Securing Microsoft
Adding value to your MS customers

Authentication - Identity Protection: Offering the broadest range of authentication, from HW smartcard tokens to mobile phone auth, all managed from a single platform. Use your tokens for MS certificates. Authentication to UAG and other MS applications. Ability to mix MS cert environments with OTP. Fully integrated with AD for ease of use. Proven customer base.

Hardware Security Modules: The fastest, most secure, and easiest to integrate application & transaction security solution for enterprise and government. The market leader in enterprise-grade HSM. Integrated with multiple Microsoft applications (FIM, SharePoint). Scalable, can be shared across applications. FIPS 140-2 L3 / CC EAL 4. Proven customer base.

DataSecure - Encryption and Control: World's first and only unified platform that delivers intelligent data protection and control for ALL information assets. Integrated with Microsoft SQL. Scalable with other databases / mixed environments. FIPS 140-2 L2, CC EAL. Proven customer base.

Disc Encryption: SafeNet disc encryption is fully integrated with Active Directory and ADAM. Full disk and removable storage media encryption. Pre-boot authentication; two-factor authentication support. FIPS 140-2 validated; Common Criteria EAL4. Proven customer base.

REV 0.1
Microsoft HSM Integrations - SafeNet Products using Active Directory for securing: Microsoft OCSP, Forefront Identity Manager (FIM), Threat Gateway, Unified Access Gateway (UAG), Active Directory Certificate Services (PKI), MSSQL 2008 R2 Database Encryption, Active Directory Rights Services (ADRMS), SharePoint.

Threat Gateway: Forefront Threat Gateway helps protect against malware and other threats. SafeNet Luna SA provides SSL key management, key security and performance acceleration to the TMG server and its users.
Microsoft HSM Integrations - Active Directory Certificate Services (PKI): Microsoft Certificate Services creates and manages public key certificates used within PKI environments. SafeNet Luna SA, Luna PCI and Luna CA4 provide root and subordinate key management and key protection. SafeNet Authentication tokens protect end entity credentials.
Microsoft HSM Integrations - MSSQL 2008 R2 Database Encryption: Microsoft SQL Server offers a complete approach to managing, accessing and delivering information across an organisation. SafeNet Luna SA, Luna PCI and DataSecure protect MS SQL key material (TDE, EKM) and provide database encryption capabilities, delivering separation of key material from the data as well as enhanced key management.
HSM = Hardware Security Module. HSMs are high security cryptographic engines (value in the name: Hardware). HSMs are key managers for high value processes/transactions.

HSMs come in 2 different key management design philosophies: keys stored in hardware; or keys stored in software but moved around with a hardware based master key.

Benefits an HSM should provide: trusted key lifecycle; audit; no unknown copies of keys; trusted backup; cryptographic acceleration and offload; reduced dev time through easy APIs; significant certification savings; reduced litigation exposure; scalability, both for performance and redundancy.
SafeNet HSMs are pre-integrated with the following MS applications: SQL (will be first to support SQL R2; the new SQL encryption book has 2 SFNT HSM chapters), AD Certificate Services (CA), RMS, OCSP, IIS, ISA, FIM, Authenticode, OCS (Office Communication Server).

* All of these have SFNT integration guides available. Each integration is tested by SFNT and re-tested with each new version (SFNT / MS).
Extensible Key Management: Luna HSM achieves first EKM SQL Server 2008 R2 support. Two form factors: Luna SA (network attached) and Luna PCI (PCI adapter). FIPS 140-2 Level 3 validated; Common Criteria EAL4+ certified.

[Diagram: client apps talk to SQL Server 2008 R2, which holds the DEK and writes encrypted data pages; the Luna HSM provides EKM secure key storage and encryption processing.] Flexible options: Master Key, KEK and DEK support.
What's Extensible Key Management (EKM)? EKM is SQL Server 2008 R2's interface to HSMs; the EKM provider is supplied by SFNT and works easily with SQL. EKM addresses the management challenge of key proliferation with Transparent Data Encryption (TDE).

SFNT HSM enhances: auditable key management of critical keys; separation of SQL admin access from critical keys; secure hardware based backup of critical keys; offload of cryptographic operations from SQL Server processing and better performance of those operations. Meets certification needs: PCI DSS, FIPS, Common Criteria.
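The EKM/TDE arrangement described above, shown end to end as an added T-SQL example (not from the deck and not from SafeNet's integration guides): the provider DLL path, login, credential identity and secret, key names and database name are placeholders that a real deployment takes from the vendor's documentation.

```sql
-- Added example (not from the deck): wiring SQL Server 2008 R2 TDE to an HSM via EKM.
-- Provider DLL path, login, credential values, key and database names are PLACEHOLDERS.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;   -- EKM is off by default
RECONFIGURE;
GO
USE master;
GO
-- Register the vendor's EKM provider library (placeholder path).
CREATE CRYPTOGRAPHIC PROVIDER HsmEkmProvider
    FROM FILE = 'C:\EKM\vendor_ekm_provider.dll';
GO
-- Credential the HSM accepts (placeholder), mapped to the DBA login that creates keys.
CREATE CREDENTIAL HsmAdminCred
    WITH IDENTITY = 'hsm_partition_user', SECRET = 'REPLACE_WITH_PARTITION_PASSWORD'
    FOR CRYPTOGRAPHIC PROVIDER HsmEkmProvider;
ALTER LOGIN [CONTOSO\dba] ADD CREDENTIAL HsmAdminCred;
GO
-- Generate the key-encryption key INSIDE the HSM: CREATE_NEW means the private
-- half is born in hardware and never leaves it; SQL Server stores only a reference.
CREATE ASYMMETRIC KEY TdeKek
    FROM PROVIDER HsmEkmProvider
    WITH PROVIDER_KEY_NAME = 'tde_kek_2008r2',
         CREATION_DISPOSITION = CREATE_NEW;
GO
-- TDE must reach the HSM key at service start-up, so give it a login
-- derived from the key with its own HSM credential.
CREATE LOGIN TdeKekLogin FROM ASYMMETRIC KEY TdeKek;
CREATE CREDENTIAL HsmTdeCred
    WITH IDENTITY = 'hsm_partition_user', SECRET = 'REPLACE_WITH_PARTITION_PASSWORD'
    FOR CRYPTOGRAPHIC PROVIDER HsmEkmProvider;
ALTER LOGIN TdeKekLogin ADD CREDENTIAL HsmTdeCred;
GO
-- Wrap the database encryption key (DEK) with the HSM-held KEK and switch TDE on.
-- Data pages are encrypted with the DEK; only the HSM can unwrap the DEK.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeKek;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- Verify: encryption_state 3 = encrypted; encryptor_type must be 'ASYMMETRIC KEY'
-- (HSM-backed), not 'CERTIFICATE' (software key held in master).
SELECT DB_NAME(database_id) AS db, encryption_state, encryptor_type
FROM sys.dm_database_encryption_keys;
```

The final query is the check an auditor wants: a database whose encryptor_type reads 'CERTIFICATE' still has its key material inside master, which is exactly the co-location of keys and data the slide says the HSM removes.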
Microsoft HSM Integrations - SharePoint: Microsoft SharePoint enables users to connect and be empowered through formal and informal business communities. SafeNet Luna SA provides SSL key management, key security and performance acceleration to the TMG server and its users. SafeNet Authentication tokens enable two factor authentication to SharePoint.
Microsoft HSM Integrations - Active Directory Rights Services (ADRMS): Microsoft AD RMS provides information protection to files and other information, no matter where it goes. SafeNet Luna SA provides key management, key security and performance acceleration to the AD RMS server and its users.
Microsoft HSM Integrations - Active Directory Rights Services (ADRMS). [Diagram: Luna HSM attached to the RMS Server (Certification, Licensing, Templates); the RMS Server relies on Active Directory for Authentication, Service Discovery and Group Membership, and on SQL Server for Configuration data, Logging and Cache.]
Microsoft HSM Integrations - Unified Access Gateway (UAG): Microsoft Forefront Unified Access Gateway enables employees to gain seamless remote access to corporate applications and data. SafeNet Authentication tokens enable two factor authentication to VPN services via OTP or certificate based authentication, protected by FIPS and Common Criteria validated devices.
Microsoft HSM Integrations - Active Directory: Microsoft Active Directory provides the means to manage the identities and relationships that make up an organisation's network. SafeNet ProtectDrive leverages Active Directory management to deliver full disk encryption. SafeNet Authentication tokens provide OTP and certificate based authentication integrated with Active Directory.
Microsoft HSM Integrations - Microsoft OCSP: Microsoft OCSP provides real-time validation of a certificate's status. SafeNet Luna SA and Luna PCI provide key management and key protection, ensuring trust in the responses delivered by the OCSP service.
Microsoft HSM Integrations - Forefront Identity Manager (FIM): Microsoft Forefront Identity Manager Certificate Management provides registration authority and certificate management to users and devices. SafeNet Luna SA provides key storage and security for the agent private keys, global platform master keys and related Certificate Authority keys used with a FIM CM deployment.
Solution Briefs
Microsoft Integration Guide Examples
An Introduction to HSMs. HSM = Hardware Security Module. A HSM is a collection of algorithms, secure key storage, accelerators and key management, all inside a tamper resistant unit. It's like a box of cryptographic Lego: how you put the elements together determines what the HSM does.
An Introduction to HSMs - What is a HSM, why use one?
Security: Sensitive cryptographic keys and processes are stored, managed and protected by dedicated hardware.
Performance: Processing bottlenecks are eliminated with hardware cryptographic acceleration.
Auditability: Dedicated hardware provides a clear audit trail for all key materials.
Why Secure Your Keys? HSMs protect against internal and external attacks. HSMs protect against keys being made vulnerable by system crashes. HSMs protect against keys being made vulnerable by viruses or Trojans. HSMs limit, control and protect backups.
Why Secure Your Keys? Experts know the consequences of root-key vulnerabilities All the trust in a CA relies on the fact that it and only it can apply such a signature and that no one else can imitate it. If the CA signing key was to be compromised, all certificates issued by this CA could no longer be trusted, causing the CA to revoke and re-issue certificates under a new signature. This would destroy the trust in the PKI to such a point that subscribers might not want to do business with the CA from then on. (Gord Ireland, Information Technology Services, Bank of Canada)
Why Secure Your Keys? Offers functionality not always available in software-based applications, such as two-factor authentication, key generation and disposal, key recovery, secure key distribution and key rotation. Separates data from key storage, delivering an additional level of protection through the physical separation of keys and data.
Why Secure Your Keys? Higher performance for hardware-based cryptographic operations. Centralising keys and cryptographic operations lets encryption and cryptographic processing be consolidated and simplified, with centralised key management across the enterprise.
Why Secure Your Keys? Best Practice http://www.safenet-inc.com/library/
Luna Product Overview. [Diagram: Application layer (Java, CAPI / CNG, OpenSSL) calling a PKCS#11 driver, connected to the HSM over TLS; platforms: Windows, Sun, Linux, AIX, HP-UX.] HSMs use Application Programming Interfaces (APIs) for communication; these are a standard collection of calls and commands that are interpreted by any given HSM or other device that supports them.
Luna Product Overview
Luna SA: High assurance enterprise-grade HSM. 5,500+ ops/s. Certifications: FIPS 140-2 Level 3, CC EAL 4+. Full platform support. Secure remote administration. 10/100 Ethernet interface. Extensive algorithm support. Supports partitioning. Hardware secured remote administration.
Luna PCI: Fast, high-assurance PCI HSM card for hardware key management and crypto acceleration. 7,000 ops/s. PCI and PCIe form factors. FIPS 140-2 Level 3. Supports two-factor trusted path authentication. Extensive algorithm support.
Luna CA4: Root key HSM for true hardware key management. FIPS 140-2 Level 3 certified. Extensive algorithm support. Supports two-factor trusted path authentication. Supports common certificate authorities (Microsoft, Entrust, VeriSign, RSA, etc.).
Luna SA, network attached HSM The Luna SA is an Ethernet attached HSM designed to protect critical cryptographic keys and accelerate sensitive cryptographic operations across a wide range of security applications
Luna SA, network attached HSM. The Remote PED provides full PED functionality at a remote administration workstation, allowing the deployment of a 'factory default' HSM and the ability to remotely initialise it, thereby not giving up control of devices to data centre employees. Luna SA offers built-in High Availability, Key Synchronisation and Redundancy features, with automated reintroduction of failed units. [Diagram: Application Servers; load balanced on- or off-site devices; Remote PED and Remote Administration.]
Luna PCI, internal HSM. FAST: Luna PCI 3000 & 7000, up to 7000 transactions per second. SECURE: Keys in hardware; PW Auth or PED Auth; FIPS 140-2 validated. EASY: Simple to integrate and deploy.
Luna CA4, internal HSM. SECURE: Keys in hardware; FIPS 140-2 validated; under validation to CC EAL 4+. EASY: Simple to integrate and deploy with the Luna DOCK II USB-attached reader. CONVENIENT: Removable, easily securable form factor.
Luna SA & Luna CA4 PKI Bundle
Hardware-Secured Key Best Practice
Hardware-Secured Key Generation Best Practice: Keys must be generated on a secure key management device.
Hardware-Secured Key Storage Best Practice: The key must always be stored on a secure HSM.
Hardware-Secured Key Backup Best Practice: When private keys are backed up, they must be backed up directly to another identical security device.
Hardware-Secured Digital Signing Best Practice: All certificate signing operations must be performed exclusively within the HSM.
http://www.safenet-inc.com/library/