Data Protection Portfolio

erosjellySecurity

Feb 23, 2014 (3 years and 7 months ago)


Chris Harris

Northern European Pre-Sales Manager

SafeNet Data Protection Portfolio

Authentication - Identity Protection

Offering the broadest range of authentication, from HW smartcard tokens to mobile phone auth, all managed from a single platform

The market leader in certificate based token authentication

Industry's only unified authentication platform offering customers the freedom to adapt

Unique technology offerings with clientless tokens, high assurance offerings and more

High Speed Encryption

SafeNet high-speed Encryptors combine the highest performance with the easiest integration and management.

Unparalleled leverage across classified and COTS communication protection (FIPS 140-2 Level 3)

Best-in-class Security Management Center

Solutions for Ethernet, SONET up to 10Gb

Zero bandwidth loss, low-latency Encryption




Hardware Security Modules

The fastest, most secure, and easiest to integrate application & transaction security solution for enterprise and government

The market leader in enterprise-grade HSM

Industry Innovator in Payment HSM

Widest portfolio of platforms and solutions

SafeNet Delivered its 75,000th HSM - sets Industry Milestone


DataSecure - Encryption and Control

World’s first and only unified platform that delivers intelligent data protection and control for ALL information assets

Centralized policy, key management, logging and auditing

Data centric, persistent protection across datacenters, endpoints and into the cloud

Integrated perimeter data leakage prevention

Appliance based, Proven scalability and high performance

REV 0.1

Authentication Solutions

Authentication - Identity Protection

SafeNet’s strong authentication solutions help our customers meet organizational and end user needs, enable business growth and achieve compliance

Token Management System
Smartcard USB Tokens
SmartCards
Hybrid (OTP/SC/Storage) Tokens
OTP tokens
Software / mobile Authenticators

Strong Authentication


The Need


Passwords are:

Often easy to crack and easy to guess
Easy to steal: keystroke loggers, phishing attacks
Difficult to remember and use
The cause of high help-desk costs

24x7 secure access to sensitive business information

Digital signing of transactions

Secure PCs and laptops


The Authentication Portfolio


Token assignment, enrollment, revocation, update, replacement
Password reset/change
Auditing, Reporting
Self-service options
Integrated with AD/LDAP

SafeWord's seamless integration with a Microsoft infrastructure makes it simple to deploy two-factor authentication for VPNs, Citrix applications, Web applications, Webmail, and Outlook Web Access

The Authentication Portfolio

Certificate-Based (PKI)
USB devices
Certificate-based
Smartcards
Hybrid
OTP
Software
Mobile

eToken PRO
eToken PRO Anywhere
iKey 4000
iKey 1000
eToken PRO Smartcard
Smartcard 400
Smartcard 330
Smartcard 330M
eToken NG-OTP
eToken Flash
eToken PASS
eToken Virtual
MobilePASS: iPhone, BlackBerry, JAVA capable Phones, SMS

Hardware Security Modules

HSM - Transaction & Identity Protection

SafeNet’s Hardware Security Modules are the fastest, most secure, and easiest to integrate solution for protecting identities, applications and transactions

CA4
Luna PCM
ProtectServer Gold
Luna PCI
Luna SA / SP
ProtectHost EFT
Luna XML
Luna SX

What is a HSM, Why use one?


Security


Sensitive cryptographic keys and processes are stored, managed and
protected by dedicated hardware


Performance


Processing bottlenecks are eliminated with hardware cryptographic
acceleration


Auditability


Dedicated hardware provides a clear audit trail for all key materials


SafeNet brings together the HSM technology of three leading
companies to deliver an array of customer choice with regard to
features, certifications, performance and connectivity.


Introducing the Product Line

HSM Product Portfolio

Luna SA

High assurance enterprise-grade HSM
5,500+ ops/s
Certifications: FIPS 140-2 Level 3, CC EAL 4+
Full platform support
Secure remote administration
10/100 Ethernet interface
Extensive algorithm support
Supports partitioning
Hardware secured remote administration

Luna PCM

Portable, cost-effective PCMCIA HSM card for hardware key management and crypto acceleration
Versions for document signing, key export for registration of tokens, and signing and back up of key material to a token
FIPS 140-2 Level 2
Extensive algorithm support

Luna CA4

Root key HSM for true hardware key management
FIPS 140-2 Level 3 certified
Extensive algorithm support
Supports two-factor trusted path authentication
Supports common certificate authorities (Microsoft, Entrust, Verisign, RSA, etc.)

