From 3fb1367c91a258455deb8679a0649453e6d08fda Mon Sep 17 00:00:00 2001 
From: rhall22
Date: Tue, 15 Aug 2023 22:04:32 +0000
Subject: [PATCH] deploy: 27fdfe01c7f5dc756b9b783e95e280f892c1d680
---
 ciphertrust/404.html | 4 ++--
 ciphertrust/assets/js/6dcd78e6.01c56380.js | 1 -
 ciphertrust/assets/js/6dcd78e6.d784f411.js | 1 +
 ...a1191cf.4d24dbd0.js => ca1191cf.3647c38f.js} | 2 +-
 ...e565dc4.28c6aa68.js => fe565dc4.89dd5bee.js} | 2 +-
 ...ain.80e90a6f.js => runtime~main.c5483866.js} | 2 +-
 .../CipherTrust and Active Directory/index.html | 4 ++--
 .../blog/Data-Security-in-DevOps/index.html | 4 ++--
 ciphertrust/blog/HYOK-in-Azure/index.html | 6 +++---
 .../index.html | 4 ++--
 ciphertrust/blog/archive/index.html | 4 ++--
 ciphertrust/blog/atom.xml | 2 +-
 .../blog/choosing-a-key-manager/index.html | 4 ++--
 ciphertrust/blog/index.html | 6 +++---
 ciphertrust/blog/rss.xml | 2 +-
 ciphertrust/blog/tags/azure/index.html | 6 +++---
 .../blog/tags/cloud-key-management/index.html | 6 +++---
 .../blog/tags/data-encryption/index.html | 4 ++--
 .../tags/data-protection-gateway/index.html | 4 ++--
 ciphertrust/blog/tags/data-security/index.html | 4 ++--
 ciphertrust/blog/tags/devops/index.html | 6 +++---
 ciphertrust/blog/tags/hyok/index.html | 6 +++---
 ciphertrust/blog/tags/index.html | 4 ++--
 ciphertrust/blog/tags/key-management/index.html | 4 ++--
 ciphertrust/docs/category/connectors/index.html | 4 ++--
 .../deploy-ciphertrust-platform/index.html | 4 ++--
 .../docs/category/key-manager/index.html | 4 ++--
 .../docs/connectors/cte-for-k8s/index.html | 4 ++--
 .../index.html | 4 ++--
 ciphertrust/docs/deploy/aws/index.html | 4 ++--
 ciphertrust/docs/deploy/azure/index.html | 4 ++--
 ciphertrust/docs/deploy/gcp/index.html | 4 ++--
 ciphertrust/docs/intro/index.html | 4 ++--
 ciphertrust/docs/key-manager/aws-kms/index.html | 4 ++--
 .../build-a-totp-tutorial/index.html | 4 ++--
 .../key-manager/cs-object-storage/index.html | 4 ++--
 ciphertrust/index.html | 4 ++--
 sitemap.xml.gz | Bin 231 -> 231 bytes
 38 files changed, 72 insertions(+), 72 deletions(-)
 delete mode 100644 ciphertrust/assets/js/6dcd78e6.01c56380.js
 create mode 100644 ciphertrust/assets/js/6dcd78e6.d784f411.js
 rename ciphertrust/assets/js/{ca1191cf.4d24dbd0.js => ca1191cf.3647c38f.js} (94%)
 rename ciphertrust/assets/js/{fe565dc4.28c6aa68.js => fe565dc4.89dd5bee.js} (94%)
 rename ciphertrust/assets/js/{runtime~main.80e90a6f.js => runtime~main.c5483866.js} (96%)
diff --git a/ciphertrust/404.html b/ciphertrust/404.html
index 123a65a..2777a88 100644
--- a/ciphertrust/404.html
+++ b/ciphertrust/404.html
@@ -5,13 +5,13 @@ Page Not Found | CipherTrust Learn - +
Skip to main content

Page Not Found

We could not find what you were looking for.

Please contact the owner of the site that linked you to the original URL and let them know their link is broken.

