ClearPath MCP Encryption
Steve Koss, Distinguished Engineer and Chief Architect
The What and Why of Encryption
• Terminology
–
–
–
–
Symmetric Key Encryption
Public Key Encryption (PKE)
Certificates
SSL/TLS - Combines all three
• Why Encrypt
– Reduces the chance of data exposure
– Makes Auditors Happy 
© 2012 Unisys Corporation. All rights reserved.
2
Data Privacy Capabilities
Overview
• Encryption of data across networks
–
–
–
–
File transfer via FTP/SFTP/NFT/DMV
Terminal emulator sessions
Transport Layer Security/Secure Sockets
IPsec – packet layer encryption
• Encryption of data at rest
– Tape encryption
– Disk encryption
• Security Center – Key Management
• Stealth
© 2012 Unisys Corporation. All rights reserved.
3
Network Security
File Transfer Protocols/Products
• Many different methods to transfer and protect files
between MCP and other systems.
–
–
–
–
FTP/FTPS
SFTP (SSH) – introduced in MCP 14.0
Secure File Transfer (NFT)
SAN DataMover
• File transfer capabilities on remote systems determine most
suitable product.
• Security is configurable on all but SFTP (no unsecure
version).
• To use any of these on ClearPath MCP, MCP cryptography
must be available.
© 2012 Unisys Corporation. All rights reserved.
4
Network Security
File Transfer Protocol (FTP)
• File Transfer Protocol (RFC 959) supported by most systems
• Transfers can be secured via SSL/TLS
– IMPLICIT model – two sets of ports (one secure, one insecure)
– EXPLICIT model – one set of ports (usually 21/20) and there are
commands to turn SSL/TLS on/off
• AUTHMODE controls where SSL/TLS is used
– IMPLICIT, EXPLICIT, EXPLICITLOGON, EXPLICITCOMMAND
• New features introduced in MCP 13.1
– Client Certificates – ability to specify an X.509 certificate for
additional validation
– Can allow acceptance of self-signed server certificates
– Can secure data port when control port is not secured.
© 2012 Unisys Corporation. All rights reserved.
5
Network Security
Secure File Transfer Protocol (SFTP)
• Secure File Transfer Protocol (SFTP) is part of the SSH
protocol suite
– Defined by <draft-ietf-secsh-filexfer-02.txt>
• MCP implementation supports version 3 (but does NOT
support all of the commands yet)
• Interoperable with implementations which use openssh()
toolkit (most flavors of Linux) and psftp (part of PuTTY).
• Full list at:
– http://www.support.unisys.com/common/matrices/ViewMatrix.aspx?pla=MCP&n
av=MCP&PageID=649
© 2012 Unisys Corporation. All rights reserved.
6
SFTP
Configuration
• Support for SFTP has been integrated into the
FTPSUPPORT product and can be accessed from:
– Batch FTP Client (COPY)
– Interactive FTP Client (U FTP)
• SFTP configuration is through FTPSUPPORT
configuration file
(*SYSTEM/FTP/SUPPORT/CONFIGURATION)
• Keys and trust are configured through SecurityCenter
– Server public keys (management and trust)
– Usercode public keys (management)
© 2012 Unisys Corporation. All rights reserved.
7
SFTP
Copy – Example #1
Batch Client
• COPY FILENAME (FTPTYPE=IMAGE) TO
DISK(PACK, IPADDRESS=“xxx.xxx.xxx.xxx”,
AUTHMODE=SSH, USERCODE=“GUEST”/”GUEST”)
Interactive Client
1. U FTP
2. AUTHMODE SSH
3. OPEN xxx.xxx.xxx.xxx (with GUEST/GUEST credentials)
4. TYPE IMAGE
5. PUT FILENAME
© 2012 Unisys Corporation. All rights reserved.
