RSA Key Manager

egyptiannorweiganInternet and Web Development

Oct 31, 2013 (3 years and 11 months ago)


Enterprise-wide Encryption Keys Management


David Mateju

RSA Sales Consultant

david.mateju@rsa.com

RSA


The Big Picture

IT infrastructure

information

Encryption

Store, Transport

SIEM

Security Information and Event Management

DLP

Data Loss Prevention

Access

Authentication, Authorization, Anti-fraud Solutions

The Big Picture

IT infrastructure

information

RSA Encryption and Key Management Suite

RSA enVision Platform

RSA Data Loss Prevention Suite

RSA Access Manager

RSA Federated Identity Manager

RSA SecurID

RSA Digital Certificate Solutions

RSA Identity Protection and Verification Suite

Encryption Commonly Used to Protect Sensitive Data Throughout Infrastructure

SAN

LAN

Clients

Servers

WAN

DB or File Based

SAN Based

Application Based

Platform Based

Host Based


RSA Key Manager

Enterprise-Wide Key Management

RSA Key Manager (RKM)

1. Generate Keys

2. Securely Distribute Keys

3. Vault Keys

4. Expire / Turnover Keys

5. Monitor + Audit

Policy-based Interface

Apps/DB

FS/CMS

Storage


RSA Key Manager Solutions

RSA Key Manager with Application Encryption

Sensitive data encrypted within applications at point of capture

Application Encryption Clients - Comprehensive platform and language support

C, Java, .NET, Cobol, CICS

Linux, Mainframe, Unix, Windows

Encryption performed using RSA BSAFE® technology

RSA Key Manager for the Datacenter

Integrates with host, SAN switch, and native tape encryption solutions from RSA, EMC, and third parties

Current integrations include PowerPath, Connectrix/Cisco, Oracle and Native Tape

Application Encryption Client

Integration modules EMC & 3rd party encryption

RKM Server


Returns

RSA Key Manager with Application Encryption

Local Store

Payment Processing

RSA Key Manager

Server

TevpWURkQOyHTlJVlHeT2A==

TevpWURkQOyHTlJVlHeT2A==

Capture Card Info

Request encryption key if not cached locally in memory or on disk

Encrypt Card Data

Request Credit Card Data

Return unencrypted data to user

Datacenter Operations

RSA Key Manager with Application Encryption

RSA Application Encryption Client

RKM Server

(available as SW or Appliance)




Application

HMAC

Encrypt

Decrypt

GetKey

Key Cache

RSA Key Manager Server

RSA Key Manager Application Encryption Client Supported Platform Matrix



RSA Key Manager for the Datacenter

Host-based Encryption


EMC PowerPath

Name: XYZ

SSN: 1234567890

Amount: $123,456

Status: Gold

PowerPath

Encryption

EMC Storage

Any Host

Heterogeneous Storage System Encryption

RKM Server

@!$%!%!%!%%^&

*&^%$#&%$#$%*!^

@*%$*^^^^%$@*)

%#*@(*$%%%%#@

Encryption takes place in the SAN switch

Encryption management integrated into MDS Fabric Manager

Integrates with RSA Key Manager for comprehensive encryption key lifecycle management

Key 1

Key 2

Key 3

Active Keys

(in Fabric)

Key ‘n’

Cisco Fabric Manager

RSA Key Manager

API

RSA Key Manager for the Datacenter

SAN Fabric-based Encryption


Cisco / EMC Connectrix MDS

RKM for the Datacenter: Solution Overview

Solution: PowerPath Encryption with RSA
Encryption Source: Host
Interoperability/Support: EMC Symmetrix, CLARiiON; Solaris, Windows, AIX, Linux, HP-UX (2H)

Solution: Cisco/Connectrix MDS Storage Media Encryption with RKM
Encryption Source: SAN Fabric
Interoperability/Support: Cisco MDS-enabled platforms (9200 and 9500 series), 9222i switch; Requires 18/4 Port Multiprotocol Services Module

Solution: IBM Native Tape Encryption with RKM
Encryption Source: Tape Drive
Interoperability/Support: IBM TS1120 Tape Drives; TS3400/3500 Libraries; IBM Encryption Key Manager (EKM)

RSA Key Manager Server - Software

Supported Platform Matrix

Scenario 1, Scenario 2, Scenario 3, Scenario 4

Operating System
Windows® 2003 Server R2 (Intel® x86 32-bit)
Red Hat® Enterprise Linux® AS 4.0 (Intel x86 32-bit)
Solaris™ 9 or 10 (UltraSparc v9 32-bit)

App Server
Apache Tomcat 5.5.25
WebLogic™ 9.0a
WebSphere® 6.1
WebLogic 9.0

Web Server
IIS 6.0
Apache HTTP Server 2.0.52b
Apache HTTP Server 2.0.61

DB Server
SQL Server 2005
Oracle® 10G Release 2 RAC

RSA Access Manager
Access Manager 6.0
Clear Trust Agent 4.7

JVM
Sun JRE™ 1.5
IBM JRE 1.5
Sun JRE 1.5

HSM
nCipher™ netHSM™ (Firmware: 2.18.13; CipherTools: 1.0.0.8; Support Utilities: 10.15)
SafeNet Luna SA 4.1.0-9 (Firmware: 4.6.1)
SafeNet Luna PCI 3000 (Firmware: 4.6.1)

RSA Key Manager Server - Appliance

Preinstalled server

OS: rPath Linux
App Server: Apache Tomcat
Web Server: Apache
Database: Oracle Std Edition
JVM: Sun JRE 1.5


RSA Key Manager for PCI Compliance

Requirement / How RKM App Encryption Addresses It

PCI 3.6.1 - Strong Encryption Keys

Symmetric Key Generation

Industry Strength Algorithms: AES, 3DES, HMAC

PCI 3.6.2 - Secure Key Distribution

Mutually authenticated server communication via SSL

PCI 3.6.3 - Secure Key Vaulting

Secured Key Storage

Restricted Access to Key Manager Server

Tiered admin rights (Super, User, Key)

No Administrator has access to key material

PCI 3.6.4 - Periodic Changing of Keys / Key Lifecycle Management

Deletion of unused or compromised keys

Compliant to National Institute of Standards and Technology (NIST) recommendations

PCI 3.6.5 - Destroy unused / compromised keys

Key Policy Definition

Key Expiration

Key Rotation

Support for Key Attributes

Key Usage Audit and Logs

Provides PCI audit trail by logging all events