Download presentation
Presentation is loading. Please wait.
Published byHengki Chandra Modified over 6 years ago
1
RSA Key Manager Enterprise-wide Encryption Keys Management David Mateju RSA Sales Consultant
2
RSA – The Big Picture information Encryption
Store, Transport IT infrastructure information Access Authentication, Authorization, Anti-fraud Solutions DLP Data Loss Prevention SIEM Security Information and Event Management
3
RSA Encryption and Key Management Suite
RSA – The Big Picture RSA Encryption and Key Management Suite RSA Access Manager RSA Federated Identity Manager RSA SecurID RSA Digital Certificate Solutions RSA Identity Protection and Verification Suite IT infrastructure information RSA Data Loss Prevention Suite RSA enVision Platform
4
Encryption Commonly Used to Protect Sensitive Data Throughout Infrastructure
Application Based DB or File Based Host Based SAN Based Encryption can be applied in many ways to protect sensitive data from the many threats it faces. Through widely used tools such as Secure Sockets Layer, for example, encryption is a core technology for protecting data as it moves across a network. But in this presentation, I’d like to focus on encryption as it’s used to protect data at rest. Encryption can be deployed at various levels, depending on the threats one is most concerned about. For example, if the primary issue is to protect sensitive data when storage is being re-purposed or serviced, then platform-based encryption implemented in a storage array or in an encrypting tape drive is an excellent solution. Implementing encryption at the Storage Area Network, or SAN level, such as with EMC Connectrix solutions, provides protection against similar threats, but with the benefit of implementing and managing the encryption in fewer places. Implementation at the host level, such as with EMC PowerPath, protects against additional threats such as interception of data as it moves from the host to storage. Encryption at the database or file level provides finer-grained protection, enabling selective encryption of files to enforce access privileges for those files. Finally, encryption at the application level, such as with RSA BSAFE provides the greatest control over exactly which data elements are encrypted. With this context in place, let’s look at the RSA encryption solutions in more detail. Platform Based Clients LAN SAN WAN Servers
5
RSA Key Manager Enterprise-Wide Key Management
RSA Data Security System Briefing 18-Sep-18 RSA Key Manager Enterprise-Wide Key Management Apps/DB FS/CMS Storage Our enterprise key management system referred to as RSA Key Manager, can be thought of as a central, enterprise-wide, encryption management system. It provides 5 main services, all wrapped around a policy based interface. Those services are generating keys, securely distribute keys, vault keys, life cycle keys and monitor and audit keys. All again wrapped around a policy based interface which allows you to define these five elements for various policies and then implement those across multiple encryption points. RSA Key Manager (RKM) 1. Generate Keys 2. Securely Distribute Keys 3. Vault Keys 4. Expire / Turnover Keys 5. Monitor + Audit Policy-based Interface 5 - Confidential - 5
6
RSA Key Manager Solutions
RSA Data Security System Briefing 18-Sep-18 RSA Key Manager Solutions RKM Server RSA Key Manager with Application Encryption RSA Key Manager for the Datacenter With RSA Key Manager, we provide enterprise wide key management. With RSA Key Manager with Application Encryption, sensitive data can be encrypted within the application at the point of capture. We offer comprehensive platform and language support for our application encryption clients with support for Linux, Mainframe, Unix, and Windows clients. With RSA Key Manager for the Datacenter, we provide key management for encryption solutions from RSA, EMC, and third parties. In both cases, the RSA Key Manager Server can be leveraged for centralized key management across the enterprise. Application Encryption Client Integration modules EMC & 3rd party encryption Sensitive data encrypted within applications at point of capture Application Encryption Clients- Comprehensive platform and language support C, Java, .NET, Cobol, CICS Linux, Mainframe, Unix, Windows Encryption performed using RSA BSAFE® technology Integrates with host, SAN switch, and native tape encryption solutions from RSA, EMC, and third parties Current integrations include PowerPath, Connectrix/Cisco, Oracle and Native Tape 6 - Confidential - 6
7
RSA Key Manager with Application Encryption
RSA Data Security System Briefing 18-Sep-18 RSA Key Manager with Application Encryption Request encryption key RSA Key Manager Server Request Key Payment Processing Request CC# One of the benefits of RSA Key Manager with Application Encryption is that it helps customers comply with PCI requirements for encryption and key management while facilitating the sharing of encrypted data. In this example, [click 1], credit card data is captured at a point of sale terminal at a retail branch. [click 2] The POS terminal will request an encryption key if the key is not cached locally in memory or on disk. [click 3] The credit card data is now encrypted. Since the credit card data is encrypted at point of capture, it is then protected as it sent over the network. [click 4] However, access to the credit card data may be required by the returns application. [click 5] Again, the return application can request an encryption key from the RSA Key Manager Server if the key is not cached locally or in memory on disk. [click 6] As an application that has permission to decrypt the data, a key is granted and the credit data can be read. Without a centralized key management solution like RSA Key Manager with Application Encryption, in many cases, customers will need to maintain silos of encryption across the IT infrastructure. This becomes very difficult and expensive to manage plus it creates more risk that encryption keys can be compromised. Benefits of RSA Key Manager for Retail Use Case Credit card number protected in transit and at rest (Best practice: Encrypt at point of capture) Secure key storage and distribution Lifecycle key management Restricted access TevpWURkQOyHTlJVlHeT2A== TevpWURkQOyHTlJVlHeT2A== Returns Local Store Capture Card Info Request encryption key if not cached locally in memory or on disk Encrypt Card Data Request Credit Card Data Return unencrypted data to user 7 Datacenter Operations - Confidential - 7
8
RSA Key Manager with Application Encryption
RSA Application Encryption Client RSA Key Manager Server Application HMAC Encrypt Decrypt GetKey Key Cache RKM Server (available as SW or Appliance) The RSA Key Manager with Application Encryption consists of two major components – a client that is embedded with the application (a Point of Sale Application in this example) and the RSA Key Manager Server. The server is where the encryption keys are securely generated and stored. The communication between the client and server is over a mutually authenticated and secure SSL connection.
