Decision Criteria and Analysis for
Hardware-Based Encryption
Sponsored by Thales e-Security
© 2016 The SANS™ Institute – www.sans.org
Today’s Speakers
Eric Cole, PhD, SANS Analyst and Fellow
John Grimm, Senior Director of Security
Strategy, Thales e-Security
Introduction
2016 Global Encryption Trends Study, Ponemon Institute, February 2016
The ratio of cost to benefit has improved, and encryption is now far more common in organizations that rely heavily on Internet- or cloud-connected applications for significant business functions.
HSM
A hardware security module (HSM) is a dedicated, tamper-resistant device that generates, stores and uses cryptographic keys inside its own boundary. Hardware-based encryption hands the cryptographic operations to that device, which offloads the work from the application host and can improve performance. The decisive factor, however, is key protection rather than speed: applications use the keys through the HSM's interface without the keys ever being exposed to the host operating system, so a compromise of the application server does not yield the keys.
Pros and Cons of HSMs
Key Areas to Evaluate When Considering
Hardware-Based Encryption
Because it is unlikely that every application can benefit
enough to justify the additional cost and effort,
organizations should deploy hardware-based solutions
only for applications with sufficiently high requirements
for security and performance.
• Application integration
• Crypto APIs
• Testing and patching
Design Criteria and Analysis: Finding Balance
Every organization that has sensitive data can
gain from hardware-based encryption, but very
few can afford the cost or complexity of applying
it to every system and application.
• Identify all critical data
repositories
• Map key business processes
• Determine servers that
support the processes
• Create a threat map
• Perform a risk assessment
• Prioritize applications
• Verify all risk mitigation
measures
• Do a gap analysis to
determine areas of focus
The Criteria
Measured against these criteria, hardware-based encryption is a good fit for environments in which:
1. Verified encryption is critical.
2. Strong key management and protection are
required.
3. Performance is important.
4. Initial deployment cost is not the ultimate driver.
5. The organization has control over the application
server environment.
Use Case: Digital Cinema
HSMs used for:
–Content encryption
–Digital watermarking
–Strong authentication
WARNING
Many organizations will initially determine that hardware-based encryption is not a viable or feasible solution because of design decisions made when the system was first implemented (typically an application that handles key material directly rather than through a crypto API that an HSM could sit behind).
Challenges in Implementing Hardware-
Based Encryption
2016 Global Encryption Trends Study, Ponemon Institute, February 2016
Analytical Process for Determining Where
to Deploy Hardware-Based Encryption
Where and how are HSMs most
commonly deployed?
• SSL/TLS
• Database encryption
• Application-level encryption
Additional HSM form factors: (pictured on the slide)
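SSL/TLS offload is the first deployment on the list above, and in practice the integration point is the crypto API, not the HSM itself. The Go program below is an added example and is not part of the SANS/Thales deck: an in-memory `hsmSigner` stands in for an HSM-resident key (a real deployment substitutes a PKCS#11 or vendor-supplied `crypto.Signer`), a certificate is issued for it, and a TLS 1.3 handshake is completed over loopback while counting how many signatures the TLS stack requested from the handle. The host name `localhost`, the validity period and the loopback listener are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// hsmSigner stands in for a TLS private key that lives inside an HSM (a constructed stand-in,
// not a real HSM). The scalar sits in an unexported field and the only operation exposed is
// Sign: PKCS#11 wrappers and cloud KMS clients plug into Go's TLS stack the same way.
type hsmSigner struct {
	priv *ecdsa.PrivateKey
	ops  int // signatures produced inside the boundary
}

func (h *hsmSigner) Public() crypto.PublicKey { return &h.priv.PublicKey }

func (h *hsmSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	h.ops++
	return ecdsa.SignASN1(r, h.priv, digest)
}

// newHSMBackedCert generates the key "inside" the HSM and issues a self-signed server certificate
// for it; x509.CreateCertificate and tls.Certificate both take the crypto.Signer, never raw key bytes.
func newHSMBackedCert(host string) (tls.Certificate, *hsmSigner, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	signer := &hsmSigner{priv: priv}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{host},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: signer, Leaf: leaf}, signer, nil
}

// handshakeRoundTrip runs one TLS 1.3 handshake over loopback and returns how many signatures
// the server's HSM handle produced during the handshake itself (the CertificateVerify message).
func handshakeRoundTrip() (int, error) {
	cert, signer, err := newHSMBackedCert("localhost")
	if err != nil {
		return 0, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13})
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	before := signer.ops // the certificate's own signature is not part of the handshake
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		srvErr <- c.(*tls.Conn).Handshake()
	}()
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS13})
	if err != nil {
		return 0, err
	}
	defer client.Close()
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return signer.ops - before, nil
}

func main() {
	n, err := handshakeRoundTrip()
	fmt.Println("CertificateVerify signatures made inside the HSM boundary:", n, "error:", err)
}
```

In production the `hsmSigner` type is swapped for the vendor's or a PKCS#11 library's `crypto.Signer` and nothing else in the TLS configuration changes, which is why the crypto-API integration, not the HSM model, is the deciding criterion. The count of one matches TLS 1.3, where the server signs exactly one CertificateVerify message per full handshake; PSK session resumption does not touch the key at all.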
Emerging Technologies (1 of 3)
Cloud
• With the cloud, the hardware and systems are
owned and controlled by a third party
• Close collaboration with the cloud provider is critical
for hardware-based encryption to work
• Cloud providers are looking for ways to enhance
their customer experience and differentiate
themselves
• Some cloud providers already offer services that integrate hardware-based encryption
Use Case: Key Management in the Cloud
User organization generates
own keys on-premise
Keys securely transferred to
HSMs in the cloud
Keys used by, but not
accessible to, cloud provider
nShield Edge
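The three steps on this slide are a "bring your own key" (BYOK) exchange, and together with the HSM description earlier they come down to one property: the provider's service can use the customer's key but has no operation that returns it. The Go program below is an added example, not code from the deck or from Thales: a `cloudHSM` stand-in publishes an RSA import key, the customer generates its key encryption key (KEK) on-premises and sends it wrapped with RSA-OAEP, the HSM unwraps it behind an opaque handle, and an application then protects a record with a data key it obtains from, and later recovers through, the HSM (envelope encryption, which is also how the database and application-level deployments listed earlier typically work). The OAEP label, handle naming, the sample record and the absence of any export method are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const importLabel = "byok-import-v1" // OAEP label both sides agree on (constructed for this example)

// cloudHSM stands in for the provider-hosted HSM (constructed, not a real HSM). Customer key material
// lives only in the unexported map and no exported method returns it: the provider operates the box
// but has no call that yields key bytes.
type cloudHSM struct {
	importKey *rsa.PrivateKey   // HSM-resident wrapping key; only its public half leaves
	keks      map[string][]byte // handle -> imported AES-256 key encryption key
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal/open are AES-256-GCM with a random 96-bit nonce prefixed to the ciphertext; aad binds context.
func seal(key, plaintext, aad []byte) []byte {
	nonce := randBytes(12)
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Seal(nonce, nonce, plaintext, aad)
}

func open(key, ct, aad []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, ct[:12], ct[12:], aad)
}

func newCloudHSM() *cloudHSM {
	return &cloudHSM{importKey: must(rsa.GenerateKey(rand.Reader, 2048)), keks: map[string][]byte{}}
}

// ImportPublicKey is what the customer fetches before transferring its key.
func (h *cloudHSM) ImportPublicKey() *rsa.PublicKey { return &h.importKey.PublicKey }

// ImportWrappedKey unwraps the customer's KEK inside the boundary and hands back an opaque handle.
func (h *cloudHSM) ImportWrappedKey(wrapped []byte) (string, error) {
	kek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.importKey, wrapped, []byte(importLabel))
	if err != nil {
		return "", err
	}
	if len(kek) != 32 {
		return "", errors.New("imported key must be 256 bits")
	}
	handle := fmt.Sprintf("kek-%d", len(h.keks)+1)
	h.keks[handle] = kek
	return handle, nil
}

// GenerateDataKey returns a fresh DEK for immediate use plus the same DEK wrapped under the handle's
// KEK (envelope encryption); the application persists only the wrapped form next to its ciphertext.
func (h *cloudHSM) GenerateDataKey(handle string) (plainDEK, wrappedDEK []byte, err error) {
	kek, ok := h.keks[handle]
	if !ok {
		return nil, nil, errors.New("unknown key handle")
	}
	plainDEK = randBytes(32)
	return plainDEK, seal(kek, plainDEK, []byte(handle)), nil
}

// UnwrapDataKey is the only way to recover a DEK: present the wrapped blob to the HSM.
func (h *cloudHSM) UnwrapDataKey(handle string, wrappedDEK []byte) ([]byte, error) {
	kek, ok := h.keks[handle]
	if !ok {
		return nil, errors.New("unknown key handle")
	}
	return open(kek, wrappedDEK, []byte(handle))
}

// byokRoundTrip plays the customer, the cloud HSM and the application in turn and returns the record
// after it has been decrypted through the HSM.
func byokRoundTrip(record []byte) ([]byte, error) {
	hsm := newCloudHSM()
	kek := randBytes(32) // generated on-premises; leaves the customer only wrapped under the HSM's public key
	wrappedKEK := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, hsm.ImportPublicKey(), kek, []byte(importLabel)))
	handle := must(hsm.ImportWrappedKey(wrappedKEK))
	dek, wrappedDEK, err := hsm.GenerateDataKey(handle)
	if err != nil {
		return nil, err
	}
	ct := seal(dek, record, nil)
	for i := range dek { dek[i] = 0 } // the plaintext DEK is discarded; only wrappedDEK is stored with ct
	// Later read: nothing stored is usable unless the HSM unwraps the DEK under the customer's KEK.
	return open(must(hsm.UnwrapDataKey(handle, wrappedDEK)), ct, nil)
}
```

Call `byokRoundTrip` from a `main` or a test to exercise the flow. The wrapped DEK carries the handle name as AAD, so a blob wrapped under one customer key cannot be replayed against another handle. Real cloud HSM and KMS services expose this same shape (an import public key, a wrapped-key import call, and generate/unwrap data-key operations); what the example makes visible is that no method on `cloudHSM` returns KEK bytes, so the provider's operators cannot obtain them through the API they administer.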
Emerging Technologies (2 of 3)
Virtualization
• Hardware-based crypto services for virtualized
environments require planning
• A “virtualized HSM” (a software emulation running inside the hypervisor) gives up the physical protections, such as tamper resistance, that justify the hardware in the first place
• Virtual systems that require hardware-based encryption need access to a network-attached HSM, or must share access to a PCI-card HSM installed in the same physical server
Emerging Technologies (3 of 3)
IoT (Internet of Things)
• The IoT typically involves relatively low-end pieces
of hardware that focus on a single task, with an
emphasis on low power consumption
• Directly integrating hardware-based encryption may
not be feasible
• Many vendors, Samsung and other IoT platform providers among them, are producing chips that include a trusted platform module (TPM), and a device manufacturer can reserve a slot for one on the board, giving the device a hardware root of trust without a full HSM
Use Case: Manufacturing
HSMs provide:
– Root of trust
– Secure credentialing
(“digital birth certificate”)
– Ability to lock/unlock
capabilities
– Encryption key services
– Configuration security
(e.g., code signing)
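The items on this slide are all uses of one primitive: a signing key that lives in the manufacturer's HSM and a device that only ever holds the corresponding public material. The Go program below is an added example and is not code from the deck or from Thales: a `factoryHSM` stand-in holds a manufacturing CA key and a separate firmware signing key, issues a device its "digital birth certificate" (an X.509 certificate binding the device's own public key to its serial number), signs a firmware image, and the device-side and backend-side checks verify both. The CA and company names, the serial number, the validity periods and the sample firmware image are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// factoryHSM stands in for the manufacturer's HSM (constructed for this example, not a real device).
// The CA key and the firmware signing key are generated and used inside it; only certificates,
// public keys and signatures ever leave.
type factoryHSM struct {
	caKey  *ecdsa.PrivateKey
	caCert *x509.Certificate
	fwKey  *ecdsa.PrivateKey
	serial int64 // certificate serial counter
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newFactoryHSM() *factoryHSM {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	fwKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Widget Manufacturing CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(20, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return &factoryHSM{caKey: caKey, caCert: must(issue(tmpl, tmpl, &caKey.PublicKey, caKey)), fwKey: fwKey, serial: 1}
}

// IssueBirthCertificate binds a device's public key to its serial number under the manufacturing CA.
// The device key pair is generated on the device; the HSM never sees the private half.
func (f *factoryHSM) IssueBirthCertificate(devicePub *ecdsa.PublicKey, deviceSerial string) (*x509.Certificate, error) {
	f.serial++
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(f.serial),
		Subject:      pkix.Name{CommonName: deviceSerial, Organization: []string{"Example Widget Co"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(15, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, f.caCert, devicePub, f.caKey)
}

// SignFirmware produces the detached code signature the device checks at boot.
func (f *factoryHSM) SignFirmware(image []byte) ([]byte, error) {
	h := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, f.fwKey, h[:])
}

// verifyFirmware is the device-side boot check; fwPub is burned into the device at manufacture.
func verifyFirmware(fwPub *ecdsa.PublicKey, image, sig []byte) bool {
	h := sha256.Sum256(image)
	return ecdsa.VerifyASN1(fwPub, h[:], sig)
}

// verifyBirthCertificate is the backend's enrolment check: chain to the manufacturing CA with client-auth usage.
func verifyBirthCertificate(caCert, devCert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := devCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// provisionAndBoot credentials one device, signs one image, and reports whether the birth certificate
// chains, whether the genuine image boots, and whether a tampered image is (wrongly) accepted.
func provisionAndBoot() (certOK, bootOK, tamperedAccepted bool) {
	hsm := newFactoryHSM()
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // generated on the device itself
	devCert := must(hsm.IssueBirthCertificate(&devKey.PublicKey, "SN-000123"))
	certOK = verifyBirthCertificate(hsm.caCert, devCert) == nil
	image := []byte("firmware v1.0 (constructed sample image)")
	sig := must(hsm.SignFirmware(image))
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 1
	bootOK = verifyFirmware(&hsm.fwKey.PublicKey, image, sig)
	tamperedAccepted = verifyFirmware(&hsm.fwKey.PublicKey, tampered, sig)
	return
}
```

Call `provisionAndBoot` from a `main` or a test to run the flow. Both manufacturer keys stay inside `factoryHSM`; what ships on the device is its own key, its birth certificate, and the two public values it needs to verify firmware and to be verified by backends. The lock/unlock and configuration-security items on the slide are variations of the same primitive: a signed statement from the HSM-held key that the device checks before changing state.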
Summary
The following is a high-level checklist for deploying
hardware-based encryption:
• Use risk analysis to drive the overall process of
determining an appropriate solution.
• Perform cost-benefit analysis.
• Calculate the TCO to make sure there are no hidden
costs.
• Put together a detailed implementation plan to fully
understand the complexities involved.
• Recognize that changes to existing applications might
be needed to accommodate the best solution.

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Decision criteria and analysis for hardware-based encryption

  • 1. Decision Criteria and Analysis for Hardware-Based Encryption. Sponsored by Thales e-Security. © 2016 The SANS™ Institute – www.sans.org
  • 2. Today’s Speakers: Eric Cole, PhD, SANS Analyst and Fellow; John Grimm, Senior Director of Security Strategy, Thales e-Security
  • 3. Introduction. Source: 2016 Global Encryption Trends Study, Ponemon Institute, February 2016. The ratio of cost to benefit has improved, and encryption is now far more common in organizations that rely heavily on Internet- or cloud-connected applications for significant business functions.
  • 4. HSM. Hardware-based encryption uses dedicated hardware to perform cryptographic functions, which offloads processing to an independent system, increasing not only security but also performance. In addition to performance, risk and the security of keys are also factors in using hardware security module (HSM) encryption.
  • 5. Pros and Cons of HSMs
  • 6. Key Areas to Evaluate When Considering Hardware-Based Encryption. Because it is unlikely that every application can benefit enough to justify the additional cost and effort, organizations should deploy hardware-based solutions only for applications with sufficiently high requirements for security and performance.
    – Application integration
    – Crypto APIs
    – Testing and patching
  • 7. Design Criteria and Analysis: Finding Balance. Every organization that has sensitive data can gain from hardware-based encryption, but very few can afford the cost or complexity of applying it to every system and application.
    – Identify all critical data repositories
    – Map key business processes
    – Determine servers that support the processes
    – Create a threat map
    – Perform a risk assessment
    – Prioritize applications
    – Verify all risk mitigation measures
    – Do a gap analysis to determine areas of focus
  • 8. The Criteria. In looking at the criteria, hardware-based encryption works very well in environments in which:
    1. Verified encryption is critical.
    2. Strong key management and protection are required.
    3. Performance is important.
    4. Initial deployment cost is not the ultimate driver.
    5. The organization has control over the application server environment.
  • 9. Use Case: Digital Cinema. HSMs used for:
    – Content encryption
    – Digital watermarking
    – Strong authentication
  • 10. WARNING: Many organizations will initially determine that hardware-based encryption is not a viable or feasible solution because of bad design decisions made when the system was first implemented.
  • 11. (no transcribed text)
  • 12. Challenges in Implementing Hardware-Based Encryption. Source: 2016 Global Encryption Trends Study, Ponemon Institute, February 2016
  • 13. Analytical Process for Determining Where to Deploy Hardware-Based Encryption
  • 14. Where and how are HSMs most commonly deployed?
    – SSL/TLS
    – Database encryption
    – Application-level encryption
    Additional HSM form factors:
  • 15. Emerging Technologies (1 of 3): Cloud
    – With the cloud, the hardware and systems are owned and controlled by a third party
    – Close collaboration with the cloud provider is critical for hardware-based encryption to work
    – Cloud providers are looking for ways to enhance their customer experience and differentiate themselves
    – It is not uncommon for some cloud providers to offer services that integrate hardware-based encryption
  • 16. Use Case: Key Management in the Cloud (nShield Edge)
    – User organization generates its own keys on-premise
    – Keys are securely transferred to HSMs in the cloud
    – Keys are used by, but not accessible to, the cloud provider
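The flow on slide 16 (generate on-premise, transfer securely, used by but not accessible to the provider) is easier to reason about with the two sides written out. The following is an added example and not code from the webinar or from Thales: it models the cloud HSM boundary as a Go struct whose private key-encryption key never leaves it, uses RSA-OAEP key wrapping as the transfer mechanism (an assumption; the product's actual transfer protocol is not described on the slide), and exposes an AES-GCM encrypt operation but no export path. Key IDs, the AAD string and the message are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// CloudHSM is a software stand-in for the cloud-side HSM (illustration only, not a real HSM).
type CloudHSM struct {
	kek  *rsa.PrivateKey   // key-encryption key; only its public half is ever handed out
	keys map[string][]byte // imported customer keys, by key ID; never returned to callers
}

// ImportWrappedKey unwraps inside the boundary. The key ID is the OAEP label, so a blob
// wrapped for one ID will not unwrap under another.
func (h *CloudHSM) ImportWrappedKey(id string, wrapped []byte) error {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.kek, wrapped, []byte(id))
	if err != nil {
		return fmt.Errorf("unwrap %q: %w", id, err)
	}
	h.keys[id] = key
	return nil
}

// Encrypt uses an imported key for AES-GCM on the customer's behalf; output is nonce || ciphertext || tag.
func (h *CloudHSM) Encrypt(id string, plaintext, aad []byte) ([]byte, error) {
	key, ok := h.keys[id]
	if !ok {
		return nil, fmt.Errorf("no key %q", id)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Export enforces "used by, but not accessible to": no call path returns key material.
func (h *CloudHSM) Export(id string) ([]byte, error) {
	return nil, fmt.Errorf("export of %q refused: HSM policy forbids key export", id)
}

// WrapForHSM is the on-premise side of the transfer: RSA-OAEP under the HSM's public KEK.
func WrapForHSM(pub *rsa.PublicKey, id string, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(id))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmOpen reverses Encrypt; run on-premise with the organization's own copy of the key.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// RoundTrip runs the full flow; a result equal to msg proves the cloud HSM used exactly
// the key the organization generated and wrapped for it.
func RoundTrip(msg string) (string, error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	hsm := &CloudHSM{kek: kek, keys: map[string][]byte{}}
	key := make([]byte, 32) // 256-bit key generated on-premise by the user organization
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	const id = "tenant-a/db-key-1"   // constructed key ID
	aad := []byte("app=db,env=prod") // constructed context bound into the ciphertext
	wrapped, err := WrapForHSM(&hsm.kek.PublicKey, id, key)
	if err == nil {
		err = hsm.ImportWrappedKey(id, wrapped)
	}
	if err != nil {
		return "", err
	}
	sealed, err := hsm.Encrypt(id, []byte(msg), aad)
	if err != nil {
		return "", err
	}
	plain, err := gcmOpen(key, sealed, aad)
	return string(plain), err
}
```

The property to check when evaluating a real offering against this slide is the one the `Export` method makes explicit: after import, the only operations available on the key are cryptographic ones, and the provider's administrators have no API, backup or debug path that returns the key bytes.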
  • 17. Emerging Technologies (2 of 3): Virtualization
    – Hardware-based crypto services for virtualized environments require planning
    – A “virtualized HSM” would reduce the benefit of hardware-based protection features like anti-tamper
    – Virtual systems requiring hardware-based encryption need access to a network-based HSM, or must share access to a PCI HSM on the same server
  • 18. Emerging Technologies (3 of 3): IoT (Internet of Things)
    – The IoT typically involves relatively low-end pieces of hardware that focus on a single task, with an emphasis on low power consumption
    – Directly integrating hardware-based encryption may not be feasible
    – Many vendors, such as Samsung and other IoT platform providers, are making chips with trusted platform modules for which the device manufacturers can leave a slot
  • 19. Use Case: Manufacturing. HSMs provide:
    – Root of trust
    – Secure credentialing (“digital birth certificate”)
    – Ability to lock/unlock capabilities
    – Encryption key services
    – Configuration security (e.g., code signing)
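Slide 19 lists what the manufacturing HSM provides without showing how the pieces relate. The following added example (not code from the webinar or from Thales) shows the root-of-trust pattern those items share: a signing key that lives only inside the HSM, a signed identity record issued per device (the "digital birth certificate", here carrying the feature list used for lock/unlock), and a signature over a firmware image (code signing). The HSM is modelled as a Go struct, ECDSA P-256 is an assumed algorithm choice, and the serial, model, feature names and firmware bytes are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// RootOfTrust is a software stand-in for the manufacturing HSM (illustration only,
// not a real HSM): it holds the signing key and only ever emits signatures.
type RootOfTrust struct{ priv *ecdsa.PrivateKey }

func NewRootOfTrust() (*RootOfTrust, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &RootOfTrust{priv: priv}, err
}

// Public returns the verification key; this is all a verifier in the field needs.
func (r *RootOfTrust) Public() *ecdsa.PublicKey { return &r.priv.PublicKey }

// Sign produces an ASN.1 ECDSA signature over SHA-256(data) inside the boundary.
func (r *RootOfTrust) Sign(data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, r.priv, h[:])
}

// Verify checks a signature using only the public key.
func Verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// BirthCertificate is the identity record issued to a device at manufacture;
// Features models the capability list that can be locked or unlocked.
type BirthCertificate struct {
	Serial    string   `json:"serial"`
	Model     string   `json:"model"`
	DevicePub []byte   `json:"device_pub"` // the device's own public key, bound to the serial
	Features  []string `json:"features"`
}

// Issue serialises the certificate and signs it; record and signature are
// provisioned onto the device together.
func (r *RootOfTrust) Issue(c BirthCertificate) (record, sig []byte, err error) {
	if record, err = json.Marshal(c); err != nil {
		return nil, nil, err
	}
	sig, err = r.Sign(record)
	return record, sig, err
}

// Demo runs issuance and code signing end to end. It reports whether the genuine
// certificate and firmware verify, and whether a firmware image altered after
// signing is rejected (true means rejected).
func Demo() (genuineOK, tamperRejected bool, err error) {
	rot, err := NewRootOfTrust()
	if err != nil {
		return false, false, err
	}
	// Constructed sample data for one device.
	cert := BirthCertificate{Serial: "SN-000123", Model: "sensor-v2",
		DevicePub: []byte{0x04, 0xAA, 0xBB}, Features: []string{"ota", "debug-off"}}
	record, certSig, err := rot.Issue(cert)
	if err != nil {
		return false, false, err
	}
	firmware := []byte("constructed firmware image v1.0")
	fwSig, err := rot.Sign(firmware) // configuration security: code signing
	if err != nil {
		return false, false, err
	}
	pub := rot.Public()
	genuineOK = Verify(pub, record, certSig) && Verify(pub, firmware, fwSig)
	tampered := bytes.Replace(firmware, []byte("v1.0"), []byte("v1.1"), 1)
	tamperRejected = !Verify(pub, tampered, fwSig)
	return genuineOK, tamperRejected, nil
}
```

The design point for an evaluation is that every verifier (the device bootloader, a field service tool, the cloud backend) needs only the public key, so the private key has exactly one home and the HSM's anti-tamper and access controls on that key are what the whole device population's trust rests on.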
  • 20. Summary. The following is a high-level checklist for deploying hardware-based encryption:
    – Use risk analysis to drive the overall process of determining an appropriate solution.
    – Perform cost-benefit analysis.
    – Calculate the TCO to make sure there are no hidden costs.
    – Put together a detailed implementation plan to fully understand the complexities involved.
    – Recognize that changes to existing applications might be needed to accommodate the best solution.