Luna PCI

Fast, high-assurance PCI HSM card for hardware key management and crypto acceleration
7,000 ops/s
FIPS 140-2 Level 3
Supports two-factor trusted path authentication
Extensive Algorithm support

HSM Product Portfolio

Luna XML

High assurance enterprise-grade HSM for XML environments
XML interface (WSDL) encapsulates crypto functions, enabling rapid integration development
FIPS 140-2 Level 3
Extensive algorithm support
No client required
2,200 ops/sec
OS independent
Secure remote administration
10/100/1000 Ethernet interface

ProtectHost EFT

High assurance HSM for financial payment systems
PIN generation & verification
Supports global payment processing, EMV, and Card Issuance APIs
1,200 Visa PIN Verify operations / sec
Certifications: FIPS 140-2 Level 3, CC
Easy GUI-based administration

Luna SP

Protected Application Execution Environment
5,500+ ops/s
Certifications: FIPS 140-2 Level 3
Executes sensitive application processing tasks.
Web service interface to application clients.
Signed code prevents unauthorised execution
Leverages tried and trusted Java security model
Hardware secured remote administration

ProtectServer Gold

Cost-effective high-assurance PCI HSM card for customizable hardware key management
Up to 600 ops/s
Easy GUI-based administration
Customizable interface
FIPS 140-2 Level 3
Extensive algorithm support
Secure remote administration

SafeNet HSM Product Range Overview


FIPS 140 Level 2 and Level 3

Network

Network

Network

Server

Embedded


PKCS 11, Java, CAPI

CCEAL 4+ (CA3)

20 x partitions, SSL acceleration

4500+/sec

4500+/sec

450/sec

7000/sec

PPO

PPO

Symmetric and Asymmetric

27/sec

Embedded

600/sec

Embedded

27/sec

CCEAL 4+

1200/sec

Server/Network

CCEAL 4+

PPO

EFT Command Sets

Principles of Best Practice

http://www.safenet-inc.com/library/

DataSecure Platform

File, Folder & Field Encryption

DataSecure is the industry’s most trusted platform to provide intelligent data protection for ALL information assets, both structured and unstructured, from the Datacenter to the endpoint and into the cloud.

DataSecure i450 and i150
Application/dB Connector Software
Centralized Policy and Key Management
Full Disk Encryption
File/Folder Protection

DataSecure - Data Encryption & Control

Mainframes
Web/App Servers
Endpoint Devices
File Servers


Software Libraries


Microsoft .NET, CAPI


JCE (Java)


PKCS#11 (C/C++)


SafeNet ICAPI (C/C++)


z/OS (Cobol, Assembler, etc.)


XML



Support for virtually all application and web
server environments

DataSecure Application Integration

Reporting Application

Customer Database

E-Commerce Application

DataSecure Database Integration


Database Connectors


Oracle 8i, 9i, 10g, 11g


IBM DB2 version 8, 9


IBM UDB version 8, 9


Microsoft SQL Server 2000, 2005, 2008


Teradata 12



Application changes not required



Batch processing tools for managing large
data sets



Vendor Transparent Database Integration


SQL Server 2008


Oracle 11g

Customer Database


DataSecure acts as the “vault” for sensitive data values and tokens, protecting them with strong encryption and key management

Token Manager replaces sensitive data with format-preserving tokenization via:

Secure Message Layer - SOA-based interface, callable from anywhere
Protected Zone - host of the Secure Message Layer, handles calling DataSecure and generating tokens

[Diagram labels: Protected Zone, DataSecure, Secure Message Layer, DataSecure, Token Manager]

DataSecure Tokenization

Tokenization: Store Sensitive Value

[Diagram labels: token manager, client application, SOA, datasecure, vault, protected zone, token generator, JVM, JDBC, ProtectApp Connector, token service, ORACLE, SQL SERVER, SSL]

