Data Protection Portfolio
Chris Harris, Northern European Pre-Sales Manager
REV 0.1

SafeNet Data Protection Portfolio

Authentication (Identity Protection)
• The broadest range of authentication, from hardware smartcard tokens to mobile phone authentication, all managed from a single platform
• The market leader in certificate-based token authentication
• The industry's only unified authentication platform, offering customers the freedom to adapt
• Unique technology offerings with clientless tokens, high-assurance offerings and more

Hardware Security Modules
• The fastest, most secure, and easiest to integrate application and transaction security solution for enterprise and government
• The market leader in enterprise-grade HSMs
• Industry innovator in payment HSMs
• Widest portfolio of platforms and solutions
• SafeNet delivered its 75,000th HSM, setting an industry milestone

DataSecure (Encryption and Control)
• The world's first and only unified platform that delivers intelligent data protection and control for ALL information assets
• Centralized policy, key management, logging and auditing
• Data-centric, persistent protection across datacenters, endpoints and into the cloud
• Integrated perimeter data leakage prevention

High Speed Encryption
• SafeNet high-speed encryptors combine the highest performance with the easiest integration and management
• Unparalleled leverage across classified and COTS communication protection (FIPS 140-2 Level 3)
• Best-in-class Security Management Center
• Solutions for Ethernet and SONET up to 10 Gb
• Appliance-based, with proven scalability and high performance
• Zero bandwidth loss, low-latency encryption

Authentication Solutions

Authentication - Identity Protection
• Token Management System
• Smartcard USB tokens
• Smartcards
• Hybrid (OTP/SC/Storage) tokens
• OTP tokens
• Software / mobile authenticators
SafeNet's strong authentication solutions help our customers meet organizational and end-user needs, enable business growth and achieve compliance.

Strong Authentication - The Need
• 24x7 secure access to sensitive business information
• Passwords are:
  • Often easy to crack and easy to guess
  • Easy to steal: keystroke loggers, phishing attacks
  • Difficult to remember and use
  • The cause of high help-desk costs
• Digital signing of transactions
• Secure PCs and laptops

The Authentication Portfolio (SafeWord)
• SafeWord's seamless integration with a Microsoft infrastructure makes it simple to deploy two-factor authentication for VPNs, Citrix applications, Web applications, Webmail, and Outlook Web Access
• Token assignment, enrollment, revocation, update, replacement
• Password reset/change
• Auditing, reporting
• Self-service options
• Integrated with AD/LDAP

The Authentication Portfolio
• Certificate-based (PKI) USB devices: eToken PRO, eToken PRO Anywhere, iKey 4000, iKey 1000
• Certificate-based smartcards: eToken PRO Smartcard, Smartcard 400, Smartcard 330, Smartcard 330M
• Hybrid: eToken NG-OTP, eToken Flash
• OTP: eToken PASS
• Software: eToken Virtual
• Mobile: MobilePASS (iPhone, BlackBerry, Java-capable phones, SMS)

Hardware Security Modules

HSM - Transaction & Identity Protection
Products: Luna SA / SP, ProtectHost EFT, Luna XML, Luna SX, CA4, Luna PCM, ProtectServer Gold, Luna PCI
SafeNet's Hardware Security Modules are the fastest, most secure, and easiest to integrate solution for protecting identities, applications and transactions.

What is an HSM, and why use one?
• Security: sensitive cryptographic keys and processes are stored, managed and protected by dedicated hardware
• Performance: processing bottlenecks are eliminated with hardware cryptographic acceleration
• Auditability: dedicated hardware provides a clear audit trail for all key material

Introducing the Product Line
• SafeNet brings together the HSM technology of three leading companies to deliver an array of customer choice with regard to features, certifications, performance and connectivity.
HSM Product Portfolio

• Luna SA: high-assurance enterprise-grade HSM
• Luna PCI: fast, high-assurance PCI HSM card for hardware key management and crypto acceleration
• Luna CA4: root key HSM for true hardware key management
Features listed across these three products (the slide does not map each bullet to a single product):
• 7,000 ops/s and 5,500+ ops/s
• FIPS 140-2 Level 3 certified; certifications FIPS 140-2 Level 3, CC EAL 4+
• Extensive algorithm support
• 10/100 Ethernet interface
• Supports two-factor trusted-path authentication
• Supports common certificate authorities (Microsoft, Entrust, Verisign, RSA, etc.)
• Full platform support
• Secure remote administration; hardware-secured remote administration
• Supports partitioning

Luna PCM: portable, cost-effective PCMCIA HSM card for hardware key management and crypto acceleration
• Versions for document signing, key export for registration of tokens, and signing and backup of key material to a token
• FIPS 140-2 Level 2
• Extensive algorithm support

ProtectServer Gold: cost-effective high-assurance PCI HSM card for customizable hardware key management
• Up to 600 ops/s
• Easy GUI-based administration
• Customizable interface
• FIPS 140-2 Level 3
• Extensive algorithm support
• Secure remote administration

Luna SP: protected application execution environment
• 5,500+ ops/s
• Certifications: FIPS 140-2 Level 3
• Executes sensitive application processing tasks
• Web service interface to application clients
• Signed code prevents unauthorised execution
• Leverages the tried and trusted Java security model
• Hardware-secured remote administration

Luna XML: high-assurance enterprise-grade HSM for XML environments
• XML interface (WSDL) encapsulates crypto functions, enabling rapid integration development
• No client required
• OS independent
• 2,200 ops/sec
• FIPS 140-2 Level 3
• Extensive algorithm support
• Secure remote administration
• 10/100/1000 Ethernet interface

ProtectHost EFT: high-assurance HSM for financial payment systems
• PIN generation and verification
• Supports global payment processing, EMV, and card issuance APIs
• 1,200 Visa PIN Verify operations/sec
• Certifications: FIPS 140-2 Level 3, CC
• Easy GUI-based administration

SafeNet HSM Product Range Overview
[Table not recoverable from the page; it compares form factor (server, network, embedded), certifications (FIPS 140 Level 2 and Level 3, CC EAL 4+), APIs (PKCS#11, Java, CAPI, EFT command sets), throughput (27/sec up to 7000/sec), symmetric and asymmetric support, 20 partitions and SSL acceleration]

Principles of Best Practice: http://www.safenet-inc.com/library/

DataSecure Platform

File, Folder & Field Encryption
DataSecure - Data Encryption & Control
• DataSecure i450 and i150 appliances
• Application/DB connector software
• Centralized policy and key management
• Full disk encryption
• File/folder protection
DataSecure is the industry's most trusted platform to provide intelligent data protection for ALL information assets, both structured and unstructured, from the datacenter to the endpoint and into the cloud.

DataSecure - Data Encryption & Control
[Diagram: Web/App Servers, File Servers, Mainframes, Endpoint Devices]

DataSecure Application Integration
[Diagram: E-Commerce Application, Reporting Application, Customer Database]
• Software libraries
  • Microsoft .NET, CAPI
  • JCE (Java)
  • PKCS#11 (C/C++)
  • SafeNet ICAPI (C/C++)
  • z/OS (Cobol, Assembler, etc.)
  • XML
• Support for virtually all application and web server environments

DataSecure Database Integration
• Database connectors
  • Oracle 8i, 9i, 10g, 11g
  • IBM DB2 version 8, 9
  • IBM UDB version 8, 9
  • Microsoft SQL Server 2000, 2005, 2008
  • Teradata 12
• Application changes not required
• Batch processing tools for managing large data sets
• Vendor-transparent database integration
  • SQL Server 2008
  • Oracle 11g

DataSecure Tokenization
• DataSecure acts as the "vault" for sensitive data values and tokens, protecting them with strong encryption and key management
• Token Manager replaces sensitive data with format-preserving tokens via:
  • Secure Message Layer: SOA-based interface, callable from anywhere
  • Protected Zone: host of the Secure Message Layer; the Protected Zone handles calling DataSecure and generating tokens
[Diagrams "Tokenization: Store Sensitive Value" and "Tokenization: Retrieve Sensitive Value"; components shown: client application (JVM), SOA interface, protected zone with token service, token manager and token generator, ProtectApp Connector to DataSecure over SSL, and the vault on SQL Server or Oracle over JDBC/SSL]

ProtectFile Architecture: Endpoint Protection with Centralized Key & Policy Management
ProtectFile PC (end-user laptop)
• Granular folder- and file-level encryption
• Independent, password-based or token-based user access control
• Key and policy management on DataSecure for end-user transparency
ProtectFile Server (corporate file server, network shares)
• Granular folder- and file-level encryption
• Client users use native Windows access control
• Key and policy management on DataSecure for end-user transparency
Encrypted files are stored locally or on shared file servers.

DataSecure Platform
• Centralized key and policy management
• Comprehensive logging and reporting
• Enterprise scalability and redundancy
• FIPS and CC certified

ProtectFile Sample Policies
• Create policies that align to lines of business
• Granular policies can be defined to control access for authorized users
Examples:
• Finance managers get full access to confidential financial spreadsheets.
• Call center reps can encrypt credit card numbers for phone orders.
• Outside auditors get access to sensitive files remotely and offline, but must be re-authorized by IT every 30 days to regain access. (The policy can be configured for any set amount of time.)
• Customer contracts sent to the call center are saved to a shared file server by the call center reps, where they are automatically encrypted and strict access control is applied.
• IT administrators get access to perform routine maintenance, but cannot see any files that have been encrypted (IT sees only ciphertext).
• Market analysts are able to access and share their competitive analysis on seasonal opportunities in the Finance folder, but see only ciphertext if they try to open the spreadsheet with analyst salary information.

ProtectFile Features and Benefits
• Full data lifecycle protection: encryption of files on servers, laptops, removable media, email, mobile handsets, and virtually anywhere the data travels
• Auditor-approved, compliance-ready solution: centralized auditing and logging capabilities to monitor attempted access and changes to your keys, users and authorization policies
• Data-centric data protection: secures the data itself, versus the perimeter or devices; compatible with cloud computing environments due to the data-centric approach of the solution
• Highly scalable and redundant: designed for and proven within large enterprises
• Standards-based security: FIPS and CC certification for the DataSecure key manager
• Flexible integration options: password and PKI multi-factor authentication
• Endpoint security including mobile data protection: protects mobile devices using ProtectFile Mobile

SafeNet ProtectDrive
The world's highest rated and most cost-effective full disk and removable media encryption solution. Protects sensitive data and ensures compliance with the lowest operating costs.
ProtectDrive received a perfect 5-star review from SC Magazine.
Security
• Full disk and removable storage media encryption
• Pre-boot authentication; two-factor authentication support
• FIPS 140-2 validated; Common Criteria EAL4
• Robust encryption (up to AES-256)
• Strong key management, optionally in hardware
Ease of Use
• High performance, transparent to the end user
• Single sign-on for pre-boot and Windows logon
Ease of Management
• Central management via Active Directory or ADAM
• Large-scale network installation using pre-set policies
• Reporting for compliance and security auditing

Pre-boot Authentication
If smart card and password logon has been enabled, the user inserts a smart card or presses Enter. After inserting the smart card, the user only needs to enter the PIN. For password logon, the user enters Windows user credentials.

Broad Platform Support
• ProtectDrive: the only disk encryption solution with a track record of successfully protecting servers, including RAID arrays, as well as laptops and workstations
• Smart phone support: ProtectMobile supports Windows Mobile today, with additional support for Apple iPhone, Symbian and Palm in 1H 2010

AD/ADAM Management
Leverage what your organization already knows, Active Directory, to speed up deployments and reduce ongoing management costs. Other solutions merely link to AD, whereas ProtectDrive integrates with AD/ADAM.

Token / Smart Card Support
Tokens:
• SafeNet eToken Pro
• eToken Pro Anywhere
• NG-FLASH
• NG-OTP
• SafeNet iKey 2032
• SafeNet iKey 1000
• SafeNet iKey 4000
• RSA SID800
Cards:
• SafeNet
• CAC/PIV II
• ActivIdentity
• CardOS cards
• Schlumberger
• Cyberflex
• SafeNet SC330, SC400
• And MANY others
SafeNet is the only vendor providing both tokens/smart cards and disk/file encryption, ensuring long-term support and compatibility: no integration worries, no vendor finger-pointing over issues, and one contact point for ongoing support.
• Passwords are less secure than two-factor authentication
• At pre-boot, token/smart card credentials provide authentication for OS login
• Certificate-based authentication provides non-repudiation and other forensic capabilities

Biometric/Smartcard Authentication
ProtectDrive also supports match-on-card biometric authentication.

SafeNet ProtectDrive
• Seamless integration with Active Directory or ADAM
  • Immediate familiarity
  • No additional servers/applications to install and manage
• 100% hard drive encryption by partition or full disk
  • All data encrypted: registry, temp files, master file table, partition boot record, ...
• Wide operating system support
  • Windows XP, 2000, 2003, 2008 R2, Windows Vista, Windows 7
• Rapid recovery
  • A suite of recovery tools which enable the safe recovery of a ProtectDrive system in as little as three minutes
• Token support
  • Support for a wide range of PKI tokens, including the eToken Pro, eToken Pro Anywhere, NG-FLASH and NG-OTP

Network & WAN Encryption

SafeNet WAN Encryption
• SafeNet offers Layer 2 encryption solutions
• Layer 3 solutions (IPSec) are now absorbed into routers
• Why Layer 2? ...

Why Layer 2?
Lowest cost of ownership
• Better bandwidth efficiency (up to 50%)
• Minimal ongoing maintenance: routing updates are transparent to the encryption
• Lowest-cost solution for aggregation of many sites
Maximum performance
• Low protocol overhead
• Low latency
• Eliminates complex QoS schemes
Enterprise scalability
• Fast, reliable network integration
• Simple architecture scales to 1000s of devices
• Layer 3 transparent: all L3 protocols supported (IPv4, IPv6 and legacy)

Layer 3 Competition
[Chart: improved performance; with the typical traffic profile, more than 50% of bandwidth can be lost. Source: Rochester Institute of Technology]

Simplified Management (Layer 3 / IPSec)
[Diagram: Operations Center, Disaster Recovery Location, LAN, IPSec encryptor, router, carrier edge router, transport. Every time something changes at one site, the security policy has to be updated at each of the other sites; this creates the potential for network outages and security vulnerabilities.]

Simplified Management - Layer 2
[Diagram: Operations Center, Disaster Recovery Location, LAN, Layer 2 encryptor, customer premise router, carrier switch, transport. When something changes at one site, nothing changes at the others: no administrative burden, no outages and no security policy changes.]

Best Fit for Layer 2 Encryption
• Ethernet encryption, 10/1G
• SONET encryption
• Ethernet encryption, 100/10M

Security Management Center II
Lowest cost of ownership
• Easy installation and simple ongoing management
• Intuitive web-based GUI
• Virtualization support with VMware and Solaris Zones
Secure operations
• Full audit and event logging and reporting
• Secure remote management and encrypted communications
• Integrated key manager with optional hardware security
Scalability / reliability
• Simple management design for thousands of encryptors
• Rapid deployment tools for large installations
• Enterprise-class high-availability features
SMC II is the only truly enterprise-class encryptor management platform.

SafeNet Ethernet Encryptor (FIPS 140-2 Level 3 certified)
Lowest cost of ownership
• Simple deployment and low maintenance
• Compatible with all Ethernet topologies
• Remote configuration and monitoring
Maximum performance
• Line-rate AES-256 encryption up to 10 Gbps
• No protocol overhead and low latency (< 5 μs)
• Hitless 2048-bit key exchange
Enterprise scalability
• Full-mesh connections up to 512 devices
• Available line rates include 10M, 100M, 1G and 10G
The only complete family of Ethernet encryptors for all performance levels to secure Ethernet networks.

SafeNet SONET Encryptor (FIPS 140-2 Level 3 certified)
Lowest cost of ownership
• Simple deployment and low maintenance
• Line and path modes of operation
• Remote configuration and monitoring
Maximum performance
• Line-rate AES-256 encryption up to 10 Gbps
• No protocol overhead and low latency (< 5 μs)
• Hitless 2048-bit key exchange
Enterprise scalability
• Full-mesh connections up to 512 devices
• OC3, OC12, OC48, OC192 interfaces available
The SafeNet SONET Encryptor is the world's most widely deployed solution for protecting SONET and SDH networks.

Content Security

The Need for Content Security
Firewalls and VPNs control who enters; Content Security controls what enters.
Internet evolution
• Web 0.1 (1995-2001): static content, limited bandwidth
• Web 1.0 (2002-2006): dynamic HTML applications, web-based applications, increased bandwidth
• Web 2.0 (2007-2010): user-generated content, evasive web applications, unlimited bandwidth
Threat evolution
• Amateur, fame-driven; then professional spammers and fraudsters; then organized eCrime
• Web threats: spyware, malware, inappropriate browsing, IM, P2P, tunnelling, information loss
• Email threats: spam, phishing, viruses, malware
Solution evolution
• URL filter; then scalable Web/Mail AV; then intelligent secure gateway

eSafe Product Family

eSafe Web Security Gateway
Includes anti-malware, anti-virus and application filtering. Inspects HTTP and FTP traffic.
• Performs real-time deep content analysis of Web 2.0 content
  • Proactively identifies all malicious scripts and malware
  • Strips only the threats, keeps the rest of the web content intact
  • Zero impact on user experience
• Controls Internet traffic, over 500 apps, e.g. Web 2.0, P2P, IM, etc.
  • Enforces application usage policies and controls malicious communications
  • Detects application protocols on any port
  • Prevents remote control
  • Prevents protocol tunnelling
• Blocks all known and unknown anonymous proxies

eSafe Web Security Gateway Plus
Includes anti-malware, anti-virus, application filtering and web filtering (URL filter). Inspects HTTP and FTP traffic. PLUS:
• Controls access to inappropriate, non-productive, and potentially malicious sites
• Effectively enforces acceptable web use policy
  • 70 different categories
  • More than 100 million categorized sites
  • Up to 150,000 new or revised daily updates

eSafe Web Security Gateway SSL
Inspection of encrypted HTTPS/SSL web traffic.
• Scanning of incoming and outgoing SSL-encrypted traffic
• Ensures policy enforcement and protection on SSL-encrypted traffic
• Decrypts/encrypts HTTPS/SSL traffic on the fly
• Validates certificate policies, issuers and revocations

eSafe Mail Security Gateway
Includes anti-malware, anti-virus and anti-spam. Installed as an SMTP relay in the DMZ.
• Dual anti-spam engine blocks 99% of spam
• Proactively blocks malware and zero-hour outbreaks
• Strips phishing elements from email messages
• Self-managed spam quarantine dramatically reduces administration overhead

eSafe Reporter
Extended reporting tools with detailed and analytical enterprise-class reports (240 pre-defined reports)
• Centralized dashboards
• Centralized configuration
• Centralized analysis

Data Loss Prevention: Classification, Enforcement & Monitoring
• Classification
  • 20 out-of-the-box DLP libraries
  • Coverage for over 150 file types, including all MS Office, Open Office and PDF files; HTML, email and source code files; archived files
• Enforcement
  • Log only
  • Block attachments or file upload
  • Archive for later investigation
  • Alert notification to administrator
  • Send email with attachment to administrator

Flexible & Scalable Deployment
• Flexible deployment options
  • Inline, bridge, router and proxy deployment modes
• Multiple form factors
  • Virtual appliance (VMware)
  • Purpose-built appliances
• Reliability and high availability
  • Cluster solutions for high availability and redundancy
  • Integration with 3rd-party load balancers
  • Redundant components on eSafe appliances
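The store/retrieve flow of the DataSecure tokenization slides above, as an added example that is not SafeNet's code: a token manager hands out format-preserving tokens while a vault holds only the encrypted value, so a token on its own reveals nothing. The stdlib vault cipher, the kept-suffix rule and the in-memory vault dictionary are assumptions standing in for the DataSecure appliance, its key manager and the SQL Server/Oracle vault database.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class VaultCipher:
    """Stand-in for the vault's strong encryption (the product uses an HSM-backed key
    manager); HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag, stdlib only."""

    def __init__(self, key: bytes) -> None:
        self._enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self._enc_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh per record, never reused with this key
        stream = self._keystream(nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, stream))
        tag = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def decrypt(self, record: bytes) -> bytes:
        nonce, body, tag = record[:16], record[16:-32], record[-32:]
        expected = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # reject a tampered vault record
            raise ValueError("vault record failed integrity check")
        stream = self._keystream(nonce, len(body))
        return bytes(c ^ k for c, k in zip(body, stream))


class TokenManager:
    """Hands out tokens with the value's length and character class; the value itself lives only in the vault."""

    def __init__(self, vault_key: bytes, keep_last: int = 4) -> None:
        self._cipher = VaultCipher(vault_key)
        self._vault = {}  # token -> encrypted sensitive value (stands in for the vault database)
        self._keep_last = keep_last  # trailing digits kept in clear: an assumption, not from the slide

    def _new_token(self, value: str) -> str:
        head = len(value) - self._keep_last
        return "".join(str(secrets.randbelow(10)) for _ in range(head)) + value[head:]

    def store(self, value: str) -> str:
        if not value.isdigit() or len(value) <= self._keep_last:
            raise ValueError("expected a numeric value longer than the kept suffix")
        token = self._new_token(value)
        while token in self._vault or token == value:  # no collisions, no identity tokens
            token = self._new_token(value)
        self._vault[token] = self._cipher.encrypt(value.encode())
        return token

    def retrieve(self, token: str) -> Optional[str]:
        record = self._vault.get(token)
        return None if record is None else self._cipher.decrypt(record).decode()
```

Storing the same value twice yields two different tokens, which is what makes a token useless as a join key across systems unless the vault is consulted.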