8
SFTP
Copy – Example #2
Batch Client
Remote username defaults to
calling usercode, but can be
overridden
• COPY [SFTP] FILENAME
(FTPSITE=“SSH_CLIENT_SERVICENAME=‘SSH_USER’”)
TO DISK(IPADDRESS=“xxx.xxx.xxx.xxx”)
Interactive Client
1. U FTP
FTP will prompt for the remote
Username during the OPEN
2. AUTHMODE SSH
3. SSH_CLIENT_SERVICENAME “SSH_USER”
4. OPEN xxx.xxx.xxx.xxx
5. PUT FILENAME
© 2012 Unisys Corporation. All rights reserved.
9
SFTP
Server configuration
• To configure the MCP software as an SSH Server:
– Create a public key for server’s identity (default name is
SSH_SSHKEY)
– Modify *SYSTEM/FTP/SUPPORT/CONFIGURATION
[LIBRARY SECTION]
INITIATE_SSH_SERVER = SSHSUPPORT
• Detailed information can be found in FAQ 5847 on the
Product Support Website and in standard MCP 14.0
documentation.
– FAQ 5847 also contains the list of software (Interim
Corrections) which must be downloaded.
© 2012 Unisys Corporation. All rights reserved.
10
SFTP Enhancements in MCP 15.0
• Server support for Windows SFTP clients.
The ClearPath SFTP Server transfers files with the following
Windows SFTP clients.
• WinSCP
• Attachmate Reflection FTP Client
• FileZilla FTP Client
- We’ll update the compatibility matrix on the support website.
• Server support to append to ClearPath files.
SFTP clients can append data to the end of existing ClearPath files.
Example using WinSCP
put -append TransactionHistory
© 2012 Unisys Corporation. All rights reserved.
11
Network Security
Secure File Transfer (NFT)
• Secure File Transfer for ClearPath MCP allows data
transfer between two MCP hosts
• New Feature introduced in MCP 13.1
– Does NOT require BNA network connectivity
– MCP file attributes of source file are retained across the transfer
– Can also be secured with SSL/TLS (cryptography support
required)
– Hazardous files controlled with the RESTRICTUNWRAP
system security option
– Transfers initiated with COPY [FTP] command or FTP
Interactive and Batch clients
© 2012 Unisys Corporation. All rights reserved.
12
Secure File Transfer (NFT)
Securing Hazardous Files
Hazardous files (codefiles for example) are marked restricted unless:
– The RESTRICTUNWRAP system security option at the destination
host is reset
– or –
− The Library RESTRICTED option is reset by the FTP Administrator
at the destination host
- and The RESTRICTED option is reset in the COPY command and the
usercode at the destination host is a security administrator
© 2012 Unisys Corporation. All rights reserved.
13
Secure File Transfer (NFT)
New MCPDATA transfer type
• Transfers use data transfer type “MCPDATA”
− COPY [FTP] TEST/CASE_1/= (FTPTYPE = MCPDATA) FROM
DISK (PACK, IPADDRESS = “124.39.225.14”, USERCODE =
SYSTEST/105639)
• Copies all files under the TEST/CASE_1 directory on the remote MCP host to
the local host
• All attributes, including FILEKIND, are retained at the destination host.
• No BNA network is required.
© 2012 Unisys Corporation. All rights reserved.
14
Secure File Transfer (NFT)
Copying of codefiles
COPY [FTP] (SYSTEST)OBJECT/TESTFILE
(FTPTYPE=MCPDATA, FTPSITE=“OPT - RESTRICTED”) FROM
TESTPACK(PACK) TO USERPACK (PACK,
HOSTNAME=MCPEAST,USERCODE=ABC/ABC)
• The codefile (SYSTEST)OBJECT/TESTFILE on TESTPACK is copied to
USERPACK at the remote MCP host, MCPEAST
• Resetting the RESTRICTED option prevents the codefile from being marked
restricted, but only if user ABC is a security administrator at MCPEAST
© 2012 Unisys Corporation. All rights reserved.
15
Secure File Transfer (NFT)
Network Security
• Data transmission can be secured by Secure Sockets Layer
(SSL/TLS)
• Specify the level of security required for the file transfer (using the
SSLMODE attribute)
– EXPLICIT
– IMPLICIT
Command and data path are secured, different control ports are used.
