1 © SafeNet Confidential and Proprietary SafeNet KeySecure with Luna HSM Management.

Presentation transcript:

1 © SafeNet Confidential and Proprietary SafeNet KeySecure with Luna HSM Management

2 Why Is Centralized Key Management Needed? The Unmanageable Cost of Diverse Encryption Systems
Challenges:
• Time: Managing diverse encryption systems manually decreases operational effectiveness while increasing risks
• Data Loss / Operational Disruptions: Up to 39 percent of organizations who have experienced key loss also lose data permanently or disrupt business operations.
• Proof of Compliance: Demonstrate which appliances, devices, applications are using encryption keys and where they are geographically located
• Maintenance Costs: Heterogeneous systems mean no economy of scale for maintenance costs. Each encryption system and key management solution could have 15-20% annual maintenance fees.
* Source: Trust Catalyst, 2009 Encryption & Key Management Industry Benchmark Report
According to Gartner: “by 2015, 30% of organizations under regulatory mandates will not have deployed some form of encryption to secure data assets, and 50% will suffer data loss and/or experience regulatory sanctions”. *

3 Pain Points of Decentralization
• Limited Administrative Transparency
  - Fragmented policy and fragmented key management
  - Differing hardware, policies, devices in different business units within the enterprise
  - No clear view of keys and key states on the HSM
• Operational Inefficiencies
  - Key management is an after-thought
  - Manual audit reviews
  - Require different administrative functions for key management – admin skill sets
  - Multiple key vaults in multiple locations
• Audit Deficiencies & Failures
  - Irregular key rotation
  - Compliance (NIST , PCI-DSS, etc.)
“…organizations should exert significant pressure on cryptographic solution vendors to support the cryptographic keys in their systems being open to management by third-party OASIS-KMIP-compliant key managers. Without this, organizations will continue to have a siloed key management approach with each and every encryption deployment.”

4 Why Should Customers Choose SafeNet?
• SafeNet KeySecure manages a diverse range of cryptographic key types.
• KeySecure benefits from a clear vision leading to full support of KMIP, which will enable management of a large number of encryption solutions and vendors.
• Only SafeNet KeySecure can provide OASIS KMIP integration with Luna SA/PCI and other KMIP-based platforms.
• Our solution is application agnostic, meaning applications do not need to be tailored to work with KeySecure.
• In addition to HSM management, KeySecure features comprehensive coverage for storage and archive encryption.
“To date, only one major cryptographic vendor that possesses its own key manager offering has suggested as part of a road map discussion that it would tentatively support a third-party OASIS KMIP-compliant key manager managing its cryptographic keys.” ~ Eric Ouellet, Analyst, Gartner

5 Drivers for Our Success in the HSM Space
• Mitigate RISK with a defense in depth approach to hardware and system design
• COST: Offer cost-effective hardware solutions that can secure keys for multiple concurrent applications on a single appliance
• USABILITY: Provide distinct operational roles and remote management capabilities for maximum flexibility in a wide range of organizations
Helping customers successfully achieve the correct balance of risk mitigation, cost effectiveness and usability

6 KeySecure in HSM Environments
• Mitigate RISK by empowering a centralized administrative team with tools that provide a real time view of the infrastructure and ensure consistent security policy enforcement
• COST: Offer solutions that enable our customers to manage and monitor their existing HSM centrally, for reduced administrative costs
• USABILITY: Provide a streamlined and intuitive user interface that facilitates HSM management and simplifies the audit process
Helping customers successfully achieve the correct balance of risk mitigation, cost effectiveness and usability
KeySecure provides a centralized view of all the keys in an enterprise, including the association between encryption keys and the applications using these keys, as well as key metadata such as the creation date of the key.

7 Mapping the Feature Set of KeySecure

8 Centralized Administration of SafeNet HSMs with KeySecure
[Diagram labels: HSM With Multiple Partitions; Audit Log; Key Secure; Application + HSM with EKM Client; Database + HSM with EKM Client; Initialization; Activation; KeySecure Web Browser; KMIP]
KeySecure:
• Centrally see all keys created and used by HSM
• Stores and manages key attributes
• Centralized audit for compliance

9 KeySecure 6.1 and HSM EKM Client Features
• Key Monitoring: Provides a real time view of key state, location, and type. Some attributes can be changed to facilitate greater organization or the consolidation of key management systems over time.
• Remote Key Foundry: Enables customers to centrally initiate remote key creation, modification and deletion. Key foundry will allow organizations to assign oversight of HSMs and their respective keys to a few experienced, trusted, and centralized administrators.
• Automated Client Registration:
  - Streamlines the client registration process
  - Clients can be installed and configured over a period of time
  - Most of the registration process is completed automatically
  - Registration approval is performed asynchronously by the KeySecure administrator. This is to allow administrators to match the fingerprints of the certificates to enhance the security of the overall solution.
Supported Key Types:

10 Key Monitoring: Improved Insight and Security Through Monitoring of Key Attributes
[Diagram labels: SafeNet Management Console; Key Secure]
Meta-Data Fields: Unique ID, Algorithm, Primary Key Name, Creation Date, Other Key Names, Key Format, Owner Username, Policy, Object Type, Key Size
Logged Events: Key Creation, Key Deletion, Key Modification
Attribute Descriptions: Sign, Verify, Encrypt, Decrypt, Wrap Key, Unwrap Key, Derive Key, Content Commitment, CKA_EXTRACTABLE, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE*, CKA_MODIFIABLE, CKA_PRIVATE, CKA_SENSITIVE*
• KeySecure logs events, providing valuable information for an Enterprise to act upon
• Reports key creations/deletions by the application and sends key metadata information to KeySecure
• View key status on demand
• Monitor for: Key Creations, Key Deletions, Key Modifications
KeySecure provides on demand and real-time monitoring of HSM key activity throughout the enterprise, or one or more business units. KeySecure reports events, such as key creations, deletions, and modifications, enabling customers to detect unauthorized activity and manually take the steps necessary to mitigate any potential security threat.

11 Remote Key Foundry: Centrally Invoking Key Creation in SafeNet HSMs
[Diagram labels: HSM with Multiple Partitions at Remote Office/Data Center; Security PC Logon; VPN Clients; SSL Client Certificates; Create Key Using Template 1; Create Key Using Template 2; Create Key Using Template 3; Create Key Using Template 4; Key Secure; Central Management Location; Trusted Security Expert(s)]
1 Trusted Security Expert uses KS management console to select appropriate key attributes/template and begin invocation process.
2 HSM partition creates key and transmits key meta data back to KS
3 Key meta data can be viewed/managed through the KS management console
Remote Key Foundry enables customers to centrally initiate remote key creation, modification and deletion, and will allow organizations to assign oversight of HSMs and their respective keys to a few experienced, trusted, and centralized administrators.

12 Automated HSM Registration
[Diagram labels: SSL Tunnel; Certificate Required; Signed Cert (but not yet authorized); Install EKM Client; Authorize Partition ID; Central Management; KeySecure; KeyArchive; Backup / Archive; Audit Log; Policy alarms; HSM; KMIP Client (In Future Releases)]
• Installation software prompts installation technician for configuration information: IP address of KS, HSM user PIN, policy settings
• Client automatically sets up the SSL tunnel
• Client automatically creates certificate in HSM, sends it to KeySecure, and sends cert request
• KeySecure sends a signed, but unauthorized cert to client
• Client sends an authorization request to KeySecure along with a Partition ID for identification
• KS Admin verifies request with out of band information (including partition ID), and accepts registration
KeySecure centralizes and automates the client registration process. This ensures only authorized HSM clients are supported with KeySecure for greater security and administrative control.
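The administrator's out-of-band check in the registration flow above, sketched as an added example (not SafeNet code and not KeySecure's API): a signed-but-unauthorized registration is accepted only when the partition ID and certificate fingerprint received over the tunnel match the values obtained through a separate channel. The record layout, function names, SHA-256 fingerprint form, partition IDs and sample bytes are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, lowercase hex (assumed fingerprint form)."""
    return hashlib.sha256(cert_der).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AA:BB:...' or 'aa bb ...' as relayed by the installation technician."""
    return fp.replace(":", "").replace(" ", "").strip().lower()

def same(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

@dataclass
class PendingRegistration:          # hypothetical record, not a KeySecure structure
    partition_id: str               # partition ID sent with the authorization request
    cert: bytes                     # client certificate as received over the SSL tunnel
    state: str = "signed-unauthorized"

def review(reg: PendingRegistration, oob_partition_id: str, oob_fingerprint: str):
    """Decide on a registration using values obtained out of band."""
    expected = normalize(oob_fingerprint)
    if reg.state != "signed-unauthorized":
        return "rejected", "not awaiting authorization"
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return "rejected", "malformed out-of-band fingerprint"
    if not same(reg.partition_id, oob_partition_id.strip()):
        return "rejected", "partition ID mismatch"
    if not same(fingerprint(reg.cert), expected):
        return "rejected", "certificate fingerprint mismatch"
    reg.state = "authorized"
    return "approved", "partition ID and fingerprint match"

# Constructed sample input: placeholder bytes standing in for DER certificates.
GENUINE_CERT = b"constructed certificate bytes: partition PART-0001"
SUBSTITUTED_CERT = b"constructed certificate bytes: substituted in transit"

def demo():
    fp = fingerprint(GENUINE_CERT).upper()
    relayed = ":".join(fp[i:i + 2] for i in range(0, 64, 2))  # colon-separated form
    swapped = PendingRegistration("PART-0001", SUBSTITUTED_CERT)
    genuine = PendingRegistration("PART-0001", GENUINE_CERT)
    return [review(swapped, "PART-0001", relayed),
            review(genuine, "PART-0002", relayed),
            review(genuine, "PART-0001", relayed),
            review(genuine, "PART-0001", relayed)]  # second approval attempt
```

A failed review leaves the record in its signed-but-unauthorized state, so a mismatch never grants access and the request can be re-checked once the discrepancy is explained.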

13 KeySecure Enhances this Balance!
LOWER TOTAL COST OF OWNERSHIP / EASE OF USE / RISK MITIGATION
• Empower a Centralized Administrative Team
• Ensure consistent security policy application across an enterprise
• Centralized view of HSMs, keys and Key States
• GUI Interface
• Reduced Dependency on PED Devices
• Reduced administrative costs
• Streamlined HSM setup process
• More efficient audit process
Helping customers successfully achieve the correct balance of risk mitigation, cost effectiveness and usability

14 Thank You!