NonStop Technical Boot Camp
Atalla Security Products Update
Susan Langford, PhD and HP Distinguished Technologist
Steve Wierenga, CT and HP Distinguished Technologist
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Agenda
• Atalla Update - Steve
• NSP/SCA - Susan
• ESKM - Steve
• Q & A - Both

Forward-looking statements
This is a rolling (up to three year) roadmap and is subject to change without notice. This document contains forward-looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Hewlett-Packard's predictions and/or expectations as of the date of this document, and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.

Atalla HQ: Labs, Eng, QA, Operations, Support
HP Moffett Towers Bldg G, 1160 Enterprise Way, Sunnyvale, California
(Photo: Solar Impulse)
About Atalla
Startup 1972 → Tandem 1987 → HP 2002 → Enterprise Security Products 2012
• Trusted security partner in the Financial Services industry
• Customers are the largest financial institutions and retailers worldwide
• 35 years of experience in data protection, key management and cryptographic performance
• 250 million card transactions protected daily by Atalla
• Technology leader in Host Security Modules and banking standards
• Leading HSM vendor serving the Americas and APJ card payments markets
• Banks, payments processors, retailers, oil and gas firms, and more…
• Solutions that support the highest government and industry standards
• ATM, POS, and EFT payments applications and transactions (ANSI X9F, FIPS, PCI-DSS, PTS-HSM)
• Serve/protect/manage encryption keys for a broad range of encryption devices/solutions

HP Solutions for the New Style of IT
(Diagram of the HP portfolio: Services (Advise, Transform, Manage); Printers & Personal Systems (Printers, PCs, Tablets); Converged Infrastructure (Servers, Storage, Networking); HP Software (IT Analytics, Management, Security); themes: Cloud, Mobility, Big Data, Finance)

Security Trends driving security investments
1. A new market adversary: the nature and motivation of attacks has shifted from fame to fortune. Attack stages: Research, Infiltration, Discovery, Capture, Exfiltration.
2. Big shifts: transformation of enterprise IT (delivery and consumption changes). Cloud, Big Data, Mobile.
3. Policies and regulations: regulatory pressures (increasing cost and complexity). Basel III.

HP Enterprise Security Products: Focus areas
• Active Intelligence: use Big Data intelligence for actionable security (HP ArcSight)
• Application Defense: secure and monitor Mobile/Cloud applications on-demand (HP Fortify)
• Next Gen. Network Security: secure next generation virtual and physical networks (HP TippingPoint)
• Information Security: secure mission critical transactions and storage (HP Atalla)
(Diagram labels: Virtual and Physical Data Center, Application modernization, Networking/SDN, Critical Business Systems)

Building security capabilities with HP
The adversary ecosystem: Research → Infiltration → Discovery → Capture → Exfiltration (their ecosystem acting on our enterprise)
Disrupting the adversary ecosystem:
• Research: educate users / use counter intelligence
• Infiltration: stop adversary access
• Discovery: find and remove the adversary
• Capture: secure the important asset
• Exfiltration: plan to mitigate damage

What does Atalla do? Product lines
• Payments Security: Network Security Processor "NSP"
• Cryptographic Key Management: Enterprise Secure Key Manager "ESKM"

NonStop Technical Boot Camp
Atalla NSP Update
Susan Langford, PhD, HP Distinguished Technologist

Payments Security: Atalla Network Security Processors
HP Atalla Ax160 NSP Products
Hardware Security Module (HSM): a highly secure cryptographic processor. Functionality is aimed at financial payments:
• ATM/EFT/POS
• Credit cards and EMV
• Stored value, loyalty cards and funds transfer
May be of use for other high-security applications.
Hardware:
• State-of-the-art, 2U rack-mountable form factor
• Locking bezel with two Medeco locks
• Auto-sensing 10/100/1000 Base-T Ethernet TCP/IP
• Dual power supply
• Active zeroization

Atalla NSPs: Hardware Appliance + Firmware Image
• A10160: high end, 1080 PIN translates/second
• A9160: mid range, 200 PIN translates/second
• A8160: entry level, 66 PIN translates/second
Basic Software
• Included in module price
• Different key management techniques
 – AKB (more secure): A1.30
 – Variant (legacy key management): V1.30
Enhanced Software
• Additional charge, sold separately
• More features
 – AKB: A2.10
 – Variant: V2.10
• Uses newer, stronger smartcards

Introducing SCA-3 – the "new SCA"
• SCA-2: AJ543A
• SCA-3: C8Z35AA

NSP/SCA/smartcard compatibility
SCA-3 is fully backwards compatible. NSP Enhanced Software requires new smartcards.

