Vormetric Data Security

Transcription

1 Vormetric Data Security Simplifying Data Security for the Enterprise

2 Agenda! Introductions! Vormetric Overview! Data Security Architecture Challenges! Product Architecture & Use Cases! Q&A

3 Data - The New Global Currency saw an all time high of 855 Incidents, 174 Million records compromised 96% of attacks were categorised as not highly difficult % of records compromised involving Laptops - <1% Total Percentage of Records compromised involving SERVERS: 94% Source: 2012 Verizon Data Breach Inves5ga5ons Report Source: 2012 Verizon Data Breach Investigations Report

4 Vormetric Summary! Data security Simplified! Physical, Virtual, Cloud! Protect Structured & Unstructured Data! File, Application and Database Servers! Windows, Linux, Unix and Big Data Platforms! Disruptive Architecture - Re perimeter the data! Firewall like policy engine for privileged user / application access! Transparency / Rapid Deployment / Time to value! Security on Demand Service with consistent policy across multiple use cases! V5 Architecture! Vertical & Horizontal Scalability

5 Who is Vormetric?! Founded in 2001! Purpose:! To Simplify Data Security! Customers: Customers Worldwide! OEM Partners:! IBM Guardium Data Encryption! Symantec NetBackup! Technology Partners! Intel! Imperva

6 Drivers for Data Security! Compliance to regulations! PCI, HITECH, State PII laws, EU laws, Int l Laws! Customer or executive mandates! Increasing customer contractual demands to encrypt data! Limit or reduce personnel allowed to access sensitive data! Executive mandating encryption for safe harbor or to avoid breach notification! Outsourcing enablement! Better Defense and Depth Data Security! Protect against threats that can cause a breach! Transformational technology! Virtualization, Cloud 6

7 Data Security Architecture Challenges

8 Data Access Tiers! Network Tier! Data moves between Applications, Users, and Systems! Application Tier! Data is used by applications from either a Database or Storage(flat files)! Database Tier! Data is structured in the Database for easy access and indexing! System Tier! Servers run the Applications and Databases that need access to their data! Storage Tier! Ultimately data is stored in some form of storage DAS, NAS, SAN, etc

9 Challenges of Data Security! Not Transparent! Changes to business processes, applications, and databases are disruptive! It s too data type specific! Must support multiple architectures! Performance Suffers! Encryption is traditionally impacts performance negatively! Is it strong enough?! Do privileged users have access to this data?! How are the keys protected yet still available?! Are duties separated?! Too Hard to Adopt! Difficult to understand! Difficult to implement! Difficult to maintain

10 Data Defense in Depth Strategy Audit Security Management Domains Privileged User Access Control Separation of Roles & Need to Know Key Management Encryption Data Assets

11 Layered Enterprise Security Network Security Layers of Defense Firewalls IDS / IPS Content filtering DLP IAM Internet WAF Applications Application Tier Data Security Layers of Defense DAM Encryption Database Operating System Database Tier Server Tier Encryption Data Storage Tier

12 Data Security Simplified! Transparent! Must be transparent to business processes, end users, and applications! Data type neutral any data, anywhere! Strong! Privileged users should not have access to sensitive data! Firewall your data approved users and applications allowed, deny all others.! Bulletproof key management! Efficient! SLA, User, and Application performance must remain acceptable! Encryption overhead can approach zero! Easy! Easy to Understand! Easy to Implement! Easy to Manage

13 Technical Issues with Other Encryption Approaches! Changes are hard to implement and maintain! Application level encryption is too complex! Column level encryption and tokenization requires too many changes and introduces performance problems! No/Poor Key Management! Native Database Encryption doesn t have key management and is platform specific! Separation of Duties Required! Full disk encryption and Inline Encryption provides no protection except when media is stolen

14 Vormetric Data Security Product and Architecture Review

15 Vormetric Data Security Product Suite! Vormetric Encryption! Purpose: Transparent Data Encryption and Access Control of structured and unstructured data! Use Cases: Database Encryption, Application Data Encryption, Privileged User Data Access Control! Vormetric Key Management! Purpose: Provide Key Management for other Encryption platforms! Use Cases: Application Encryption, TDE Key Management! Vormetric Key Vault! Purpose: Securely store and report on Security Materials! Use Cases: Key Vaulting, Certificate Vaulting, Vaulting of other Security materials.