– EXPLICITLOGON
– EXPLICITCOMMAND
After logon command path can be optionally unsecured
Data path security is independently selected
COPY [FTP] DATADB (FTPTYPE = MCPDATA) FROM DISK (PACK,
IPADDRESS = “124.39.225.14”, SSLMODE = IMPLICIT, USERCODE =
SYSTEST/105639)
© 2012 Unisys Corporation. All rights reserved.
16
Secure File Transfer (NFT)
Other Issues
– MCPDATA transfers are incompatible with older levels of
FTPSUPPORT
– Non encrypted transfer speeds are similar with NFT
– Encrypted transfers are slower than non-encrypted transfers
– Non-MCP hosts running FTP can be used as store and forward
hosts for MCPDATA transfers
– Documented in the TCP/IP Distributed System Services Operations
Guide
© 2012 Unisys Corporation. All rights reserved.
17
Network Security
SAN DataMover (DMV)
• SAN DataMover provides an efficient way to move large
amounts of disk data (local Windows environment required).
– Between MCP and local Windows environment,
– Between MCP and remote Windows, Linux or UNIX
environment (by way of a local Windows environment)
• Offloads data transfer to Windows environment (freeing
ClearPath MCP MIPS)
• Security Features (introduced in MCP 13.0)
– SSL Support – Secure Communication between Windows
and MCP SAN DataMover Components (requires MCP
Cryptographic Services)
– FTPS & SFTP Support – Secure Remote File Transfer
– Both require MCP Cryptographic Services and
configuration to enable and configure secure transfers.
© 2012 Unisys Corporation. All rights reserved.
18
Network Security
Securing Terminal Emulator Sessions
• Protect data terminal emulator sessions
to MCP servers
• Many options available:
– WebEnabler for ClearPath MCP – supports a
2-tier model – direct SSL connections from
WebEnabler to ClearPath MCP
– Secure TELNET – MCP Telnet can offer
secure and/or unsecure sessions. Controlled
via system security option (SECURECOMM)
– Attachmate INFOConnect and MCP Telnet
can also use a custom encryption protocol
• SSH terminals are not supported at this time.
© 2012 Unisys Corporation. All rights reserved.
19
Network Security
Securing Print Data
• Secure data between MCP and Print Server
• Use the Secure Sockets Layer (SSL) or
Transport Layer Security (TLS) protocols to
protect data
• MCPPRT Server (introduced in MCP 13.1)
– Just Specify SSL in IOHandler Parameter
– See PrintS Guide (8600 1039–514)
• EOM (Depcon) Server (introduced in MCP 13.1)
– Specify SSL in PC and MCP Configuration Files
– See EOM Documentation
© 2012 Unisys Corporation. All rights reserved.
20
IP Security (IPsec)
Security for the IPv6 network
• Can authenticate and/or encrypt each IP packet in a
data stream
• Uses policies to define security at the MCP-to-network
boundary. IP packets can be:
– Forbidden from being transmitted unencrypted
(DISCARD)
– Allowed to be transmitted unencrypted (BYPASS)
– Authenticated or encrypted prior to transmission
(PROTECT)
• Subject to US Government export control
– Packaged in the operating environment encryption option
• Supports 3DES and AES algorithms for packet
encryption
• IPv6 ONLY (no IPv4 support)
© 2012 Unisys Corporation. All rights reserved.
21
Tape / DVD Encryption Enhancements
Tape / DVD Encryption Enhancements
• Provides Enhanced Security for Encrypted Tapes/CDs/
DVDs
– AESGCM encryption, the standard algorithm for tape encryption as
specified by the IEEE
– ESSIV scheme is used with CBC-mode to ensure each tape and
each file on a tape are encrypted using a “random” Initialization
Vector (IV)
– Additional data integrity checking added to encrypted data
• Enhancements are known as Version 2 Media Encryption
– Format of Version 2 encrypted media is different from the original,
Version 1, tape encryption format
© 2012 Unisys Corporation. All rights reserved.