Tokenization: Retrieve Sensitive Value

[Diagram labels: token manager, client application, SOA, datasecure, vault, protected zone, token generator, JVM, JDBC, ProtectApp Connector, token service, ORACLE, SQL SERVER, SSL]

SafeNet DataSecure Interface


DataSecure Platform



Centralized key and policy management



Comprehensive logging and reporting

Endpoint Protection with Centralized Key & Policy Management

ProtectFile PC

Granular folder and file-level encryption
Independent, password-based or token-based user access control
Key and policy management on DataSecure for end-user transparency
Encrypted files stored locally or on shared file servers

ProtectFile Server

Granular folder- and file-level encryption
Client users use native Windows access control
Key and policy mgmt on DataSecure for end user transparency

ProtectFile Architecture

End User Laptop

Network Shares

Corporate File Server





Enterprise scalability and redundancy



FIPS and CC certified

Finance Managers: get full access to confidential financial spreadsheets

Outside Auditors: get access to sensitive files remotely and offline, but need to get re-authorized by IT every 30 days to regain access. (Policy can be configured based on any set amount of time.)

IT Administrators: they get access to perform routine maintenance, but cannot see any files that have been encrypted (IT sees only cipher text).

Call center reps can encrypt credit card numbers for phone orders

Customer contracts sent to the call center are saved to a shared file server by the Call Center reps where they are automatically encrypted and strict access control is applied.

Market analysts are able to access and share their competitive analysis on seasonal opportunities in the Finance folder, but only see cipher text if they try to click on the spreadsheet with analyst salary information.


Create policies that align to lines of business


Granular policies can be defined to control access to
authorized users

ProtectFile Sample Policies

ProtectFile Features and Benefits


Features: Benefits

Full data lifecycle protection: Encryption of files on servers, laptops, removable media, email, mobile handsets, and virtually anywhere it travels

Auditor-approved, compliance ready solution: Centralized auditing and logging capabilities to monitor attempted access and changes to your keys, users and authorization policies.

Data-centric data protection: Secures the data itself, versus the perimeter or devices. Compatibility with cloud computing environments due to the data-centric approach of the solution

Highly scalable and redundant: Designed for and proven within large enterprises

Standards-based security: FIPS and CC certification for the DataSecure key manager

Flexible integration options: Password and PKI multi-factor authentication

Endpoint security including mobile data protection: Protects mobile devices using ProtectFile Mobile


Security

Full disk and removable storage media encryption
Pre-boot authentication; two-factor authentication support
FIPS 140-2 validated; Common Criteria EAL4
Robust encryption (up to AES-256)
Strong key management, optionally in hardware

Ease of Use

High performance - transparent to end user
Single sign-on for pre-boot and Windows logon

Ease of Management

Central management via Active Directory or ADAM
Large scale network installation using pre-set policies
Reporting for compliance and security auditing

The world’s highest rated and most cost-effective full disk and removable media encryption solution. Protects sensitive data and ensures compliance with the lowest operating costs.

Protect Drive

Perfect 5 Star Review From SC Magazine

SafeNet ProtectDrive

Pre-boot Authentication

If smart card and password logon has been enabled, the user inserts a smart card or presses Enter.

After inserting his smart card the user only needs to enter his PIN.

For password logon the user enters his Windows user credentials.

Broad Platform Support


ProtectDrive: The only disk encryption solution with a track record of successfully protecting servers, including RAID arrays, as well as laptops and workstations.

Smart Phone Support

ProtectMobile supports Windows Mobile today, with 1H 2010 additional support of Apple iPhone, Symbian, Palm

AD/ADAM Management

Leverage what your organization already knows (Active Directory) to speed up deployments and reduce ongoing management costs.

Other solutions merely link to AD, whereas ProtectDrive integrates with AD/ADAM.

