#MicroFocusCyberSummit
SecureData Sentry
Alistair Rigg & Phil Sewell
Accelerate your migration to cloud workloads
Enterprise Cloud Trends and Risks
Cloud trends, security risks and concerns:
Cloud is the #1 target for security spend increase by Chief Security Officers [2]
An average of 27 different cloud apps and services are used by an enterprise [1]
Enterprises are:
Spinning up cloud workloads at the speed your business demands
Adopting XaaS IT solutions for hybrid computing opex economies
Accessing data for business processes and analytics
But data protection must not hinder this. It has to:
Protect “de-identified” data at global scale
Transfer protected/ingested data to the cloud
Maintain real-world value, control – usability
Eliminate the need to decrypt or use live data
1: The 2018 Global Cloud Data Security Study, Ponemon Institute LLC, 2018
2: 2017 Security Priorities, survey of Chief Security Officers, IDG, 2017
Solution: Use De-identified Data in the Cloud
Clear data:          First name: John   Last name: Smith   Company: ACME
De-identified data:  First name: Kijx   Last name: Yöecä   Company: aICb
Micro Focus Confidential
Top Data Security Challenges in the Cloud
Cloud customers need a data-centric approach for cloud data protection
Platform concerns (IaaS, PaaS and SaaS alike):
Multi-tenancy
× Lack of control over platform
× Insider threats, malicious code in a shared environment
Gaps in controls
× Lack of protection across multi-cloud and on-premises
Compliance
× Stricter legislation, GDPR, HIPAA
× Data residency
Voltage SecureData: End-to-End Security in the Cloud
De-identified data provides end-to-end protection across hybrid environments (IaaS, PaaS, SaaS), accelerating DevOps
Platform agnostic: protection embedded into the data itself
Neutralizes threats: data unusable for attacker/insider
End-to-end coverage: data protected in transit, in use, at rest
Meets compliance: encrypted data may not trigger penalties
Voltage Stateless Key Management
No key database to store, manage or compromise
High performance and scalability for modern IT
Encryption and tokenization technologies
Customize solutions to meet exact requirements and regulatory mandates (e.g., PCI, anonymization)
Broad platform support
Consistency from on-premises to hybrid cloud
Structured and unstructured data coverage
Platform agnostic: Linux, Hadoop, Windows, AWS, IBM z/OS, HPE NonStop, Vertica, Teradata, etc.
Quick time-to-value
Complete end-to-end protection within a common approach to deploying Voltage data protection across endpoints
Format preservation maintains transparency and usability
Sentry accelerates deployment without disruption
Voltage SecureData Platform
Components: Voltage SecureData Management Console; Voltage SecureData Web Services API (REST, SOAP); Voltage SecureData native APIs (C, Java, C#, .NET); Voltage SecureData Command Lines & Automated File Parsers; Voltage SecureData File Processor; Voltage SecureData Sentry; Atalla HSM API
Voltage SecureData Cloud: Data-centric Cloud Protection
SecureData management infrastructure running natively in cloud-hosted environments
Deployed directly within Azure and AWS
Accelerates adopting new business models – spin up DevOps with data protection
Innovate more easily and accelerate time to value, combined with SecureData Sentry
Native protection on AWS with SecureData Cloud for AWS – reduces opex on-premises
Voltage SecureData – Data Security Platform
Policy-controlled data protection and masking services & clients:
Voltage SecureData for iOS and Android devices
Voltage SecureData Volume Key Management
Voltage SecureData Web Services API (REST, SOAP)
Voltage SecureData Command Lines & Automated File Parsers
Voltage SecureData native APIs (C, Java, C#, .NET)
Voltage SecureData File Processor
Voltage SecureData Native UDFs
Voltage SecureData z/Protect, z/FPE
Partner integrations
Voltage SecureData Sentry
Voltage SecureData Management Console, backed by the Atalla HSM and by authentication & authorization sources (e.g. Active Directory)
Business applications, data stores and processes covered:
Payment terminals
Mobile apps
Volumes and storage
Enterprise applications
Production databases
ETL & data integration suites
3rd party applications
Teradata, Hadoop & Vertica
Voltage NonStop applications & databases
Mainframe applications & databases
Network interceptors
Web/cloud applications (AWS, Azure)
SaaS apps
Payment systems
Compute and data in the cloud
Cloud compute and data stores hold only de-identified data (note that the card numbers keep their first and last four digits):
Name          SS#          Credit Card #
Kwfdv Cqvzgk  161-82-1292  3712 3486 3545 1001
Veks Iounrfo  200-79-7127  5587 0856 7634 0139
Pdnme Wntob   095-52-8683  5348 9209 2367 2829
Eskfw Gzhqlv  178-17-8353  4929 4333 0934 4379
Jsfk Tbluhm   525-25-2125  4556 2545 6223 1830
The corporate data center, with Voltage Servers on-premises and/or in the cloud, holds the clear data:
Name          SSN          Credit Card #
James Potter  385-12-1199  3712 4567 8901 1001
Ryan Johnson  857-64-4190  5587 0806 2212 0139
Carrie Young  761-58-6733  5348 9261 0695 2829
Brent Warner  604-41-6687  4929 4358 7398 4379
Anna Berman   416-03-4226  4556 2525 1285 1830
Protect on-premises and deploy protected data to the cloud
Enable protect & access within compute workloads
Deploy Voltage Servers into AWS and Azure*
Plan for containerization of Voltage Servers, opening up other cloud opportunities, incl. Google Cloud
SaaS data protection with Voltage SecureData Sentry
Platform Support and Design Fundamentals: Securing Cloud Workloads
SecureData Sentry supports: Amazon Web Services, Windows Azure, Google Cloud Platform, Salesforce, Microsoft Dynamics CRM
Voltage SecureData Sentry Addresses CISO Concerns
Accelerates time-to-value (high ROI)
Simplifies deployment (non-disruptive)
Lowers cost of compliance (transparent)
Centralizes control (comprehensive)
What is Voltage SecureData Sentry?
Data privacy & security compliance & risk reduction
Secure analytics, privacy and pseudonymization
Hybrid cloud data protection & collaboration
Voltage SecureData: Enterprise, Big Data, Cloud, Mobile and Payments data security – tokenization, encryption, masking
+
Voltage SecureData Sentry: transparent integration for Cloud SaaS, Enterprise and COTS apps
SecureData Sentry – Data Security for the Cloud
Without Sentry: a phone number such as +49 (162) 4297109 is sent unchanged to the cloud applications (Salesforce, Microsoft Dynamics CRM, ALM/QC, ALM Octane).
With Voltage SecureData Sentry between the users and the cloud: the phone number +49 (162) 4297109 reaches Salesforce, Microsoft Dynamics CRM, ALM/QC and ALM Octane as the format-preserving value +49 (162) 8753109.
Supported Application Examples
ALM/Quality Center
Salesforce Classic
Salesforce Lightning
Salesforce Health Cloud
Salesforce Financial Services Cloud
Office 365
SugarCRM
Microsoft Dynamics 365
Oracle Service Cloud
SharePoint 2013 and later
SAP Hybris Cloud4Customer
ServiceNow
Symantec Endpoint Protection Cloud
BMC Remedyforce
Nimonik
Fortinet Analyzer
And many, many more…
(Logos shown: Salesforce, SAP Hybris, Microsoft, Fortinet)
Voltage SecureData Sentry Technologies: Multi-Channel Protection
Protocols and APIs: HTTP / HTTPS, SMTP, ICAP / ICAP-S, REST, SOAP, JDBC, ODBC, custom and binary protocols
Content: HTML, HTML5, XML, JSON, PDF, DOCX, GZIP, XLSX, CSV
Protection mechanisms: Format Preserving Encryption (FPE), Format Preserving Hashing (FPH), Secure Stateless Tokenization (SST), Identity Based Signature/Encryption (AES), ...
Additional features: escaping of protected values, e.g. °¿1°kHy7h¿°
Key management: Stateless Key Management
Integration with the Voltage SecureData Simple API
A web form submits SSN: 734-81-9292 to the web application (Java / Linux), which calls ssnfpe.protect(SSN) and stores only the protected value SSN: 022-37-2773 in databases, logs, reports and backups. The customer service application (Windows .NET) calls ssnfpe.access(SSNe) to recover SSN: 734-81-9292. Both applications talk to the Voltage key servers and management console, backed by Atalla HSMs.
Data Protection Alternate Approach with Voltage SecureData Sentry
The same flow with SecureData Sentry in the traffic path: the web form submits SSN: 734-81-9292 to the web application (Java / Linux); Sentry performs ssnfpe.protect(SSN), so databases, logs, reports and backups hold only SSN: 022-37-2773, and performs ssnfpe.access(SSNe) for the customer service application (Windows .NET), which receives SSN: 734-81-9292. Sentry, rather than the applications, talks to the key servers and management console, backed by Atalla HSMs.
Data Protection Approaches with Voltage SecureData Sentry and Direct Integration
Layers: database, web UI, web application and web service layer, connected over HTTP, REST and JDBC.
Transparent integration: SecureData Sentry can be inserted at three points (1, 2, 3), intercepting the HTTP, REST or JDBC traffic between those layers.
Direct integration: the SecureData REST API (4), called over REST, or the SecureData Simple API and UDFs (5) in the application and database.
Use Case: Global Financial Services Company
Business need: moving to cloud delivery of business as SaaS; 40+ sensitive data types, 100M customers, 3rd party mandate for data security
Solution: Voltage SecureData to encrypt and tokenize sensitive data in AWS and Azure; protect personal, location, mobile device and event data; on-premises policy enforcement, security operations, audit and key management
Business outcomes:
Unified architecture for streamlined compliance and risk control
Met 3rd party data protection mandates and audits – in weeks
Minimized sensitive data exposure in AWS and Azure
Enabled differentiated services with data security
Use case example: Global credit card processor
The merchant's customer pays with Name: James Potter, CCN: 4171 5678 8765 4321 and receives "404 Transaction denied".
The customer opens a case at https://paymentservice.com/ticket ("Welcome to Payment Services. To open a case please enter the following:") and submits Name: James Potter, CCN: 4171 5678 8765 4321, Describe your experience: “The transaction failed for an unknown reason.”
Without protection, the ticket reaches Microsoft Dynamics CRM and the payment processor employee with the full card number in the clear: PCI DSS non-compliant ticket handling.
With SecureData Sentry in front of Microsoft Dynamics CRM:
Stored in Dynamics CRM: Name: Kwfdv Cqvzgk, CCN: 8B60 3TAZ UYTZ R62P, Describe your experience: “biy NKibxaWSjnC 0y93HR 9xD Gi yIRKaqy 7KNU1a.”
Seen by the payment processor employee through Sentry: Name: James Potter, CCN: 8B60 3TAZ UYTZ 4321 (only the last four digits in the clear), Describe your experience: “The transaction failed for an unknown reason.”
PCI DSS compliant ticket handling.
SecureData Sentry high-level architecture
Discoverable content: HTML, XML, JSON, PDF, CSV, DOCX, XLSX, GZIP
Voltage cryptography: FPE, SST, FPH, AES (IBSE), stateless key management
Components:
SecureData Sentry Web Proxy between the applications (App 1, App 2) and Cloud/SaaS apps such as Microsoft Dynamics CRM, handling HTTP/S, REST, SOAP and SMTP
SecureData Sentry Database API between the applications and COTS and enterprise databases, handling JDBC, ODBC and REST
SecureData (key and web servers), used by both Sentry components
SecureData + Sentry Management Console
The slide shows the three forms of one ticket: clear (Name: James Potter, CCN: 4171 5678 8765 4321), partially protected (Name: James Potter, CCN: 8B60 3TAZ UYTZ 4321) and fully protected (Name: Kwfdv Cqvzgk, CCN: 8B60 3TAZ UYTZ R62P, Describe your experience: “biy NKibxaWSjnC 0y93HR 9xD Gi yIRKaqy 7KNU1a.”)
Two Modes of Operation:
Discovery (Learning Mode) – Create and deploy “Protection Modules” to the engines
Protection – Applies rules to the live traffic for enforcement
Voltage SecureData Sentry: Flows and Modes
Without Sentry: a client sends Name: Smith, SSN: 123-11-1123 over HTTP/S through a web proxy, over REST/SOAP, or through the native xDBC driver's wire protocol, and the same clear values arrive at the application and the database.
With Voltage SecureData Sentry: the web proxy hands HTTP/S traffic to the Sentry Engine over ICAP/S, and SQL from applications goes through the Sentry xDBC Driver before the native xDBC driver's wire protocol. The Sentry Engine performs stream content parsing and calls the Voltage SecureData key & web servers (Simple API / REST), so the application and database receive Name: Mzigd, SSN: 093-34-3945, or, with escaping, Name: °¿1°Mzigd¿°, SSN: °¿1°093-34-3945¿°. The Sentry Management Console configures the engine over a proprietary protocol.
Inspection Mode (data discovery, plus Developer Mode): Application Profile, Discovery Template, Inspection, Protection Template, Protection Module, Variables & Expressions, Configure Protection.
Protection Mode (data access & protection): Protection Modules with their target variables (Salesforce Protection Module, <App X> Protection Module, <App Y> Protection Module) are deployed to the engines according to deployment plans for Salesforce, <App X> and <App Y>.
Voltage SecureData Sentry: Deployment Options (POC Setup)
Squid Proxy is used
Proxy is configured directly in the browser (port 3128)
Flow: the browser submits Name: Smith, SSN: 123-11-1123 to Squid Proxy (Linux server / VM); Squid passes the traffic over ICAP/-S to the Voltage SecureData Sentry Engine, which uses the Voltage SecureData Server (Linux virtual appliance); ServiceNow receives the protected records Name: °¿1°Mzigd¿° (Ticket: #1 Prob), Name: °¿2°cPaj¿° (Ticket: #2 Prob) and Name: °¿3°Ofa3¿° (Ticket: #3 Prob)
Voltage SecureData Sentry: Deployment Options (Corporate Proxy)
Only the corporate proxy is used
Use of the ICAP protocol
No changes to end user browsers
Corporate proxy can perform:
request filtering
authentication handling
Corporate proxy might not be able to forward user information:
IP of workstation
userid
Flow: the browser submits Name: Smith, SSN: 123-11-1123 to the Corporate Proxy; the corporate proxy passes the traffic over ICAP/-S to the Voltage SecureData Sentry Engine (Linux server / VM), which uses the Voltage SecureData Server (Linux virtual appliance); ServiceNow receives Name: °¿1°Mzigd¿° (Ticket: #1 Prob), Name: °¿2°cPaj¿° (Ticket: #2 Prob) and Name: °¿3°Ofa3¿° (Ticket: #3 Prob)
Voltage SecureData Sentry: Deployment Options (Proxy Chaining)
Corporate proxy may not support the ICAP protocol
Corporate proxy forwards requests to Squid
No changes to end user browsers
Corporate proxy can perform:
request filtering
authentication handling
Corporate proxy might not be able to forward user information:
IP of workstation
userid
Flow: the browser submits Name: Smith, SSN: 123-11-1123 to the Corporate Proxy, which forwards the request to Squid Proxy (Linux server / VM); Squid passes the traffic to the Voltage SecureData Sentry Engine, which uses the Voltage SecureData Server (Linux virtual appliance); ServiceNow receives Name: °¿1°Mzigd¿° (Ticket: #1 Prob), Name: °¿2°cPaj¿° (Ticket: #2 Prob) and Name: °¿3°Ofa3¿° (Ticket: #3 Prob)
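As an added example, not from the presentation and not Micro Focus's own configuration, a minimal Squid configuration for the POC and proxy-chaining layouts above. It assumes the Sentry Engine accepts ICAP on a host named sentry-engine.example.internal with service paths /reqmod and /respmod, and the addresses are constructed; these are placeholders, not documented Sentry values.

```conf
# Added example: minimal squid.conf for the "POC Setup" and "Proxy Chaining" layouts.
# Not from the presentation or Micro Focus. The engine host name, the ICAP service
# paths (/reqmod, /respmod) and all addresses are placeholders or constructed values.

# Listening port from the slides. In the POC the browser points here directly;
# with proxy chaining the corporate proxy forwards requests here.
http_port 3128

# Accept traffic only from the corporate proxy and the POC client subnet, so the
# Squid in front of the Sentry Engine is never reachable as an open proxy.
acl corp_proxy  src 10.0.0.10/32      # constructed: corporate proxy address
acl poc_clients src 10.10.0.0/24      # constructed: POC workstation subnet
http_access allow corp_proxy
http_access allow poc_clients
http_access deny all

# ICAP adaptation: hand each request to the Sentry Engine before it goes to the
# SaaS application (protect) and each response before it returns to the client (access).
# bypass=off fails closed: if the engine is down, traffic is refused instead of
# passing sensitive fields through in the clear.
icap_enable on
icap_service sentry_req  reqmod_precache  icap://sentry-engine.example.internal:1344/reqmod  bypass=off
icap_service sentry_resp respmod_precache icap://sentry-engine.example.internal:1344/respmod bypass=off
adaptation_access sentry_req  allow all
adaptation_access sentry_resp allow all
# For ICAP-S, Squid 3.5 and later accept icaps:// URIs together with tls-cafile=...
# so that the engine certificate is verified.

# The user-information caveat from the slides. These directives pass the client
# address and authenticated user name to the engine in ICAP headers, but Squid can
# only send what it sees: behind a corporate proxy the client address is the proxy
# itself, and the user id is present only if authentication happens on this Squid.
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
```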