23
Tape / DVD Encryption Enhancements
• Examples
– COPY F/= TO BACKUPTAPE(SERIALNO=“110812”,
ENCRYPT=AESGCM)
• Specifying ENCRYPT=AESGCM by definition creates a Version 2
Encrypted Tape
– COPY F/= TO BACKUPCD(CD, ENCRYPT=AES256,
ENCRYPTVERSION=V2)
• Specifying ENCRYPTVERSION=V2 forces the use of ESSIV when
doing AES with CBC-mode encryption
© 2012 Unisys Corporation. All rights reserved.
24
Tape / DVD Encryption Enhancements
• Migration and Compatibility
– Version 1 is used by default but Version 2 is recommended
– A tape/CD/DVD created using Version 2 Media Encryption cannot
be read on a system that only supports Version 1 tape encryption
– Systems that support Version 2 Media Encryption can read and
write both Version 1 and Version 2 tapes/CDs/DVDs
– Library Maintenance will not support encryption using Version 1 in
software released after October 2015 but decryption of media
created using Version 1 will continue to be supported
– Only Library Maintenance supports the new Media Encryption
Version 2 enhancements – TapeStack and DMUTILITY do not
© 2012 Unisys Corporation. All rights reserved.
25
Tape / DVD Encryption Enhancements
• Operator Controls
– The existing LMENCRYPT SYSOP can now be set to AESGCM
• Thus all tape/CD/DVD copies would be encrypted using AESGCM
unless over-ridden in the COPY statement itself and would be in Media
Encryption Version 2 format
– A new LMDEFENCRYPT SYSOP can be set to “V1” or “V2”
• LMDEFENCRYPT defaults to “V1”
• LMDEFENCRYPT set to “V2” and LMENCRYPT set to “AES256”
causes ESSIV to be used along with AES256 in CBC-mode and creates
the encrypted media in Version 2 format
• LMDEFENCRYPT set to “V1” and LMENCRYPT set to “AES256” uses
AES256 in CBC-mode and creates the media in Version 1 format
© 2012 Unisys Corporation. All rights reserved.
26
Disk Encryption Options
• Encryption Capable SANs
– EMC VMAX: newer versions
– EMC VNX: newer versions
– Must be done at setup time. Can’t change a disk to be encrypted
• BitLocker
– FS1760 Internal Disk
– Can be turned on and off
• DMSII field level “obfuscation”
– Not true encryption
– Can’t search, sort, index, or replicate data with Databridge
• What disk encryption is really for:
– Data protection at time of disk dispose or theft
© 2012 Unisys Corporation. All rights reserved.
27
Management & Configuration
Security Administration
SecurityCenter
• Security Center
– Preferred security administration tool
– PC-based GUI and wizards
– Enables security administrators to define, manage,
and test/assess MCP security.
– Replaces command line/batch tools such as
MAKEUSER and SYSTEM/GUARDFILE.
• Microsoft Management Console “snap-ins”
–
–
–
–
–
–
–
–
Security Policy Management
File Access Management
Cryptographic Services Management
Kerberos Configuration Management
User Account Management
Locum SafeSurvey
Locum SecureAudit
Locum RealTime Config
© 2012 Unisys Corporation. All rights reserved.
29
SecurityCenter
Cryptographic Services Manager
• Used by security administrators to perform key
management (create / import / export / renew)
– SSL keys and certificates (used by WebTS, FTP, Sockets
programs, User Programs)
– Tape encryption keys (introduced in MCP 13.1)
– IPsec keys (symmetric)
– SSH Keys (introduced in MCP 14.0)
• Also used for Certificate Management (SSL clients)
– Certificate Stores
– JAVA Certificate Stores
© 2012 Unisys Corporation. All rights reserved.
30
SecurityCenter
Tape Encryption - Compromised Key Sets
• MCP-based software tape encryption can now mark a set
of tape encryption keys as invalid for writing, and generate
a replacement keyset
• This may be done because:
– A key of the set is thought to be compromised
– The keyset’s lifetime (according to corporate policy) has been
reached
• Compromised keysets can still be used for decryption
(retained indefinitely)
• Only one active keyset per system / MCP mark release.
© 2012 Unisys Corporation. All rights reserved.
