Predrag Aleksić, PreSales Engineer, Enterprise and Cybersecurity InfoSec Bulgaria October 2018

Aleksić - Economedia E-Passports Certificate Infrastructures Trust. Every day. Protect Cloud & Virtual Infrastructure Protect Identities Protect Infrastructure Protect NAS Storage


Page 1

Predrag Aleksić, PreSales Engineer, Enterprise and Cybersecurity
InfoSec Bulgaria, October 2018

Page 2

The data protection dilemma: Balancing Business Value and Security

MORE DATA: produced, processed and stored in more places; shared more; distributed to more locations outside of your control.

01/10/2018 Gemalto Enterprise & Cybersecurity - CONFIDENTIAL 2

Page 3

The data protection dilemma

Page 4

Cybersecurity: have a plan. Do You Have a Plan B?

PLAN A: Prevent the Breach.
PLAN B: Assume the breach; minimize its impacts.

ACCEPT THE BREACH: Perimeter security alone is no longer enough.
PROTECT WHAT MATTERS, WHERE IT MATTERS: Data is the new perimeter.
SECURE THE BREACH: Control who and what can access information. Apply data protection and controls that sit with the data asset.

Page 5

Secure the Breach: the method

0. Analyse the NEED: what data, what applications, what storage, what use case?
1. Control the ACCESS: protect identities; ensure only authorized users and services have access.
2. Encrypt the DATA: at rest in storage, in motion across the network, on-premises or in the cloud.
3. Secure the KEYS: secure and own encryption keys; centrally manage keys and policies.

Page 6

So where to start? SECURE THE BREACH

Page 7

The 3 key elements

1. CONTROL ACCESS: Strong Authentication for Internal Users + Administrators, Cloud Provider Admins/Superusers, and Customers + Partners, across Applications and SaaS Apps.
2. ENCRYPT THE DATA: Data at Rest Encryption (File Servers, Databases, Virtual Machines, Storage Networks; physical data, virtual data, data in the cloud) and Data in Motion Encryption.
3. SECURE & MANAGE KEYS: Crypto Management with a Key Manager, HSM and Crypto Provisioning System.

Page 8

Why encryption?

Lost or stolen data in terms of GDPR:
• Only breach notification
• No user information duty
• No secrets revealed
• No bad publicity
• Less business impact

Breach prevention

Page 9

Why Key Management?

No direct GDPR compliance requirement, BUT when encrypting data: the data is no longer important, but Key Management is!

Page 10

Why two-factor authentication?

• Audit trail for GDPR compliance: who accessed which information, and at what time
• Reduced risk from stolen credentials
• Breach prevention

Page 11

So how to protect our data? SECURE THE BREACH

Page 12

Cryptography as an IT Service (Trust. Every day.)

• Protect Infrastructure – Applications (.NET, Java, KMIP, XML), Databases, 3rd party solutions (e.g. self-encrypting drives via KMIP), File encryption, Tokenization; Hardware Security Modules Appliance; KeySecure Appliance
• Protect NAS Storage – File Shares, Tape, Backups, Network Share, Encryption Proxy; ProtectFile Server/Desktop Agent
• Protect Cloud & Virtual Infrastructure – Virtual Instances, Virtual Storage; ProtectV Manager Virtual Appliance
• Protect Data Centers / Protect Data Transfer – Ethernet, Fibre Channel; L2 High Speed Encryptors
• Protect Identities – Authentication Management (On-Premise or Cloud)
• Further trust services – Nat. IDs, AMI Metering, E-Signatures, E-Passports, Certificate Infrastructures

Page 13

Storage Level Security: Full Disk Encryption (blanket)

Data flow: Users | Apps → Database → Application → File System (Files | Folders | Shares) → Storage: Local Storage (DAS) or Remote Storage (NAS | SAN), with Key Management alongside the stack.

• Block Level Encryption
• Typically simple deployment
• No Encryption/Decryption Access Control
• Protects BACKUP only

01.10.18

Page 14

File System–Level Transparent File Encryption

• Transparent File Encryption – files, folders, shares, databases, ftp servers, application data, etc.
• Encryption Policies – encryption policies determine which of the file server’s paths and files will be encrypted, which keys will be used, and which users, groups, or processes will be given access to the encrypted data.
• Access Policies – access policies define which users, groups, and processes can access protected content.
• Enforcing Backup & Restore Policies – enables authorized admins to perform backup/restore duties on encrypted files only.
• Protection against Rogue “root” User – prevents the super user “root” from accessing sensitive data when impersonating a user.
• Separation of duties – security vs. data management.
• Dual Control – MofN – sensitive operations require multiple admins.

(Same data-flow diagram as Page 13: Database, Application, File System, Storage, Key Management; here the protection is applied at the File System layer.)
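The encryption-policy and access-policy bullets above describe a decision that a transparent-encryption agent has to make on every file open. The following is an added illustration, not Gemalto/SafeNet code: a small policy engine in which an encryption policy maps paths to key ids, an access policy names the users, groups and processes that get cleartext (or, for the backup role, ciphertext only), and the decision is keyed on the authenticated login identity and calling executable rather than the effective uid, which is what makes the rogue-root case fail. The paths, key ids, users, groups and binaries are constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Request:
    """One file access as a transparent-encryption agent would see it."""
    path: str           # file being opened
    login_user: str     # identity the session authenticated as (not the effective uid)
    groups: frozenset   # group memberships of login_user
    process: str        # executable performing the access


@dataclass(frozen=True)
class EncryptionPolicy:
    """Which file-server paths are encrypted, and with which key."""
    path_glob: str
    key_id: str


@dataclass(frozen=True)
class AccessPolicy:
    """Who may touch protected content under a path, and what they get.

    mode "cleartext": the agent decrypts transparently for this requester.
    mode "ciphertext": the requester only sees encrypted bytes (backup/restore duty).
    """
    path_glob: str
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    processes: frozenset = frozenset()   # empty means any process
    mode: str = "cleartext"


class PolicyEngine:
    def __init__(self, enc_policies, access_policies):
        self.enc_policies = list(enc_policies)
        self.access_policies = list(access_policies)   # first match wins: order specific-first

    def key_for(self, path):
        """The most specific (longest) matching encryption policy decides the key."""
        matches = [p for p in self.enc_policies if fnmatchcase(path, p.path_glob)]
        if not matches:
            return None
        return max(matches, key=lambda p: len(p.path_glob)).key_id

    @staticmethod
    def _applies(policy, req):
        identity_ok = req.login_user in policy.users or bool(policy.groups & req.groups)
        process_ok = not policy.processes or req.process in policy.processes
        return identity_ok and process_ok

    def decide(self, req):
        """Return (decision, key_id) for one access.

        Only the authenticated login identity and the calling executable count.
        uid 0 grants nothing, and a root shell that switches user to a data
        owner is still evaluated as root: that is the rogue-root case.
        """
        key_id = self.key_for(req.path)
        if key_id is None:
            return ("unencrypted", None)   # path is outside every encryption policy
        for pol in self.access_policies:
            if fnmatchcase(req.path, pol.path_glob) and self._applies(pol, req):
                return (pol.mode, key_id)
        return ("deny", key_id)


# Constructed sample policies; paths, key ids, users and binaries are made up.
ENGINE = PolicyEngine(
    enc_policies=[
        EncryptionPolicy("/data/*", "key-general"),
        EncryptionPolicy("/data/finance/*", "key-finance"),
    ],
    access_policies=[
        # finance group, but only through the approved application binary
        AccessPolicy("/data/finance/*", groups=frozenset({"finance"}),
                     processes=frozenset({"/opt/erp/bin/erp"})),
        # backup operator gets ciphertext only, and only via the backup agent
        AccessPolicy("/data/*", users=frozenset({"backup"}),
                     processes=frozenset({"/usr/bin/backup-agent"}), mode="ciphertext"),
        # shared area: any staff member, any process
        AccessPolicy("/data/shared/*", groups=frozenset({"staff"})),
    ],
)


def demo():
    """Run the constructed cases and return {label: (decision, key_id)}."""
    fin = "/data/finance/q3.xlsx"
    cases = {
        "finance user via ERP": Request(fin, "alice", frozenset({"finance"}), "/opt/erp/bin/erp"),
        "finance user via cat": Request(fin, "alice", frozenset({"finance"}), "/bin/cat"),
        "root via ERP":         Request(fin, "root", frozenset({"root"}), "/opt/erp/bin/erp"),
        "backup agent":         Request(fin, "backup", frozenset({"backup"}), "/usr/bin/backup-agent"),
        "staff in shared area": Request("/data/shared/notes.txt", "bob", frozenset({"staff"}), "/bin/cat"),
        "unprotected path":     Request("/var/log/syslog", "root", frozenset({"root"}), "/bin/cat"),
    }
    return {label: ENGINE.decide(req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:22s} -> {result}")
```

The separation-of-duties bullet is visible in the policy data: the security team writes the access policies, while the backup operator is granted exactly the ciphertext mode it needs and nothing else.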

Page 15

Database-level protection

• Transparent column-level – local & remote
• Standard Encryption
• Format-Preserving Encryption (FPE)
• Tokenization
• Access policies – Key Ownership-based partitioning – databases may have visibility and access to their keys only
• Protection against DBA – prevents the DBA from impersonating other database users
• Separation of duties – security vs. data management
• Dual Control (MofN) – performing sensitive operations requires multiple admins.

(Same data-flow diagram as Page 13, with the protection applied at the Database layer.)
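Tokenization is listed above as one of the column-level options. As an added example (not Gemalto/SafeNet code), the block below shows what a tokenized column actually gives you against a DBA: the column holds a random, format-preserving token (same length, digits only, last four kept for display, deliberately Luhn-invalid), and the only mapping back to the real value lives in a separate vault that enforces its own caller policy. The vault class, the `payments-service` caller, the customer table and the test card number are all constructed for the example.

```python
import secrets


def luhn_ok(number: str) -> bool:
    """Luhn check-digit test, the checksum real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random, format-preserving tokens to the real values.

    The database column stores only the token; the vault is the one place
    that can map it back, and it checks the caller against its access policy.
    """

    def __init__(self, allowed_callers):
        self._allowed = frozenset(allowed_callers)
        self._token_to_value = {}
        self._value_to_token = {}   # same value -> same token, so joins still work

    def tokenize(self, value: str, keep_last: int = 4) -> str:
        if not (value.isdigit() and len(value) > keep_last):
            raise ValueError("expected a digit string longer than keep_last")
        if value in self._value_to_token:
            return self._value_to_token[value]
        body_len = len(value) - keep_last
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(body_len))
            token = body + value[-keep_last:]
            # Unique, never equal to the input, and Luhn-invalid so a leaked
            # token can never be mistaken for a real card number.
            if token not in self._token_to_value and token != value and not luhn_ok(token):
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def can_detokenize(self, caller: str) -> bool:
        return caller in self._allowed

    def detokenize(self, token: str, caller: str) -> str:
        if not self.can_detokenize(caller):
            raise PermissionError(f"{caller} is not allowed to detokenize")
        return self._token_to_value[token]


# Constructed sample: a customers table whose card column is tokenized.
VAULT = TokenVault(allowed_callers={"payments-service"})
CUSTOMERS = {}   # what the database (and therefore the DBA) actually stores


def store_customer(customer_id: str, pan: str) -> str:
    token = VAULT.tokenize(pan)
    CUSTOMERS[customer_id] = {"pan_token": token}
    return token


def dba_view(customer_id: str) -> str:
    """What a DBA with full table access sees: the token only."""
    return CUSTOMERS[customer_id]["pan_token"]


def charge(customer_id: str, caller: str) -> str:
    """Only an authorised service can turn the token back into the real PAN."""
    return VAULT.detokenize(CUSTOMERS[customer_id]["pan_token"], caller)


if __name__ == "__main__":
    store_customer("c-1001", "4111111111111111")   # constructed test PAN
    print("DBA sees:", dba_view("c-1001"))
    print("payments service sees:", charge("c-1001", "payments-service"))
```

The contrast with FPE is the source of the token: an FPE ciphertext is a deterministic function of key and input and is recovered with the key alone, whereas this token is pure randomness and is recoverable only through the vault, so the vault's caller policy is the control that matters.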

Page 16

Application-level protection

• Cryptographic operations: Encrypt/Decrypt, Sign/SignV, Mac/MacV
• Standard Encryption
• Format-Preserving Encryption (FPE)
• Tokenization
• Bulk interfaces – Encryption, Tokenization, FPE
• Key & Certificate management interfaces
• Access policies – Key Ownership-based partitioning: applications have visibility and access to their keys only
• Protection against all admins – admins can only see encrypted data
• Separation of duties – security vs. data management
• Dual Control (MofN) – performing sensitive operations requires multiple admins.

(Same data-flow diagram as Page 13, with the protection applied at the Application layer.)
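Dual Control (MofN) appears on the file-system, database and application slides alike without saying how a quorum of admins is enforced. One standard way to do it is Shamir secret sharing, shown here as an added example that is not Gemalto/SafeNet code and not a statement of how their products implement it: an unlock secret is split into one share per admin, only a hash of it is retained, and a privileged operation runs only if at least m shares reconstruct a value matching that hash. The `DualControlledOperation` class, the admin names and the `rotate_master_key` placeholder are constructed for the example.

```python
import hashlib
import hmac
import secrets

PRIME = 2**127 - 1   # Mersenne prime; all share arithmetic is mod PRIME


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, m: int, n: int):
    """Split secret into n shares of which any m reconstruct it (Shamir)."""
    if not (0 <= secret < PRIME and 1 < m <= n):
        raise ValueError("need 0 <= secret < PRIME and 1 < m <= n")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the prime field."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


class DualControlledOperation:
    """A sensitive key-manager action gated behind an M-of-N admin quorum.

    At setup a random unlock secret is split among the admins and only its
    hash is kept. To run the operation, at least m admins present their
    shares; the secret is rebuilt and compared to the stored hash.
    """

    def __init__(self, m: int, admins):
        self.m = m
        secret = secrets.randbelow(PRIME)
        self._commitment = self._digest(secret)
        # each admin holds exactly one share; the full secret is stored nowhere
        self.shares = dict(zip(admins, split_secret(secret, m, len(admins))))

    @staticmethod
    def _digest(value: int) -> bytes:
        return hashlib.sha256(value.to_bytes(16, "big")).digest()

    def authorize(self, presented: dict) -> bool:
        """presented maps admin name -> share; True only for a valid quorum."""
        if len(presented) < self.m:
            return False
        candidate = recover_secret(list(presented.values()))
        return hmac.compare_digest(self._digest(candidate), self._commitment)

    def rotate_master_key(self, presented: dict) -> str:
        if not self.authorize(presented):
            raise PermissionError("M-of-N quorum not satisfied")
        return "master key rotated"   # placeholder for the real privileged action


if __name__ == "__main__":
    op = DualControlledOperation(m=2, admins=["alice", "bob", "carol"])
    print(op.rotate_master_key({"alice": op.shares["alice"], "bob": op.shares["bob"]}))
    print(op.authorize({"alice": op.shares["alice"]}))   # a lone admin cannot
```

Because fewer than m shares carry no information about the secret, a single admin (or a single compromised admin credential) cannot perform the operation, and a tampered share fails the hash comparison rather than silently producing a wrong key.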

Page 17

Gemalto Encryption Ecosystem: offers the industry’s most expansive ecosystem of integrations for encrypting data within third party environments.

Data at Rest:
• SafeNet ProtectV – Virtual Machines
• SafeNet ProtectFile – File Servers & Shares
• SafeNet ProtectApp – Application Servers
• SafeNet ProtectDB – Databases
• SafeNet Tokenization – Web and Application Servers

Data in Motion:
• SafeNet High Speed Encryptors – Layer 2 Ethernet Encryption (Network Encryption)

SafeNet KeySecure Platform – Distributed Key Management

Page 18

Gemalto Key Management Ecosystem: the industry’s most expansive and diverse ecosystem of integrations, including the largest number of KMIP integration products.

Integration categories: Cloud Encryption Gateways; Backup & Storage; Database Encryption; Storage & Archive; SIEM Tools; Cloud Services; File & Disk Encryption.

SafeNet products: ProtectApp, ProtectFile, ProtectDB, ProtectV™, Tokenization, on the SafeNet KeySecure Platform (Distributed Key Management).

Page 19

• 400+ Authentication Integrations
• 300+ HSM Integrations
• 30+ KeySecure Integrations
• 35+ Crypto Integrations

Page 20

Thank You!