                                        SCA-2  SCA-3  Standard smartcards  Enhanced smartcards
Ax150 (support only)                    Yes    Yes    Yes                  No
Ax160 Appliance (Std Software)          Yes    Yes    Yes                  No
Ax160 Enhanced Software package         No     Yes    No                   Yes
Standard Smartcards (still available)   Yes    Yes
New Enhanced Smartcards                 No     Yes

The NSP Enhanced Software requires an Ax160 model appliance, an SCA-3, and enhanced smartcards to enable this software.

NSP Enhanced Software: New Features
Functionality
• PIN & component printing
• Multiple MFKs
• RSA commands (ARKEY) included
• EMV RSA signatures supported
Usability
• Remote reboot
• Remote management of USB files
• Performance monitoring
• Set clock
Security
• SCA uses longer key sizes & new smart cards
• SSL/TLS channel from host to NSP
• "Whitelist" of host IP addresses
• PCI-HSM mode
• Share data now split so that configuration is on the USB drive
Moving forward – making managing your HSMs easier

NSP Enhanced Software Features
PIN and key component printing – Provides the ability for the host application to print customer PIN letters and key component forms.
• For security purposes, the printer is connected to the second NIC on the Network Security Processor
• The host application must send the print commands to a separate command port
• Commands are turned on for a finite time & number of calls
Multiple MFKs – Provides the ability to support a maximum of 10 separate (low transaction volume) institutions within one physical NSP.
• A10160 only
• Optional feature
• Separate MFK, security policies & security admins
This feature also eliminates the requirement to utilize multiple Network Security Processors when changing the Master File Key.

Monitoring your NSP
Automated crypto health checks
• A complete set of cryptographic tests is performed automatically at power on.
• Daily self test: specify a time of day when cryptographic self-tests are to be performed.
NSP CPU performance monitoring: useful information for capacity planning.
• Determine what percentage of the Network Security Processor is in use.
• Command usage statistics are provided:
 – PIN verification failures
 – Sanity check failures
 – CVV/CVC/CSC failures
 – MAC verification failures
 – Number of times an enabled command has been processed by the Network Security Processor

Managing your NSP
Enhanced remote manageability – Security administrators are no longer required to travel to a remote datacenter to update the configuration or software version running in the Network Security Processor.
• Remotely manage files on the USB flash memory device
• Stop and restart the Network Security Processor
Secure clock adjustment – Provides the ability to set the Network Security Processor's system clock.
• This ensures that all system and security audit logs contain accurate timestamps in local time, not universal coordinated time.
• Secure dual control operation

Upgraded SCA/smartcard crypto & protocol
Goal: improve security as transparently as possible
What you see
• New smartcards required
• Installation of the certificate (for now)
• 2 people required to enroll an NSP in an association
• No share recovery card
What you don't
• RSA 2048-bit instead of 1024
• AES-256 instead of 2-key 3DES
• CMAC instead of CBC-MAC
• Random IV instead of all zeros for CBC
• RSA keys generated within the smart card
• NIST SP800-56C and SP800-108 key derivation instead of variants & ad hoc techniques
• NIST SP800-56B bilateral RSA key agreement instead of PKCS#1 v1.5
SSL/TLS – certificate authority
We only support acting as our own CA.
First NSP
• Generates its own CA key
• Generates a server key
• Signs the server key with the CA key
• User must manually accept the CA key on the host side
Other NSPs
• User does not want to manually accept every NSP individually
• CA key is stored encrypted under the MFK on the USB
• Copy the encrypted CA key to each NSP to have the same CA in all

Additional SSL Points
• SSL v3 and TLS only
• Cipher selection: we only support RSA for public key; we only support AES and 3DES for symmetric
• No client certificates; a list of allowed IP addresses was added instead
• Limited configuration choices

Shares
Share data is now stored on the USB.
Shares are generated by encrypting data with a random key, then creating shares of that random key.
• Key has been updated to AES-256
• Shares stored on shareholder smartcards (1 share per card)
Encrypted data (MFK, PMFK, config data, etc.) stored on USB:
• Data is encrypted & MACed
• Needed room for multiple MFKs
• Lets the data keep the current configuration
• Saves the last configuration, but only one back
• No share recovery card
NSP PCI-HSM Mode
Need to be directly attached for SCA when using RSA, but not for AES
• Direct attach for enrollment or share card operations
• Other security administrator actions can be remote
• Not allowed to derive AES-256 keys from an RSA-2048 exchange
• We stuck with AES-256 for consistency & simplicity
No keys can be shared between PCI-HSM mode & normal operation
• Must be in factory state
• This affects shares & associations
Has not been re-validated yet; may be OK with a change letter
• Changes: SCA, shares, and the fact that this is now a mode instead of a build
• Commands are now forced off – AES, 75
• RSA key sizes above the MFK strength are not allowed (2-key = 1024, 3-key = 2048)

