Thales e-security. Security Solutions. PosAm, 06th of May 2015 Robert Rüttgen

Size: px

Start display at page:

Download "Thales e-security. Security Solutions. PosAm, 06th of May 2015 Robert Rüttgen"

Martin Sherman Cunningham
5 years ago
Views:

1 Thales e-security Security Solutions PosAm, 06th of May 2015 Robert Rüttgen

2 Hardware Security Modules Hardware vs. Software Key Management & Security

Deployment Choices For Cryptography Software-based system Numerous

Application Operating System Hardened security system Keys are

Application Operating System Hypervisor Hardware platform CPU Memory

3 Deployment Choices For Cryptography Software-based system Numerous copies of keys across system and backups Software environment Application Operating System Hardened security system Keys are segregated within isolated security environment Software environment Application Operating System Hypervisor Hardware platform CPU Memory Storage Hypervisor Hardware platform CPU Memory Storage Hardware Security Module Back-ups Back-ups 2

4 Thales nshield Products Hardware Security Module

5 Thales nshield Product Family Model nshield Edge nshield Solo nshield Connect Interfaces USB PCI Express 2 x 1 Gbit Ethernet Client licenses included Max # client licenses to 100 Power supplies (hot-swap) Speed variants (TPS) 10 PCIe: 500, to 6000 CipherTools Yes Yes Yes Secure Execution Engine (CodeSafe) No Yes Yes Certifications FIPS Level 2 or 3; or Developer Edition (no FIPS) FIPS140-2 Level 2 or 3, FIPS140-2 Level 3 4

6 Common Security World management Common Security World key management Share keys across all three nshield HSM types 5

7 Compatibility & Interfaces Fully compatible between all Thales nshield product family nshield Edge, nshield Solo and nshield Connect Supports many platforms AIX; HP-UX; Linux; Solaris; Windows Integrates through standard application interfaces Business application PKCS #11 Microsoft CryptoAPI / CNG Java JCE OpenSSL ncore nshield Solo & nshield Connect 6

8 Firewall Firewall Thales HSMs in an enterprise network Internet Demilitarized Zone (DMZ) Internal Network nshield Connect nshield Connect Web Servers 3 Application Servers Databases 3 Business Applications 3 PKI Components PKI Components Subordinate Certificate Authorities 1 Web servers 3 2 Databases 3 Public Key Infrastructures 4 Business Applications Offline Root Certificate Authority nshield Solo or nshield Edge 7

9 nshield Connect Platform & Solutions OBELISK SSL - Network Appliance ntoken (PCIe token) Certification Authority ntoken (PCIe token) Name Acct. # Password XXXXXXXXXXX John Smith trust XXXXXXXXXXX Susan Jones alice Database 8

10 DB System using the Thales nshield Connect Applications Thales nshield Connect protects multiple databases 9

11 nshield Connect Network-Attached HSM 10

12 Clustering and load balancing Cluster nshield Connect for higher availability Adds load-balancing to handle peak loads Build cryptographic services for the enterprise High availability is strong requirement nshield Connect Cluster Web Apps Certificate Authorities OCSP Responders Web Services Databases 11

a power supply Cooling fans are redundant to avoid overheating if a fan fails Fans and

13 Optimized for business continuity Can be connected to two power sources to help ensure business continuity Dual power supplies are hotswappable, requiring no downtime to replace a power supply Cooling fans are redundant to avoid overheating if a fan fails Fans and power supplies are field-replaceable so unit doesn t have to be sent to a service center for repairs 12

14 Physical Specifications Front panel 1 U 19 rack mount (69cm depth) Touch wheel Smart card reader Vents with easy access to fieldreplaceable, redundant fans USB connector for keyboard LCD Power button Clear button Warning LED Back panel Dual, hot-swap power supplies Mains cable retaining bracket 2 x 1 Gigabit Ethernet ports 13

15 Trusted Time Infrastructure Time Source & Time Stamping

Stratum 1 Time Source Master Clock (TMC); NIST ( USA); PTB (Germany); NPL (UK);