9
RSA Key Manager Application Encryption Client Supported Platform Matrix
10
Heterogeneous Storage System Encryption
RSA Key Manager for the Datacenter Host-based Encryption – EMC PowerPath RKM Server Any Host EMC Storage PowerPath Encryption Name: XYZ SSN: Amount: $123,456 Status: Gold @!$%!%!%!%%^& *&^%$#&%$#$%*!^ Heterogeneous Storage System Encryption
11
Active Keys (in Fabric)
RSA Key Manager for the Datacenter SAN Fabric-based Encryption – Cisco / EMC Connectrix MDS Cisco Fabric Manager RSA Key Manager API Active Keys (in Fabric) Key 1 Key ‘n’ Key 2 Key 3 Encryption takes place in the SAN switch Encryption management integrated into MDS Fabric Manager Integrates with RSA Key Manager for comprehensive encryption key lifecycle management
12
RKM for the Datacenter: Solution Overview
Encryption Source Interoperability/ Support PowerPath Encryption with RSA Host EMC Symmetrix, CLARiiON Solaris, Windows, AIX, Linux, HP-UX (2H) Cisco/Connectrix MDS Storage Media Encryption with RKM SAN Fabric Cisco MDS-enabled platforms (9200 and 9500 series), 9222i switch; Requires 18/4 Port Multiprotocol Services Module IBM Native Tape Encryption with RKM Tape Drive IBM TS1120 Tape Drives; TS3400/3500 Libraries; IBM Encryption Key Manager (EKM) Let’s highlight our upcoming solution offerings for RKM for the Datacenter. We should note a few fundamental differences about our different offerings. Many customers will know upon initial conversation which encryption sources they wish to address. PowerPath Encryption with RSA, supported by PowerPath code version 5.2, conducts encryption in the host. Note that PowerPath multipathing is not required to be licensed on the host in order to deploy the V5.2 encryption code. RKM is required as part of the encryption and key management solution. Cisco MDS Storage Media Encryption is conducted in the SAN Fabric and supports SME-enabled MDS switches in the 9200 and 9500 series. The new 9222i switch is offered by Cisco for interoperability with SME. An 18/4 Port Multiprotocol Services module is required for SME. Encryption is integrated into the MDS Fabric Manager and interoperates with RKM. You will be able to sell this solution in two ways: directly through RSA and through EMC with Connectrix, which is our Cisco OEM. RKM is an optional addition to the Storage Media Encryption solution. Encryption for IBM TS1120 tape libraries is conducted natively in the tape drive. IBM Encryption Key Manager (EKM) is the only IBM key management product supporting the TS1120 solution. Additional upcoming solutions include RKM support for File Security Manager for file system security and native database encryption support for Oracle Transparent Data Encryption (or TDE).