31
SecurityCenter
Tape Encryption - Managing Key Sets
To manage sets:
Under MCP Cryptographic
Services, Trusted Keys,
select node:
Tape Encryption Keys
Sets uniquely identified by
• Host name
• Release level
• Set number
© 2012 Unisys Corporation. All rights reserved.
32
SecurityCenter
Tape Encryption - Managing Key Sets
Icon shows state of set:
• Green=Active
• Red=Inactive/Compromised
Only the Active set for the
local host is used to encrypt
All sets are used for
decryption. If a tape was
encrypted with a key of that
set, it will be automatically
decrypted
© 2012 Unisys Corporation. All rights reserved.
33
SecurityCenter
Tape Encryption - Managing Key Sets
Create a set:
Mark set compromised:
• Right-click Tape Encryption Keys
node, select “Create New Keyset”
• Right-click local host’s Active set,
click “Mark as Compromised”
• Current (Highest-numbered) set is
disabled, new set is created
• Selected set is disabled, new set is
created
© 2012 Unisys Corporation. All rights reserved.
34
SecurityCenter
Tape Encryption - Best Practices
• When a new keyset is generated, you must back up the
keyset (via Export) and transport it to any systems that will
need to decrypt tapes created on this host
• Ensure that keys are stored securely
• Ensure that keys are transported between systems
securely
© 2012 Unisys Corporation. All rights reserved.
35
Stealth Solution Suite
You Can’t Hack What You Can’t See
Changing the Security Paradigm
Imagine a World…
Where your sensitive data is
invisible to hackers
And is only visible…
to users you select
© 2012 Unisys Corporation. All rights reserved.
37
Unisys Stealth Solution Suite
An NSA certified enterprise wide security innovation,
incrementally and non-disruptively implemented,
that makes data communication end points invisible on a network
and therefore be removed as a target for hackers.
LAN/ Internet
Stealth can reduce costs through consolidation and virtualization of
a network and adds unprecedented protection to enterprise
information.
© 2012 Unisys Corporation. All rights reserved.
38
Stealth Solution Key Elements
Stealth consists of four important elements:
1
Cryptographic Service Module
2
Information Dispersal Algorithm & Data Reconstitution
Provides FIPS 140-2 certified AES-256 encryption.
Stealth formatted messages can only be reassembled by Stealth.
7. Application
3
4
6. Presentation
Virtual Communities of Interest (COI)
5. Session
Hides users, data and servers from non-COI members.
4. Transport
Stealth
Driver
Executes Very Low in the Protocol Stack
Protects device from attack. No changes required to Applications.
3. Network
2. Link
1. Physical
NIC
© 2012 Unisys Corporation. All rights reserved.
39
Unisys Stealth Solution Suite
Enterprise wide – Consistent Security Approach
Stealth Secure Remote
Access
Stealth Regional
Isolation
Stealth secures information exchanged
over public or private networks from many
geographic locations.
LAN/WAN/
Wireless
Cloud Data Center
Corporate Site
External
Network
Stealth protects data communication for teleworkers
across the Internet superior to traditional
VPN, Solution
using the
Stealth
Stealth driver loaded to a laptop or SSVT.
for Cloud
A Virtual Web Server
B Virtual Web Server
A Virtual App Server
Internet
Stealth Data Center
Segmentation
A Virtual DB Server
Internet
Stealth cloaks the servers running sensitive applications
or storing private information; these servers are not
visible to anyone without the required Stealth crypto keys.
Regional Site
Email
Server
(unprotected)
Protected
App
Server
B Virtual App Server
B Virtual DB Server
In a cloud, Stealth hides virtual workloads
from unauthorized access in single or
multi-tenant environments.
Protected
Database
Server
© 2012 Unisys Corporation. All rights reserved.
