Thales Partners

Amazon Web Services (AWS)


Amazon Web Services provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in 190 countries around the world. Thales is an APN Advanced Technology Partner that collaborates with AWS to remove companies' cloud adoption barriers. AWS has several resources discussing how the best encryption and key management solutions available, including our own, have been incorporated into AWS. Download our ebook, "9 Ways to Enhance Security in AWS". Amazon Web Services (AWS) offers applications that integrate with Thales solutions to provide users with powerful data protection solutions.

P.O. Box 81226 Seattle, WA 98108-1226

Amazon EC2 and S3: Database and File Encryption and Thales ProtectDB

From credit card information, patient data, and social security numbers to customer email addresses—the most valuable information and assets of an enterprise reside in databases. When migrating that data to AWS EC2, Thales ProtectDB provides transparent column-level encryption of structured data residing in databases. 

The solution enables large amounts of sensitive data to be moved in and out of the data stores rapidly by efficiently encrypting and decrypting specific fields in databases that may contain millions of records. Thales ProtectDB is extremely scalable and works across multiple data centers in distributed enterprises.

Deployed in tandem with Thales KeySecure hardware or virtual appliance, ProtectDB offers centralized key and policy management to ensure encrypted data remains secure throughout its lifecycle. The solution provides a single interface for logging, auditing, and reporting access to protected data and encryption keys, a critical feature for compliance and data protection. 

Thales ProtectDB features built-in, automated key rotation and data re-keying, a critical feature for compliance and data protection. The highly scalable solution enables isolation of sensitive data in a shared infrastructure, separation of duties, and improved compliance with a variety of regulations including, but not limited to, the Payment Card Industry Data Security Standard (PCI DSS) for credit card numbers.

Amazon EC2 and S3: Key Management and Thales Virtual KeySecure

Thales Virtual KeySecure for AWS Marketplace centralizes key management for Thales ProtectV-secured virtual instances, as well as other use cases, using a hardened virtual security appliance that runs in the AWS cloud. 

The combination of Thales Virtual KeySecure and Thales ProtectV enables organizations to unify encryption and control across virtualized and cloud infrastructure, increasing security and compliance for sensitive data residing in AWS EC2 instances. 

Thales Virtual KeySecure allows organizations to quickly deploy centralized key management in high-availability, clustered configurations. Additionally, Thales Virtual KeySecure ensures that organizations maintain ownership of their encryption keys at all times by hardening the appliance OS and enforcing encryption of the entire virtual appliance.

Resources & Additional Information:

AWS EC2 and Thales Virtual KeySecure Integration Guide

Amazon EC2: File and Disk Encryption and Thales Tokenization

Thales Tokenization protects sensitive data (primary account numbers, social security numbers, phone numbers, passwords, email addresses, etc.) stored on Amazon EC2 by replacing it with a unique token that is stored, processed or transmitted in place of the clear data. 

Using Format Preserving Tokenization (FPT), Thales Tokenization preserves the length and format of the sensitive data. Thales Tokenization is also flexible in its ability to support a variety of token formats, such as last four, first six, custom formats, and regular expression. The solution utilizes Web APIs for easy deployment, requires no changes to existing databases and applications, and is extremely scalable across multiple data centers in the distributed enterprise.

Deployed with Thales KeySecure hardware or virtual appliance for centralized key and policy management, Thales Tokenization provides a single, centralized interface for logging, auditing, and reporting access to protected data, keys, and tokens. 

Tokenization also features built-in, automated key rotation and data re-keying, a critical feature for compliance and data protection. Compliant with PCI Tokenization Guidelines and VISA Tokenization Best Practices, Tokenization is an ideal solution for organizations with high compliance costs as it significantly reduces regulatory scope, facilitates the annual audit process, and results in reduced total cost of ownership.
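The format-preserving behaviour described above, as an added example that is not Thales code: a constructed in-memory token vault replaces every digit of a value except the last four with a random digit, keeps separators and length intact, returns the same token for repeated requests, and only maps a token back to the clear value through a separate detokenize call. The `Vault`, `Tokenize` and `Detokenize` names are assumptions of this example; the product exposes this through its Web APIs and a protected backend store, and a "first six" format would keep a prefix of the digit positions in the same way.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// Vault is a constructed in-memory token vault standing in for the tokenization
// backend; a real deployment keeps this mapping in a protected store behind policy.
type Vault struct {
	mu      sync.Mutex
	toToken map[string]string // clear value -> token
	toClear map[string]string // token -> clear value
}

func NewVault() *Vault {
	return &Vault{toToken: map[string]string{}, toClear: map[string]string{}}
}

// randomDigit draws a uniformly distributed decimal digit from crypto/rand,
// rejecting bytes 250..255 so the modulo does not bias the result.
func randomDigit() (byte, error) {
	var b [1]byte
	for {
		if _, err := rand.Read(b[:]); err != nil {
			return 0, err
		}
		if b[0] < 250 {
			return '0' + b[0]%10, nil
		}
	}
}

// Tokenize returns a token of the same length and layout as clear: separators and
// the last keepLast digits are preserved, every other digit is replaced at random.
// The same clear value always maps to the same token within a vault.
func (v *Vault) Tokenize(clear string, keepLast int) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	if t, ok := v.toToken[clear]; ok {
		return t, nil
	}
	out := []byte(clear)
	var digitPos []int
	for i, c := range out {
		if c >= '0' && c <= '9' {
			digitPos = append(digitPos, i)
		}
	}
	if keepLast < 0 || keepLast > len(digitPos) {
		return "", errors.New("keepLast out of range for this value")
	}
	replace := digitPos[:len(digitPos)-keepLast]
	for attempt := 0; attempt < 16; attempt++ {
		for _, i := range replace {
			d, err := randomDigit()
			if err != nil {
				return "", err
			}
			out[i] = d
		}
		tok := string(out)
		// Reject a token that collides with an existing one or equals the clear value.
		if _, taken := v.toClear[tok]; taken || tok == clear {
			continue
		}
		v.toToken[clear] = tok
		v.toClear[tok] = clear
		return tok, nil
	}
	return "", errors.New("could not find an unused token")
}

// Detokenize maps a token back to the clear value; this is the privileged
// operation that the vault's access policy should restrict and log.
func (v *Vault) Detokenize(token string) (string, bool) {
	v.mu.Lock()
	defer v.mu.Unlock()
	c, ok := v.toClear[token]
	return c, ok
}

func main() {
	v := NewVault()
	tok, err := v.Tokenize("4111 1111 1111 1234", 4) // constructed sample PAN
	fmt.Println(tok, err)
	fmt.Println(v.Detokenize(tok))
}
```

Applications that only need to display or match on the last four digits can work with the token alone and never call `Detokenize`, which is what takes them out of audit scope.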

Amazon EC2: Virtual Disk Encryption and Thales ProtectV

Thales ProtectV encrypts entire virtual machine instances and attached storage volumes while ensuring complete isolation of data and separation of duties. Thales ProtectV StartGuard pre-boot authentication ensures that no virtual machine instance can be launched without proper authorization. The copies and snapshots of virtual machine instances are tracked and are impossible to instantiate without authorized access.

Thales ProtectV, available on AWS Marketplace, enables organizations to unify encryption and control across virtualized and cloud environments, improving business agility and lowering costs by securely migrating even the most sensitive, highly regulated data to the cloud. 

Organizations choose between several levels of assurance and deployment modes for centralized key management and retain access to and control of encryption keys at all times. 

Resources and Additional Information:

Amazon EC2 and Thales ProtectV Integration Guide

Amazon S3: Client-Side Object Encryption with Thales ProtectApp

Thales ProtectApp, when integrated with AWS SDKs, provides customer-controlled client-side object encryption for storage in Amazon’s Simple Storage Service (S3). ProtectApp’s Java API and AWS SDK for Java interoperate to form an encryption client that provides keys as input to applications in order to encrypt an object before loading it to storage.

Thales KeySecure—either on-premises or as a hardened virtual appliance run in an AWS EC2 environment—works with the Thales/AWS encryption client to store the cryptographic keys and offload cryptographic functions in order to encrypt data prior to archiving in S3 without impacting performance.

The Thales/AWS encryption client gives customers control of their data by encrypting it within the application before it is uploaded to S3. AWS customers can ensure their data will be unreadable by unauthorized users since encryption occurs in the customer’s control before AWS storage receives the data and the KeySecure appliance protects the corresponding encryption keys.

In this setup, AWS administrators can manage the storage environment but never have access to cleartext data or to the keys needed to render the data as cleartext.
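The client-side pattern described in this section, as an added example that is not Thales or AWS code: a constructed `KeyManager` stands in for the key server and only wraps and unwraps per-object data keys, the object is encrypted with AES-256-GCM on the client before any upload call, the object's key name is bound in as authenticated data, and the storage side only ever holds ciphertext plus a wrapped data key. All type and function names are assumptions of this example; the real client uses the ProtectApp Java API together with the AWS SDK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyManager is a constructed stand-in for the key server (KeySecure in the text):
// the master key stays inside it, and callers only get wrap/unwrap of data keys.
type KeyManager struct {
	master []byte
}

func NewKeyManager() (*KeyManager, error) {
	m := make([]byte, 32)
	if _, err := rand.Read(m); err != nil {
		return nil, err
	}
	return &KeyManager{master: m}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on any modification of the ciphertext or the aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// WrapDataKey and UnwrapDataKey are the only operations the key manager exposes.
func (k *KeyManager) WrapDataKey(dk []byte) ([]byte, error) {
	return seal(k.master, dk, []byte("s3-data-key"))
}

func (k *KeyManager) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	return open(k.master, wrapped, []byte("s3-data-key"))
}

// EncryptedObject is all the storage service ever receives: ciphertext plus the
// wrapped data key carried as object metadata. Neither is useful without the key manager.
type EncryptedObject struct {
	Key        string // object key in the bucket, bound into the AAD
	Ciphertext []byte
	WrappedKey []byte
}

// EncryptForUpload runs on the client before any upload call is made.
func EncryptForUpload(km *KeyManager, objectKey string, plaintext []byte) (*EncryptedObject, error) {
	dk := make([]byte, 32) // one fresh data key per object
	if _, err := rand.Read(dk); err != nil {
		return nil, err
	}
	ct, err := seal(dk, plaintext, []byte(objectKey))
	if err != nil {
		return nil, err
	}
	wrapped, err := km.WrapDataKey(dk)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{Key: objectKey, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// DecryptDownloaded reverses the process on the client. Because the object key is
// authenticated data, an object copied under a different name fails to decrypt.
func DecryptDownloaded(km *KeyManager, obj *EncryptedObject) ([]byte, error) {
	dk, err := km.UnwrapDataKey(obj.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dk, obj.Ciphertext, []byte(obj.Key))
}
```

A bucket operator who reads `Ciphertext` and `WrappedKey` directly gets nothing usable, and a copy of the object stored under another key name is rejected on decryption, which is the property the paragraph above relies on.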

Amazon S3: File Encryption with Thales ProtectFile

Thales ProtectFile provides data security with automated file encryption of unstructured data contained in S3 servers. Thales ProtectFile deploys in tandem with Thales KeySecure, and encrypts flat files that contain sensitive data, such as text documents, spreadsheets, bitmap images, and vector drawings. 

Encryption keys and policies are managed on the Thales KeySecure appliance, improving security and reducing operational overhead. Thales ProtectFile enables data-centric security by rendering files containing sensitive data useless to attackers. 

As opposed to systems that secure a perimeter or device, Thales ProtectFile secures the data itself, ensuring that files are protected regardless of whether the file resides in S3 or on your desktop. For customers that need to demonstrate that they maintain control of their data even as it resides in the cloud, Thales ProtectFile is the perfect solution.

Amazon S3 with Vormetric Transparent Encryption (VTE)

Amazon Web Services (AWS) Simple Storage Service (S3), one of the leading cloud storage solutions, is used by companies all over the world to power their IT operations for a variety of use cases.


Resources and Additional Information

AWS S3 with Vormetric Transparent Encryption (VTE) - Solution Brief

AWS Cloud HSM: Cloud Services with Thales Luna Network HSM

AWS CloudHSM uses Thales Luna Network HSM to provide a “rentable” hardware security module (HSM) service that dedicates a single-tenant appliance located in the AWS cloud for a customer’s cryptographic storage needs. 

CloudHSM allows customers to generate, store and manage the keys to their encryption deployment using a FIPS 140-2 validated hardware security module located in the same center as their data. 

With an HSM, only authorized users can access stored encryption keys making it an essential tool for demonstrating data control for security audits and regulators.

AWS Cloud HSM: Key Management and Thales Crypto Command Center

SafeNet Crypto Command Center remotely administers AWS CloudHSMs hosted on AWS, enabling enterprise and service providers to take full advantage of the benefits of virtualization including easy access and reduced total cost of ownership, without compromising security or compliance. 

With the market's first true crypto hypervisor, organizations can manage one to thousands of CloudHSMs from one central location. Easily provision crypto services by partitioning CloudHSMs in a manner that makes a single appliance behave as if it is many appliances with cryptographic keys kept secure from the other partitions. 

The result is a single appliance, or a device pool of appliances, that can serve many lines of business and applications at once. Additionally, the rightful key owner retains control of the keys—even in multi-tenant environments—through role separation and crypto isolation for administrators and owners.

AWS WorkSpaces: Virtual Desktop Infrastructure and Thales Authentication Service


Amazon WorkSpaces is a managed desktop computing service in the cloud. It allows customers to access and easily provision cloud-based desktops with the device of their choice.

Building on Thales's award-winning authentication service, Thales Trusted Access combines authentication and access management in a fully integrated cloud service. Our service lets you transform your business and operate securely in the cloud by preventing data breaches, simplifying access for users, and enabling compliance.

Our customers include over 25,000 organizations and 30 million users worldwide across all industries. Partnering with Thales for the long term, they trust our innovative access management and authentication services to help them securely adopt new ways of doing business on mobile, and in the cloud.

Resources & Additional Information

Thales Authentication Service (SAS) is now Thales Trusted Access (STA). For STA RADIUS integrations, please refer to the STA RADIUS Integration Guides page on the Thales Customer Portal.


AWS Key Management Services

The AWS BYOK solution enables customers to generate their own AES-256 bit key on Thales Luna HSMs and export this key to AWS KMS. As part of the export process, a public key (the wrapping key) is used to wrap the AES-256 bit key. To export the AES-256 bit key from the HSM, the key must be generated with the exportable attribute set to true. If an existing AES-256 bit key is to be exported, that key must have either the exportable attribute set to true or the modifiable attribute set to true.
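The wrap-and-export step described above, as an added example that is not Thales or AWS code: a constructed in-memory stand-in for the HSM key object carries the exportable and modifiable attributes and refuses export when neither is set, the AES-256 key is wrapped under the importer's RSA public wrapping key with RSAES-OAEP using SHA-256 (one of the wrapping algorithms AWS KMS accepts for imported key material), and the importing side unwraps it with the private key to confirm the round trip. The `HSMKey`, `WrapForImport` and `RoundTrip` names are assumptions of this example; the real flow uses the Luna client tooling for the HSM side and the KMS GetParametersForImport and ImportKeyMaterial calls for the AWS side.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// HSMKey is a constructed stand-in for an AES key object held in the HSM, carrying
// the two attributes the export rule depends on. Not a Thales Luna data structure.
type HSMKey struct {
	Label      string
	Material   []byte // 32 bytes for AES-256; never leaves a real HSM unwrapped
	Exportable bool
	Modifiable bool
}

// ErrNotExportable is returned when a key is neither exportable nor modifiable.
var ErrNotExportable = errors.New("key is neither exportable nor modifiable")

// GenerateAES256 creates a fresh 256-bit key in the simulated HSM with the given attributes.
func GenerateAES256(label string, exportable, modifiable bool) (*HSMKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &HSMKey{Label: label, Material: k, Exportable: exportable, Modifiable: modifiable}, nil
}

// WrapForImport enforces the export rule from the text and then wraps the AES key
// under the importer's RSA public wrapping key using RSAES-OAEP with SHA-256.
func WrapForImport(k *HSMKey, wrappingKey *rsa.PublicKey) ([]byte, error) {
	if !k.Exportable {
		if !k.Modifiable {
			return nil, ErrNotExportable
		}
		k.Exportable = true // modifiable: set the attribute first, then export
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, wrappingKey, k.Material, nil)
}

// UnwrapImported is the importing side's step: recover the AES key with the private
// half of the wrapping key pair, which in AWS KMS never leaves the service.
func UnwrapImported(wrapped []byte, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// RoundTrip runs the whole handoff and reports whether the importer recovered
// exactly the key the HSM generated; the wrapped blob must not expose the raw key.
func RoundTrip(exportable, modifiable bool) (bool, error) {
	hsmKey, err := GenerateAES256("byok-demo", exportable, modifiable)
	if err != nil {
		return false, err
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // importer's wrapping key pair
	if err != nil {
		return false, err
	}
	wrapped, err := WrapForImport(hsmKey, &priv.PublicKey)
	if err != nil {
		return false, err
	}
	// RSA-2048 OAEP output is 256 bytes and must not start with the raw key material.
	if len(wrapped) != 256 || subtle.ConstantTimeCompare(wrapped[:32], hsmKey.Material) == 1 {
		return false, errors.New("wrapped blob looks wrong")
	}
	got, err := UnwrapImported(wrapped, priv)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(got, hsmKey.Material) == 1, nil
}

func main() {
	ok, err := RoundTrip(true, false)
	fmt.Println("exportable key round-trip ok:", ok, "err:", err)
	_, err = RoundTrip(false, false)
	fmt.Println("locked key export attempt err:", err)
}
```

The attribute check is the part worth keeping in mind operationally: a key created without the exportable attribute and without the modifiable attribute cannot be moved into KMS later, so the decision has to be made at generation time.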


Resources and Additional Information

AWS Key Management Services with Thales Luna HSM - Integration Guide