integrity. The “Oracle TDE Database Key Vault,” on the other hand, assures the encryption of the Oracle TDE data-encryption keys with a master key deposited within the HSM on-demand service. With the aid of the “Hyperledger,” responsible staff members secure blockchain artifacts via keys, which likewise land in the HSM on-demand service.

The last service is the “Salesforce Key Broker on Demand.” It generates tenant secrets for Salesforce and facilitates the administration of keys and security policies in collaboration with Salesforce Shield.

The Test

For our test, Gemalto made available to us a test account which we could use to scrutinize the functionality of the solution. We created several test users on this account and activated various services to secure our test data, e.g. the key of a certificate authority. We especially concentrated on the management of the solution and the work in ongoing operation.

The First Work Steps

After the first login at the above-mentioned test account, the solution began by requiring us to change the password that we had previously received via email. This is a good feature because the system thus assures that services cannot be accessed by someone with potentially insecure passwords.

As soon as we had modified our password, the management tool called our attention to the fact that no “application owners” were existent in the system. Our own test account worked as a “tenant administrator” and was consequently intended to manage the users and the administrators in the system. In the next step, we accordingly set up an application owner account. To accomplish this, the solution required a so-called “subscriber group.” The system immediately generated this group during the configuration of the account and afterwards added it to the user account. The accounts were defined by an email address and a password. The users of these new accounts were likewise required to change their passwords immediately after their first login.

The First Service

After a user logs in as “application owner,” he or she is shown an overview of the available services, i.e. “Digital Signing,” “Hyperledger,” “Key Vault,” “Oracle TDE Database,” “Salesforce Key Broker” and “PKI Private Key Protection.” In the first step, we wanted to generate a key vault. Adding the services to our own account always occurs according to the same principle. An employee first clicks on the entry of the desired service. Afterwards, the system shows him or her the terms of service, which the employee is required to accept. Next, the solution asks for a name for the service and, in the case of the key vault, the solution also wanted to know whether to allow or deny algorithms that are not in conformity with FIPS. After the relevant details had been provided, the system showed an overview of the steps that needed to be performed and afterwards configured the service: this task took only a few seconds. Next, the solution also offered to immediately set up the client service, which is implemented on the target system in the enterprise. As soon as this task is complete, the responsible employees are able to download the client and install the client onto whichever computer they intend for this purpose.

The solution’s Web interface with the existing services

The Configuration of the Key Vault

After the download, we first unpacked the zip package with the client software onto our test computer, which ran under Windows Server 2012 R2. As software, we had imported onto this system only the current updates from Microsoft. Gemalto’s documentation specified that the Microsoft Visual C++ 2015 Redistributable Update 3 package is indispensable for operating the client, so we installed that update too. In the next step, we had to unpack the contents of the “cvclientmin.zip” zip file (which was located in the original client zip package) into the same folder as the original installation package. Finally, it was also necessary to run the “setenv.cmd” file as administrator in order to set the environmental variable. Afterwards, we could start the service by calling up the “lunacm” file.

The Configuration of the Service

A few configuration steps were now necessary in order to be able to work with the service. To provide an HSM application partition to store cryptographic objects for the utilized applications, we needed to initialize the roles for the Security Officer (SO), the Crypto Officer (CO) and the Crypto User (CU). All steps necessary for this are described in the documentation, so there’s no need to go into greater detail about them here. Suffice it to say that setting up the service took less than five minutes in our test and that the key vault was available for us to use afterwards.

Once we had put the service into operation, we used the “ckdemo” test program (which is included in the client’s scope of delivery) to generate keys, retrieve session data, et cetera, thus assuring that everything functioned as intended. There were no unwelcome surprises.

The Work with the Private Key Protection

In the next phase of our test, we turned our attention to the “Private Key Protection” service. Here, we wanted to secure a CA key in order to take a closer look at the work with SafeNet Data Protection on Demand in practice. For this purpose, we again logged onto our test account as application owner and used the “Add New Service” command to create a PKI Private Key Protection service.

Here too we were first required to accept the terms of service. Afterwards, we could give a name to the service and specify whether we wanted it to permit or deny algorithms that are not in conformity with FIPS. After the service was created, we again generated the service client and downloaded the client onto our test system. The installation of the service runs exactly the same way here as it does with the key vault service. Incidentally: in operation, the client software sets up only one configuration through which the system can access the service and therefore does not always need to be active in ongoing operation. The appearance of the utilized configuration depends on the implemented application and is precisely described for the relevant applications in the documentation on the website of the Data Protection on Demand service.

Setting up a service runs via a simple wizard

We relied here on the “Microsoft Active Directory Certificate Services Integration Guide” and set up our CA so that its key would be secured by the service. To accomplish this, we first had to switch into the “KSP” subfolder of the client installation and register there our security library (a DLL that likewise belongs to the scope of delivery of the client) with the aid of the “KspConfig.exe” tool and the existing HSM slot (for the HSM on demand solution offered via the service). The slot must be registered twice to operate the solution: once for the administrator of the current domain and once again for the system account of the “NT Authority” domain.

As a slot password for the registration, we used the password of the previously created Crypto Officer because this officer has the right to write in the service partition. As soon as this task was accomplished, we began installing the Active Directory Certificate Services on the server that we had set up as domain controller. To do this, we performed a standard installation of a certificate authority with the Server Manager.

Configuration of the Certificate Authority

After completing the setup, we configured the certificate authority with the aid of the intended wizard. In this context, we set up the system as an enterprise certification site and as “Root CA.” Afterwards, we attempted to create a new private key for the CA. Gemalto’s documentation states that for this purpose, one should select a Cryptographic Service Provider (CSP) from SafeNet from the corresponding drop-down menu. Unfortunately, no such provider appeared among the configuration choices shown to us, which were limited to providers from Microsoft.

We accordingly contacted the manufacturer’s support, who told us that it is not only possible to use the KspConfig tool to register the utilized slot with its name (as we had done), but that it was also possible with its slot ID. The support person said that to solve the problem described here, it can sometimes help to perform the registration via the slot ID.

We then erased the existing registrations and performed them again with the aid of the slot ID. This unfortunately did not improve the situation, even after we had restarted the computer. The manufacturer’s support recommended that we check to see if the “SafeNetKsP.dll” file (which likewise belongs to the scope of delivery of the client) was listed in the “C:\Windows\System32” directory. This file was not listed in our test installation, so we copied the file into the aforementioned directory. Afterwards, we were indeed able to access the SafeNet CSPs. We then began finalizing the configuration. First, we needed to use the “sc query certsvc” command to check whether the CA service was active and to verify the CA key via “certutil -verifykeys”. In this context, we noticed that the CA service on our system always stopped a few seconds after it started. Here again we needed to contact the manufacturer’s support, who told us that this was due to our German Windows Server 2012 R2. We had, however, previously registered our HSM slot for the administrator and system account with the aid of the KspConfig.exe tool. The corresponding domain in the system account is named “NT Authority” and the tool didn’t offer us any other name for this domain. But on one of the German servers, the correct name is “NTAutorität”. We solved the problem by registering the slot anew via the “kspcmd.exe password /s {partition name} /u SYSTEM /d NTAUTORITÄT” command-line command. Afterwards, the integration of the Active Directory Certificate Service in the HSM on demand service was complete and we could use the system to archive keys, re-create keys and perform similar tasks. The configuration basically proceeds quickly and it doesn’t confront the administrator with any insurmountable challenges. However, we suggested one modification to avoid potential misunderstandings. Gemalto responded to our suggestion after the test. The manufacturer told us that the configuration tools had been revised in the meantime.

The “KspConfig” tool when registering the slot
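The checks described above (certsvc staying up, the CA key sitting in the HSM-backed provider, “certutil -verifykeys”, and the localized name of the SYSTEM account) gathered into one PowerShell function; this is an added example, not code from the review or from Gemalto’s client tools. It assumes it runs elevated on the CA host, that certutil.exe is on the PATH, and that the HSM provider’s display name contains “SafeNet” (the exact provider name is an assumption).

```powershell
# Added example (not from the review or from Gemalto's client tools).
# Run on the CA host in an elevated PowerShell session.
function Test-CaHsmBinding {
    [CmdletBinding()]
    param(
        # Assumption: the HSM-backed KSP's display name contains this string.
        [string]$ProviderPattern = '*SafeNet*',
        # How long certsvc must stay up; the review saw it stop after a few seconds.
        [int]$StableSeconds = 15
    )

    # 1. Resolve the well-known SYSTEM account by SID (S-1-5-18) instead of
    #    hard-coding "NT AUTHORITY": on a German server this yields the
    #    localized domain name, which is the name the slot must be registered under.
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    $systemDomain = ($account -split '\\', 2)[0]

    # 2. Check that certsvc is running now and still running after a short wait,
    #    which catches the start-then-stop behaviour described in the text.
    $svc = Get-Service -Name certsvc -ErrorAction Stop
    $startedRunning = ($svc.Status -eq 'Running')
    Start-Sleep -Seconds $StableSeconds
    $svc.Refresh()
    $stillRunning = ($svc.Status -eq 'Running')

    # 3. Read the active CA's key provider from the CertSvc configuration,
    #    where the CA stores the CSP/KSP chosen in the setup wizard.
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg).Active
    $csp = Get-ItemProperty -Path (Join-Path $cfg "$caName\CSP")
    $hsmBacked = ($csp.Provider -like $ProviderPattern)

    # 4. Let certutil confirm that the CA certificate matches the private key
    #    held by that provider; a non-zero exit code means the check failed.
    $null = certutil -verifykeys 2>&1
    $keysVerified = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        CaName         = $caName
        KeyProvider    = $csp.Provider
        HsmBacked      = $hsmBacked
        SystemDomain   = $systemDomain   # "NT AUTHORITY", or the localized name on a German server
        CertSvcRunning = $startedRunning
        CertSvcStable  = $stillRunning
        KeysVerified   = $keysVerified
        Healthy        = ($hsmBacked -and $stillRunning -and $keysVerified)
    }
}

Test-CaHsmBinding | Format-List
```

If CertSvcStable is false while HsmBacked is true, the slot registration for the SystemDomain account shown is the first thing to re-check, as it was in the test.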

Summary

With SafeNet Data Protection on Demand, Gemalto offers an exceedingly interesting service which has the potential to also make code signing, encryption and key management available to companies for which the necessary efforts and the associated costs had previously been too much. Users of this service do not need to purchase and administrate any special hardware, and all clients pay only for the services they actually use. SafeNet Data Protection on Demand can also be a big help toward achieving GDPR conformity (in the context of the “right to be forgotten”) because stored data and keys can simply be erased whenever desired.

The solution was convincing in our test because it was comparatively quick to set up and relatively simple to use. The documentation is comprehensive and the manufacturer’s support was convincingly good. If the above-mentioned issues with the configuration tools and the localization have not already been rectified, they will most probably be solved in the very near future.

After a certain amount of back and forth, “SafeNet” also appeared as a cryptography provider in the certificate service configuration.


The user template after installation.