- + \ No newline at end of file diff --git a/ciphertrust/assets/js/6dcd78e6.01c56380.js b/ciphertrust/assets/js/6dcd78e6.01c56380.js deleted file mode 100644 index 847d9c6..0000000 --- a/ciphertrust/assets/js/6dcd78e6.01c56380.js +++ /dev/null 
@@ -1 +0,0 @@ -"use strict";(self.webpackChunkdocusaurus=self.webpackChunkdocusaurus||[]).push([[4162],{8835:e=>{e.exports=JSON.parse('{"blogPosts":[{"id":"HYOK-in-Azure","metadata":{"permalink":"/ciphertrust/blog/HYOK-in-Azure","editUrl":"https://github.com/thalesgroup/ThalesGroup.github.io/tree/main/ciphertrust/blog/2023-08-15-hold-your-own-keys-in-azue.md","source":"@site/blog/2023-08-15-hold-your-own-keys-in-azue.md","title":"HYOK Cloud Key Management Solution for Azure","description":"Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title \\"Cloud Key Management Solution for Azure, Azure Stack and M365.\\" The video was added for this post.","date":"2023-08-15T00:00:00.000Z","formattedDate":"August 15, 2023","tags":[{"label":"HYOK","permalink":"/ciphertrust/blog/tags/hyok"},{"label":"Cloud key Management","permalink":"/ciphertrust/blog/tags/cloud-key-management"},{"label":"devops","permalink":"/ciphertrust/blog/tags/devops"},{"label":"Azure","permalink":"/ciphertrust/blog/tags/azure"}],"readingTime":4.32,"hasTruncateMarker":false,"authors":[{"name":"Scotti Woolery-Price","title":"Partner Marketing Manager, Thales","imageURL":"https://cpl.thalesgroup.com/sites/default/files/content/author/field_image/2022-09/scotti-woolery-price.jpg","key":"scotti"}],"frontMatter":{"slug":"HYOK-in-Azure","title":"HYOK Cloud Key Management Solution for Azure","authors":"scotti","tags":["HYOK","Cloud key Management","devops","Azure"]},"nextItem":{"title":"CipherTrust and Active Directory","permalink":"/ciphertrust/blog/CipherTrust and Active Directory"}},"content":"Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title \\"Cloud Key Management Solution for Azure, Azure Stack and M365.\\" The video was added for this post.\\n\\n### Uncover Your Cybersecurity Blind Spots\\n\\nCybersecurity is a strategic risk that should be managed at the highest levels of an organization. 
In fact, the World Economic Forum\u2019s Global Risk Report 2023 again ranked wide-spread cybercrime as a top-ten critical global threat. Of all the potential global risks to economies and societies including natural disasters, geopolitical conflict, energy supply, global debt and rising inflation, widespread cybercrime ranks #8 on both short term and long-term outlooks.\\n\\nRanking in the top ten critical global threats is eye-opening! To help mitigate the risk and unshroud organizational blind spots, today\u2019s enterprises must look for leading-edge solutions that help with data governance and compliance. \\n\\n### Thales Solutions for Microsoft Azure, Azure Stack and M365\\n\\nYou can simplify the way your organization discovers, protects, and controls your sensitive data. With our platform, Thales has integrated the CipherTrust Cloud Key Management (CCKM) solution with Microsoft Azure, Azure Stack and Microsoft 365. \\n\\nCCKM reduces your operational burden and increases efficiency. CCKM manages and synchronizes native keys, even if you have already created thousands of native cloud keys at your cloud provider. 
CCKM can help customers demonstrate compliance with internal, industry and national regulatory requirements so that you have the confidence to unblock sensitive workloads that may be stuck on-premises and move them to Azure.\\n\\n#### CCKM Benefits:\\n*\\tSimplify compliance by taking control of your encryption keys and your data\\n*\\tAchieve cost savings using automated key lifecycle management\\n*\\tSingle pane of glass to help eliminate security holes introduced by human error -- set policies to be applied consistently wherever data is stored\\n*\\tSupport strategies for workload portability to increase operational resilience as part of a robust business continuity and disaster recovery plan\\n*\\tSupport all major public clouds\\n*\\tFlexible deployment options: on-premises, hybrid cloud, and as a Service\\n\\n\u201cThales is a global Microsoft partner focused on delivering solutions for Azure Cloud, Azure Stack and M365, on-premises storage systems, intelligent edge appliances, and cloud-based Microsoft Azure Services. They are working to help customers transform their businesses to drive digital transformation for people, organizations, and industries worldwide. CipherTrust Cloud Key Management has been verified against Microsoft key products, is available on the Azure Marketplace and is simple to adopt for Azure customers.\u201d \u2013 David Nunez Tejerina, Principal Product Manager, Microsoft\\n\\n### Bring Your Own Key\\nWith Thales\u2019 Bring Your Own Key (BYOK) functionality, customers can maintain control of sensitive data using external key management services ensuring full encryption capabilities, key lifecycle management, and centralized key management across clouds, regions, accounts, subscriptions, projects, applications, org ids and more. CCKM helps manage native Azure keys, Standard/Premium Key Vaults as well as Managed HSM pools, in addition to BYOK. 
CipherTrust Manager as well as Luna Network HSM can be used as a key source.\\n\\n\\nimport YoutubeEmbed from \'@site/src/components/YoutubeEmbed\';\\n\\n\\n\\n\\n### Single Pane of Glass, Single Vendor\\nAccording to the Thales 2023 Data Threat Report, 93% of organizations use four or more key management solutions (includes enterprise key manager vendors and cloud provider key managers). CCKM manages all of your encryption keys across clouds and services with a single pane of glass from a trusted vendor.\\n\\nCCKM integrated with Microsoft Azure, Azure Stack and Microsoft 365 increases efficiency by reducing the operational burden. Giving customers lifecycle control, centralized management within and among clouds, and unparalleled visibility of cloud encryption keys reduces key management complexity and operational costs. Thousands of keys and native key stores are difficult to manage manually, and organizations may be stretched to consistently apply key lifecycle management policies such as rotation, backup and role-based access management across their entire digital estate -- leading to security holes and failed audits. 99% of data breaches occur because of human error. You can shrink the threat surface introduced by human error when you use centralized automated key lifecycle management provided by CCKM.\\n\\n### Multi-Cloud Support\\nOrganizations with multi-cloud are struggling to protect their sensitive data, because while cloud delivers a multitude of benefits these can often be offset by a multitude of challenges. It can also be very time consuming to manage the different native stores and native key management tools across different clouds and on-premises since there is no industry standard. 
Based on customer testimonials, CCKM can provide a 30x savings in time and cost in managing thousands of native key stores across hybrid multi-cloud environments which can free up IT teams to focus on other urgent business priorities.\\nOperational Sovereignty\\n\\nCCKM helps organizations to control their digital sovereignty across major public and government clouds including Microsoft Azure, Azure Government, Amazon Web Services, Google Cloud, Oracle Cloud, Salesforce and SAP. The solution enables you to run in different environments to support a strong business continuity plan. CCKM can provide an organization with a holistic view of where all key workloads and sensitive data are located.\\n\\nFree Trial\\nTry [Data Protection On Demand - 30-Day Free Evaluation](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/marketplace)\\n\\nFor more information see the [Product Brief](https://cpl.thalesgroup.com/resources/encryption/microsoft-azure-advanced-data-protection-solution-brief) and [Solution Brief](https://cpl.thalesgroup.com/resources/encryption/cloud-key-management-ms-azure-solution-brief)"},{"id":"CipherTrust and Active Directory","metadata":{"permalink":"/ciphertrust/blog/CipherTrust and Active Directory","editUrl":"https://github.com/thalesgroup/ThalesGroup.github.io/tree/main/ciphertrust/blog/2023-06-30-ciphertrust-and-active-directory.md","source":"@site/blog/2023-06-30-ciphertrust-and-active-directory.md","title":"CipherTrust and Active Directory","description":"Note - this article was originally posted on Hal\'s blog on March 21, 2023 under the title \\"Thales CipherTrust & Active Directory.\\"","date":"2023-06-30T00:00:00.000Z","formattedDate":"June 30, 
2023","tags":[{"label":"data-encryption","permalink":"/ciphertrust/blog/tags/data-encryption"},{"label":"devops","permalink":"/ciphertrust/blog/tags/devops"},{"label":"data-security","permalink":"/ciphertrust/blog/tags/data-security"}],"readingTime":1.915,"hasTruncateMarker":false,"authors":[{"name":"Hal Yaman (B.Sc)","title":"Sales Engineering Manager @ Thales","imageURL":"https://i0.wp.com/cloudoasis.com.au/wp-content/uploads/2019/09/IMG_0054-30x40.jpg?resize=225%2C300&ssl=1","key":"hal"}],"frontMatter":{"slug":"CipherTrust and Active Directory","title":"CipherTrust and Active Directory","authors":"hal","tags":["data-encryption","devops","data-security"]},"prevItem":{"title":"HYOK Cloud Key Management Solution for Azure","permalink":"/ciphertrust/blog/HYOK-in-Azure"},"nextItem":{"title":"Data Security without DevOps Disruption","permalink":"/ciphertrust/blog/Data-Security-in-DevOps"}},"content":"Note - this article was originally posted on Hal\'s blog on March 21, 2023 under the title \\"Thales CipherTrust & Active Directory.\\"\\n\\n![Into Image](./img/Multi-cloud-key-management-onboarding.png) Why should you integrate Thales CipherTrust with your Microsoft Active Directory? What are the benefits of integration, and how is it done? Does Thales CipherTrust Manager (CTM) replace your Active Directory Group policy?\\n\\nIn the previous blog post, we went through the deployment of the CipherTrust Manager in our VMware environment. In today\u2019s post, we will focus our discussion on how to integrate the newly provisioned OVA with the company Active Directory, a necessary step for activities we will discuss in our future posts.\\n\\n## The Why\\n\\nTo streamline the management of your company\u2019s security requirements, and to easily manage your access and control of the company files and directories, it is a good idea to integrate CTM with Active Directory as a source of user management. 
By doing this, you can assign your policies more easily by basing them on the company AD Users and Groups.\\n\\n## The How\\n\\nNow let\u2019s focus on the fun technical part, the integration. The first step before we start the configuration is to get some information from AD; so, let\u2019s run the following PowerShell command to retrieve the necessary information for our configuration: ![Get ADuser](./img/get_aduser.png)\\n\\nThe output will be as shown below:\\n\\n![AD Info](./img/AD_Info.webp)\\n\\nAfter you have retrieved the above information, we are ready to head back to our CTM and browse to: Access Management -> LDAP. From the top right corner, select \u201c+ Add LDAP\u201c:\\n\\n![CTM_LDAP](./img/CTM_LDAP.webp)\\n\\nOn the pop-up config windows, provide the following information:\\n* Connection Name: any\\n* Server URL: your AD IP/DNS name\\n* Bind DN: CN=Administrator,CN=Users,DC=oasis,DC=org\\n* Server Bind Password: account password\\n* Rood DN: DC=oasis,DC=org\\n* User login name attribute: sAMAccountName\\n![AD_Bind-1](./img/AD_Bind-1.webp)\\n\\nAfter you have tested the configurations to be correct and are ready to accept it, click on the \u201cAdd LDAP\u201d button at the bottom right corner.\\n\\n## Conclusion\\n\\nToday\u2019s blog is very important; this post is setting the foundation for our next exciting topic, Thales Transparent Encryption feature. As you may have noticed, to integrate the CTM with AD is a very simple, but important operation. 
Next week, we going to use the configuration setup today to access and encrypt the company\u2019s critical data."},{"id":"Data-Security-in-DevOps","metadata":{"permalink":"/ciphertrust/blog/Data-Security-in-DevOps","editUrl":"https://github.com/thalesgroup/ThalesGroup.github.io/tree/main/ciphertrust/blog/2023-04-18-data-security-without-DevOps-disruption.md","source":"@site/blog/2023-04-18-data-security-without-DevOps-disruption.md","title":"Data Security without DevOps Disruption","description":"Note - this article was originally posted on Hal\'s blog on March 24, 2023 under the title \\"CipherTrust Transparent Encryption.\\"","date":"2023-04-18T00:00:00.000Z","formattedDate":"April 18, 2023","tags":[{"label":"data-encryption","permalink":"/ciphertrust/blog/tags/data-encryption"},{"label":"devops","permalink":"/ciphertrust/blog/tags/devops"},{"label":"data-security","permalink":"/ciphertrust/blog/tags/data-security"}],"readingTime":7.465,"hasTruncateMarker":false,"authors":[{"name":"Hal Yaman (B.Sc)","title":"Sales Engineering Manager @ Thales","imageURL":"https://i0.wp.com/cloudoasis.com.au/wp-content/uploads/2019/09/IMG_0054-30x40.jpg?resize=225%2C300&ssl=1","key":"hal"}],"frontMatter":{"slug":"Data-Security-in-DevOps","title":"Data Security without DevOps Disruption","authors":"hal","tags":["data-encryption","devops","data-security"]},"prevItem":{"title":"CipherTrust and Active Directory","permalink":"/ciphertrust/blog/CipherTrust and Active Directory"},"nextItem":{"title":"A Guide to Picking the Right Key Manager for Your Org","permalink":"/ciphertrust/blog/choosing-a-key-manager"}},"content":"Note - this article was originally posted on Hal\'s blog on March 24, 2023 under the title \\"CipherTrust Transparent Encryption.\\"\\n\\nIn many organisations, IT departments are sometimes required to delegate some of their responsibilities to other teams, but at the same time, also required to keep control of the company security. Wait! 
In the world of security, can data security become a delegated responsibility? If that is a yes, then how?\\n\\nFive years ago, I was pulled into the DevOps team culture and mindset. Since then, I have been lucky enough to manage the building of several DevOps teams. One of the many attributes of the DevOps culture is their autonomy. DevOps teams build in a way that can execute a task from end to end. The teams build up while working through the requirements and functions of the project or product, and with this knowledge, go on to find the most effective way of breaking the silos encountered by traditional teams.\\n\\n### Introduction\\n\\nThe previous paragraph described DevOps as being about speed of delivery and autonomy, which also requires the team to access resources that are not always managed within the team; Active Directory, file shares, and so on are examples of these resources. So, how can you keep your DevOps team focused, but not affect the company processes?\\n\\n### Scenario\\n\\nLet\u2019s put the DevOps information above into context using a real scenario I came across last week with one of the teams I help to build two years ago.\\n\\nCompany A was working on a confidential application for a client; the client was concerned that a breach of their code data would expose their intellectual property to competitors, or would become general knowledge.\\n\\nThe client asked that the following hierarchy be implemented to help mitigate their risk:\\n\\n* Each Team has it own encrypted directory\\n* Only the specific team can access and read the code\\n* Admin can manage the files within all the directories, but cannot read the code\\n\\n### The Challenge\\n\\nFrom those requirements, Company A faces the following challenges:\\n\\n* How to implement access management and encryption at the same time\\n* How to avoid disruption of the DevOps team concept\\n* Delegate security manageability to the DevOps team without affecting the wider company 
policy\\n\\n### Solution\\n\\nAccess management can be controlled using the company Active Directory; but doing so will complicate the workflow of the DevOps team and will slow the delivery. At the same time, Active Directory and Group Policies do not offer encryption, so the IT department turned to Thales CipherTrust Manager to solve this challenge.\\n\\n### Implementation\\n\\nTo achieve all the security requirements, Company A decided to use CipherTrust Manager with the Transparent Encryption feature. Using Transparent Encryption Live Data Transformation (LDT), Company A can delegate the code data management to the DevOps team, but at the same time, encrypt the data and also keep Admin in control of managing and backing up the code files without compromising security.\\n\\nSo let\u2019s learn how company A uses CipherTrust Manager to keep each team in control.\\n\\n### CipherTrust User and Domain\\n\\nTo delegate responsibilities, the Company A IT team was looking for a multi-tenanted system that can help the department to easily create and assign multiple teams to manage their own security requirements, while remaining isolated from each other. This requirement can be met with Thales CTM by creating a Domain to allow the DevOps team to manage their access control and security needs.\\n\\nTo create a Domain, you first create a user by browsing to **\u201cAccess Management -> Users -> Add User\u201c:**\\n![Add_User](img/adduser.webp)\\n\\nAfter you have added the user, apply the user to **CTE Admins and Clients** by going to **Edit/view** the user. 
Under **Groups**, Search **CTE** and add to **Admin/Client**:\\n![CTE_Groups](img/CTE_Groups.webp)\\n\\nThe next step is to browse to \u201c**Admin Settings -> Domains**\u201d and click \u201c**Add Domain**\u201c:\\n\\n* Name: DevOps\\n* Admins: devops (the user you just created)\\n* Choose the default CA\\n* Save\\n![Add_Domain](img/Add_Domain.webp)\\n\\nNow you are ready to logout and then login with the user you just created. After logging in again, change the domain to the new domain at the top right corner \u2013 **Switch Domains**:\\n![Switch_Domains](img/switchdomains.webp)\\n\\n### Create a Key\\n\\nTo be able to encrypt the data, we must create a key. Creating a key is very simple with CipherTrust Manager, all you need is to browse to the keys at the left menu and press the \u201c**Add key**\u201c. The next step is to provide a Key name: for example we will create a key name: **LDT_Key** and then press\u201d**Add Key**\u201d to save it.\\n\\nAt the next window, expand the \u201c**Key Access**\u201d option. On the search bar, type \u201c**CTE**\u201d with show all groups, then tick the check boxes for all the Admins and Clients permissions. Press **Update**:\\n![Key_Access](img/keyaccess.webp)\\n\\nNext, browse to \u201c**Key Labels -> CTE**\u201c. Choose **CBC** from the drop down menu\u201d. Press **Update**:\\n![Key_Label](img/Keylable.webp)\\n\\n### Install the Transparent Encryption Agent\\n\\nTo be able to install and use the Transparent Encryption feature, you must install an agent. The first step is to create a \u201c**Registration Token**\u201c; this will be used during the agent installation to add the agent to the CipherTrust Manager. 
To create the Token, browse to \u201c**Access Management -> Registration Tokens**\u201d and click on \u201c**Add Registration Token**\u201d and complete the following entries:\\n\\n* Provide a Name Prefix: on my case DevOps_token\\n* Local CA: choose the default\\n* Create a token: Base64\\n![Create_Token](img/createToken.webp)\\n\\nCopy the token; then go to your Windows or Linux machine to run the agent installation. During the installation, you will be asked to provide:\\n\\n* Componant to register: File System\\n* CipherTrust Manager IP/Hostname\\n* Enable LDT Feature (FS agent only)\\n* Token\\n\\nAfter the installation is completed and you have successfully rebooted, you will be able to see the registered client on your CipherTrust Manager under: **Transparent Encryption -> Clients**:\\n![CTE_Client](img/CTE_Client.webp)\\n\\nCreating Policies:\\n\\nAfter deploying the agent and connecting it to the CTM, we can focus on creating our polices. As we have four different teams in our example, lets create four policies as shown below:\\n\\n* DevOps_Admin_Team: Access and manage files and directories but can read files content\\n* DevOps_Dev_Team: access only Development directory\\n* DevOps_Ops_Policy: access only operation directory\\n* DevOps_QA_Team: access only QA diretory\\n\\nLet\u2019s create first policy, the **DevOps_Admin_Team** policy by browsing to \u201c**Transparent Encryption -> Policies -> Create policy**\u201c:\\n\\n* Name: DevOps_Admin_Team\\n* Policy Type: Live Data Transformation\\n* Security Rules: + Create Security Rule\\n * User Set \u2013 Select \u2013 Create User Set:\\n * Name: Admin_Team\\n * Create User\\n * Agent \u2013 select Agent\\n * User Type: LDAP\\n * Member Choice: User or Group (on my case I choose group)\\n * gname: group name\\n * Note: repeat the above steps to create all the users for each group (i.e: Admin, Dev, Ops and QA team. 
on each time you need to create a policy you can easily choose the appropriate group or user)\\n * Action \u2013 Select\\n * All_Ops\\n * Effect \u2013 Select\\n * select permit\\n * ApplyKey only of other group but not Admin group as the admin will not be able to unencrypt the data so a key not required\\n* Key Rules: Create key Rule\\n * Current Key Name: Select \u2013 \u201cclear_key\u201d\\n * Tranformation Key Name: Select \u2013 LTD_Key\\n * Add\\n* Next \u2013 Confirmation \u2013 Save\\n\\nNote: repeat the above steps for all the groups\\n\\n### Create GuardPoint\\n\\nOur last step is to apply these policies to our folders or client. In this example, I will be using a Windows client. So let\u2019s get started:\\n\\nAs we have different teams and policies, each with different access, we must create a different client **GuardPoint**. Browse to **Transparent Encryption -> Clients**. Choose the client \u2013 \u201c**Create GuardPoint**\u201c:\\n\\n* Select Policy: choose DevOps_QA_Team\\n* Path: browse to the QA directory and select \u201cselect Path\u201d\\n* Create\\n\\nNote: repeat for each team and select the appropriate directory\\n![Create_GuardPoint](img/createguardpoint.webp)\\n\\nAfter all the directories are assigned to a group \u2013 on each GuardPoint \u2013 press the policy name and add the right action for each team as shown below; for example:\\n\\n* Development_Team can access, and apply key\\n* Operation_Team no access\\n* Admin_Team access but no key\\n![DevOps_Permission_Group](img/devops_permission_group.webp)\\n\\nNote: repeat for all other GuardPoints\\n\\n### Summary\\n\\nAfter Following the steps described above, you can check that your new configuration works by accessing your Windows machine with a different user; for example, QA, dev, ops or admin, then check to see if you can access or read the files. 
The above steps are a little involved, more than Active Directory Group Policies; but with CipherTrust you also get the encryption aspect with a full and controlled separation of responsibilities.\\n\\nCompany A was able to achieve their client\u2019s security request; but at the same time, did not affect the team processes, autonomy, and control. At both levels, Company A IT and DevOps, it was a win \u2013 win situation."},{"id":"choosing-a-key-manager","metadata":{"permalink":"/ciphertrust/blog/choosing-a-key-manager","editUrl":"https://github.com/thalesgroup/ThalesGroup.github.io/tree/main/ciphertrust/blog/2022-11-17-how-to-choose-a-key-manager-for-orgs.md","source":"@site/blog/2022-11-17-how-to-choose-a-key-manager-for-orgs.md","title":"A Guide to Picking the Right Key Manager for Your Org","description":"Your company has a ton of daily active users and you have this amazingly efficient architecture to process requests at scale, but your InfoSec team asks you to use a key manager \u2014 there are so many out there, which one do you choose?","date":"2022-11-17T00:00:00.000Z","formattedDate":"November 17, 2022","tags":[{"label":"data-encryption","permalink":"/ciphertrust/blog/tags/data-encryption"},{"label":"key-management","permalink":"/ciphertrust/blog/tags/key-management"}],"readingTime":3.655,"hasTruncateMarker":false,"authors":[{"name":"Pranav Shikarpur","title":"Developer Advocate @ Thales","url":"https://twitter.com/snpranav","imageURL":"https://pbs.twimg.com/profile_images/1615654854642503680/AZA332Xo_400x400.jpg","key":"pranav"}],"frontMatter":{"slug":"choosing-a-key-manager","title":"A Guide to Picking the Right Key Manager for Your Org","authors":"pranav","tags":["data-encryption","key-management"]},"prevItem":{"title":"Data Security without DevOps Disruption","permalink":"/ciphertrust/blog/Data-Security-in-DevOps"},"nextItem":{"title":"A Guide to Data Security 
Architectures","permalink":"/ciphertrust/blog/a-guide-to-encryption-architectures"}},"content":"Your company has a ton of daily active users and you have this amazingly efficient architecture to process requests at scale, but your InfoSec team asks you to use a key manager \u2014 there are so many out there, which one do you choose?\\n\\nThere are various different types of key managers, but in this post, we\u2019ll cover the three most common key managers:\\n\\n* Native Cloud Key Managers (Ex \u2014 AWS KMS, GCP KMS, Azure Key Vault, etc.)\\n\\n* External Key Managers (Ex \u2014 Thales CipherTrust Manager, etc.)\\n\\n* Hybrid Key Managers (Use the best of both worlds \u2014 Cloud managed services and external key managers)\\n\\n## First, the literal key to security \u2014 HSMs\\n\\nHSM stands for \u201c[Hardware Security Module](https://en.wikipedia.org/wiki/Hardware_security_module)\u201d. These are physical devices that are usually tamper resistant which store keys and perform encrypt, decrypt and other cryptographic operations.\\n\\nHSMs are needed in secure environments such as healthcare or financial institutions where you need to pass compliances such as PCI DSS.\\n\\n## Now Let\u2019s Compare\\n\\nLet\u2019s look at the pros and cons of each to help you decide what would work best for your organization.\\n\\n### Cloud Key Managers\\n\\n\u2705 **Easy Integration with Cloud Managed Services**\\n\\nWhen using cloud key managers like [AWS KMS (Key Management Service)](https://aws.amazon.com/kms/) it can be advantageous as you get the flexibility of AWS managing your keys as well as direct integration into your existing AWS managed services such as [AWS S3](https://aws.amazon.com/s3/), or [AWS RDS (Relational Database Service)](https://aws.amazon.com/rods/), etc.\\n\\n\u2705 **HSMs provisioned and managed by a cloud provider (most of the time \ud83e\udd1e)**\\n\\nMost famous cloud providers have HSMs that they use in their data centers which store your keys, so 
you don\u2019t have to worry about renting an HSM.\\n\\n**\u274c No Separation of Trust \ud83d\udd75\ufe0f\u200d\u2640\ufe0f**\\n\\nSince your cloud provider now hosts and controls your data and encryption keys. Your user data might not be as safe anymore as the cloud provider with malicious intent could easily decrypt your user data. This does not help in creating a **zero-trust architecture**. While it\u2019s true that your cloud provider has your best interest; there are always hackers lurking around the internet trying to get malicious access to your data, so it\u2019s best to store data in an isolated environment.\\n\\n### External Key Managers\\n\\n**\u2705 Complete Separation of Trust**\\n\\nWhen running a product such as CipherTrust Manager, your architectures are zero-trust by default as 2 different entities have access to either your data or your keys and **NOT both**.\\n\\n**\u274c Build your own custom integrations**\\n\\nUnless the key manager service has connectors, many-a-times, you would need to build your own connectors which could put a lot of engineering debt on your teams.\\n\\n\u26a0\ufe0f** Need to rent out your own HSM**\\n\\nYou\u2019d need to manage your own HSM, but fortunately, there are service providers that will rent out and manage the HSMs (just like a cloud provider) \u2014 so this is neither a pro nor a con. A great example of a hosted HSM is the [Luna HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm).\\n\\n## **Best of Both Worlds \ud83e\udd14**\\n\\nYes, it\u2019s possible! To implement the best data security practices, you would want the ease of integration with cloud-managed services as well as complete separation of trust to isolate encryption keys from data. This method is also called **BYOK **(bring your own key).\\n\\nYou can do this with products such as CipherTrust Manager [Cloud Key Manager](https://cpl.thalesgroup.com/encryption/key-management/ciphertrust-cloud-key-manager). 
This offers:\\n\\n**\u2705 Direct connection with cloud-managed KMS account**\\n\\nOnce you connect your AWS or GCP or Azure account to CipherTrust Manager as shown in the tutorial linked below, you will be able to manage keys directly from CipherTrust Manager and encrypt data on cloud-managed services.\\n\\n**\u2705 Key Lifecycle Management in a few clicks**\\n\\nIn just a few clicks you can setup key rotation which will rotate your keys every few months and provide the best data security standards for your organization.\\n\\n### How do I implement this?\\n\\nLuckily, it\u2019s easy to implement in 3 simple steps. Here\u2019s a tutorial I made that demos connecting CipherTrust Manager to my AWS KMS (Key Management Service) account and encrypt my AWS managed services such as S3 and RDS.\\n\\nimport YoutubeEmbed from \'@site/src/components/YoutubeEmbed\';\\n\\n\\n\\nNow go ahead and encrypt all your cloud-managed services using this hybrid BYOK approach!\\n\\nIf you have any issues with implementation or questions about data encryption, go to the CipherTrust community and post [a quesiton](https://supportportal.thalesgroup.com/community)."},{"id":"a-guide-to-encryption-architectures","metadata":{"permalink":"/ciphertrust/blog/a-guide-to-encryption-architectures","editUrl":"https://github.com/thalesgroup/ThalesGroup.github.io/tree/main/ciphertrust/blog/2022-10-08-encryption-architectures.md","source":"@site/blog/2022-10-08-encryption-architectures.md","title":"A Guide to Data Security Architectures","description":"Building and deploying applications and services is super exciting. 
Still, when your security team prevents your application from going into production due to a lack of data encryption \u2014 this can be very annoying.","date":"2022-10-08T00:00:00.000Z","formattedDate":"October 8, 2022","tags":[{"label":"data-encryption","permalink":"/ciphertrust/blog/tags/data-encryption"},{"label":"data-protection-gateway","permalink":"/ciphertrust/blog/tags/data-protection-gateway"}],"readingTime":2.885,"hasTruncateMarker":false,"authors":[{"name":"Pranav Shikarpur","title":"Developer Advocate @ Thales","url":"https://twitter.com/snpranav","imageURL":"https://pbs.twimg.com/profile_images/1615654854642503680/AZA332Xo_400x400.jpg","key":"pranav"}],"frontMatter":{"slug":"a-guide-to-encryption-architectures","title":"A Guide to Data Security Architectures","authors":"pranav","tags":["data-encryption","data-protection-gateway"]},"prevItem":{"title":"A Guide to Picking the Right Key Manager for Your Org","permalink":"/ciphertrust/blog/choosing-a-key-manager"}},"content":"Building and deploying applications and services is super exciting. Still, when your security team prevents your application from going into production due to a lack of data encryption \u2014 this can be very annoying.\\n\\nLet\u2019s take a look at the different data encryption methods that are most commonly used and how we can implement some of them.\\n\\nData encrypted at-rest vs in-transit?\\n=====================================\\n\\nWell, it\u2019s often hard to choose between encrypting a complete Postgres database or encrypting only specific fields of data in the database right before it gets written to a table.\\n\\nThe key difference between the two is that encrypting a database **after** data is written to it is called **data encryption at rest** and encrypting data **before** data is written to a database is called data encryption **in-transit**.\\n\\nThe illustration below should give you a good high-level understanding of the difference. 
