
Thales Voltage Encryption Sb


7/23/2019 Thales Voltage Encryption Sb


www.thales-esecurity.com

Thales e-Security

Voltage Security and Thales Solution Overview

Solution Benefits
• Protect data everywhere it goes
• Reduce the cost of compliance and audits
• Quickly deploy and manage
• Protect the integrity of data security processes
• Guaranteed recoverability of data

Sensitive data is at risk from the moment it is created or captured. Too often, organizations recognize the need for greater security only after a data breach, and face costly consequences under an array of data protection regulations and laws. To reduce risk and demonstrate compliance, many organizations employ auditable data protection management processes - including encryption and key management - that aim to render sensitive information useless to all but legitimate users.

Voltage Security and Thales solutions combine to deliver a comprehensive end-to-end data protection approach that encompasses enterprise applications, point of sale and storage infrastructure. Together they help eliminate the traditional deployment and scale issues that have plagued data protection projects in the past. They ensure that organizations can achieve the performance and security required, easily demonstrate compliance and where possible minimize the scope of audits including PCI DSS. Tightly integrated with Voltage Security solutions, Thales nShield hardware security modules (HSMs) enforce security policies and provide a high assurance, tamper-resistant environment for encryption and key management, securing not only sensitive data but the data protection system itself from compromise.

ACHIEVE END-TO-END DATA PROTECTION WITH VOLTAGE SECURITY AND THALES NSHIELD HARDWARE SECURITY MODULES

“The Voltage solution integrated with Thales HSMs just works, and in a matter of weeks rather than months, delivered the data protection and key management that Heartland needs to move the payments industry forward.”

Steven Elefant
CIO, Heartland Payment Systems


characteristics such as field length. This means applications no longer need special re-coding to process encrypted fields and costly database schema changes can be avoided.

Tokenization & Data Masking

In many situations the challenge of protecting sensitive data can be made easier by simply removing the data in question. Very often, sensitive information such as Primary Account Number (PAN) data may flow through numerous applications, databases and storage systems but does not need to be directly accessed in order for them to function correctly.

To achieve this, Voltage SecureData™ Enterprise includes Voltage Secure Stateless Tokenization™ (SST) technology, which takes specific classes of sensitive data that have a tightly defined format, such as a PAN, and generates unrelated data in the same format to act as a substitute value. The token is then used as if it was the original data by applications and can be safely viewed by staff. Voltage SST technology is “stateless” because it eliminates the token database which is central to other tokenization solutions, and removes the need for storage of cardholder or other sensitive data. Voltage has developed an approach to tokenization that uses a set of static, pre-generated tables containing random numbers created using a FIPS random number generator. These static tables reside on virtual “appliances” – commodity servers – and are used to consistently produce a unique, random token for each clear text PAN input, resulting in a token that has no relationship to the original PAN. No token database is required with SST technology, thus improving the speed, scalability, security and manageability of the tokenization process – and dramatically reducing PCI DSS compliance scope.


Figure 1 Compared to traditional AES encryption, Voltage AES+FPE maintains the original field length.
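The length-preserving property in Figure 1 can be seen in a small added illustration, which is not Voltage's algorithm and not code from this brief: a toy Feistel cipher over decimal digits that uses HMAC-SHA256 as its round function instead of the AES-based FPE mode the brief refers to. The key and field values used with it are constructed, and only decimal digits are transformed; every other character stays where it is.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so the two half lengths end up where they started
DIGITS = "0123456789"


def _round(key: bytes, i: int, half: str, n: int, m: int) -> int:
    """Keyed pseudo-random value in [0, 10**m) derived from the other half."""
    msg = f"{i}|{n}|{half}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % 10**m


def _feistel(key: bytes, digits: str, decrypt: bool) -> str:
    n = len(digits)
    if n < 2:
        raise ValueError("need at least two decimal digits")
    u = n // 2
    a, b = digits[:u], digits[u:]
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for i in order:
        m = u if i % 2 == 0 else n - u  # width of the half being replaced
        if decrypt:
            c = (int(b) - _round(key, i, a, n, m)) % 10**m
            a, b = str(c).zfill(m), a
        else:
            c = (int(a) + _round(key, i, b, n, m)) % 10**m
            a, b = b, str(c).zfill(m)
    return a + b


def _apply(key: bytes, field: str, decrypt: bool) -> str:
    """Transform only the digits; spaces, dashes and letters stay in place."""
    digits = "".join(ch for ch in field if ch in DIGITS)
    out = iter(_feistel(key, digits, decrypt))
    return "".join(next(out) if ch in DIGITS else ch for ch in field)


def fpe_encrypt(key: bytes, field: str) -> str:
    return _apply(key, field, decrypt=False)


def fpe_decrypt(key: bytes, field: str) -> str:
    return _apply(key, field, decrypt=True)
```

The ciphertext has the same length, separators and character class as the input, so it fits an existing column or field validator unchanged; a production deployment would use a vetted FPE mode rather than this toy construction.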

Comprehensive Approaches To Data Protection

The Voltage Security solution supports a number of data protection techniques that address numerous security and operational goals and these can be applied at multiple points across an organization’s extended IT infrastructure.

Data Encryption

Encryption protects sensitive data wherever it goes and prevents unauthorized applications and users from accessing it. By encrypting data, companies can reduce the scope of PCI DSS audits and may achieve safe harbor from data breach disclosure and protection laws. However, IT architects and security professionals often have concerns relating to the potential disruption of adding encryption to existing data processing systems and schema and to the difficulty and costs of managing and distributing keys efficiently and securely. To help overcome these challenges the Voltage SecureData solution embodies important innovations:

Voltage Identity-Based Encryption™ (IBE)

This approach for deriving keys simplifies the deployment and increases the scalability of end-to-end encryption. With IBE, public keys for a device or user are derived from credentials that already exist (e.g., server name, email address). This avoids the need to pre-issue keys and specialized credentials and makes the task of supporting large populations of users and devices far easier. Security sensitive and time intensive key distribution and tracking processes are virtually eliminated.

Voltage Format-Preserving Encryption™ (FPE)

This mode of using AES encryption enables tightly structured sensitive data, such as credit card and social security numbers, to be encrypted while still retaining their defining

Figure 1 sample values:
Credit Card: 0012 3456 7890 0000; FPE: 2724 9283 2943 2838; AES: *juYE62W%UWjaks&
Tax ID: 000-00-0000; FPE: 982-28-7723; AES: lja&2924kUEF65%Q
Bank Account: 800N2982K-22; FPE: 709G9242H-35; AES: Hiu97NMko2 Ku}oq


Benefits of the Combined Solution

The combined power of the Voltage Security and Thales solution is unique in its ability to secure data and the data protection system itself against compromise. Thales HSMs not only secure and manage the root, system level secrets of the Voltage solution but they also protect the sensitive encryption operations associated with IBE key derivation. Security critical processes are performed within the Thales HSM using the Secure Execution Engine (SEE) capability which ensures encryption and key management operations are performed inside the HSM’s tamper-resistant environment away from possible malware or insider compromise.

The Thales nShield HSMs are independently certified to the FIPS 140-2 level 3 security benchmark and employ sophisticated key management techniques to ensure that keys are securely managed and backed up, guaranteeing recoverability in the event of system failure. All administrative functions on the HSMs, and on the keys that they protect, require strong authentication for system administrators which can be further strengthened by establishing dual controls, whereby the collusion of multiple administrators would be required to subvert the system. Together, these capabilities provide comprehensive logical and physical protection that delivers a tangible and auditable method for enforcing the security policies that underpin this critical component of a data protection infrastructure.


Organizations are required to protect their customers’ Personally Identifiable Information (PII) data in their systems, including in test, development, analytics warehouses and outsourced environments. Voltage SecureData™ delivers a comprehensive solution for data encryption, de-identification, and masking that does not require costly and time consuming data schema and format changes in existing systems. Voltage SecureData™ Masking enables enterprises to ensure sensitive data is de-identified, while remaining usable, before it is distributed to less controlled environments such as test, development and analytics warehouses. Voltage SecureData Masking delivers the same rigor for non-production test and development systems, by leveraging an extensible architecture with powerful tools for policy-driven data masking.

Email and File Encryption

While transaction systems and business applications that handle sensitive data must clearly be protected, that same sensitive data is also found in less tightly structured systems such as email and file servers. Data within these systems is often widely shared inside and outside the organization and is notoriously hard to control and typically involves significant effort and complexity for the average user. Consequently, email and file encryption projects have been slow to deploy and often fail as user objections emerge.

Voltage SecureMail and Voltage SecureFile use a different approach, making deployment easier and the user experience simple. With Voltage IBE technology, email or server identities are used to derive public encryption keys. Using this approach email encryption is transparent to users and can be enforced by policy. Similarly, file encryption can also be deployed transparently and is available on a wide range of platforms.

Figure 2 Combined solution: Voltage SecureData™ and Thales HSMs in a merchant deployment model. (Diagram labels: Merchant, Merchant Acquirer.)


For additional information follow the links below:

Voltage Format Preserving Encryption™, Tokenization, and Masking
• Voltage SecureData™
• Voltage SecureData™ Payments

Voltage Email Encryption
• Voltage SecureMail™
• Voltage SecureMail Cloud

File Encryption
• Voltage SecureFile™

Thales Hardware Security Modules
• Thales nShield Connect™
• Thales nShield Solo™

Secure data everywhere it goes

By focusing on protecting sensitive data instead of building barriers that restrict the flow of data, organizations can develop IT security programs that help enable business growth. Voltage Security and Thales data protection solutions enable you to secure your data throughout your organization and out to business partners and service providers - end-to-end.

Reduce the cost of compliance and audits

By protecting sensitive data, Voltage Security data protection solutions allow organizations to reduce the scope of audits and achieve safe harbor. Thales nShield HSMs make it easy to demonstrate policy enforcement, reducing the time spent on audits. Sixty-three percent of QSAs find that the use of HSMs reduces the time spent demonstrating compliance.

Build trust into your data protection system

Too often sensitive data has been compromised by unauthorized insiders or malicious software. Voltage Security and Thales solutions uniquely move the most sensitive data protection and key management processes from software-based systems into certified, hardware-based and tamper-resistant Thales nShield HSMs.

Quickly deploy and manage

Voltage Security and Thales solutions enable developers, administrators, and operations teams to quickly deploy and manage data protection. Thales nShield HSMs integrate with the complete range of Voltage Security data protection products including Voltage SecureData Enterprise, Voltage SecureData Payments and Voltage SecureMail and fully support both encryption and tokenization capabilities.

SUMMARY

Americas – Thales e-Security Inc. 900 South Pine Island Road, Suite 710, Plantation, FL 33324 USA • Tel: +1 888 744 4976 or +1 954 888 6200 • Fax: +1 954 888 6211

Asia Pacific – Unit 4101 41/F 248, Queen’s Road East, Wanchai, Hong Kong, PRC • Tel: +852 2815 8633 • Fax: +852 2815 8141

Europe, Middle East, Africa – Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ • Tel: +44 (0)1844 201800 • Fax: +44 (0)1844 208550
