Data at Rest & Data in Motion. Mark Baldwin


Academic year: 2021


(1)

Data at Rest & Data in Motion

(2)

SafeNet Protects Sensitive Data

SafeNet provides the only end-to-end enterprise data protection solution that secures data at rest, data in motion, as well as data in use, across application, device, network, and database layers.

(3)

SafeNet DataSecure® Solution

Enterprise Encryption and Key Management

[Architecture diagram: SafeNet DataSecure® in the data center serving application servers, databases, web servers, file servers, z/OS mainframes and storage/tape servers; SafeNet EdgeSecure® covering a remote location; laptops/devices.]
(4)

DataSecure Solution

DataSecure Appliance
• High-performance encryption
• Integrated management interfaces
• Hardened Linux appliance
• FIPS and Common Criteria certified

Connector Software
• Connects DataSecure capabilities to applications, databases, file servers

(5)

Benefits of SafeNet DataSecure

Security
• Hardware-based, centralized key and policy management
• FIPS/CC certified solution
• Authentication and authorization

Performance
• High performance encryption offload, over 100K TPS
• Batch processing for massive amounts of data
• Efficient backup/restore capabilities, local encryption option

Flexibility
• Support for heterogeneous environments (app, db, file)
• Support for open standards and APIs
• Range of enterprise deployment models

Manageability
• Intuitive, easy-to-use administration
• Separation of duties
• Centralized policy management

Availability
• Enterprise clustering and replication
• Load balancing, health checking, and failover
• Geographically distributed redundancy

(6)

Security

Centralized Enforcement
• Security administrators control data protection policy
• Keys created and stored in a single location
• Dual Administrative Control
• Separation of Duties
• Logging, Auditing and Alerts

FIPS & Common Criteria Certified Solution
• FIPS 140-2 Level 2 & CC EAL2 Certified
• Keys stored separately from sensitive data
• AES, 3DES, RSA and others
• Built-in Certificate Authority

Authentication & Authorization
• Multi-factor system-to-system authentication and access control
• Granular, key-based, cryptographic policy

(7)

Performance

Encryption Offload
• Optimized, high-performance hardware
• Frees up database and application servers
• Latency less than 300 microseconds per request

Local Encryption Option
• Configurable for hardware offload or local encryption

Batch Processing
• Perform batch encrypts/decrypts for high performance
• More than 100k TPS
• Batch tools include: Transform Utility, ICAPI

(8)

Flexibility

Heterogeneous Environments
• Comprehensive enterprise solution
• Web, Application, Database, Mainframe or File Server
• Data Center or Distributed Environments
• Open Standards-based APIs, cryptographic protocols

Scalability
• Models with capacity from 2,500 TPS to 100,000 TPS
• Clustering further increases capacity and redundancy

(9)

Manageability

Intuitive Administration
• Graphical and command line interfaces
• Point-and-click policy management
• Encryption rights management
• Key management
• Network and system management
• Simple configuration, analogous to a switch or router

Separation of Duties
• Security administrators administer security
• Maximize productivity, minimize liability

Extensible Management Platform
• Cohesive, consistent elements across the enterprise
• Common management protocols, processes

(10)

Availability

[Diagram: a global DataSecure Cluster spanning Boulder (US Operations) and Hong Kong (Asia-Pacific).]

• Clustering: keys and policy are shared/replicated among DataSecures in a global cluster
• Load Balancing: connector software can load balance across a group of appliances
• Multi-tier load balancing enables transparent fail over to alternate appliance(s)

(11)

Database Integration

• Database Connectors
  • Oracle 8i, 9i, 10g, 11g
  • IBM DB2 version 8, 9
  • Microsoft SQL Server 2000, 2005, 2008
  • Teradata
• Application changes not required
• Batch processing tools for managing large data sets

[Diagram: Customer Database connected to SafeNet DataSecure.]

(12)

Application Integration

• Application Connectors
  • Microsoft .NET, CAPI
  • JCE (Java)
  • PKCS#11 (C/C++)
  • SafeNet ICAPI (C/C++)
  • z/OS (Cobol, Assembler, etc.)
  • XML
• Support for virtually all application and web server environments

[Diagram: a Reporting Application and an E-Commerce Application, each connected to a Customer Database and to SafeNet DataSecure.]

(13)

File System Integration

• File System Connectors
  • Windows Server 2003
  • Linux
• File Encryption Keys (FEKs) protect files on disk
• FEKs are encrypted with a Key Encryption Key (KEK) that resides on the DataSecure appliance
• Policy configured on DataSecure and sent to file server

[Diagram: File Server connected to SafeNet DataSecure.]

(14)

DataSecure Appliances

i10 EdgeSecure
• Use Case Scenarios: Remote Locations/Distributed Environments
• Performance (TPS): 2,500
• Form Factor: 11.6" x 10.3" x 2.5" (w, d, h)
• Network Ethernet Interfaces: One: 10/100
• Power Supplies/Redundancy: One PS

i116 DataSecure
• Use Case Scenarios: Low-End Appliance
• Performance (TPS): 11,000
• Form Factor: 1U, rack-mountable
• Network Ethernet Interfaces: One: 10/100
• Power Supplies/Redundancy: One PS

i430 DataSecure
• Use Case Scenarios: High-End Appliance
• Performance (TPS): 100,000
• Form Factor: 1U, rack-mountable
• Network Ethernet Interfaces: Two: 10/100/1000
• Power Supplies/Redundancy: Two PS, two fans, two disks (RAID1)

(15)

Database Encryption Process (slide 1 of 8)

Step 1: Identify what data you want to secure and where that data resides.

CUSTOMER
Name               Account  SSN        Address          City
Irwin M. Fletcher  000234   123456789  411 Main Street  Santa Barbara
Josh Ritter        000115   111122223  1801 21st Ave    San Francisco
Steve Garvey       000199   987654321  123 First Ave    Brentwood

CUSTOMER Table Structure
Column Name  Data Type  Length
Name         VARCHAR    60
SSN          CHAR       9
Address      VARCHAR    75

(16)

Database Encryption Process (slide 2 of 8)

Step 2: Alter table to add columns

CUSTOMER
Name               Account  SSN        Address          City           SSN_NEW
Irwin M. Fletcher  000234   123456789  411 Main Street  Santa Barbara
Josh Ritter        000115   111122223  1801 21st Ave    San Francisco
Steve Garvey       000199   987654321  123 First Ave    Brentwood

CUSTOMER Table Structure
Column Name  Data Type  Length
Name         VARCHAR    60
SSN          CHAR       9
Address      VARCHAR    75

(17)

Database Encryption Process (slide 3 of 8)

Step 3: Migrate, encrypt data

CUSTOMER
Name               Account  SSN        Address          City           SSN_NEW
Irwin M. Fletcher  000234   123456789  411 Main Street  Santa Barbara  0xEED95DB775158895…
Josh Ritter        000115   111122223  1801 21st Ave    San Francisco  0x21010B370F8752D5…
Steve Garvey       000199   987654321  123 First Ave    Brentwood      0xC5187FC3A3286B7F…

CUSTOMER Table Structure
Column Name  Data Type  Length
Name         VARCHAR    60
SSN          CHAR       9
Address      VARCHAR    75
SSN_NEW      VARBINARY  16

[Diagram label: SafeNet DataSecure Appliance.]

(18)

Database Encryption Process (slide 4 of 8)

Step 4: Null the original cleartext data

CUSTOMER
Name               Account  SSN   Address          City           SSN_NEW
Irwin M. Fletcher  000234   NULL  411 Main Street  Santa Barbara  0xEED95DB775158895…
Josh Ritter        000115   NULL  1801 21st Ave    San Francisco  0x21010B370F8752D5…
Steve Garvey       000199   NULL  123 First Ave    Brentwood      0xC5187FC3A3286B7F…

CUSTOMER Table Structure
Column Name  Data Type  Length
Name         VARCHAR    60
SSN          CHAR       9
Address      VARCHAR    75
SSN_NEW      VARBINARY  16

[Diagram label: SafeNet DataSecure Appliance.]

(19)

Database Encryption Process (slide 5 of 8)

Sensitive data is now stored in encrypted format. Application integration can be completed with no further database changes, or…

CUSTOMER
Name               Account  SSN   Address          City           SSN_NEW
Irwin M. Fletcher  000234   NULL  411 Main Street  Santa Barbara  0xEED95DB775158895…
Josh Ritter        000115   NULL  1801 21st Ave    San Francisco  0x21010B370F8752D5…
Steve Garvey       000199   NULL  123 First Ave    Brentwood      0xC5187FC3A3286B7F…

(20)

Database Encryption Process (slide 6 of 8)

Step 5: Implement database integration: Rename database, create views, triggers and stored procedures to automate updates and inserts

CUSTOMER (View)
Name               Account  SSN        Address          City
Irwin M. Fletcher  000234   123456789  411 Main Street  Santa Barbara
Josh Ritter        000115   111122223  1801 21st Ave    San Francisco
Steve Garvey       000199   987654321  123 First Ave    Brentwood

Dynamic Encryption and Decryption of Data via Triggers and Views

CUSTOMER_NEW (the original CUSTOMER table, renamed)
Name               Account  SSN   Address          City           SSN_NEW
Irwin M. Fletcher  000234   NULL  411 Main Street  Santa Barbara  0xEED95DB775158895…
Josh Ritter        000115   NULL  1801 21st Ave    San Francisco  0x21010B370F8752D5…
Steve Garvey       000199   NULL  123 First Ave    Brentwood      0xC5187FC3A3286B7F…

(21)

Application and Database Encryption Process (slide 7 of 8)

Subsequent updates and inserts preserve data privacy

CUSTOMER (View)
Name               Account  SSN        Address          City
Irwin M. Fletcher  000234   987654321  411 Main Street  Santa Barbara
Josh Ritter        000115   111122223  1801 21st Ave    San Francisco
Steve Garvey       000199   987654321  123 First Ave    Brentwood

[Update Trigger]

CUSTOMER_NEW
Name               Account  SSN   Address          City           SSN_NEW
Irwin M. Fletcher  000234   NULL  411 Main Street  Santa Barbara  0x5FC09A148B276126…
Josh Ritter        000115   NULL  1801 21st Ave    San Francisco  0x21010B370F8752D5…

(22)

Application and Database Encryption Process (slide 8 of 8)

Subsequent updates and inserts preserve data privacy

CUSTOMER (View)
Name               Account  SSN        Address          City
Irwin M. Fletcher  000234   987654321  411 Main Street  Santa Barbara
Josh Ritter        000115   111122223  1801 21st Ave    San Francisco
Steve Garvey       000199   987654321  123 First Ave    Brentwood

[Update Trigger]

Insert:
Henry Baker        000301   999666555  787 Convention   Gilroy

[Insert Trigger]

CUSTOMER_NEW
Name               Account  SSN   Address          City           SSN_NEW
Irwin M. Fletcher  000234   NULL  411 Main Street  Santa Barbara  0x5FC09A148B276126…
Josh Ritter        000115   NULL  1801 21st Ave    San Francisco  0x21010B370F8752D5…
Steve Garvey       000199   NULL  123 First Ave    Brentwood      0xC5187FC3A3286B7F…
Henry Baker        000301   NULL  787 Convention   San Francisco  0xF5253HU4A4657C3P…
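The five database steps on slides 15-20, followed by the update and insert of slides 21-22, as an added runnable walk-through that is not SafeNet's DB Connector code: it uses Python's sqlite3 with a constructed stand-in for the appliance's encrypt/decrypt calls (hypothetical ds_encrypt/ds_decrypt built from a random nonce and a SHA-256 keystream, not AES) so the column add, migration, rename, view and INSTEAD OF triggers can run offline. The point to check is that the cleartext column stays NULL in the stored table while readers of the view still see decrypted values.

```python
import hashlib, os, sqlite3

KEY = b"constructed-demo-key"  # stand-in only; the real key never leaves the appliance

def ds_encrypt(plain):
    """Stand-in for the DataSecure encrypt call: 8-byte nonce + SHA-256 keystream XOR (demo, not AES)."""
    nonce = os.urandom(8)
    stream = hashlib.sha256(KEY + nonce).digest()
    return nonce + bytes(b ^ s for b, s in zip(plain.encode(), stream))

def ds_decrypt(blob):
    """Inverse of ds_encrypt; passes NULL through so the view can still show NULL rows."""
    if blob is None:
        return None
    stream = hashlib.sha256(KEY + bytes(blob[:8])).digest()
    return bytes(b ^ s for b, s in zip(blob[8:], stream)).decode()

def migrate(con):
    """Steps 1-5 of the slides against an in-memory database."""
    con.create_function("ds_encrypt", 1, ds_encrypt)
    con.create_function("ds_decrypt", 1, ds_decrypt)
    cur = con.cursor()
    # Step 1: the table as it exists today, with constructed sample rows from the slides
    cur.execute("CREATE TABLE CUSTOMER (Name TEXT, Account TEXT, SSN TEXT, Address TEXT, City TEXT)")
    cur.executemany("INSERT INTO CUSTOMER VALUES (?, ?, ?, ?, ?)", [
        ("Irwin M. Fletcher", "000234", "123456789", "411 Main Street", "Santa Barbara"),
        ("Josh Ritter", "000115", "111122223", "1801 21st Ave", "San Francisco"),
        ("Steve Garvey", "000199", "987654321", "123 First Ave", "Brentwood")])
    # Step 2: add the binary column that will hold the ciphertext
    cur.execute("ALTER TABLE CUSTOMER ADD COLUMN SSN_NEW BLOB")
    # Step 3: migrate and encrypt
    cur.execute("UPDATE CUSTOMER SET SSN_NEW = ds_encrypt(SSN)")
    # Step 4: null the original cleartext
    cur.execute("UPDATE CUSTOMER SET SSN = NULL")
    # Step 5: rename the table, create the view and the INSTEAD OF triggers
    cur.execute("ALTER TABLE CUSTOMER RENAME TO CUSTOMER_NEW")
    cur.execute("CREATE VIEW CUSTOMER AS SELECT Name, Account, ds_decrypt(SSN_NEW) AS SSN, "
                "Address, City FROM CUSTOMER_NEW")
    cur.execute("CREATE TRIGGER customer_ins INSTEAD OF INSERT ON CUSTOMER BEGIN "
                "INSERT INTO CUSTOMER_NEW VALUES (NEW.Name, NEW.Account, NULL, NEW.Address, "
                "NEW.City, ds_encrypt(NEW.SSN)); END")
    cur.execute("CREATE TRIGGER customer_upd INSTEAD OF UPDATE OF SSN ON CUSTOMER BEGIN "
                "UPDATE CUSTOMER_NEW SET SSN_NEW = ds_encrypt(NEW.SSN) "
                "WHERE Account = NEW.Account; END")
    con.commit()

def demo():
    """Slides 21-22: update and insert through the view; returns (view rows, stored rows)."""
    con = sqlite3.connect(":memory:")
    migrate(con)
    con.execute("UPDATE CUSTOMER SET SSN = '987654321' WHERE Account = '000234'")
    con.execute("INSERT INTO CUSTOMER VALUES ('Henry Baker', '000301', '999666555', '787 Convention', 'Gilroy')")
    view = dict(con.execute("SELECT Account, SSN FROM CUSTOMER"))
    stored = dict(con.execute("SELECT Account, SSN FROM CUSTOMER_NEW"))
    return view, stored
```

The "no range queries" drawback listed later under DB Integration follows directly: SSN_NEW holds nonce-prefixed ciphertext, so ORDER BY or BETWEEN on that column is meaningless.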

(23)

Encrypting Structured Data

Three options:
• Database – Encryption and decryption are initiated from the DB using Ingrian views and triggers. Makes use of DB Connector.
• Application – Encryption and decryption are initiated from the application. Makes use of Application Connector.
• Hybrid – Crypto operations are initiated from both the DB and the App.

(24)

Database Connector installed on Database Server (Oracle/MSSQL/DB2)

[Diagram: users Tom and Bob -> WebServer -> Application Server -> Database (field encrypted with Key x) <-> DataSecure. The query response is shown as 12345678 in the application, X3%R7!>W as stored in the database, and 12345678 again once the database connector has decrypted it. Tom can access Key x, Bob cannot.]

(25)

DB Integration

Pros
• Theoretically very easy
• Can be done from the GUI
• No need to modify applications

Cons
• Lower performance (2,000 Op/s max)
• Maintenance is more difficult
• No range queries
• Might cause problems for OTS applications

(26)

Application Connector installed on Application Server (PKCS#11/MS/Java/ICAPI/XML)

[Diagram: users Tom and Bob -> WebServer -> Application Server <-> DataSecure, with the Application Server -> Database (field encrypted with Key x). The query response between the application server and the database carries only X3%R7!>W; the application server exchanges 12345678 / X3%R7!>W with DataSecure. Tom can access Key x, Bob cannot.]

(27)

App Integration

Pros
• Very easy – 20 lines of code required
• High performance (can multi-thread apps)
• Less maintenance required
• Less risk of injury
• More secure than DB integration

Cons
• You have to modify all your apps
• Might not have access to source code

(28)

Application Integration, JCE Example

    import java.io.InputStream;
    import java.io.OutputStream;
    import java.security.SecureRandom;
    import javax.crypto.Cipher;
    import javax.crypto.SecretKey;
    import javax.crypto.spec.IvParameterSpec;
    // NAESession and NAEKey come from the SafeNet/Ingrian provider JAR
    import com.ingrian.security.nae.NAEKey;
    import com.ingrian.security.nae.NAESession;

    public static void encryptStream(InputStream is, OutputStream os) throws Exception {
        // Create NAE session
        NAESession session = NAESession.getSession("username", "password");
        // Retrieve secret key (the key material stays on the DataSecure appliance)
        SecretKey key = NAEKey.getSecretKey("AESKey", session);
        // CBC needs a fresh random IV per message; it is written ahead of the
        // ciphertext so the decrypting side can read it back
        byte[] ivBytes = new byte[16];
        new SecureRandom().nextBytes(ivBytes);
        IvParameterSpec iv = new IvParameterSpec(ivBytes);
        os.write(ivBytes);
        // Create cipher instance
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding", "IngrianProvider");
        cipher.init(Cipher.ENCRYPT_MODE, key, iv);
        // Use the cipher instance to encrypt the input stream
        byte[] buffer = new byte[8192];
        int readBytes;
        while ((readBytes = is.read(buffer)) != -1) {
            byte[] result = cipher.update(buffer, 0, readBytes);
            if (result != null) {
                // Write the encrypted bytes to the output stream
                os.write(result);
            }
        }
        os.write(cipher.doFinal());
        os.flush();
    }

(29)

Application Integration, C# Code Example

    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Text;
    // NAESession comes from the SafeNet/Ingrian .NET provider assembly

    // Create NAE session
    NAESession session = new NAESession("username", "password");
    // Retrieve secret key
    SymmetricAlgorithm key = (Rijndael)session.GetKey("AESkey");
    // Set the initialization vector, padding, and mode
    // (the fixed IV below is the slide's illustration; CBC needs a fresh random IV per message)
    byte[] iv = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 };
    key.IV = iv;
    key.Padding = PaddingMode.PKCS7;   // .NET's name for PKCS#5-style padding on 16-byte blocks
    key.Mode = CipherMode.CBC;
    // Read in data to encrypt
    UTF8Encoding utf8 = new UTF8Encoding();
    byte[] inputBytes = utf8.GetBytes("String_To_Encrypt");
    MemoryStream memstr = new MemoryStream();
    // Create a crypto stream and encrypt data
    CryptoStream encrstr = new CryptoStream(memstr, key.CreateEncryptor(), CryptoStreamMode.Write);
    encrstr.Write(inputBytes, 0, inputBytes.Length);
    encrstr.Close();
    byte[] encrBytes = memstr.ToArray();
    // Create encrypted string (Base64 assumed; the slide ends here)
    string encrypted = Convert.ToBase64String(encrBytes);

(30)

File Encryption Process

Policies are created at the DataSecure. A Key Encryption Key (KEK) is created for each directory.

Encryption policies and KEKs are sent to the File Server and stored in memory. File Encryption Keys (FEKs) are generated at the File Server and used to encrypt files. FEKs are encrypted using the KEK before they are sent to disk.

[Diagram: Original File (File #1 in cleartext format) on the File Servers; SafeNet DataSecure®; Encrypted File carrying a File Header.]
1) Encrypt cleartext data with File Encryption Key
2) Encrypt File Encryption Key with Key Encryption Key

(31)

Conclusion

DataSecure Solution
• Secure, appliance-based solution for encryption and key management
• Provides high performance cryptographic offload
• Supports web, application, database and file server environments
• Centralizes management and enforces control of enterprise data protection policy
• Scales globally while ensuring high availability

(32)

ProtectDrive

Industry-Leading Hard Drive encryption solution
• SC Magazine 5 Stars in all Categories
• Customer Deployments for 1000s of Laptops
• 100% hard drive encryption by partition or full hard drive (all data encrypted - registry, temp files, etc)
• Encryption at physical drive level – Pre Boot
• Server version for RAID
• Strong encryption algorithm - AES-256
• Pre-boot Authentication (PBA) using Microsoft logon credentials – Single Sign On
  • Logon by Password, OR
  • Logon by Digital Certificate with Strong two-factor authentication (USB tokens, smart cards)
• Support for Windows 2000 / XP / 2003 / Vista
• Microsoft Active Directory-based central administration for easy network deployment and management – no separate management console required
• Port and Device Control
• Removable media encryption – USB flash drives, and External Hard Drives
• FIPS-certified encryption functions
• EAL4 Common Criteria certification in process

(33)

WAN Encryption devices

• FIPS and CC Certification
• Physically tamper-proof
• Minimal latency (typical < 10 microseconds)
• Point to Multipoint connection capability (not Link)
• Each connection uses unique AES256 symmetric key (changed every hour)
• Connections can be set to Encrypt, Bypass or Discard
• Zero Overhead – data payload only encrypted
• For each type, there are different models to suit different bandwidths (capacities) and with different interfaces (connectors) to suit local environments

(34)

WAN Encryptor Topology

[Topology diagram components: SMC LAN, Customer Router, SafeNet Encryptor, Telco Edge Switch, Telco Carrier Circuits.]