Token / Smart Card Support


Tokens:

SafeNet eToken Pro
eToken Pro Anywhere
NG-FLASH
NG-OTP
SafeNet iKey 2032
SafeNet iKey 1000
SafeNet iKey 4000
RSA SID800

Cards:

SafeNet
CAC/PIVII
ActivIdentity
CardOs cards
Schlumberger
Cyberflex
SafeNet SC330; SC 400
And MANY others

SafeNet is the only vendor providing tokens/smart cards and disk/file encryption, ensuring long term support and compatibility.




No integration worries; no vendor finger-pointing over issues; one contact point for ongoing support

Passwords are less secure than two-factor authentication

At pre-boot, token/smart card credentials provide authentication for OS log in

Certificate-based authentication provides non repudiation and other forensic capabilities

Biometric/Smartcard Authentication

ProtectDrive also supports match-on-card biometric authentication

SafeNet ProtectDrive


Seamless integration with Active Directory or ADAM


Immediate familiarity


No additional servers/applications to install and manage


100% hard drive encryption by partition or full disk


All data encrypted, registry, temp files, master file table, partition boot record, ...


Wide operating system support


Windows XP, 2000, 2003, 2008 R2, Windows Vista, Windows 7


Rapid Recovery


A suite of recovery tools which enable the safe recovery of a ProtectDrive system in as little as three minutes


Token Support


Support a wide range of PKI tokens, including the eToken Pro, eToken Pro Anywhere, NG-FLASH and NG-OTP

Network & WAN Encryption


SafeNet offers Layer 2 encryption solutions

Layer 3 solutions (IPSec) are now absorbed into routers

Why layer 2? …


SafeNet WAN Encryption

Why Layer 2?


Lowest Cost of Ownership

Better Bandwidth Efficiency (up to 50%)
Minimal Ongoing Maintenance - Routing Updates Transparent to Encryption
Lowest Cost Solution for Aggregation of Many Sites

Maximum Performance

Low Protocol Overhead
Low Latency
Eliminates Complex QoS Schemes

Enterprise Scalability

Fast Reliable Network Integration
Simple Architecture Scales to 1000’s of Devices
Layer 3 Transparent
All L3 Protocols Supported (IPv4, IPv6 and Legacy)

Layer 3 Competition

Improved Performance

Source: Rochester Institute of Technology

With The Typical Traffic Profile More
Than 50% of Bandwidth Can Be Lost

Simplified Management

[Diagram labels: Transport, Router, Carrier Edge Router, LAN, Operations Center, Disaster Recovery Location, Operations Center, IPSec Encryptor]

Every time something changes here… Security Policy has to be updated here… and here… and here!!!

This creates the potential for network outages and security vulnerabilities

Simplified Management


[Diagram labels: Layer 2, Transport, Customer Premise Router, Layer 2 Encryptor, Carrier Switch, LAN, Operations Center, Disaster Recovery Location, Operations Center]

When something changes here… or here… or here!!! nothing changes here…

No administrative burden, no outages and no security policy changes

Company Confidential

Best Fit for Layer 2 Encryption



Ethernet Encryption



SONET Encryption



Ethernet Encryption

10/1G

100/10M

Security Management Center II


Lowest Cost of Ownership

Easy Installation and Simple Ongoing Management
Intuitive web-based GUI
Virtualization Support with VMWare and Solaris Zones

Secure Operations

Full Audit and Event logging and Reporting
Secure Remote Management and Encrypted Communications
Integrated Key Manager with Optional Hardware-Security

Scalability / Reliability

Simple Management Design for Thousands of Encryptors
Rapid Deployment Tools for Large Installations
Enterprise Class High-Availability Features

SMC II Is The Only Truly Enterprise Class Encryptor
Management Platform

SafeNet Ethernet Encryptor


Lowest Cost of Ownership

Simple Deployment and Low Maintenance
Compatible With All Ethernet Topologies
Remote Configuration and Monitoring

Maximum Performance

Line Rate AES-256 Encryption Up To 10Gbps
No Protocol Overhead and Low latency (< 5 μs)
Hitless 2048-bit Key Exchange

Enterprise Scalability

Full-Mesh Connections Up To 512 Devices
Available Line Rates Include 10M, 100M, 1G and 10G

The Only Complete Family of Ethernet Encryptors for All Performance Levels to Secure Ethernet Networks