40
Data Center Segmentation
Enterprise Network
•
“Compartmentalize” data center
using Communities of Interest (COI)
instead of physical infrastructure
•
Mitigate Threats
–
–
–
•
Email
Server
(unprotected)
Benefits
–
–
Protected
Server
(Phys or VM)
Protected
App Server
–
–
–
Protected
Database Server
•
Fosters Availability while ensuring
Confidentiality and Data Integrity
Enhances application security by
enforcing “Least Privilege”
Uses existing infrastructure
Security is not Port based
Facilitates regulatory compliance
Cost Savings potential 20%-50%
–
Value: Protect high impact systems
from intrusions on intranet
Theft or Misuse of IP
Compliance Penalties
Minimizes scope of attacks
–
–
Reduce data center complexity; reduce
VLANs and physical segmentation
Re-segment the data center using
Active Directory
Simplified management
© 2012 Unisys Corporation. All rights reserved.
41
Regional Isolation
•
Regional Isolation prevents unauthorized
access to information in the local region
and on the corporate intranet
•
Mitigate Threats
Enterprise Network
–
–
–
A trusted country
Enterprise
MPLS
Stealth GW
•
Benefits
–
–
Stealth Cloaked
Geographic Region
Data communication eavesdropping by
regional telecommunication providers and
governments
Intrusions to corporate intranet
Intrusions to local site from within the
region itself
–
–
Assures only authorized access to
corporate intranet
Protect regional assets from rogue
endpoints
Segregate regional assets based on
“need to know”
Segregate corporate assets based on
“need to know”
Value: Protect corporate data assets in a global topology
© 2012 Unisys Corporation. All rights reserved.
42
Stealth in the Cloud
•
Stealth in the Public or Private Cloud secures
and isolates communication between virtual
resources in a multi-tenant environment
•
Mitigates Threats
Stealth Solution for Cloud
Cloud Data Center
–
A Virtual Web Server
B Virtual Web Server
A Virtual App Server
Internet
B Virtual App Server
A Virtual DB Server
–
•
Theft or Misuse of IP within a tenant and
between tenants
Workload is vulnerability to unauthorized
access from inside or outside the cloud
Benefits
–
–
B Virtual DB Server
–
–
Protection follows the workload, regardless of
where it is physically executing
Provides secure resource sharing within
Communities of Interest
Isolates workloads between different COI
Integrated with Unisys Secure Private Cloud
Solution for seamless deployment
Value: Bring Stealth security to the Cloud
© 2012 Unisys Corporation. All rights reserved.
43
Stealth Solution for Secure Virtual Terminal (SSVT)
• SSVT secures and controls transmission over the
Internet “from anywhere,” locking the
communications channel to targeted endpoints.
• SSVT is deployed via a locked down Secure
USB-based device running Stealth network
security software. This virus-free, trusted
environment is verified at each boot.
• SSVT requires no change to your web enabled
applications
• SSVT enables workers to securely access
– Their own desktop located in the enterprise, via an
RDP session
– Microsoft Remote Desktop Services or other VDI
– Web enabled applications
© 2012 Unisys Corporation. All rights reserved.
44
Stealth Organizational Value
Security
Business Benefits & Priorities
Clients that want to increase security for
their “crown jewel” applications and servers.
Cost
Reduction
Clients that need to protect corporate assets
from regional facilities that may reside in
hostile territories.
Cost Savings
Clients that want the simplicity of
deployment and cost structure of public or
flat networks but cannot sacrifice
security…equally ideal for clients with multitier networks that need to contain costs
while increasing security.
Agility
Commercial
Organizations
Security
Public Sector /
Federal
Agility
Clients that want to simplify data / resource
access management
© 2012 Unisys Corporation. All rights reserved.
