Thales helps organisations comply with CPS234 by addressing APRA Prudential Practice Guidelines (PPG) on Information Security Capability, Policy Framework, Information asset identification and classification, implementation of controls and incident management.
INFORMATION SECURITY CAPABILITY
Guidelines 18: Capability Of Third Parties And Related Parties
- With the CipherTrust Data Security Platform (CDSP), administrators can create a strong separation of duties between privileged administrators and data owners and can enforce very granular, least-privileged-user access management policies, enabling the protection of data from misuse by privileged users.
- CipherTrust Transparent Encryption provides a complete separation of administrative roles, so only authorised users and processes can view unencrypted data.
- Thales OneWelcome Identity platform's fine-grained authorisation capability helps organisations by providing the right amount of access to the right people at the right time.
POLICY FRAMEWORK
Guidelines 21 – A policy hierarchy informed by a set of key principles
- Thales OneWelcome Identity Platform allows organisations to associate devices and other digital identities with primary accounts, authenticate, authorise, collect, and store information about external and internal identities from across many domains.
- SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities. These smart cards can also augment Passwordless authentication initiatives relying on PKI and FIDO technology.
- CipherTrust Transparent Encryption protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases, or infrastructure; its MFA feature further limits privileged users' access to sensitive data.
- Thales Luna Hardware Security Modules (HSMs) provide the highest level of encryption security by always storing cryptographic keys in hardware.
- CipherTrust Manager manages key lifecycle tasks including generation, rotation, destruction, import and export, provides role-based access control to keys and policies, supports robust auditing and reporting, and offers a developer-friendly REST API. It supports two-factor authentication for administrative access.
- The audit trail of the CipherTrust Data Security Platform allows risk owners and auditors to assess and demonstrate compliance against the information security policy framework. CipherTrust Transparent Encryption (CTE) provides detailed data access audit logs, and CipherTrust Security Intelligence (CSI) provides logs and reports that streamline compliance reporting and speed up threat detection using leading Security Information and Event Management (SIEM) systems.
INFORMATION ASSET IDENTIFICATION AND CLASSIFICATION
Guidelines 26 – Classification of all information assets by criticality and sensitivity
- CipherTrust Data Discovery and Classification classifies all information assets by criticality and sensitivity. It offers complete visibility into your sensitive data with efficient data discovery, classification, and risk analysis across heterogeneous data stores (the cloud, big data, and traditional environments) in your organisation.
IMPLEMENTATION OF CONTROLS
Guidelines 36 – Information security controls implemented at all stages
- Thales OneWelcome identity & access management solutions limit the access of internal and external users based on their roles and context with strong authentication (MFA), granular access policies and fine-grained authorisation policies. The solution also facilitates external IoT device identity management via the OAuth2 Device Flow specification. Web-connected and user input-constrained devices can be linked with user identity accounts managed by OneWelcome tenants.
- SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities. These smart cards can also augment Passwordless authentication initiatives relying on PKI and FIDO technology.
- Digital signing for a wide range of applications with hardware security modules (HSMs) protects the private keys used for secure electronic signatures; it enhances security and ensures compliance.
- CipherTrust Data Security Platform provides multiple capabilities for protecting data at rest in files, volumes, and databases by CipherTrust Transparent Encryption and CipherTrust Tokenisation.
- CipherTrust Transparent Encryption encrypts sensitive data and enforces granular privileged-user-access management policies that can be applied by user, process, file type, time of day, and other parameters.
- CipherTrust Manager centrally manages encryption keys and configures security policies so organisations can control and protect sensitive data with the separation of duties. It streamlines and strengthens key management in enterprise environments over a diverse set of use cases.
Guidelines 44 – MINIMISE EXPOSURE TO PLAUSIBLE WORST CASE SCENARIOS
- Hardware security modules (HSMs) safeguard the cryptographic keys used to secure applications and sensitive data, enhancing security and ensuring compliance.
- CipherTrust Data Security Platform can enforce very granular, least-privileged-user access management policies, enabling protection of data from misuse by privileged users and attackers.
- CipherTrust Transparent Encryption encrypts files while leaving their metadata in the clear, so IT administrators can perform their system administration tasks without gaining privileged access to the sensitive data residing on the systems they manage.
- CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) continuously monitors processes for abnormal I/O activity and alerts or blocks malicious activity before ransomware can take complete hold of your endpoints and servers.
- CipherTrust Manager offers centralised Administration and Access Control, which unifies key management operations with role-based access controls that prevent unauthorised password changes and alert on simultaneous logins by the same user.
- Thales OneWelcome Identity Platform allows organisations to virtually (or logically) limit access to confidential resources with the use of MFA (including phishing-resistant authentication) and granular access policies. SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities.
Guidelines 46 (b) - PHYSICAL AND ENVIRONMENTAL CONTROLS
- SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities. These smart cards can also augment Passwordless authentication initiatives relying on PKI and FIDO technology.
Guidelines 54 – CRYPTOGRAPHIC TECHNIQUES TO RESTRICT ACCESS; Guidelines 56 – INFORMATION SECURITY TECHNOLOGY SOLUTIONS & Guidelines 58 – END-USER DEVELOPED/ CONFIGURED SOFTWARE
- Hardware security modules (HSMs) provide the highest level of encryption security by always storing cryptographic keys in hardware and offer strong access controls that prevent unauthorised users from accessing sensitive cryptographic material.
- Thales’s portfolio of certificate-based authentication form factors offers strong multi-factor authentication, enabling organisations to address their PKI security needs.
Protect Data in Transit/ Motion
- Thales High Speed Encryptors (HSEs) provide network-independent data-in-transit/motion encryption (Layers 2, 3 and 4), ensuring data is secure as it moves from site to site, or from on-premises to the cloud and back.
- CipherTrust Manager centrally manages encryption keys and configures security policies so organisations can control and protect sensitive data with the separation of duties.
Protect Data in use
- CipherTrust Vaultless Tokenisation protects data at rest while its policy-based Dynamic Data Masking capability protects data in use. A RESTful API in combination with centralised management and services enables tokenisation implementation with a single line of code per field.
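As an added illustration (not Thales' own code or algorithm, which this page does not describe), the snippet below shows the pattern the bullet refers to: a deterministic, format-preserving token protects the stored field with no token vault, and a role-based masking policy decides how much of the cleartext a reader gets back at the point of use. The simplified Feistel scheme, the demo key, the tweak name and the roles are all constructed for this example.

```python
import hashlib
import hmac

# Constructed demo key: a real deployment keeps this in a key manager or HSM.
DEMO_KEY = b"constructed-demo-key-not-for-production"
ROUNDS = 8  # Feistel rounds for this simplified scheme

# Dynamic data masking policy (constructed): role -> what a reader sees.
MASK_POLICY = {"fraud_analyst": "full", "support_agent": "last4"}

def _round_fn(key: bytes, tweak: str, rnd: int, half: str, width: int) -> int:
    """Keyed round function: HMAC over (tweak, round, half), reduced to `width` digits."""
    msg = tweak.encode() + bytes([rnd]) + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)

def fpe_digits(value: str, key: bytes, tweak: str, decrypt: bool = False) -> str:
    """Simplified Feistel format-preserving encryption over an even-length digit string.
    Digits in, same number of digits out; reversible with the same key and tweak, so
    no token vault is needed (vaultless). Illustrative only, not NIST FF1/FF3."""
    if not value.isdigit() or len(value) % 2:
        raise ValueError("even-length digit string expected")
    n = len(value) // 2
    mod = 10 ** n
    left, right = int(value[:n]), int(value[n:])
    for r in (range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)):
        if decrypt:   # undo one round: L = R' - F(L'), R = L'
            f = _round_fn(key, tweak, r, str(left).zfill(n), n)
            left, right = (right - f) % mod, left
        else:         # apply one round: L' = R, R' = L + F(R)
            f = _round_fn(key, tweak, r, str(right).zfill(n), n)
            left, right = right, (left + f) % mod
    return str(left).zfill(n) + str(right).zfill(n)

def tokenize(value: str, tweak: str, key: bytes = DEMO_KEY) -> str:
    """Protect data at rest: replace the cleartext field with a same-format token."""
    return fpe_digits(value, key, tweak)

def detokenize_for_role(token: str, tweak: str, role: str, key: bytes = DEMO_KEY) -> str:
    """Protect data in use: detokenise only as far as the caller's role allows."""
    mode = MASK_POLICY.get(role, "none")
    if mode == "none":
        return token  # unentitled roles never receive cleartext
    clear = fpe_digits(token, key, tweak, decrypt=True)
    if mode == "last4":
        return "*" * (len(clear) - 4) + clear[-4:]
    return clear
```

Because the token is deterministic for a given key and tweak, equal inputs produce equal tokens, which keeps database joins working but means the tweak should be chosen per field so the same value in different columns does not tokenise identically.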
Protect Data At Rest
INCIDENT MANAGEMENT – DETECTION OF SECURITY COMPROMISES
Guidelines 69
- With the CipherTrust Data Security Platform, administrators can create a strong separation of duties between privileged administrators and data owners. In addition, the CipherTrust Manager supports two-factor authentication for administrative access.
- Thales OneWelcome Identity Platform allows organisations to virtually (or logically) limit access to confidential resources with the use of MFA (including phishing-resistant authentication) and granular access policies. It tracks identity events and provides analytics reports.
Attachment A: Security Principles 1. (a)
- CipherTrust Manager offers centralised Administration and Access Control, which unifies key management operations with role-based access controls.
- Hardware security modules (HSMs) safeguard the cryptographic keys used to secure applications and sensitive data; this additional layer of protection further enhances security and ensures compliance.
Attachment A: Security Principles 1. (e)
- Thales OneWelcome Identity platform allows organisations to identify and authenticate internal and external users, manages third-party identities efficiently with its delegation management capability, mitigates third-party risk, and provides an immediate, up-to-date audit trail of all access events across all systems.
- After a user is identified, you can control and coordinate how users gain access to assets, and what they can do with those assets, with the CipherTrust Enterprise Key Management solution.
Attachment C: Identity and Access
- Thales OneWelcome identity & access management solutions limit the access of internal and external users based on their roles and context.
- SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities.
Attachment E: Cryptographic Techniques
- Luna HSMs from Thales provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more.
- CipherTrust Data Security Platform can enforce very granular, least-privileged-user access management policies, enabling protection of data from misuse by privileged users and attackers.