FIPS 140-2 Level 3 Certified

SafeNet SONET Encryptor


Lowest Cost of Ownership

Simple Deployment and Low Maintenance
Line and Path Modes of Operation
Remote Configuration and Monitoring

Maximum Performance

Line Rate AES-256 Encryption Up To 10Gbps
No Protocol Overhead and Low latency (< 5 μs)
Hitless 2048-bit Key Exchange

Enterprise Scalability

Full-Mesh Connections Up To 512 Devices
OC3, OC12, OC48, OC192 Interfaces Available

The SafeNet SONET Encryptor is the World's Most Widely Deployed Solution for Protecting SONET and SDH Networks

FIPS 140-2 Level 3 Certified

Content Security

The need for Content Security



Static content



Limited bandwidth



Dynamic HTML



Web-based applications

Increased bandwidth

User-generated content

Evasive web applications

Unlimited bandwidth

Internet Evolution

Threat Evolution

Solution Evolution

Web/Mail AV

Intelligent, Scalable Secure GW

URL Filter

Professional Spammers, Fraudsters

Organized eCrime

Amateur fame driven

Web 0.1: 1995-2001

Web 1.0: 2002-2006

Web 2.0: 2007-2010

Firewalls and VPNs control who enters

Content Security controls what enters

Web (Spyware, Malware, Inappropriate browsing, IM, P2P, Tunnelling, Information loss) & Email (Spam, Phishing, Viruses, Malware)

The need for Content Security

eSafe Product Family

eSafe Web Security Gateway

Includes Anti-malware, Anti-virus and Application Filtering. Inspects HTTP and FTP traffic.

Performs real-time deep content analysis of Web 2.0 content


Proactively identifies all malicious scripts and malware


Strips only the threats, keeps the rest of the web content intact


Zero impact on user experience



Control Internet traffic, over 500 apps, e.g. web 2.0, P2P, IM, etc.


Enforce application usage policies & control malicious communications


Detects application protocols on any port


Prevents Remote Control


Prevents Protocol Tunnelling



Blocks all known and unknown anonymous proxies

eSafe Web Security Gateway Plus

Includes Anti-malware, Anti-virus, Application Filtering and Web Filtering (URL Filter). Inspects HTTP and FTP traffic.

PLUS

eSafe Product Family



Controls access to inappropriate, non-productive, and potentially malicious sites


Effectively enforce acceptable web use policy


70 different categories


More than 100 million categorized sites


Up to 150,000 new or revised daily updates

eSafe Web Security Gateway SSL

Inspection of encrypted HTTPS/SSL web traffic.

eSafe Product Family


Scanning of incoming and outgoing SSL encrypted traffic



Ensure policy enforcement and protection on SSL encrypted traffic



Decrypts/encrypts HTTPS/SSL traffic on the fly



Validates certificate policies, issuers, revocations

eSafe Mail Security Gateway

Includes Anti-malware, Anti-virus and Anti-spam. Installed as SMTP relay in DMZ.

eSafe Product Family



Dual anti-spam engine blocks 99% of spam

Proactively blocks malware and zero-hour outbreaks



Strips phishing elements from email messages



Self Management SPAM Quarantine, dramatically reduces administration
overhead

eSafe Reporter

Extended Reporting tools with detailed and analytical enterprise-class reports with 240 pre-defined reports

eSafe Product Family


Centralized Dashboards



Centralized Configuration



Centralized Analysis

Data Loss Prevention:

Classification, Enforcement & Monitoring

eSafe Product Family


Classification


20 out-of-the-box DLP libraries


Coverage for over 150 file types including:


All MS Office, Open Office, and PDF files


HTML, email, and source code files


Archived files



Enforcement


Log only


Block attachments or file upload


Archive for later investigation


Alert notification to administrator


Send email with attachment to administrator

Flexible & Scalable Deployment


Flexible Deployment Options


Inline, Bridge, Router and Proxy deployment modes

Multiple Form Factors

Virtual appliance
VMWare
Purpose-built appliances

Reliability & High Availability

Cluster solutions for high availability and redundancy
Integrations with 3rd party Load Balancers
Redundant components on eSafe appliances