Thank you

NonStop Technical Boot Camp
Enterprise Key Management Update
Steve Wierenga, Atalla CT, HP Distinguished Technologist

Information Security: HP Enterprise Secure Key Manager

Enterprise Secure Key Manager (ESKM)
Protecting Sensitive Enterprise Data with Cryptographic Key Management
Encryption Keys → separate! → Encrypted Data: secure the important asset
Customer ROI – reduce costs and risks of:
• Admin overhead and human error
• Audit/compliance failures or sanctions
• Data loss and business interruptions
• Media sanitization/disposal services
Data protected: Payment Card Holder Data, Electronic Healthcare Records, National Security/Defense, Intellectual Property, Non-Public Business Records, Employee Personal Records, Customer Personal Information, Service Provider Client Data
Where it lives: Tape, Disk Array, Storage Networks, Server Storage, HP Cloud, NonStop

Why is Key Management important?
Encryption is simple, but Key Management is not – keys are the "little secrets" which protect the "big secrets". Lose the key → lose your data! Is data protected just by encrypting it? (No!)

Event or Threat                              Risk and Impact
Exposing keys or unauthorized access         Revealing protected data, noncompliance
Loss of authorized access to keys            Loss of data access, business interruption
Loss or accidental destruction of keys       Lose the keys, data loss, business failure
Failure to control/monitor/log access        Audit failures, increased liability

Keys must be securely preserved, protected, and accessible for the life of the data. Key Management is a business-critical IT security control and operational service.

Unifying Data Protection: HP's Enterprise Key Management Vision
• Protect sensitive data wherever it lives: disk, tape, SAN, devices; cloud, service providers; database, applications
• Generate and manage encryption keys securely: scalable, reliable, high availability
• Meet standards and audit/compliance: FIPS 140-2 Level 2; PCI-DSS, data privacy; HIPAA/HITECH
HP Key Management
HP Enterprise Secure Key Manager (ESKM)
Secure appliance
• Generates and serves AES and other key types
• All hardware/software is included, pre-installed
• FIPS 140-2 Level 2 validated cryptographic module
• Keys are always encrypted at rest and in motion
• SSL with mutual certificate authentication
• Local Certificate Authority
High availability
• Native symmetric clustering, 2-8 nodes
• Automatic replication, retry, and client failover
• Capable of bare-metal restore disaster recovery
• Mirrored disk, redundant power and cooling

What's inside ESKM: Ports and Services
(Diagram of the appliance's services and the ports each external party connects to. Inside: GUI Admin Server, CLI Admin Server, KMS Server, Cluster Sync, Health Check Server, FIPS Status Server, ESKM local CA, LDAP client, NTP client, SNMP agent, and the key DB holding keys, metadata, users and policies. Servers marked "cert" present an SSL certificate.)
• Security administrators: serial port; SSH (22) to the CLI Admin Server; GUI Admin Server on 9443 (cert)
• ESKM clients/users: KMS Server on 9000 (SSL, cert); Health Check Server on 9080; FIPS Status Server on 9081
• Cluster Sync between ESKM nodes: 9001 (SSL, cert)
• LDAP server: LDAP client on 389/636
• NTP server: NTP client on 123
• Backup server: FTP, SFTP, SSH/SCP on 20, 21, 22
• Monitoring: Syslog server / HP ArcSight/SIEM on 514; SNMP agent to NMS on 161
ESKM Reliability, Availability, Recovery
(Diagram: ESKM Cluster)
ESKM offers multiple layers of protection and recovery for business-critical encryption keys:
• Reliable hardware: >2M hours, no failures
• Reliable software: >2M hours, no loss of keys or data
• Mirrored disks; redundant fans, power supplies, and AC power
• Easy software patch/release installation with fallback option
• High availability symmetric clusters of 2 – 8 or more ESKM nodes
• Automatic continuous replication of keys, metadata, policies to all nodes
• Clients can verify keys have been replicated before using them
• Automatic client round-robin and failover to all available ESKM cluster nodes
• Multi-site geographically distributed clusters; client failover may be defined in tiers
• Backup/restore capability to/from internal, external, and offline storage media
• An ESKM node can be fully restored to a new unit by cluster synchronization or from a backup

