
Comparing VTE and Tokenization

Vormetric Transparent Encryption

Slide No: 2

Copyright 2015 Vormetric, Inc. Proprietary and Confidential. All rights reserved.
Vormetric Transparent Encryption

[Diagram: on a server holding Big Data, Databases or Files, the stack runs User, Application, Database, File Systems, Volume Managers, Storage. Approved Processes and Users see Clear Text ("John Smith, 401 Main Street"); Privileged Users (Cloud Admin, Storage Admin, etc.) see data that is Encrypted & Controlled. The DSM (Vormetric Data Security Manager, a virtual or physical appliance) drives Allow/Block and Encrypt/Decrypt. Vormetric Security Intelligence sends logs to SIEM.]

Vormetric User Access Controls (With VTE)
Process and user aware file access policies

Access attempts against the HR ERP Directory (protected by Vormetric Transparent Encryption):

Authorized User: Group: HR; App: ERP; What: Read File; Time: 2PM 11/14/2014; Where: HR ERP Directory
Unauthorized User: Group: Finance; App: IE 9.0; What: Read File; Time: 5pm 11/14/2014; Where: HR ERP Directory
Root User: Group: SystemAdmin; Process: Cat command; What: Read File; Time: 2PM 11/14/2014; Where: HR ERP Directory

Access Policy #1: User: HR-Group; App: ERP; Opp: Read Only; Time: Any; Resources: Any

Block access and log attempt

File access policies can be very granular. User access can be controlled by application, allowed operations,
time and the file or resource they attempt to access.

Policy Example: Structured Data (SQL, Oracle, etc)

# | Resource | User | Process | Action | Effects
1 | DB and Log files | DB Service account | DB binary (sqlservr.exe, oracle) | read/write | permit, encrypt/decrypt
2 | DB and Log files | Administrative accounts only | * | read metadata | permit, audit
3 | DB and Log files | * | * | * | deny, audit

Policy Summary:
1 Only the DB Service account, using the whitelisted DB binaries, has full transparent access to the encrypted DB objects.
2 The privileged administrative accounts are allowed to manage the encrypted DB objects but have no ability to decrypt the DB objects.
3 Deny and audit non-conforming data requests at the I/O layer.

Policy Benefits
Database encryption, without changing database schema or application code.
Remove custodial risk of privileged account compromise.
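
The three-rule policy above, modelled as an ordered rule list. This is an added illustration, not Vormetric's policy syntax or engine; it assumes rules are evaluated top-down with the first match winning, and the path glob, account names and action names are placeholders.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    number: int
    resource: str         # glob over the file path
    users: frozenset      # account names, or {"*"} for any
    processes: frozenset  # binary names, or {"*"} for any
    actions: frozenset    # requested operations, or {"*"} for any
    effects: tuple


ANY = frozenset({"*"})
DB_FILES = "/data/db/*"   # constructed path for "DB and Log files"
POLICY = [
    Rule(1, DB_FILES, frozenset({"svc_db"}), frozenset({"sqlservr.exe", "oracle"}),
         frozenset({"read", "write"}), ("permit", "encrypt/decrypt")),
    Rule(2, DB_FILES, frozenset({"dba_admin", "backup_admin"}), ANY,
         frozenset({"read_metadata"}), ("permit", "audit")),
    Rule(3, DB_FILES, ANY, ANY, ANY, ("deny", "audit")),
]


def _allowed(value, allowed):
    return "*" in allowed or value in allowed


def evaluate(path, user, process, action, policy=POLICY):
    """Return (rule number, effects) for the first rule that matches the request."""
    for rule in policy:
        if (fnmatch(path, rule.resource) and _allowed(user, rule.users)
                and _allowed(process, rule.processes)
                and _allowed(action, rule.actions)):
            return rule.number, rule.effects
    return None, ()   # path is outside the guarded resource; policy does not apply


def sees_cleartext(effects):
    """Only a permit that also carries encrypt/decrypt yields decrypted data."""
    return "permit" in effects and "encrypt/decrypt" in effects


if __name__ == "__main__":
    f = "/data/db/sales.mdf"
    for req in [("svc_db", "sqlservr.exe", "read"),     # service account, listed binary
                ("dba_admin", "tar", "read_metadata"),  # admin manages files, no decrypt
                ("svc_db", "cat", "read"),              # right account, wrong process
                ("root", "cat", "read")]:               # privileged user
        number, effects = evaluate(f, *req)
        print(req, "-> rule", number, effects, "cleartext:", sees_cleartext(effects))
```

The third request is the case the policy is built for: the service account's identity alone is not enough, because rule 1 also requires one of the listed DB binaries.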

Copyright 2012 Vormetric, Inc. - Proprietary and Confidential. All Rights Reserved.
Value Proposition for Transparent Encryption

Easy to deploy: no application changes, no workflow changes, any storage.
Works in all environments (cloud, big data, physical, virtual): Windows, Linux, Unix
Privileged user access control
Encryption
Security Intelligence

Slide No: 6

Value Proposition: Vormetric User Access Control (UAC)
Separation of privileged users and sensitive user data
Separation of administrative duties
Granular access controls
Secure, reliable, and auditable key management
Detailed security intelligence
Detailed logs
Allowed or denied
Commands like 'switch users'
SIEM feed

Slide No: 7

Islands of Encryption
A disjointed, expensive collection of point products

Point products: Database Encryption, Full Disk Encryption, Data Masking, Tokenization, Cloud Encryption, File Encryption, Access Policies
Use cases: Customer Records, Physical Security, PHI, PCI, Cloud Migration, Big Data, Privileged User Control

$ + $ + $ + $ + $ + $ + $
Each use case requires individual infrastructure, management consoles and training

Complex, Inefficient, Expensive


Vormetric Data Security Platform
Solving the inefficiencies of point product solutions

[Diagram, 2013 to 2014; labels: Cloud; Managed Services; First public cloud reference; Big Data; Vormetric Application Encryption; PKCS#11; KMIP; Compliance; Key Management; TDE; App; ESM SmartConnector; Security Intelligence]

Slide No: 9
Vormetric Data Security Platform 2.0
Expansion: Tokenization and Data Masking
Introducing Vormetric Tokenization with Dynamic Data Masking

Slide No: 11
Introducing Vormetric Tokenization

[Diagram: Credit Card 0544-4124-4325-3490 -> Vormetric Token Server -> Token]

Token formats shown:
4567-8765-9807-2342  Random
4567-8765-9807-2344  Random w/Luhn
0000-0000-0000-0001  Sequential

Use cases:
Reduce PCI scope and support other compliance initiatives
Production database protection
De-identify data in development/test, cloud and big data environments
Prevent admins, hackers, and unauthorized users from looking at sensitive data

Slide No: 12
Vormetric Tokenization
with Dynamic Data Masking for display security

[Diagram: data is tokenized in the production database (1234-4567-6789-1234). Through the App Servers, Accounts Payable sees 0544-4124-4325-3490 and Customer Service sees XXXX-XXXX-XXXX-3490. Legend: Credit Card; Token or mask.]

Slide No: 13
Vormetric Tokenization
Simplifying application-layer tokenization

[Diagram, steps numbered 1 to 6 (step 3 marked *): Customer; App Servers; REST API; Vormetric Token Server (Virtual Appliance); DSM; Database; Token Vault** holding ((CC)e, Token) lookups. Values shown: 0544-4124-4325-3490 and 1234-4567-6789-1234. Legend: Credit Card; Token or mask.]
* New and expired keys
** Oracle, customer provided, phase 1

Slide No: 14
Vormetric Tokenization w/
Dynamic Data Masking use case

[Diagram, steps numbered 1 to 7, with Request, Response, Mask and Data Sent labels: Accounts Payable; Customer Service; App Servers; REST API; Vormetric Token Server; DSM; AD/LDAP Server; Database (production data tokenized); Token Vault holding ((CC)e, Token) lookups. Values shown: 0544-4124-4325-3490 and 1234-4567-6789-1234. Legend: Credit Card; Token or mask.]

Slide No: 15
Vormetric Tokenization
with Dynamic Data Masking

Format Preserving Tokenization (single and multi-use)

Tokenization of numeric & alphanumeric data

Optional Luhn checks for credit card tokenization

RESTful APIs

LDAP/AD integration

Dynamic Data Masking

Virtual Appliance based architecture enables elastic scaling

Slide No: 16
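
A sketch of vault-based, format-preserving tokenization with the optional Luhn check and role-based masking listed above. This is an added example, not Vormetric's implementation or API: the in-memory TokenVault, the function names and the role names are hypothetical, and a real vault stores the card number encrypted.

```python
import secrets

DIGITS = "0123456789"


def luhn_valid(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def random_digits(n, luhn):
    body = "".join(secrets.choice(DIGITS) for _ in range(n - 1))
    if not luhn:
        return body + secrets.choice(DIGITS)
    # exactly one final digit makes the whole string pass the Luhn check
    return next(body + c for c in DIGITS if luhn_valid(body + c))


def reshape(chars, template):
    """Lay chars out in the template's separator pattern (format preservation)."""
    it = iter(chars)
    return "".join(next(it) if ch.isdigit() else ch for ch in template)


class TokenVault:
    """In-memory stand-in for the token vault (card number kept in clear here)."""

    def __init__(self):
        self._by_pan, self._by_token = {}, {}

    def tokenize(self, pan, luhn=False):
        if pan in self._by_pan:             # multi-use: same card, same token
            return self._by_pan[pan]
        n = sum(ch.isdigit() for ch in pan)
        token = pan
        while token == pan or token in self._by_token:
            token = reshape(random_digits(n, luhn), pan)
        self._by_pan[pan], self._by_token[token] = token, pan
        return token

    def detokenize(self, token):
        return self._by_token[token]

    def display(self, token, role, full_view=("accounts_payable",)):
        """Dynamic masking: roles outside full_view get only the last four digits."""
        pan = self.detokenize(token)
        if role in full_view:
            return pan
        digits = [ch for ch in pan if ch.isdigit()]
        return reshape("X" * (len(digits) - 4) + "".join(digits[-4:]), pan)
```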
One Platform One Strategy
Data-at-rest security that follows your data

[Diagram: Enterprise Data Centers (Physical, Virtual, Outsourced); Private, Public, Hybrid Clouds (SaaS, PaaS, IaaS); Big Data (Sources, Nodes, Analytics); Remote Servers]

Slide No: 17
Transparent Encryption x Tokenization

Transparent Encryption | Tokenization
Encrypts the entire database | Changes data to a token, preserving format
100% transparent to applications, no changes required | Application change required (API)
PCI requirements 3, 7 and 10 | PCI requirements 3, 7
Access control at OS (file system) level | Access control to tokens at the application
Easy and fast to deploy (hours) | Complex deployment (weeks)
Security Intelligence integration with SIEM | No
High performance (AES-NI) | Tokenization Server bottleneck
No data masking | Data masking
LDAP/AD integration | LDAP/AD integration
Keys and policy managed by a Data Security Platform (DSM) | Keys managed by DSM; policies require an additional Token Server
Transparent Agent, DSM | Tokenization Server, DSM, Token Vault
No change to data flow | Changes data flow

Slide No: 18
Strategic IT Organization Data Security
Example corporate-wide data protection strategy

Use Cases | %
Secure files and databases with no application changes (Vormetric Transparent Encryption) | 70%
Tokenize SQL, NoSQL databases and big data (Vormetric Tokenization) | 10%
Encrypt database columns (Vormetric Application Encryption) | 10%
Dynamically display role-based masked data (Vormetric Tokenization with Dynamic Data Masking) | 5%
3rd Party Key Management: TDE Keys and NSE Keys (Vormetric Tokenization with Dynamic Data Masking) | 5%
Vormetric | 100%

Slide No: 19
Vormetric Data Security Platform 2.0
Enabling an enterprise data-at-rest security strategy

Flexible
  Enterprise-wide protection and compliance
  History of delivering new use cases enabling secure innovation
Scalable
  Multi-operating systems across all server environments
  Global scale with centralized control
Efficient
  High-performance, minimizes system resources
  Operational simplicity through consistent deployment
Single Platform = Lower TCO

[Diagram labels: Tokenization; Data Masking; Cloud; Transparent; Application-Layer; Encryption; Key Management]

Slide No: 20
Thank you

Learn More
www.vormetric.com
Slide No: 21