Although data encryption at-rest was a standard encryption practice followed for many years, it involves developers writing and maintaining various different scripts or applications to ensure that the encryption is up to company standards. It is still useful while encrypting file systems and storage. On the other hand, data encryption in-transit is a lot more beneficial at times when you want to make your infrastructure database agnostic and provide high-security standards with significantly low developer effort.\\n\\n![Data Encryption at REST Architecture](https://miro.medium.com/max/720/1*7sOyc7n62Mxsq0cfKsLL0Q.png)\\n\\nNote that from the above diagram we can see that the method of encrypting data in-transit uses a **side-car container** which is a proxy used to intercept every request with sensitive fields or encrypted data and encrypt or decrypt the same respectively.\\n\\n![Data Encryption in-transit Architecture](https://miro.medium.com/max/720/1*9PC9Nv4j_L2LIoWsR4ZIeg.png)\\n\\nAdvantages of Data Encryption in-Transit\\n----------------------------------------\\n\\n**\u2705 No change to applications**\\n\\nThe beauty of doing data-encryption in transit is that you don\u2019t need to worry about changing any of your frontend apps, APIs, or databases. Since the side-car container does field-level encryption, you can granularly control all the data that needs to be encrypted and decrypted by remotely setting access policies from your key manager.\\n\\n**\u2705 Easy to deploy**\\n\\nDeploying a [Data Protection Gateway](https://cpl.thalesgroup.com/encryption/ciphertrust-data-protection-gateway) side-car container is as easy to deploy as logging agents such as DataDog or Prometheus. 
You can just update your docker-compose, Kubernetes config files or just use Helm to install it.\\n\\n**\u2705 Developers can stop implementing data security policies**\\n\\nNow you can shift the responsibility of setting and implementing data security policies from developers over to InfoSec teams. This significantly helps prevent data breaches or unauthorized data access.\\n\\nDisadvantages of Data Encryption in-Transit\\n-------------------------------------------\\n\\n\u274c **Data encryption is only as strong as policies set**\\n\\nThis applies to any method of data encryption. However, when we perform field-level encryption and decryption, InfoSec teams need to be aware of all data flowing through various API routes to prevent data breaches and unauthorized access to unencrypted data.\\n\\n---\\n\\nHow Do I Implement Data Encryption in-Transit?\\n----------------------------------------------\\n\\nYou\u2019re in luck \ud83d\ude4c because I have a tutorial showing you how to easily implement data encryption in-transit with any of your containerized applications.\\n\\nIn this tutorial, I have used [CipherTrust Manager](https://ciphertrust.io/)\u2019s Data Protection Gateway product which is extremely easy to set up and free to start using\ud83d\udc47\\n\\nimport YoutubeEmbed from \'@site/src/components/YoutubeEmbed\';\\n\\n\\n\\n---\\n\\nNow go ahead and encrypt data in-transit from all your applications using side-car containers.\\n\\nIf you have any issues with implementation or questions about data encryption in-transit, feel free to leave a comment, tweet [@snpranav](https://twitter.com/snpranav), or raise a [GitHub issue](https://github.com/ThalesGroup/learn-ciphertrust/issues/new) :)"}]}')}}]); \ No newline at end of file diff --git a/ciphertrust/assets/js/6dcd78e6.d784f411.js b/ciphertrust/assets/js/6dcd78e6.d784f411.js new file mode 100644 index 0000000..fa908c9 --- /dev/null +++ b/ciphertrust/assets/js/6dcd78e6.d784f411.js 
@@ -0,0 +1 @@ +"use strict";(self.webpackChunkdocusaurus=self.webpackChunkdocusaurus||[]).push([[4162],{8835:e=>{e.exports=JSON.parse('{"blogPosts":[{"id":"HYOK-in-Azure","metadata":{"permalink":"/ciphertrust/blog/HYOK-in-Azure","editUrl":"https://github.com/thalesgroup/ThalesGroup.github.io/tree/main/ciphertrust/blog/2023-08-15-hold-your-own-keys-in-azue.md","source":"@site/blog/2023-08-15-hold-your-own-keys-in-azue.md","title":"HYOK Cloud Key Management Solution for Azure","description":"Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title \\"Cloud Key Management Solution for Azure, Azure Stack and M365.\\" The video was added for this post.","date":"2023-08-15T00:00:00.000Z","formattedDate":"August 15, 2023","tags":[{"label":"HYOK","permalink":"/ciphertrust/blog/tags/hyok"},{"label":"Cloud key Management","permalink":"/ciphertrust/blog/tags/cloud-key-management"},{"label":"devops","permalink":"/ciphertrust/blog/tags/devops"},{"label":"Azure","permalink":"/ciphertrust/blog/tags/azure"}],"readingTime":4.32,"hasTruncateMarker":false,"authors":[{"name":"Scotti Woolery-Price","title":"Partner Marketing Manager, Thales","imageURL":"https://cpl.thalesgroup.com/sites/default/files/content/author/field_image/2022-09/scotti-woolery-price.jpg","key":"scotti"}],"frontMatter":{"slug":"HYOK-in-Azure","title":"HYOK Cloud Key Management Solution for Azure","authors":"scotti","tags":["HYOK","Cloud key Management","devops","Azure"]},"nextItem":{"title":"CipherTrust and Active Directory","permalink":"/ciphertrust/blog/CipherTrust and Active Directory"}},"content":"Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title \\"Cloud Key Management Solution for Azure, Azure Stack and M365.\\" The video was added for this post.\\n\\n### Uncover Your Cybersecurity Blind Spots\\n\\nCybersecurity is a strategic risk that should be managed at the highest levels of an organization. 
In fact, the World Economic Forum\u2019s Global Risk Report 2023 again ranked wide-spread cybercrime as a top-ten critical global threat. Of all the potential global risks to economies and societies including natural disasters, geopolitical conflict, energy supply, global debt and rising inflation, widespread cybercrime ranks #8 on both short term and long-term outlooks.\\n\\nRanking in the top ten critical global threats is eye-opening! To help mitigate the risk and unshroud organizational blind spots, today\u2019s enterprises must look for leading-edge solutions that help with data governance and compliance. \\n\\n### Thales Solutions for Microsoft Azure, Azure Stack and M365\\n\\nYou can simplify the way your organization discovers, protects, and controls your sensitive data. With our platform, Thales has integrated the CipherTrust Cloud Key Management (CCKM) solution with Microsoft Azure, Azure Stack and Microsoft 365. \\n\\nCCKM reduces your operational burden and increases efficiency. CCKM manages and synchronizes native keys, even if you have already created thousands of native cloud keys at your cloud provider. 
CCKM can help customers demonstrate compliance with internal, industry and national regulatory requirements so that you have the confidence to unblock sensitive workloads that may be stuck on-premises and move them to Azure.\\n\\n#### CCKM Benefits:\\n*\\tSimplify compliance by taking control of your encryption keys and your data\\n*\\tAchieve cost savings using automated key lifecycle management\\n*\\tSingle pane of glass to help eliminate security holes introduced by human error -- set policies to be applied consistently wherever data is stored\\n*\\tSupport strategies for workload portability to increase operational resilience as part of a robust business continuity and disaster recovery plan\\n*\\tSupport all major public clouds\\n*\\tFlexible deployment options: on-premises, hybrid cloud, and as a Service\\n\\n\u201cThales is a global Microsoft partner focused on delivering solutions for Azure Cloud, Azure Stack and M365, on-premises storage systems, intelligent edge appliances, and cloud-based Microsoft Azure Services. They are working to help customers transform their businesses to drive digital transformation for people, organizations, and industries worldwide. CipherTrust Cloud Key Management has been verified against Microsoft key products, is available on the Azure Marketplace and is simple to adopt for Azure customers.\u201d \u2013 David Nunez Tejerina, Principal Product Manager, Microsoft\\n\\n### Bring Your Own Key\\nWith Thales\u2019 Bring Your Own Key (BYOK) functionality, customers can maintain control of sensitive data using external key management services ensuring full encryption capabilities, key lifecycle management, and centralized key management across clouds, regions, accounts, subscriptions, projects, applications, org ids and more. CCKM helps manage native Azure keys, Standard/Premium Key Vaults as well as Managed HSM pools, in addition to BYOK. 
CipherTrust Manager as well as Luna Network HSM can be used as a key source.\\n\\n\\nimport YoutubeEmbed from \'@site/src/components/YoutubeEmbed\';\\n\\n\\n\\n\\n### Single Pane of Glass, Single Vendor\\nAccording to the Thales 2023 Data Threat Report, 93% of organizations use four or more key management solutions (includes enterprise key manager vendors and cloud provider key managers). CCKM manages all of your encryption keys across clouds and services with a single pane of glass from a trusted vendor.\\n\\nCCKM integrated with Microsoft Azure, Azure Stack and Microsoft 365 increases efficiency by reducing the operational burden. Giving customers lifecycle control, centralized management within and among clouds, and unparalleled visibility of cloud encryption keys reduces key management complexity and operational costs. Thousands of keys and native key stores are difficult to manage manually, and organizations may be stretched to consistently apply key lifecycle management policies such as rotation, backup and role-based access management across their entire digital estate -- leading to security holes and failed audits. 99% of data breaches occur because of human error. You can shrink the threat surface introduced by human error when you use centralized automated key lifecycle management provided by CCKM.\\n\\n### Multi-Cloud Support\\nOrganizations with multi-cloud are struggling to protect their sensitive data, because while cloud delivers a multitude of benefits these can often be offset by a multitude of challenges. It can also be very time consuming to manage the different native stores and native key management tools across different clouds and on-premises since there is no industry standard. 
Based on customer testimonials, CCKM can provide a 30x savings in time and cost in managing thousands of native key stores across hybrid multi-cloud environments which can free up IT teams to focus on other urgent business priorities.\\nOperational Sovereignty\\n\\nCCKM helps organizations to control their digital sovereignty across major public and government clouds including Microsoft Azure, Azure Government, Amazon Web Services, Google Cloud, Oracle Cloud, Salesforce and SAP. The solution enables you to run in different environments to support a strong business continuity plan. CCKM can provide an organization with a holistic view of where all key workloads and sensitive data are located.\\n\\nFree Trial\\nTry [**Data Protection On Demand - 30-Day Free Evaluation!**](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/marketplace)\\n\\nFor more information see the [**Product Brief**](https://cpl.thalesgroup.com/resources/encryption/microsoft-azure-advanced-data-protection-solution-brief) and [**Solution Brief**](https://cpl.thalesgroup.com/resources/encryption/cloud-key-management-ms-azure-solution-brief)."},{"id":"CipherTrust and Active Directory","metadata":{"permalink":"/ciphertrust/blog/CipherTrust and Active Directory","editUrl":"https://github.com/thalesgroup/ThalesGroup.github.io/tree/main/ciphertrust/blog/2023-06-30-ciphertrust-and-active-directory.md","source":"@site/blog/2023-06-30-ciphertrust-and-active-directory.md","title":"CipherTrust and Active Directory","description":"Note - this article was originally posted on Hal\'s blog on March 21, 2023 under the title \\"Thales CipherTrust & Active Directory.\\"","date":"2023-06-30T00:00:00.000Z","formattedDate":"June 30, 
2023","tags":[{"label":"data-encryption","permalink":"/ciphertrust/blog/tags/data-encryption"},{"label":"devops","permalink":"/ciphertrust/blog/tags/devops"},{"label":"data-security","permalink":"/ciphertrust/blog/tags/data-security"}],"readingTime":1.915,"hasTruncateMarker":false,"authors":[{"name":"Hal Yaman (B.Sc)","title":"Sales Engineering Manager @ Thales","imageURL":"https://i0.wp.com/cloudoasis.com.au/wp-content/uploads/2019/09/IMG_0054-30x40.jpg?resize=225%2C300&ssl=1","key":"hal"}],"frontMatter":{"slug":"CipherTrust and Active Directory","title":"CipherTrust and Active Directory","authors":"hal","tags":["data-encryption","devops","data-security"]},"prevItem":{"title":"HYOK Cloud Key Management Solution for Azure","permalink":"/ciphertrust/blog/HYOK-in-Azure"},"nextItem":{"title":"Data Security without DevOps Disruption","permalink":"/ciphertrust/blog/Data-Security-in-DevOps"}},"content":"Note - this article was originally posted on Hal\'s blog on March 21, 2023 under the title \\"Thales CipherTrust & Active Directory.\\"\\n\\n![Into Image](./img/Multi-cloud-key-management-onboarding.png) Why should you integrate Thales CipherTrust with your Microsoft Active Directory? What are the benefits of integration, and how is it done? Does Thales CipherTrust Manager (CTM) replace your Active Directory Group policy?\\n\\nIn the previous blog post, we went through the deployment of the CipherTrust Manager in our VMware environment. In today\u2019s post, we will focus our discussion on how to integrate the newly provisioned OVA with the company Active Directory, a necessary step for activities we will discuss in our future posts.\\n\\n## The Why\\n\\nTo streamline the management of your company\u2019s security requirements, and to easily manage your access and control of the company files and directories, it is a good idea to integrate CTM with Active Directory as a source of user management. 
By doing this, you can assign your policies more easily by basing them on the company AD Users and Groups.\\n\\n## The How\\n\\nNow let\u2019s focus on the fun technical part, the integration. The first step before we start the configuration is to get some information from AD; so, let\u2019s run the following PowerShell command to retrieve the necessary information for our configuration: ![Get ADuser](./img/get_aduser.png)\\n\\nThe output will be as shown below:\\n\\n![AD Info](./img/AD_Info.webp)\\n\\nAfter you have retrieved the above information, we are ready to head back to our CTM and browse to: Access Management -> LDAP. From the top right corner, select \u201c+ Add LDAP\u201c:\\n\\n![CTM_LDAP](./img/CTM_LDAP.webp)\\n\\nOn the pop-up config windows, provide the following information:\\n* Connection Name: any\\n* Server URL: your AD IP/DNS name\\n* Bind DN: CN=Administrator,CN=Users,DC=oasis,DC=org\\n* Server Bind Password: account password\\n* Rood DN: DC=oasis,DC=org\\n* User login name attribute: sAMAccountName\\n![AD_Bind-1](./img/AD_Bind-1.webp)\\n\\nAfter you have tested the configurations to be correct and are ready to accept it, click on the \u201cAdd LDAP\u201d button at the bottom right corner.\\n\\n## Conclusion\\n\\nToday\u2019s blog is very important; this post is setting the foundation for our next exciting topic, Thales Transparent Encryption feature. As you may have noticed, to integrate the CTM with AD is a very simple, but important operation. 
Next week, we going to use the configuration setup today to access and encrypt the company\u2019s critical data."},{"id":"Data-Security-in-DevOps","metadata":{"permalink":"/ciphertrust/blog/Data-Security-in-DevOps","editUrl":"https://github.com/thalesgroup/ThalesGroup.github.io/tree/main/ciphertrust/blog/2023-04-18-data-security-without-DevOps-disruption.md","source":"@site/blog/2023-04-18-data-security-without-DevOps-disruption.md","title":"Data Security without DevOps Disruption","description":"Note - this article was originally posted on Hal\'s blog on March 24, 2023 under the title \\"CipherTrust Transparent Encryption.\\"","date":"2023-04-18T00:00:00.000Z","formattedDate":"April 18, 2023","tags":[{"label":"data-encryption","permalink":"/ciphertrust/blog/tags/data-encryption"},{"label":"devops","permalink":"/ciphertrust/blog/tags/devops"},{"label":"data-security","permalink":"/ciphertrust/blog/tags/data-security"}],"readingTime":7.465,"hasTruncateMarker":false,"authors":[{"name":"Hal Yaman (B.Sc)","title":"Sales Engineering Manager @ Thales","imageURL":"https://i0.wp.com/cloudoasis.com.au/wp-content/uploads/2019/09/IMG_0054-30x40.jpg?resize=225%2C300&ssl=1","key":"hal"}],"frontMatter":{"slug":"Data-Security-in-DevOps","title":"Data Security without DevOps Disruption","authors":"hal","tags":["data-encryption","devops","data-security"]},"prevItem":{"title":"CipherTrust and Active Directory","permalink":"/ciphertrust/blog/CipherTrust and Active Directory"},"nextItem":{"title":"A Guide to Picking the Right Key Manager for Your Org","permalink":"/ciphertrust/blog/choosing-a-key-manager"}},"content":"Note - this article was originally posted on Hal\'s blog on March 24, 2023 under the title \\"CipherTrust Transparent Encryption.\\"\\n\\nIn many organisations, IT departments are sometimes required to delegate some of their responsibilities to other teams, but at the same time, also required to keep control of the company security. Wait! 
In the world of security, can data security become a delegated responsibility? If that is a yes, then how?\\n\\nFive years ago, I was pulled into the DevOps team culture and mindset. Since then, I have been lucky enough to manage the building of several DevOps teams. One of the many attributes of the DevOps culture is their autonomy. DevOps teams build in a way that can execute a task from end to end. The teams build up while working through the requirements and functions of the project or product, and with this knowledge, go on to find the most effective way of breaking the silos encountered by traditional teams.\\n\\n### Introduction\\n\\nThe previous paragraph described DevOps as being about speed of delivery and autonomy, which also requires the team to access resources that are not always managed within the team; Active Directory, file shares, and so on are examples of these resources. So, how can you keep your DevOps team focused, but not affect the company processes?\\n\\n### Scenario\\n\\nLet\u2019s put the DevOps information above into context using a real scenario I came across last week with one of the teams I help to build two years ago.\\n\\nCompany A was working on a confidential application for a client; the client was concerned that a breach of their code data would expose their intellectual property to competitors, or would become general knowledge.\\n\\nThe client asked that the following hierarchy be implemented to help mitigate their risk:\\n\\n* Each Team has it own encrypted directory\\n* Only the specific team can access and read the code\\n* Admin can manage the files within all the directories, but cannot read the code\\n\\n### The Challenge\\n\\nFrom those requirements, Company A faces the following challenges:\\n\\n* How to implement access management and encryption at the same time\\n* How to avoid disruption of the DevOps team concept\\n* Delegate security manageability to the DevOps team without affecting the wider company 
policy\\n\\n### Solution\\n\\nAccess management can be controlled using the company Active Directory; but doing so will complicate the workflow of the DevOps team and will slow the delivery. At the same time, Active Directory and Group Policies do not offer encryption, so the IT department turned to Thales CipherTrust Manager to solve this challenge.\\n\\n### Implementation\\n\\nTo achieve all the security requirements, Company A decided to use CipherTrust Manager with the Transparent Encryption feature. Using Transparent Encryption Live Data Transformation (LDT), Company A can delegate the code data management to the DevOps team, but at the same time, encrypt the data and also keep Admin in control of managing and backing up the code files without compromising security.\\n\\nSo let\u2019s learn how company A uses CipherTrust Manager to keep each team in control.\\n\\n### CipherTrust User and Domain\\n\\nTo delegate responsibilities, the Company A IT team was looking for a multi-tenanted system that can help the department to easily create and assign multiple teams to manage their own security requirements, while remaining isolated from each other. This requirement can be met with Thales CTM by creating a Domain to allow the DevOps team to manage their access control and security needs.\\n\\nTo create a Domain, you first create a user by browsing to **\u201cAccess Management -> Users -> Add User\u201c:**\\n![Add_User](img/adduser.webp)\\n\\nAfter you have added the user, apply the user to **CTE Admins and Clients** by going to **Edit/view** the user. 
Under **Groups**, Search **CTE** and add to **Admin/Client**:\\n![CTE_Groups](img/CTE_Groups.webp)\\n\\nThe next step is to browse to \u201c**Admin Settings -> Domains**\u201d and click \u201c**Add Domain**\u201c:\\n\\n* Name: DevOps\\n* Admins: devops (the user you just created)\\n* Choose the default CA\\n* Save\\n![Add_Domain](img/Add_Domain.webp)\\n\\nNow you are ready to logout and then login with the user you just created. After logging in again, change the domain to the new domain at the top right corner \u2013 **Switch Domains**:\\n![Switch_Domains](img/switchdomains.webp)\\n\\n### Create a Key\\n\\nTo be able to encrypt the data, we must create a key. Creating a key is very simple with CipherTrust Manager, all you need is to browse to the keys at the left menu and press the \u201c**Add key**\u201c. The next step is to provide a Key name: for example we will create a key name: **LDT_Key** and then press\u201d**Add Key**\u201d to save it.\\n\\nAt the next window, expand the \u201c**Key Access**\u201d option. On the search bar, type \u201c**CTE**\u201d with show all groups, then tick the check boxes for all the Admins and Clients permissions. Press **Update**:\\n![Key_Access](img/keyaccess.webp)\\n\\nNext, browse to \u201c**Key Labels -> CTE**\u201c. Choose **CBC** from the drop down menu\u201d. Press **Update**:\\n![Key_Label](img/Keylable.webp)\\n\\n### Install the Transparent Encryption Agent\\n\\nTo be able to install and use the Transparent Encryption feature, you must install an agent. The first step is to create a \u201c**Registration Token**\u201c; this will be used during the agent installation to add the agent to the CipherTrust Manager. 
To create the Token, browse to \u201c**Access Management -> Registration Tokens**\u201d and click on \u201c**Add Registration Token**\u201d and complete the following entries:\\n\\n* Provide a Name Prefix: on my case DevOps_token\\n* Local CA: choose the default\\n* Create a token: Base64\\n![Create_Token](img/createToken.webp)\\n\\nCopy the token; then go to your Windows or Linux machine to run the agent installation. During the installation, you will be asked to provide:\\n\\n* Componant to register: File System\\n* CipherTrust Manager IP/Hostname\\n* Enable LDT Feature (FS agent only)\\n* Token\\n\\nAfter the installation is completed and you have successfully rebooted, you will be able to see the registered client on your CipherTrust Manager under: **Transparent Encryption -> Clients**:\\n![CTE_Client](img/CTE_Client.webp)\\n\\nCreating Policies:\\n\\nAfter deploying the agent and connecting it to the CTM, we can focus on creating our polices. As we have four different teams in our example, lets create four policies as shown below:\\n\\n* DevOps_Admin_Team: Access and manage files and directories but can read files content\\n* DevOps_Dev_Team: access only Development directory\\n* DevOps_Ops_Policy: access only operation directory\\n* DevOps_QA_Team: access only QA diretory\\n\\nLet\u2019s create first policy, the **DevOps_Admin_Team** policy by browsing to \u201c**Transparent Encryption -> Policies -> Create policy**\u201c:\\n\\n* Name: DevOps_Admin_Team\\n* Policy Type: Live Data Transformation\\n* Security Rules: + Create Security Rule\\n * User Set \u2013 Select \u2013 Create User Set:\\n * Name: Admin_Team\\n * Create User\\n * Agent \u2013 select Agent\\n * User Type: LDAP\\n * Member Choice: User or Group (on my case I choose group)\\n * gname: group name\\n * Note: repeat the above steps to create all the users for each group (i.e: Admin, Dev, Ops and QA team. 
on each time you need to create a policy you can easily choose the appropriate group or user)\\n * Action \u2013 Select\\n * All_Ops\\n * Effect \u2013 Select\\n * select permit\\n * ApplyKey only of other group but not Admin group as the admin will not be able to unencrypt the data so a key not required\\n* Key Rules: Create key Rule\\n * Current Key Name: Select \u2013 \u201cclear_key\u201d\\n * Tranformation Key Name: Select \u2013 LTD_Key\\n * Add\\n* Next \u2013 Confirmation \u2013 Save\\n\\nNote: repeat the above steps for all the groups\\n\\n### Create GuardPoint\\n\\nOur last step is to apply these policies to our folders or client. In this example, I will be using a Windows client. So let\u2019s get started:\\n\\nAs we have different teams and policies, each with different access, we must create a different client **GuardPoint**. Browse to **Transparent Encryption -> Clients**. Choose the client \u2013 \u201c**Create GuardPoint**\u201c:\\n\\n* Select Policy: choose DevOps_QA_Team\\n* Path: browse to the QA directory and select \u201cselect Path\u201d\\n* Create\\n\\nNote: repeat for each team and select the appropriate directory\\n![Create_GuardPoint](img/createguardpoint.webp)\\n\\nAfter all the directories are assigned to a group \u2013 on each GuardPoint \u2013 press the policy name and add the right action for each team as shown below; for example:\\n\\n* Development_Team can access, and apply key\\n* Operation_Team no access\\n* Admin_Team access but no key\\n![DevOps_Permission_Group](img/devops_permission_group.webp)\\n\\nNote: repeat for all other GuardPoints\\n\\n### Summary\\n\\nAfter Following the steps described above, you can check that your new configuration works by accessing your Windows machine with a different user; for example, QA, dev, ops or admin, then check to see if you can access or read the files. 
The above steps are a little involved, more than Active Directory Group Policies; but with CipherTrust you also get the encryption aspect with a full and controlled separation of responsibilities.\\n\\nCompany A was able to achieve their client\u2019s security request; but at the same time, did not affect the team processes, autonomy, and control. At both levels, Company A IT and DevOps, it was a win \u2013 win situation."},{"id":"choosing-a-key-manager","metadata":{"permalink":"/ciphertrust/blog/choosing-a-key-manager","editUrl":"https://github.com/thalesgroup/ThalesGroup.github.io/tree/main/ciphertrust/blog/2022-11-17-how-to-choose-a-key-manager-for-orgs.md","source":"@site/blog/2022-11-17-how-to-choose-a-key-manager-for-orgs.md","title":"A Guide to Picking the Right Key Manager for Your Org","description":"Your company has a ton of daily active users and you have this amazingly efficient architecture to process requests at scale, but your InfoSec team asks you to use a key manager \u2014 there are so many out there, which one do you choose?","date":"2022-11-17T00:00:00.000Z","formattedDate":"November 17, 2022","tags":[{"label":"data-encryption","permalink":"/ciphertrust/blog/tags/data-encryption"},{"label":"key-management","permalink":"/ciphertrust/blog/tags/key-management"}],"readingTime":3.655,"hasTruncateMarker":false,"authors":[{"name":"Pranav Shikarpur","title":"Developer Advocate @ Thales","url":"https://twitter.com/snpranav","imageURL":"https://pbs.twimg.com/profile_images/1615654854642503680/AZA332Xo_400x400.jpg","key":"pranav"}],"frontMatter":{"slug":"choosing-a-key-manager","title":"A Guide to Picking the Right Key Manager for Your Org","authors":"pranav","tags":["data-encryption","key-management"]},"prevItem":{"title":"Data Security without DevOps Disruption","permalink":"/ciphertrust/blog/Data-Security-in-DevOps"},"nextItem":{"title":"A Guide to Data Security 
Architectures","permalink":"/ciphertrust/blog/a-guide-to-encryption-architectures"}},"content":"Your company has a ton of daily active users and you have this amazingly efficient architecture to process requests at scale, but your InfoSec team asks you to use a key manager \u2014 there are so many out there, which one do you choose?\\n\\nThere are various different types of key managers, but in this post, we\u2019ll cover the three most common key managers:\\n\\n* Native Cloud Key Managers (Ex \u2014 AWS KMS, GCP KMS, Azure Key Vault, etc.)\\n\\n* External Key Managers (Ex \u2014 Thales CipherTrust Manager, etc.)\\n\\n* Hybrid Key Managers (Use the best of both worlds \u2014 Cloud managed services and external key managers)\\n\\n## First, the literal key to security \u2014 HSMs\\n\\nHSM stands for \u201c[Hardware Security Module](https://en.wikipedia.org/wiki/Hardware_security_module)\u201d. These are physical devices that are usually tamper resistant which store keys and perform encrypt, decrypt and other cryptographic operations.\\n\\nHSMs are needed in secure environments such as healthcare or financial institutions where you need to pass compliances such as PCI DSS.\\n\\n## Now Let\u2019s Compare\\n\\nLet\u2019s look at the pros and cons of each to help you decide what would work best for your organization.\\n\\n### Cloud Key Managers\\n\\n\u2705 **Easy Integration with Cloud Managed Services**\\n\\nWhen using cloud key managers like [AWS KMS (Key Management Service)](https://aws.amazon.com/kms/) it can be advantageous as you get the flexibility of AWS managing your keys as well as direct integration into your existing AWS managed services such as [AWS S3](https://aws.amazon.com/s3/), or [AWS RDS (Relational Database Service)](https://aws.amazon.com/rods/), etc.\\n\\n\u2705 **HSMs provisioned and managed by a cloud provider (most of the time \ud83e\udd1e)**\\n\\nMost famous cloud providers have HSMs that they use in their data centers which store your keys, so 
