Encryption Solutions
Table of Contents
Executive Summary
Centralized vs. Distributed Key Storage
Distributed Key Storage and Software-based Encryption
Centralized Key Storage with SafeNet DataSecure Platforms
Administration and Access Control
Implementation Options
Scalability and Performance
Cost of Ownership
About SafeNet

Executive Summary
Today, many organizations are evaluating or implementing solutions for encrypting data at rest, both as a means to combat data theft and to ensure compliance with a range of legislative and industry mandates. For encryption to adequately and cost-effectively address security gaps, organizations must manage their implementation in a way that is best suited to their specific infrastructure and security policies. One of the key decisions confronting organizations considering data-at-rest encryption is whether to deploy software-based products or hardware-based solutions such as SafeNet™ DataSecure™ Platforms. This document outlines the main differences between the two alternatives, offering information on such criteria as security, performance, and manageability.

Centralized vs. Distributed Key Storage

Distributed Key Storage and Software-based Encryption
Software-based encryption solutions use a distributed key storage mechanism: keys are stored on the application and database servers on which the data to be encrypted resides.

In the simplest case, where only one database server exists, key management is relatively simple. However, in an enterprise environment, where the number of application and database servers often runs into the hundreds, it becomes increasingly difficult to manage the cryptographic keys residing on these servers. As the complexity of key management grows, so does the risk that a key is never backed up, or is lost outright.

When organizations use software-based approaches to encrypt data that is stored on back-end servers and databases, the cryptographic keys are distributed in a decentralized fashion. This creates security exposure because database and application servers are often configured incorrectly and not kept up to date with the latest security patches, making them easy prey for attackers outside the organization, and they are reachable by internal staff who have no legitimate need for access to key material. When cryptographic keys are stored on such platforms, an attacker who compromises the host can obtain them very quickly, because they are often stored on disk in plaintext. And the more keys that accumulate on servers, the easier it becomes to locate and misuse them.
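The concern above, that keys on ordinary servers sit in readable plaintext, is something a practitioner can check for directly. The Go program below is an added example, not code from the original document or from SafeNet: it scans a constructed configuration file for key-like settings whose values look like long base64 or hex tokens, and uses a Shannon-entropy threshold (assumed here to be 3.0 bits per character) to separate real key material from repeated placeholder values. The setting names, values and threshold are all assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding records a configuration setting that appears to hold plaintext key
// material. The value itself is deliberately not stored, so scan output does
// not become another copy of the key.
type Finding struct {
	Line    int
	Name    string
	Entropy float64
}

// keyLine matches "name = value" / "name: value" where the name suggests key
// material and the value is a 32+ character base64 or hex token.
var keyLine = regexp.MustCompile(
	`(?i)^\s*([A-Za-z0-9_.-]*(?:key|secret|passw(?:or)?d|token)[A-Za-z0-9_.-]*)\s*[=:]\s*["']?([A-Za-z0-9+/=]{32,})["']?\s*$`)

// minEntropy (bits per character) is an assumed threshold: real key material
// scores well above it, repeated placeholder values such as "AAAA..." far below.
const minEntropy = 3.0

// shannon returns the Shannon entropy of s in bits per character.
func shannon(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanConfig returns the settings in text that look like stored plaintext keys.
func ScanConfig(text string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if strings.HasPrefix(strings.TrimSpace(line), "#") {
			continue // comment line
		}
		m := keyLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if h := shannon(m[2]); h >= minEntropy {
			out = append(out, Finding{Line: n, Name: m[1], Entropy: h})
		}
	}
	return out
}

// SampleConfig is a constructed file for this example; nothing in it is a real credential.
const SampleConfig = `# constructed sample for this example
db.host = db01.internal
db.password = ChangeMe
encryption.key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
cardholder.key = ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123456789+/=
api_token: 0123456789abcdef0123456789abcdef
`

func main() {
	for _, f := range ScanConfig(SampleConfig) {
		fmt.Printf("line %d: %s looks like plaintext key material (entropy %.2f bits/char)\n",
			f.Line, f.Name, f.Entropy)
	}
}
```

Reporting the setting name and entropy rather than the value keeps key material out of scan logs; the name pattern and the file walk would be extended to match the platforms actually being administered.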
Additionally, when an encryption key is "at rest" on the internal DataSecure disk, it is twice-encrypted for added security using several internal SafeNet keys designed for this purpose. Customers can also choose a DataSecure Platform containing a FIPS 140-2 Level 3-compliant hardware security module. Level 3 adds the physical security requirements that U.S. government deployments call for, such as tamper-evident enclosures and tamper response that zeroizes key material if the module is opened, so the key storage itself is highly tamper resistant.
Access to SafeNet platforms is restricted to SafeNet utilities and commands designed to manage and maintain the SafeNet appliance. The DataSecure appliance has been hardened: the TCP listeners and services typically found on application or database servers do not exist on it. Consequently, there is no general-purpose login, file-transfer, or database service through which an attacker could search the appliance for keys the way they could on an ordinary server.
For added security, the platform can be configured so that individual administrators are granted access only to the areas for which they are responsible. DataSecure offers over 20 access control lists (ACLs), which provide granular control over administrative functions. For example, one administrator might be given access only to network configuration functions, while another might be given access only to certificate management controls. This level of granular access control enables customers to restrict and closely monitor administrative operations. All actions performed by users and administrators are logged for reporting purposes.
Implementation Options
Software-based encryption solutions generally provide one implementation option: deploying encryption at the database layer. While this alternative may make sense for certain organizations, many enterprises need to encrypt elsewhere, whether for infrastructure reasons or to meet security objectives. With SafeNet, organizations can implement encryption at multiple tiers within the infrastructure, and a single appliance can be integrated with a number of Web servers, application servers, and databases. This affords enterprises a great deal of flexibility to adapt encryption to their specific performance, implementation, and security requirements. For example, an organization may choose to permit an application server that resides in a relatively open, insecure portion of the network to issue only encrypt requests, while a database residing in a more secure location would be able to make decryption calls as well. A compromise of the exposed tier then yields no ability to decrypt.
On the other hand, the SafeNet solution offloads all cryptographic operations to the DataSecure server. This removes practically all additional load from the customer's servers and permits DataSecure to scale horizontally: the customer can add as many SafeNet cryptographic servers as required by inserting another SafeNet appliance into the cluster. Performance can be increased as needed and the customer can scale their database encryption as their organization
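The per-tier permission model described under Implementation Options (an exposed application server allowed only to encrypt, a database tier allowed to decrypt), together with the point above that cryptographic operations run on the appliance rather than on the customer's servers, can be demonstrated in a few dozen lines. The Go program below is an added example, not SafeNet's code and not a description of the DataSecure API: it models a central key server holding AES-256-GCM keys that never leave it, with a per-client, per-key permission list enforced before any operation is performed. The client identifiers (app-dmz, db-core), the key name and the sample record are constructed for illustration; the network transport and client authentication a real appliance would use are out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Operation is a cryptographic request type a client may be permitted to make.
type Operation string

const (
	OpEncrypt Operation = "encrypt"
	OpDecrypt Operation = "decrypt"
)

// ErrDenied is returned when policy forbids the request; the key is never touched.
var ErrDenied = errors.New("operation not permitted for client")

// KeyServer models the central appliance: raw keys exist only inside it, and
// clients receive ciphertext or plaintext, never key bytes.
type KeyServer struct {
	keys   map[string][]byte                  // key name -> raw AES-256 key
	policy map[string]map[string][]Operation // client ID -> key name -> allowed ops
}

func NewKeyServer() *KeyServer {
	return &KeyServer{keys: map[string][]byte{}, policy: map[string]map[string][]Operation{}}
}

// CreateKey generates a fresh 256-bit key under the given name.
func (s *KeyServer) CreateKey(name string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	s.keys[name] = k
	return nil
}

// Grant permits a client to perform the listed operations with one key.
func (s *KeyServer) Grant(client, keyName string, ops ...Operation) {
	if s.policy[client] == nil {
		s.policy[client] = map[string][]Operation{}
	}
	s.policy[client][keyName] = append(s.policy[client][keyName], ops...)
}

func (s *KeyServer) allowed(client, keyName string, op Operation) bool {
	for _, o := range s.policy[client][keyName] {
		if o == op {
			return true
		}
	}
	return false
}

// aeadFor enforces policy first, then builds the AES-GCM primitive for the key.
func (s *KeyServer) aeadFor(client, keyName string, op Operation) (cipher.AEAD, error) {
	if !s.allowed(client, keyName, op) {
		return nil, fmt.Errorf("%w: client %q, key %q, op %s", ErrDenied, client, keyName, op)
	}
	k, ok := s.keys[keyName]
	if !ok {
		return nil, fmt.Errorf("no such key %q", keyName)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag. The key name is bound in as
// associated data, so a blob cannot be presented under a different key label.
func (s *KeyServer) Encrypt(client, keyName string, plaintext []byte) ([]byte, error) {
	aead, err := s.aeadFor(client, keyName, OpEncrypt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(keyName)), nil
}

// Decrypt checks policy, splits off the nonce, and rejects any tampered blob.
func (s *KeyServer) Decrypt(client, keyName string, blob []byte) ([]byte, error) {
	aead, err := s.aeadFor(client, keyName, OpDecrypt)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(keyName))
}

func main() {
	s := NewKeyServer()
	if err := s.CreateKey("cardholder-data"); err != nil {
		panic(err)
	}
	s.Grant("app-dmz", "cardholder-data", OpEncrypt)            // exposed tier: encrypt only
	s.Grant("db-core", "cardholder-data", OpEncrypt, OpDecrypt) // protected tier: both
	blob, err := s.Encrypt("app-dmz", "cardholder-data", []byte("4111111111111111")) // constructed sample
	if err != nil {
		panic(err)
	}
	_, err = s.Decrypt("app-dmz", "cardholder-data", blob)
	fmt.Println("app-dmz decrypt:", err) // denied by policy
	pt, err := s.Decrypt("db-core", "cardholder-data", blob)
	fmt.Println("db-core decrypt:", string(pt), err)
}
```

The policy check runs before the key is even looked up, so a client that is not granted an operation learns nothing about which keys exist, and the AEAD tag means a blob altered in transit or at rest is rejected rather than silently decrypting to garbage.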
Cost of Ownership
As illustrated above, it is far more complex to manage keys, users, and security policies with a software-based encryption solution than with a centralized hardware offering. This complexity grows as software-based cryptographic solutions are deployed across a large number of application and database servers, and the problem is magnified in an enterprise environment, where architectures are typically composed of hundreds of applications and many databases.

Although software-based encryption solutions typically require a smaller initial investment than a hardware-based solution, the IT cost of deploying and administering them in complex enterprise environments often makes their long-term cost prohibitive.
About SafeNet
In 2007, SafeNet was acquired by Vector Capital, a $2 billion private equity firm specializing in the
technology sector. Vector Capital acquired Aladdin in March of 2009, and placed it under
common management with SafeNet. Together, these leading global companies form the third largest information security company in the world, bringing to market the integrated solutions required to solve customers' increasing security challenges. SafeNet's encryption technology
solutions protect communications, intellectual property and digital identities for enterprises and
government organizations. Aladdin’s software protection, licensing and authentication solutions
protect companies’ information assets and employees from piracy and fraud. Together, SafeNet
and Aladdin have more than 50 years of security expertise in more than 100 countries around
the world. Aladdin is expected to be fully integrated into SafeNet in the future. For more
information, visit www.safenet-inc.com or www.aladdin.com.
SafeNet
Corporate Headquarters
www.safenet-inc.com
©2009 SafeNet, Inc. All rights reserved. SafeNet and the SafeNet logo are registered trademarks of SafeNet, Inc. All
other product names are trademarks of their respective owners.