Database Encryption and HSMs - DOAG

Date post: 16-Oct-2021
Page 1: Database Encryption and HSMs - DOAG

Database Encryption and HSMs

Andreas Gatz

Principal Consultant, Professional Services EMEA, [email protected]

SIG Security Conference, Leipzig

07. Sept. 2011

Page 2: Database Encryption and HSMs - DOAG

Agenda

• SafeNet Products and Solutions for Database Encryption and their general functionality
  • Luna SA and DataSecure
  • Oracle with Luna SA HSM (TDE)
  • Oracle with DataSecure (TDE, Column Encryption, Tokenization)
  • Positioning the different solutions, SafeNet's paradigm: "Keys in Hardware"
• Demo: Oracle with DataSecure
  • Configuration, Key and User Management
  • Operation, Key Rotation
  • Audit, Backup/Recovery

Page 3: Database Encryption and HSMs - DOAG

SafeNet Fact Sheet

Founded: 1983
Ownership: Private
Global Footprint: more than 25,000 customers in 100 countries
Employees: Over 1,500 in 25 countries, recognized security technology leadership, over 550 security engineers strong
Accredited: with products certified to the highest security standards

SafeNet is exclusively focused on the protection of high-value information assets.

SafeNet protects:
• Money that moves: Electronic intrabanking transfers -- $1 trillion a day (Swift)
• Digital identities: PKI identities for governments and F-100 companies
• High-value software: 80 million hardware keys
• Classified information: Government communications security

Page 4: Database Encryption and HSMs - DOAG

Company Business Areas

Solutions:
• Identity protection and verification
• Transaction protection and proofing
• Data encryption and control
• Communication infrastructure protection
• SW Anti-Piracy Protection
• SW License Entitlement & Mgmt

Markets:
• Enterprise
• Government
• Software Publishers
• Service Providers
• Device and Equipment Vendors

Page 5: Database Encryption and HSMs - DOAG

Available Database Encryption Technology

Page 6: Database Encryption and HSMs - DOAG

Application Level Encryption

Diagram: App Server (APP LAYER: the application calls the Crypto API, which talks to the Crypto Service; OS LAYER) and DB Server (DB LAYER; OS LAYER); keys are served by DataSecure.

+ Addresses wide range of confidentiality threats
+ Granular encryption control
− Not application transparent
+ SafeNet enhancements: Keys in Hardware, millions of keys, versioned keys, audit trail, LDAP & MS-AD integration

Page 7: Database Encryption and HSMs - DOAG

Database Level Encryption

Diagram: App Server (APP LAYER; OS LAYER) and DB Server (DB LAYER with the Crypto Service doing enc/dec; OS LAYER); master keys are held in DataSecure or Luna SA.

+ Application transparent
+ Encryption processing central – not spread amongst applications
− Performance impact on DB server
+ SafeNet enhancements: takes Oracle wallet (keys) into Hardware, key migration, audit trail

Page 8: Database Encryption and HSMs - DOAG

OS Level Encryption

Diagram: App Server (APP LAYER; OS LAYER) and DB Server (DB LAYER; OS LAYER, where the Crypto Service and an Encryption File System Driver in the I/O sub-system do enc/dec); master keys are held in DataSecure.

+ Application transparent
− No separation of duties on database layer
− Attention: privilege escalation
+ SafeNet enhancements: Keys in Hardware, versioned keys, audit trail, LDAP & MS-AD integration

Page 9: Database Encryption and HSMs - DOAG

Crypto Service Level Encryption

Diagram: App Server (APP LAYER; OS LAYER) and DB Server (DB LAYER calling the Crypto Service through external procedures, "Ext. Procs"; OS LAYER); keys are served by DataSecure.

+ Encrypt only sensitive columns
+ DML transparent
− Eventually not DDL transparent
+ SafeNet enhancements: Keys in Hardware, millions of keys, key migration, audit trail, LDAP & MS-AD integration

Page 10: Database Encryption and HSMs - DOAG

Tokenization with Encryption

Diagram: App Server (APP LAYER; OS LAYER) and DB Server (DB LAYER; OS LAYER); DataSecure hosts the Token Manager, the Crypto Service and the Token DB.

+ Replace sensitive data with non-sensitive token
+ Reduces audit scope drastically
− Only small pieces of data (CCnums, PANs, etc.)
+ SafeNet enhancements: Keys in Hardware, millions of keys, key migration, audit trail, LDAP & MS-AD integration

Page 11: Database Encryption and HSMs - DOAG

SafeNet HSM and Luna SA Basics


Page 12: Database Encryption and HSMs - DOAG

Purpose of HSMs

• Provide higher level of security and trust in separating cryptographic keys physically and logically from data and applications
• Securely generate and protect sensitive cryptographic keys throughout their lifecycle, in dedicated and accredited hardware
• Provide and accelerate cryptographic operations, like Encryption, Decryption, Signing, Time Stamping, Hashing, MAC'ing, etc.
• Protect customized and sensitive applications deployed in un-trusted or hostile environments
• Offer standard security APIs, like PKCS#11, MS-CAPI/CNG, JCA/JCE, also XML, proprietary APIs, EFT (Electronic Fund Transfer, protocols for financial markets)

Page 13: Database Encryption and HSMs - DOAG

Keys In Hardware Paradigm

Why Keys in Hardware?

• The location of cryptographic keys is well defined and always exactly known. The same applies for possible physical backups.

• When keys are stored in software an attacker needs only to find a copy of the server’s backup files and wait for or actively find a vulnerability.

• Hardware-secured digital signing with hardware-based backup enables physical-world security mechanisms to be applied to the protection of keys.

What does Keys In Hardware mean?

• Applications communicate with keys stored in the HSM via a client – but keys NEVER leave the HSM

How are Keys Protected?

• To access keys stored in hardware an attacker must:
  • Gain entrance to the environment where the HSM device has been deployed.
  • Locate and steal the HSM device, which is typically stored in a physically secured safe or locked down in a data center.
  • Disassemble the device without damaging it, including removing the potting material many tamper-resistant HSMs use.
  • Reverse engineer the flash contents of the device to find the key material.

Page 14: Database Encryption and HSMs - DOAG

HSM Portfolio

SafeNet's Hardware Security Modules are the fastest, most secure, and easiest to integrate solution for protecting identities, applications and transactions.

Products: Luna CA4, Luna EFT, Luna XML, Luna SA / SP, Luna G5, Protect-Server, Luna PCI, Luna SX

Page 15: Database Encryption and HSMs - DOAG

Luna SA Architecture


Page 16: Database Encryption and HSMs - DOAG

Software Architecture

Diagram (data flow from application down to the HSM):
• Application APIs: PKCS#11, Microsoft CAPI/CNG/EKM, Sun Java JCE/JCA; user applications, test tools, utilities
• Driver interface: NTLA for Luna SA; Luna PCI Driver for Luna PCI; Luna Dock Driver for the Luna Dock PCMCIA Card Reader
• Configuration: Conf file; PED
• Physical connection to the HSM

Page 17: Database Encryption and HSMs - DOAG

High Availability & Load Balancing

Diagram: Application Hosts connect to the HA Luna SA's over Network Trust Links.

• Hosts/Clients are registered on HA Luna SA's
• Load balancing is controlled by the NTL agent (client)
  • "Least-Busy" cycling of requests between on-line SA's
  • Dynamic replication of crypto key material

Page 18: Database Encryption and HSMs - DOAG

Oracle TDE with Luna SA


Page 19: Database Encryption and HSMs - DOAG

Transparent Data Encryption

Challenge
• Master keys traditionally stored on database software
• Key management functions reduce system performance

Solution
Luna SA and Luna PCI HSMs protect key material and provide database encryption capabilities, delivering separation of key material from the data with a true keys-in-hardware design, throughout the key lifecycle.

Benefits

Increased Security
• Increased security through separation of cryptographic keys from encrypted data
• Data can be encrypted by using keys that only the database user has access to on the external EKM/HSM
• FIPS 140-2 Level 3-validated security
• Multi-factor authentication features

Ease of Installation and Management
• Reduce cost and complexity of management with a platform that is easy to manage and support
• Provides built-in support for different types of event handling and rich query semantics
• Reduce development cost by utilizing existing skill sets and investments in Oracle's development platform
• Tailor to needs of the business with flexible deployment options

Page 20: Database Encryption and HSMs - DOAG

Oracle Transparent Data Encryption: Column Encryption

Page 21: Database Encryption and HSMs - DOAG

Oracle Transparent Data Encryption: Tablespace Encryption

Note: In Oracle 11g R2 the same master key is used for column and tablespace encryption.

Page 22: Database Encryption and HSMs - DOAG

Database Encryption with HSM

• HSM used for Master Key storage & crypto operations
• FIPS 140-2 level 3 compliant
• Luna PCI crypto module inside Luna SA is CC EAL 4+ compliant
• PKCS#11 Interface for Oracle Wallet or MS-CAPI Interface for MS SQL Server

Diagram: Application Server, DB Server and Luna SA (master key storage).

Page 23: Database Encryption and HSMs - DOAG

Oracle TDE and Luna SA

• Centralized Key Management
  • Luna SA as the centralized secure location for TDE Master keys
• Strong protection for TDE master key
  • TDE master key never leaves the Luna SA
  • High assurance protection for TDE master key
• Transparency
  • No changes to applications required
  • Allows encryption of all data types normally used to store privacy relevant information: numbers and text; scanned documents (medical, financial documents)
• Other known restrictions for Oracle TDE may remain (1): supported data types, encrypt indexed columns with salt, encrypt foreign key, rekey operation for table space enc, etc.

(1) For more details check UK Oracle User Group, C. Dudley, University of Wolverhampton, SIG Director; http://gavinsoorma.com/wp-content/uploads/2011/03/11g_transparent_data_encryption.ppt

Page 24: Database Encryption and HSMs - DOAG

DataSecure Basics and Oracle Encryption with DataSecure

Page 25: Database Encryption and HSMs - DOAG

DataSecure Platform

• DataSecure Appliance
  • Centralized policy and cryptographic key management
  • High-performance encryption
  • Integrated management interfaces
  • Hardened Linux appliance
  • FIPS and Common Criteria certified
• Connector Software (*)
  • Connects DataSecure capabilities to applications, databases, file servers, desktops/laptops, mainframes, network shares
  • Load balancing, health checking, connection pooling, SSL
• EdgeSecure Appliance
  • Centrally managed by DataSecure
  • Hardened Linux appliance
  • Small form factor, optimized for remote locations

(*) formerly: Ingrian

Page 26: Database Encryption and HSMs - DOAG

SafeNet DataSecure PlatformEnterprise Encryption and Key Management

Diagram: SafeNet DataSecure® in the Data Center serves Application Servers, Web Servers, Databases, File Servers, z/OS Mainframes and Storage/Tape; SafeNet EdgeSecure® at a Remote Location serves Web Servers, File Servers and Laptop/Device.

Page 27: Database Encryption and HSMs - DOAG

Benefits of the SafeNet DataSecure Platform

Security
• Hardware-based, centralized key and policy management
• FIPS/CC certified solution
• Authentication and authorization

Performance
• High performance encryption offload, over 100K TPS
• Batch processing for massive amounts of data
• Efficient backup/restore capabilities, local encryption option

Flexibility
• Support for heterogeneous environments (app, db, file)
• Support for open standards and APIs
• Range of enterprise deployment models

Manageability
• Intuitive, easy-to-use administration
• Separation of duties
• Centralized policy management

Availability
• Enterprise clustering and replication
• Load balancing, health checking, and failover
• Geographically distributed redundancy

Page 28: Database Encryption and HSMs - DOAG

SafeNet DataSecure Family Portfolio

DataSecure i450 and i150: High-Performance Database, File, and Application Encryption
• Transparently encrypts structured and unstructured data
• High-performance, low latency encryption offload (+100k TPS)
• Intuitive point-and-click administration console
• High-availability and scalability through clustering and load balancing
• FIPS, Common Criteria certification pending

EdgeSecure i10: Locally encrypts sensitive data in remote locations
• High-availability appliance for local encryption
• Light, small form factor that is optimized for distributed environments
• Remote management after initial setup
• Backed up by central DataSecure appliance in event of device failure

KeySecure i430: Centrally protects and manages crypto keys and security policy in hardware appliance
• Keys are securely stored in a single location for clear separation and definition of boundaries
• Centralized policy management
• Centralized logging, auditing and archiving
• Built-in Certificate Authority (CA)
• Separation of duties (dual control)
• FIPS, Common Criteria validation pending

Connector Software: Enable seamless integration with database, application and file servers
• ProtectDB - for database encryption (Oracle, IBM DB2, Windows SQL Server, Teradata)
• ProtectApp – for app encryption (.NET, CAPI, JCE, PKCS#11, z/OS, XML and all common app & web servers)
• ProtectFile PC – for desktop/laptop file encryption
• ProtectFile Server – for Windows and Linux
• ProtectFile Mobile

Page 29: Database Encryption and HSMs - DOAG

DataSecure Application Integration

• Software Libraries
  • Microsoft .NET, CAPI
  • JCE (Java)
  • PKCS#11 (C/C++)
  • SafeNet ICAPI (C/C++)
  • z/OS (Cobol, Assembler, etc.)
  • XML
• Support for virtually all application and web server environments

Diagram: Reporting Application, E-Commerce Application and Customer Database all integrate with DataSecure.

Page 30: Database Encryption and HSMs - DOAG

DataSecure Database Integration

• Column based encryption
• Database Connectors
  • Oracle 8i, 9i, 10g, 11g
  • IBM DB2 version 8, 9
  • IBM UDB version 8, 9
  • Microsoft SQL Server 2000, 2005, 2008
  • Teradata 12
• Application changes may not be required
• Batch processing tools for managing large data sets
• Vendor Transparent Database Integration
  • SQL Server 2008
  • Oracle 11g

Diagram: Customer Database integrated with DataSecure.

Page 31: Database Encryption and HSMs - DOAG

Endpoint Protection with Centralized Key & Policy Management

ProtectFile Architecture

ProtectFile PC

ProtectFile Server
• Granular folder- and file-level encryption
• Client users use native Windows access control

DataSecure Platform
• Key and policy mgmt on DataSecure for end user transparency

Diagram: End User Laptop, Network Shares and Corporate File Server.

Page 32: Database Encryption and HSMs - DOAG

DataSecure vs. HSM


Page 33: Database Encryption and HSMs - DOAG

Key management

• HSM
  • PKCS#11, separation of keys slot-based, multiple virtual slots, 1 user account per slot
  • Keys in hardware
  • Amount of keys till end of memory (~1000, <10000)
• DataSecure
  • Policy based
  • Key usage defined per user or user groups
  • Millions of keys (stored/encrypted internally)

Page 34: Database Encryption and HSMs - DOAG

User/Role management

• HSM
  • PKCS#11 model, 1 user and 1 admin per slot
  • Strong multi-factor auth for administration of HSM
  • Roles for admins, backup, named accounts, etc.
• DataSecure
  • 1 million local users or LDAP & MS-AD integration
  • 4-eyes principle
  • Admin roles with fine granular separation of duties

Page 35: Database Encryption and HSMs - DOAG

Cryptography

• HSM
  • Symmetric, asymmetric (incl. ECC)
  • > 200 crypto mechanisms
  • Crypto runs in HW (Luna K5/K6)
• DataSecure
  • AES, DES, RSA
  • Optimized for data encryption
  • Crypto runs in SW

Page 36: Database Encryption and HSMs - DOAG

Functionality & APIs

• HSM
  • PKCS#11, Java JCA/JCE, MS-CAPI/CNG, XML
  • TDE
  • EFT (financial)
  • KMIP client
• DataSecure
  • ProtectApp: PKCS#11, Java JCA/JCE, MS-CAPI/CNG, ICAPI, XML
  • ProtectDB: Oracle, SQL Server, DB2, Teradata
  • TDE
  • ProtectFile: NTFS, ext3, NAS (CIFS, NFS)
  • Tokenization: API, Web service
  • NetApp integration (with KeySecure) (1)
  • KMIP server

(1) explained in following slides

Page 37: Database Encryption and HSMs - DOAG

Audit / Logging

• HSM
  • Syslog streaming
  • Auditable logs
  • Application logging needed in some scenarios, as PKCS#11 has some limitations
• DataSecure
  • Syslog streaming
  • Auditable logs
  • Fully PCI-DSS compliant

Page 38: Database Encryption and HSMs - DOAG

Performance / HA / LB

• HSM
  • Combined HA and LB
  • Automatic/dynamic key mirroring in HA mode
  • Scales up almost linear in HA mode
• DataSecure
  • Combined HA and LB
  • Automatic/dynamic key mirroring in HA mode (also users, roles, policies, etc.)
  • Scales up almost linear in HA mode

Page 39: Database Encryption and HSMs - DOAG

What is KMIP (Source: OASIS)

• The Key Management Interoperability Protocol (KMIP) enables key lifecycle management. KMIP supports legacy and new encryption applications, supporting symmetric keys, asymmetric keys, digital certificates, and other "shared secrets." KMIP offers developers templates to simplify the development and use of KMIP-enabled applications.
• KMIP defines the protocol for encryption client and key-management server communication. Key lifecycle operations supported include generation, submission, retrieval, and deletion of cryptographic keys. Vendors will deliver KMIP-enabled encryption applications that support communication with compatible KMIP key-management servers.

Page 40: Database Encryption and HSMs - DOAG

An Ideal Enterprise Key Management

Diagram: SafeNet KeySecure at the centre, serving File Servers, Application and web servers, Databases, Mainframes, Hardware, Laptop/mobile Handset, Storage and Backup Media.

• Secure, Centralized Key Management
• Data-centric Policy Management
• Identity & Access Management
• Visibility via Logging, Auditing, Reporting

Page 41: Database Encryption and HSMs - DOAG

SafeNet KeySecure™ Enterprise Key Management

• Enterprise Key Management
  • Centrally managed
  • Consolidation of keys
• Standard based approach – OASIS KMIP
• Broad Coverage
  • NAS - StorageSecure
  • SAN - Brocade Encryption Solutions (BES and FS8/18)
  • KMIP support (NSE/FDE, Quantum Tape Library and other 3rd Party Support)
  • ProtectV
• SafeNet Luna PCI K6 module built-in (!)
• SafeNet LUNA SA and PCI Management

Page 42: Database Encryption and HSMs - DOAG

DataSecure and KeySecure: Essentially the same platform, different packaging

• DataSecure
  • Encryption – SafeNet Ecosystem e.g. ProtectApp, ProtectDB, ProtectFile (Linux)
• KeySecure
  • Enterprise Key Management
  • StorageSecure
  • KMIP Support
  • Brocade Encryption Switch
  • Migration of DataFort and LKM

Page 43: Database Encryption and HSMs - DOAG

Oracle TDE with DataSecure


Page 44: Database Encryption and HSMs - DOAG

Oracle TDE with DataSecure

• DS used for Master Key storage & crypto operations
• FIPS 140-2 level 2 compliant
• PKCS#11 Interface for Oracle Wallet

Diagram: Application Server, DB Server and DataSecure (master key storage).

Page 45: Database Encryption and HSMs - DOAG

DataSecure with ProtectDB

Migration Procedure (from clear to encrypted)

Page 46: Database Encryption and HSMs - DOAG

Database Encryption Process (slide 1 of 8)

Step 1: Identify what data you want to secure and where that data resides.

CUSTOMER
Name | Account | SSN | Address | City
Irwin M. Fletcher | 000234 | 123456789 | 411 Main Street | Santa Barbara
Josh Ritter | 000115 | 111122223 | 1801 21st Ave | San Francisco
Steve Garvey | 000199 | 987654321 | 123 First Ave | Brentwood

CUSTOMER Table Structure
Column Name | Data Type | Length
Name | VARCHAR | 60
SSN | CHAR | 9
Address | VARCHAR | 75
SSN_NEW | VARBINARY | 16

Page 47: Database Encryption and HSMs - DOAG

Database Encryption Process (slide 2 of 8)

Step 2: Alter table to add columns

CUSTOMER
Name | Account | SSN | Address | City | SSN_NEW
Irwin M. Fletcher | 000234 | 123456789 | 411 Main Street | Santa Barbara |
Josh Ritter | 000115 | 111122223 | 1801 21st Ave | San Francisco |
Steve Garvey | 000199 | 987654321 | 123 First Ave | Brentwood |

CUSTOMER Table Structure
Column Name | Data Type | Length
Name | VARCHAR | 60
SSN | CHAR | 9
Address | VARCHAR | 75
SSN_NEW | VARBINARY | 16

Page 48: Database Encryption and HSMs - DOAG

Database Encryption Process (slide 3 of 8)

Step 3: Migrate, encrypt data (encryption by the SafeNet DataSecure Platform)

CUSTOMER
Name | Account | SSN | Address | City | SSN_NEW
Irwin M. Fletcher | 000234 | 123456789 | 411 Main Street | Santa Barbara | 0xEED95DB775158895…
Josh Ritter | 000115 | 111122223 | 1801 21st Ave | San Francisco | 0x21010B370F8752D5…
Steve Garvey | 000199 | 987654321 | 123 First Ave | Brentwood | 0xC5187FC3A3286B7F…

CUSTOMER Table Structure
Column Name | Data Type | Length
Name | VARCHAR | 60
SSN | CHAR | 9
Address | VARCHAR | 75
SSN_NEW | VARBINARY | 16

Page 49: Database Encryption and HSMs - DOAG

Database Encryption Process (slide 4 of 8)

Step 4: Null the original cleartext data

CUSTOMER
Name | Account | SSN | Address | City | SSN_NEW
Irwin M. Fletcher | 000234 | NULL | 411 Main Street | Santa Barbara | 0xEED95DB775158895…
Josh Ritter | 000115 | NULL | 1801 21st Ave | San Francisco | 0x21010B370F8752D5…
Steve Garvey | 000199 | NULL | 123 First Ave | Brentwood | 0xC5187FC3A3286B7F…

CUSTOMER Table Structure
Column Name | Data Type | Length
Name | VARCHAR | 60
SSN | CHAR | 9
Address | VARCHAR | 75
SSN_NEW | VARBINARY | 16

Page 50: Database Encryption and HSMs - DOAG

Database Encryption Process (slide 5 of 8)

Sensitive data is now stored in encrypted format. Application integration can be completed with no further database changes, or…

CUSTOMER
Name | Account | SSN | Address | City | SSN_NEW
Irwin M. Fletcher | 000234 | NULL | 411 Main Street | Santa Barbara | 0xEED95DB775158895…
Josh Ritter | 000115 | NULL | 1801 21st Ave | San Francisco | 0x21010B370F8752D5…
Steve Garvey | 000199 | NULL | 123 First Ave | Brentwood | 0xC5187FC3A3286B7F…

Page 51: Database Encryption and HSMs - DOAG

Database Encryption Process (slide 6 of 8)

Step 5: Implement database integration: Rename database, create views, triggers and stored procedures to automate updates and inserts

Dynamic Encryption and Decryption of Data via Triggers and Views

CUSTOMER (View)
Name | Account | SSN | Address | City
Irwin M. Fletcher | 000234 | 123456789 | 411 Main Street | Santa Barbara
Josh Ritter | 000115 | 111122223 | 1801 21st Ave | San Francisco
Steve Garvey | 000199 | 987654321 | 123 First Ave | Brentwood

CUSTOMER_NEW
Name | Account | SSN | Address | City | SSN_NEW
Irwin M. Fletcher | 000234 | NULL | 411 Main Street | Santa Barbara | 0xEED95DB775158895…
Josh Ritter | 000115 | NULL | 1801 21st Ave | San Francisco | 0x21010B370F8752D5…
Steve Garvey | 000199 | NULL | 123 First Ave | Brentwood | 0xC5187FC3A3286B7F…

Page 52: Database Encryption and HSMs - DOAG

Application and Database Encryption Process (Slide 7 of 8)

Subsequent updates and inserts preserve data privacy

CUSTOMER (View)
Name | Account | SSN | Address | City
Irwin M. Fletcher | 000234 | 987654321 | 411 Main Street | Santa Barbara
Josh Ritter | 000115 | 111122223 | 1801 21st Ave | San Francisco
Steve Garvey | 000199 | 987654321 | 123 First Ave | Brentwood

Update Trigger: Steve Garvey | 000199 | 987654321 | 123 First Ave | Brentwood

CUSTOMER_NEW
Name | Account | SSN | Address | City | SSN_NEW
Irwin M. Fletcher | 000234 | NULL | 411 Main Street | Santa Barbara | 0x5FC09A148B276126…
Josh Ritter | 000115 | NULL | 1801 21st Ave | San Francisco | 0x21010B370F8752D5…
Steve Garvey | 000199 | NULL | 123 First Ave | Brentwood | 0xC5187FC3A3286B7F…

Page 53: Database Encryption and HSMs - DOAG

Application and Database Encryption Process (Slide 8 of 8)

Subsequent updates and inserts preserve data privacy

CUSTOMER (View)
Name | Account | SSN | Address | City
Irwin M. Fletcher | 000234 | 987654321 | 411 Main Street | Santa Barbara
Josh Ritter | 000115 | 111122223 | 1801 21st Ave | San Francisco
Steve Garvey | 000199 | 987654321 | 123 First Ave | Brentwood
Henry Baker | 000301 | 999666555 | 787 Convention | Gilroy

Update Trigger
Insert Trigger: Henry Baker | 000301 | 999666555 | 787 Convention | Gilroy

CUSTOMER_NEW
Name | Account | SSN | Address | City | SSN_NEW
Irwin M. Fletcher | 000234 | NULL | 411 Main Street | Santa Barbara | 0x5FC09A148B276126…
Josh Ritter | 000115 | NULL | 1801 21st Ave | San Francisco | 0x21010B370F8752D5…
Steve Garvey | 000199 | NULL | 123 First Ave | Brentwood | 0xC5187FC3A3286B7F…
Henry Baker | 000301 | NULL | 787 Convention | San Francisco | 0xF5253HU4A4657C3P…

Page 54: Database Encryption and HSMs - DOAG

Oracle with DataSecure Tokenization

Page 55: Database Encryption and HSMs - DOAG

The Need for Tokenization

Addressing regulations:
• Organizations are seeking ways to simplify and reduce the scope of PCI-DSS (Payment Card Industry Data Security Standard) compliance by shrinking the footprint where sensitive data is located throughout their organization.
• By reducing the scope, these organizations can dramatically lower the cost and anxiety of PCI DSS compliance and significantly increase the chance of audit success.
• Compliance with the PCI DSS is a combination of documented best practices and technology solutions that protect sensitive data, such as SSN or Credit Card numbers used by more than one application or stored in more than one database.
• SafeNet's Tokenization Manager solution tackles PCI compliance.

Page 56: Database Encryption and HSMs - DOAG

Protecting Your Credit Card Numbers

• A merchant's database contains customers' credit card numbers.
  • Initially, credit card numbers are stored without encryption, protected only by access-control measures.
  • The credit card numbers are used across systems.
  • The tokenization technology is meant to prevent theft of the credit card information in storage.
• The process replaces card data with randomized numbers which are useless out of the transaction scope. The real data is then deleted from the merchant's DB.
• The full 20 CC numbers are replaced with a 20-character token created by a defined format.
• Only tokens are then present in the data storage systems.

Diagram:
Merchant DB, credit card numbers that will be tokenized: N | A | CC: 5467 1009 4594 5420
Secured DB
Merchant DB [Out of PCI Scope], contains tokens representing credit card numbers: N | A | CC: 5487 9811 0948 5420

Page 57: Database Encryption and HSMs - DOAG

Tokenization

• Replacement of sensitive structured data (max. 20 chars) with data of a similar size that is not sensitive (a "Token")
• Stores sensitive data in an encrypted protected zone – apart from the original data now containing only the tokens
• Data format and representation can be preserved
• Tokens may be generated using a variety of formats:
  • Random
  • Sequential
  • Last_Four
  • First_Six
  • First_Two_Last_Four
  • First_Six_Last_Four
  • Fixed_Nineteen
  • Fixed_Twenty_Last_Four
• Or, token format can be user-defined (with version > v2.0)

Page 58: Database Encryption and HSMs - DOAG

Solution Architecture (High Level)

Diagram: the Application calls the Token Manager running on the DataSecure Token Servers through a Java API / Web Service; the Token Manager keeps the Vault in a Protected Zone and uses an AES 256 versioned key and an HMAC SHA 256 key.

Page 59: Database Encryption and HSMs - DOAG

Token Generation

Token generation: Plaintext (sensitive information) is sent by application with request for tokenization (Insert Token)
• Keyed hash is generated using hash key on DS.
• Lookup on hash is performed.
• If hash exists for the input value, corresponding token is returned.
• If no hash exists:
  • Token is generated
  • Original value is encrypted
  • Token, ciphertext, and hash are written to the token vault

De-tokenization: Token is sent by application with request for plaintext value (Get Token)
• Token is looked up
• Corresponding ciphertext is decrypted and sent back to the application

Diagram: Application, DataSecure Token Servers (HMAC SHA 256 key, AES 256 versioned key), Protected Zone with Vault & Key Table.
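The Insert Token / Get Token flow of this slide, written out as an added example (not SafeNet's code): a keyed HMAC-SHA256 lookup index, the stored value encrypted under a versioned AES-256 key, and First_Six_Last_Four tokens. The key material, the PAN, and the in-memory maps standing in for the vault and key table are constructed for the example; AES-GCM as the mode and binding the token to the ciphertext as associated data are the example's own choices, not stated on the slide.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

// TokenVault models the Token Manager's protected zone of slides 58-59.
type TokenVault struct {
	hmacKey []byte               // key for the HMAC-SHA256 lookup hash
	keys    map[byte]cipher.AEAD // every AES-256 key version issued so far
	current byte                 // key version used for new rows
	byHash  map[string]string    // HMAC-SHA256(plaintext) -> token
	byToken map[string][]byte    // token -> version byte || GCM nonce || AES-256-GCM ciphertext
}

// randBytes wraps crypto/rand.Read, which in current Go releases always fills the slice and never returns an error.
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}

// NewTokenVault generates demo key material in memory (constructed for this example).
func NewTokenVault() *TokenVault {
	v := &TokenVault{hmacKey: randBytes(32), keys: map[byte]cipher.AEAD{}, byHash: map[string]string{}, byToken: map[string][]byte{}}
	v.RotateKey()
	return v
}

// RotateKey installs a fresh AES-256 key as the current version; earlier versions stay usable for decryption.
func (v *TokenVault) RotateKey() {
	block, _ := aes.NewCipher(randBytes(32)) // a 32-byte key cannot fail these two calls
	aead, _ := cipher.NewGCM(block)
	v.current++
	v.keys[v.current] = aead
}

// firstSixLastFour is the page's "First_Six_Last_Four" token format.
func firstSixLastFour(pan string) (string, error) {
	if len(pan) < 11 {
		return "", errors.New("value too short for First_Six_Last_Four")
	}
	mid := make([]byte, len(pan)-10)
	for i := range mid { // every middle digit comes from crypto/rand
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		mid[i] = byte('0' + d.Int64())
	}
	return pan[:6] + string(mid) + pan[len(pan)-4:], nil
}

// Tokenize is the "Insert Token" request: hash, look up, and only on a miss generate, encrypt and store.
func (v *TokenVault) Tokenize(plain string) (string, error) {
	m := hmac.New(sha256.New, v.hmacKey) // keyed: the index alone cannot confirm guessed card numbers
	m.Write([]byte(plain))
	h := string(m.Sum(nil))
	if token, ok := v.byHash[h]; ok {
		return token, nil // same input always yields the same token
	}
	token, err := firstSixLastFour(plain)
	for _, taken := v.byToken[token]; err == nil && taken; _, taken = v.byToken[token] {
		token, err = firstSixLastFour(plain) // never alias an existing vault row
	}
	if err != nil {
		return "", err
	}
	aead := v.keys[v.current]
	nonce := randBytes(aead.NonceSize())
	// The token is the associated data: a ciphertext moved to another token's row fails to open.
	ct := aead.Seal(nil, nonce, []byte(plain), []byte(token))
	v.byHash[h] = token
	v.byToken[token] = append(append([]byte{v.current}, nonce...), ct...)
	return token, nil
}

// Detokenize is the "Get Token" request: look the token up and decrypt with the key version stored in the row.
func (v *TokenVault) Detokenize(token string) (string, error) {
	blob, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	aead := v.keys[blob[0]] // key versions are superseded, never deleted
	plain, err := aead.Open(nil, blob[1:1+aead.NonceSize()], blob[1+aead.NonceSize():], []byte(token))
	return string(plain), err // plain is nil, so "", when authentication fails
}

func main() {
	v := NewTokenVault()
	tok, _ := v.Tokenize("5467100945945420") // constructed PAN from slide 56
	pan, _ := v.Detokenize(tok)
	println(tok, "->", pan)
}
```

Rotating the key between two Tokenize calls and then detokenizing both shows why the version byte is stored with each row: the old row still opens with its own key version.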

Page 60: Database Encryption and HSMs - DOAG


Page 61: Database Encryption and HSMs - DOAG

Positioning the Solutions


Page 62: Database Encryption and HSMs - DOAG

Transparent Data Encryption

• No changes to existing applications
  • No triggers, no views
  • Some performance impact (but same with all other encryption)
  • Built-in key management
• No crash-course needed in encryption or key management; just focus on business logic
• Oracle Wallet Manager can connect to PKCS#11 libs if enhanced security level with HSM is needed

Page 63: Database Encryption and HSMs - DOAG

ProtectDB

• Column based, encryption only where needed
• Supports heterogeneous DB environments
• Encryption offload from DB server – but more network load
• PCI-DSS compliance supported
• Supports key migration process
• Oracle domain index can be used
• Oracle RAC configuration supported
• Per instance max. ~2500 Enc Ops under real DB runtime conditions
• Supported data types: BFILE, BLOB, CHAR, CLOB, DATE, DECIMAL, LONG, LONG RAW, NCHAR, NUMBER, NUMERIC, NVARCHAR2, VARCHAR, VARCHAR2
• Mostly DML transparent
• Not DDL transparent
• Difficult if triggers already in place
• 3rd party application integration needs testing

Page 64: Database Encryption and HSMs - DOAG

ProtectFile

• Encryption for unstructured, file-based data
• Scenarios where RDBMS not supported or TDE not applicable/available
• For best performance file encryption keys are kept locally, encrypted under a KEK
• Transparent for NTFS, ext3 file systems
• Database files can be encrypted on OS level (e.g. data transfer)
• Avoid user privilege escalation

Page 65: Database Encryption and HSMs - DOAG

ProtectApp

• Focuses application development in C/C++/C#, .NET, Java
• User auth against DataSecure (with MS-AD, LDAP)
• Supports versioned keys and re-encryption
• Full logging/auditing on client and DataSecure
• Bulk enc/dec calls
• Reduced crypto compared to HSMs
• No key wrapping (not yet)

Page 66: Database Encryption and HSMs - DOAG

Tokenization

• Applicable for small pieces of data (SSN, PANs, CCnums)
• Some integration work needed (with API or Web service)
• No changes to existing databases, 3rd party applications
• Token preserves original data format and fits into original field
• Scalable solution (per instance: max. ~250 ops/sec single calls, ~1000 ops/sec with bulk calls)
• Made for PCI-DSS compliance, reduces scope of audits

Page 67: Database Encryption and HSMs - DOAG

Demo Setup


Page 68: Database Encryption and HSMs - DOAG

Demo: ProtectDB, Migrate Data

Diagram: Laptop with VM machines running Oracle 11g R2 on CentOS v5.6, connected to a DataSecure i150.

Page 69: Database Encryption and HSMs - DOAG

SafeNet's approach . . .