you don\u2019t have to worry about renting an HSM.\\n\\n**\u274c No Separation of Trust \ud83d\udd75\ufe0f\u200d\u2640\ufe0f**\\n\\nSince your cloud provider now hosts and controls your data and encryption keys. Your user data might not be as safe anymore as the cloud provider with malicious intent could easily decrypt your user data. This does not help in creating a **zero-trust architecture**. While it\u2019s true that your cloud provider has your best interest; there are always hackers lurking around the internet trying to get malicious access to your data, so it\u2019s best to store data in an isolated environment.\\n\\n### External Key Managers\\n\\n**\u2705 Complete Separation of Trust**\\n\\nWhen running a product such as CipherTrust Manager, your architectures are zero-trust by default as 2 different entities have access to either your data or your keys and **NOT both**.\\n\\n**\u274c Build your own custom integrations**\\n\\nUnless the key manager service has connectors, many-a-times, you would need to build your own connectors which could put a lot of engineering debt on your teams.\\n\\n\u26a0\ufe0f** Need to rent out your own HSM**\\n\\nYou\u2019d need to manage your own HSM, but fortunately, there are service providers that will rent out and manage the HSMs (just like a cloud provider) \u2014 so this is neither a pro nor a con. A great example of a hosted HSM is the [Luna HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm).\\n\\n## **Best of Both Worlds \ud83e\udd14**\\n\\nYes, it\u2019s possible! To implement the best data security practices, you would want the ease of integration with cloud-managed services as well as complete separation of trust to isolate encryption keys from data. This method is also called **BYOK **(bring your own key).\\n\\nYou can do this with products such as CipherTrust Manager [Cloud Key Manager](https://cpl.thalesgroup.com/encryption/key-management/ciphertrust-cloud-key-manager). 
This offers:\\n\\n**\u2705 Direct connection with cloud-managed KMS account**\\n\\nOnce you connect your AWS or GCP or Azure account to CipherTrust Manager as shown in the tutorial linked below, you will be able to manage keys directly from CipherTrust Manager and encrypt data on cloud-managed services.\\n\\n**\u2705 Key Lifecycle Management in a few clicks**\\n\\nIn just a few clicks you can setup key rotation which will rotate your keys every few months and provide the best data security standards for your organization.\\n\\n### How do I implement this?\\n\\nLuckily, it\u2019s easy to implement in 3 simple steps. Here\u2019s a tutorial I made that demos connecting CipherTrust Manager to my AWS KMS (Key Management Service) account and encrypt my AWS managed services such as S3 and RDS.\\n\\nimport YoutubeEmbed from \'@site/src/components/YoutubeEmbed\';\\n\\n\\n\\nNow go ahead and encrypt all your cloud-managed services using this hybrid BYOK approach!\\n\\nIf you have any issues with implementation or questions about data encryption, go to the CipherTrust community and post [a quesiton](https://supportportal.thalesgroup.com/community)."},{"id":"a-guide-to-encryption-architectures","metadata":{"permalink":"/ciphertrust/blog/a-guide-to-encryption-architectures","editUrl":"https://github.com/thalesgroup/ThalesGroup.github.io/tree/main/ciphertrust/blog/2022-10-08-encryption-architectures.md","source":"@site/blog/2022-10-08-encryption-architectures.md","title":"A Guide to Data Security Architectures","description":"Building and deploying applications and services is super exciting. 
Still, when your security team prevents your application from going into production due to a lack of data encryption \u2014 this can be very annoying.","date":"2022-10-08T00:00:00.000Z","formattedDate":"October 8, 2022","tags":[{"label":"data-encryption","permalink":"/ciphertrust/blog/tags/data-encryption"},{"label":"data-protection-gateway","permalink":"/ciphertrust/blog/tags/data-protection-gateway"}],"readingTime":2.885,"hasTruncateMarker":false,"authors":[{"name":"Pranav Shikarpur","title":"Developer Advocate @ Thales","url":"https://twitter.com/snpranav","imageURL":"https://pbs.twimg.com/profile_images/1615654854642503680/AZA332Xo_400x400.jpg","key":"pranav"}],"frontMatter":{"slug":"a-guide-to-encryption-architectures","title":"A Guide to Data Security Architectures","authors":"pranav","tags":["data-encryption","data-protection-gateway"]},"prevItem":{"title":"A Guide to Picking the Right Key Manager for Your Org","permalink":"/ciphertrust/blog/choosing-a-key-manager"}},"content":"Building and deploying applications and services is super exciting. Still, when your security team prevents your application from going into production due to a lack of data encryption \u2014 this can be very annoying.\\n\\nLet\u2019s take a look at the different data encryption methods that are most commonly used and how we can implement some of them.\\n\\nData encrypted at-rest vs in-transit?\\n=====================================\\n\\nWell, it\u2019s often hard to choose between encrypting a complete Postgres database or encrypting only specific fields of data in the database right before it gets written to a table.\\n\\nThe key difference between the two is that encrypting a database **after** data is written to it is called **data encryption at rest** and encrypting data **before** data is written to a database is called data encryption **in-transit**.\\n\\nThe illustration below should give you a good high-level understanding of the difference. 
Although data encryption at-rest was a standard encryption practice followed for many years, it involves developers writing and maintaining various different scripts or applications to ensure that the encryption is up to company standards. It is still useful while encrypting file systems and storage. On the other hand, data encryption in-transit is a lot more beneficial at times when you want to make your infrastructure database agnostic and provide high-security standards with significantly low developer effort.\\n\\n![Data Encryption at REST Architecture](https://miro.medium.com/max/720/1*7sOyc7n62Mxsq0cfKsLL0Q.png)\\n\\nNote that from the above diagram we can see that the method of encrypting data in-transit uses a **side-car container** which is a proxy used to intercept every request with sensitive fields or encrypted data and encrypt or decrypt the same respectively.\\n\\n![Data Encryption in-transit Architecture](https://miro.medium.com/max/720/1*9PC9Nv4j_L2LIoWsR4ZIeg.png)\\n\\nAdvantages of Data Encryption in-Transit\\n----------------------------------------\\n\\n**\u2705 No change to applications**\\n\\nThe beauty of doing data-encryption in transit is that you don\u2019t need to worry about changing any of your frontend apps, APIs, or databases. Since the side-car container does field-level encryption, you can granularly control all the data that needs to be encrypted and decrypted by remotely setting access policies from your key manager.\\n\\n**\u2705 Easy to deploy**\\n\\nDeploying a [Data Protection Gateway](https://cpl.thalesgroup.com/encryption/ciphertrust-data-protection-gateway) side-car container is as easy to deploy as logging agents such as DataDog or Prometheus. 
You can just update your docker-compose, Kubernetes config files or just use Helm to install it.\\n\\n**\u2705 Developers can stop implementing data security policies**\\n\\nNow you can shift the responsibility of setting and implementing data security policies from developers over to InfoSec teams. This significantly helps prevent data breaches or unauthorized data access.\\n\\nDisadvantages of Data Encryption in-Transit\\n-------------------------------------------\\n\\n\u274c **Data encryption is only as strong as policies set**\\n\\nThis applies to any method of data encryption. However, when we perform field-level encryption and decryption, InfoSec teams need to be aware of all data flowing through various API routes to prevent data breaches and unauthorized access to unencrypted data.\\n\\n---\\n\\nHow Do I Implement Data Encryption in-Transit?\\n----------------------------------------------\\n\\nYou\u2019re in luck \ud83d\ude4c because I have a tutorial showing you how to easily implement data encryption in-transit with any of your containerized applications.\\n\\nIn this tutorial, I have used [CipherTrust Manager](https://ciphertrust.io/)\u2019s Data Protection Gateway product which is extremely easy to set up and free to start using\ud83d\udc47\\n\\nimport YoutubeEmbed from \'@site/src/components/YoutubeEmbed\';\\n\\n\\n\\n---\\n\\nNow go ahead and encrypt data in-transit from all your applications using side-car containers.\\n\\nIf you have any issues with implementation or questions about data encryption in-transit, feel free to leave a comment, tweet [@snpranav](https://twitter.com/snpranav), or raise a [GitHub issue](https://github.com/ThalesGroup/learn-ciphertrust/issues/new) :)"}]}')}}]); \ No newline at end of file 
diff --git a/ciphertrust/assets/js/ca1191cf.4d24dbd0.js b/ciphertrust/assets/js/ca1191cf.3647c38f.js similarity index 94% rename from ciphertrust/assets/js/ca1191cf.4d24dbd0.js rename to ciphertrust/assets/js/ca1191cf.3647c38f.js index 8586fd5..9ba0e42 100644 --- a/ciphertrust/assets/js/ca1191cf.4d24dbd0.js +++ b/ciphertrust/assets/js/ca1191cf.3647c38f.js 
@@ -1 +1 @@ -"use strict";(self.webpackChunkdocusaurus=self.webpackChunkdocusaurus||[]).push([[7771],{7200:(e,t,a)=>{a.d(t,{Z:()=>d});var o=a(7294),n=a(5697),r=a.n(n),i=a(7373),s=a(9960);const l=e=>{let{href:t}=e;return o.createElement("div",null,o.createElement(s.Z,{href:t},o.createElement("button",{style:{backgroundColor:"#171515"},className:"p-2 my-4 rounded-md border-none cursor-pointer text-white"},"GitHub ",o.createElement(i.RrF,{className:"text-white"}))))},u=e=>{let{href:t}=e;return o.createElement("div",null,o.createElement(s.Z,{href:t},o.createElement("button",{className:"p-2 my-4 rounded-md border-none cursor-pointer"},"View Demo ",o.createElement(i.mGl,null))))},c=e=>{let{href:t,demourl:a}=e;return o.createElement("div",{className:"flex flex-row justify-between"},t?o.createElement(l,{href:t}):o.createElement(o.Fragment,null),a?o.createElement(u,{href:a}):o.createElement(o.Fragment,null))};c.propTypes={href:r().string.isRequired,demourl:r().string};const d=c},7148:(e,t,a)=>{a.d(t,{Z:()=>l});var o=a(7294),n=a(5697),r=a.n(n),i=a(7200);const s=e=>{let{embedId:t,github:a,demourl:n}=e;return o.createElement(o.Fragment,null,o.createElement("div",{className:"video-responsive"},o.createElement("iframe",{width:"853",height:"480",src:`https://www.youtube.com/embed/${t}`,frameBorder:"0",allow:"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture",allowFullScreen:!0,title:"Embedded youtube"})),o.createElement(i.Z,{href:a,demourl:n}))};s.propTypes={embedId:r().string.isRequired};const l=s},7193:(e,t,a)=>{a.r(t),a.d(t,{assets:()=>u,contentTitle:()=>s,default:()=>p,frontMatter:()=>i,metadata:()=>l,toc:()=>c});var o=a(7462),n=(a(7294),a(3905)),r=a(7148);const i={slug:"HYOK-in-Azure",title:"HYOK Cloud Key Management Solution for Azure",authors:"scotti",tags:["HYOK","Cloud key Management","devops","Azure"]},s="HYOK Cloud Key Management Solution for 
Azure",l={permalink:"/ciphertrust/blog/HYOK-in-Azure",editUrl:"https://github.com/thalesgroup/ThalesGroup.github.io/tree/main/ciphertrust/blog/2023-08-15-hold-your-own-keys-in-azue.md",source:"@site/blog/2023-08-15-hold-your-own-keys-in-azue.md",title:"HYOK Cloud Key Management Solution for Azure",description:'Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." The video was added for this post.',date:"2023-08-15T00:00:00.000Z",formattedDate:"August 15, 2023",tags:[{label:"HYOK",permalink:"/ciphertrust/blog/tags/hyok"},{label:"Cloud key Management",permalink:"/ciphertrust/blog/tags/cloud-key-management"},{label:"devops",permalink:"/ciphertrust/blog/tags/devops"},{label:"Azure",permalink:"/ciphertrust/blog/tags/azure"}],readingTime:4.32,hasTruncateMarker:!1,authors:[{name:"Scotti Woolery-Price",title:"Partner Marketing Manager, Thales",imageURL:"https://cpl.thalesgroup.com/sites/default/files/content/author/field_image/2022-09/scotti-woolery-price.jpg",key:"scotti"}],frontMatter:{slug:"HYOK-in-Azure",title:"HYOK Cloud Key Management Solution for Azure",authors:"scotti",tags:["HYOK","Cloud key Management","devops","Azure"]},nextItem:{title:"CipherTrust and Active Directory",permalink:"/ciphertrust/blog/CipherTrust and Active Directory"}},u={authorsImageUrls:[void 0]},c=[{value:"Uncover Your Cybersecurity Blind Spots",id:"uncover-your-cybersecurity-blind-spots",level:3},{value:"Thales Solutions for Microsoft Azure, Azure Stack and M365",id:"thales-solutions-for-microsoft-azure-azure-stack-and-m365",level:3},{value:"CCKM Benefits:",id:"cckm-benefits",level:4},{value:"Bring Your Own Key",id:"bring-your-own-key",level:3},{value:"Single Pane of Glass, Single Vendor",id:"single-pane-of-glass-single-vendor",level:3},{value:"Multi-Cloud Support",id:"multi-cloud-support",level:3}],d={toc:c},m="wrapper";function 
p(e){let{components:t,...a}=e;return(0,n.kt)(m,(0,o.Z)({},d,a,{components:t,mdxType:"MDXLayout"}),(0,n.kt)("p",null,'Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." The video was added for this post.'),(0,n.kt)("h3",{id:"uncover-your-cybersecurity-blind-spots"},"Uncover Your Cybersecurity Blind Spots"),(0,n.kt)("p",null,"Cybersecurity is a strategic risk that should be managed at the highest levels of an organization. In fact, the World Economic Forum\u2019s Global Risk Report 2023 again ranked wide-spread cybercrime as a top-ten critical global threat. Of all the potential global risks to economies and societies including natural disasters, geopolitical conflict, energy supply, global debt and rising inflation, widespread cybercrime ranks #8 on both short term and long-term outlooks."),(0,n.kt)("p",null,"Ranking in the top ten critical global threats is eye-opening! To help mitigate the risk and unshroud organizational blind spots, today\u2019s enterprises must look for leading-edge solutions that help with data governance and compliance. "),(0,n.kt)("h3",{id:"thales-solutions-for-microsoft-azure-azure-stack-and-m365"},"Thales Solutions for Microsoft Azure, Azure Stack and M365"),(0,n.kt)("p",null,"You can simplify the way your organization discovers, protects, and controls your sensitive data. With our platform, Thales has integrated the CipherTrust Cloud Key Management (CCKM) solution with Microsoft Azure, Azure Stack and Microsoft 365. "),(0,n.kt)("p",null,"CCKM reduces your operational burden and increases efficiency. CCKM manages and synchronizes native keys, even if you have already created thousands of native cloud keys at your cloud provider. 
CCKM can help customers demonstrate compliance with internal, industry and national regulatory requirements so that you have the confidence to unblock sensitive workloads that may be stuck on-premises and move them to Azure."),(0,n.kt)("h4",{id:"cckm-benefits"},"CCKM Benefits:"),(0,n.kt)("ul",null,(0,n.kt)("li",{parentName:"ul"},"Simplify compliance by taking control of your encryption keys and your data"),(0,n.kt)("li",{parentName:"ul"},"Achieve cost savings using automated key lifecycle management"),(0,n.kt)("li",{parentName:"ul"},"Single pane of glass to help eliminate security holes introduced by human error -- set policies to be applied consistently wherever data is stored"),(0,n.kt)("li",{parentName:"ul"},"Support strategies for workload portability to increase operational resilience as part of a robust business continuity and disaster recovery plan"),(0,n.kt)("li",{parentName:"ul"},"Support all major public clouds"),(0,n.kt)("li",{parentName:"ul"},"Flexible deployment options: on-premises, hybrid cloud, and as a Service")),(0,n.kt)("p",null,"\u201cThales is a global Microsoft partner focused on delivering solutions for Azure Cloud, Azure Stack and M365, on-premises storage systems, intelligent edge appliances, and cloud-based Microsoft Azure Services. They are working to help customers transform their businesses to drive digital transformation for people, organizations, and industries worldwide. 
CipherTrust Cloud Key Management has been verified against Microsoft key products, is available on the Azure Marketplace and is simple to adopt for Azure customers.\u201d \u2013 David Nunez Tejerina, Principal Product Manager, Microsoft"),(0,n.kt)("h3",{id:"bring-your-own-key"},"Bring Your Own Key"),(0,n.kt)("p",null,"With Thales\u2019 Bring Your Own Key (BYOK) functionality, customers can maintain control of sensitive data using external key management services ensuring full encryption capabilities, key lifecycle management, and centralized key management across clouds, regions, accounts, subscriptions, projects, applications, org ids and more. CCKM helps manage native Azure keys, Standard/Premium Key Vaults as well as Managed HSM pools, in addition to BYOK. CipherTrust Manager as well as Luna Network HSM can be used as a key source."),(0,n.kt)(r.Z,{embedId:"2TcaAjfqaEE",mdxType:"YoutubeEmbed"}),(0,n.kt)("h3",{id:"single-pane-of-glass-single-vendor"},"Single Pane of Glass, Single Vendor"),(0,n.kt)("p",null,"According to the Thales 2023 Data Threat Report, 93% of organizations use four or more key management solutions (includes enterprise key manager vendors and cloud provider key managers). CCKM manages all of your encryption keys across clouds and services with a single pane of glass from a trusted vendor."),(0,n.kt)("p",null,"CCKM integrated with Microsoft Azure, Azure Stack and Microsoft 365 increases efficiency by reducing the operational burden. Giving customers lifecycle control, centralized management within and among clouds, and unparalleled visibility of cloud encryption keys reduces key management complexity and operational costs. Thousands of keys and native key stores are difficult to manage manually, and organizations may be stretched to consistently apply key lifecycle management policies such as rotation, backup and role-based access management across their entire digital estate -- leading to security holes and failed audits. 
99% of data breaches occur because of human error. You can shrink the threat surface introduced by human error when you use centralized automated key lifecycle management provided by CCKM."),(0,n.kt)("h3",{id:"multi-cloud-support"},"Multi-Cloud Support"),(0,n.kt)("p",null,"Organizations with multi-cloud are struggling to protect their sensitive data, because while cloud delivers a multitude of benefits these can often be offset by a multitude of challenges. It can also be very time consuming to manage the different native stores and native key management tools across different clouds and on-premises since there is no industry standard. Based on customer testimonials, CCKM can provide a 30x savings in time and cost in managing thousands of native key stores across hybrid multi-cloud environments which can free up IT teams to focus on other urgent business priorities.\nOperational Sovereignty"),(0,n.kt)("p",null,"CCKM helps organizations to control their digital sovereignty across major public and government clouds including Microsoft Azure, Azure Government, Amazon Web Services, Google Cloud, Oracle Cloud, Salesforce and SAP. The solution enables you to run in different environments to support a strong business continuity plan. 
CCKM can provide an organization with a holistic view of where all key workloads and sensitive data are located."),(0,n.kt)("p",null,"Free Trial\nTry ",(0,n.kt)("a",{parentName:"p",href:"https://cpl.thalesgroup.com/encryption/data-protection-on-demand/marketplace"},"Data Protection On Demand - 30-Day Free Evaluation")),(0,n.kt)("p",null,"For more information see the ",(0,n.kt)("a",{parentName:"p",href:"https://cpl.thalesgroup.com/resources/encryption/microsoft-azure-advanced-data-protection-solution-brief"},"Product Brief")," and ",(0,n.kt)("a",{parentName:"p",href:"https://cpl.thalesgroup.com/resources/encryption/cloud-key-management-ms-azure-solution-brief"},"Solution Brief")))}p.isMDXComponent=!0}}]); \ No newline at end of file +"use strict";(self.webpackChunkdocusaurus=self.webpackChunkdocusaurus||[]).push([[7771],{7200:(e,t,a)=>{a.d(t,{Z:()=>d});var o=a(7294),n=a(5697),r=a.n(n),i=a(7373),s=a(9960);const l=e=>{let{href:t}=e;return o.createElement("div",null,o.createElement(s.Z,{href:t},o.createElement("button",{style:{backgroundColor:"#171515"},className:"p-2 my-4 rounded-md border-none cursor-pointer text-white"},"GitHub ",o.createElement(i.RrF,{className:"text-white"}))))},u=e=>{let{href:t}=e;return o.createElement("div",null,o.createElement(s.Z,{href:t},o.createElement("button",{className:"p-2 my-4 rounded-md border-none cursor-pointer"},"View Demo ",o.createElement(i.mGl,null))))},c=e=>{let{href:t,demourl:a}=e;return o.createElement("div",{className:"flex flex-row justify-between"},t?o.createElement(l,{href:t}):o.createElement(o.Fragment,null),a?o.createElement(u,{href:a}):o.createElement(o.Fragment,null))};c.propTypes={href:r().string.isRequired,demourl:r().string};const d=c},7148:(e,t,a)=>{a.d(t,{Z:()=>l});var o=a(7294),n=a(5697),r=a.n(n),i=a(7200);const s=e=>{let{embedId:t,github:a,demourl:n}=e;return 
o.createElement(o.Fragment,null,o.createElement("div",{className:"video-responsive"},o.createElement("iframe",{width:"853",height:"480",src:`https://www.youtube.com/embed/${t}`,frameBorder:"0",allow:"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture",allowFullScreen:!0,title:"Embedded youtube"})),o.createElement(i.Z,{href:a,demourl:n}))};s.propTypes={embedId:r().string.isRequired};const l=s},7193:(e,t,a)=>{a.r(t),a.d(t,{assets:()=>u,contentTitle:()=>s,default:()=>p,frontMatter:()=>i,metadata:()=>l,toc:()=>c});var o=a(7462),n=(a(7294),a(3905)),r=a(7148);const i={slug:"HYOK-in-Azure",title:"HYOK Cloud Key Management Solution for Azure",authors:"scotti",tags:["HYOK","Cloud key Management","devops","Azure"]},s="HYOK Cloud Key Management Solution for Azure",l={permalink:"/ciphertrust/blog/HYOK-in-Azure",editUrl:"https://github.com/thalesgroup/ThalesGroup.github.io/tree/main/ciphertrust/blog/2023-08-15-hold-your-own-keys-in-azue.md",source:"@site/blog/2023-08-15-hold-your-own-keys-in-azue.md",title:"HYOK Cloud Key Management Solution for Azure",description:'Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." 
The video was added for this post.',date:"2023-08-15T00:00:00.000Z",formattedDate:"August 15, 2023",tags:[{label:"HYOK",permalink:"/ciphertrust/blog/tags/hyok"},{label:"Cloud key Management",permalink:"/ciphertrust/blog/tags/cloud-key-management"},{label:"devops",permalink:"/ciphertrust/blog/tags/devops"},{label:"Azure",permalink:"/ciphertrust/blog/tags/azure"}],readingTime:4.32,hasTruncateMarker:!1,authors:[{name:"Scotti Woolery-Price",title:"Partner Marketing Manager, Thales",imageURL:"https://cpl.thalesgroup.com/sites/default/files/content/author/field_image/2022-09/scotti-woolery-price.jpg",key:"scotti"}],frontMatter:{slug:"HYOK-in-Azure",title:"HYOK Cloud Key Management Solution for Azure",authors:"scotti",tags:["HYOK","Cloud key Management","devops","Azure"]},nextItem:{title:"CipherTrust and Active Directory",permalink:"/ciphertrust/blog/CipherTrust and Active Directory"}},u={authorsImageUrls:[void 0]},c=[{value:"Uncover Your Cybersecurity Blind Spots",id:"uncover-your-cybersecurity-blind-spots",level:3},{value:"Thales Solutions for Microsoft Azure, Azure Stack and M365",id:"thales-solutions-for-microsoft-azure-azure-stack-and-m365",level:3},{value:"CCKM Benefits:",id:"cckm-benefits",level:4},{value:"Bring Your Own Key",id:"bring-your-own-key",level:3},{value:"Single Pane of Glass, Single Vendor",id:"single-pane-of-glass-single-vendor",level:3},{value:"Multi-Cloud Support",id:"multi-cloud-support",level:3}],d={toc:c},m="wrapper";function p(e){let{components:t,...a}=e;return(0,n.kt)(m,(0,o.Z)({},d,a,{components:t,mdxType:"MDXLayout"}),(0,n.kt)("p",null,'Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." 
The video was added for this post.'),(0,n.kt)("h3",{id:"uncover-your-cybersecurity-blind-spots"},"Uncover Your Cybersecurity Blind Spots"),(0,n.kt)("p",null,"Cybersecurity is a strategic risk that should be managed at the highest levels of an organization. In fact, the World Economic Forum\u2019s Global Risk Report 2023 again ranked wide-spread cybercrime as a top-ten critical global threat. Of all the potential global risks to economies and societies including natural disasters, geopolitical conflict, energy supply, global debt and rising inflation, widespread cybercrime ranks #8 on both short term and long-term outlooks."),(0,n.kt)("p",null,"Ranking in the top ten critical global threats is eye-opening! To help mitigate the risk and unshroud organizational blind spots, today\u2019s enterprises must look for leading-edge solutions that help with data governance and compliance. "),(0,n.kt)("h3",{id:"thales-solutions-for-microsoft-azure-azure-stack-and-m365"},"Thales Solutions for Microsoft Azure, Azure Stack and M365"),(0,n.kt)("p",null,"You can simplify the way your organization discovers, protects, and controls your sensitive data. With our platform, Thales has integrated the CipherTrust Cloud Key Management (CCKM) solution with Microsoft Azure, Azure Stack and Microsoft 365. "),(0,n.kt)("p",null,"CCKM reduces your operational burden and increases efficiency. CCKM manages and synchronizes native keys, even if you have already created thousands of native cloud keys at your cloud provider. 
CCKM can help customers demonstrate compliance with internal, industry and national regulatory requirements so that you have the confidence to unblock sensitive workloads that may be stuck on-premises and move them to Azure."),(0,n.kt)("h4",{id:"cckm-benefits"},"CCKM Benefits:"),(0,n.kt)("ul",null,(0,n.kt)("li",{parentName:"ul"},"Simplify compliance by taking control of your encryption keys and your data"),(0,n.kt)("li",{parentName:"ul"},"Achieve cost savings using automated key lifecycle management"),(0,n.kt)("li",{parentName:"ul"},"Single pane of glass to help eliminate security holes introduced by human error -- set policies to be applied consistently wherever data is stored"),(0,n.kt)("li",{parentName:"ul"},"Support strategies for workload portability to increase operational resilience as part of a robust business continuity and disaster recovery plan"),(0,n.kt)("li",{parentName:"ul"},"Support all major public clouds"),(0,n.kt)("li",{parentName:"ul"},"Flexible deployment options: on-premises, hybrid cloud, and as a Service")),(0,n.kt)("p",null,"\u201cThales is a global Microsoft partner focused on delivering solutions for Azure Cloud, Azure Stack and M365, on-premises storage systems, intelligent edge appliances, and cloud-based Microsoft Azure Services. They are working to help customers transform their businesses to drive digital transformation for people, organizations, and industries worldwide. 
CipherTrust Cloud Key Management has been verified against Microsoft key products, is available on the Azure Marketplace and is simple to adopt for Azure customers.\u201d \u2013 David Nunez Tejerina, Principal Product Manager, Microsoft"),(0,n.kt)("h3",{id:"bring-your-own-key"},"Bring Your Own Key"),(0,n.kt)("p",null,"With Thales\u2019 Bring Your Own Key (BYOK) functionality, customers can maintain control of sensitive data using external key management services ensuring full encryption capabilities, key lifecycle management, and centralized key management across clouds, regions, accounts, subscriptions, projects, applications, org ids and more. CCKM helps manage native Azure keys, Standard/Premium Key Vaults as well as Managed HSM pools, in addition to BYOK. CipherTrust Manager as well as Luna Network HSM can be used as a key source."),(0,n.kt)(r.Z,{embedId:"2TcaAjfqaEE",mdxType:"YoutubeEmbed"}),(0,n.kt)("h3",{id:"single-pane-of-glass-single-vendor"},"Single Pane of Glass, Single Vendor"),(0,n.kt)("p",null,"According to the Thales 2023 Data Threat Report, 93% of organizations use four or more key management solutions (includes enterprise key manager vendors and cloud provider key managers). CCKM manages all of your encryption keys across clouds and services with a single pane of glass from a trusted vendor."),(0,n.kt)("p",null,"CCKM integrated with Microsoft Azure, Azure Stack and Microsoft 365 increases efficiency by reducing the operational burden. Giving customers lifecycle control, centralized management within and among clouds, and unparalleled visibility of cloud encryption keys reduces key management complexity and operational costs. Thousands of keys and native key stores are difficult to manage manually, and organizations may be stretched to consistently apply key lifecycle management policies such as rotation, backup and role-based access management across their entire digital estate -- leading to security holes and failed audits. 
99% of data breaches occur because of human error. You can shrink the threat surface introduced by human error when you use centralized automated key lifecycle management provided by CCKM."),(0,n.kt)("h3",{id:"multi-cloud-support"},"Multi-Cloud Support"),(0,n.kt)("p",null,"Organizations with multi-cloud are struggling to protect their sensitive data, because while cloud delivers a multitude of benefits these can often be offset by a multitude of challenges. It can also be very time consuming to manage the different native stores and native key management tools across different clouds and on-premises since there is no industry standard. Based on customer testimonials, CCKM can provide a 30x savings in time and cost in managing thousands of native key stores across hybrid multi-cloud environments which can free up IT teams to focus on other urgent business priorities.\nOperational Sovereignty"),(0,n.kt)("p",null,"CCKM helps organizations to control their digital sovereignty across major public and government clouds including Microsoft Azure, Azure Government, Amazon Web Services, Google Cloud, Oracle Cloud, Salesforce and SAP. The solution enables you to run in different environments to support a strong business continuity plan. 
CCKM can provide an organization with a holistic view of where all key workloads and sensitive data are located."),(0,n.kt)("p",null,"Free Trial\nTry ",(0,n.kt)("a",{parentName:"p",href:"https://cpl.thalesgroup.com/encryption/data-protection-on-demand/marketplace"},(0,n.kt)("strong",{parentName:"a"},"Data Protection On Demand - 30-Day Free Evaluation!"))),(0,n.kt)("p",null,"For more information see the ",(0,n.kt)("a",{parentName:"p",href:"https://cpl.thalesgroup.com/resources/encryption/microsoft-azure-advanced-data-protection-solution-brief"},(0,n.kt)("strong",{parentName:"a"},"Product Brief"))," and ",(0,n.kt)("a",{parentName:"p",href:"https://cpl.thalesgroup.com/resources/encryption/cloud-key-management-ms-azure-solution-brief"},(0,n.kt)("strong",{parentName:"a"},"Solution Brief")),"."))}p.isMDXComponent=!0}}]); \ No newline at end of file diff --git a/ciphertrust/assets/js/fe565dc4.28c6aa68.js b/ciphertrust/assets/js/fe565dc4.89dd5bee.js similarity index 94% rename from ciphertrust/assets/js/fe565dc4.28c6aa68.js rename to ciphertrust/assets/js/fe565dc4.89dd5bee.js index 6796a1d..547ed9f 100644 --- a/ciphertrust/assets/js/fe565dc4.28c6aa68.js +++ b/ciphertrust/assets/js/fe565dc4.89dd5bee.js 
