Data encryption in the storage network; tokenization of credit card numbers. EMC Forum 2009, Dipoli. Jon Estlander, RSA
Agenda
Encryption of stored data
Data encryption in the storage network: RSA Key Manager
Tokenization of credit card numbers: RSA Tokenization Server (HOT!)
Encryption of stored data (data at rest)
[Diagram: where encryption can be placed, from clients across LAN, SAN and WAN to servers: application-based, DB- or file-based, host-based, SAN-based, platform-based.]
Encryption of stored data
A growing trend
Where and why data is encrypted: USB sticks, laptop disks, servers; compliance, PCI, tightened information security regulations
Which risk encryption of stored data addresses: storage media stolen or lost, unauthorized use
Must be proportionate to the security classification of the stored data
Encrypting data does not remove other risks
Must be in line with the organization's information security policy
Fabric-Based Encryption Solution
Provides high-level encryption: AES-256 (IEEE 1619 XTS for disk, IEEE 1619.1 GCM for tape)
Provides high-level compression: GZIP variant applied before encrypting
Non-intrusive installation into the storage fabric
Supports heterogeneous storage and tape systems
SAN encryption in practice
[Diagram: the Host/Server sends clear-text I/O data to the Encryption Switch, which forwards it onward as encrypted I/O; the switch obtains its keys from RSA Key Manager.]
RSA Key Manager
Industry-leading interoperability: scales across the enterprise; centralized key management of encryption solutions across the IT stack
Key integration partners: EMC PowerPath and Connectrix, native tape, application and database encryption
Alignment with standards: closely aligned with key management standards
[Diagram: RSA Key Manager Server serving PowerPath Encryption, Connectrix Encryption, Tape Backup Encryption, RSA BSAFE Application Encryption and Database Encryption.]
Active Client Management
Secure Zone / Central Control: manage key policy centrally for greater security
Active Management: send critical key commands down to clients
[Diagram: Web Server with Access Manager Agent, Access Manager Server (RSA Access Manager), Application Server, Key Manager Server, Key Manager Admin Console, HSM Library, Database Server.]
High Availability and Disaster Recovery
Built-in clustering: local clustering at each site for high availability; automated process to keep keys available at all times
Remote replication: RKM has automated remote replication to ensure key protection
Finding the Right Protection for the Job
Truncation/Masking: useful for receipts and customer service reps; original card number cannot be recreated; e.g. xxxx-xxxx-xxxx-5608
Hashing: one-way encryption; useful for data warehouses and returns; original card number cannot be recreated; questionable security unless keyed or salted; significantly transforms data form and size; e.g. H&3Jk2)6$m<L63qDs7@mGIwv63%m*w@q
Finding the Right Protection for the Job
Tokenization: a PAN is securely stored and a token is substituted; the token can have similar characteristics to a card number; the token has no cryptographic/mathematical relationship to the actual PAN; e.g. 9837-4930-5838-3493
Encryption: the PAN is encrypted and can be stored anywhere; encryption keys must be securely managed; significantly transforms data form and size; e.g. H&3Jk2)6$m<L63qDs76mG* H&3Jk2)6$w&qm<L63q Ds7@mGIwv63Iw&t3%m%m*w@q73Hte%nF29^!h1d=
Tokenization - Why Use It
Reduces code changes: no code changes required if clear text isn't accessed; fewer modifications to GUIs; solves many of the "I don't own the application" problems
Reduces database changes: search capability preserved by referential integrity; no need to alter database schemas
Decreases access management: if partial disclosure of clear text (e.g. the final four digits of the PAN) is supported, then access to de-tokenization is eliminated
Reduces integration complexities: minimizes the need for cryptographic expertise; eliminates cross-platform complexities introduced by encryption
Data Tokenization Example
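As an added illustration that is not part of the original deck and not RSA Tokenization Server code, the following Python models the protections compared on the previous slides: masking, keyed hashing, and vault-based tokenization in which the token is random, keeps the final four digits, and has no mathematical relationship to the PAN. The TokenVault class, SAMPLE_PAN (a well-known test number) and the rule that tokens must fail the Luhn check are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed, well-known test card number (Luhn-valid, not a real account).
SAMPLE_PAN = "4111-1111-1111-1111"

def luhn_valid(digits):
    """Luhn check-digit test; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Truncation/masking: only the final four digits survive (receipts, call centre)."""
    return "xxxx-xxxx-xxxx-" + pan.replace("-", "")[-4:]

def keyed_hash(pan, key):
    """Keyed hash (HMAC-SHA256): one-way, and worthless to an attacker without the key."""
    return hmac.new(key, pan.replace("-", "").encode(), hashlib.sha256).hexdigest()

class TokenVault:
    """Hypothetical in-memory vault standing in for a tokenization server."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}
    def tokenize(self, pan):
        digits = pan.replace("-", "")
        if not digits.isdigit() or not luhn_valid(digits):
            raise ValueError("not a plausible PAN")
        if digits in self._token_by_pan:   # same PAN -> same token, so database joins still work
            return self._token_by_pan[digits]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]      # keep last four so masked display needs no detokenization
            # The token is random, not derived from the PAN. Rejecting Luhn-valid tokens (an
            # assumption of this example) means a token can never pass for a real card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        formatted = "-".join(token[i:i + 4] for i in range(0, len(token), 4))
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = formatted
        return formatted
    def detokenize(self, token):
        """Only the vault can map a token back; this is the access to restrict."""
        return self._pan_by_token[token.replace("-", "")]
```

Applications that only ever show the masked form never need detokenize, which is the access-management reduction the slide describes.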
Summary: remember at least these
Encryption of stored data: the different options
RSA Key Manager: key management
Tokenization of credit cards: HOT! - PCI