SafeNet HSM solutions for secure virtual and physical environments
Marko Bobinac, SafeNet PreSales Engineer
Root of trust for your physical and virtual environment
But hardware doesn't work in a virtual world?
Today's hardware-based encryption solutions are designed for the physical world:
- Islands of encryption: DNSSEC, SSL, database, email, code signing
- Time-consuming crypto rollouts
- Very slow to scale up and down
What is needed? An encryption infrastructure that follows the cloud model: move from islands of encryption (DNSSEC, SSL, database, email, code signing) to a centralized encryption model.
Benefits:
- Reduce costs (reduce data-center presence)
- Centralize the SME crypto group
- Unify governance and compliance
- Centralize services
On-demand cryptographic resources for your virtual data center and the cloud
Where do we start? With a hypervisor for encryption: introducing the SafeNet Crypto Hypervisor.
- VMware hypervisor, c. 2001: O/S partition, O/S isolation, dynamic resource allocation. Stack: Application / Operating System / Hypervisor / Hardware Platform.
- Crypto Hypervisor, c. 2013: HSM partition, HSM isolation, dynamic crypto allocation. Stack: Application / Dynamic Crypto Resource / Crypto Hypervisor / Crypto Hardware Platform (HSM).
SafeNet Confidential and Proprietary
Crypto Hypervisor components
- SafeNet Luna SA 5.2 HSM
- SafeNet Crypto Hypervisor bundle, which includes: Crypto Command Center software, SafeNet Luna G5, local PED II, PED II keys
Roll out crypto services in minutes, not days
Before:
1. Requestor contacts IT
2. IT helps the requestor buy an HSM
3. IT or the requestor sets up the HSM
4. IT or the requestor configures the HSM
5. Generate a certificate on the client server
6. Manually copy the server certificate to the HSM
7. Manually copy the HSM certificate to the server
8. Manually add the certificates to the trusted lists
9. Create/register the server on the HSM
10. Assign an HSM partition to the client
11. Requestor points the application at the HSM
After:
1. Requestor contacts the central security team
2. Security team sends login information for the catalog
3. Requestor logs into the catalog and makes a request
4. Automated: the security team runs the Crypto Hypervisor (CHv) auto-script, assigning a virtual HSM to the requestor
5. Requestor points the application at the HSM
Virtualization means no additional hardware purchase or setup is needed.
Crypto Hypervisor: designed for the operational cloud model
1. On-demand crypto delivery
2. Self-service portal for users
3. New crypto services spin up easily
4. Encryption is now a cloud enabler
5. Part of the new VM rollout process
6. Applications can now migrate to the cloud
Adding devices
Adding appliances works similarly to adding a pool (the dialog is shown on the slide). The credentials section takes the Luna Shell administrator credentials for the appliance; this can be the default admin account or another account with admin privileges. In this release it is up to the CCC administrator to supply correct appliance configuration details: they are not retrieved automatically from the Luna SA appliance.
Initializing a device
From the view-device page you can initialize the device. If the device uses PED-based authentication you will need to specify the IP address and port number of a remote PED server to use; typically this is a server running on your local machine.
Adding organizations
From the main administrative page you can add organizations. In a service-provider model these organizations would be clients; in an enterprise view they may be departmental divisions or any other group in the organization that requires an HSM.
Adding catalog items
Catalogs contain catalog items: selectable configurations that organizations choose from when deploying an HSM service. In this example there are Bronze, Silver and Gold levels of service:
- Bronze: a single low-capacity, low-performance HSM
- Silver: a single high-performance HSM
- Gold: a high-availability group of partitions with high performance
All three choices share the requirement for a PED.
Initializing the service
To initialize a service you must provide a label for the service; it is used to set the labels on the partition(s) created. A remote PED is required when initializing a service that requires PED authentication.
Crypto Command Center summary
Software that automates the provisioning of HSM resources and abstracts the management of HSMs away from the end user.
Administrators:
- Manage the crypto for your company
- Manage the physical HSM devices
- Determine what crypto services are offered
- Create a catalog of services for end users
- Manage who has access to those services
Consumers/users:
- Manage the crypto applications that consume crypto services
- Own their HSM resource while it is leased
- Request and release HSM resources from the catalogs
- Are always in control of their keys
Crypto Hypervisor extends the capability of HSMs to fit the cloud model

NIST (1) cloud essential characteristic | Legacy HSMs | Crypto Hypervisor
On-demand self-service                  | No          | Yes
Rapid elasticity                        | No          | Yes
Measured service                        | Some        | Yes
Broad network access                    | Yes         | Yes
Resource pooling                        | Some        | Yes
Multi-tenancy (2)                       | No          | Yes

1. National Institute of Standards and Technology
2. Multi-tenancy is an essential characteristic added by the Cloud Security Alliance
Production example: AWS CloudHSM Secure Key Storage and Cryptographic Operations http://aws.amazon.com/cloudhsm/
Securing the connection between HSM and application server
Past: only physical machines in the data center; a physical device can be attached to a server.
Current and future: physical machines (some may never be virtualized) plus virtual machines; for a VM, a directly attached physical device is no longer an option.
"Virtualization should be seen as not just a tool for (server) consolidation, but as a modernization accelerator." Thomas Bittman, Gartner VP and Chief of Research
When a VM is stolen: VMs with HTL (Host Trust Link)
- Prevents use of a stolen at-rest VM image
- The connection to the SA is authorized by a one-time token (OTT)
- Includes a step counter that must stay in sync with the SA
- NTLS depends on an active HTL connection
HSM client VM -> NTLS -> Luna SA: access denied for the stolen copy.
Today: a stolen VM will not be granted access to the SA partition, because the stolen image does not have the OTT required to establish the HTL link.
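The slide describes the mechanism only in outline: a one-time token issued at enrollment and a step counter the client and appliance must keep in sync. The following is an added illustration of why those two ingredients stop a copied image, not SafeNet's HTL protocol: the HMAC-over-counter proof, the class and method names and the counter rule are all assumptions made for the example.

```python
"""Simplified model of a host trust link (HTL) between a client VM and an HSM
appliance: a one-time token delivered at enrollment plus a step counter that
both sides must keep in sync. Added illustration only; the HMAC-over-counter
construction, the class and method names and the counter rule are assumptions,
not SafeNet's HTL protocol."""
import hashlib
import hmac
import os


def _proof(secret, host_id, step):
    """Tag binding a host identity to a specific step (assumed construction)."""
    return hmac.new(secret, f"{host_id}:{step}".encode(), hashlib.sha256).digest()


class Appliance:
    """Stands in for the Luna SA side of the link."""

    def __init__(self):
        self.hosts = {}  # host_id -> [secret, last accepted step]

    def issue_one_time_token(self, host_id):
        """Enrollment: the secret is delivered to the host exactly once.
        A VM image captured at rest before this point never contains it."""
        secret = os.urandom(32)
        self.hosts[host_id] = [secret, 0]
        return secret

    def authorize(self, host_id, step, tag):
        """Returns 'ok' or the reason the link was refused."""
        entry = self.hosts.get(host_id)
        if entry is None:
            return "unknown host"
        secret, last_step = entry
        if not hmac.compare_digest(_proof(secret, host_id, step), tag):
            return "bad tag"            # no (or wrong) one-time token
        if step != last_step + 1:
            return "out of sync"        # replayed or cloned client state
        entry[1] = step
        return "ok"


class HostClient:
    """Stands in for the HSM client inside the VM."""

    def __init__(self, host_id, secret):
        self.host_id = host_id
        self.secret = secret
        self.step = 0

    def next_proof(self):
        self.step += 1
        return self.step, _proof(self.secret, self.host_id, self.step)

    def clone(self):
        """Simulates copying the running VM image, counter state included."""
        copy = HostClient(self.host_id, self.secret)
        copy.step = self.step
        return copy


def run_scenario():
    """Constructed walk-through: genuine host, cloned image, image without token."""
    sa = Appliance()
    token = sa.issue_one_time_token("vm-app-01")
    host = HostClient("vm-app-01", token)
    results = {}
    results["genuine_first"] = sa.authorize("vm-app-01", *host.next_proof())
    stolen = host.clone()   # attacker copies the image after the first connection
    results["genuine_second"] = sa.authorize("vm-app-01", *host.next_proof())
    # The copy's counter is now behind the appliance's view of the host.
    results["clone"] = sa.authorize("vm-app-01", *stolen.next_proof())
    # An image taken at rest before enrollment carries no token at all.
    no_token = HostClient("vm-app-01", b"\x00" * 32)
    results["no_token"] = sa.authorize("vm-app-01", *no_token.next_proof())
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Two points worth noting from the model. An image taken before enrollment fails on the tag, because it never received the token; an image taken afterwards carries the token but fails on the counter as soon as the genuine host has moved on. If the copy connects first, it is the genuine host that falls out of sync, so the counter detects that a duplicate exists rather than telling the appliance which copy is the real one; treat an unexpected "out of sync" as an incident, not a glitch to re-enroll past.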
Secure audit log
- Critical (always logged): tamper, HSM init, audit init, zeroize
- HSM management: change password, create challenge, change policies
- HSM access: login/logout
- Key management: key creation/deletion
- Key usage: use of a key for crypto operations (First Use Only flag)
- External: CA_LogExternal API messages
- Log management: log-management commands (import/export secret, verify)
Meets audit and compliance mandates.
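The slide lists the event categories, the rule that critical events are always logged, the First Use Only flag for key usage, and a log secret used to verify the log, but not how those fit together. The example below is an added illustration of an HMAC-chained audit log built around exactly those rules; the record layout, the chaining rule, the event names and the audit secret are assumptions for the example, not the Luna SA log format.

```python
"""Illustrative HMAC-chained audit log using the event categories listed on the
slide. Added example only: the record layout, the chaining rule, the 'audit
secret' and the event names are assumptions, not the Luna SA audit log format."""
import hashlib
import hmac
import json

# Event name -> category. Event names are assumed; categories follow the slide.
CATEGORY = {
    "tamper": "critical", "hsm_init": "critical",
    "audit_init": "critical", "zeroize": "critical",
    "change_password": "hsm_management", "create_challenge": "hsm_management",
    "change_policy": "hsm_management",
    "login": "hsm_access", "logout": "hsm_access",
    "key_create": "key_management", "key_delete": "key_management",
    "key_use": "key_usage",
    "ca_log_external": "external",
    "log_secret_export": "log_management", "log_secret_import": "log_management",
    "log_verify": "log_management",
}
CHAIN_ANCHOR = "00" * 32


def record_mac(secret, prev_mac, body):
    """HMAC over the previous record's MAC and a canonical encoding of this one,
    so that changing, removing or reordering a record breaks every later MAC."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, bytes.fromhex(prev_mac) + canonical,
                    hashlib.sha256).hexdigest()


class ChainedAuditLog:
    def __init__(self, audit_secret, enabled, first_use_only=True):
        self.secret = audit_secret
        self.enabled = set(enabled) | {"critical"}  # critical events cannot be switched off
        self.first_use_only = first_use_only
        self.keys_used = set()
        self.records = []
        self.prev_mac = CHAIN_ANCHOR

    def log(self, event, **fields):
        """Append a record; returns False when policy suppresses the event."""
        cat = CATEGORY[event]
        if cat not in self.enabled:
            return False
        if event == "key_use" and self.first_use_only:
            if fields["key"] in self.keys_used:
                return False          # First Use Only: later uses are not logged
            self.keys_used.add(fields["key"])
        body = {"seq": len(self.records), "event": event, "cat": cat, **fields}
        mac = record_mac(self.secret, self.prev_mac, body)
        self.records.append({**body, "mac": mac})
        self.prev_mac = mac
        return True


def verify(records, audit_secret):
    """Recompute the chain. Returns (True, None) or (False, index of first bad record)."""
    prev = CHAIN_ANCHOR
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("seq") != i:
            return False, i           # gap: a record was removed or reordered
        if not hmac.compare_digest(record_mac(audit_secret, prev, body), rec["mac"]):
            return False, i           # content or chain link altered
        prev = rec["mac"]
    return True, None


def run_scenario():
    """Constructed log: what gets recorded, and what verify() catches."""
    log = ChainedAuditLog(b"constructed-audit-secret", enabled={"hsm_access", "key_usage"})
    log.log("login", user="co", partition="p1")
    log.log("key_use", key="k1", op="sign")
    log.log("key_use", key="k1", op="sign")   # suppressed: first use only
    log.log("key_create", key="k2")           # suppressed: category not enabled
    log.log("zeroize", user="so")             # critical: always logged
    log.log("logout", user="co")
    results = {"records": len(log.records), "intact": verify(log.records, log.secret)}

    modified = [dict(r) for r in log.records]
    modified[1]["op"] = "decrypt"
    results["modified"] = verify(modified, log.secret)

    deleted = [dict(r) for r in log.records]
    del deleted[2]                            # drop the zeroize record
    results["deleted"] = verify(deleted, log.secret)

    truncated = [dict(r) for r in log.records[:-1]]
    results["truncated"] = verify(truncated, log.secret)  # chain alone cannot see this
    return results
```

The scenario records four of the six events (the repeated key use and the disabled category are suppressed; the zeroize is kept even though "critical" was never enabled), and the chain catches an edited record and a deleted one. It does not catch truncation of the newest records, because a prefix of a valid chain is itself a valid chain; in practice that gap is closed by exporting the record count or the latest MAC to a separate trusted location on a schedule, which is the role the slide's log-secret export and verify commands play.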
Summary
HSM summary
- Strong general-purpose HSM solutions
- Flexible HSMs (no crypto limitations; own algorithms can run in firmware)
- Long history with HSMs
- Remote backup, remote management and strong user authentication
- HSMs for cloud and virtual environments (also usable as a service)
Thank you