45
Stealth Extreme Security
Stealth
Crypto-Module
DIACAP MAC-1 DIACAP MAC-1
Certification
Certification
Network Risk Assessment
CWID 05
JFCOM
AF Comm Agency
JFCOM JIL
IV&V
National Center for
Counter-terrorism and
Cybercrime SOCOM
2005
2006
CWID 05
Combined
Endeavour
USAF
CWID 10
Export License
FIPS 140-2
Certification
Dept of Commerce
NIST
2007
Testbed IO Range
SOCOM
R&D Prototype
2008
2009
2010
CWID 08
CWID 09
CWID 10
DISA
DISA
SOCOM
EUCOM
DIACAP: DoD Information Assurance Certification and Accreditation Process
MAC: Mission Assurance Category (Level 1 is Highest)
DISA: Defence Systems Information Agency
EUCOM : European Command
SOCOM: Special Operations Command
JFCOM: JOINT Forces Command
JIL: Joint Intelligence Laboratory
NSA EAL4+
Certification
NIAP
2011
“Large
Integrator”
Tests and fails
to break Stealth
JUICE 09
GTRI
Private Lab
CECOM
DJC2 PMO
SPAWAR
SSVT Validation:
Failed to compromise
2012
Emerald
Warrior ‘12
SIPRNet
IATT
CWID: Coalition Warrior Interoperability Demonstration
JUICE: Joint User Interoperability Communications Exercise
CECOM: Communications Electronics Command (US Army)
GTRI: Georgia Tech Research Institute
DJC2: Deployable Joint Command and Control
NIST: National Institute of Standards and Technology
NIAP: National Information Assurance Partnership
© 2012 Unisys Corporation. All rights reserved.
46
Stealth – Hot Product at InterOp 2012
© 2012 Unisys Corporation. All rights reserved.
47
Where is Stealth Deployed?
Hertz, NZ uses Stealth to
facilitate PCI DSS compliance
The US Coast Guard uses SSVT for
secure telecommuting
We do use our own product! Unisys uses
Stealth to secure and protect our high value
application and database servers, and for
secure remote telecommuting
A large Midwestern Healthcare Agency is
piloting Stealth to protect servers with
sensitive data
An Australian Military agency
uses Stealth in a secure VDI
Solution
Many Commercial and Government pilots in progress
© 2012 Unisys Corporation. All rights reserved.
48
Stealth at Unisys
Unisys not only sells Stealth to clients, we use it internally too.
Data Center Segmentation:
Secure Remote Access:
•
At Unisys, Stealth has been deployed to
secure some of our critical multi-tier
applications.
•
•
With the web server, application logic and
database on separate COIs, users cannot
ping or even discover the existence of the
application and database servers, ensuring
that these cannot be tampered or hacked
in any way. Users can only access the web
server.
Regional Isolation:
•
Currently in test!
•
More than 200 Unisys employees use
Stealth on their laptops (with dual factor
authentication) in order to securely access
the corporate network when working from
home or when travelling.
Unisys is deploying Stealth incrementally
with our existing commercial VPN solution.
Stealth in the Cloud:
•
Unisys executes Stealth in our outsourcing Cloud environment to service our cloud clients.
© 2012 Unisys Corporation. All rights reserved.
49
Value-based Pricing Model
Client pays relative to the differentiated value they receive from Stealth
Example:
Regional Isolation
Example:
Data Center
Segmentation
Single
Datacenter
Example:
Secure Remote
Access
Multi
Datacenter
Remote
Access,
“VPN”
© 2012 Unisys Corporation. All rights reserved.
50
Unisys Stealth Solution Value
Unprecedented Security and Value
• Protection of private corporate data
• Facilitates regulatory compliance
• Significant cost reduction
• Easy, quick deployment
• Incremental implementation
• Identity-based management
• No application changes
• Highest security performance
© 2012 Unisys Corporation. All rights reserved.
51
Why Unisys Security?
Positive: Gartner’s MarketScope
on Data Center Outsourcing rated
Unisys as “Positive”, 2010.
World’s largest
RFID network
(U.S. Army)
More than 8.1 million
service events managed
per year
Our security solutions can be found
worldwide in 600+ airports, 1,500
government agencies, and in use by
200+ airlines
We have a 6,000-person strong
global field force (> 1,700
cleared)
Strong Performer: The Forrester
Wave™ – Managed Security
Services, 2010
100 million people
use Unisys secure
ID’s
To know more,
visit us at
www.unisys.com/stealth
and view:
YouTube: Stealth Solution
YouTube: Overview of How Stealth Works
© 2012 Unisys Corporation. All rights reserved.
52
Thank You
© 2012 Unisys Corporation. All rights reserved.
53