16 Vormetric Data Security Encryption Agent Vormetric Encryption Vormetric Key Management Key Agent Data Security Manager Unstructured Oracle 11gR2 TDE Encryption Agent Vormetric Key Vault Key Agent Database SQL Server 2008 TDE

17 Vormetric Encryption Architecture and Use Cases

18 Vormetric Encryption Capabilities Data Encryption Data Access Control Audit Data Access! Encrypts file, directory and raw devices! Transparent to:! Applications! Databases! Storage Infrastructure! Integrated Key Management! Firewall-like access controls for data access! Separate data access from data management for systems privileged users(root, SA, etc )! Granular data access logging! Granular control of what events are logged

19 Vormetric Encryption Components Data Security Manager File System Agent! Centralized Policy, Key, and Audit Manager! Multiple Domains Logical Separation of Hosts, Keys, Policies, and Vormetric Administrators! FIPS Certified! File System or Volume Encryption! Overlays on existing FS or Volumes! Transparent to Storage, Applications, and Databases! Enforces policy for encryption and access controls! Highly Efficient Block Encryption! Supports: Linux, Unix, Windows Servers Slide No: 19

20 Vormetric Encryption Architecture Users Application Database Policy is used to restrict access to sensitive data by user and process information provided by the OS. OS FS Agent SSL/TLS File System SAN, NAS, DAS Storage *communication is only required at system boot

21 Vormetric Encryption Use Cases Database Encryption! Usage: Encrypt Tablespace, Log, and other DB files! Common Databases: Oracle, MSSQL, DB2, Sybase, Informix, MySQL Unstructured Data Encryption! Usage: Encrypt and Control access to any type of data used by LUW server! Common Data Types: Logs, Reports, Images, ETL, Audio/Video Recordings, Documents, Big Data! Examples: FileNet, Documentum, Nice, Hadoop, Home Grown, etc Cloud Encryption! Usage: Encrypt and Control Access to data used by Cloud Instances! Common Cloud Providers: Amazon EC2, Rackspace, MS Azure

22 Vormetric Encryption Policy Vormetric Policy Firewall Rules Rules have Criteria and Effects Criteria Effects! User/Group, Process, Data Location, Type of I/O, Time! Permission: Permit or Deny! Encryption Key: Yes or No! Audit: Yes or No The Rules of a policy work like a firewall rule engine 1. Receive criteria from request. 2. Try to match Criteria to Rules. Start at the top. 3. On first match apply the associated Effect. 4. If no match, then deny

23 Policy Example Oracle Tablespace # User Process Ac?on Effects oracle oracle_binaries * permit, apply_key root admin_tools read permit, audit * * * deny, audit, apply_key Policy Benefits ü Database encrypjon, without changing database schema or applicajon code. ü Remove custodial risk of root level user Copyright 2012 Vormetric, Inc. - Proprietary and Confidential. All Rights Reserved.

24 Technical Benefits! Transparent! No changes required to Database, Application or Storage! Data type neutral any data type! Strong! System privileged users can be restricted from accessing sensitive data! Firewall your data approved users and applications allowed, deny all others.! Integrated Key Management! Efficient! SLA, User, and Application performance are maintained! Encryption overhead is minimal! Rapid Deployment! Easy! Easy to Understand! Easy to Implement! Easy to Manage

25 Q&A Thank you!

26 Vormetric / Imperva

27 Protect Server Data Log Files Password files Config Files Archive File Share Archive Content Multi Needs ERP CRM Payment CMS Custom Apps IIS APACHE WebLogic DB2 Oracle SQL Sybase MySQL File Servers FTP Servers Servers Others Log Files Password files Config files Archive Data Files Transaction Logs Exports Backup DAS SAN NAS VM CLOUD

28 Layered Enterprise Security Network Security Layers of Defense Firewall IDS / IPS Content filtering DLP IAM Internet WAF Applications Application Tier Data Security Layers of Defense DAM Encryption Database Operating System Data Tier Server Tier Encryption Data Storage Tier

29 Imperva+Vormetric Protect Your Data Network Security Layers of Defense Firewall IDS / IPS Content filtering DLP IAM Internet Applications Application Tier Data Security Layers of Defense Database Operating System Data Tier Server Tier Data Storage Tier

30 Layered Database Security Solution Users Applications Imperva Awareness of Database users & rights Database Activity audit & access controls Database Operating System Data Vormetric Database file encryption, OS-level audit & access controls Encryption key management

31 Imperva and Vormetric Threat Coverage Users Applications Imperva Typical Threats: Unauthorized access to sensitive database data Database Operating System Data Vormetric Typical Threats: Unauthorized system access to data, mitigate risk of lost media (server, disk)

32 Solution Requirements! Transparent auditing & security controls! Real-Time visibility into access activity! Control privileged user access, viewing and manageability! Easy to deploy and manage across heterogeneous environments! Minimal impact to operations

33 Imperva-Vormetric Solution Sensitive information protection, access control and usage monitoring! Capture Usage Details! Encrypt sensitive data and manage keys! Control User Access! Application users! Privileged users! System users! Report & Analyze

34 Imperva + Vormetric! Imperva SecureSphere Data Security Suite: Protect high-value business databases in the data center! Audit and monitor user access to sensitive data across heterogeneous database platforms! Generate alerts or block access when prohibited or anomalous database access occurs! Advanced analytics and reporting to accelerate incident response and forensic investigation! Vormetric Data Security: Encrypt, audit and control access to sensitive data files! Transparent encryption of structured (database) and unstructured data! Physical, virtual and cloud environments! Integrated encryption key management and management for Transparent Data Encryption keys! Protect against external threats (hackers with user credentials) and most internal threats (IT admins, etc)

