Amazon Web Services (AWS)

In 2006, Amazon Web Services (AWS) began offering IT infrastructure services to businesses in the form of web services -- now commonly known as cloud computing. One of the key benefits of cloud computing is the opportunity to replace up-front capital infrastructure expenses with low variable costs that scale with your business. With the Cloud, businesses no longer need to plan for and procure servers and other IT infrastructure weeks or months in advance. Instead, they can instantly spin up hundreds or thousands of servers in minutes and deliver results faster. Today, Amazon Web Services provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in 190 countries around the world. Gemalto is excited to be an APN Advanced Technology partner that collaborates to remove companies’ cloud adoption barriers. AWS has several resources discussing how the best encryption and key management solutions available – including our own – have been incorporated into AWS:

Amazon Web Services (AWS) offers applications that integrate with SafeNet solutions to provide users with powerful data protection solutions.

P.O. Box 81226, Seattle, WA 98108-1226, United States

Amazon EC2: File and Disk Encryption and SafeNet Tokenization


SafeNet Tokenization protects sensitive data (primary account numbers, social security numbers, phone numbers, passwords, email addresses, etc.) stored on Amazon EC2 by replacing it with a unique token that is stored, processed or transmitted in place of the clear data. 

Using Format Preserving Tokenization (FPT), SafeNet Tokenization preserves the length and format of the sensitive data. SafeNet Tokenization is also flexible in its ability to support a variety of token formats, such as last four, first six, custom formats, and regular expression. The solution utilizes Web APIs for easy deployment, requires no changes to existing databases and applications, and is extremely scalable across multiple data centers in the distributed enterprise.

Deployed with SafeNet KeySecure hardware or virtual appliance for centralized key and policy management, SafeNet Tokenization provides a single, centralized interface for logging, auditing, and reporting access to protected data, keys, and tokens. 

Tokenization also features built-in, automated key rotation and data re-keying, a critical feature for compliance and data protection. Compliant with PCI Tokenization Guidelines and VISA Tokenization Best Practices, Tokenization is an ideal solution for organizations with high compliance costs as it significantly reduces regulatory scope, facilitates the annual audit process, and results in reduced total cost of ownership.
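To make the format-preserving behaviour described above concrete, here is an added example (not SafeNet or Thales code): a constructed in-memory vault that issues tokens keeping the length and per-position character class of the input, with the "last four" and "first six" formats as parameters. The names TokenVault and same_format are assumptions for this illustration, and the vault stands in for the KeySecure-backed service that would hold the clear values in a real deployment.

```python
import secrets
import string

class TokenVault:
    """Constructed in-memory stand-in for a tokenization vault (not SafeNet code).
    The clear value lives only here; applications store and process the token."""

    def __init__(self):
        self._token_to_clear = {}
        self._clear_to_token = {}   # keyed by (clear value, format) so joins stay consistent

    @staticmethod
    def _random_like(ch):
        # Replace a character with a random one of the same class; separators are kept.
        if ch.isdigit():
            return secrets.choice(string.digits)
        if ch.isalpha():
            return secrets.choice(string.ascii_uppercase if ch.isupper() else string.ascii_lowercase)
        return ch

    def tokenize(self, clear, keep_first=0, keep_last=0):
        """Return a format-preserving token; keep_first/keep_last give the
        'first six' / 'last four' style formats, 0/0 gives a fully random token."""
        key = (clear, keep_first, keep_last)
        if key in self._clear_to_token:
            return self._clear_to_token[key]
        if keep_first + keep_last >= len(clear):
            raise ValueError("nothing left to tokenize: the token would equal the clear value")
        head, body, tail = clear[:keep_first], clear[keep_first:len(clear) - keep_last], clear[len(clear) - keep_last:]
        if not any(c.isalnum() for c in body):
            raise ValueError("format has no randomizable characters")
        for _ in range(1000):   # retry on the (rare) collision with an existing token
            token = head + "".join(self._random_like(c) for c in body) + tail
            if token != clear and token not in self._token_to_clear:
                self._token_to_clear[token] = clear
                self._clear_to_token[key] = token
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenize(self, token):
        """Only the vault can map a token back; a system holding only tokens cannot."""
        return self._token_to_clear[token]

def same_format(a, b):
    """True when two strings have the same length and the same character class per position."""
    return len(a) == len(b) and all(
        (x.isdigit(), x.isalpha(), x.isupper()) == (y.isdigit(), y.isalpha(), y.isupper())
        for x, y in zip(a, b))
```

Because the token carries no information about the clear value beyond the positions the format deliberately keeps, systems that see only tokens fall outside the scope that applies to the clear data, which is the reduction in regulatory scope the passage refers to.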

Resources & Additional Information

Amazon EC2 and S3: Database and File Encryption and SafeNet ProtectDB


From credit card information, patient data, and social security numbers to customer email addresses—the most valuable information and assets of an enterprise reside in databases. When migrating that data to AWS EC2, SafeNet ProtectDB provides transparent column-level encryption of structured data residing in databases. 

The solution enables large amounts of sensitive data to be moved in and out of the data stores rapidly by efficiently encrypting and decrypting specific fields in databases that may contain millions of records. SafeNet ProtectDB is extremely scalable and works across multiple data centers in distributed enterprises.

Deployed in tandem with SafeNet KeySecure hardware or virtual appliance, ProtectDB offers centralized key and policy management to ensure encrypted data remains secure throughout its lifecycle. The solution provides a single interface for logging, auditing, and reporting access to protected data and encryption keys. 

SafeNet ProtectDB features built-in, automated key rotation and data re-keying, a critical feature for compliance and data protection. The highly scalable solution enables isolation of sensitive data in a shared infrastructure, separation of duties, and improved compliance with a variety of regulations, including, but not limited to, the Payment Card Industry Data Security Standard (PCI DSS) for credit card numbers.

Resources & Additional Information

Amazon S3: File Encryption with SafeNet ProtectFile

Granular file encryption for Amazon S3

SafeNet ProtectFile provides data security with automated file encryption of unstructured data contained in S3 servers. SafeNet ProtectFile deploys in tandem with SafeNet KeySecure, and encrypts flat files that contain sensitive data, such as text documents, spreadsheets, bitmap images, and vector drawings. 

Encryption keys and policies are managed on the SafeNet KeySecure appliance, improving security and reducing operational overhead. SafeNet ProtectFile enables data-centric security by rendering files containing sensitive data useless to attackers. 

As opposed to systems that secure a perimeter or device, SafeNet ProtectFile secures the data itself, ensuring that files are protected regardless of whether the file resides in S3 or on your desktop. For customers that need to demonstrate that they maintain control of their data even as it resides in the cloud, SafeNet ProtectFile is the perfect solution.

Resources & Additional Information

Amazon EC2 and S3: Key Management and SafeNet Virtual KeySecure


SafeNet Virtual KeySecure: Try it for 30 days for free in AWS Marketplace

SafeNet Virtual KeySecure for AWS Marketplace centralizes key management for SafeNet ProtectV-secured virtual instances, as well as other use cases, using a hardened virtual security appliance that runs in the AWS cloud. 

The combination of SafeNet Virtual KeySecure and SafeNet ProtectV enables organizations to unify encryption and control across virtualized and cloud infrastructure, increasing security and compliance for sensitive data residing in AWS EC2 instances. 

SafeNet Virtual KeySecure allows organizations to quickly deploy centralized key management in high-availability, clustered configurations. Additionally, SafeNet Virtual KeySecure ensures that organizations maintain ownership of their encryption keys at all times by hardening the appliance OS and enforcing encryption of the entire virtual appliance.

Resources & Additional Information

Amazon EC2: Virtual Disk Encryption and SafeNet ProtectV

Full disk encryption for EC2 instances

SafeNet ProtectV encrypts entire virtual machine instances and attached storage volumes while ensuring complete isolation of data and separation of duties. SafeNet ProtectV StartGuard pre-boot authentication ensures that no virtual machine instance can be launched without proper authorization. The copies and snapshots of virtual machine instances are tracked and are impossible to instantiate without authorized access.

SafeNet ProtectV, available on AWS Marketplace, enables organizations to unify encryption and control across virtualized and cloud environments, improving business agility and lowering costs by securely migrating even the most sensitive, highly regulated data to the cloud. 

Organizations choose between several levels of assurance and deployment modes for centralized key management and retain access to and control of encryption keys at all times. 

Resources & Additional Information

AWS CloudHSM: Cloud Services with SafeNet Network HSM


AWS CloudHSM uses SafeNet Network HSM to provide a “rentable” hardware security module (HSM) service that dedicates a single-tenant appliance located in the AWS cloud for a customer’s cryptographic storage needs. 

CloudHSM allows customers to generate, store and manage the keys to their encryption deployment using a FIPS 140-2 validated hardware security module located in the same data center as their data. 

With an HSM, only authorized users can access stored encryption keys, making it an essential tool for demonstrating data control to security auditors and regulators. Additionally, CloudHSM can be used as a root of trust for SafeNet Virtual KeySecure.

Resources & Additional Information

AWS WorkSpaces: Virtual Desktop Infrastructure and SafeNet Authentication Service


Amazon WorkSpaces is a managed desktop computing service in the cloud. It allows customers to access and easily provision cloud-based desktops with the device of their choice.

Building on Thales’s award-winning authentication service, SafeNet Trusted Access combines authentication and access management in a fully integrated cloud service. Our service lets you transform your business and operate securely in the cloud by preventing data breaches, simplifying access for users, and enabling compliance.

Our customers include over 25,000 organizations and 30 million users worldwide across all industries. Partnering with Thales for the long term, they trust our innovative access management and authentication services to help them securely adopt new ways of doing business on mobile, and in the cloud.

Resources & Additional Information

SafeNet Authentication Service (SAS) is now SafeNet Trusted Access (STA). For STA RADIUS integrations, please refer to the STA RADIUS Integration guides page on the Thales Customer Portal.

Amazon S3: Client-Side Object Encryption with SafeNet ProtectApp

Client-side object encryption for Amazon S3

SafeNet ProtectApp, when integrated with AWS SDKs, provides customer controlled client-side object encryption for storage in Amazon’s Simple Storage Service (S3). ProtectApp’s Java API and AWS SDK for Java interoperate to form an encryption client that provides keys as input to applications in order to encrypt an object before loading it to storage.

SafeNet KeySecure—either on-premises or as a hardened virtual appliance run in an AWS EC2 environment—works with the SafeNet/AWS encryption client to store the cryptographic keys and offload cryptographic functions, so that data is encrypted prior to archiving in S3 without impacting performance.

The SafeNet/AWS encryption client gives customers control of their data by encrypting it within the application before it is uploaded to S3. AWS customers can ensure their data will be unreadable by unauthorized users since encryption occurs in the customer’s control before AWS storage receives the data and the KeySecure appliance protects the corresponding encryption keys.

In this setup, AWS administrators can manage the storage environment but never have access to cleartext data, nor to the keys needed to render the data as cleartext.

Resources & Additional Information

NetApp Cloud ONTAP: Key Management and SafeNet Virtual KeySecure

SafeNet Virtual KeySecure for NetApp Cloud ONTAP is a hardened, 64-bit, virtual security appliance that provides centralized key management and data access policies for NetApp Cloud ONTAP. SafeNet key management simplifies the operational challenges of managing encryption keys, making sure keys are secure and information is always available to authorized users across your NetApp Cloud ONTAP environment. 

SafeNet Virtual KeySecure maintains data confidentiality on NetApp Cloud ONTAP through efficient centralized key management and by enforcing customized security policies surrounding data access. This combination of a modern storage infrastructure and SafeNet key management delivers the peace of mind that your data and its encryption keys are protected against unauthorized access, while simultaneously making the most efficient use of your storage investments. 

SafeNet Virtual KeySecure centralizes all key management activities, including key signing, role-based administration, quorum control, backup and distribution of encryption keys, and an optional hardware root of trust using SafeNet Hardware Security Modules or Amazon CloudHSM service. 

Meeting compliance mandates in the cloud is greatly simplified through verifiable and auditable enterprise key management: all keys, certificates, and passwords are securely managed; key ownership is clearly defined; and key lifecycle management is logged to provide a non-repudiable audit trail.