Welcome to the SafeNet Executive Day! · And then, there's the data itself! How secure is my data...

Page 1

Welcome to the SafeNet Executive Day!

New Horizons of Information Security

Page 2

New Horizons of Information Security

Sergey Kuznetsov

Head of the Representative Office, SafeNet Europe B.V. in Russia & CIS

Page 3

Sponsors and Participants

Platinum Sponsors

• СИС (Certified Information Systems)
• Demos

Sponsors and Participants

• IndeedID
• УЦСБ
• DPS (Data Protection Systems)

Page 4

Takeaways

SafeNet 2013 – Introducing the New SafeNet Company in Russia

We have an answer to today's new technology challenges:

• Virtualization
• Mobility
• Cloud computing
• Big Data

Continued investment in the core business:

• eToken/iKey, FSTEC certification
• HSMs/HSEs, new capabilities
• DataSecure, virtual appliance

SafeNet in Russia – serious investment plans:

• Staff
• Localization/certification of solutions
• Availability of training

Page 5

What can you find in the demo zones?

Virtualization

• УЦСБ stand: Protect-V with the KeySecure virtual appliance
• Live presentation by Rami Shalom in the Protect-V session

Mobility

• Authentication – СИС/SafeNet zone
• Integration of authentication tools with a Single Sign-On solution – IndeedID stand

Clouds

• SAS (SafeNet Authentication Service) + Protect Virtual – УЦСБ stand
• Crypto HSM – DPS stand, Demos/SafeNet zone

Big Data

• Tokenization – Tokenization session
• Storage Secure – Demos/SafeNet zone
• HSE/Senetas – Demos/SafeNet zone

Page 6

SafeNet is changing the familiar market

Authentication as a Service (SAS):

• Shift from capital investment to operating expenses
• Scalability and adaptability as part of the solution design
• Private cloud option

Security is still the #1 barrier to the adoption and deployment of virtualization (Forrester)

• The first available enterprise solution. Ability to use cloud services

HSM can be "virtualized"

• Centralized management, resource consolidation, reduced key provisioning time

Storage Secure: protection for NAS, the fastest-growing segment of data storage

• Ability to turn storage into a secure cloud service (WEP, WebDAV)

Page 7

Current Status in Russia

СИС

• Distributor of authentication solutions
• SAS – contract being signed
• Protect-V – contract being signed
• Competence center/sub-distributor – Aladdin RD

Demos

• Distributor of HSM/HSE
• Storage Secure – under discussion
• KeySecure – under discussion
• NetApp distributor NetWell

RAINBOW

• Distributor of DataSecure

Sales model: Distributor – Partner – Customer

Page 8

Thank you

Page 9

Event program

9:00 – 9:50 Registration of participants. Welcome coffee

9:50 – 10:00 Conference opening
Sergey Kuznetsov - Head of the SafeNet Representative Office in Russia and the CIS countries

10:00 – 10:15 SafeNet - a leader in the information security market. Company introduction
Gary Clark - General Director of SafeNet for the EMEA region (Europe, Middle East and Africa)

10:15 – 10:55 Data expansion. How to protect the virtual data center and the cloud?
Rami Shalom - Vice President of Products and Solutions for data encryption and data management

10:55 – 11:35 Authentication as a Service (AAAS), or why will your company be among the first to move to cloud authentication?
Jason Hart – Vice President of Cloud Solutions

11:35 – 12:05 Coffee break. Expert zone and partner demo stands open

12:05 – 12:45 Big Data is coming. How to make information accessible yet protected?
Rami Shalom - Vice President of Products and Solutions for data encryption and data management

12:45 – 13:25 Root of Trust - do your physical and virtual spaces need it?
Hermann Bauer – Business Development Director for the EMEA region (Europe, Middle East and Africa)
Marko Bobinac - Product Consultant

13:25 – 13:30 Close of the plenary session. Questions and answers

13:30 – 14:30 Lunch

Page 10

Event program

13:30 – 14:30 Lunch

Breakout sessions, part 1 (14:30 – 15:15)

• Session 1: SafeNet Authentication Service. Presenters: Jason Hart, SafeNet; Mikhail Rozhnov, CertSys
• Session 2: Storage Secure. Presenters: Rami Shalom, SafeNet; Andrey Laptev, SafeNet
• Session 3: Hardware Security Modules. Presenters: Hermann Bauer, SafeNet; Vladimir Degtyarev, Demos

15:15 – 15:25 Questions and answers (all sessions)

15:25 – 15:50 Coffee break. Expert zone and partner demo stands open

Breakout sessions, part 2 (15:50 – 16:35)

• ProtectV. Presenters: Rami Shalom, SafeNet; Mikhail Rozhnov, CertSys
• Data Secure: Tokenisation Solution Demo. Presenters: Marko Bobinac, SafeNet; Andrey Laptev, SafeNet
• Hardware Security Module, EFT, HSE/Senetas. Presenters: Vladimir Degtyarev, Demos

16:35 – 17:00 Questions and answers (all sessions)

17:00 – 18:00 Event close. Cocktails

Page 11

Corporate Brief & Presence in Russia & CIS

Gary Clark, VP EMEA Sales & Operations, SafeNet

Page 12

IT Landscape is at a Tipping Point

• Consumerization of IT
• Shift in Service Delivery Models
• Proliferation of Data to the Cloud
• Increasingly Complex Threat Landscape

Page 13

A New Mindset is Needed

• Sole Perimeter Security is No Longer Enough
• Breaches Will Happen and We Must Prepare Differently
• Data is the New Perimeter

Page 14

State of Data Protection:

Protect What Matters, Where it Matters

Page 15

SafeNet: The Data Protection Company

We protect the most money that moves in the world, $1 trillion daily.

We protect the most digital identities in the world.

We protect the most sensitive information in the world.

FOUNDED: 1983
REVENUE: ~500m
EMPLOYEES: +1,400 in 25 countries
GLOBAL FOOTPRINT: +25,000 customers in 100 countries
ACCREDITED: Products certified to the highest security standard

Trusted to protect the world's most sensitive data


Page 17

SafeNet: Where We Focus

Data Protection Solutions

• Identity and Transaction Protection
• Data Encryption and Control
• Secure Communications
• Compliance and Governance
• Data Protection in Cloud & Virtual Environments

Software Monetization Solutions

• Software licensing and entitlement management
• Cloud service provisioning, control, management and usage tracking
• Software piracy prevention and IP protection

Markets

• Enterprise
• Government
• Software Publishers & Cloud Service Providers
• Device and Equipment Vendors

Page 18

SafeNet: Who We Secure

Representative Global Customers

Technology ISV & Software Publishers · Retail · Healthcare · Government · Financial Services

UK Government

Page 19

CIS Customers Trusting SafeNet

Page 20

…and We Are Ready

Comprehensive Information Lifecycle Protection
More ways to protect data than any other vendor - in Databases, Applications, File Servers, Mainframes, Desktops, Cloud, Virtual and Mobile.

Trusted by Largest Organizations for Critical Data
Proven track record of protecting critical data and transactions – trillions of dollars in bank transfers, stored streaming videos, and from M1 tanks to Air Force One.

Confidence with the Most Certified Solutions
SafeNet has more FIPS 140-2 and Common Criteria certifications than any vendor, giving peace of mind to our customers.

High Performance for High Volume Deployment
For the largest enterprise deployments - dedicated hardware and optimized software scales to millions of protected records and trillions of transactions.

Page 21

Thank you


Page 23

Data protection in the age of Cloud and Virtualization

Rami Shalom, VP, DEC Product Management, SafeNet

Page 24

State of Data Security

Security professionals believe they will suffer a breach.

*Based on a SafeNet Survey of 230 security professionals.

Page 25

State of Data Security

Organizations continue to rely on the same technologies.

*Based on a SafeNet Survey of 230 security professionals.

Page 26

State of Data Security

Doubt in security industry's ability to detect and prevent breaches.

*Based on a SafeNet Survey of 230 security professionals.

Page 27

State of Data Security

Recognition that if perimeters failed, high value data would not be safe.

*Based on a SafeNet Survey of 230 security professionals.

Page 28

Cloud migration has a lot to do with it…

Page 29

Loss of Control Creates New Security and Compliance Concerns

[wrt Virtualization, Forrester] The insider threat elevates privileged user management to a whole new level: "I'll see your domain admin and raise you one virtualization admin account."

Page 30

Cloud - Starting Point

My Datacentre

• My Facility
• My machines
• My admins
• My control
• My responsibility
• My accountability

Finance Compliant Customer Regulated Data Development

Page 31

Direction

Page 32

Value

Financial: 70% Reduction in IT Infrastructure spend (VMware)

Quality: Automation reduces the volume of incidents by 27%, and event and incident handling time by 40% (VMware)

Agility: Provisioning in minutes (from weeks!)

Page 33

Destination

© SafeNet Confidential and Proprietary

Our Datacentre

• Our facility
• Our machines
• Our admins
• Our control
• Our responsibility
• My accountability

Their Cloud

• Their facility
• Their machines
• Their admins
• Their control
• Their responsibility
• My accountability

Finance Compliant Customer Regulated Data Development

Page 34

Cloud Adoption and Security Concerns Creating the Perfect Storm

Cloud adoption nascent but soaring b/c of ROI potential

IaaS alone $2.4B -> $6.8B 3 years

Security concerns are the overwhelming #1 concern for moving to the cloud.

451 Group, August 2012 report

Page 35

Who Said?

"Despite the acknowledged benefits of cloud computing, wide scale deployment of cloud computing services can trigger a number of data protection risks, mainly a lack of control over personal data as well as insufficient information with regard to how, where and by whom the data is being processed/sub-processed."

ARTICLE 29 DATA PROTECTION WORKING PARTY
Opinion 05/2012 on Cloud Computing Adopted July 1, 2012

It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.

Page 36

The risk.

Page 37

Securing The Traditional Infrastructure

Involves securing:

• Datacenter Facilities (Locked doors, alarms, surveillance cameras)

• Physical Network (Firewalls, Routers, VPNs, IDS & IPS)

• Physical Storage (Separate networks, wipe drives)

• Physical Servers (OS updates, disable services, antivirus, enable logging)

• Applications (Apply security patches, run with minimal system privileges)

• Users/Administrators (Directory Services, logging, force password resets, enable two-factor authentication)

Page 38

Virtualization Introduces Additional Components to the Datacenter

Datacenter Facilities

Physical Networks

Virtual Networks

Physical Storage

Virtual Storage

Physical Servers

Hypervisor

Virtual Machines

Applications

Users/Administrators

Virtual Administrators

Page 39

Virtualization Vulnerabilities

Page 40

Securing the Virtualization Layer

Components: Virtual Networks, Virtual Storage, Hypervisor, Virtual Machines (VM), Virtual Administrators

• Management Isolation: Jumpbox, indirect access
• Administrator Isolation: Domain admins, protect root
• Virtual Machine Isolation: Protect multiple VMs per host
• Hypervisor Hardening: Follow hardening guide, apply security updates, host-firewall
• Storage Isolation: Restrict access, enable CHAP for iSCSI, separate network/VLAN
• Network Isolation: Separate vMotion, FT, storage, mgmt and VM traffic; disable promiscuous mode; VM traffic may not reach physical network, logical controls needed

Page 41

Additional Challenges of Data Center Consolidation

[Diagram: VMs hosted on a physical server with a restrictive security policy and on a physical server with a permissive security policy]

A restricted workload can move from a secure physical server to an unsecure one without the security admin's knowledge!

Traditional physical security policies do not translate well to a virtual environment. VMs are more dynamic than physical servers. How can they be secured without creating air gaps and lowering our ROI?

Multiple copies of the VM exist that can be instantiated without anyone's knowledge if removed from the environment.

Revoking access to sensitive data in the event of a breach is a far more difficult problem on VMs than on physical servers.

Page 42

And then, there's the data itself!

How secure is my data in a virtualized world?

• VMs are easy to copy (and steal.)
• Virtual data objects are easy to move.
• Cloud introduces a new class of privileged users and administrators (server, storage, backup, and application), all operating independently.
• VMs have multiple instances, snapshots and backups of data.
• Shredding data capability if data at risk or switch providers

[Diagram: APP/OS stacks on a Hypervisor (Compute Layer), with Storage, Backup and Snapshots]

Page 43

Who Secures the Cloud?

Page 44

Challenges in Virtual Datacenters & Clouds

Data Protection: Prevent leaks or unauthorized access

• Are all my data instances secure?
• How will encryption affect my virtualization solution?
• Can I assure only authorized access?
• Can I "pull the plug" on data at risk of exposure?

Control: Set effective access policies

• Who is accessing my data?
• Can I enforce an effective access control policy?
• Can I present a trusted audit trail?

Visibility: Where is your data and what is it doing

• Where are all my data instances?
• Can I trace every legitimate copy/instantiation?
• Can I trace unauthorized copying?

Page 45

Control versus Accountability?

“An organization cannot outsource accountability. Ever.” - Cloud Security Alliance

“…outsourcing maintenance of controls is not the same as outsourcing responsibility for the data overall.” - PCI DSS Cloud Computing Guidelines v2

“…Regarding third-party or public clouds, clients should consider that while they can outsource the day-to-day operational management of the data environment, they retain responsibility for the data they put in the cloud.” - PCI DSS Cloud Computing Guidelines v2

Page 46

The solution.

Page 47

State of Data Protection:

Protect What Matters, Where it Matters

Page 48

WHERE IS YOUR DATA? WHERE ARE YOUR KEYS?

Protecting What Matters, Where it Matters

1. Live Data
2. Stored Data
3. Virtualized Data
4. Key Management and Root of Trust
5. Access

[Diagram labels: Virtual Machines, File Servers, Databases, Site-to-site Data in Motion, Applications, SaaS Apps]

Warning

• Pockets of Encryption
• Operational Inefficiencies
• Audit Deficiencies & Failures
• Sensitive Data Exposure

Page 49

SafeNet Solutions for Virtualized Architectures

[Diagram: three virtual machines (Application on Guest OS) on a Hypervisor, over Virtual Compute (CPU), Virtual Storage (NAS / SAN) and Virtual Network (Physical Network), with Management alongside Compute, Storage and Network. Callouts: Root-of-trust and trusted crypto; Database As-A-Service; Isolation of virtual machines; Strong Authentication; Storage Encryption]

Page 50

ProtectV: Maintain Control of Your Data Through Your Virtualization and Cloud Migration

[Diagram labels: ProtectV Manager, VM, VM]

ProtectV enables VM encryption to:

• Isolate Virtual Machines and Storage
• Authorize server launches with StartGuard
• Track key access to all copies of your data
• Revoke key access after a breach

No need for special discovery of sensitive data

• All data is encrypted, even in archive (ex: snapshots, backups & clones)

Page 51

StorageSecure: Isolate Data in Multi-tenant NAS Environments

[Diagram labels: Health Solutions, Pharmaceutical Solutions, Patient Relationship, Medical-Surgical, Storage Head, Isolated Data Shares]

• Encryption-enabled separation of data in shared virtual environments
• Separation of inter and intra departmental data
• Protect data belonging to security sensitive departments
• Enables hosting multiple customers on the same HW

Page 52

KeySecure: SafeNet Key Management

[Diagram labels: Hardware Security Module (HSM), Applications, Virtual Machines, Backup Media, Storage]

Heterogeneous
Open standards-based
Physical or virtual
High assurance

Page 53

Why Customers Choose SafeNet

Comprehensive Information Lifecycle Protection
More ways to protect data than any other vendor - in Databases, Applications, File Servers, Mainframes, Desktops, and more.

Trusted by Largest Organizations for Critical Data
Proven track record of protecting critical data and transactions – trillions of dollars in bank transfers, stored streaming videos, and from M1 tanks to Air Force One.

Confidence in the Most Certified Solutions
SafeNet has more FIPS 140-2 and Common Criteria certifications than any vendor, giving peace of mind to our customers.

High Performance for High Volume Deployment
For the largest enterprise deployments - dedicated hardware and optimized software scales to millions of protected records and trillions of transactions.

Page 54

Thank you


Page 56

Authentication As A Service

Why new Cloud based Authentication solutions will be adopted by about 50% of the companies by 2017?

Jason Hart CISSP CISM, VP Cloud Solutions

Page 57

What a great world

Page 58

Remote Users Internal people 3rd Party Access Branch Offices PDA Users

Users and their workspaces

Today's World

Cloud Applications SaaS Apps

Page 59

Virtual World – With Virtual Back Doors

Welcome to the Future

Cloud Computing

Virtual Environment

With Virtual Security holes

During the past 15 years we learnt nothing

Page 60

We have forgotten

• Confidentiality
• Integrity
• Availability
• Accountability
• Auditability

We have not learnt a thing?

Page 61

Welcome to the 3rd Age of Hacking

• 1st Age: Servers
  • Servers
  • FTP, Telnet, Mail, Web.
  • These were the things that consumed bytes from a bad guy
  • The hack left a footprint
• 2nd Age: Browsers
  • Javascript, ActiveX, Java, Image Formats, DOMs
  • These are the things that are getting locked down
    – Slowly
    – Incompletely
• 3rd Age: Mobile devices: Simplest & getting easier
  • Targeting mobile devices to gain someone's password, which is the skeleton key to their life and your business
  • Totally invisible – no trace

Page 62

Password Attack

Welcome to the Future of Hacking

Attack channels: web, mail, open services

Targeted attacks against users and business and/or premium resources

Password attack is totally invisible to you

Mobile devices are becoming an easy target for Advanced persistent threats (APT)

Page 63

During the Past 7 Days

Page 65

Quoted from the report:

“… So, it really comes as no surprise that authentication based attacks (guessing, cracking, or reusing valid credentials) factored into about four of every five breaches involving hacking in our 2012 dataset. …”

“… 66% of the breaches in our 2013 report took months or even years to discover (62% months, 4% years).”

Verizon's annual Data Breach

Page 66

Live Attack Against your Virtual World.... ARP Attack

[Diagram labels: www; Probe requests]

Page 67

Protect Everything with SAS

[Diagram labels: Online Storage; Application Hosting; Private Cloud Services; Public Cloud Applications; Collaboration Tools; Private Networks; Corporate Network (four instances); LDAP / Active Directory (four instances); Tokens & Users; Administrator; Agent; RADIUS; API; SAML]

Page 68

SafeNet Authentication:

Provides the ability to rapidly scale, deploy authentication

Simple, easy and low-cost, driving strong authentication into all markets

The most powerful enterprise authentication server in the market

Offers a multi-tenant, multi-tier authentication platform that allows an almost infinite number of "virtual" authentication servers for your business

Page 69

More than Authentication

Automate Service Delivery - features include a policy engine that can automatically provision, suspend or revoke tokens based on changes in the user repository

Scheduled Automated Usage - Audit and Billing Reports

Branding - You can brand everything - Self-service, enrolment and messaging services.

Token Selection - The widest range of authentication token options

Page 70

More than Authentication

Security - Customers can define their own security controls and policies

Multi Tenant - The only true Multi Tier platform in the world

Multi Tier - manage centrally or fully devolve all administration

Service Alerts - Full Automation of user and administrator alerts

API - Detailed API sets for authentication and administration

Open platform – Every enterprise is different – full customisation to meet your needs

Page 71

Multi-Tenant Multi-Tier – Overview

Multi-tenant architecture

• Scales to thousands of business units

• Unlimited numbers of users per business unit

Manage multiple business units from one centralised interface

• Unlimited numbers

• Supports multiple domains

Secure

• Only view one level down

• Isolation & Access Control

Delegated management for lower tiers

• Deliver enhanced service wrappers

• Great for multi-region networks

Inherit capabilities to lower level

• SMS / SMTP gateways

• Branding

[Diagram labels: Virtual Service Provider; Enterprise Subscriber (Virtual Service Provider); Managed Subscriber; Subscriber A; Subscriber B; Region 1; Region 2; Region 3; Delegated]

Page 72

Multi-Tenant Multi-Tier

Multi-tenant architecture

• Unlimited Domains

• Non-directory stores

• Localisation

Automation

• User fulfilment – Provisioning, Enrolment etc

• User Self healing

• Reports

Secure

• The ability to Manage clients if rights granted by Client

Branding and region

• Adding of custom SMS Gates

• Everything can be fully Branded

Features

• Meets all markets requirements

[Diagram labels: Your Enterprise; Division 1; Division 2; Division 3; Division 4; Regional Office; Helpdesk; HR]

Page 73

Flexibility and Customisation

• Language - by region or Admin

• Alert messages – including language

• SMS Gateways - by region

• Branding - Even by region or business unit

• OTP policy - Even by region or user base

• User experiences

• Role Management

• Reporting

• Pretty much everything

• Even the service you would like to offer

Page 74

Example Flexibility

SAS offers full automation, including:

• Token provisioning

• Security rules definition engine

• Once created, rules are applied automatically

• Alerts

• SAML service registration

• Self enrolment

• Self service

• Reporting

[Diagram labels: LDAP Changes; Auto Update; SAS; Auto-Provision; User Self-Enrollment; Reporting and Alerts]

Page 75

User Directory Sources

SafeNet supports any user store via a sync agent

SQL, LDAP, AD, ODBC, Lotus, Novell, anything (via custom field mapping)

No schema change

Non intrusive/Read only

Multiple domains

No hardware required

Encrypted transmission of data

Users can also be bulk imported via .csv files and / or created locally

[Diagram labels: Corporate Network (three instances); LDAP / Active Directory / User Source (three instances)]

Page 76

Unified Authentication Platform

[Diagram label: Custom]

Page 77

Widest Choice of Tokens

Authenticators for every user type – and an increasing focus on commoditisation

Authenticators that:

Don't expire

Seed keys can be owned by the subscriber

Can be easily re-assigned to new users

Easy deployment saves cost and time

A token can be included in the service charge

H/W SMS BlackBerry iOS Android Microsoft Java

Multi Platform

USB Grid Microsoft OSx

Page 78

Token Choice

Choose the right token type for each user:

Phone based

Software

Multiple hard tokens

'Tokenless' either SMS or Grid based

Our Authenticators:

Don't expire

Can be included in the service charge

Seed keys can be generated by the customer

Can be re-assigned to new users

Self enrollment options reduce administration

OTP & PIN complexity defined by the customer

Provides the lowest overall total cost of ownership

Supporting 3rd party tokens enables an orderly and cost effective migration

Page 79

Customizable

• Icons

• Colors

• Services

• Multi-language

Request Token

• Approve, Issue, Ship workflow

Self-service API (WSDL)

• Build into existing portals

Self Service

Page 80

User "Aliases"

User has multiple "IDs"

• 1 UserID + up to 2 "Aliases"

• All can use the same token(s)

• Allows for different privileges with only 1 token

[Diagram labels: Standard User Applications; Router & Server Management; Finance Servers; Enterprise Resources; UserID: Bill; UserID: SysAdmin; UserID: Billy]

Page 81

Security

Hardware HSMs Support

• All token seed records encrypted and protected by HSM

• All encryption/decryption executed internally by HSM

• Data center to data center failover

Page 82

SAML Single Sign on

Single Sign-on

• Authentication at one allowed SAML site – access to all allowed sites

• Logoff at one allowed site, logged off at all allowed sites

[Diagram labels: UserID: Bill, Password: "OTP"; SAML Assertion: [email protected]; SAML Assertion: [email protected]; SAML Assertion: bill]

Page 83

SafeNet Authentication Architecture

[Architecture diagram labels: SafeNet Authentication Service; DataCenter (two instances); Administrator; Users; Tokens; Internet; SMS Gateway; Email via SMTP; SMS via HTTP(S) (Subscriber or SP selected); SMS message; Group; Subscriber; User Self-Service; LDAP Synch; Migration Solutions; Authentication; Provisioning; Reporting/Alerts; Agents; User Repository; Token Repository; Virtual Server; Management & Admin; Reports & Alerts; User service requests; Authentication Request (three instances); Radius; SAML; SafeNet Authentication; Self-Enrolment Portals; Security Policy Engines; User Repository Agent; Access Devices; Agents; User information; Migrations Agent; Existing RADIUS Server]

Page 84

Global Trends

“as-a-Service” is Accepted by Customers

Source: The 451 Group Cloud Computing Market Monitor, August 2012

Authentication-as-a-Service is HOT!

$13bn by 2015, with 47% in North America

SAS is absolutely the hottest product!

“Gartner predicts that, by 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations, up from less than 10% today.”

Gartner MQ for User Authentication, 2012

Page 85

Leaders in the Market

Gartner ranks SafeNet @ the top of the Leader's Quadrant

Page 86

Facing challenges you can't address?

SaaS applications

VPNs

Web-based portals

Virtual Environments

More users to protect: employees, partners, contractors

More data and applications to protect

More end points being used

Page 87

1] CONTROL: It is complex to set up, and hard to implement

Page 88

The real world

Page 89

2] AUTOMATION: Difficult and time-consuming to re-provision existing users, and enrol new users

Page 90

3] CHOICE: Only one token choice per user, and can't use existing authentication tokens during the migration

Page 91

4] TCO: hidden service & maintenance costs and high upfront infrastructure costs

Page 93

Pricing!

It's all about total cost of operation

Includes internal costs

Simple per user per year model, MP tokens included, no extras

Opex or Capex models

Automate everything - massively reduces administration costs

Page 94

Summary

Fully Automated

Protect Everything & Everyone

Authenticate Your Way

Migrate Easily

Lower TCO

Page 95

Thank you

Page 96

9:00 – 9:50 Registration of participants. Welcome coffee

9:50 – 10:00 Conference opening

Sergey Kuznetsov - Head of the SafeNet Representative Office in Russia and the CIS

10:00 – 10:15 SafeNet - a leader in the information security market. Company presentation

Gary Clark - Managing Director of SafeNet for the EMEA region (Europe, Middle East and Africa)

10:15 – 10:55 Data expansion. How to protect the virtual data center and the cloud?

Rami Shalom - Vice President of Products and Solutions for Data Encryption and Data Management

10:55 – 11:35 Authentication as a Service (AAAS), or why will your company be among the first to move to cloud authentication?

Jason Hart – Vice President of Cloud Solutions

11:35 – 12:05 Coffee break. Expert zone and partner demo stands open

12:05 – 12:45 Big Data is coming. How to make information accessible yet protected?

Rami Shalom - Vice President of Products and Solutions for Data Encryption and Data Management

12:45 – 13:25 Root of Trust - do your physical and virtual environments need one?

Hermann Bauer – Business Development Director for the EMEA region (Europe, Middle East and Africa)

Marko Bobinac - Product Consultant

13:25 – 13:30 Closing of the plenary session. Questions and answers

13:30 – 14:30 Lunch

Event program

Page 97

Coffee Break


Page 99

Data protection for big data

Rami Shalom, VP, DEC Product Management, SafeNet

Page 100

Data management in the Cloud age

Data management is changing fast:

• Volumes – exponential growth

• Expected Velocity

• Diversity

Traditional systems cannot keep up with the demand

• They're simply not designed for that

New approaches are gaining momentum

• Highly flexible

• Scale easily

• Replicable (resilient)

• Cheaper

Big Data!

Page 101

What is Big Data

“Big data is a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools”

Used for a variety of implementations such as –

• Event collection

• Data crunching

• Unstructured data analysis

• Social networks

• Scientific research – genomic, atmospheric, etc.

• Recently – financial implementations

Page 102

Big Data – how does it work?!

Page 103

Big Data – how does it work?!

Page 104

So what's the risk?

App level hacking. No news.

Data isolation –

• What data is stored in each node?

• Where are your nodes?

• Who can access your nodes?

Keeping track of your data

• Legit/illegitimate access events

• Data location, expansion and flow

Page 105

Where is the challenge?!

Where is the data?

• Where are your nodes?

• What data does each node hold?

• What's the lifecycle of each node?

• …

It's a new framework

• New flows

• Data capacity

• Ubiquity

Cannot rely on predefined data structures like before

Page 106

What would it take to mitigate those risks?

Protect your nodes!

• Make sure no one will access your nodes

• Make sure that wherever they are – they will be safe

• Make sure you can kill a node if needed

Protect your critical data elements

• Credit Card/Identity information

• From legitimate users

• Make sure you comply with regulation

Page 107

What type of a solution would work?

Encrypt your data for effective isolation

Apply across your data to assure proper coverage

Make sure you use the right granularity level

Manage and own your keys!

Page 108

What's available today?

No canned solution to address those risks

No built-in mechanisms, nor are they on the roadmap

Different companies offer different pieces which were repurposed for big data

No vendor offers a complete solution

SafeNet offers the main pieces necessary

Protect Big Data implementations!

Page 109

What does SafeNet have to offer?

App level data protection + Secure access

Node level isolation & identification

System level data protection

Overall Key Management

Storage level data protection

Page 110

App level protection: ProtectApp

Application level agent

Encrypts data as it enters the system

Persistent protection henceforth

Pros: the ultimate solution! Granular, persistent, extensible

Cons: Code level integration required, intrusive.

[Diagram labels: Users; Web/Application Servers; 12345 A7DE8; DataSecure; ProtectApp]

Page 111

Node level Protection: ProtectV

Complete protection for each individual node, using VM level encryption and isolation

Pre-Boot level protection

Centralized key management

Complete protection of data at rest

FIPS 140-2 L3

Page 112

Introducing ProtectV

Data Protection for the Cloud.

Enjoy Data Security AND Virtualization/Cloud

[Diagram labels: Storage; Hypervisor; Hardware Layer; Backup; Snapshots; App / OS (virtual machines); Data used by financial app; Data copied into OS partition's RAM; Data copied into storage; Data copied in hourly snapshot; After]

Page 113

Storage Security Solution

Page 114

Own and manage your keys: KeySecure

Unified key lifecycle management solution

Open standards-based, enterprise key management

High assurance and robustness

• Appliance-based, tamper-proof hardware

• FIPS 140-2 level 3

Optional: virtual key management appliance

Page 115

Summary

Big data introduces new significant risks

Traditional measures do not apply

• Location

• Capacity

• Flows

No built-in and/or canned solutions

It involves multiple pieces

SafeNet offers a crypto framework to mitigate most of the risk


Page 117

Why a Root of trust of your physical & virtual environment is needed?

Marko Bobinac, PreSales Consultant

Page 118

Agenda

Introduction to HSMs

Digital infrastructure on the Front Line

SafeNet HSMs

History, Portfolio and Integrations

Root of trust for your physical and virtual environment

How do we get there?

Introducing SafeNet's Crypto Hypervisor!

Payment HSMs

Page 119

Introduction to HSM

Page 120

Think You Don't Use Hardware Security Modules?

HSMs secure mobile money payments and verbal banking transactions made from phones

HSMs secure card data and the delivery of Personal Identification Numbers (PIN)

HSMs secure entertainment devices, including videogame consoles and Personal Video Recorders (PVR/DVR)

HSMs secure automated toll booth passes

HSMs secure documents for governments, hospitals, and the court system

HSMs secure Smart Metering Systems and the delivery of Meter messages in our homes to Head End Utility systems

HSMs secure Device Manufacturing in the delivery of Trusted Device Identities we use every day

HSMs secure SSL and Web Sites we all use every day

Page 121

What is an HSM?

[Diagram labels: Multiple Application Servers; Application; Key Usage Services; Key Management Services; Key Vault Services; Tamper Resistance/Response; Separation of Duties; MFA with M of N Controls; PKCS #11; CAPI / CNG; Java CSP; OpenSSL; XML-DIGSIG; Backup/Restore; Export Controls; EKM Interface; Policies; FIPS 140-2 Level 3; Common Criteria EAL4+; Offload; Multiple Partitions; High Availability And Load Balancing; Cryptographic Processing]

Page 122

What do HSMs do?

An HSM is a collection of algorithms, secure key storage, accelerators, key management all inside a tamper resistant unit – it's like a box of cryptographic Lego – how you put the elements together determines what the HSM does

Security, Performance, Auditability

Page 123

What is a Hardware Security Module (HSM)?

A device to keep Business critical crypto keys at the highest level of security

Accelerate Crypto operations to eliminate bottlenecks

Provides a clear audit trail for all key materials, crypto operations

We have a wide range of HSM options

• Varying performance, storage capacity, and Form Factors, authentication models

Wide range of SDKs/Toolkits for flexible integration

All with Industry Certifications!

Page 124: Welcome to the SafeNet Executive Day! · And then, there‟s the data itself! How secure is my data in a virtualized world? VMs are easy to copy (and steal.) Virtual data objects

Digital Infrastructures on the Front Line

Page 125: Welcome to the SafeNet Executive Day! · And then, there‟s the data itself! How secure is my data in a virtualized world? VMs are easy to copy (and steal.) Virtual data objects

All IT vendors recommends HSM„s

125

Page 126: Welcome to the SafeNet Executive Day! · And then, there‟s the data itself! How secure is my data in a virtualized world? VMs are easy to copy (and steal.) Virtual data objects

Keys in Software vs. Keys in Hardware

Corporate Responsibility


Image Credit: [funkwood / Deviant Art]

Will you be here?


“sample of SafeNet HSM Partners and users”

... Or rather there?


SafeNet HSM portfolio


Pre-PKI HSMs

EFT

Electronic Funds Transfer

• There was no public Internet, SSL traffic or trusted CAs prior to the 90s

• HSMs were used primarily in card EFT payments and in the banking, government and enterprise sectors for protection of sensitive data and secure data exchange

• SafeNet (back then Eracom, founded in 1979) was one of the pioneers in HSM technology: it developed the very first PC encryption card and has offered HSMs for EFT/card payment security since the early 80s


Traditional PKI Landscape

Certificate Authorities

Registration Authorities

Web Servers

Application Servers

EFT

Traditional PKI Endpoints


The Evolving "Next Generation" PKI Landscape

Smart Grid

Digital Invoicing

Code Signing

e-Passports

… and many more

e-Voting

Online Commerce

e-Signatures

EFT

Next-Generation PKI Endpoints


SafeNet HSM Portfolio

Luna SA, Luna SP, Luna PCI, Luna G5

PS Internal Express, ProtectServer External, Luna EFT, Luna KMIP


Security for Server Systems | Custom Firmware

Network Attached and Scalable

High Performance Cryptographic Processor

Hardware security for Java-based applications

HSM Portfolio - Transaction & Identity Protection

Luna PCI

Luna SA

Luna SP

ProtectServer

Offline Key Archive/Starter HSM Luna G5

Electronic Fund Transfer Luna EFT



200 RSA 1024-bit TPS

600 RSA 1024-bit TPS

7,000 RSA 1024-bit TPS | 1,800 ECDSA TPS

7,000 RSA 1024-bit TPS | 1,800 ECDSA TPS

4,000 RSA 1024-bit TPS

HSM Performance Metrics

Offering the Best Breadth of Performance in RSA, ECC and Symmetric Algorithms

Luna G5

Luna PCI

Luna SA

Luna SP

ProtectServer

Performance

Luna EFT 1600 Visa PIN Verifies


Hardware Security Module Integration

HSMs are always integrated with the application, either on the same server or network attached

The application uses keys stored in the HSM, usually via a client, but keys NEVER leave the HSM

HSM Usage:

• PKI: key storage for CAs, signing of digital certificates

• EFT: retail and banking (PIN processing for credit/debit cards at ATMs or point of sale, smart card issuance). PCI DSS requirements

• Customised applications: document signing, time stamping, ePassport projects, DNSSEC, AMI


HSM Integrations (a partial general-purpose list)

ActivIdentity 4TRESS Authentication Server

ActivIdentity ActivID CMS

Microsoft CA Luna SA PKI-Bundle

Adobe LiveCycle Digital Signatures ES2

Adobe LiveCycle Document Security with Luna SA

Apache HTTP Server

BIND/OpenDNSSEC DNSSEC

EJBCA (Primekey)

Emue Technologies Fortress

Entrust Security Manager

IAIK PKCS #11 Provider

IBM Tivoli Access Manager

IBM Websphere MQ

Microsoft ADRMS (& RMS)

Microsoft Authenticode

Microsoft Certificate Enrolment

Microsoft Certificate Services

Microsoft FIM (ILM & CLM)

Microsoft IIS

Microsoft OCSP

Microsoft SharePoint

Microsoft SQL Server

OpenCA

OpenSSL

Oracle 11g

Protegrity DPS

Red Hat Certificate Authority

RSA Keon

SafeNet ProtectDrive

SafeNet SMCII

SafeNet Authentication Service

SafeNet Authentication Manager

SafeNet DataSecure i460

SafeNet KeySecure k460

Sun Java PKCS#11 Provider

Tumbleweed OCSP

Vasco VACMAN Controller

Venafi Encryption Director

Vordel XML Gateway


Payment SW Vendors – HSM Integration

Payment Software Vendor | Product Name | Business Region Served

ACI Base24-eps + TSS Global

ACI / EPS ASx EE

ACI / S1 Postilion Global

ACI / S2 Systems ON/2, OpeN/2 MEA

Arius Asoft EMEA

Banksoft BPS (Banksoft Pre-Personalisation System) EMEA

BPC (Banking Production Centre) SmartVista Global

Compass Plus Tranzware Online, Card Factory EMEA, APAC

CR2 BankWorld EMEA

CSFI u/SWITCHWARE Global

CubeIQ AlphaPIN EMEA

Distra e-switch APAC, EMEA

FIS / EFunds / Oasis Technology Connex, IST/Switch Global

HPS PowerCARD EMEA

Interblocks iSuite iSwitch APAC, MEA

Interpro Switch Americas

i-Sprint USO, AccessMatrix UAS MEA

IWI Net+1 APAC

OpenWay Way4 EMV Issuance EMEA, APAC

Opus / ECS Electra EFT Switch APAC, EMEA

RS2 BankWorks EMEA

S2M SELECT EMEA

Silverlake SIBS APAC

Sparkassen IT Solution Payment Switch EMEA

Sungard CardPro Americas, APAC

Tallyho Online Switch Module Americas, APAC

TAS CARD EMEA

TECS TECS Payment System EMEA

TietoEnator TransMaster EMEA

TPS Iris (Phoenix), Access, Sentinel EMEA

TSYS CTL ONLINE, PRIME, NCRYPT Global

Collis EMV Host Toolkit, PVT Global

Barnes International CPT 3000 EMV PVT EMEA


SafeNet HSM Integration Samples

SafeNet solutions using HSM

• SafeNet Authentication Manager - SAM
• SafeNet Authentication Service - SAS
• KeySecure k460
• DataSecure i460
• SafeNet Management Console II (for HighSpeed encryptors)
• SafeNet KMIP (manage keys on HSM)


Root of trust for your physical and virtual environment


… But HW doesn't work in a Virtual World?

Today's hardware-based encryption solutions are designed for the physical world!

Islands of encryption

Limits of encryption today:

• Time-consuming crypto rollouts
• Very slow to scale up and down
• Inability to protect & control data centrally
• Can't take full benefit of the cloud

DNSSEC SSL Email Code Sign Database


What is needed?

Encryption Infrastructure that follows the cloud model!

Benefits:

• Reduce Costs (Reduce DC presence)
• Centralize SME Crypto Group
• Unify Governance and Compliance
• Centralize services

Islands of encryption

DNSSEC SSL Email Code Sign Database

Centralized Encryption model


On Demand Cryptographic Resources for Your Virtual Data Center and the Cloud


Where do we start?... With a hypervisor for encryption…

Introducing the SafeNet Crypto Hypervisor!

Crypto Hypervisor c. 2013

• HSM Partition

• HSM Isolation

• Dynamic crypto allocation

VMware hypervisor c. 2001

• O/S Partition

• O/S Isolation

• Dynamic resource allocation

Application

Hypervisor

Operating System

Hardware Platform

Dynamic Crypto Resource

Crypto Hypervisor

Crypto Hardware Platform (HSM)

Application


Crypto Hypervisor: Designed for operational cloud model

1. On-demand crypto delivery
2. Self-service portal for users
3. New crypto services spin up easily
4. Encryption now a cloud enabler
5. Part of "New VM Rollout Process"
6. Apps can now migrate to cloud


Three things to know about Crypto Hypervisor

Built for the cloud

• Shared resource pooling, rapid elasticity and multi-tenancy

• Can reduce capital costs up to 95%

Lower TCO

• Take advantage of virtualization

• Deliver high-assurance cryptographic resources in a fraction of the time

• 5 minutes, not 5 hours

Centralized control

• Strong auditing capabilities

• Compliance in the Cloud

• Ensure enterprise-wide consistency of crypto policy


Crypto Hypervisor Extends the Capability of HSMs to Fit the Cloud Model

NIST [1] Cloud Definition of Essential Characteristics | Legacy HSMs | Crypto Hypervisor
On-Demand Self-Service | No | Yes
Rapid Elasticity | No | Yes
Measured Service | Some | Yes
Broad Network Access | Yes | Yes
Resource Pooling | Some | Yes
Multi-Tenancy [2] | No | Yes

1. National Institute of Standards and Technology

2. Multi-Tenancy is an essential characteristic added by the Cloud Security Alliance


What's in the Crypto Hypervisor

Crypto Command Center Bundle

Crypto Command Center

SafeNet PED II

SafeNet Luna G5

SafeNet Luna SA 5.2

HSM Includes:

• Crypto Command Center Software

• SafeNet Luna G5

• Local PED II

• PED II Keys


What is Crypto Command Center?

System (SW) to automate the provisioning of HSM resources

Abstracts the management of HSMs from the end user

Administrators

• Manage the crypto for your company

• Manage the physical HSM devices

• Determine what crypto services are offered

• Create a catalog of services for end users

• Manage who has access to those services

Consumers/Users

• Manage crypto applications that consume crypto services

• Own their HSM resource when 'leased'

• Request and release use of HSM resources from catalogues

• Always in control of their keys!


VM is Stolen… VMs with “HTL” Host Trust Link

HSM Client VM

NTLS

Luna SA

Today:

• Stolen VM will not be granted access to SA partition

• Stolen image does not have OTT, required to establish HTL Link

X Access Denied

• Prevents theft of an at-rest VM image

• Connection to the SA is authorized by a one-time token

HSM Client VM


Benefits for Private or Public Cloud…

Reduced Risk
• FIPS/CC validated HSM for applications
• Centralized compliance and governance

Increased Efficiency
• Fast secure application deployment

Reduced Cost
• Centralized crypto experts
• Shared HSM crypto resources

Increased Revenue
• New HSM 'AAS' Offering


Production example: AWS CloudHSM

• Secure Key Storage and Cryptographic Operations

http://aws.amazon.com/cloudhsm/


Payment HSMs and Use Cases

Hermann Bauer, Director HSM Business Development, EMEA


Agenda

Criticality of Payment and Banking Systems

HSM Payment Solutions and Use Cases

• Card Transaction Processing (Acquiring, Switching, Authorisation)

• Card Issuance (Data Preparation, Card Personalisation) of EMV and mag-stripe cards, plus PIN Issuance

• OTP with EMV Card (Chip Authentication)

• 3D Secure Internet Payments using Payment Card

• Contactless Payment Cards

• NFC Mobile Payments

• OBM (Online Banking Module) for End-to-End Encryption of Online Credentials

• Remote ATM Key Loading

• PCI/P2PE Compliance & Fraud Reduction

• ViewPIN – Secure online delivery/distribution of card PINs to cardholder

• Wholesale Payments / Interbank Funds Transfer

• Check Clearing


Why are Payment & Banking Systems, as well as their protection, so critical?


Payment Systems

Financial Institutions, PSPs and Electronic Payment Systems
• Integral part of the global economy = infrastructure, lifeblood

Wholesale and Retail Payments very much intertwined
• Most wholesale payments are the result and the collection of many small retail payments

Regulation and Standardization of the Payments market
• Use of HSMs mandated by card schemes (Visa, MasterCard) and domestic payment organizations
• EMV, PCI, SEPA, PSD, ...

Financial Institutions & Payment Service Providers are very security conscious because MONEY is the #1 target of criminals & fraudsters

HSMs critical in protecting MONEY


Data Breaches – Victims & Motives of Attackers

Source: 2013 Verizon DBIR

… Well, what a surprise … MONEY

Motives of Hackers

$$$


Steady Growth in Payment Cards, Payment Transactions & e- and m-Payments

Non-cash payments growth worldwide 7.1% in 2010 (283 bn, 306 bn expected in 2011)
• Strong growth rate in developing countries (16.9%)
• Increase of more than 30% in Russia and China

Cards (debit cards and credit cards) biggest driver of non-cash payments volumes globally
• Cards accounted for 55.8% of all non-cash payments in 2010
• In 2010, more than one in three non-cash payments were made using a debit card

Rapid growth of e-payments and m-payments
• E-commerce activities (e-payments) are forecast to reach 31.4 billion in 2013, 20% sustained growth a year in 2009-13
• Payments using mobile devices (m-payments) expected to grow even faster, by 52.7% a year to reach 17 billion in 2013

Source: World Payments Report 2012


Card Transaction Processing

Acquiring, Switching, Authorisation


Card Payment Security Concepts & Services

Card Payment Transaction Security primarily based on symmetric cryptography (DES3)

Security Requirements

• User authentication
• Secure PIN processing ("end-to-end" protection requirement)
• Card authentication
• Transaction authentication
• Data confidentiality
• Cryptographic key management…

…involves the use of a certified HSM, mandated by
- international card schemes
- national payment schemes


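Card Transaction Processing - Role of the HSM

[Diagram: Terminal (T), Acquirer (A), Switch 1 (S1), Switch 2 (S2), Issuer A (IA), Issuer B (IB); steps 1, 2 and 3 of the operations below are marked along the transaction path]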

PIN operations

1. PIN Encryption

2. PIN Translation

3. PIN Decryption & Verification

Message Authentication operations

1. MAC Generation

2. MAC Translation (Generation/Verification)

3. MAC Verification

Each connected pair of entities shares a common key to form a key zone
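The MAC operations listed above (generation, translation, verification) can be modelled in a few lines. This is an added example, not SafeNet code: `NodeHSM`, `build_path` and `send` are hypothetical names, HMAC-SHA256 truncated to 8 bytes stands in for the DES3-based MAC, and the keys and message are constructed samples.

```python
import hashlib
import hmac
import secrets


class MacError(Exception):
    """Raised when a MAC does not verify under the expected zone key."""


class NodeHSM:
    """Toy stand-in for the HSM at one node (hypothetical class, not a vendor API).

    Zone keys are loaded once and no method returns them; callers only get
    MACs or a pass/fail answer, mirroring "keys never leave the HSM".
    """

    def __init__(self, node):
        self.node = node
        self._zone_keys = {}

    def load_zone_key(self, zone, key):
        self._zone_keys[zone] = key

    def generate_mac(self, zone, message):
        # Assumption: HMAC-SHA256 (truncated) replaces the DES3 MAC used in practice.
        return hmac.new(self._zone_keys[zone], message, hashlib.sha256).digest()[:8]

    def verify_mac(self, zone, message, mac):
        return hmac.compare_digest(self.generate_mac(zone, message), mac)

    def translate_mac(self, zone_in, zone_out, message, mac):
        """Verify under the inbound zone key, then re-MAC under the outbound one."""
        if not self.verify_mac(zone_in, message, mac):
            raise MacError(f"{self.node}: MAC invalid in zone {zone_in}")
        return self.generate_mac(zone_out, message)


PATH = ["T", "A", "S1", "IA"]   # Terminal -> Acquirer -> Switch 1 -> Issuer A


def build_path():
    """Create one HSM per node and one shared key per connected pair (key zone)."""
    nodes = {name: NodeHSM(name) for name in PATH}
    for left, right in zip(PATH, PATH[1:]):
        zone = f"{left}-{right}"
        key = secrets.token_bytes(16)            # constructed sample zone key
        nodes[left].load_zone_key(zone, key)
        nodes[right].load_zone_key(zone, key)
    return nodes


def send(nodes, message, tamper_on_link=None):
    """Carry a message along PATH and return (accepted, trace).

    tamper_on_link names a zone (for example "A-S1") in which the message is
    altered in transit, to show which node's HSM detects the change.
    """
    trace = []
    mac = nodes["T"].generate_mac("T-A", message)             # 1. MAC generation
    trace.append("T: generated MAC in zone T-A")
    for i in range(1, len(PATH)):
        zone_in = f"{PATH[i - 1]}-{PATH[i]}"
        if tamper_on_link == zone_in:
            message = message.replace(b"amount=10.00", b"amount=99.00")
        node = nodes[PATH[i]]
        try:
            if i < len(PATH) - 1:                             # 2. MAC translation
                zone_out = f"{PATH[i]}-{PATH[i + 1]}"
                mac = node.translate_mac(zone_in, zone_out, message, mac)
                trace.append(f"{node.node}: translated MAC {zone_in} -> {zone_out}")
            else:                                             # 3. MAC verification
                if not node.verify_mac(zone_in, message, mac):
                    raise MacError(f"{node.node}: MAC invalid in zone {zone_in}")
                trace.append(f"{node.node}: verified MAC in zone {zone_in}")
        except MacError as err:
            trace.append(str(err))
            return False, trace
    return True, trace


SAMPLE = b"pan=4111111111111111;amount=10.00;stan=000123"     # constructed message

if __name__ == "__main__":
    hsms = build_path()
    for link in (None, "A-S1"):
        accepted, steps = send(hsms, SAMPLE, tamper_on_link=link)
        print("tampered link:", link, "accepted:", accepted)
        for step in steps:
            print("  ", step)
```

PIN translation follows the same pattern, with decrypt-under-inbound-key and re-encrypt-under-outbound-key taking the place of verify and re-MAC inside the HSM.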


Card & PIN Issuance

Card Management, Data Preparation, Card Personalisation


Card Issuance

Card Management, Data Preparation, Card Personalization

Applications
• Production & personalization of smart cards & secure documents
• Card types & environments:
  • Payment Cards (EMV & mag-stripe credit/debit cards), Fuel/Fleet Cards
  • eID / e-Passport Documents
  • eHealth Cards
  • Telco/SIM Cards
  • Loyalty/Gift Cards
  • Corporate ID Cards
  • Online Banking & Authentication Cards & Tokens
• Personalization data includes private user information (PAN, PIN), keys and certificates

HSM Usage
• Data Preparation: Server side key, PIN, certificate generation for injection into smart card
• Personalization: Encrypted communications (Secure Messaging) with smart card for chip encoding
• High speed/throughput key generation/derivation - may do thousands of cards per hour
• High availability – cannot tolerate stoppage of automated card processing equipment
• Adherence to relevant standards: EMV, ANSI, ZKA, APCA, GlobalPlatform, ICAO, …
• Certifications: FIPS 140-2 Level 3, PCI-HSM

Application Providers
• ACI/BellID, AustriaCard, BPC, CardHall/Pronit, CardTek, Compass Plus, Cryptomathic, DataCard, G&D, Gemalto, Morpho, Mühlbauer, NBS/UbiQ, Oberthur, OpenWay, TSYS CardTech, …


Card Issuance – Central Back Office

[Diagram: Issuer (Bank, Government), Chip Manufacturer, Card Manufacturer and Personalizer / Personalization Bureau; systems shown: Card Application Management System, Data Preparation System, Card Production System, Personalisation System, HSMs; items exchanged: KEK, KMC, OS + App, OS + Card Application, encrypted file(s)]


Instant Issuance at Branch


HSM


PIN Mailing / Key Mailing

HSM Features
• HSM directly attached to printer
• PINs never exposed in clear form (outside of protected HSM environment)
• HSM generates and prints PINs to PIN Mailers
• Support of PIN Mailer layouts in Postscript format 10)
• PIN Printing in Words
• USB & Serial Printing
• Separate PIN Mailer User Roles
• Extensive Auditing


OTP with EMV Card

Chip Authentication Program (CAP)


Chip Authentication Program (EMV-CAP)

Payment Card as General-Purpose Secure Authentication Device

Card + Offline Reader

Products: Mastercard CAP & Visa DPA
• Two Factor Authentication (2FA)
• Payment Card (Credit or Debit) & PIN

Authentication Process
• Payment card inserted into stand-alone reader
• Cardholder authenticates to the chip with PIN entered on the reader (not interceptable)
• Card produces One-time Password (OTP), not susceptible to "phishing" attacks
• Any chip card loaded with standard Mastercard M/Chip or Visa VSDC payment application or stand-alone CAP/DPA card

Advanced feature: Transaction Signing


3D

Verified by Visa

MasterCard SecureCode

3D-Secure Internet Payments


3D-Secure Credit-Card Transactions over the Internet

• A Visa Initiative, but licensed to others:
  • Verified by Visa
  • MasterCard SecureCode
  • JCB J/Secure
• For merchants and financial institutions, specifies authentication and processing procedures
• Requires some form of card-holder authentication, at this stage generally keying of a password/PIN


3D-Secure - Online Card Payment Technology

Purpose
• Increase e-commerce transactions
• Promote consumer confidence
• Increase member and merchant profitability

Features
• Provide global framework for authentication of remote payments
• Reduce operational expense by minimizing chargebacks for unauthorised use
• Can be implemented without special cardholder SW or HW
• Extensible as to authentication methods (e.g. payment smartcards, certificates)
• Enhanceable by Issuer without impacting acquirer or merchant
• Extensible into emerging channels like mobile phones, PDA, digital TV
• Based on globally accepted technical standards
• Provides a centralized archive of payment authentications for use in dispute resolution

3D-Secure Components
• MPI – Merchant Server Plug-In
  • processes payment messages
• ACS – Access Control Server
  • Issuing application requiring FIPS 140-2 Level 3 HSM
• CAVV – Authentication code for card generated by HSM
  • Authenticates card holder, merchant and transactions


Contactless Payments

MasterCard PayPass

Visa PayWave


Contactless Cards

Simpler way to pay, higher convenience, speed

"Tap & Go" experience (public transport, parking garages, toll roads, fuel dispensers)

Minimum impact on existing payment infrastructure

2 offerings:

• Contactless / (EMV) Chip
  • Usually dual interface card (contact and contactless)
  • Uses standard EMV authentication technologies (SDA/CDA)
  • Low-value payments, approved offline by both card and terminal (for fast transactions)
• Contactless / Mag-Stripe
  • meaning: for magnetic-stripe payment infrastructures
  • potentially other form factors (key fob, watch)
  • Online Payments
  • New authentication mechanism: Static or Dynamic CVV (CVC3 / dCVV)


Mobile Payments

NFC Mobile Payments


NFC Mobile Payments

"Payment Card" on mobile phone

• NFC used for communications (up to 10 cm distance)

• Payment app resides in SE (Secure Element) on mobile

• UICC, MicroSD, Integrated Chip

Equivalent to contactless/mag-stripe card

No modification to existing (contactless) acceptance infrastructure

No mobile network activity during transaction (payment app on mobile <-> reader/terminal)

New: OTA (over-the-air) personalisation/provisioning

• Issuer Installation (full OTA personalisation)

• Service Provider Installation (pre-installation)

• MasterCard and Visa offer such services


OBM (Online Banking Module)

End-to-End Encryption of Credentials for Internet/Online Banking


Internet Banking E2E Application

Typical internet security from the browser to web server is SSL, terminated at the web server

End-to-end encryption, browser to host, provides totally secure online transactions - end-to-end PIN / password protection

RSA encryption at client with Java applet – HSM decryption and verification at host

Supports numeric (card) PINs and (alphanumeric) passwords (4-30 characters)

PIN/password change option

[Diagram: Internet, Web Server, Application Server/Host]


ATM Remote Key Loading


ATM Remote Key Loading

RKL means the secure on-line transport to the ATM of its initial DES/3DES key (A-key, TMK) using public key techniques, along with associated key and certificate management.

RKL eliminates the arduous nature of manual key loading and the associated compliance tracking

Result: dramatically reduced cost and increased security

PCI-DSS compliant (change keys once per year)

2 Methods:
• Certificate-based (Diebold)
• Signature-based (NCR, Wincor-Nixdorf)


PCI-P2PE Compliance & Fraud Reduction

eCommerce & Payment Service Providers


PCI-DSS & PCI-P2PE Compliance

Key Requirements:

• Protect cardholder information (when stored and transmitted)

Technologies:

• Network segmentation

• Tokenization

• Encryption reduce PCI scope

• Point-to-point encryption (P2PE)


What is Point-to-Point Encryption?

Point-to-Point Encryption (P2PE) is encryption of sensitive data at the Point-of-Interaction (POI) for secure transmission to a secure boundary where it may be decrypted, re-encrypted or tokenized.

FIPS 140-2 L3 or PCI-HSM certified HSM is required by P2PE decryption provider


Payment Solutions using other SafeNet HSMs and Appliances (Luna SA/PCI, Luna SP, DataSecure)

ViewPIN

Electronic Check Processing

Wholesale Payments / Interbank Funds Transfer

PCI-DSS Compliance – Encryption and Tokenization


ViewPIN

Secure Online PIN/Credential Delivery


Secure Online PIN/Credential Delivery

ViewPIN - Luna HSM helps provide the only secure/easy-to-use online EMV PIN delivery solution

Solution allows card issuers to provide a secure electronic alternative to traditional PIN mailers

Benefits
• Instant PIN issuance allowing immediate use of card
• Cost savings associated with not having to issue paper PIN mailers
• Eliminates PIN mailer interception fraud via post
• Provides a competitive advantage


Compliance & Fraud Reduction


DataSecure Powerful Centralized HW-Based Encryption Management


Compliance & Fraud Prevention

• Solution built from the ground up to meet compliance requirements (e.g. PCI-DSS)

• Two methods: encryption and tokenization

Encryption

• At DB level (transparently) or application layer

Tokenization

• Tokenization replaces sensitive data (credit cards, social security numbers etc.) with a surrogate value, a token

• As a result, most system components are exposed only to the surrogate value and NOT to the original sensitive data

• Protects sensitive data and eliminates the risk of data-blooming

• Sensitive data does not exist in the system and processing is done only with the token

• Significantly reduces regulatory scope

• Works best on structured data


Wholesale Payments / Interbank Funds Transfer


Wholesale Payments (Funds & Securities)

[Diagram: FIPS certified SafeNet HSMs serving small banks and large banks. Labels: Applications, Directory, Certificate Authority, Key Management, SSL Acceleration, Access Control via 2 or 3 factor. Financial Transaction Infrastructure: Payments & Cash Mgt, Treasury & Derivatives, Trade services, Pre-Settlement/trade, Clearing services, Custody services.]


Check Clearing


Check Clearing Process Embedded Example

Check MICR data & images are captured at the Presenting Bank

[Diagram: Clearing House Interface (Presenting Bank), Clearing House and Clearing House Interface (Paying Bank), each with a Luna PCI for root key storage, signing and encryption. Flows: signed & encrypted outward electronic check MICR & image; outward return check MICR; inward check MICR & images; Electronic Check Archive. Other labels: Luna SA, user auth, auth & license control, database encryption, OCSP & enc data, sign & enc data.]


Thank you


Wrap up - Closing of the plenary session + Q&A


Takeaways

SafeNet 2013 – Introducing the New SafeNet Company in Russia

We have an answer to today's new technology challenges:

• Virtualization

• Mobility

• Cloud computing

• Big Data

Continued investment in the core business:

• eToken/iKey, FSTEC certification

• HSMs/HSEs, new capabilities

• DataSecure, virtual appliance

SafeNet in Russia – serious investment plans:

• Staff

• Localization/certification of solutions

• Availability of training


9:00 – 9:50 Participant registration. Welcome coffee

9:50 – 10:00 Conference opening

Sergey Kuznetsov - Head of the SafeNet Representative Office in Russia and the CIS countries

10:00 – 10:15 SafeNet - a leader in the information security market. Company introduction

Gary Clark - General Director of SafeNet in the EMEA region (Europe, Middle East and Africa)

10:15 – 10:55 Data expansion. How to protect the virtual data center and the cloud?

Rami Shalom - Vice President of Products and Solutions for Data Encryption and Data Management

10:55 – 11:35 Authentication as a Service (AAAS), or why will your company be among the first to move to cloud authentication?

Jason Hart – Vice President of Cloud Solutions

11:35 – 12:05 Coffee break. Expert zone and partner demo stands open

12:05 – 12:45 Big Data is coming. How to make information accessible yet protected?

Rami Shalom - Vice President of Products and Solutions for Data Encryption and Data Management

12:45 – 13:25 Root of Trust - do your physical and virtual spaces need it?

Hermann Bauer – Director of Business Development in the EMEA region (Europe, Middle East and Africa)

Marko Bobinac - Company Product Consultant

13:25 – 13:30 Closing of the plenary session. Questions and answers

13:30 – 14:30 Lunch

Event program


13:30 – 14:30 Lunch

Breakout sessions, part 1

Session 1: SafeNet Authentication Service

Session 2: Storage Secure

Session 3: Hardware Security Modules

14:30 – 15:15 Presenters:

Session 1: Jason Hart, SafeNet; Mikhail Rozhnov, CertSys

Session 2: Rami Shalom, SafeNet; Andrey Laptev, SafeNet

Session 3: Hermann Bauer, SafeNet; Vladimir Degtyarev, Demos

15:15 – 15:25 Questions and answers (all sessions)

15:25 – 15:50 Coffee break. Expert zone and partner demo stands open

Breakout sessions, part 2

ProtectV

Data Secure: Tokenisation Solution Demo

Hardware Security Module EFT, HSE/Senetas

15:50 – 16:35 Presenters:

ProtectV: Rami Shalom, SafeNet; Mikhail Rozhnov, CertSys

Data Secure: Marko Bobinac, SafeNet; Andrey Laptev, SafeNet

Hardware Security Module EFT, HSE/Senetas: Vladimir Degtyarev, Demos

16:35 – 17:00 Questions and answers (all sessions)

17:00 – 18:00 Closing of the event. Cocktails

Event program