13
RSA Key Manager Server – Software Supported Platform Matrix
Scenario 1 Scenario 2 Scenario 3 Scenario 4 Operating System Windows® 2003 Server R2 (Intel® x86 32-bit) Red Hat® Enterprise Linux® AS 4.0 (Intel x86 32-bit) Solaris™ 9 or 10 (UltraSparc v9 32-bit) App Server Apache Tomcat WebLogic™ 9.0a WebSphere® 6.1 WebLogic 9.0 Web Server IIS 6.0 Apache HTTP Server b Apache HTTP Server DB Server SQL Server 2005 Oracle® 10G Release 2 RAC RSA Access Manager Access Manager 6.0 Clear Trust Agent 4.7 JVM Sun JRE™ 1.5 IBM JRE 1.5 Sun JRE 1.5 HSM nCipher™ netHSM™ Firmware: CipherTools: Support Utilities: 10.15 SafeNet Luna SA Firmware: 4.6.1 SafeNet Luna PCI 3000
14
RSA Key Manager Server – Appliance
Preinstalled server OS: rPath Linux App Server: Apache Tomcat Web Server: Apache Database: Oracle Std Edition JVM: Sun JRE 1.5 OS – CAP is the RSA Common Appliance Platform. This team is building appliance infrastructure for all EMC products. Apache Tomcat Apache Web Server 2.0.61 Oracle® Standard Edition, 10G including Oracle Data Guard Previously a Linux / Tomcat / Apache / Oracle platform was not supported. The platform was picked for a number of reasons: Feedback that customers would have security concerns about a Windows platform. Neither RSA nor EMC had a standing relationship with BEA or IBM for the use of their Application server. RSA has a very strong relationship with Oracle and an agreement for both product licensing and support. RSA Key Manager Note that will work with RKM client 2.2 HSM. This prevents us from shipping an HSM today. The Server can be configured to work with an external HSM, just as our product can today. Licensing / Freeware – All products shipped with the RKM H/W server are fully licensed. RSA Access Manager 6.0
15
RSA Key Manager for PCI Compliance
Requirement How RKM App Encryption Addresses It PCI Strong Encryption Keys Symmetric Key Generation Industry Strength Algorithms AES, 3DES, HMAC PCI Secure Key Distribution Mutually authenticated server communication via SSL PCI Secure Key Vaulting Secured Key Storage Restricted Access to Key Manager Server Tiered admin rights (Super, User, Key) No Administrator has access to key material PCI Periodic Changing of Keys/ Key Lifecycle management Deletion of unused or compromised keys Compliant to National Institute of Standards and Technology (NIST) recommendations PCI Destroy unused / compromised keys Key Policy Definition Key Expiration Key Rotation Support for Key Attributes Key Usage Audit and Logs Provides PCI audit trail by logging all events PCI requirements related to encryption calls for Strong encryption keys to be used. Secure distribution of encryption keys between the various encryption clients and the Key Manager server. Secure vaulting of all encryption keys Periodic changing of keys Deletion of unused or compromised keys Above all this, PCI requires that customers maintain detailed key usage audit logs that can be used to prove compliance to various regulations that call for encryption of sensitive data Now let us take a look as to how RSA Key Manager with application encryption solves each of these requirements RKM generates keys that are suitable for use with industry standard algorithms such as AES and Triple DES either for generating keys used for encrypting and decrypting data or for generation of message authentication code. All keys are randomly generated on the RSA Key Manager Server. The contents of the key are not disclosed to administrators. Administrators reference keys by name and assign them to security policies. Given that the key is needed to encrypt and decrypt data, the key needs to be made available to all of the Key Manager Clients. This means that the key has to be distributed from the Key Manager server to the clients on an as needed basis. RSA Key manager securely distributes the key between the server and the clients using mutually authenticated SSL channel. SSL is the same secure technology that is used by applications such as online banking. Key Manager Server is the centralized server component of a Key Manager deployment. The Key Manager securely stores all symmetric encryption keys that are generated for application encryption. Encryption keys are concatenated with a SHA‐256 digest of the data, encrypted, then stored in the Key Manager Server database. The encryption is done using a Key Encryption Key (KEK), which is stored either protected in memory or on a dedicated Hardware Security Module (HSM). The access to the keys are restricted to only approved administrators through the concept of separation of duties. The administrators are classified as Super administrators - who have access to all administrative functions and all policy information but they do NOT have access to the key material User administrators - who can create key administrators, application groups and set up RKM clients who need to access the server, but they do not have access to any of the crypto policies and key material and Key Administrators : who create and manager crypto policies and manage the lifecycle of encryption keys. They do not have access to the key material either. To emphasize, none of the administrators have access to the key material. RSA Key Manager provides support for the following life cycle management functions: Define cryptographic key policies based on your company’s security policies. The key policy defines the algorithm to be used for generation of the key and also the duration of the key. Key expiration: Administrators can set up a time to live period for keys. When such a time period is completed, the key is automatically expired and a new key is generated. Key rotation: Key rotation is the process where an encryption key is periodically changed based on a policy, usually driven by regulatory requirements. RKM can automatically rotate keys based on the defined cryptographic policies It is possible to add metadata to an encryption key vaulted in the RSA Key Manager. Attributes allow additional information to be associated with encryption keys. For example, you can associate the name of the application that vaulted the encryption key or the name of the department that is using the application that uses the encryption key All unused or compromised keys can be deleted using the RSA Key Manager. If a key is compromised, it will no longer be able to encrypt new data but it will still be available to decrypt existing data that was encrypted using the compromised key. This means you will not lose the data that was encrypted using the compromised key. When encryption is used to comply to regulations such as PCI or PII, auditors require proof of compliance. RSA Key Manager provides valuable key usage audit logs that captures all the run time operations on the RKM Server such as key generation, creation of new key policies and also any errors generated by the server in the event of an abnormal operation. This can then be used to prove compliance – proof to auditors that you indeed did what you said you did
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.