HP on HP: ESKM is HP's unified Key Management solution for Data Security
ESKM Interoperability (also: free ESKM client SDK, developer and test support)
• HP Storage Enterprise Tape Library encryption with LTO-4, LTO-5, LTO-6 drives
• HP Storage B-series SAN Encryption Switch and Blade models
• HP NonStop Volume Level Encryption: disk and tape encryption for NonStop VLE customers
• HP NonStop security partners (ETI-Net BACKBOX)
• HP ES hosted Backup/Restore (BUR) service
• HP IT Backup/Restore (internal)
• HP public Cloud Services
• And more coming in 2014…
Extending ESKM interoperability across HP Storage and Server encryption solutions
HP Tape Encryption: StoreEver ESL G3 Library
• Large enterprise tape library
• Scales to 96 tape drives, 7000 tape cartridges
• LTO-4/5/6 tape drive embedded encryption
• AES-256 GCM mode, unique key per tape
• Fully integrated with ESKM

HP Tape Encryption: New StoreEver MSL6480 Library
• Mid-enterprise LTO tape library
• New, introduced June 2013
• Scales to 6 tape drives, 80 cartridges per 6U unit
• Expands to 42 tape drives, 560 cartridges per 42U rack
• LTO-4/5/6 tape drive embedded encryption
• AES-256 GCM mode, unique key per tape
• Now integrated with ESKM; firmware release Sept. 2013

HP SAN encryption: B-Series Encryption SAN Switch and Blade
• Enterprise Storage Area Network encryption
• Fibre Channel fabric disk/tape encryption
• High performance fabric-based encryption
• Scales non-disruptively from 48 to 96 Gbit/sec
• Standard AES-256 encryption for disk and tape with a single platform
• Fully integrated with HP ESKM

HP NonStop Servers: NonStop Volume Level Encryption (VLE)
• High availability multiprocessor server
• Integrated CLIM fault-tolerant I/O subsystem
• Data-at-rest encryption for disk and tape
• AES-256 (CBC or XTS), unique key per physical disk
• CLIM online disk encryption and key rotation
• CLIM delivers keys for attached LTO tape encryption
• Fully integrated with HP ESKM; CLIM auto-enrollment via NSC
HP NonStop with ETI-Net BackBox
Encryption for BACKBOX® Virtual Tape Controller
• Encryption for virtual tape volumes
• Protects data both at rest and in flight to disk
• Transparently emulates LTO encrypted tape
• Unique key per virtual tape volume media ID
• Works with or without NonStop VLE
 – VLE: on mount, VLE retrieves the key from ESKM
 – Non-VLE: on mount, BackBox retrieves the key from ESKM
• AES-256 GCM, same as LTO tape
• Fully integrated with HP ESKM
HP Enterprise Secure Key Manager cluster
• ESKM cluster can be shared with VLE/CLIMs
• ESKMs can be local, remote, or distributed across sites

HP ProLiant and BladeSystems
HP Secure Encryption: Smart Array Controller based HDD/SSD encryption
• Previewed in the HP Discover 2013 CDA Discovery Zone
• ESKM 3.1 launched June 2013, with live demonstrations and training
• Session presentation at HP Protect, September 2013, Washington DC
• Working with beta customers in Healthcare and Financial Services
• Demo/session at HP Discover EMEA in December
• General availability early 2014
• ESKM 3.1 is available now

What's New in ESKM 3.1?
Announced at HP Discover, June 2013
Supports Big Data deployments
• Now scales to >25,000 clients, millions of keys
Easier to administer and maintain
• Display cluster members and client license ordering information
• Query and view keys by group
• Enhanced SNMP MIB, ArcSight connector
Updated technology and security
• Upgrade available from ESKM 3.0 to 3.1 software
• Crypto meets latest NIST guidance, SP 800-131A key lengths/algorithms
• FIPS 140-2 Level 2 validated: Certificate #1922

HP enterprise data protection solutions
"HP on HP" – internal and external ESKM integrations
• HP Enterprise Services: hosted and client premises tape Backup/Restore; hosted encrypted disk storage
• HP Cloud Services: storage and identity protection for clients/users
• HP IT: datacenter tape Backup/Restore; datacenter encrypted disk storage
Fully integrated with HP ESKM

ESKM deployment best practices
For highest availability and security:
• Always configure 2-node (minimum) ESKM clusters for production environments
• When possible, extend clusters across multiple data centers or geographic sites for even greater disaster tolerance/recovery
• Schedule regular internal, external media, and offsite backups
• Train, enroll, and utilize multiple security officers/administrators
• Avoid human single points of failure!
• HP has no access to customer keys, nor the ability to recover lost customer keys!
• Follow the principle of least privilege for administrator roles
• Always configure ESKM for FIPS mode operation, SSL, and client certificates
• Monitor ESKM logs for unusual activity and retain logs for audit readiness

Thank you

Atalla Contacts
Atalla Orders: 1-800-523-9981 opt#2, [email protected]
Atalla Support: 1-800-500-7858, [email protected]
Web: www.atalla.com, www.hp.com/go/atalla
NSP: Susan Langford, [email protected]
ESKM: Steve Wierenga, [email protected]