Authentication - Identity Protection


Data Protection Portfolio
Chris Harris
Northern European Pre-Sales Manager
SafeNet Data Protection Portfolio

Authentication - Identity Protection
• Offering the broadest range of authentication, from hardware smartcard tokens to mobile phone authentication, all managed from a single platform
• The market leader in certificate-based token authentication
• Industry's only unified authentication platform, offering customers the freedom to adapt
• Unique technology offerings with clientless tokens, high-assurance offerings and more

Hardware Security Modules
• The fastest, most secure, and easiest to integrate application and transaction security solution for enterprise and government
• The market leader in enterprise-grade HSMs
• Industry innovator in payment HSMs
• Widest portfolio of platforms and solutions
• SafeNet delivered its 75,000th HSM, an industry milestone

DataSecure - Encryption and Control
• World's first and only unified platform that delivers intelligent data protection and control for ALL information assets
• Centralized policy, key management, logging and auditing
• Data-centric, persistent protection across datacenters, endpoints and into the cloud
• Integrated perimeter data leakage prevention

High Speed Encryption
• SafeNet high-speed encryptors combine the highest performance with the easiest integration and management
• Unparalleled leverage across classified and COTS communication protection (FIPS 140-2 Level 3)
• Best-in-class Security Management Center
• Solutions for Ethernet and SONET up to 10 Gb
• Appliance based; proven scalability and high performance
• Zero bandwidth loss, low-latency encryption
Authentication Solutions

Authentication - Identity Protection

SafeNet's strong authentication solutions help our customers meet organizational and end-user needs, enable business growth and achieve compliance.

Portfolio components:
• Token Management System
• Smartcard USB tokens
• Smartcards
• Hybrid (OTP/SC/Storage) tokens
• OTP tokens
• Software / mobile authenticators
Strong Authentication – The Need

Drivers:
• 24x7 secure access to sensitive business information
• Digital signing of transactions
• Securing PCs and laptops

Passwords are:
• Often easy to crack and easy to guess
• Easy to steal: keystroke loggers, phishing attacks
• Difficult to remember and use
• The cause of high help-desk costs
The Authentication Portfolio – SafeWord and Token Management

• SafeWord's seamless integration with a Microsoft infrastructure makes it simple to deploy two-factor authentication for VPNs, Citrix applications, Web applications, Webmail, and Outlook Web Access
• Token assignment, enrollment, revocation, update, replacement
• Password reset/change
• Auditing, reporting
• Self-service options
• Integrated with AD/LDAP
The Authentication Portfolio

• Certificate-based (PKI) USB devices: eToken PRO, eToken PRO Anywhere, iKey 4000, iKey 1000
• Certificate-based smartcards: eToken PRO Smartcard, Smartcard 400, Smartcard 330, Smartcard 330M
• Hybrid: eToken NG-OTP, eToken Flash
• OTP: eToken PASS
• Software: eToken Virtual
• Mobile: MobilePASS (iPhone, BlackBerry, Java-capable phones, SMS)
Hardware Security Modules

HSM – Transaction & Identity Protection

SafeNet's Hardware Security Modules are the fastest, most secure, and easiest to integrate solution for protecting identities, applications and transactions.

Product line: Luna SA / SP, Luna XML, Luna SX, Luna CA4, Luna PCM, Luna PCI, ProtectServer Gold, ProtectHost EFT
What is an HSM, and why use one?

• Security: sensitive cryptographic keys and processes are stored, managed and protected by dedicated hardware
• Performance: processing bottlenecks are eliminated with hardware cryptographic acceleration
• Auditability: dedicated hardware provides a clear audit trail for all key material

Introducing the Product Line

• SafeNet brings together the HSM technology of three leading companies to deliver an array of customer choice with regard to features, certifications, performance and connectivity.
HSM Product Portfolio

Luna SA – High-assurance enterprise-grade HSM
• 7,000 ops/s
• FIPS 140-2 Level 3
• Extensive algorithm support
• 10/100 Ethernet interface
• Supports two-factor trusted path authentication
• Supports partitioning
• Hardware-secured remote administration

Luna PCI – Fast, high-assurance PCI HSM card for hardware key management and crypto acceleration
• 5,500+ ops/s
• Certifications: FIPS 140-2 Level 3, CC EAL 4+
• Extensive algorithm support
• Full platform support
• Supports two-factor trusted path authentication
• Secure remote administration

Luna CA4 – Root key HSM for true hardware key management
• Supports common certificate authorities (Microsoft, Entrust, Verisign, RSA, etc.)
• FIPS 140-2 Level 3 certified
• Extensive algorithm support

Luna PCM – Portable, cost-effective PCMCIA HSM card for hardware key management and crypto acceleration
• Versions for document signing, key export for registration of tokens, and signing and backup of key material to a token
• FIPS 140-2 Level 2
• Extensive algorithm support
HSM Product Portfolio

ProtectServer Gold – Cost-effective high-assurance PCI HSM card for customizable hardware key management
• Up to 600 ops/s
• Easy GUI-based administration
• Customizable interface
• FIPS 140-2 Level 3
• Extensive algorithm support
• Secure remote administration

Luna SP – Protected Application Execution Environment
• 5,500+ ops/s
• Certifications: FIPS 140-2 Level 3
• Executes sensitive application processing tasks
• Web service interface to application clients
• Signed code prevents unauthorised execution
• Leverages the tried and trusted Java security model
• Hardware-secured remote administration

Luna XML – High-assurance enterprise-grade HSM for XML environments
• XML interface (WSDL) encapsulates crypto functions, enabling rapid integration development
• No client required
• OS independent
• 2,200 ops/sec
• FIPS 140-2 Level 3
• Extensive algorithm support
• Secure remote administration
• 10/100/1000 Ethernet interface

ProtectHost EFT – High-assurance HSM for financial payment systems
• PIN generation & verification
• Supports global payment processing, EMV, and card issuance APIs
• 1,200 Visa PIN Verify operations/sec
• Certifications: FIPS 140-2 Level 3, CC
• Easy GUI-based administration
SafeNet HSM Product Range Overview

(Comparison table; the product column headers did not survive extraction. Attributes compared: form factor (Server, Network, Embedded, Server/Network); certifications (FIPS 140 Level 2 and Level 3; CC EAL 4+; CC EAL 4+ (CA3)); APIs (PKCS 11, Java, CAPI); throughput (27/sec, 450/sec, 600/sec, 1200/sec, 4500+/sec, 7000/sec); features (Symmetric and Asymmetric, PPO, 20 x partitions, SSL acceleration, EFT Command Sets).)
Principles of Best Practice
http://www.safenet-inc.com/library/
DataSecure Platform

DataSecure – Data Encryption & Control

DataSecure is the industry's most trusted platform to provide intelligent data protection for ALL information assets, both structured and unstructured, from the datacenter to the endpoint and into the cloud.

Platform components:
• DataSecure i450 and i150 appliances
• Application/DB connector software
• Centralized policy and key management
• File, folder & field encryption
• Full disk encryption
• File/folder protection

Protected tiers: Web/App servers, file servers, mainframes, endpoint devices
DataSecure Application Integration

(Diagram: an e-commerce application, a reporting application and the customer database all reach DataSecure through connector libraries.)

• Software libraries
  • Microsoft .NET, CAPI
  • JCE (Java)
  • PKCS#11 (C/C++)
  • SafeNet ICAPI (C/C++)
  • z/OS (COBOL, Assembler, etc.)
  • XML
• Support for virtually all application and web server environments

DataSecure Database Integration

• Database connectors
  • Oracle 8i, 9i, 10g, 11g
  • IBM DB2 version 8, 9
  • IBM UDB version 8, 9
  • Microsoft SQL Server 2000, 2005, 2008
  • Teradata 12
• Application changes not required
• Batch processing tools for managing large data sets
• Vendor-transparent database integration (customer database)
  • SQL Server 2008
  • Oracle 11g
DataSecure Tokenization

• DataSecure acts as the "vault" for sensitive data values and tokens, protecting them with strong encryption and key management
• Token Manager replaces sensitive data with format-preserving tokens via:
  • Secure Message Layer: SOA-based interface, callable from anywhere
  • Protected Zone: host of the Secure Message Layer; handles calling DataSecure and generating tokens

Tokenization: Store Sensitive Value / Retrieve Sensitive Value

(Flow diagrams. A client application (JVM) calls the token service over SOA; inside the protected zone the token manager's token generator produces the token and, through the ProtectApp Connector over SSL, DataSecure encrypts the value; the token-to-value mapping is written to the vault (SQL Server or Oracle, over JDBC/SSL). Retrieval reverses the path: the token is looked up in the vault, DataSecure decrypts the value, and the token service returns it to the client.)
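The store and retrieve flows above, reduced to runnable code as an added example (not SafeNet's code and not the DataSecure API): a TokenVault that holds token-to-value mappings under encryption, a format-preserving make_token that keeps length, digit-ness and the last four digits, and a TokenManager that returns the same token for the same value without the lookup index ever storing the value. All class and function names are this example's own. The vault cipher is an HMAC-SHA-256 counter-mode keystream with an encrypt-then-MAC tag, chosen so the example runs on the standard library alone; that is an assumption of the example, not the product's cipher.

```python
"""Format-preserving tokenization with an encrypted vault (added example)."""
import hashlib
import hmac
import os
import secrets


class TokenVault:
    """Stand-in for the DataSecure vault: maps token -> encrypted sensitive value.

    Cipher: HMAC-SHA-256 counter-mode keystream plus an encrypt-then-MAC tag,
    a stdlib-only assumption of this example, not the product's cipher.
    """

    def __init__(self, master_key: bytes):
        # Separate keys for confidentiality and integrity, derived from one master key.
        self._enc_key = hmac.new(master_key, b"vault-enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"vault-mac", hashlib.sha256).digest()
        self._store: dict[str, tuple[bytes, bytes, bytes]] = {}

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _tag(self, token: str, nonce: bytes, ct: bytes) -> bytes:
        # The token is bound into the tag so entries cannot be swapped between tokens.
        return hmac.new(self._mac_key, token.encode() + nonce + ct, hashlib.sha256).digest()

    def has(self, token: str) -> bool:
        return token in self._store

    def store(self, token: str, value: str) -> None:
        nonce = os.urandom(16)
        pt = value.encode()
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(nonce, len(pt))))
        self._store[token] = (nonce, ct, self._tag(token, nonce, ct))

    def retrieve(self, token: str) -> str:
        nonce, ct, tag = self._store[token]          # KeyError: unknown token
        if not hmac.compare_digest(tag, self._tag(token, nonce, ct)):
            raise ValueError("vault entry failed integrity check")
        pt = bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))
        return pt.decode()


def make_token(pan: str) -> str:
    """Format-preserving token: same length, all digits, last four kept so
    receipts and customer lookups still work; the leading digits are random."""
    if not pan.isdigit() or len(pan) < 8:
        raise ValueError("expected a numeric PAN of at least 8 digits")
    while True:
        head = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
        token = head + pan[-4:]
        if token != pan:
            return token


class TokenManager:
    """Stand-in for the Token Manager running in the protected zone."""

    def __init__(self, vault: TokenVault, index_key: bytes):
        self._vault = vault
        self._index_key = index_key
        # Keyed hash of the PAN -> token: the same PAN always gets the same
        # token, yet the index itself never holds a PAN.
        self._index: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        fp = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if fp in self._index:
            return self._index[fp]
        token = make_token(pan)
        while self._vault.has(token):               # avoid (unlikely) collisions
            token = make_token(pan)
        self._vault.store(token, pan)
        self._index[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._vault.retrieve(token)


if __name__ == "__main__":
    manager = TokenManager(TokenVault(b"demo-master-key"), b"demo-index-key")
    tok = manager.tokenize("4111111111111111")      # constructed test PAN
    print(tok, manager.detokenize(tok))
```

The design points worth noticing: the token carries no key material, so a database full of tokens is worthless without the vault; the vault tag binds the token to its ciphertext, so an attacker with write access to the vault cannot re-point one token at another customer's value; and the index key must be managed like the encryption keys, since anyone holding it can test whether a guessed PAN is on file.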
SafeNet DataSecure Interface

DataSecure – Data Encryption & Control
ProtectFile Architecture
Endpoint Protection with Centralized Key & Policy Management

ProtectFile PC
• Granular folder- and file-level encryption
• Independent, password-based or token-based user access control
• Key and policy management on DataSecure for end-user transparency
• Encrypted files stored locally or on shared file servers

ProtectFile Server
• Granular folder- and file-level encryption
• Client users use native Windows access control
• Key and policy management on DataSecure for end-user transparency

(Diagram: end-user laptop, corporate file server and network shares, all keyed and governed from DataSecure.)

DataSecure Platform
• Centralized key and policy management
• Comprehensive logging and reporting
• Enterprise scalability and redundancy
• FIPS and CC certified
ProtectFile Sample Policies

• Create policies that align to lines of business
• Granular policies can be defined to restrict access to authorized users

Examples:
• Finance managers get full access to confidential financial spreadsheets.
• Call center reps can encrypt credit card numbers for phone orders.
• Outside auditors get access to sensitive files remotely and offline, but must be re-authorized by IT every 30 days to regain access. (The policy can be configured with any interval.)
• Customer contracts sent to the call center are saved to a shared file server by the call center reps, where they are automatically encrypted and strict access control is applied.
• IT administrators get access to perform routine maintenance, but cannot see any files that have been encrypted (IT sees only ciphertext).
• Market analysts are able to access and share their competitive analysis on seasonal opportunities in the Finance folder, but see only ciphertext if they try to open the spreadsheet with analyst salary information.
ProtectFile Features and Benefits

• Full data lifecycle protection: encryption of files on servers, laptops, removable media, email, mobile handsets, and virtually anywhere the data travels
• Auditor-approved, compliance-ready solution: centralized auditing and logging to monitor attempted access and changes to your keys, users and authorization policies
• Data-centric data protection: secures the data itself, rather than the perimeter or devices; compatible with cloud computing environments because of the data-centric approach
• Highly scalable and redundant: designed for and proven within large enterprises
• Standards-based security: FIPS and CC certification for the DataSecure key manager
• Flexible integration options: password and PKI multi-factor authentication
• Endpoint security including mobile data protection: protects mobile devices using ProtectFile Mobile
DataSecure – Data Encryption & Control
SafeNet ProtectDrive

The world's highest rated and most cost-effective full disk and removable media encryption solution. Protects sensitive data and ensures compliance with the lowest operating costs. (ProtectDrive received a perfect 5-star review from SC Magazine.)

Security
• Full disk and removable storage media encryption
• Pre-boot authentication; two-factor authentication support
• FIPS 140-2 validated; Common Criteria EAL4
• Robust encryption (up to AES-256)
• Strong key management, optionally in hardware

Ease of Use
• High performance, transparent to the end user
• Single sign-on for pre-boot and Windows logon

Ease of Management
• Central management via Active Directory or ADAM
• Large-scale network installation using pre-set policies
• Reporting for compliance and security auditing
Pre-boot Authentication

If smart card and password logon has been enabled, the user inserts a smart card or presses Enter. After inserting the smart card the user only needs to enter a PIN. For password logon the user enters Windows user credentials.
Broad Platform Support

• ProtectDrive: the only disk encryption solution with a track record of successfully protecting servers, including RAID arrays, as well as laptops and workstations.
• Smartphone support: ProtectMobile supports Windows Mobile today, with additional support for Apple iPhone, Symbian and Palm planned for 1H 2010.
AD/ADAM Management

Leverage what your organization already knows, Active Directory, to speed up deployments and reduce ongoing management costs. Other solutions merely link to AD, whereas ProtectDrive integrates with AD/ADAM.
Token / Smart Card Support

Tokens:
• SafeNet eToken Pro
• eToken Pro Anywhere
• NG-FLASH
• NG-OTP
• SafeNet iKey 2032
• SafeNet iKey 1000
• SafeNet iKey 4000
• RSA SID800

Cards:
• SafeNet SC330, SC400
• CAC/PIV II
• ActivIdentity
• CardOS cards
• Schlumberger
• Cyberflex
• And MANY others

SafeNet is the only vendor providing both tokens/smart cards and disk/file encryption, ensuring long-term support and compatibility.
• No integration worries; no vendor finger-pointing over issues; one contact point for ongoing support
• Passwords are less secure than two-factor authentication
• At pre-boot, token/smart card credentials provide authentication for OS login
• Certificate-based authentication provides non-repudiation and other forensic capabilities
Biometric/Smartcard Authentication

ProtectDrive also supports match-on-card biometric authentication.

SafeNet ProtectDrive
• Seamless integration with Active Directory or ADAM
  • Immediate familiarity
  • No additional servers/applications to install and manage
• 100% hard drive encryption by partition or full disk
  • All data encrypted: registry, temp files, master file table, partition boot record, ...
• Wide operating system support
  • Windows 2000, XP, Vista, 7, 2003, 2008 R2
• Rapid recovery
  • A suite of recovery tools which enable the safe recovery of a ProtectDrive system in as little as three minutes
• Token support
  • Supports a wide range of PKI tokens, including the eToken Pro, eToken Pro Anywhere, NG-FLASH and NG-OTP
Network & WAN Encryption

SafeNet WAN Encryption
• SafeNet offers Layer 2 encryption solutions
• Layer 3 solutions (IPSec) are now absorbed into routers
• Why Layer 2? ...

Why Layer 2?

Lowest Cost of Ownership
• Better Bandwidth Efficiency (up to 50%)
• Minimal Ongoing Maintenance: Routing Updates Transparent to Encryption
• Lowest Cost Solution for Aggregation of Many Sites

Maximum Performance
• Low Protocol Overhead
• Low Latency
• Eliminates Complex QoS Schemes

Enterprise Scalability
• Fast, Reliable Network Integration
• Simple Architecture Scales to 1000s of Devices
• Layer 3 Transparent: All L3 Protocols Supported (IPv4, IPv6 and Legacy)
Layer 3 Competition

Improved performance: with the typical traffic profile, more than 50% of bandwidth can be lost to Layer 3 (IPSec) encryption overhead. (Source: Rochester Institute of Technology)

Simplified management: in the IPSec design (diagram: LAN, router, IPSec encryptor, carrier edge router, transport, operations center, disaster recovery location), every time something changes on the LAN the security policy has to be updated on the IPSec encryptor, at the operations center and at the disaster recovery location. This creates the potential for network outages and security vulnerabilities.
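Where the bandwidth loss comes from, as an added worked calculation (not from the deck or its source): ESP tunnel mode adds a fixed per-packet cost (outer IP header, ESP header, IV, padding to the cipher block, trailer, ICV) and, when the result exceeds the link MTU, a second fragment with its own header and Ethernet framing; a Layer 2 encryptor encrypts the frame in place. The field sizes are the standard ESP ones for AES-128-CBC with HMAC-SHA1-96; the two traffic profiles are constructed (the deck does not give its profile), and the per-frame overhead of the Layer 2 device is left as a parameter, defaulting to the zero the deck claims.

```python
"""Wire overhead of IPsec ESP tunnel mode versus Layer 2 encryption (added example)."""

# Per-frame Ethernet cost that applies whether or not the payload is encrypted:
# 14-byte header + 4-byte FCS + 8-byte preamble/SFD + 12-byte inter-frame gap.
ETH_FRAMING = 14 + 4 + 8 + 12

# ESP tunnel mode with AES-128-CBC and HMAC-SHA1-96 (RFC 4303 field sizes).
OUTER_IP = 20      # new outer IPv4 header
ESP_HEADER = 8     # SPI + sequence number
ESP_IV = 16        # AES-CBC initialisation vector
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # truncated HMAC-SHA1 integrity check value
AES_BLOCK = 16


def plaintext_wire_bytes(ip_len: int) -> int:
    """Bytes on the wire for one unencrypted IP packet."""
    return ip_len + ETH_FRAMING


def esp_tunnel_wire_bytes(ip_len: int, mtu: int = 1500) -> int:
    """Bytes on the wire after ESP tunnel encapsulation, including the outer
    header and Ethernet framing of every fragment the outer packet needs."""
    pad = (-(ip_len + ESP_TRAILER)) % AES_BLOCK          # CBC block alignment
    outer_len = (OUTER_IP + ESP_HEADER + ESP_IV + ip_len + pad
                 + ESP_TRAILER + ESP_ICV)
    payload = outer_len - OUTER_IP
    frag_payload = (mtu - OUTER_IP) // 8 * 8              # fragment data is 8-byte aligned
    fragments = -(-payload // frag_payload)               # ceiling division
    return payload + fragments * (OUTER_IP + ETH_FRAMING)


def layer2_wire_bytes(ip_len: int, per_frame_overhead: int = 0) -> int:
    """Layer 2 encryptor: the frame is encrypted in place. The deck claims zero
    protocol overhead; real devices may add a few bytes per frame, hence the
    parameter (assumption)."""
    return ip_len + ETH_FRAMING + per_frame_overhead


def efficiency(profile, encrypt) -> float:
    """Share of wire bandwidth left for the original traffic after encryption,
    over a profile given as (ip_len, relative weight) pairs."""
    plain = sum(w * plaintext_wire_bytes(n) for n, w in profile)
    encrypted = sum(w * encrypt(n) for n, w in profile)
    return plain / encrypted


# Constructed profiles (assumption): a 7:4:1 simple IMIX mix, and an all
# small-packet (VoIP-like) profile.  The deck's "typical profile" is not given.
SIMPLE_IMIX = [(40, 7), (576, 4), (1500, 1)]
SMALL_PACKETS = [(40, 1)]

if __name__ == "__main__":
    for name, profile in (("simple IMIX", SIMPLE_IMIX), ("40-byte packets", SMALL_PACKETS)):
        l3 = efficiency(profile, esp_tunnel_wire_bytes)
        l2 = efficiency(profile, layer2_wire_bytes)
        print(f"{name}: IPsec ESP keeps {l3:.1%} of bandwidth, Layer 2 keeps {l2:.1%}")
```

The figures show why the loss depends on the traffic profile: 40-byte packets lose about 45% of the link to ESP overhead, full-size packets lose most of their margin to fragmentation, and the IMIX mix loses about 16%. Quote any "bandwidth lost" number together with the packet-size distribution it was measured on, and with the MTU, since clamping TCP MSS or enabling jumbo frames on the WAN removes the fragmentation term.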
Simplified Management – Layer 2

In the Layer 2 design (diagram: LAN, customer premise router, Layer 2 encryptor, carrier switch, transport, operations center, disaster recovery location), when something changes on the LAN, nothing changes at the encryptor, the operations center or the disaster recovery location: no administrative burden, no outages and no security policy changes.
Best Fit for Layer 2 Encryption

• Ethernet encryption, 10G/1G
• SONET encryption
• Ethernet encryption, 100M/10M
Security Management Center II

Lowest Cost of Ownership
• Easy Installation and Simple Ongoing Management
• Intuitive Web-based GUI
• Virtualization Support with VMware and Solaris Zones

Secure Operations
• Full Audit and Event Logging and Reporting
• Secure Remote Management and Encrypted Communications
• Integrated Key Manager with Optional Hardware Security

Scalability / Reliability
• Simple Management Design for Thousands of Encryptors
• Rapid Deployment Tools for Large Installations
• Enterprise-Class High-Availability Features

SMC II is the only truly enterprise-class encryptor management platform.

SafeNet Ethernet Encryptor (FIPS 140-2 Level 3 Certified)

Lowest Cost of Ownership
• Simple Deployment and Low Maintenance
• Compatible With All Ethernet Topologies
• Remote Configuration and Monitoring

Maximum Performance
• Line-Rate AES-256 Encryption Up To 10 Gbps
• No Protocol Overhead and Low Latency (< 5 μs)
• Hitless 2048-bit Key Exchange

Enterprise Scalability
• Full-Mesh Connections Up To 512 Devices
• Available Line Rates Include 10M, 100M, 1G and 10G

The only complete family of Ethernet encryptors for all performance levels to secure Ethernet networks.

SafeNet SONET Encryptor (FIPS 140-2 Level 3 Certified)

Lowest Cost of Ownership
• Simple Deployment and Low Maintenance
• Line and Path Modes of Operation
• Remote Configuration and Monitoring

Maximum Performance
• Line-Rate AES-256 Encryption Up To 10 Gbps
• No Protocol Overhead and Low Latency (< 5 μs)
• Hitless 2048-bit Key Exchange

Enterprise Scalability
• Full-Mesh Connections Up To 512 Devices
• OC3, OC12, OC48, OC192 Interfaces Available

The SafeNet SONET Encryptor is the world's most widely deployed solution for protecting SONET and SDH networks.
Content Security

The Need for Content Security

Firewalls and VPNs control who enters; content security controls what enters. Threats arrive over the Web (spyware, malware, inappropriate browsing, IM, P2P, tunnelling, information loss) and over email (spam, phishing, viruses, malware).

Evolution of the Internet, the threats and the solutions:
• Web 0.1 (1995-2001): static content, limited bandwidth. Threat: amateur, fame-driven attackers. Solution: URL filter.
• Web 1.0 (2002-2006): dynamic HTML, web-based applications, increased bandwidth. Threat: professional spammers and fraudsters. Solution: Web/mail AV.
• Web 2.0 (2007-2010): user-generated content, evasive web applications, unlimited bandwidth. Threat: organized eCrime. Solution: scalable, intelligent secure gateway.
eSafe Product Family

eSafe Web Security Gateway
Includes anti-malware, anti-virus and application filtering. Inspects HTTP and FTP traffic.
• Performs real-time deep content analysis of Web 2.0 content
  • Proactively identifies all malicious scripts and malware
  • Strips only the threats, keeps the rest of the web content intact
  • Zero impact on user experience
• Controls Internet traffic for over 500 applications, e.g. Web 2.0, P2P, IM, etc.
  • Enforces application usage policies and controls malicious communications
  • Detects application protocols on any port
  • Prevents remote control
  • Prevents protocol tunnelling
• Blocks all known and unknown anonymous proxies
eSafe Web Security Gateway Plus
Includes anti-malware, anti-virus, application filtering and web filtering (URL filter). Inspects HTTP and FTP traffic.
PLUS:
• Controls access to inappropriate, non-productive, and potentially malicious sites
• Effectively enforces acceptable web use policy
  • 70 different categories
  • More than 100 million categorized sites
  • Up to 150,000 new or revised daily updates
eSafe Web Security Gateway SSL
Inspection of encrypted HTTPS/SSL web traffic.
• Scanning of incoming and outgoing SSL-encrypted traffic
• Ensures policy enforcement and protection on SSL-encrypted traffic
• Decrypts and re-encrypts HTTPS/SSL traffic on the fly
• Validates certificate policies, issuers and revocations

Because the gateway terminates TLS in both directions, browsers see its re-signed certificates rather than the origin server's, so the gateway itself must perform the chain, policy and revocation checks the browser would otherwise have done.
eSafe Mail Security Gateway
Includes anti-malware, anti-virus and anti-spam. Installed as an SMTP relay in the DMZ.
• Dual anti-spam engine blocks 99% of spam
• Proactively blocks malware and zero-hour outbreaks
• Strips phishing elements from email messages
• Self-managed spam quarantine dramatically reduces administration overhead
eSafe Reporter
Extended reporting tools with detailed, analytical enterprise-class reports: 240 pre-defined reports.
• Centralized dashboards
• Centralized configuration
• Centralized analysis
Data Loss Prevention: Classification, Enforcement & Monitoring
• Classification
  • 20 out-of-the-box DLP libraries
  • Coverage for over 150 file types, including:
    • All MS Office, OpenOffice and PDF files
    • HTML, email and source code files
    • Archived files
• Enforcement
  • Log only
  • Block attachments or file upload
  • Archive for later investigation
  • Alert notification to administrator
  • Send email with attachment to administrator
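The classification-then-enforcement pipeline above, as an added example (this is not eSafe code; the library names, regexes, policy format and sample data are this example's own assumptions). Two constructed libraries stand in for the product's twenty: payment card numbers validated with the Luhn check so that card-shaped ticket numbers are not flagged, and a confidentiality-marker keyword list. Archives are opened and scanned recursively, with a depth bound; findings carry a masked snippet so the DLP log does not itself leak the data; and the enforcement step maps each library to one of the actions the slide lists, with block outranking the rest.

```python
"""Content classification and enforcement for a DLP gateway (added example)."""
import io
import re
import zipfile
from dataclasses import dataclass

# Two constructed classification libraries stand in for the product's twenty.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")        # 13-19 digits, optional separators
KEYWORD_RE = re.compile(r"\b(INTERNAL ONLY|CONFIDENTIAL)\b", re.IGNORECASE)
ACTIONS = ("log", "block", "archive", "alert")


def luhn_ok(digits: str) -> bool:
    """Luhn check so that ticket ids and phone numbers are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    library: str
    snippet: str      # masked: a DLP log must not itself leak the data
    location: str


def classify(text: str, location: str = "body") -> list:
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("payment-card", "*" * (len(digits) - 4) + digits[-4:], location))
    for m in KEYWORD_RE.finditer(text):
        findings.append(Finding("keyword", m.group().upper(), location))
    return findings


def scan_attachment(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Recurse into archives (bounded, so a nested zip bomb cannot stall the
    gateway); everything else is treated as text."""
    if name.lower().endswith(".zip"):
        if depth >= max_depth:
            return [Finding("archive-too-deep", name, name)]
        found = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                found += scan_attachment(f"{name}/{info.filename}", zf.read(info),
                                         depth + 1, max_depth)
        return found
    return classify(data.decode("utf-8", errors="replace"), location=name)


def enforce(findings: list, policy: dict) -> dict:
    """policy maps library -> action; block outranks every other action."""
    actions = set()
    for f in findings:
        action = policy.get(f.library, "log")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        actions.add(action)
    return {
        "verdict": "block" if "block" in actions else "allow",
        "actions": sorted(actions),
        "findings": [(f.library, f.location, f.snippet) for f in findings],
    }


# Constructed sample message: one real-format test card number, one
# card-shaped ticket id that fails Luhn, and a confidentiality marker.
SAMPLE_EMAIL = (
    "Subject: order follow-up\n"
    "Card on file: 4111 1111 1111 1111, exp 12/27.\n"
    "Internal ref 1234-5678-9012-3456 (ticket id, not a card).\n"
    "INTERNAL ONLY - do not forward.\n"
)


def build_sample_zip() -> bytes:
    """Constructed attachment: a zip with one sensitive and one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "Customer card 4111-1111-1111-1111 kept for the refund.")
        zf.writestr("readme.txt", "Nothing sensitive here.")
    return buf.getvalue()


if __name__ == "__main__":
    found = classify(SAMPLE_EMAIL) + scan_attachment("orders.zip", build_sample_zip())
    print(enforce(found, {"payment-card": "block", "keyword": "alert"}))
```

Two of the slide's claims map directly onto checks here: "archived files" coverage is only real if the scanner opens the archive, and it needs a depth and size bound when it does; and "log only" must still produce a finding that is safe to log, which is why the card number is masked before it leaves the classifier.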
Flexible & Scalable Deployment
• Flexible deployment options
  • Inline, bridge, router and proxy deployment modes
• Multiple form factors
  • Virtual appliance (VMware)
  • Purpose-built appliances
• Reliability & high availability
  • Cluster solutions for high availability and redundancy
  • Integration with 3rd-party load balancers
  • Redundant components on eSafe appliances