@@ -1 +1 @@ -"use strict";(self.webpackChunkdocusaurus=self.webpackChunkdocusaurus||[]).push([[3328],{7200:(e,t,a)=>{a.d(t,{Z:()=>d});var o=a(7294),n=a(5697),r=a.n(n),i=a(7373),s=a(9960);const l=e=>{let{href:t}=e;return o.createElement("div",null,o.createElement(s.Z,{href:t},o.createElement("button",{style:{backgroundColor:"#171515"},className:"p-2 my-4 rounded-md border-none cursor-pointer text-white"},"GitHub ",o.createElement(i.RrF,{className:"text-white"}))))},u=e=>{let{href:t}=e;return o.createElement("div",null,o.createElement(s.Z,{href:t},o.createElement("button",{className:"p-2 my-4 rounded-md border-none cursor-pointer"},"View Demo ",o.createElement(i.mGl,null))))},c=e=>{let{href:t,demourl:a}=e;return o.createElement("div",{className:"flex flex-row justify-between"},t?o.createElement(l,{href:t}):o.createElement(o.Fragment,null),a?o.createElement(u,{href:a}):o.createElement(o.Fragment,null))};c.propTypes={href:r().string.isRequired,demourl:r().string};const d=c},7148:(e,t,a)=>{a.d(t,{Z:()=>l});var o=a(7294),n=a(5697),r=a.n(n),i=a(7200);const s=e=>{let{embedId:t,github:a,demourl:n}=e;return o.createElement(o.Fragment,null,o.createElement("div",{className:"video-responsive"},o.createElement("iframe",{width:"853",height:"480",src:`https://www.youtube.com/embed/${t}`,frameBorder:"0",allow:"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture",allowFullScreen:!0,title:"Embedded youtube"})),o.createElement(i.Z,{href:a,demourl:n}))};s.propTypes={embedId:r().string.isRequired};const l=s},9847:(e,t,a)=>{a.r(t),a.d(t,{assets:()=>u,contentTitle:()=>s,default:()=>p,frontMatter:()=>i,metadata:()=>l,toc:()=>c});var o=a(7462),n=(a(7294),a(3905)),r=a(7148);const i={slug:"HYOK-in-Azure",title:"HYOK Cloud Key Management Solution for Azure",authors:"scotti",tags:["HYOK","Cloud key Management","devops","Azure"]},s="HYOK Cloud Key Management Solution for 
Azure",l={permalink:"/ciphertrust/blog/HYOK-in-Azure",editUrl:"https://github.com/thalesgroup/ThalesGroup.github.io/tree/main/ciphertrust/blog/2023-08-15-hold-your-own-keys-in-azue.md",source:"@site/blog/2023-08-15-hold-your-own-keys-in-azue.md",title:"HYOK Cloud Key Management Solution for Azure",description:'Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." The video was added for this post.',date:"2023-08-15T00:00:00.000Z",formattedDate:"August 15, 2023",tags:[{label:"HYOK",permalink:"/ciphertrust/blog/tags/hyok"},{label:"Cloud key Management",permalink:"/ciphertrust/blog/tags/cloud-key-management"},{label:"devops",permalink:"/ciphertrust/blog/tags/devops"},{label:"Azure",permalink:"/ciphertrust/blog/tags/azure"}],readingTime:4.32,hasTruncateMarker:!1,authors:[{name:"Scotti Woolery-Price",title:"Partner Marketing Manager, Thales",imageURL:"https://cpl.thalesgroup.com/sites/default/files/content/author/field_image/2022-09/scotti-woolery-price.jpg",key:"scotti"}],frontMatter:{slug:"HYOK-in-Azure",title:"HYOK Cloud Key Management Solution for Azure",authors:"scotti",tags:["HYOK","Cloud key Management","devops","Azure"]},nextItem:{title:"CipherTrust and Active Directory",permalink:"/ciphertrust/blog/CipherTrust and Active Directory"}},u={authorsImageUrls:[void 0]},c=[{value:"Uncover Your Cybersecurity Blind Spots",id:"uncover-your-cybersecurity-blind-spots",level:3},{value:"Thales Solutions for Microsoft Azure, Azure Stack and M365",id:"thales-solutions-for-microsoft-azure-azure-stack-and-m365",level:3},{value:"CCKM Benefits:",id:"cckm-benefits",level:4},{value:"Bring Your Own Key",id:"bring-your-own-key",level:3},{value:"Single Pane of Glass, Single Vendor",id:"single-pane-of-glass-single-vendor",level:3},{value:"Multi-Cloud Support",id:"multi-cloud-support",level:3}],d={toc:c},m="wrapper";function 
p(e){let{components:t,...a}=e;return(0,n.kt)(m,(0,o.Z)({},d,a,{components:t,mdxType:"MDXLayout"}),(0,n.kt)("p",null,'Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." The video was added for this post.'),(0,n.kt)("h3",{id:"uncover-your-cybersecurity-blind-spots"},"Uncover Your Cybersecurity Blind Spots"),(0,n.kt)("p",null,"Cybersecurity is a strategic risk that should be managed at the highest levels of an organization. In fact, the World Economic Forum\u2019s Global Risk Report 2023 again ranked wide-spread cybercrime as a top-ten critical global threat. Of all the potential global risks to economies and societies including natural disasters, geopolitical conflict, energy supply, global debt and rising inflation, widespread cybercrime ranks #8 on both short term and long-term outlooks."),(0,n.kt)("p",null,"Ranking in the top ten critical global threats is eye-opening! To help mitigate the risk and unshroud organizational blind spots, today\u2019s enterprises must look for leading-edge solutions that help with data governance and compliance. "),(0,n.kt)("h3",{id:"thales-solutions-for-microsoft-azure-azure-stack-and-m365"},"Thales Solutions for Microsoft Azure, Azure Stack and M365"),(0,n.kt)("p",null,"You can simplify the way your organization discovers, protects, and controls your sensitive data. With our platform, Thales has integrated the CipherTrust Cloud Key Management (CCKM) solution with Microsoft Azure, Azure Stack and Microsoft 365. "),(0,n.kt)("p",null,"CCKM reduces your operational burden and increases efficiency. CCKM manages and synchronizes native keys, even if you have already created thousands of native cloud keys at your cloud provider. 
CCKM can help customers demonstrate compliance with internal, industry and national regulatory requirements so that you have the confidence to unblock sensitive workloads that may be stuck on-premises and move them to Azure."),(0,n.kt)("h4",{id:"cckm-benefits"},"CCKM Benefits:"),(0,n.kt)("ul",null,(0,n.kt)("li",{parentName:"ul"},"Simplify compliance by taking control of your encryption keys and your data"),(0,n.kt)("li",{parentName:"ul"},"Achieve cost savings using automated key lifecycle management"),(0,n.kt)("li",{parentName:"ul"},"Single pane of glass to help eliminate security holes introduced by human error -- set policies to be applied consistently wherever data is stored"),(0,n.kt)("li",{parentName:"ul"},"Support strategies for workload portability to increase operational resilience as part of a robust business continuity and disaster recovery plan"),(0,n.kt)("li",{parentName:"ul"},"Support all major public clouds"),(0,n.kt)("li",{parentName:"ul"},"Flexible deployment options: on-premises, hybrid cloud, and as a Service")),(0,n.kt)("p",null,"\u201cThales is a global Microsoft partner focused on delivering solutions for Azure Cloud, Azure Stack and M365, on-premises storage systems, intelligent edge appliances, and cloud-based Microsoft Azure Services. They are working to help customers transform their businesses to drive digital transformation for people, organizations, and industries worldwide. 
CipherTrust Cloud Key Management has been verified against Microsoft key products, is available on the Azure Marketplace and is simple to adopt for Azure customers.\u201d \u2013 David Nunez Tejerina, Principal Product Manager, Microsoft"),(0,n.kt)("h3",{id:"bring-your-own-key"},"Bring Your Own Key"),(0,n.kt)("p",null,"With Thales\u2019 Bring Your Own Key (BYOK) functionality, customers can maintain control of sensitive data using external key management services ensuring full encryption capabilities, key lifecycle management, and centralized key management across clouds, regions, accounts, subscriptions, projects, applications, org ids and more. CCKM helps manage native Azure keys, Standard/Premium Key Vaults as well as Managed HSM pools, in addition to BYOK. CipherTrust Manager as well as Luna Network HSM can be used as a key source."),(0,n.kt)(r.Z,{embedId:"2TcaAjfqaEE",mdxType:"YoutubeEmbed"}),(0,n.kt)("h3",{id:"single-pane-of-glass-single-vendor"},"Single Pane of Glass, Single Vendor"),(0,n.kt)("p",null,"According to the Thales 2023 Data Threat Report, 93% of organizations use four or more key management solutions (includes enterprise key manager vendors and cloud provider key managers). CCKM manages all of your encryption keys across clouds and services with a single pane of glass from a trusted vendor."),(0,n.kt)("p",null,"CCKM integrated with Microsoft Azure, Azure Stack and Microsoft 365 increases efficiency by reducing the operational burden. Giving customers lifecycle control, centralized management within and among clouds, and unparalleled visibility of cloud encryption keys reduces key management complexity and operational costs. Thousands of keys and native key stores are difficult to manage manually, and organizations may be stretched to consistently apply key lifecycle management policies such as rotation, backup and role-based access management across their entire digital estate -- leading to security holes and failed audits. 
99% of data breaches occur because of human error. You can shrink the threat surface introduced by human error when you use centralized automated key lifecycle management provided by CCKM."),(0,n.kt)("h3",{id:"multi-cloud-support"},"Multi-Cloud Support"),(0,n.kt)("p",null,"Organizations with multi-cloud are struggling to protect their sensitive data, because while cloud delivers a multitude of benefits these can often be offset by a multitude of challenges. It can also be very time consuming to manage the different native stores and native key management tools across different clouds and on-premises since there is no industry standard. Based on customer testimonials, CCKM can provide a 30x savings in time and cost in managing thousands of native key stores across hybrid multi-cloud environments which can free up IT teams to focus on other urgent business priorities.\nOperational Sovereignty"),(0,n.kt)("p",null,"CCKM helps organizations to control their digital sovereignty across major public and government clouds including Microsoft Azure, Azure Government, Amazon Web Services, Google Cloud, Oracle Cloud, Salesforce and SAP. The solution enables you to run in different environments to support a strong business continuity plan. 
CCKM can provide an organization with a holistic view of where all key workloads and sensitive data are located."),(0,n.kt)("p",null,"Free Trial\nTry ",(0,n.kt)("a",{parentName:"p",href:"https://cpl.thalesgroup.com/encryption/data-protection-on-demand/marketplace"},"Data Protection On Demand - 30-Day Free Evaluation")),(0,n.kt)("p",null,"For more information see the ",(0,n.kt)("a",{parentName:"p",href:"https://cpl.thalesgroup.com/resources/encryption/microsoft-azure-advanced-data-protection-solution-brief"},"Product Brief")," and ",(0,n.kt)("a",{parentName:"p",href:"https://cpl.thalesgroup.com/resources/encryption/cloud-key-management-ms-azure-solution-brief"},"Solution Brief")))}p.isMDXComponent=!0}}]); \ No newline at end of file +"use strict";(self.webpackChunkdocusaurus=self.webpackChunkdocusaurus||[]).push([[3328],{7200:(e,t,a)=>{a.d(t,{Z:()=>d});var o=a(7294),n=a(5697),r=a.n(n),i=a(7373),s=a(9960);const l=e=>{let{href:t}=e;return o.createElement("div",null,o.createElement(s.Z,{href:t},o.createElement("button",{style:{backgroundColor:"#171515"},className:"p-2 my-4 rounded-md border-none cursor-pointer text-white"},"GitHub ",o.createElement(i.RrF,{className:"text-white"}))))},u=e=>{let{href:t}=e;return o.createElement("div",null,o.createElement(s.Z,{href:t},o.createElement("button",{className:"p-2 my-4 rounded-md border-none cursor-pointer"},"View Demo ",o.createElement(i.mGl,null))))},c=e=>{let{href:t,demourl:a}=e;return o.createElement("div",{className:"flex flex-row justify-between"},t?o.createElement(l,{href:t}):o.createElement(o.Fragment,null),a?o.createElement(u,{href:a}):o.createElement(o.Fragment,null))};c.propTypes={href:r().string.isRequired,demourl:r().string};const d=c},7148:(e,t,a)=>{a.d(t,{Z:()=>l});var o=a(7294),n=a(5697),r=a.n(n),i=a(7200);const s=e=>{let{embedId:t,github:a,demourl:n}=e;return 
o.createElement(o.Fragment,null,o.createElement("div",{className:"video-responsive"},o.createElement("iframe",{width:"853",height:"480",src:`https://www.youtube.com/embed/${t}`,frameBorder:"0",allow:"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture",allowFullScreen:!0,title:"Embedded youtube"})),o.createElement(i.Z,{href:a,demourl:n}))};s.propTypes={embedId:r().string.isRequired};const l=s},9847:(e,t,a)=>{a.r(t),a.d(t,{assets:()=>u,contentTitle:()=>s,default:()=>p,frontMatter:()=>i,metadata:()=>l,toc:()=>c});var o=a(7462),n=(a(7294),a(3905)),r=a(7148);const i={slug:"HYOK-in-Azure",title:"HYOK Cloud Key Management Solution for Azure",authors:"scotti",tags:["HYOK","Cloud key Management","devops","Azure"]},s="HYOK Cloud Key Management Solution for Azure",l={permalink:"/ciphertrust/blog/HYOK-in-Azure",editUrl:"https://github.com/thalesgroup/ThalesGroup.github.io/tree/main/ciphertrust/blog/2023-08-15-hold-your-own-keys-in-azue.md",source:"@site/blog/2023-08-15-hold-your-own-keys-in-azue.md",title:"HYOK Cloud Key Management Solution for Azure",description:'Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." 
The video was added for this post.',date:"2023-08-15T00:00:00.000Z",formattedDate:"August 15, 2023",tags:[{label:"HYOK",permalink:"/ciphertrust/blog/tags/hyok"},{label:"Cloud key Management",permalink:"/ciphertrust/blog/tags/cloud-key-management"},{label:"devops",permalink:"/ciphertrust/blog/tags/devops"},{label:"Azure",permalink:"/ciphertrust/blog/tags/azure"}],readingTime:4.32,hasTruncateMarker:!1,authors:[{name:"Scotti Woolery-Price",title:"Partner Marketing Manager, Thales",imageURL:"https://cpl.thalesgroup.com/sites/default/files/content/author/field_image/2022-09/scotti-woolery-price.jpg",key:"scotti"}],frontMatter:{slug:"HYOK-in-Azure",title:"HYOK Cloud Key Management Solution for Azure",authors:"scotti",tags:["HYOK","Cloud key Management","devops","Azure"]},nextItem:{title:"CipherTrust and Active Directory",permalink:"/ciphertrust/blog/CipherTrust and Active Directory"}},u={authorsImageUrls:[void 0]},c=[{value:"Uncover Your Cybersecurity Blind Spots",id:"uncover-your-cybersecurity-blind-spots",level:3},{value:"Thales Solutions for Microsoft Azure, Azure Stack and M365",id:"thales-solutions-for-microsoft-azure-azure-stack-and-m365",level:3},{value:"CCKM Benefits:",id:"cckm-benefits",level:4},{value:"Bring Your Own Key",id:"bring-your-own-key",level:3},{value:"Single Pane of Glass, Single Vendor",id:"single-pane-of-glass-single-vendor",level:3},{value:"Multi-Cloud Support",id:"multi-cloud-support",level:3}],d={toc:c},m="wrapper";function p(e){let{components:t,...a}=e;return(0,n.kt)(m,(0,o.Z)({},d,a,{components:t,mdxType:"MDXLayout"}),(0,n.kt)("p",null,'Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." 
The video was added for this post.'),(0,n.kt)("h3",{id:"uncover-your-cybersecurity-blind-spots"},"Uncover Your Cybersecurity Blind Spots"),(0,n.kt)("p",null,"Cybersecurity is a strategic risk that should be managed at the highest levels of an organization. In fact, the World Economic Forum\u2019s Global Risk Report 2023 again ranked wide-spread cybercrime as a top-ten critical global threat. Of all the potential global risks to economies and societies including natural disasters, geopolitical conflict, energy supply, global debt and rising inflation, widespread cybercrime ranks #8 on both short term and long-term outlooks."),(0,n.kt)("p",null,"Ranking in the top ten critical global threats is eye-opening! To help mitigate the risk and unshroud organizational blind spots, today\u2019s enterprises must look for leading-edge solutions that help with data governance and compliance. "),(0,n.kt)("h3",{id:"thales-solutions-for-microsoft-azure-azure-stack-and-m365"},"Thales Solutions for Microsoft Azure, Azure Stack and M365"),(0,n.kt)("p",null,"You can simplify the way your organization discovers, protects, and controls your sensitive data. With our platform, Thales has integrated the CipherTrust Cloud Key Management (CCKM) solution with Microsoft Azure, Azure Stack and Microsoft 365. "),(0,n.kt)("p",null,"CCKM reduces your operational burden and increases efficiency. CCKM manages and synchronizes native keys, even if you have already created thousands of native cloud keys at your cloud provider. 
CCKM can help customers demonstrate compliance with internal, industry and national regulatory requirements so that you have the confidence to unblock sensitive workloads that may be stuck on-premises and move them to Azure."),(0,n.kt)("h4",{id:"cckm-benefits"},"CCKM Benefits:"),(0,n.kt)("ul",null,(0,n.kt)("li",{parentName:"ul"},"Simplify compliance by taking control of your encryption keys and your data"),(0,n.kt)("li",{parentName:"ul"},"Achieve cost savings using automated key lifecycle management"),(0,n.kt)("li",{parentName:"ul"},"Single pane of glass to help eliminate security holes introduced by human error -- set policies to be applied consistently wherever data is stored"),(0,n.kt)("li",{parentName:"ul"},"Support strategies for workload portability to increase operational resilience as part of a robust business continuity and disaster recovery plan"),(0,n.kt)("li",{parentName:"ul"},"Support all major public clouds"),(0,n.kt)("li",{parentName:"ul"},"Flexible deployment options: on-premises, hybrid cloud, and as a Service")),(0,n.kt)("p",null,"\u201cThales is a global Microsoft partner focused on delivering solutions for Azure Cloud, Azure Stack and M365, on-premises storage systems, intelligent edge appliances, and cloud-based Microsoft Azure Services. They are working to help customers transform their businesses to drive digital transformation for people, organizations, and industries worldwide. 
CipherTrust Cloud Key Management has been verified against Microsoft key products, is available on the Azure Marketplace and is simple to adopt for Azure customers.\u201d \u2013 David Nunez Tejerina, Principal Product Manager, Microsoft"),(0,n.kt)("h3",{id:"bring-your-own-key"},"Bring Your Own Key"),(0,n.kt)("p",null,"With Thales\u2019 Bring Your Own Key (BYOK) functionality, customers can maintain control of sensitive data using external key management services ensuring full encryption capabilities, key lifecycle management, and centralized key management across clouds, regions, accounts, subscriptions, projects, applications, org ids and more. CCKM helps manage native Azure keys, Standard/Premium Key Vaults as well as Managed HSM pools, in addition to BYOK. CipherTrust Manager as well as Luna Network HSM can be used as a key source."),(0,n.kt)(r.Z,{embedId:"2TcaAjfqaEE",mdxType:"YoutubeEmbed"}),(0,n.kt)("h3",{id:"single-pane-of-glass-single-vendor"},"Single Pane of Glass, Single Vendor"),(0,n.kt)("p",null,"According to the Thales 2023 Data Threat Report, 93% of organizations use four or more key management solutions (includes enterprise key manager vendors and cloud provider key managers). CCKM manages all of your encryption keys across clouds and services with a single pane of glass from a trusted vendor."),(0,n.kt)("p",null,"CCKM integrated with Microsoft Azure, Azure Stack and Microsoft 365 increases efficiency by reducing the operational burden. Giving customers lifecycle control, centralized management within and among clouds, and unparalleled visibility of cloud encryption keys reduces key management complexity and operational costs. Thousands of keys and native key stores are difficult to manage manually, and organizations may be stretched to consistently apply key lifecycle management policies such as rotation, backup and role-based access management across their entire digital estate -- leading to security holes and failed audits. 
99% of data breaches occur because of human error. You can shrink the threat surface introduced by human error when you use centralized automated key lifecycle management provided by CCKM."),(0,n.kt)("h3",{id:"multi-cloud-support"},"Multi-Cloud Support"),(0,n.kt)("p",null,"Organizations with multi-cloud are struggling to protect their sensitive data, because while cloud delivers a multitude of benefits these can often be offset by a multitude of challenges. It can also be very time consuming to manage the different native stores and native key management tools across different clouds and on-premises since there is no industry standard. Based on customer testimonials, CCKM can provide a 30x savings in time and cost in managing thousands of native key stores across hybrid multi-cloud environments which can free up IT teams to focus on other urgent business priorities.\nOperational Sovereignty"),(0,n.kt)("p",null,"CCKM helps organizations to control their digital sovereignty across major public and government clouds including Microsoft Azure, Azure Government, Amazon Web Services, Google Cloud, Oracle Cloud, Salesforce and SAP. The solution enables you to run in different environments to support a strong business continuity plan. 
CCKM can provide an organization with a holistic view of where all key workloads and sensitive data are located."),(0,n.kt)("p",null,"Free Trial\nTry ",(0,n.kt)("a",{parentName:"p",href:"https://cpl.thalesgroup.com/encryption/data-protection-on-demand/marketplace"},(0,n.kt)("strong",{parentName:"a"},"Data Protection On Demand - 30-Day Free Evaluation!"))),(0,n.kt)("p",null,"For more information see the ",(0,n.kt)("a",{parentName:"p",href:"https://cpl.thalesgroup.com/resources/encryption/microsoft-azure-advanced-data-protection-solution-brief"},(0,n.kt)("strong",{parentName:"a"},"Product Brief"))," and ",(0,n.kt)("a",{parentName:"p",href:"https://cpl.thalesgroup.com/resources/encryption/cloud-key-management-ms-azure-solution-brief"},(0,n.kt)("strong",{parentName:"a"},"Solution Brief")),"."))}p.isMDXComponent=!0}}]); \ No newline at end of file diff --git a/ciphertrust/assets/js/runtime~main.80e90a6f.js b/ciphertrust/assets/js/runtime~main.c5483866.js similarity index 96% rename from ciphertrust/assets/js/runtime~main.80e90a6f.js rename to ciphertrust/assets/js/runtime~main.c5483866.js index e2b9bac..cb53011 100644 --- a/ciphertrust/assets/js/runtime~main.80e90a6f.js +++ b/ciphertrust/assets/js/runtime~main.c5483866.js 
@@ -1 +1 @@ -(()=>{"use strict";var e,c,a,t,r,f={},d={};function b(e){var c=d[e];if(void 0!==c)return c.exports;var a=d[e]={id:e,loaded:!1,exports:{}};return f[e].call(a.exports,a,a.exports,b),a.loaded=!0,a.exports}b.m=f,b.c=d,e=[],b.O=(c,a,t,r)=>{if(!a){var f=1/0;for(i=0;i=r)&&Object.keys(b.O).every((e=>b.O[e](a[o])))?a.splice(o--,1):(d=!1,r0&&e[i-1][2]>r;i--)e[i]=e[i-1];e[i]=[a,t,r]},b.n=e=>{var c=e&&e.__esModule?()=>e.default:()=>e;return b.d(c,{a:c}),c},a=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,b.t=function(e,t){if(1&t&&(e=this(e)),8&t)return e;if("object"==typeof e&&e){if(4&t&&e.__esModule)return e;if(16&t&&"function"==typeof e.then)return e}var r=Object.create(null);b.r(r);var f={};c=c||[null,a({}),a([]),a(a)];for(var d=2&t&&e;"object"==typeof d&&!~c.indexOf(d);d=a(d))Object.getOwnPropertyNames(d).forEach((c=>f[c]=()=>e[c]));return f.default=()=>e,b.d(r,f),r},b.d=(e,c)=>{for(var a in c)b.o(c,a)&&!b.o(e,a)&&Object.defineProperty(e,a,{enumerable:!0,get:c[a]})},b.f={},b.e=e=>Promise.all(Object.keys(b.f).reduce(((c,a)=>(b.f[a](e,c),c)),[])),b.u=e=>"assets/js/"+({53:"935f2afb",203:"52854e8f",1043:"22cd19bf",1358:"0c214d16",1604:"862626df",1644:"a955af46",1649:"1688fa11",2523:"bb1859e7",2535:"814f3328",2760:"be481ab4",2866:"d603fc62",2949:"04c30974",3089:"a6aa9e1f",3328:"fe565dc4",3405:"0f6413e7",3608:"9e4087bc",3989:"3cab881f",4013:"01a85c17",4017:"540b9e49",4162:"6dcd78e6",4195:"c4f5d8e4",4341:"ce5a9562",4487:"757f0b20",4492:"91df1172",4518:"4ae8f3d8",4662:"bc6e5f49",4759:"d4c97804",5003:"c0ecb8ca",5217:"d3b3a346",5475:"7543aaf2",5556:"3ed7ca38",5904:"4ea4685a",6102:"6cdd39df",6103:"ccc49370",6228:"1c40f8c9",6343:"ba476f62",6537:"e5fb1c1a",7162:"21207236",7419:"cd42dee7",7472:"26f42c93",7771:"ca1191cf",7918:"17896441",8306:"c87c0f6e",8406:"69b9b6ab",8593:"353cbcd5",8610:"6875c492",8623:"efabb5b9",8919:"c3b78955",9024:"ee0ad4c4",9062:"44323124",9514:"1be78505",9671:"0e384e19",9684:"adb1ce2e",9817:"14eb3368",9890:"8deef219"}[e]||e)+"."+{53:"
a3ba8b63",203:"a282f9cd",1043:"5b261162",1358:"65308b0e",1604:"5de4452e",1644:"daf89583",1649:"fa21f5fc",2523:"620068ac",2535:"b9dcde67",2760:"c1708c0a",2866:"93a2dce6",2949:"375142e3",3089:"a59b6240",3328:"28c6aa68",3405:"49de6447",3608:"e00963bb",3989:"76796767",4013:"730442dc",4017:"28ae06a6",4162:"01c56380",4195:"cf6f361a",4341:"673d401c",4487:"0764d89a",4492:"1ff65661",4518:"f6e7f9cf",4662:"0dc5eb21",4759:"06d3a425",4972:"70dfa86a",5003:"277fb00d",5217:"d5e04927",5475:"7f378e74",5556:"a0fb190d",5904:"3041c063",6048:"1fa00ef9",6102:"d808e042",6103:"a04a9b88",6228:"87e92fa0",6343:"40f0f956",6537:"04dd07d8",6706:"feac68c1",7162:"59567df6",7419:"c6a78d2d",7472:"0aba38ed",7771:"4d24dbd0",7918:"794fd3ac",8306:"7df4af96",8406:"f70013a9",8593:"b859d460",8610:"7dbfa267",8623:"2deead35",8919:"428f5642",9024:"99f24d23",9062:"1857ddb9",9514:"b9526ad6",9671:"97822535",9684:"343667de",9785:"e5e9bbef",9817:"7e910f19",9890:"c22bc285"}[e]+".js",b.miniCssF=e=>{},b.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),b.o=(e,c)=>Object.prototype.hasOwnProperty.call(e,c),t={},r="docusaurus:",b.l=(e,c,a,f)=>{if(t[e])t[e].push(c);else{var d,o;if(void 0!==a)for(var n=document.getElementsByTagName("script"),i=0;i{d.onerror=d.onload=null,clearTimeout(s);var r=t[e];if(delete t[e],d.parentNode&&d.parentNode.removeChild(d),r&&r.forEach((e=>e(a))),c)return c(a)},s=setTimeout(l.bind(null,void 0,{type:"timeout",target:d}),12e4);d.onerror=l.bind(null,d.onerror),d.onload=l.bind(null,d.onload),o&&document.head.appendChild(d)}},b.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},b.p="/ciphertrust/",b.gca=function(e){return 
e={17896441:"7918",21207236:"7162",44323124:"9062","935f2afb":"53","52854e8f":"203","22cd19bf":"1043","0c214d16":"1358","862626df":"1604",a955af46:"1644","1688fa11":"1649",bb1859e7:"2523","814f3328":"2535",be481ab4:"2760",d603fc62:"2866","04c30974":"2949",a6aa9e1f:"3089",fe565dc4:"3328","0f6413e7":"3405","9e4087bc":"3608","3cab881f":"3989","01a85c17":"4013","540b9e49":"4017","6dcd78e6":"4162",c4f5d8e4:"4195",ce5a9562:"4341","757f0b20":"4487","91df1172":"4492","4ae8f3d8":"4518",bc6e5f49:"4662",d4c97804:"4759",c0ecb8ca:"5003",d3b3a346:"5217","7543aaf2":"5475","3ed7ca38":"5556","4ea4685a":"5904","6cdd39df":"6102",ccc49370:"6103","1c40f8c9":"6228",ba476f62:"6343",e5fb1c1a:"6537",cd42dee7:"7419","26f42c93":"7472",ca1191cf:"7771",c87c0f6e:"8306","69b9b6ab":"8406","353cbcd5":"8593","6875c492":"8610",efabb5b9:"8623",c3b78955:"8919",ee0ad4c4:"9024","1be78505":"9514","0e384e19":"9671",adb1ce2e:"9684","14eb3368":"9817","8deef219":"9890"}[e]||e,b.p+b.u(e)},(()=>{var e={1303:0,532:0};b.f.j=(c,a)=>{var t=b.o(e,c)?e[c]:void 0;if(0!==t)if(t)a.push(t[2]);else if(/^(1303|532)$/.test(c))e[c]=0;else{var r=new Promise(((a,r)=>t=e[c]=[a,r]));a.push(t[2]=r);var f=b.p+b.u(c),d=new Error;b.l(f,(a=>{if(b.o(e,c)&&(0!==(t=e[c])&&(e[c]=void 0),t)){var r=a&&("load"===a.type?"missing":a.type),f=a&&a.target&&a.target.src;d.message="Loading chunk "+c+" failed.\n("+r+": "+f+")",d.name="ChunkLoadError",d.type=r,d.request=f,t[1](d)}}),"chunk-"+c,c)}},b.O.j=c=>0===e[c];var c=(c,a)=>{var t,r,f=a[0],d=a[1],o=a[2],n=0;if(f.some((c=>0!==e[c]))){for(t in d)b.o(d,t)&&(b.m[t]=d[t]);if(o)var i=o(b)}for(c&&c(a);n{"use strict";var e,c,a,t,r,f={},d={};function b(e){var c=d[e];if(void 0!==c)return c.exports;var a=d[e]={id:e,loaded:!1,exports:{}};return f[e].call(a.exports,a,a.exports,b),a.loaded=!0,a.exports}b.m=f,b.c=d,e=[],b.O=(c,a,t,r)=>{if(!a){var f=1/0;for(i=0;i=r)&&Object.keys(b.O).every((e=>b.O[e](a[o])))?a.splice(o--,1):(d=!1,r0&&e[i-1][2]>r;i--)e[i]=e[i-1];e[i]=[a,t,r]},b.n=e=>{var 
c=e&&e.__esModule?()=>e.default:()=>e;return b.d(c,{a:c}),c},a=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,b.t=function(e,t){if(1&t&&(e=this(e)),8&t)return e;if("object"==typeof e&&e){if(4&t&&e.__esModule)return e;if(16&t&&"function"==typeof e.then)return e}var r=Object.create(null);b.r(r);var f={};c=c||[null,a({}),a([]),a(a)];for(var d=2&t&&e;"object"==typeof d&&!~c.indexOf(d);d=a(d))Object.getOwnPropertyNames(d).forEach((c=>f[c]=()=>e[c]));return f.default=()=>e,b.d(r,f),r},b.d=(e,c)=>{for(var a in c)b.o(c,a)&&!b.o(e,a)&&Object.defineProperty(e,a,{enumerable:!0,get:c[a]})},b.f={},b.e=e=>Promise.all(Object.keys(b.f).reduce(((c,a)=>(b.f[a](e,c),c)),[])),b.u=e=>"assets/js/"+({53:"935f2afb",203:"52854e8f",1043:"22cd19bf",1358:"0c214d16",1604:"862626df",1644:"a955af46",1649:"1688fa11",2523:"bb1859e7",2535:"814f3328",2760:"be481ab4",2866:"d603fc62",2949:"04c30974",3089:"a6aa9e1f",3328:"fe565dc4",3405:"0f6413e7",3608:"9e4087bc",3989:"3cab881f",4013:"01a85c17",4017:"540b9e49",4162:"6dcd78e6",4195:"c4f5d8e4",4341:"ce5a9562",4487:"757f0b20",4492:"91df1172",4518:"4ae8f3d8",4662:"bc6e5f49",4759:"d4c97804",5003:"c0ecb8ca",5217:"d3b3a346",5475:"7543aaf2",5556:"3ed7ca38",5904:"4ea4685a",6102:"6cdd39df",6103:"ccc49370",6228:"1c40f8c9",6343:"ba476f62",6537:"e5fb1c1a",7162:"21207236",7419:"cd42dee7",7472:"26f42c93",7771:"ca1191cf",7918:"17896441",8306:"c87c0f6e",8406:"69b9b6ab",8593:"353cbcd5",8610:"6875c492",8623:"efabb5b9",8919:"c3b78955",9024:"ee0ad4c4",9062:"44323124",9514:"1be78505",9671:"0e384e19",9684:"adb1ce2e",9817:"14eb3368",9890:"8deef219"}[e]||e)+"."+{53:"a3ba8b63",203:"a282f9cd",1043:"5b261162",1358:"65308b0e",1604:"5de4452e",1644:"daf89583",1649:"fa21f5fc",2523:"620068ac",2535:"b9dcde67",2760:"c1708c0a",2866:"93a2dce6",2949:"375142e3",3089:"a59b6240",3328:"89dd5bee",3405:"49de6447",3608:"e00963bb",3989:"76796767",4013:"730442dc",4017:"28ae06a6",4162:"d784f411",4195:"cf6f361a",4341:"673d401c",4487:"0764d89a",4492:"1ff65661",4518:"f6e7f9cf",4662:"0d
c5eb21",4759:"06d3a425",4972:"70dfa86a",5003:"277fb00d",5217:"d5e04927",5475:"7f378e74",5556:"a0fb190d",5904:"3041c063",6048:"1fa00ef9",6102:"d808e042",6103:"a04a9b88",6228:"87e92fa0",6343:"40f0f956",6537:"04dd07d8",6706:"feac68c1",7162:"59567df6",7419:"c6a78d2d",7472:"0aba38ed",7771:"3647c38f",7918:"794fd3ac",8306:"7df4af96",8406:"f70013a9",8593:"b859d460",8610:"7dbfa267",8623:"2deead35",8919:"428f5642",9024:"99f24d23",9062:"1857ddb9",9514:"b9526ad6",9671:"97822535",9684:"343667de",9785:"e5e9bbef",9817:"7e910f19",9890:"c22bc285"}[e]+".js",b.miniCssF=e=>{},b.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),b.o=(e,c)=>Object.prototype.hasOwnProperty.call(e,c),t={},r="docusaurus:",b.l=(e,c,a,f)=>{if(t[e])t[e].push(c);else{var d,o;if(void 0!==a)for(var n=document.getElementsByTagName("script"),i=0;i{d.onerror=d.onload=null,clearTimeout(s);var r=t[e];if(delete t[e],d.parentNode&&d.parentNode.removeChild(d),r&&r.forEach((e=>e(a))),c)return c(a)},s=setTimeout(l.bind(null,void 0,{type:"timeout",target:d}),12e4);d.onerror=l.bind(null,d.onerror),d.onload=l.bind(null,d.onload),o&&document.head.appendChild(d)}},b.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},b.p="/ciphertrust/",b.gca=function(e){return 
e={17896441:"7918",21207236:"7162",44323124:"9062","935f2afb":"53","52854e8f":"203","22cd19bf":"1043","0c214d16":"1358","862626df":"1604",a955af46:"1644","1688fa11":"1649",bb1859e7:"2523","814f3328":"2535",be481ab4:"2760",d603fc62:"2866","04c30974":"2949",a6aa9e1f:"3089",fe565dc4:"3328","0f6413e7":"3405","9e4087bc":"3608","3cab881f":"3989","01a85c17":"4013","540b9e49":"4017","6dcd78e6":"4162",c4f5d8e4:"4195",ce5a9562:"4341","757f0b20":"4487","91df1172":"4492","4ae8f3d8":"4518",bc6e5f49:"4662",d4c97804:"4759",c0ecb8ca:"5003",d3b3a346:"5217","7543aaf2":"5475","3ed7ca38":"5556","4ea4685a":"5904","6cdd39df":"6102",ccc49370:"6103","1c40f8c9":"6228",ba476f62:"6343",e5fb1c1a:"6537",cd42dee7:"7419","26f42c93":"7472",ca1191cf:"7771",c87c0f6e:"8306","69b9b6ab":"8406","353cbcd5":"8593","6875c492":"8610",efabb5b9:"8623",c3b78955:"8919",ee0ad4c4:"9024","1be78505":"9514","0e384e19":"9671",adb1ce2e:"9684","14eb3368":"9817","8deef219":"9890"}[e]||e,b.p+b.u(e)},(()=>{var e={1303:0,532:0};b.f.j=(c,a)=>{var t=b.o(e,c)?e[c]:void 0;if(0!==t)if(t)a.push(t[2]);else if(/^(1303|532)$/.test(c))e[c]=0;else{var r=new Promise(((a,r)=>t=e[c]=[a,r]));a.push(t[2]=r);var f=b.p+b.u(c),d=new Error;b.l(f,(a=>{if(b.o(e,c)&&(0!==(t=e[c])&&(e[c]=void 0),t)){var r=a&&("load"===a.type?"missing":a.type),f=a&&a.target&&a.target.src;d.message="Loading chunk "+c+" failed.\n("+r+": "+f+")",d.name="ChunkLoadError",d.type=r,d.request=f,t[1](d)}}),"chunk-"+c,c)}},b.O.j=c=>0===e[c];var c=(c,a)=>{var t,r,f=a[0],d=a[1],o=a[2],n=0;if(f.some((c=>0!==e[c]))){for(t in d)b.o(d,t)&&(b.m[t]=d[t]);if(o)var i=o(b)}for(c&&c(a);n CipherTrust and Active Directory | CipherTrust Learn - +

