SafeNet HSM solutions for secure virtual and physical environments. Marko Bobinac, SafeNet PreSales Engineer


Root of trust for your physical and virtual environment

But hardware doesn't work in a virtual world? Today's hardware-based encryption solutions are designed for the physical world! Islands of encryption: DNSSEC, SSL, Database, Email, Code Signing. Time-consuming crypto rollouts; very slow to scale up and down.

What is needed? Encryption infrastructure that follows the cloud model! From islands of encryption (DNSSEC, SSL, Database, Email, Code Signing) to a centralized encryption model. Benefits: reduce costs (reduce data center presence), centralize an SME crypto group, unify governance and compliance, centralize services.

On Demand Cryptographic Resources for Your Virtual Data Center and the Cloud

Where do we start?... With a hypervisor for encryption. Introducing the SafeNet Crypto Hypervisor! VMware hypervisor, c. 2001: O/S partition, O/S isolation, dynamic resource allocation. Crypto Hypervisor, c. 2013: HSM partition, HSM isolation, dynamic crypto allocation. (Diagram: Application / Operating System / Hypervisor / Hardware Platform, alongside Dynamic Crypto Resource / Crypto Hypervisor / Crypto Hardware Platform (HSM).) SafeNet Confidential and Proprietary

Crypto Hypervisor components: SafeNet Luna SA 5.2 HSM; SafeNet Crypto Hypervisor Bundle, which includes the Crypto Command Center software, SafeNet Luna G5, local PED II and PED II keys.

Rollout crypto services in minutes, not days.

Before:
1. Requestor contacts IT
2. IT helps Requestor buy an HSM
3. IT or Requestor sets up HSM
4. IT or Requestor configures HSM
5. Generate cert on client server
6. Manually copy server cert to HSM
7. Manually copy HSM cert to server
8. Manually add cert to trusted lists
9. Create/register server on HSM
10. Assign HSM partition to client
11. Requestor points app to HSM

After (virtualization means no need for additional HW purchase or setup, so steps 2-4 of the old process disappear):
1. Requestor contacts central security team
2. Security team sends login info for catalog
3. Requestor logs into catalog & makes request
4. Automated: security team runs CHv auto-script assigning virtual HSM to requestor
5. Requestor points app to HSM

Crypto Hypervisor: designed for the operational cloud model. 1. On-demand crypto delivery. 2. Self-service portal for users. 3. New crypto services spin up easily. 4. Encryption now a cloud enabler. 5. Part of the new VM rollout process. 6. Apps can now migrate to the cloud.

Adding Devices. Adding appliances works similarly to adding a pool; the dialog is visible to the right on the slide. The credentials section contains the Luna Shell administrator credentials for the appliance; this can be the default admin account or another account with admin privileges. In this release it is up to the CCC administrator to supply correct appliance configuration details; they are not automatically retrieved from the Luna SA appliance.

Initializing a device. From the view device page you can initialize the device. If the device uses PED-based authentication you will need to specify the IP address and port number of a remote PED server to use. Typically this would be a server running on your local machine.

Adding Organizations. From the main administrative page you can add Organizations. In a service provider model these organizations would be clients. In an enterprise view these organizations may be departmental divisions or any other group in the organization which requires an HSM.

Adding Catalog Items. Catalogs contain Catalog Items, which are selectable configurations that organizations can choose from when deploying an HSM service. In this example there are Bronze, Silver and Gold levels of service. Bronze represents a single low-capacity, low-performance HSM. Silver is a single high-performance HSM. Gold is a High Availability group of partitions with high performance. All three choices share the requirement for a PED.

Initializing the Service. In order to initialize a service you must provide a label for the service. This will be used to set the labels on the partition(s) created. A remote PED is required when initializing a service which requires PED authentication.

Crypto Command Center summary. A system (software) that automates the provisioning of HSM resources and abstracts the management of HSMs from the end user.

Administrators: manage the crypto for your company; manage the physical HSM devices; determine what crypto services are offered; create a catalog of services for end users; manage who has access to those services.

Consumers/Users: manage crypto applications that consume crypto services; own their HSM resource when leased; request and release use of HSM resources from catalogues; always in control of their keys!

Crypto Hypervisor extends the capability of HSMs to fit the cloud model.

NIST (1) cloud definition of essential characteristics   Legacy HSMs   Crypto Hypervisor
On-Demand Self-Service                                    No            Yes
Rapid Elasticity                                          No            Yes
Measured Service                                          Some          Yes
Broad Network Access                                      Yes           Yes
Resource Pooling                                          Some          Yes
Multi-Tenancy (2)                                         No            Yes

1. National Institute of Standards and Technology. 2. Multi-Tenancy is an essential characteristic added by the Cloud Security Alliance.

Production example: AWS CloudHSM Secure Key Storage and Cryptographic Operations http://aws.amazon.com/cloudhsm/

Securing the HSM - AppServer connection. Past: only physical machines in the data center; a physical device can be attached to a server. Current and future: physical machines (some may never be virtualized) and virtual machines; a physical device is not an option anymore. "Virtualization should be seen as not just a tool for (server) consolidation, but as a modernization accelerator." Thomas Bittman, Gartner VP and Chief of Research

VM is stolen: VMs with HTL (Host Trust Link). HTL prevents theft of an at-rest VM image: the connection to the SA is authorized by a one-time token and includes a step counter that must stay in sync with the SA; NTLS depends on an active HTL connection. (Diagram: HSM Client VM -> NTLS -> Luna SA: Access Denied.) Today: a stolen VM will not be granted access to the SA partition, because the stolen image does not have the OTT required to establish the HTL link.
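A conceptual model of the two checks just described (added example; it is not SafeNet's code and not the real HTL protocol, whose wire format the slides do not give): the OTT is consumed on first use, and a heartbeat is accepted only when its step counter matches what the SA expects, so the legitimate VM keeps its link while a copied image is refused. The HMAC tag, class names and the "app-vm" client id are assumptions of this model.

```python
import copy, hashlib, hmac, secrets

def _tag(secret, client_id, step):  # assumed MAC proving possession of the link secret
    return hmac.new(secret, f"{client_id}:{step}".encode(), hashlib.sha256).digest()

class HsmSide:  # model of the Luna SA side: OTTs, link secrets, step counters
    def __init__(self):
        self._pending = {}  # client_id -> unused one-time token (OTT)
        self._links = {}    # client_id -> [link_secret, expected_step]; NTLS only while present
    def enroll(self, client_id):
        self._pending[client_id] = secrets.token_hex(16)
        return self._pending[client_id]
    def establish(self, client_id, ott):  # consume the OTT; None = access denied
        expected = self._pending.get(client_id)
        if expected is None or not hmac.compare_digest(expected, ott):
            return None  # unknown client, or OTT already used once
        del self._pending[client_id]
        self._links[client_id] = [secrets.token_bytes(32), 0]
        return self._links[client_id][0]
    def heartbeat(self, client_id, step, tag):  # exact next step with a valid tag only
        link = self._links.get(client_id)
        if link is None or step != link[1]:
            return False  # no link, or counter out of sync (stale clone or replay)
        if not hmac.compare_digest(tag, _tag(link[0], client_id, step)):
            return False
        link[1] += 1
        return True

class ClientVm:
    def __init__(self, client_id, ott):
        self.client_id, self.ott, self.secret, self.step = client_id, ott, None, 0
    def connect(self, hsm):
        self.secret = hsm.establish(self.client_id, self.ott or "")
        self.ott = None  # the OTT is not kept in the image after use
        return self.secret is not None
    def heartbeat(self, hsm):
        ok = hsm.heartbeat(self.client_id, self.step, _tag(self.secret, self.client_id, self.step))
        self.step += ok  # advance only when the SA accepted this step
        return ok

def run_scenario():
    hsm = HsmSide(); vm = ClientVm("app-vm", ott := hsm.enroll("app-vm"))  # constructed id
    assert vm.connect(hsm), "legitimate VM establishes the link"
    stolen = copy.deepcopy(vm)  # image copied while the link was up
    vm.heartbeat(hsm); vm.heartbeat(hsm)  # legitimate VM keeps stepping
    return {"original_ok": vm.heartbeat(hsm),           # step in sync -> accepted
            "clone_stale_step": stolen.heartbeat(hsm),   # old counter -> refused
            "clone_reuses_ott": hsm.establish("app-vm", ott) is not None,  # consumed
            "clone_without_ott": ClientVm("app-vm", stolen.ott).connect(hsm)}
```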

Secure Audit Log. Event categories: Critical (tamper, HSM init, audit init, zeroize) - always logged; HSM Management (change password, create challenge, change policies); HSM Access (login/logout); Key Management (key creation/deletion); Key Usage (use of a key for crypto ops; "First Use Only" flag); External (CA_LogExternal API messages); Log Management (log management related commands: import/export secret, verify). Meets audit and compliance mandates.

Summary

HSM summary: strong general-purpose HSM solutions; flexible HSMs (no crypto limitations: own algorithms in FW); long history with HSMs; remote backup, remote management and strong user authentication; cloud / virtual environment HSMs (also as-a-Service usage).

Thank you