Channel FAQ: Smartcrypt Appliances

Q: When were the Smartcrypt appliances announced?
A: We announced the release of our Smartcrypt virtual and physical appliances on September 19, 2017:
- Smartcrypt Enterprise Manager 200v: a virtual appliance for encryption and key management
- Smartcrypt Enterprise Manager 300h: a hardware appliance with a FIPS 140-2 Level 3 hardware security module (HSM)
- Smartcrypt Enterprise Manager 300r: a hardware appliance with a full-entropy quantum random number generator (RNG)
- Smartcrypt Enterprise Manager 350: a hardware appliance with both the HSM and the RNG

Q: What do the Smartcrypt appliances do?
A: The Smartcrypt appliances allow security managers to define encryption policies and monitor encryption and decryption activity across the organization. Smartcrypt automates key management, eliminating the complexity of key generation, exchange, synchronization, and rotation. It also applies security policy, provisions encryption functionality for users, devices, and servers, and controls the data discovery features.

Both the Smartcrypt Enterprise Manager 200v and the 300 series contain the Smartcrypt Enterprise Manager software with a built-in key store and a hardened operating system. They offer automatic failover, high availability, support for agents in multiple geographies, and multitenancy. The 300h adds a FIPS 140-2 Level 3 HSM, the 300r adds a full-entropy quantum RNG, and the 350 adds both the HSM and the RNG. The 300 series also provides the ability to store, create, and manage third-party keys that conform to the KMIP standard. These are plug-and-play offerings for companies that don't want to spend the time or effort to connect their key management software to their own application and database infrastructures.

Q: What is the value proposition for an HSM?
A: A Hardware Security Module (HSM) stores the master keys for the designated encryption keys that Smartcrypt uses for its encryption. Each HSM has multiple secure cryptoprocessor chips to prevent tampering, and the HSM will also delete the key upon detecting tampering. The HSM not only provides assurance that keys will remain safe, but is also FIPS 140-2 Level 3 validated, which is required by many financial and government organizations to protect their data, and it has the ability to store, create, and manage third-party keys that conform to the KMIP standard.
Q: What is FIPS 140-2 Level 3?
A: FIPS 140 is a standard published by NIST that specifies requirements for cryptographic modules used by the U.S. federal government. FIPS 140-2 Level 3 requires physical tamper resistance, authentication, and separation between the different interfaces of the cryptographic module. Cryptographic modules must meet Level 3 requirements in order to be authorized for purchase by many government agencies (and by other commercial organizations, especially in finance). Also be aware that FIPS 140-2 Level 3 certifications apply to the HSMs, not to the entire appliance.

Q: Does the virtual appliance have any FIPS rating?
A: The virtual appliance has not yet been submitted for FIPS 140-2 Level 1 compliance. Please let your Channel Account Manager know if/when customers are asking for this.

Q: Do the software clients (Smartcrypt Agent or clients) have any FIPS rating?
A: Smartcrypt for Windows has a FIPS mode option that, when enabled, causes the agent to use FIPS-certified algorithms and modules. Find more information on meeting FIPS 140-2 requirements with Smartcrypt here: https://www.pkware.com/solutions/bymandate/fips-140-2-compliance

Q: Are there any data protection regulations that require FIPS that customers might not be aware of?
A: Many government entities require encryption to be performed in accordance with FIPS. Many financial services institutions that take their cues from the US federal government have adopted FIPS 140-2 as well. That said, PCI DSS, HIPAA/HITECH, DFS-500, GDPR, etc. do not specifically mandate that encryption be performed in accordance with FIPS.

Q: Can a virtual and a physical appliance work together?
A: This configuration is not supported, although there are no known technical limitations. If you get requests for this, please reach out to your Channel Account Manager.

Q: Can someone migrate from a hardware appliance to a virtual appliance in the future?
A: This is supported. The migration process is as simple as adding additional nodes to the existing cluster, promoting them to master, and then disconnecting the original (hardware-based) nodes.

Q: Is there any way to share keys between physical and virtual appliances? For example, if a customer wants a physical appliance on premises but a virtual appliance in the cloud or in a remote data center, is this possible?
A: All keys are shared between all appliances in the same cluster, regardless of whether they are physical or virtual. For hybrid environments where customers wish to run an appliance in a cloud such as AWS or Azure, please consult with your Channel Account Manager before discussing.
Q: Should I lead with hardware?
A: We do not have a preference to lead with hardware. Present customers with the hardware and virtual options first, and software as the last option.
1. Lead with hardware: security mandates / actual value and perceived value for the customer
2. Virtual appliance if hardware isn't required: what type of VM environment is required?
3. Software version: mention it if customers have issues with 1 and 2

Q: What is the value proposition for an RNG?
A: Almost all random number generators (RNGs) use algorithms to produce strings of data that appear to be random. However, all of these strings can be determined from a much shorter initial value, known as a seed. Therefore, if the seed is compromised, so too are all the random numbers. In contrast, the Smartcrypt Enterprise Manager 300r and 350 appliances use quantum measurements of an internal laser. The strings of data not only appear to be random, but also don't come from a seed that could be compromised. This is often called a true RNG or full-entropy RNG. In practice, seed-based RNGs (often called pseudo-random RNGs) are generally considered sufficient, even for high-security applications. However, some government and financial customers may desire the extra security of not having seeds.

Q: If customers don't use an HSM or QRNG, does that mean their virtual or software solution is less secure?
A: If they don't have a hardware root of trust or a full-entropy random number generator, it is decidedly less secure. Specifically, if the Smartcrypt Manager's master password is not stored in an HSM, it must be stored on the file system. While it can be encrypted on the file system with a key that the application server can access, this process can be reversed by an administrator with sufficient privileges. An HSM allows for separation of duties and adds an additional layer of security that must be compromised during an attack.

Q: If hardware fails, what is the RMA/support process?
A: DOA units will be immediately replaced from inventory. Post-deployment failures will be handled by Q-Labs support staff. All servers are on 24x7 support with a 4-hour response time for parts replacement. To date, Q-Labs has not experienced a single HSM (Thales) failure or a QRNG card failure.

Q: Can a secure backup be easily restored to a new appliance?
A: Smartcrypt appliances have 1-click restore functionality for database/system backups that have been stored offline.
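As an added illustration of the seed argument in the RNG answer above (this is example code, not PKWARE's or the Smartcrypt product's): a seed-based generator is a pure function of its seed, so anyone who learns the seed regenerates every key it ever produced, whereas keys drawn from an entropy source have no seed to replay. The HMAC-based generator and the constructed seed below are assumptions for the demonstration only.

```python
import hashlib
import hmac
import os


def seeded_stream(seed: bytes, nbytes: int) -> bytes:
    """Toy seed-based generator in the style of a counter-mode DRBG:
    output block i = HMAC-SHA256(seed, i). Every byte is a pure function
    of the seed, which is exactly the property the FAQ warns about."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def derive_keys(seed: bytes, count: int, key_len: int = 32) -> list:
    """Carve consecutive encryption keys out of the seeded stream."""
    stream = seeded_stream(seed, count * key_len)
    return [stream[i * key_len:(i + 1) * key_len] for i in range(count)]


def keys_recoverable_from_seed(seed: bytes, count: int = 4) -> bool:
    """Whoever holds the seed regenerates the identical key sequence,
    so compromising the short seed compromises every derived key."""
    return derive_keys(seed, count) == derive_keys(seed, count)


def entropy_keys(count: int, key_len: int = 32) -> list:
    """Keys drawn from the OS entropy source: there is no seed to replay,
    so two independent draws never line up (the full-entropy analogue)."""
    return [os.urandom(key_len) for _ in range(count)]


def entropy_keys_replayable(count: int = 4) -> bool:
    """Returns False: the entropy-backed key sequence cannot be regenerated."""
    return entropy_keys(count) == entropy_keys(count)


if __name__ == "__main__":
    # Constructed, deliberately short demo seed (never use a fixed seed in practice).
    demo_seed = bytes.fromhex("00" * 15 + "2a")
    print("seeded keys reproducible :", keys_recoverable_from_seed(demo_seed))
    print("entropy keys reproducible:", entropy_keys_replayable())
```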
Q: What type of network ports and configurations have to be set up for the hardware?
A: See the support site: https://support.pkware.com/display/appl/smartcrypt+infrastructure+ports+and+protocols

Q: Is it 2U or 1U? What about power consumption and hardware specs?
A: Units are currently 2U. Next year's chassis will be 2U. Sizing guides for the 200v and the software-only manager can be found in the sizing guide: https://support.pkware.com/display/smar/sizing+guide

Q: How do I sell the Smartcrypt appliances?
A: Ask your Channel Account Manager for the current price list. On the price list, you'll see the following:
- Smartcrypt Enterprise Manager 200v virtual appliance
- Smartcrypt Enterprise Manager 300h appliance
- Smartcrypt Enterprise Manager 300r appliance
- Smartcrypt Enterprise Manager 350 appliance
For customers who will be installing these in production environments, you must sell at least two of the same appliance (for automatic failover; we will not sell companies a single point of failure in their production environments). Usually a separate appliance will be needed for lab or disaster recovery (and installed in a different location). Therefore, we expect customers to need a minimum of three appliances in most cases. Customers cannot cluster physical appliances with virtual appliances.

Q: What are our channel discounts for hardware?
A: The Smartcrypt Enterprise Manager 200v is software, so channel partners can get their existing software discounts on the 200v. Please contact your Channel Account Manager for details of channel discounts on the Smartcrypt hardware appliances.

Q: Are there volume discounts for multiple appliances?
A: No, we will not publish volume discount pricing for these appliances. If you have an opportunity to sell more than 50 appliances to a single customer, contact your Channel Account Manager and we'll work on the pricing with you.

Q: What kind of customers should we target?
A: The Smartcrypt Enterprise Manager 200v is suited for any customer that wants to take advantage of a turnkey virtual appliance (saving time and effort on setup and deployment) and doesn't need the rigor of an HSM or a true RNG. The Smartcrypt Enterprise Manager 300 series is suited for organizations that need or desire the higher rigor of a FIPS 140-2 Level 3-validated HSM or a true RNG. This includes many financial services organizations and most government agencies. The 300 series also includes the ability to store, create, and manage third-party keys that conform to the KMIP standard. Of course, each customer is different and may have more or less stringent requirements.

Q: Do I need to be certified to sell the Smartcrypt appliances?
A: No. But you will need to have a services organization that can properly prepare the customer's infrastructure. We encourage channel partners to charge for assessments and setup where appropriate.

Q: How should we help a customer choose between the Smartcrypt Enterprise Manager as a software application vs. a virtual appliance vs. a hardware appliance?
A1: Use this flash card: SEM as Software Application vs. Virtual Appliance

Windows Software Version
Preferred by customers that have significantly invested in their application and database infrastructure. They typically:
- Have dedicated resources for PKI, networking, app/database management, and system recovery
- Have standardized on application delivery via IIS and SQL Server
- Have existing solutions for high availability and load balancing
- Are using SQL clustering / AlwaysOn Technology (AOT)
- Are comfortable being responsible for service availability and recovery
- Need to manage 10K to 100K+ agents that connect to centralized infrastructure

Hardware/Virtual Appliance
Preferred by customers that prefer to push availability and recovery closer to the vendor. They typically:
- Prefer to deploy solutions that are self-contained and turnkey
- Have overlapping resources for PKI, networking, app/database management, and recovery
- Have made a significant investment in vSphere or Hyper-V as part of their business application delivery strategy
- Prefer to use vendor-provided high availability and failover
- Prefer to have vendor-provided replication and backup
- Need to manage < 50K agents, or support agents connected to highly decentralized locations (e.g. 7K users in Japan, 7K in the UK, 7K in the US, etc.)
- Need an HSM or TRNG
Q: How do Smartcrypt appliances compare to the competition in terms of features?
A: /, Thales/Vormetric, and Micro Focus/Voltage all have appliances. Their high-end hardware appliances all have FIPS 140-2 Level 3 HSMs. When used with Smartcrypt agents, the Smartcrypt appliances are the key management appliances that:
- Support true persistent encryption: the protection stays with the data wherever it travels, not just when it resides on a particular drive or server
- Can manage endpoint (desktop, laptop, and mobile device) and email encryption
- Can manage both the discovery of sensitive data and its remediation
Among our biggest competitors, we are the only vendor to offer an appliance with a true, full-entropy quantum RNG; /, Thales/Vormetric, and Micro Focus/Voltage don't offer this. Our reporting and policy management capabilities are also superior: much more can be controlled through the dashboard than with our competitors (who often require CLI work for some basic functionality), and our dashboard is easier to use and more intuitive.

Virtual Offerings

|                    | Smartcrypt Enterprise Mgr 200v | k150v    | k170v         | k450v         | Vormetric DSM | Voltage SecureData virtual appliance |
| Keys supported     | 1,000,000                      | 25,000   | 25,000        | 1,000,000     | 10,000+       | Not specified                        |
| FIPS 140-2 support | No                             | Level 1  | Level 3 (AWS) | Level 3 (AWS) | Level 1       | Level 3 (HPE HSM)                    |
| Cloud marketplaces | AWS                            | AWS      | AWS, Azure    | AWS           | AWS, Azure    | No                                   |
| Price              | Contact                        | $12,500  | Unknown       | $28,500       | $25,000       | Unknown                              |

KMIP support (values as listed in the source; the per-column assignment was not preserved): Coming soon, Yes, No.

Hardware Offerings

|                    | Smartcrypt Ent Mgr 300h / 300r | Smartcrypt Enterprise Mgr 350 | k250    | k460      | Vormetric DSM 6000 | Vormetric DSM 6100 |
| Keys supported     | 1,000,000                      | 1,000,000                     | 25,000  | 1,000,000 | 10,000+            | Not specified      |
| FIPS 140-2 support | Level 3 / None                 | Level 3                       | Level 1 | Level 3   | Level 1            | Level 3            |
| HSM / QRNG?        | HSM (300h) / QRNG (300r)       | Both                          | None    | HSM       | None               | HSM                |
| Price              | Contact                        | $48,950                       | $25,000 | $38,000   | $35,000            | $45,000            |

KMIP support (values as listed in the source; the per-column assignment was not preserved): Yes, Coming soon, Yes, Yes.

Q: How do our appliances compare to the competition in terms of price?
A: One competitor requires the purchase of KMIP connectors in addition to the appliances, which can add tens of thousands in costs for the customer (and make price comparisons difficult). As you can see from the tables above, we believe our prices are competitive with /, Thales/Vormetric, and Micro Focus/Voltage.

Q: Do the appliances include any encryption agents for files, users, etc.?
A: No. The appliances are just the brains of the operation, very similar to competing offerings such as Vormetric's. Customers will still need to purchase and implement Smartcrypt user, desktop, mobile, TDE, server, SDK, or other agents.

Q: Since the 300 series is hardware, what is the lead time for delivery?
A: Please set the expectation with customers that six weeks will be required for delivery.

Q: How do channel partners address customer support for the hardware appliances?
A: If you get a support call related to the software (either the 200v or the Smartcrypt software on the hardware box), support is handled as you handle software support today. If the call is related to hardware or to any non-Smartcrypt software (for the HSM or the RNG, for example), contact us and open a support ticket.
Q: How quickly can we replace a failed appliance?
A: We will handle all replacements for failed appliances. We will expedite these processes when appropriate, so customers are offline as little as possible. (Customers should purchase multiple appliances and set up automatic failover and high availability to reduce the risk of downtime even if one of their appliances fails.)

Q: Can I mix and match virtual and physical appliances?
A: In most scenarios, customers who order the 300 series have to prove compliance (with HSMs, it's often FIPS 140-2 Level 3 validation) throughout their environments. Therefore, companies who mix and match will likely be unable to prove compliance, which undermines their purchase of the HSM (or QRNG) in the first place. There are some edge-case scenarios, but generally speaking, mixing and matching FIPS-certified and non-FIPS-certified appliances does not follow best practices, and we'll likely flag quotes that include both physical HSM appliances and virtual or physical non-HSM appliances.