CipherTrust and Active Directory

· 2 min read
Hal Yaman (B.Sc)

Note - this article was originally posted on Hal's blog on March 21, 2023 under the title "Thales CipherTrust & Active Directory."

Into Image Why should you integrate Thales CipherTrust with your Microsoft Active Directory? What are the benefits of integration, and how is it done? Does Thales CipherTrust Manager (CTM) replace your Active Directory Group policy?

In the previous blog post, we went through the deployment of the CipherTrust Manager in our VMware environment. In today’s post, we will focus our discussion on how to integrate the newly provisioned OVA with the company Active Directory, a necessary step for activities we will discuss in our future posts.

The Why

To streamline the management of your company’s security requirements, and to easily manage your access and control of the company files and directories, it is a good idea to integrate CTM with Active Directory as a source of user management. By doing this, you can assign your policies more easily by basing them on the company AD Users and Groups.

The How

Now let’s focus on the fun technical part, the integration. The first step before we start the configuration is to get some information from AD; so, let’s run the following PowerShell command to retrieve the necessary information for our configuration: Get ADuser

The output will be as shown below:

AD Info

After you have retrieved the above information, we are ready to head back to our CTM and browse to: Access Management -> LDAP. From the top right corner, select “+ Add LDAP“:

CTM_LDAP

On the pop-up config windows, provide the following information:

  • Connection Name: any
  • Server URL: your AD IP/DNS name
  • Bind DN: CN=Administrator,CN=Users,DC=oasis,DC=org
  • Server Bind Password: account password
  • Rood DN: DC=oasis,DC=org
  • User login name attribute: sAMAccountName AD_Bind-1

After you have tested the configurations to be correct and are ready to accept it, click on the “Add LDAP” button at the bottom right corner.

Conclusion

Today’s blog is very important; this post is setting the foundation for our next exciting topic, Thales Transparent Encryption feature. As you may have noticed, to integrate the CTM with AD is a very simple, but important operation. Next week, we going to use the configuration setup today to access and encrypt the company’s critical data.

- + \ No newline at end of file diff --git a/ciphertrust/blog/Data-Security-in-DevOps/index.html b/ciphertrust/blog/Data-Security-in-DevOps/index.html index 088a9e8..4ea89a3 100644 --- a/ciphertrust/blog/Data-Security-in-DevOps/index.html +++ b/ciphertrust/blog/Data-Security-in-DevOps/index.html @@ -5,7 +5,7 @@ Data Security without DevOps Disruption | CipherTrust Learn - + @@ -21,7 +21,7 @@ CTE_Client

Creating Policies:

After deploying the agent and connecting it to the CTM, we can focus on creating our polices. As we have four different teams in our example, lets create four policies as shown below:

  • DevOps_Admin_Team: Access and manage files and directories but can read files content
  • DevOps_Dev_Team: access only Development directory
  • DevOps_Ops_Policy: access only operation directory
  • DevOps_QA_Team: access only QA diretory

Let’s create first policy, the DevOps_Admin_Team policy by browsing to “Transparent Encryption -> Policies -> Create policy“:

  • Name: DevOps_Admin_Team
  • Policy Type: Live Data Transformation
  • Security Rules: + Create Security Rule
    • User Set – Select – Create User Set:
      • Name: Admin_Team
      • Create User
        • Agent – select Agent
        • User Type: LDAP
        • Member Choice: User or Group (on my case I choose group)
        • gname: group name
      • Note: repeat the above steps to create all the users for each group (i.e: Admin, Dev, Ops and QA team. on each time you need to create a policy you can easily choose the appropriate group or user)
    • Action – Select
      • All_Ops
    • Effect – Select
      • select permit
      • ApplyKey only of other group but not Admin group as the admin will not be able to unencrypt the data so a key not required
  • Key Rules: Create key Rule
    • Current Key Name: Select – “clear_key”
    • Tranformation Key Name: Select – LTD_Key
    • Add
  • Next – Confirmation – Save

Note: repeat the above steps for all the groups

Create GuardPoint

Our last step is to apply these policies to our folders or client. In this example, I will be using a Windows client. So let’s get started:

As we have different teams and policies, each with different access, we must create a different client GuardPoint. Browse to Transparent Encryption -> Clients. Choose the client – “Create GuardPoint“:

  • Select Policy: choose DevOps_QA_Team
  • Path: browse to the QA directory and select “select Path”
  • Create

Note: repeat for each team and select the appropriate directory Create_GuardPoint

After all the directories are assigned to a group – on each GuardPoint – press the policy name and add the right action for each team as shown below; for example:

  • Development_Team can access, and apply key
  • Operation_Team no access
  • Admin_Team access but no key DevOps_Permission_Group

Note: repeat for all other GuardPoints

Summary

After Following the steps described above, you can check that your new configuration works by accessing your Windows machine with a different user; for example, QA, dev, ops or admin, then check to see if you can access or read the files. The above steps are a little involved, more than Active Directory Group Policies; but with CipherTrust you also get the encryption aspect with a full and controlled separation of responsibilities.

Company A was able to achieve their client’s security request; but at the same time, did not affect the team processes, autonomy, and control. At both levels, Company A IT and DevOps, it was a win – win situation.

- + \ No newline at end of file diff --git a/ciphertrust/blog/HYOK-in-Azure/index.html b/ciphertrust/blog/HYOK-in-Azure/index.html index 84283ab..baa530a 100644 --- a/ciphertrust/blog/HYOK-in-Azure/index.html +++ b/ciphertrust/blog/HYOK-in-Azure/index.html @@ -5,15 +5,15 @@ HYOK Cloud Key Management Solution for Azure | CipherTrust Learn - +

HYOK Cloud Key Management Solution for Azure

· 5 min read
Scotti Woolery-Price

Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." The video was added for this post.

Uncover Your Cybersecurity Blind Spots

Cybersecurity is a strategic risk that should be managed at the highest levels of an organization. In fact, the World Economic Forum’s Global Risk Report 2023 again ranked wide-spread cybercrime as a top-ten critical global threat. Of all the potential global risks to economies and societies including natural disasters, geopolitical conflict, energy supply, global debt and rising inflation, widespread cybercrime ranks #8 on both short term and long-term outlooks.

Ranking in the top ten critical global threats is eye-opening! To help mitigate the risk and unshroud organizational blind spots, today’s enterprises must look for leading-edge solutions that help with data governance and compliance.

Thales Solutions for Microsoft Azure, Azure Stack and M365

You can simplify the way your organization discovers, protects, and controls your sensitive data. With our platform, Thales has integrated the CipherTrust Cloud Key Management (CCKM) solution with Microsoft Azure, Azure Stack and Microsoft 365.

CCKM reduces your operational burden and increases efficiency. CCKM manages and synchronizes native keys, even if you have already created thousands of native cloud keys at your cloud provider. CCKM can help customers demonstrate compliance with internal, industry and national regulatory requirements so that you have the confidence to unblock sensitive workloads that may be stuck on-premises and move them to Azure.

CCKM Benefits:

  • Simplify compliance by taking control of your encryption keys and your data
  • Achieve cost savings using automated key lifecycle management
  • Single pane of glass to help eliminate security holes introduced by human error -- set policies to be applied consistently wherever data is stored
  • Support strategies for workload portability to increase operational resilience as part of a robust business continuity and disaster recovery plan
  • Support all major public clouds
  • Flexible deployment options: on-premises, hybrid cloud, and as a Service

“Thales is a global Microsoft partner focused on delivering solutions for Azure Cloud, Azure Stack and M365, on-premises storage systems, intelligent edge appliances, and cloud-based Microsoft Azure Services. They are working to help customers transform their businesses to drive digital transformation for people, organizations, and industries worldwide. CipherTrust Cloud Key Management has been verified against Microsoft key products, is available on the Azure Marketplace and is simple to adopt for Azure customers.” – David Nunez Tejerina, Principal Product Manager, Microsoft

Bring Your Own Key

With Thales’ Bring Your Own Key (BYOK) functionality, customers can maintain control of sensitive data using external key management services ensuring full encryption capabilities, key lifecycle management, and centralized key management across clouds, regions, accounts, subscriptions, projects, applications, org ids and more. CCKM helps manage native Azure keys, Standard/Premium Key Vaults as well as Managed HSM pools, in addition to BYOK. CipherTrust Manager as well as Luna Network HSM can be used as a key source.

Single Pane of Glass, Single Vendor

According to the Thales 2023 Data Threat Report, 93% of organizations use four or more key management solutions (includes enterprise key manager vendors and cloud provider key managers). CCKM manages all of your encryption keys across clouds and services with a single pane of glass from a trusted vendor.

CCKM integrated with Microsoft Azure, Azure Stack and Microsoft 365 increases efficiency by reducing the operational burden. Giving customers lifecycle control, centralized management within and among clouds, and unparalleled visibility of cloud encryption keys reduces key management complexity and operational costs. Thousands of keys and native key stores are difficult to manage manually, and organizations may be stretched to consistently apply key lifecycle management policies such as rotation, backup and role-based access management across their entire digital estate -- leading to security holes and failed audits. 99% of data breaches occur because of human error. You can shrink the threat surface introduced by human error when you use centralized automated key lifecycle management provided by CCKM.

Multi-Cloud Support

Organizations with multi-cloud are struggling to protect their sensitive data, because while cloud delivers a multitude of benefits these can often be offset by a multitude of challenges. It can also be very time consuming to manage the different native stores and native key management tools across different clouds and on-premises since there is no industry standard. Based on customer testimonials, CCKM can provide a 30x savings in time and cost in managing thousands of native key stores across hybrid multi-cloud environments which can free up IT teams to focus on other urgent business priorities. Operational Sovereignty

CCKM helps organizations to control their digital sovereignty across major public and government clouds including Microsoft Azure, Azure Government, Amazon Web Services, Google Cloud, Oracle Cloud, Salesforce and SAP. The solution enables you to run in different environments to support a strong business continuity plan. CCKM can provide an organization with a holistic view of where all key workloads and sensitive data are located.

Free Trial -Try Data Protection On Demand - 30-Day Free Evaluation

For more information see the Product Brief and Solution Brief

- +Try Data Protection On Demand - 30-Day Free Evaluation!

For more information see the Product Brief and Solution Brief.

+ \ No newline at end of file diff --git a/ciphertrust/blog/a-guide-to-encryption-architectures/index.html b/ciphertrust/blog/a-guide-to-encryption-architectures/index.html index 35dcb74..7df0d83 100644 --- a/ciphertrust/blog/a-guide-to-encryption-architectures/index.html +++ b/ciphertrust/blog/a-guide-to-encryption-architectures/index.html @@ -5,13 +5,13 @@ A Guide to Data Security Architectures | CipherTrust Learn - +

A Guide to Data Security Architectures

· 3 min read
Pranav Shikarpur

Building and deploying applications and services is super exciting. Still, when your security team prevents your application from going into production due to a lack of data encryption — this can be very annoying.

Let’s take a look at the different data encryption methods that are most commonly used and how we can implement some of them.

Data encrypted at-rest vs in-transit?

Well, it’s often hard to choose between encrypting a complete Postgres database or encrypting only specific fields of data in the database right before it gets written to a table.

The key difference between the two is that encrypting a database after data is written to it is called data encryption at rest and encrypting data before data is written to a database is called data encryption in-transit.

The illustration below should give you a good high-level understanding of the difference. Although data encryption at-rest was a standard encryption practice followed for many years, it involves developers writing and maintaining various different scripts or applications to ensure that the encryption is up to company standards. It is still useful while encrypting file systems and storage. On the other hand, data encryption in-transit is a lot more beneficial at times when you want to make your infrastructure database agnostic and provide high-security standards with significantly low developer effort.

Data Encryption at REST Architecture

Note that from the above diagram we can see that the method of encrypting data in-transit uses a side-car container which is a proxy used to intercept every request with sensitive fields or encrypted data and encrypt or decrypt the same respectively.

Data Encryption in-transit Architecture

Advantages of Data Encryption in-Transit

✅ No change to applications

The beauty of doing data-encryption in transit is that you don’t need to worry about changing any of your frontend apps, APIs, or databases. Since the side-car container does field-level encryption, you can granularly control all the data that needs to be encrypted and decrypted by remotely setting access policies from your key manager.

✅ Easy to deploy

Deploying a Data Protection Gateway side-car container is as easy to deploy as logging agents such as DataDog or Prometheus. You can just update your docker-compose, Kubernetes config files or just use Helm to install it.

✅ Developers can stop implementing data security policies

Now you can shift the responsibility of setting and implementing data security policies from developers over to InfoSec teams. This significantly helps prevent data breaches or unauthorized data access.

Disadvantages of Data Encryption in-Transit

Data encryption is only as strong as policies set

This applies to any method of data encryption. However, when we perform field-level encryption and decryption, InfoSec teams need to be aware of all data flowing through various API routes to prevent data breaches and unauthorized access to unencrypted data.


How Do I Implement Data Encryption in-Transit?

You’re in luck 🙌 because I have a tutorial showing you how to easily implement data encryption in-transit with any of your containerized applications.

In this tutorial, I have used CipherTrust Manager’s Data Protection Gateway product which is extremely easy to set up and free to start using👇


Now go ahead and encrypt data in-transit from all your applications using side-car containers.

If you have any issues with implementation or questions about data encryption in-transit, feel free to leave a comment, tweet @snpranav, or raise a GitHub issue :)

- + \ No newline at end of file diff --git a/ciphertrust/blog/archive/index.html b/ciphertrust/blog/archive/index.html index a4ec17b..07ad473 100644 --- a/ciphertrust/blog/archive/index.html +++ b/ciphertrust/blog/archive/index.html @@ -5,13 +5,13 @@ Archive | CipherTrust Learn - + - + \ No newline at end of file diff --git a/ciphertrust/blog/atom.xml b/ciphertrust/blog/atom.xml index 9a9ddf5..1c81fb8 100644 --- a/ciphertrust/blog/atom.xml +++ b/ciphertrust/blog/atom.xml @@ -15,7 +15,7 @@ Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." The video was added for this post.

Uncover Your Cybersecurity Blind Spots

Cybersecurity is a strategic risk that should be managed at the highest levels of an organization. In fact, the World Economic Forum’s Global Risk Report 2023 again ranked wide-spread cybercrime as a top-ten critical global threat. Of all the potential global risks to economies and societies including natural disasters, geopolitical conflict, energy supply, global debt and rising inflation, widespread cybercrime ranks #8 on both short term and long-term outlooks.

Ranking in the top ten critical global threats is eye-opening! To help mitigate the risk and unshroud organizational blind spots, today’s enterprises must look for leading-edge solutions that help with data governance and compliance.

Thales Solutions for Microsoft Azure, Azure Stack and M365

You can simplify the way your organization discovers, protects, and controls your sensitive data. With our platform, Thales has integrated the CipherTrust Cloud Key Management (CCKM) solution with Microsoft Azure, Azure Stack and Microsoft 365.

CCKM reduces your operational burden and increases efficiency. CCKM manages and synchronizes native keys, even if you have already created thousands of native cloud keys at your cloud provider. CCKM can help customers demonstrate compliance with internal, industry and national regulatory requirements so that you have the confidence to unblock sensitive workloads that may be stuck on-premises and move them to Azure.

CCKM Benefits:

  • Simplify compliance by taking control of your encryption keys and your data
  • Achieve cost savings using automated key lifecycle management
  • Single pane of glass to help eliminate security holes introduced by human error -- set policies to be applied consistently wherever data is stored
  • Support strategies for workload portability to increase operational resilience as part of a robust business continuity and disaster recovery plan
  • Support all major public clouds
  • Flexible deployment options: on-premises, hybrid cloud, and as a Service

“Thales is a global Microsoft partner focused on delivering solutions for Azure Cloud, Azure Stack and M365, on-premises storage systems, intelligent edge appliances, and cloud-based Microsoft Azure Services. They are working to help customers transform their businesses to drive digital transformation for people, organizations, and industries worldwide. CipherTrust Cloud Key Management has been verified against Microsoft key products, is available on the Azure Marketplace and is simple to adopt for Azure customers.” – David Nunez Tejerina, Principal Product Manager, Microsoft

Bring Your Own Key

With Thales’ Bring Your Own Key (BYOK) functionality, customers can maintain control of sensitive data using external key management services ensuring full encryption capabilities, key lifecycle management, and centralized key management across clouds, regions, accounts, subscriptions, projects, applications, org ids and more. CCKM helps manage native Azure keys, Standard/Premium Key Vaults as well as Managed HSM pools, in addition to BYOK. CipherTrust Manager as well as Luna Network HSM can be used as a key source.