16 Trusted Time about Authoritative Time Source Stratum 0 United Coordinated Time (UTC) from GPS Satellite; National Measurement Institution (NMI - GUM) NMI Stratum 1 Time Source Master Clock (TMC); NIST ( USA); PTB (Germany); NPL (UK); CRL (Japan) Stratum 2 Time Stamping Server (ncipher DSE200); NTP Server; Computer System 15

17 Trusted Time Architecture Trusted Time Authority Time Stamp Service NMIs (UTC) Trusted Time Master Clocks Time Stamp Server 14:04:32 03/20/00 Secure Facility at Root Time Trust Service Corporate Application or Secure Time StampsTransaction Server 16

18 Time Stamp Server (DSE 200) Time Stamp Server cryptographically provides Sealing of Documents, Transactions, Logs by applying a digital signature and independently, auditable Time Stamp nshield F3 500 FIPS Level 3 validated HSM Certified by Slovak NBU, MI ČR, MI Hungary Secure Execution Engine (SEE) - code for secure network communications, timing functionality, and authentication execute within HSM boundary Implements Time Signing as specified by the IETF PKIX Time- Stamp RFC (RFC 3161) 17

19 Time Stamp Server (DSE 200) Trusted Agent provides and execute Time Stamps for authorized users inside secure Cryptographic Module FIPS Level 3 validated (HSM) Recipient Time Stamp Server (DSE 200) Time Stamp Request Database PDF, XML, Word, Excel, RTF Sender 18

20 Thales nshield Products for SSL Offload

Today s Challenge Security is obviously a critical question when SSL traffic is being used to carry intellectual property, financial information, personal data of customers and employees, and other

21 Today s Challenge Security is obviously a critical question when SSL traffic is being used to carry intellectual property, financial information, personal data of customers and employees, and other company confidential information Managing SSL encryption keys How keys are protected from direct attack, but also operational issues such as the backup of keys and their recovery in the event of system failures or disasters? How keys are protected against unauthorized use, access to keys is controlled and monitored? 20

22 SSL Keys in the Network - Limitation Appliances Store SSL Key on Hard Disk Critical Key can Exist in Multiple Places and is Vulnerable to Physical and Software Attacks 21

Within the Secure Confines of a FIPS 140-2 Certified HSM

23 nshield HSM Value Added External nshield HSM Enables Hardened Solution Critical Keys are Protected and Managed Within the Secure Confines of a FIPS Certified HSM where they are not Exposed to Physical and Software Attacks 22

24 Use Case: Protecting SSL in Network 23

Secure Key Management and Fast Performance Thales nshield Key Benefits Enhance SSL security protect and manage large number of SSL private keys in FIPS 140-2 Level 3 mode Delivers lifecycle hardware

25 Secure Key Management and Fast Performance Thales nshield Key Benefits Enhance SSL security protect and manage large number of SSL private keys in FIPS Level 3 mode Delivers lifecycle hardware key management Achieve high availability and improved performance with cryptographic offloading Supports Virtual and Cloud-based environments Segregate administration domains Enforce dual controls for mutual supervision Enable security and compliance reporting 24

26 Thales nshield Products Securing User Keys in Microsoft Azure Cloud

27 What is Microsoft RMS? Microsoft Rights Management Services (RMS) Protects data exchanged in collaborative work environment Embeds enforceable security policies right on the document No matter data/file type No matter the platforms Available in two offerings Microsoft Rights Management service (Azure RMS) In the cloud / on-demand Hosted subscription service No infrastructure Cross organizational boundaries Active Directory RMS (AD RMS) On-premise 26

28 What Value Does Thales Add to Microsoft RMS? Safeguards the keys protecting the RMS cryptography Ensure keys are always under the RMS user s control In the cloud Retains sole custody and visibility of tenant key in the cloud Generate, safeguard and manage your own tenant key Independent of Microsoft Never visible to Microsoft On-premise RMS Bring-Your-Own-Key Program Safeguard and manage server key independent of software 27

29 How Does nshield HSM Integrate with Microsoft RMS? In the Cloud On-Premise 28

30 Q&A Thank You! Robert Rüttgen Territory Manager Eastern Europe 29

Adding value to your MS customers

Securing Microsoft Adding value to your MS customers Authentication - Identity Protection Hardware Security Modules DataSecure - Encryption and Control Disc Encryption Offering the broadest range of authentication,