WIRD Data Protection on Demand: Overview
Data Protection On Demand is a cloud-based platform that provides a wide range of on-demand HSM and key management services through a simple online marketplace. With Data Protection On Demand, security is made simpler, more cost-effective and easier to manage because there is no hardware to buy, deploy and maintain. Click and deploy the protection you need, provision services, add security policies and get usage reporting. Data Protection On Demand offers a one-stop data protection marketplace, with a menu of security applications ranging from securing your keys to digital signing and ensuring the root of trust.
Data Protection On Demand (DPoD)
DPoD is a cloud-based platform provided by WIRD and operated by the Thales Group, which provides a wide range of on-demand key management and encryption services through a simple online marketplace. With Data Protection On Demand, security is made simpler, more cost-effective and easier to manage because there is no hardware to buy, deploy and maintain. Customers just click and deploy the services they need, provision users, add devices and get usage reporting in minutes.
WIRD and Thales together can offer you an unbeatable package of just the data protection services your enterprise or organisation needs. Just look at all the benefits:
Zero upfront investment
Up and running in less than 5 minutes
OpEx only usage-based billing
SLA On Demand - 99.95% availability
Automatic failover included
Key backups are automatic
Key and crypto operation metrics and reporting
Elastic, automatic scaling
Unrivaled peace of mind
If you are a partner interested in integrating Data Protection On Demand into your solutions, we offer technical, marketing, and business development support.
WIRD Data Protection on Demand: Detailed Information
The challenge in providing DPoD: Make HSM protection easily available
Hardware Security Modules, or HSMs for short, have been around for a while. Designed to generate, manage and store cryptographic keys, they are the vault of the data center. However, these purpose-built, tamper-proof appliances with dedicated crypto chips and circuits carry a quite significant price tag.
In order to manage on-premises HSMs according to best practice, there are precise operational procedures for accessing the device in security-sensitive environments. This may require multiple custodians and some form of two-factor authentication. Resiliency requirements will usually dictate that the service and its data be duplicated or backed up to a secondary site. The same is needed for the encryption keys, because there is nothing worse than encrypting data and then losing the keys.
No one wakes up in the morning feeling a sudden urge to buy some HSMs; typically, the immediate need is for some good coffee or tea. Should you have stringent compliance requirements, then an on-site HSM will be a no-brainer, but those situations are quite rare. More common is the growing awareness that we are all potential victims of state-driven cyber attacks, and that a higher level of data protection is needed.
The solution: HSM service, but cloud-based
WIRD Group has been working with the market leader in hardware-based security for many years. We have advocated the development of a service offering that provides cloud-based key management services, which dramatically reduces the cost and deployment time for our customers and, of course, eases the burden of handling a complex crypto appliance in a secure environment.
Today we offer such a service in our WIRD Cloud. It is a service-oriented solution that lets you onboard applications easily and quickly in a pay-as-you-go model with zero upfront investment. Virtually unlimited crypto management resources are available elastically, backed by a hardened HSM with the necessary FIPS certifications, and managed locally in a trusted environment. Integration with other services via a REST interface gives you immediate access to crypto services as part of an Infrastructure as Code deployment model.
Data Protection On Demand is cloud and infrastructure agnostic and enables multi-tier management, including complete separation of duties, even when managing multiple levels of child accounts (virtual service providers).
Integrations with other services
Now let us sketch some scenarios for implementing such DPoD services.
HSM on Demand - If there is no specific shopping tile
Set up and access an HSM on Demand service as a Root of Trust for your organization’s cryptographic operations.
This is a generic HSM on Demand (HSMoD) service which can be used for the supported HSM integrations on DPoD which are not yet available as a specific tile.
Use your HSM to generate and/or store cryptographic keys, establishing a common root of trust across all applications and services. Your key vault can also perform cryptographic operations such as encryption and decryption of Data Encryption Keys (DEKs), protection of secrets (passwords, SSH keys, etc.), and more.
Secure CyberArk Privileged Access Security Solution’s top-level encryption key within an HSM.
HSMoD for CyberArk provides a root of trust for the CyberArk Privileged Access Security Solution’s top-level encryption key in an HSM. By generating the server key using HSM-based entropy, HSM on Demand provides secure key storage for the CyberArk Privileged Access Security Solution’s system keys.
HSM on Demand for CyberArk secures the master key used within the vault and hosts it in a secure environment, mitigating the risk of that master key being exposed.
The service provides additional advantages by managing keys and certificates within carefully designed cryptographic boundaries that use robust access control mechanisms, so keys are only used for their authorized purpose.
Enable a secure Root of Trust for applications and services providing digital signatures for documents and code.
By using HSMoD for Digital Signing, you can protect the private keys associated with your signing application in an HSM service to avoid the private keys from being stolen or compromised.
By digitally signing software and firmware packages or electronic documents with an HSM as the root of trust, you can ensure the integrity of the signed data and establish the publisher’s identity while protecting the private keys associated with your signing application.
Bringing trust to blockchain transactions by performing the required crypto operations across the distributed system.
HSMoD for Hyperledger stores the private keys used by blockchain Hyperledger members to sign all transactions, and ensures that cryptographic keys cannot be used by unauthorized devices or people for a range of blockchain Hyperledger applications.
HSMoD for Hyperledger protects cryptographic keys, the blockchain system and digital wallets, while ensuring keys are readily available in the cloud once access is granted. HSMoD for Hyperledger provides high assurance security in data centers and the cloud, enabling multi-tenancy of blockchain identities per partition as proof of transaction and for auditing requirements. With HSMoD for Hyperledger, you can secure keys for every role in your Hyperledger framework.
Java Code Signer
HSM on Demand for Java performs code signing operations on Java artifacts using a signature key generated on an HSM.
With HSMoD for Java Code Signer you can generate and protect the private keys used to sign your Java application in an HSM, preventing the private keys from being stolen or compromised.
Security is significantly enhanced because signing keys and certificates are generated using HSM entropy and Java code signing crypto operations are performed inside the HSM on Demand service. This also improves performance, as cryptographic operations are off-loaded from the signing servers.
Generate and secure your Microsoft Authenticode certificates on an HSM.
HSMoD for Microsoft Authenticode generates and secures Microsoft Authenticode certificates on an HSM and, by doing so, provides hardened boundaries for Microsoft Authenticode digital certificates.
The HSMoD service integrates with Microsoft Authenticode to provide a trusted system for protecting the organizational credentials of the software publisher. An HSM on Demand service secures the keys used by the code signing application within the HSM service. By using HSMoD for Microsoft Authenticode, users can ensure that relevant Microsoft systems, software and hardware products meet approved standards, and prevent signing keys from being accessed by any unauthorized entity.
Microsoft Active Directory Certificate Services - ADCS
Secure the keys of your Microsoft Root Certificate Authority (CA) in an HSM.
HSMoD for Microsoft ADCS provides a root of trust for the Microsoft Certificate Authority (CA) signing key in an HSM. This enforces hardened boundaries for the CA’s cryptographic signing key, which is used to issue trusted certificates for individuals, systems and devices.
Using an HSMoD service to secure the Microsoft ADCS root key ensures the security of the trust hierarchy.
By providing the root of trust for the CA's public key, Microsoft’s security is bolstered, for example when configuring application servers hosting Microsoft ADCS in dispersed data centers.
Microsoft SQL Server
Off-load Microsoft SQL Server cryptographic operations to an HSM.
HSMoD for Microsoft SQL Server enables Microsoft SQL Server cryptographic operations on an HSM. The HSM provides the root of trust for storage of the keys used by Microsoft SQL Server, so that the encryption keys do not reside alongside the encrypted data.
Using the Extensible Key Management (EKM) feature in conjunction with the HSMoD service from Data Protection On Demand, users get secure storage of keys and can offload cryptographic operations such as key creation, deletion, encryption and decryption to the HSM. Data can be encrypted with keys that only the database user has access to on the external EKM/HSM module.
This solution is ideal for on-premises or hosted Microsoft SQL environments.
Ensure that the data encryption keys used by the native Oracle TDE feature are encrypted with a master key that resides within the HSM.
HSMoD for Oracle TDE provides secure storage of Oracle TDE encryption keys for on-premises or hosted Oracle Enterprise solutions, instead of using Oracle Key Vault or Wallet.
The service can also be used in conjunction with Oracle Key Vault to further enhance the security of the encryption keys stored in a hardware device.
HSMoD for Oracle TDE ensures protection of the master key(s) and integrates directly with the Oracle database using PKCS#11. By storing the Master Key, or Key Encryption Key (KEK), in an HSM, you can ensure that only authorized services are allowed to request decryption of the local data encryption keys, known as Data Encryption Keys (DEKs).
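An added illustration of the KEK/DEK split described above, not code from WIRD, Thales or the DPoD service: a simulated HSM partition that generates a KEK it never exports and answers wrap/unwrap requests only for registered services. The Partition type, the service names and the AES-GCM wrapping are assumptions made for this example; a real deployment would make the equivalent calls through PKCS#11 against the HSMoD partition.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// Partition simulates the HSM boundary: the KEK lives here and is never exported.
type Partition struct {
	kek        []byte
	authorized map[string]bool // services allowed to request wrap/unwrap
}

// NewPartition generates the KEK inside the boundary (a real HSMoD partition uses HSM entropy).
func NewPartition(services ...string) *Partition {
	p := &Partition{kek: make([]byte, 32), authorized: map[string]bool{}}
	rand.Read(p.kek) // crypto/rand.Read does not fail on supported platforms
	for _, s := range services {
		p.authorized[s] = true
	}
	return p
}
// gcm enforces the access check before any use of the KEK.
func (p *Partition) gcm(caller string) (cipher.AEAD, error) {
	if !p.authorized[caller] {
		return nil, fmt.Errorf("caller %q is not authorized on this partition", caller)
	}
	block, _ := aes.NewCipher(p.kek) // 32-byte key, so NewCipher cannot fail
	return cipher.NewGCM(block)
}
// WrapDEK encrypts a DEK under the KEK and returns nonce||ciphertext, binding the caller as AAD.
func (p *Partition) WrapDEK(caller string, dek []byte) ([]byte, error) {
	g, err := p.gcm(caller)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, dek, []byte(caller)), nil
}
// UnwrapDEK returns the plaintext DEK only to an authorized caller matching the wrap's AAD.
func (p *Partition) UnwrapDEK(caller string, wrapped []byte) ([]byte, error) {
	g, err := p.gcm(caller)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(wrapped) < n {
		return nil, fmt.Errorf("wrapped DEK too short")
	}
	return g.Open(nil, wrapped[:n], wrapped[n:], []byte(caller))
}
```

The wrapped DEK can sit next to the database files: without a successful request to the partition it is just ciphertext, and a service that is not registered, or that did not wrap it, gets an error instead of key material.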
HSM on Demand for PKI - Public Key Infrastructure
Secure private keys belonging to Certificate Authorities responsible for establishing a PKI trust hierarchy.
Salesforce Key Broker
Create key material (tenant secrets) for Salesforce and manage your keys and security policies with Salesforce Shield across their lifecycle.
Key Broker for Salesforce enables you to retain control of your keys and align your key management policies across Salesforce environments. The key broker serves as a custodian of keys, providing a consolidated key management directory to manage, search and audit all keys.
Using the Key Broker On Demand for Salesforce, you can design and enforce policies, helping to ensure compliance. To further ensure the security and privacy of your data, you can Bring Your Own Key (BYOK) within the Data Protection On Demand service in the cloud.
Luna HSM Backup
Backup and restore your organisation's on-premises
The Luna HSM Backup is an HSM on Demand (HSMoD) service offering that provides a dedicated backup and restore location for your organization's on-premises Luna HSMs. The Luna HSM Backup allows users to take cryptographic objects from a source Luna HSM partition (the partition that you are backing up) and securely store them on a destination partition (the Luna HSM Backup).
At the moment, DPoD does not support backing up PED-authenticated partitions using the Luna Backup HSM.