Single Pane of Glass, Single Vendor

According to the Thales 2023 Data Threat Report, 93% of organizations use four or more key management solutions (includes enterprise key manager vendors and cloud provider key managers). CCKM manages all of your encryption keys across clouds and services with a single pane of glass from a trusted vendor.

CCKM integrated with Microsoft Azure, Azure Stack and Microsoft 365 increases efficiency by reducing the operational burden. Giving customers lifecycle control, centralized management within and among clouds, and unparalleled visibility of cloud encryption keys reduces key management complexity and operational costs. Thousands of keys and native key stores are difficult to manage manually, and organizations may be stretched to consistently apply key lifecycle management policies such as rotation, backup and role-based access management across their entire digital estate -- leading to security holes and failed audits. 99% of data breaches occur because of human error. You can shrink the threat surface introduced by human error when you use centralized automated key lifecycle management provided by CCKM.

Multi-Cloud Support

Organizations with multi-cloud are struggling to protect their sensitive data, because while cloud delivers a multitude of benefits these can often be offset by a multitude of challenges. It can also be very time consuming to manage the different native stores and native key management tools across different clouds and on-premises since there is no industry standard. Based on customer testimonials, CCKM can provide a 30x savings in time and cost in managing thousands of native key stores across hybrid multi-cloud environments which can free up IT teams to focus on other urgent business priorities. Operational Sovereignty

CCKM helps organizations to control their digital sovereignty across major public and government clouds including Microsoft Azure, Azure Government, Amazon Web Services, Google Cloud, Oracle Cloud, Salesforce and SAP. The solution enables you to run in different environments to support a strong business continuity plan. CCKM can provide an organization with a holistic view of where all key workloads and sensitive data are located.

Free Trial -Try Data Protection On Demand - 30-Day Free Evaluation

For more information see the Product Brief and Solution Brief

]]>
+Try Data Protection On Demand - 30-Day Free Evaluation!

For more information see the Product Brief and Solution Brief.

]]> Scotti Woolery-Price
diff --git a/ciphertrust/blog/choosing-a-key-manager/index.html b/ciphertrust/blog/choosing-a-key-manager/index.html
index c016cbb..e376f7a 100644
--- a/ciphertrust/blog/choosing-a-key-manager/index.html
+++ b/ciphertrust/blog/choosing-a-key-manager/index.html
@@ -5,13 +5,13 @@ A Guide to Picking the Right Key Manager for Your Org | CipherTrust Learn - +

A Guide to Picking the Right Key Manager for Your Org

· 4 min read
Pranav Shikarpur

Your company has a ton of daily active users and you have this amazingly efficient architecture to process requests at scale, but your InfoSec team asks you to use a key manager — there are so many out there, which one do you choose?

There are various different types of key managers, but in this post, we’ll cover the three most common key managers:

  • Native Cloud Key Managers (Ex — AWS KMS, GCP KMS, Azure Key Vault, etc.)

  • External Key Managers (Ex — Thales CipherTrust Manager, etc.)

  • Hybrid Key Managers (Use the best of both worlds — Cloud managed services and external key managers)

First, the literal key to security — HSMs

HSM stands for “Hardware Security Module”. These are physical devices that are usually tamper resistant which store keys and perform encrypt, decrypt and other cryptographic operations.

HSMs are needed in secure environments such as healthcare or financial institutions where you need to pass compliances such as PCI DSS.

Now Let’s Compare

Let’s look at the pros and cons of each to help you decide what would work best for your organization.

Cloud Key Managers

Easy Integration with Cloud Managed Services

When using cloud key managers like AWS KMS (Key Management Service) it can be advantageous as you get the flexibility of AWS managing your keys as well as direct integration into your existing AWS managed services such as AWS S3, or AWS RDS (Relational Database Service), etc.

HSMs provisioned and managed by a cloud provider (most of the time 🤞)

Most famous cloud providers have HSMs that they use in their data centers which store your keys, so you don’t have to worry about renting an HSM.

❌ No Separation of Trust 🕵️‍♀️

Since your cloud provider now hosts and controls your data and encryption keys. Your user data might not be as safe anymore as the cloud provider with malicious intent could easily decrypt your user data. This does not help in creating a zero-trust architecture. While it’s true that your cloud provider has your best interest; there are always hackers lurking around the internet trying to get malicious access to your data, so it’s best to store data in an isolated environment.

External Key Managers

✅ Complete Separation of Trust

When running a product such as CipherTrust Manager, your architectures are zero-trust by default as 2 different entities have access to either your data or your keys and NOT both.

❌ Build your own custom integrations

Unless the key manager service has connectors, many-a-times, you would need to build your own connectors which could put a lot of engineering debt on your teams.

⚠️ Need to rent out your own HSM

You’d need to manage your own HSM, but fortunately, there are service providers that will rent out and manage the HSMs (just like a cloud provider) — so this is neither a pro nor a con. A great example of a hosted HSM is the Luna HSM.

Best of Both Worlds 🤔

Yes, it’s possible! To implement the best data security practices, you would want the ease of integration with cloud-managed services as well as complete separation of trust to isolate encryption keys from data. This method is also called BYOK (bring your own key).

You can do this with products such as CipherTrust Manager Cloud Key Manager. This offers:

✅ Direct connection with cloud-managed KMS account

Once you connect your AWS or GCP or Azure account to CipherTrust Manager as shown in the tutorial linked below, you will be able to manage keys directly from CipherTrust Manager and encrypt data on cloud-managed services.

✅ Key Lifecycle Management in a few clicks

In just a few clicks you can setup key rotation which will rotate your keys every few months and provide the best data security standards for your organization.

How do I implement this?

Luckily, it’s easy to implement in 3 simple steps. Here’s a tutorial I made that demos connecting CipherTrust Manager to my AWS KMS (Key Management Service) account and encrypt my AWS managed services such as S3 and RDS.

Now go ahead and encrypt all your cloud-managed services using this hybrid BYOK approach!

If you have any issues with implementation or questions about data encryption, go to the CipherTrust community and post a quesiton.

- +
\ No newline at end of file
diff --git a/ciphertrust/blog/index.html b/ciphertrust/blog/index.html
index cd0bc94..7c657f9 100644
--- a/ciphertrust/blog/index.html
+++ b/ciphertrust/blog/index.html
@@ -5,14 +5,14 @@ Blog | CipherTrust Learn - +

· 5 min read
Scotti Woolery-Price

Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." The video was added for this post.

Uncover Your Cybersecurity Blind Spots

Cybersecurity is a strategic risk that should be managed at the highest levels of an organization. In fact, the World Economic Forum’s Global Risk Report 2023 again ranked wide-spread cybercrime as a top-ten critical global threat. Of all the potential global risks to economies and societies including natural disasters, geopolitical conflict, energy supply, global debt and rising inflation, widespread cybercrime ranks #8 on both short term and long-term outlooks.

Ranking in the top ten critical global threats is eye-opening! To help mitigate the risk and unshroud organizational blind spots, today’s enterprises must look for leading-edge solutions that help with data governance and compliance.

Thales Solutions for Microsoft Azure, Azure Stack and M365

You can simplify the way your organization discovers, protects, and controls your sensitive data. With our platform, Thales has integrated the CipherTrust Cloud Key Management (CCKM) solution with Microsoft Azure, Azure Stack and Microsoft 365.

CCKM reduces your operational burden and increases efficiency. CCKM manages and synchronizes native keys, even if you have already created thousands of native cloud keys at your cloud provider. CCKM can help customers demonstrate compliance with internal, industry and national regulatory requirements so that you have the confidence to unblock sensitive workloads that may be stuck on-premises and move them to Azure.

CCKM Benefits:

  • Simplify compliance by taking control of your encryption keys and your data
  • Achieve cost savings using automated key lifecycle management
  • Single pane of glass to help eliminate security holes introduced by human error -- set policies to be applied consistently wherever data is stored
  • Support strategies for workload portability to increase operational resilience as part of a robust business continuity and disaster recovery plan
  • Support all major public clouds
  • Flexible deployment options: on-premises, hybrid cloud, and as a Service

“Thales is a global Microsoft partner focused on delivering solutions for Azure Cloud, Azure Stack and M365, on-premises storage systems, intelligent edge appliances, and cloud-based Microsoft Azure Services. They are working to help customers transform their businesses to drive digital transformation for people, organizations, and industries worldwide. CipherTrust Cloud Key Management has been verified against Microsoft key products, is available on the Azure Marketplace and is simple to adopt for Azure customers.” – David Nunez Tejerina, Principal Product Manager, Microsoft

Bring Your Own Key

With Thales’ Bring Your Own Key (BYOK) functionality, customers can maintain control of sensitive data using external key management services ensuring full encryption capabilities, key lifecycle management, and centralized key management across clouds, regions, accounts, subscriptions, projects, applications, org ids and more. CCKM helps manage native Azure keys, Standard/Premium Key Vaults as well as Managed HSM pools, in addition to BYOK. CipherTrust Manager as well as Luna Network HSM can be used as a key source.

Single Pane of Glass, Single Vendor

According to the Thales 2023 Data Threat Report, 93% of organizations use four or more key management solutions (includes enterprise key manager vendors and cloud provider key managers). CCKM manages all of your encryption keys across clouds and services with a single pane of glass from a trusted vendor.

CCKM integrated with Microsoft Azure, Azure Stack and Microsoft 365 increases efficiency by reducing the operational burden. Giving customers lifecycle control, centralized management within and among clouds, and unparalleled visibility of cloud encryption keys reduces key management complexity and operational costs. Thousands of keys and native key stores are difficult to manage manually, and organizations may be stretched to consistently apply key lifecycle management policies such as rotation, backup and role-based access management across their entire digital estate -- leading to security holes and failed audits. 99% of data breaches occur because of human error. You can shrink the threat surface introduced by human error when you use centralized automated key lifecycle management provided by CCKM.

Multi-Cloud Support

Organizations with multi-cloud are struggling to protect their sensitive data, because while cloud delivers a multitude of benefits these can often be offset by a multitude of challenges. It can also be very time consuming to manage the different native stores and native key management tools across different clouds and on-premises since there is no industry standard. Based on customer testimonials, CCKM can provide a 30x savings in time and cost in managing thousands of native key stores across hybrid multi-cloud environments which can free up IT teams to focus on other urgent business priorities. Operational Sovereignty

CCKM helps organizations to control their digital sovereignty across major public and government clouds including Microsoft Azure, Azure Government, Amazon Web Services, Google Cloud, Oracle Cloud, Salesforce and SAP. The solution enables you to run in different environments to support a strong business continuity plan. CCKM can provide an organization with a holistic view of where all key workloads and sensitive data are located.

Free Trial -Try Data Protection On Demand - 30-Day Free Evaluation

For more information see the Product Brief and Solution Brief

· 2 min read
Hal Yaman (B.Sc)

Note - this article was originally posted on Hal's blog on March 21, 2023 under the title "Thales CipherTrust & Active Directory."

Into Image Why should you integrate Thales CipherTrust with your Microsoft Active Directory? What are the benefits of integration, and how is it done? Does Thales CipherTrust Manager (CTM) replace your Active Directory Group policy?

In the previous blog post, we went through the deployment of the CipherTrust Manager in our VMware environment. In today’s post, we will focus our discussion on how to integrate the newly provisioned OVA with the company Active Directory, a necessary step for activities we will discuss in our future posts.

The Why

To streamline the management of your company’s security requirements, and to easily manage your access and control of the company files and directories, it is a good idea to integrate CTM with Active Directory as a source of user management. By doing this, you can assign your policies more easily by basing them on the company AD Users and Groups.

The How

Now let’s focus on the fun technical part, the integration. The first step before we start the configuration is to get some information from AD; so, let’s run the following PowerShell command to retrieve the necessary information for our configuration: Get ADuser

The output will be as shown below:

AD Info

After you have retrieved the above information, we are ready to head back to our CTM and browse to: Access Management -> LDAP. From the top right corner, select “+ Add LDAP“:

CTM_LDAP

On the pop-up config windows, provide the following information:

· 2 min read
Hal Yaman (B.Sc)

Note - this article was originally posted on Hal's blog on March 21, 2023 under the title "Thales CipherTrust & Active Directory."

Into Image Why should you integrate Thales CipherTrust with your Microsoft Active Directory? What are the benefits of integration, and how is it done? Does Thales CipherTrust Manager (CTM) replace your Active Directory Group policy?

In the previous blog post, we went through the deployment of the CipherTrust Manager in our VMware environment. In today’s post, we will focus our discussion on how to integrate the newly provisioned OVA with the company Active Directory, a necessary step for activities we will discuss in our future posts.

The Why

To streamline the management of your company’s security requirements, and to easily manage your access and control of the company files and directories, it is a good idea to integrate CTM with Active Directory as a source of user management. By doing this, you can assign your policies more easily by basing them on the company AD Users and Groups.

The How

Now let’s focus on the fun technical part, the integration. The first step before we start the configuration is to get some information from AD; so, let’s run the following PowerShell command to retrieve the necessary information for our configuration: Get ADuser

The output will be as shown below:

AD Info

After you have retrieved the above information, we are ready to head back to our CTM and browse to: Access Management -> LDAP. From the top right corner, select “+ Add LDAP“:

CTM_LDAP

On the pop-up config windows, provide the following information:

  • Connection Name: any
  • Server URL: your AD IP/DNS name
  • Bind DN: CN=Administrator,CN=Users,DC=oasis,DC=org
  • Server Bind Password: account password
  • Rood DN: DC=oasis,DC=org
  • User login name attribute: sAMAccountName AD_Bind-1

After you have tested the configurations to be correct and are ready to accept it, click on the “Add LDAP” button at the bottom right corner.

Conclusion

Today’s blog is very important; this post is setting the foundation for our next exciting topic, Thales Transparent Encryption feature. As you may have noticed, to integrate the CTM with AD is a very simple, but important operation. Next week, we going to use the configuration setup today to access and encrypt the company’s critical data.

· 8 min read
Hal Yaman (B.Sc)

Note - this article was originally posted on Hal's blog on March 24, 2023 under the title "CipherTrust Transparent Encryption."

In many organisations, IT departments are sometimes required to delegate some of their responsibilities to other teams, but at the same time, also required to keep control of the company security. Wait! In the world of security, can data security become a delegated responsibility? If that is a yes, then how?

Five years ago, I was pulled into the DevOps team culture and mindset. Since then, I have been lucky enough to manage the building of several DevOps teams. One of the many attributes of the DevOps culture is their autonomy. DevOps teams build in a way that can execute a task from end to end. The teams build up while working through the requirements and functions of the project or product, and with this knowledge, go on to find the most effective way of breaking the silos encountered by traditional teams.

Introduction

The previous paragraph described DevOps as being about speed of delivery and autonomy, which also requires the team to access resources that are not always managed within the team; Active Directory, file shares, and so on are examples of these resources. So, how can you keep your DevOps team focused, but not affect the company processes?

Scenario

Let’s put the DevOps information above into context using a real scenario I came across last week with one of the teams I help to build two years ago.

Company A was working on a confidential application for a client; the client was concerned that a breach of their code data would expose their intellectual property to competitors, or would become general knowledge.

The client asked that the following hierarchy be implemented to help mitigate their risk:

  • Each Team has it own encrypted directory
  • Only the specific team can access and read the code
  • Admin can manage the files within all the directories, but cannot read the code

The Challenge

From those requirements, Company A faces the following challenges:

  • How to implement access management and encryption at the same time
  • How to avoid disruption of the DevOps team concept
  • Delegate security manageability to the DevOps team without affecting the wider company policy

Solution

Access management can be controlled using the company Active Directory; but doing so will complicate the workflow of the DevOps team and will slow the delivery. At the same time, Active Directory and Group Policies do not offer encryption, so the IT department turned to Thales CipherTrust Manager to solve this challenge.

Implementation

To achieve all the security requirements, Company A decided to use CipherTrust Manager with the Transparent Encryption feature. Using Transparent Encryption Live Data Transformation (LDT), Company A can delegate the code data management to the DevOps team, but at the same time, encrypt the data and also keep Admin in control of managing and backing up the code files without compromising security.

So let’s learn how company A uses CipherTrust Manager to keep each team in control.

CipherTrust User and Domain

To delegate responsibilities, the Company A IT team was looking for a multi-tenanted system that can help the department to easily create and assign multiple teams to manage their own security requirements, while remaining isolated from each other. This requirement can be met with Thales CTM by creating a Domain to allow the DevOps team to manage their access control and security needs.

To create a Domain, you first create a user by browsing to “Access Management -> Users -> Add User“: Add_User

After you have added the user, apply the user to CTE Admins and Clients by going to Edit/view the user. Under Groups, Search CTE and add to Admin/Client: CTE_Groups

The next step is to browse to “Admin Settings -> Domains” and click “Add Domain“:

  • Name: DevOps
  • Admins: devops (the user you just created)
  • Choose the default CA
  • Save
@@ -24,7 +24,7 @@ CTE_Client

    Creating Policies:

    After deploying the agent and connecting it to the CTM, we can focus on creating our polices. As we have four different teams in our example, lets create four policies as shown below:

    • DevOps_Admin_Team: Access and manage files and directories but can read files content
    • DevOps_Dev_Team: access only Development directory
    • DevOps_Ops_Policy: access only operation directory
    • DevOps_QA_Team: access only QA diretory

    Let’s create first policy, the DevOps_Admin_Team policy by browsing to “Transparent Encryption -> Policies -> Create policy“:

    • Name: DevOps_Admin_Team
    • Policy Type: Live Data Transformation
    • Security Rules: + Create Security Rule
      • User Set – Select – Create User Set:
        • Name: Admin_Team
        • Create User
          • Agent – select Agent
          • User Type: LDAP
          • Member Choice: User or Group (on my case I choose group)
          • gname: group name
        • Note: repeat the above steps to create all the users for each group (i.e: Admin, Dev, Ops and QA team. on each time you need to create a policy you can easily choose the appropriate group or user)
      • Action – Select
        • All_Ops
      • Effect – Select
        • select permit
        • ApplyKey only of other group but not Admin group as the admin will not be able to unencrypt the data so a key not required
    • Key Rules: Create key Rule
      • Current Key Name: Select – “clear_key”
      • Tranformation Key Name: Select – LTD_Key
      • Add
    • Next – Confirmation – Save

    Note: repeat the above steps for all the groups

    Create GuardPoint

    Our last step is to apply these policies to our folders or client. In this example, I will be using a Windows client. So let’s get started:

    As we have different teams and policies, each with different access, we must create a different client GuardPoint. Browse to Transparent Encryption -> Clients. Choose the client – “Create GuardPoint“:

    • Select Policy: choose DevOps_QA_Team
    • Path: browse to the QA directory and select “select Path”
    • Create

    Note: repeat for each team and select the appropriate directory Create_GuardPoint

    After all the directories are assigned to a group – on each GuardPoint – press the policy name and add the right action for each team as shown below; for example:

    • Development_Team can access, and apply key
    • Operation_Team no access
    • Admin_Team access but no key DevOps_Permission_Group

    Note: repeat for all other GuardPoints

    Summary

    After Following the steps described above, you can check that your new configuration works by accessing your Windows machine with a different user; for example, QA, dev, ops or admin, then check to see if you can access or read the files. The above steps are a little involved, more than Active Directory Group Policies; but with CipherTrust you also get the encryption aspect with a full and controlled separation of responsibilities.

    Company A was able to achieve their client’s security request; but at the same time, did not affect the team processes, autonomy, and control. At both levels, Company A IT and DevOps, it was a win – win situation.

· 4 min read
Pranav Shikarpur

Your company has a ton of daily active users and you have this amazingly efficient architecture to process requests at scale, but your InfoSec team asks you to use a key manager — there are so many out there, which one do you choose?

There are various different types of key managers, but in this post, we’ll cover the three most common key managers:

  • Native Cloud Key Managers (Ex — AWS KMS, GCP KMS, Azure Key Vault, etc.)

  • External Key Managers (Ex — Thales CipherTrust Manager, etc.)

  • Hybrid Key Managers (Use the best of both worlds — Cloud managed services and external key managers)

First, the literal key to security — HSMs

HSM stands for “Hardware Security Module”. These are physical devices that are usually tamper resistant which store keys and perform encrypt, decrypt and other cryptographic operations.

HSMs are needed in secure environments such as healthcare or financial institutions where you need to pass compliances such as PCI DSS.

Now Let’s Compare

Let’s look at the pros and cons of each to help you decide what would work best for your organization.

Cloud Key Managers

Easy Integration with Cloud Managed Services

When using cloud key managers like AWS KMS (Key Management Service) it can be advantageous as you get the flexibility of AWS managing your keys as well as direct integration into your existing AWS managed services such as AWS S3, or AWS RDS (Relational Database Service), etc.

HSMs provisioned and managed by a cloud provider (most of the time 🤞)

Most famous cloud providers have HSMs that they use in their data centers which store your keys, so you don’t have to worry about renting an HSM.

❌ No Separation of Trust 🕵️‍♀️

Since your cloud provider now hosts and controls your data and encryption keys. Your user data might not be as safe anymore as the cloud provider with malicious intent could easily decrypt your user data. This does not help in creating a zero-trust architecture. While it’s true that your cloud provider has your best interest; there are always hackers lurking around the internet trying to get malicious access to your data, so it’s best to store data in an isolated environment.

External Key Managers

✅ Complete Separation of Trust

When running a product such as CipherTrust Manager, your architectures are zero-trust by default as 2 different entities have access to either your data or your keys and NOT both.

❌ Build your own custom integrations

Unless the key manager service has connectors, many-a-times, you would need to build your own connectors which could put a lot of engineering debt on your teams.

⚠️ Need to rent out your own HSM

You’d need to manage your own HSM, but fortunately, there are service providers that will rent out and manage the HSMs (just like a cloud provider) — so this is neither a pro nor a con. A great example of a hosted HSM is the Luna HSM.

Best of Both Worlds 🤔

Yes, it’s possible! To implement the best data security practices, you would want the ease of integration with cloud-managed services as well as complete separation of trust to isolate encryption keys from data. This method is also called BYOK (bring your own key).

You can do this with products such as CipherTrust Manager Cloud Key Manager. This offers:

✅ Direct connection with cloud-managed KMS account

Once you connect your AWS or GCP or Azure account to CipherTrust Manager as shown in the tutorial linked below, you will be able to manage keys directly from CipherTrust Manager and encrypt data on cloud-managed services.

✅ Key Lifecycle Management in a few clicks

In just a few clicks you can setup key rotation which will rotate your keys every few months and provide the best data security standards for your organization.

How do I implement this?

Luckily, it’s easy to implement in 3 simple steps. Here’s a tutorial I made that demos connecting CipherTrust Manager to my AWS KMS (Key Management Service) account and encrypt my AWS managed services such as S3 and RDS.

Now go ahead and encrypt all your cloud-managed services using this hybrid BYOK approach!

If you have any issues with implementation or questions about data encryption, go to the CipherTrust community and post a quesiton.

· 3 min read
Pranav Shikarpur

Building and deploying applications and services is super exciting. Still, when your security team prevents your application from going into production due to a lack of data encryption — this can be very annoying.

Let’s take a look at the different data encryption methods that are most commonly used and how we can implement some of them.

Data encrypted at-rest vs in-transit?

Well, it’s often hard to choose between encrypting a complete Postgres database or encrypting only specific fields of data in the database right before it gets written to a table.

The key difference between the two is that encrypting a database after data is written to it is called data encryption at rest and encrypting data before data is written to a database is called data encryption in-transit.

The illustration below should give you a good high-level understanding of the difference. Although data encryption at-rest was a standard encryption practice followed for many years, it involves developers writing and maintaining various different scripts or applications to ensure that the encryption is up to company standards. It is still useful while encrypting file systems and storage. On the other hand, data encryption in-transit is a lot more beneficial at times when you want to make your infrastructure database agnostic and provide high-security standards with significantly low developer effort.

Data Encryption at REST Architecture

Note that from the above diagram we can see that the method of encrypting data in-transit uses a side-car container which is a proxy used to intercept every request with sensitive fields or encrypted data and encrypt or decrypt the same respectively.

Data Encryption in-transit Architecture

Advantages of Data Encryption in-Transit

✅ No change to applications

The beauty of doing data-encryption in transit is that you don’t need to worry about changing any of your frontend apps, APIs, or databases. Since the side-car container does field-level encryption, you can granularly control all the data that needs to be encrypted and decrypted by remotely setting access policies from your key manager.