35 Vormetric Key Management

36 Vormetric Key Management Capabilities Network HSM Application Encryption! Simplify Key Management for 3 rd Party Encryption Products! Provide Network HSM to Encryption Products via u PKCS#11 (Oracle 11gR2) u EKM (MSSQL 2008 R2)! Enables API level encryption for custom developed Applications! Network HSM Protocols u u PKCS#11 EKM

37 Vormetric Key Management Components Data Security Manager (DSM)! Same DSM as used with all VDS products! FIPS Key Manager with Separation of Duties Application Agent! Provides Network HSM Key Management Services for: u u Oracle 11g R2 TDE (Tablespace Encryption) MSSQL 2008 R2 Enterprise TDE (Tablespace Encryption) u Application Level Encryption

38 TDE Key Architecture before Vormetric Master Encryption keys are stored on the local system in a file with the data by default Oracle / Microsoft TDE TDE Master Encryption Key Local wallet or table

39 TDE Key Architecture with Vormetric TDE Master Encryption Key SSL Connection Application Agent Oracle / Microsoft TDE Database! Vormetric s DSM acts as Network HSM for securing keys for Oracle and Microsoft TDE! Vormetric s Application Agent is installed on the database server

40 Vormetric Application Level Encryption Custom Application Encryption Keys Stored on DSM SSL Connection Application Agent PKCS11, MSCAPI User ApplicaJon! Vormetric s DSM performs Network HSM functions! Vormetric s Application Agent is installed on the application server that will be performing encryption operations! Custom Applications can then utilize the Vormetric Encryption Agent to perform crypto services 1. ApplicaJon send sensijve data securely to the DSM to be encrypted 2. The encrypted data is sent back to the applicajon and then stored in the database

41 Technical Benefits! Transparent! Seamlessly enable Key Management for existing TDE installations! Strong! Remove DBAs from Key Management Duties! Encrypt Data in Custom Applications from the moment the Data is created.! Efficient! Provide high performance HSM services to your TDE installations! Selectively encrypt sensitive Data in Custom Applications! Easy! Automatically replicate your Keys across multiple environments! Easy to follow sample implimentations

42 Vormetric Key Vault

43 Vormetric Key Vault Capabilities Vaulting! Vault Security Materials Symmetric Keys Asymmetric Keys Certificates Other Security Materials (Passwords, etc )

44 Vormetric Key Vault Components Data Security Manager! Same DSM as all other VDS Products! FIPS Certified VMSSC! Command Line tool or API for programmatic vaulting and management of keys

45 Vormetric Key Vault Supported Key Types: Symmetric Asymmetric Certificates Web GUI Command Line / API u Manual Key Import u Key Vault u Reporting u Logging u Bulk Key Import u Scripting Interface u Ingest u Retrieval u Removal

46 Vormetric Key Vault Use Cases Vault keys! Secure storage of Keys and Certificates! Vault other sensitive materials such as (Passwords, CC numbers, etc ) Report on vaulted keys! Centralized tracking, reporting, and alerting of Vaulted Keys! Remove need for manual processes (Spreadsheets, etc)! Alert on expiring keys before it becomes a problem.

47 Vormetric s MetaClear Encryption Clear Text Block- Level File System Metadata File Data Unencrypted Name: Jsmith.doc Created: 6/4/99 Modified: 8/15/02 Name: J Smith CCN: Exp Date: 04/04 Bal: $5,145,789 SSN: Full Disk / Switch Encryp?on dfjdnk%(amg 8nGmwlNskd 9f Nd&9Dm*Nd dfjdnk%(amg 8nGmwlNskd 9f Nd&9Dm*Ndd xiu2ks0bksjd Nac0&6mKcoS qcio9m*sdopf Vormetric Encryption Name: Jsmith.doc Created: 6/4/99 Modified: 8/15/02 dfjdnk%(amg 8nGmwlNskd 9f Nd&9Dm*Ndd xiu2ks0bksjd Nac0&6mKcoS qcio9m*sdopf Benefits of Vormetric MetaClear Encryption Encrypts File Data, leaving Metadata in the clear Does not impact Data Management tools like: Replication, Migration, Snapshotting High-Performance Encryption Remove custodial risk enable data management without data visibility.

48 Vormetric Encryption Components Data Security Manager (appliance) Key Management Policy Distribution Centralized Audit Policy Templates and Libraries Separation of Duties Encryp'on for Any File, Any Database, Any Applica'on, Any Device, Anywhere Encryption Expert Agent (SW agent) Access Control Read/Write Control MetaClear Encryption Granular Audit Policy- Based Decryption

49 Data Defense in Depth Strategy Audit Security Management Domains Privileged User Access Control Separation of Roles & Need to Know Key Management Encryption Data Assets