#MicroFocusCyberSummit
SecureData Sentry
Alistair Rigg & Phil Sewell
Accelerate your migration to cloud workloads
Enterprise Cloud Trends and Risks
Cloud Trends; Security Risks and Concerns
- Cloud is the #1 target for security spend increase by Chief Security Officers (2)
- An average of 27 different cloud apps and services are used by an enterprise (1)
1: The 2018 Global Cloud Data Security Study, by Ponemon Institute LLC, 2018
2: 2017 Security Priorities, survey of Chief Security Officers, IDG, 2017
But Data Protection Must Not Hinder:
- Spinning up cloud workloads at the speed your business demands
- Adopting XaaS IT solutions for hybrid computing opex economies
- Accessing data for business processes and analytics
Solution: Use De-identified Data in the Cloud
- Protect “de-identified” data at global scale
- Transfer protected/ingested data to the cloud
- Maintain real-world value, control – usability
- Eliminate the need to decrypt or use live data
Original: First name: John, Last name: Smith, Company: ACME
De-identified: First name: Kijx, Last name: Yöecä, Company: aICb
Top Data Security Challenges in the Cloud
Cloud customers need a data-centric approach for cloud data protection
Platform concerns
× Lack of control over platform
Multi-tenancy
× Insider threats, malicious code in a shared environment
Gaps in controls
× Lack of protection across multi-cloud and on-premises
Compliance
× Stricter legislation, GDPR, HIPAA
× Data residency
Diagram labels: IaaS; PaaS; SaaS
Voltage SecureData: End-to-End Security in the Cloud
De-identified data provides end-to-end protection, across hybrid environments, accelerating DevOps
- Platform agnostic: protection embedded into the data itself
- Neutralizes threats: data unusable for attacker/insider
- End-to-End Coverage: data protected in-transit, in-use, at rest
- Meets Compliance: encrypted data may not trigger penalties
Diagram labels: IaaS; PaaS; SaaS
Voltage SecureData Platform
Voltage Stateless Key Management
- No key database to store, manage or compromise
- High performance and scalability for modern IT
Encryption and tokenization technologies
- Customize solutions to meet exact requirements and regulatory mandates (e.g., PCI, anonymization)
Broad platform support
- Consistency from on-premises to hybrid cloud
- Structured and unstructured data coverage
- Agnostic for Linux, Hadoop, Windows, AWS, IBM z/OS, HPE NonStop, Vertica, Teradata, etc. support
Quick time-to-value
- Complete end-to-end protection within a common approach to deploying Voltage data protection across endpoints
- Format-preservation maintains transparency, usability
- Sentry accelerates deployment with non-disruption
Diagram labels:
- Voltage SecureData Management Console
- Voltage SecureData
- Voltage SecureData Web Services API (REST, SOAP)
- Voltage SecureData native APIs (C, Java, C#, .NET)
- Voltage SecureData Command Lines & Automated File Parsers
- Voltage SecureData File Processor
- Voltage SecureData Sentry
- Atalla HSM API
Voltage SecureData Cloud: Data-centric Cloud Protection
SecureData management infrastructure running natively in cloud-hosted environments
- Deployed directly within Azure and AWS
- Accelerates adopting new business models – spin up DevOps with data protection
- Innovate more easily and accelerate time to value, combined with SecureData Sentry
- Native protection on AWS with SecureData Cloud for AWS – reduces opex on-premises
Voltage SecureData – Data Security Platform
Policy controlled data protection and masking services & clients:
- iOS and Android devices
- Volume Key Management
- Voltage SecureData Web Services API (REST, SOAP)
- Voltage SecureData Command Lines & Automated File Parsers
- Voltage SecureData native APIs (C, Java, C#, .NET)
- Voltage SecureData File Processor
- Voltage SecureData Native UDFs
- Voltage SecureData z/Protect, z/FPE
- Partner integrations
- Voltage SecureData Sentry
Business applications, data stores and processes:
- Payment terminals
- Mobile apps
- Volumes and storage
- Enterprise applications
- Production databases
- ETL & data integration suites
- 3rd party applications
- Teradata, Hadoop & Vertica
- Voltage Nonstop Applications & Databases
- Mainframe applications & databases
- Network Interceptors
- Web/cloud applications (AWS, Azure)
- SaaS apps
- Payment systems
Core components:
- Voltage SecureData
- Atalla HSM
- Voltage SecureData Management Console
- Authentication & authorization sources (e.g. active directory)
Platform Support and Design Fundamentals: Securing Cloud Workloads
- Protect on-premises and deploy protected data to the cloud
- Enable protect & access within compute workloads
- Deploy Voltage Servers into AWS and Azure*
- Plan for containerization of Voltage Servers opening up other cloud opportunities, incl. Google Cloud
- SaaS data protection with Voltage SecureData Sentry
Diagram labels: Compute; Data; Corporate Data Center; Voltage Servers; SecureData Sentry; Amazon Web Services; Windows Azure; Google Cloud Platform; Salesforce; Microsoft Dynamics CRM
Protected data:
Name            SS#           Credit Card #
Kwfdv Cqvzgk    161-82-1292   3712 3486 3545 1001
Veks Iounrfo    200-79-7127   5587 0856 7634 0139
Pdnme Wntob     095-52-8683   5348 9209 2367 2829
Eskfw Gzhqlv    178-17-8353   4929 4333 0934 4379
Jsfk Tbluhm     525-25-2125   4556 2545 6223 1830
Clear data:
Name            SSN           Credit Card #
James Potter    385-12-1199   3712 4567 8901 1001
Ryan Johnson    857-64-4190   5587 0806 2212 0139
Carrie Young    761-58-6733   5348 9261 0695 2829
Brent Warner    604-41-6687   4929 4358 7398 4379
Anna Berman     416-03-4226   4556 2525 1285 1830
Voltage SecureData Sentry
Addresses CISO Concerns
- Accelerates Time-to-Value (High ROI)
- Simplifies Deployment (Non-Disruptive)
- Lowers Cost of Compliance (Transparent)
- Centralizes Control (Comprehensive)
What is Voltage SecureData Sentry?
- Data privacy & security compliance & risk reduction
- Secure analytics, privacy and pseudonymization
- Hybrid cloud data protection & collaboration
Voltage SecureData: Enterprise, Big Data, Cloud, Mobile and Payments data security (tokenization, encryption, masking)
+
Voltage SecureData Sentry: Transparent Integration for Cloud SaaS, Enterprise and COTS apps
SecureData Sentry – Data Security for the Cloud
Diagram labels: ALM/QC; ALM Octane; Salesforce; Microsoft Dynamics CRM; Voltage SecureData Sentry
Format-Preserving example: Phone Number +49 (162) 4297109 becomes +49 (162) 8753109
Demo Example: Salesforce
Supported Application Examples
- ALM Octane
- ALM/Quality Center
- Salesforce Classic
- Salesforce Lightning
- Salesforce Health Cloud
- Salesforce Financial Services Cloud
- Office 365
- SugarCRM
- Microsoft Dynamics 365
- Oracle Service Cloud
- SharePoint 2013 and later
- SAP Hybris Cloud4Customer
- ServiceNow
- Symantec Endpoint Protection Cloud
- BMC Remedyforce
- Nimonik
- Fortinet Analyzer
- And many, many more…
Voltage SecureData Sentry Technologies
Multi-Channel Protection
Protocols and APIs:
- HTTP / HTTPS
- SMTP
- ICAP / ICAP-S
- REST
- SOAP
- JDBC
- ODBC
- custom and binary protocols
Content:
- HTML
- HTML5
- XML
- JSON
- DOCX
- GZIP
- XLSX
- CSV
Protection Mechanisms:
- Format Preserving Encryption (FPE)
- Format Preserving Hashing (FPH)
- Secure Stateless Tokenization (SST)
- Identity Based Signature/Encryption (AES)
- ...
Additional Features:
- Escaping, e.g. °¿1°kHy7h¿°
Key Management:
- Stateless Key Management
Integration with the Voltage SecureData Simple API
Diagram labels: Web Form; Web Application (Java / Linux); Databases; Logs, Reports, and Backups; Customer Service Application (Windows .NET); Key Servers; Management Console; Atalla HSMs
- ssnfpe.protect(SSN): SSN: 022-37-2773 becomes SSN: 734-81-9292
- ssnfpe.access(SSNe): SSN: 734-81-9292 becomes SSN: 022-37-2773
Data Protection Alternate Approach with Voltage SecureData Sentry
Diagram labels: the same components and values as on the previous slide, plus SecureData Sentry
Data Protection Approaches with Voltage SecureData Sentry and Direct Integration
Diagram labels: Web UI; Web Application; Web Service Layer; Database; HTTP; REST; JDBC
Numbered integration points:
- 1: SecureData Sentry
- 2: SecureData Sentry
- 3: SecureData Sentry
- 4: SecureData REST API (REST)
- 5: SecureData Simple API, UDF
Use Case: Global Financial Services Company
Business Need
- Moving to cloud delivery of business as SaaS
- 40+ Sensitive data types, 100M customers, 3rd Party mandate for data security
Solution
- Voltage SecureData to encrypt and tokenize sensitive data in AWS, Azure
- Protect personal, location, mobile device and event data
- On-premise policy enforcement, security operations, audit and key management
Business Outcomes
- Unified architecture for streamlined compliance and risk control
- Met 3rd party data protection mandates and audits – in weeks
- Minimized sensitive data exposure in AWS and Azure
- Enabled differentiated services with data security
Use case example: Global credit card processor
PCI DSS non-compliant ticket handling
Diagram labels: Merchant; Customer; Payment Processor Employee; Microsoft Dynamics CRM
- At the merchant: Name: James Potter, CCN: 4171 5678 8765 4321, 404 Transaction denied
- Ticket form at https:\\paymentservice.com/ticket: "Welcome to Payment Services. To open a case please enter the following:" Name: James Potter, CCN: 4171 5678 8765 4321, Describe your experience: “The transaction failed for an unknown reason.”
- Ticket values shown downstream (twice, unchanged): Name: James Potter, CCN: 4171 5678 8765 4321, Describe your experience: “The transaction failed for an unknown reason.”
Use case example: Global credit card processor
PCI DSS compliant ticket handling
Diagram labels: Merchant; Customer; SecureData Sentry; Payment Processor Employee; Microsoft Dynamics CRM
- At the merchant and in the ticket form: the same clear values as above
- Ticket values shown downstream of SecureData Sentry:
  - Name: Kwfdv Cqvzgk, CCN: 8B60 3TAZ UYTZ R62P, Describe your experience: “biy NKibxaWSjnC 0y93HR 9xD Gi yIRKaqy 7KNU1a.”
  - Name: James Potter, CCN: 8B60 3TAZ UYTZ 4321, Describe your experience: “The transaction failed for an unknown reason.”
SecureData Sentry high-level architecture
- Discoverable content: HTML, XML, JSON, PDF, CSV, DOCX, XLSX, GZIP
- Voltage cryptography: FPE, SST, FPH, AES (IBSE), stateless key management
Two Modes of Operation:
- Discovery (Learning Mode) – Create and deploy “Protection Modules” to the engines
- Protection – Applies rules to the live traffic for enforcement
Diagram labels: App 1; App 2; SecureData Sentry (Web Proxy; Database; API); SecureData; SecureData + Sentry Management Console; Cloud/SaaS Apps (Microsoft Dynamics CRM); COTS and Enterprise; Databases
Protocols on the diagram: HTTP/S, REST, SOAP, SMTP; REST; JDBC, ODBC
Example values on the diagram:
- Name: James Potter CCN: 4171 5678 8765 4321
- Name: James Potter CCN: 8B60 3TAZ UYTZ 4321
- Name: Kwfdv Cqvzgk CCN: 8B60 3TAZ UYTZ R62P Describe your experience: “biy NKibxaWSjnC 0y93HR 9xD Gi yIRKaqy 7KNU1a.”
Voltage SecureData Sentry: Flows and Modes
Diagram labels (without Sentry): Web Proxy; Native xDBC Driver; Wire Protocol; HTTP/S; xDBC; REST/SOAP
Example values: Name: Smith SSN: 123-11-1123 (shown unchanged at each point)
Voltage SecureData Sentry: Flows and Modes
Diagram labels (with Sentry): Web Proxy; ICAP/S; Sentry xDBC Driver; Native xDBC Driver; SQL Wire Protocol; HTTP/S; xDBC; Voltage SecureData Sentry; Sentry Engine (Stream Content Parsing); Sentry Management Console; Voltage SecureData Key & Web Servers (REST/SOAP, Simple API / REST); Proprietary Protocol
Example values:
- Name: Smith SSN: 123-11-1123
- Name: Mzigd SSN: 093-34-3945
- Name: °¿1°Mzigd¿° SSN: °¿1°093-34-3945¿°
Protection Mode
- Data Access & Protection
- Protection Modules: Salesforce, <App X>, <App Y>
- Target Variables
- Deployment Plans: <App X>, <App Y>, Salesforce
Inspection Mode
- Data Discovery + Developer Mode
- Application Profile, Discovery Template, Protection Template, Inspection, Protection Module, Variables & Expressions
- Configure Protection
Voltage SecureData Sentry: Deployment Options
POC Setup
- Squid Proxy is used
- Proxy is configured directly in the browser (port 3128)
Diagram labels: Linux Server / VM (Voltage SecureData Sentry Engine, Squid Proxy); ICAP/-S; Linux Virtual Appliance (Voltage SecureData Server); ServiceNow
Example values:
- Name: Smith SSN: 123-11-1123
- Name: °¿1°Mzigd¿° Ticket: #1 Prob
- Name: °¿2°cPaj¿° Ticket: #2 Prob
- Name: °¿3°Ofa3¿° Ticket: #3 Prob
Voltage SecureData Sentry: Deployment Options
Corporate Proxy
- Only corporate proxy is used
- Use of ICAP protocol
- No changes to end user browsers
- Corporate proxy can perform:
  - request filtering
  - authentication handling
- Corporate proxy might not be able to forward user information:
  - IP of workstation
  - userid
Diagram labels: Corporate Proxy; ICAP/-S; Linux Server / VM (Voltage SecureData Sentry Engine); Linux Virtual Appliance (Voltage SecureData Server); ServiceNow
Example values:
- Name: Smith SSN: 123-11-1123
- Name: °¿1°Mzigd¿° Ticket: #1 Prob
- Name: °¿2°cPaj¿° Ticket: #2 Prob
- Name: °¿3°Ofa3¿° Ticket: #3 Prob
Voltage SecureData Sentry: Deployment Options
Proxy Chaining
- Corporate proxy may not support ICAP protocol
- Corporate proxy is forwarding requests to Squid
- No changes to end user browsers
- Corporate proxy can perform:
  - request filtering
  - authentication handling
- Corporate proxy might not be able to forward user information:
  - IP of workstation
  - userid
Diagram labels: Corporate Proxy; Linux Server / VM (Voltage SecureData Sentry Engine, Squid Proxy); Linux Virtual Appliance (Voltage SecureData Server); ServiceNow
Example values:
- Name: Smith SSN: 123-11-1123
- Name: °¿1°Mzigd¿° Ticket: #1 Prob
- Name: °¿2°cPaj¿° Ticket: #2 Prob
- Name: °¿3°Ofa3¿° Ticket: #3 Prob
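An added example, not taken from the presentation or from Micro Focus documentation: a squid.conf fragment for the POC Setup and Proxy Chaining layouts above, showing how Squid hands traffic to an ICAP service and what the "forward user information" caveat means in configuration terms. The host name, the address 192.0.2.10, the service names and the ICAP paths are placeholders; 1344 is the standard ICAP port.

```conf
# squid.conf fragment (added example; names, addresses and ICAP paths
# are placeholders, not Sentry defaults)

# Port the browser (POC setup) or the corporate proxy (chaining) connects to.
http_port 3128

# Proxy chaining: accept X-Forwarded-For only from the upstream corporate
# proxy, so the workstation address rather than the proxy address is treated
# as the client. This works only if the corporate proxy adds that header.
acl corp_proxy src 192.0.2.10/32
follow_x_forwarded_for allow corp_proxy
follow_x_forwarded_for deny all

icap_enable on

# bypass=off makes the adaptation step mandatory: if the ICAP service is
# unreachable, the request fails instead of being forwarded unprotected.
# With bypass=on Squid would pass clear data through to the SaaS application
# whenever the engine is down.
icap_service sentry_req reqmod_precache icap://sentry.example.internal:1344/reqmod bypass=off
icap_service sentry_resp respmod_precache icap://sentry.example.internal:1344/respmod bypass=off

# Send every request and response through the ICAP services.
adaptation_access sentry_req allow all
adaptation_access sentry_resp allow all

# Pass user context to the ICAP service (X-Client-IP, X-Client-Username).
# The username is only available if Squid itself authenticates the user.
adaptation_send_client_ip on
adaptation_send_username on
# Use the address recovered from X-Forwarded-For for X-Client-IP.
adaptation_uses_indirect_client on
```

For HTTPS applications Squid sees only CONNECT tunnels unless TLS interception is configured, which this fragment does not cover.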
Thank You.