✅ Easy to deploy

Deploying a Data Protection Gateway side-car container is as easy to deploy as logging agents such as DataDog or Prometheus. You can just update your docker-compose, Kubernetes config files or just use Helm to install it.

✅ Developers can stop implementing data security policies

Now you can shift the responsibility of setting and implementing data security policies from developers over to InfoSec teams. This significantly helps prevent data breaches or unauthorized data access.

Disadvantages of Data Encryption in-Transit

Data encryption is only as strong as policies set

This applies to any method of data encryption. However, when we perform field-level encryption and decryption, InfoSec teams need to be aware of all data flowing through various API routes to prevent data breaches and unauthorized access to unencrypted data.


How Do I Implement Data Encryption in-Transit?

You’re in luck 🙌 because I have a tutorial showing you how to easily implement data encryption in-transit with any of your containerized applications.

In this tutorial, I have used CipherTrust Manager’s Data Protection Gateway product which is extremely easy to set up and free to start using👇


Now go ahead and encrypt data in-transit from all your applications using side-car containers.

If you have any issues with implementation or questions about data encryption in-transit, feel free to leave a comment, tweet @snpranav, or raise a GitHub issue :)

- +
\ No newline at end of file
diff --git a/ciphertrust/blog/rss.xml b/ciphertrust/blog/rss.xml
index 8df0bae..9ce006f 100644
--- a/ciphertrust/blog/rss.xml
+++ b/ciphertrust/blog/rss.xml
@@ -16,7 +16,7 @@ Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." The video was added for this post.

Uncover Your Cybersecurity Blind Spots

Cybersecurity is a strategic risk that should be managed at the highest levels of an organization. In fact, the World Economic Forum’s Global Risk Report 2023 again ranked wide-spread cybercrime as a top-ten critical global threat. Of all the potential global risks to economies and societies including natural disasters, geopolitical conflict, energy supply, global debt and rising inflation, widespread cybercrime ranks #8 on both short term and long-term outlooks.

Ranking in the top ten critical global threats is eye-opening! To help mitigate the risk and unshroud organizational blind spots, today’s enterprises must look for leading-edge solutions that help with data governance and compliance.

Thales Solutions for Microsoft Azure, Azure Stack and M365

You can simplify the way your organization discovers, protects, and controls your sensitive data. With our platform, Thales has integrated the CipherTrust Cloud Key Management (CCKM) solution with Microsoft Azure, Azure Stack and Microsoft 365.

CCKM reduces your operational burden and increases efficiency. CCKM manages and synchronizes native keys, even if you have already created thousands of native cloud keys at your cloud provider. CCKM can help customers demonstrate compliance with internal, industry and national regulatory requirements so that you have the confidence to unblock sensitive workloads that may be stuck on-premises and move them to Azure.

CCKM Benefits:

  • Simplify compliance by taking control of your encryption keys and your data
  • Achieve cost savings using automated key lifecycle management
  • Single pane of glass to help eliminate security holes introduced by human error -- set policies to be applied consistently wherever data is stored
  • Support strategies for workload portability to increase operational resilience as part of a robust business continuity and disaster recovery plan
  • Support all major public clouds
  • Flexible deployment options: on-premises, hybrid cloud, and as a Service

“Thales is a global Microsoft partner focused on delivering solutions for Azure Cloud, Azure Stack and M365, on-premises storage systems, intelligent edge appliances, and cloud-based Microsoft Azure Services. They are working to help customers transform their businesses to drive digital transformation for people, organizations, and industries worldwide. CipherTrust Cloud Key Management has been verified against Microsoft key products, is available on the Azure Marketplace and is simple to adopt for Azure customers.” – David Nunez Tejerina, Principal Product Manager, Microsoft

Bring Your Own Key

With Thales’ Bring Your Own Key (BYOK) functionality, customers can maintain control of sensitive data using external key management services ensuring full encryption capabilities, key lifecycle management, and centralized key management across clouds, regions, accounts, subscriptions, projects, applications, org ids and more. CCKM helps manage native Azure keys, Standard/Premium Key Vaults as well as Managed HSM pools, in addition to BYOK. CipherTrust Manager as well as Luna Network HSM can be used as a key source.

Single Pane of Glass, Single Vendor

According to the Thales 2023 Data Threat Report, 93% of organizations use four or more key management solutions (includes enterprise key manager vendors and cloud provider key managers). CCKM manages all of your encryption keys across clouds and services with a single pane of glass from a trusted vendor.

CCKM integrated with Microsoft Azure, Azure Stack and Microsoft 365 increases efficiency by reducing the operational burden. Giving customers lifecycle control, centralized management within and among clouds, and unparalleled visibility of cloud encryption keys reduces key management complexity and operational costs. Thousands of keys and native key stores are difficult to manage manually, and organizations may be stretched to consistently apply key lifecycle management policies such as rotation, backup and role-based access management across their entire digital estate -- leading to security holes and failed audits. 99% of data breaches occur because of human error. You can shrink the threat surface introduced by human error when you use centralized automated key lifecycle management provided by CCKM.

Multi-Cloud Support

Organizations with multi-cloud are struggling to protect their sensitive data, because while cloud delivers a multitude of benefits these can often be offset by a multitude of challenges. It can also be very time consuming to manage the different native stores and native key management tools across different clouds and on-premises since there is no industry standard. Based on customer testimonials, CCKM can provide a 30x savings in time and cost in managing thousands of native key stores across hybrid multi-cloud environments which can free up IT teams to focus on other urgent business priorities. Operational Sovereignty

CCKM helps organizations to control their digital sovereignty across major public and government clouds including Microsoft Azure, Azure Government, Amazon Web Services, Google Cloud, Oracle Cloud, Salesforce and SAP. The solution enables you to run in different environments to support a strong business continuity plan. CCKM can provide an organization with a holistic view of where all key workloads and sensitive data are located.

Free Trial -Try Data Protection On Demand - 30-Day Free Evaluation

For more information see the Product Brief and Solution Brief

]]>
+Try Data Protection On Demand - 30-Day Free Evaluation!

For more information see the Product Brief and Solution Brief.

]]> HYOK Cloud key Management devops
diff --git a/ciphertrust/blog/tags/azure/index.html b/ciphertrust/blog/tags/azure/index.html
index 4dd5057..1637c3f 100644
--- a/ciphertrust/blog/tags/azure/index.html
+++ b/ciphertrust/blog/tags/azure/index.html
@@ -5,15 +5,15 @@ One post tagged with "Azure" | CipherTrust Learn - +

One post tagged with "Azure"

View All Tags

· 5 min read
Scotti Woolery-Price

Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." The video was added for this post.

Uncover Your Cybersecurity Blind Spots

Cybersecurity is a strategic risk that should be managed at the highest levels of an organization. In fact, the World Economic Forum’s Global Risk Report 2023 again ranked wide-spread cybercrime as a top-ten critical global threat. Of all the potential global risks to economies and societies including natural disasters, geopolitical conflict, energy supply, global debt and rising inflation, widespread cybercrime ranks #8 on both short term and long-term outlooks.

Ranking in the top ten critical global threats is eye-opening! To help mitigate the risk and unshroud organizational blind spots, today’s enterprises must look for leading-edge solutions that help with data governance and compliance.

Thales Solutions for Microsoft Azure, Azure Stack and M365

You can simplify the way your organization discovers, protects, and controls your sensitive data. With our platform, Thales has integrated the CipherTrust Cloud Key Management (CCKM) solution with Microsoft Azure, Azure Stack and Microsoft 365.

CCKM reduces your operational burden and increases efficiency. CCKM manages and synchronizes native keys, even if you have already created thousands of native cloud keys at your cloud provider. CCKM can help customers demonstrate compliance with internal, industry and national regulatory requirements so that you have the confidence to unblock sensitive workloads that may be stuck on-premises and move them to Azure.

CCKM Benefits:

  • Simplify compliance by taking control of your encryption keys and your data
  • Achieve cost savings using automated key lifecycle management
  • Single pane of glass to help eliminate security holes introduced by human error -- set policies to be applied consistently wherever data is stored
  • Support strategies for workload portability to increase operational resilience as part of a robust business continuity and disaster recovery plan
  • Support all major public clouds
  • Flexible deployment options: on-premises, hybrid cloud, and as a Service

“Thales is a global Microsoft partner focused on delivering solutions for Azure Cloud, Azure Stack and M365, on-premises storage systems, intelligent edge appliances, and cloud-based Microsoft Azure Services. They are working to help customers transform their businesses to drive digital transformation for people, organizations, and industries worldwide. CipherTrust Cloud Key Management has been verified against Microsoft key products, is available on the Azure Marketplace and is simple to adopt for Azure customers.” – David Nunez Tejerina, Principal Product Manager, Microsoft

Bring Your Own Key

With Thales’ Bring Your Own Key (BYOK) functionality, customers can maintain control of sensitive data using external key management services ensuring full encryption capabilities, key lifecycle management, and centralized key management across clouds, regions, accounts, subscriptions, projects, applications, org ids and more. CCKM helps manage native Azure keys, Standard/Premium Key Vaults as well as Managed HSM pools, in addition to BYOK. CipherTrust Manager as well as Luna Network HSM can be used as a key source.

Single Pane of Glass, Single Vendor

According to the Thales 2023 Data Threat Report, 93% of organizations use four or more key management solutions (includes enterprise key manager vendors and cloud provider key managers). CCKM manages all of your encryption keys across clouds and services with a single pane of glass from a trusted vendor.

CCKM integrated with Microsoft Azure, Azure Stack and Microsoft 365 increases efficiency by reducing the operational burden. Giving customers lifecycle control, centralized management within and among clouds, and unparalleled visibility of cloud encryption keys reduces key management complexity and operational costs. Thousands of keys and native key stores are difficult to manage manually, and organizations may be stretched to consistently apply key lifecycle management policies such as rotation, backup and role-based access management across their entire digital estate -- leading to security holes and failed audits. 99% of data breaches occur because of human error. You can shrink the threat surface introduced by human error when you use centralized automated key lifecycle management provided by CCKM.

Multi-Cloud Support

Organizations with multi-cloud are struggling to protect their sensitive data, because while cloud delivers a multitude of benefits these can often be offset by a multitude of challenges. It can also be very time consuming to manage the different native stores and native key management tools across different clouds and on-premises since there is no industry standard. Based on customer testimonials, CCKM can provide a 30x savings in time and cost in managing thousands of native key stores across hybrid multi-cloud environments which can free up IT teams to focus on other urgent business priorities. Operational Sovereignty

CCKM helps organizations to control their digital sovereignty across major public and government clouds including Microsoft Azure, Azure Government, Amazon Web Services, Google Cloud, Oracle Cloud, Salesforce and SAP. The solution enables you to run in different environments to support a strong business continuity plan. CCKM can provide an organization with a holistic view of where all key workloads and sensitive data are located.

Free Trial -Try Data Protection On Demand - 30-Day Free Evaluation

For more information see the Product Brief and Solution Brief

- +Try Data Protection On Demand - 30-Day Free Evaluation!

For more information see the Product Brief and Solution Brief.

+ \ No newline at end of file
diff --git a/ciphertrust/blog/tags/cloud-key-management/index.html b/ciphertrust/blog/tags/cloud-key-management/index.html
index 6f64747..59c9873 100644
--- a/ciphertrust/blog/tags/cloud-key-management/index.html
+++ b/ciphertrust/blog/tags/cloud-key-management/index.html
@@ -5,15 +5,15 @@ One post tagged with "Cloud key Management" | CipherTrust Learn - +

One post tagged with "Cloud key Management"

View All Tags

· 5 min read
Scotti Woolery-Price

Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." The video was added for this post.

Uncover Your Cybersecurity Blind Spots

Cybersecurity is a strategic risk that should be managed at the highest levels of an organization. In fact, the World Economic Forum’s Global Risk Report 2023 again ranked wide-spread cybercrime as a top-ten critical global threat. Of all the potential global risks to economies and societies including natural disasters, geopolitical conflict, energy supply, global debt and rising inflation, widespread cybercrime ranks #8 on both short term and long-term outlooks.

Ranking in the top ten critical global threats is eye-opening! To help mitigate the risk and unshroud organizational blind spots, today’s enterprises must look for leading-edge solutions that help with data governance and compliance.

Thales Solutions for Microsoft Azure, Azure Stack and M365

You can simplify the way your organization discovers, protects, and controls your sensitive data. With our platform, Thales has integrated the CipherTrust Cloud Key Management (CCKM) solution with Microsoft Azure, Azure Stack and Microsoft 365.

CCKM reduces your operational burden and increases efficiency. CCKM manages and synchronizes native keys, even if you have already created thousands of native cloud keys at your cloud provider. CCKM can help customers demonstrate compliance with internal, industry and national regulatory requirements so that you have the confidence to unblock sensitive workloads that may be stuck on-premises and move them to Azure.

CCKM Benefits:

  • Simplify compliance by taking control of your encryption keys and your data
  • Achieve cost savings using automated key lifecycle management
  • Single pane of glass to help eliminate security holes introduced by human error -- set policies to be applied consistently wherever data is stored
  • Support strategies for workload portability to increase operational resilience as part of a robust business continuity and disaster recovery plan
  • Support all major public clouds
  • Flexible deployment options: on-premises, hybrid cloud, and as a Service

“Thales is a global Microsoft partner focused on delivering solutions for Azure Cloud, Azure Stack and M365, on-premises storage systems, intelligent edge appliances, and cloud-based Microsoft Azure Services. They are working to help customers transform their businesses to drive digital transformation for people, organizations, and industries worldwide. CipherTrust Cloud Key Management has been verified against Microsoft key products, is available on the Azure Marketplace and is simple to adopt for Azure customers.” – David Nunez Tejerina, Principal Product Manager, Microsoft

Bring Your Own Key

With Thales’ Bring Your Own Key (BYOK) functionality, customers can maintain control of sensitive data using external key management services ensuring full encryption capabilities, key lifecycle management, and centralized key management across clouds, regions, accounts, subscriptions, projects, applications, org ids and more. CCKM helps manage native Azure keys, Standard/Premium Key Vaults as well as Managed HSM pools, in addition to BYOK. CipherTrust Manager as well as Luna Network HSM can be used as a key source.

Single Pane of Glass, Single Vendor

According to the Thales 2023 Data Threat Report, 93% of organizations use four or more key management solutions (includes enterprise key manager vendors and cloud provider key managers). CCKM manages all of your encryption keys across clouds and services with a single pane of glass from a trusted vendor.

CCKM integrated with Microsoft Azure, Azure Stack and Microsoft 365 increases efficiency by reducing the operational burden. Giving customers lifecycle control, centralized management within and among clouds, and unparalleled visibility of cloud encryption keys reduces key management complexity and operational costs. Thousands of keys and native key stores are difficult to manage manually, and organizations may be stretched to consistently apply key lifecycle management policies such as rotation, backup and role-based access management across their entire digital estate -- leading to security holes and failed audits. 99% of data breaches occur because of human error. You can shrink the threat surface introduced by human error when you use centralized automated key lifecycle management provided by CCKM.

Multi-Cloud Support

Organizations with multi-cloud are struggling to protect their sensitive data, because while cloud delivers a multitude of benefits these can often be offset by a multitude of challenges. It can also be very time consuming to manage the different native stores and native key management tools across different clouds and on-premises since there is no industry standard. Based on customer testimonials, CCKM can provide a 30x savings in time and cost in managing thousands of native key stores across hybrid multi-cloud environments which can free up IT teams to focus on other urgent business priorities. Operational Sovereignty

CCKM helps organizations to control their digital sovereignty across major public and government clouds including Microsoft Azure, Azure Government, Amazon Web Services, Google Cloud, Oracle Cloud, Salesforce and SAP. The solution enables you to run in different environments to support a strong business continuity plan. CCKM can provide an organization with a holistic view of where all key workloads and sensitive data are located.

Free Trial -Try Data Protection On Demand - 30-Day Free Evaluation

For more information see the Product Brief and Solution Brief

- +Try Data Protection On Demand - 30-Day Free Evaluation!

For more information see the Product Brief and Solution Brief.

+ \ No newline at end of file
diff --git a/ciphertrust/blog/tags/data-encryption/index.html b/ciphertrust/blog/tags/data-encryption/index.html
index cfe4559..91be80d 100644
--- a/ciphertrust/blog/tags/data-encryption/index.html
+++ b/ciphertrust/blog/tags/data-encryption/index.html
@@ -5,7 +5,7 @@ 4 posts tagged with "data-encryption" | CipherTrust Learn - +
@@ -22,7 +22,7 @@ CTE_Client

Creating Policies:

After deploying the agent and connecting it to the CTM, we can focus on creating our polices. As we have four different teams in our example, lets create four policies as shown below:

  • DevOps_Admin_Team: Access and manage files and directories but can read files content
  • DevOps_Dev_Team: access only Development directory
  • DevOps_Ops_Policy: access only operation directory
  • DevOps_QA_Team: access only QA diretory

Let’s create first policy, the DevOps_Admin_Team policy by browsing to “Transparent Encryption -> Policies -> Create policy“:

  • Name: DevOps_Admin_Team
  • Policy Type: Live Data Transformation
  • Security Rules: + Create Security Rule
    • User Set – Select – Create User Set:
      • Name: Admin_Team
      • Create User
        • Agent – select Agent
        • User Type: LDAP
        • Member Choice: User or Group (on my case I choose group)
        • gname: group name
      • Note: repeat the above steps to create all the users for each group (i.e: Admin, Dev, Ops and QA team. on each time you need to create a policy you can easily choose the appropriate group or user)
    • Action – Select
      • All_Ops
    • Effect – Select
      • select permit
      • ApplyKey only of other group but not Admin group as the admin will not be able to unencrypt the data so a key not required
  • Key Rules: Create key Rule
    • Current Key Name: Select – “clear_key”
    • Tranformation Key Name: Select – LTD_Key
    • Add
  • Next – Confirmation – Save

Note: repeat the above steps for all the groups

Create GuardPoint

Our last step is to apply these policies to our folders or client. In this example, I will be using a Windows client. So let’s get started:

As we have different teams and policies, each with different access, we must create a different client GuardPoint. Browse to Transparent Encryption -> Clients. Choose the client – “Create GuardPoint“:

  • Select Policy: choose DevOps_QA_Team
  • Path: browse to the QA directory and select “select Path”
  • Create

Note: repeat for each team and select the appropriate directory Create_GuardPoint

After all the directories are assigned to a group – on each GuardPoint – press the policy name and add the right action for each team as shown below; for example:

  • Development_Team can access, and apply key
  • Operation_Team no access
  • Admin_Team access but no key DevOps_Permission_Group

Note: repeat for all other GuardPoints

Summary

After Following the steps described above, you can check that your new configuration works by accessing your Windows machine with a different user; for example, QA, dev, ops or admin, then check to see if you can access or read the files. The above steps are a little involved, more than Active Directory Group Policies; but with CipherTrust you also get the encryption aspect with a full and controlled separation of responsibilities.

Company A was able to achieve their client’s security request; but at the same time, did not affect the team processes, autonomy, and control. At both levels, Company A IT and DevOps, it was a win – win situation.

· 4 min read
Pranav Shikarpur

Your company has a ton of daily active users and you have this amazingly efficient architecture to process requests at scale, but your InfoSec team asks you to use a key manager — there are so many out there, which one do you choose?

There are various different types of key managers, but in this post, we’ll cover the three most common key managers:

  • Native Cloud Key Managers (Ex — AWS KMS, GCP KMS, Azure Key Vault, etc.)

  • External Key Managers (Ex — Thales CipherTrust Manager, etc.)

  • Hybrid Key Managers (Use the best of both worlds — Cloud managed services and external key managers)

First, the literal key to security — HSMs

HSM stands for “Hardware Security Module”. These are physical devices that are usually tamper resistant which store keys and perform encrypt, decrypt and other cryptographic operations.

HSMs are needed in secure environments such as healthcare or financial institutions where you need to pass compliances such as PCI DSS.

Now Let’s Compare

Let’s look at the pros and cons of each to help you decide what would work best for your organization.

Cloud Key Managers

Easy Integration with Cloud Managed Services

When using cloud key managers like AWS KMS (Key Management Service) it can be advantageous as you get the flexibility of AWS managing your keys as well as direct integration into your existing AWS managed services such as AWS S3, or AWS RDS (Relational Database Service), etc.

HSMs provisioned and managed by a cloud provider (most of the time 🤞)

Most famous cloud providers have HSMs that they use in their data centers which store your keys, so you don’t have to worry about renting an HSM.

❌ No Separation of Trust 🕵️‍♀️

Since your cloud provider now hosts and controls your data and encryption keys. Your user data might not be as safe anymore as the cloud provider with malicious intent could easily decrypt your user data. This does not help in creating a zero-trust architecture. While it’s true that your cloud provider has your best interest; there are always hackers lurking around the internet trying to get malicious access to your data, so it’s best to store data in an isolated environment.

External Key Managers

✅ Complete Separation of Trust

When running a product such as CipherTrust Manager, your architectures are zero-trust by default as 2 different entities have access to either your data or your keys and NOT both.

❌ Build your own custom integrations

Unless the key manager service has connectors, many-a-times, you would need to build your own connectors which could put a lot of engineering debt on your teams.

⚠️ Need to rent out your own HSM

You’d need to manage your own HSM, but fortunately, there are service providers that will rent out and manage the HSMs (just like a cloud provider) — so this is neither a pro nor a con. A great example of a hosted HSM is the Luna HSM.

Best of Both Worlds 🤔

Yes, it’s possible! To implement the best data security practices, you would want the ease of integration with cloud-managed services as well as complete separation of trust to isolate encryption keys from data. This method is also called BYOK (bring your own key).

You can do this with products such as CipherTrust Manager Cloud Key Manager. This offers:

✅ Direct connection with cloud-managed KMS account

Once you connect your AWS or GCP or Azure account to CipherTrust Manager as shown in the tutorial linked below, you will be able to manage keys directly from CipherTrust Manager and encrypt data on cloud-managed services.

✅ Key Lifecycle Management in a few clicks

In just a few clicks you can setup key rotation which will rotate your keys every few months and provide the best data security standards for your organization.

How do I implement this?

Luckily, it’s easy to implement in 3 simple steps. Here’s a tutorial I made that demos connecting CipherTrust Manager to my AWS KMS (Key Management Service) account and encrypt my AWS managed services such as S3 and RDS.

Now go ahead and encrypt all your cloud-managed services using this hybrid BYOK approach!

If you have any issues with implementation or questions about data encryption, go to the CipherTrust community and post a quesiton.

· 3 min read
Pranav Shikarpur

Building and deploying applications and services is super exciting. Still, when your security team prevents your application from going into production due to a lack of data encryption — this can be very annoying.

Let’s take a look at the different data encryption methods that are most commonly used and how we can implement some of them.

Data encrypted at-rest vs in-transit?

Well, it’s often hard to choose between encrypting a complete Postgres database or encrypting only specific fields of data in the database right before it gets written to a table.

The key difference between the two is that encrypting a database after data is written to it is called data encryption at rest and encrypting data before data is written to a database is called data encryption in-transit.

The illustration below should give you a good high-level understanding of the difference. Although data encryption at-rest was a standard encryption practice followed for many years, it involves developers writing and maintaining various different scripts or applications to ensure that the encryption is up to company standards. It is still useful while encrypting file systems and storage. On the other hand, data encryption in-transit is a lot more beneficial at times when you want to make your infrastructure database agnostic and provide high-security standards with significantly low developer effort.

Data Encryption at REST Architecture

Note that from the above diagram we can see that the method of encrypting data in-transit uses a side-car container which is a proxy used to intercept every request with sensitive fields or encrypted data and encrypt or decrypt the same respectively.

Data Encryption in-transit Architecture

Advantages of Data Encryption in-Transit

✅ No change to applications

The beauty of doing data-encryption in transit is that you don’t need to worry about changing any of your frontend apps, APIs, or databases. Since the side-car container does field-level encryption, you can granularly control all the data that needs to be encrypted and decrypted by remotely setting access policies from your key manager.

✅ Easy to deploy

Deploying a Data Protection Gateway side-car container is as easy to deploy as logging agents such as DataDog or Prometheus. You can just update your docker-compose, Kubernetes config files or just use Helm to install it.

✅ Developers can stop implementing data security policies

Now you can shift the responsibility of setting and implementing data security policies from developers over to InfoSec teams. This significantly helps prevent data breaches or unauthorized data access.

Disadvantages of Data Encryption in-Transit

Data encryption is only as strong as policies set

This applies to any method of data encryption. However, when we perform field-level encryption and decryption, InfoSec teams need to be aware of all data flowing through various API routes to prevent data breaches and unauthorized access to unencrypted data.


How Do I Implement Data Encryption in-Transit?

You’re in luck 🙌 because I have a tutorial showing you how to easily implement data encryption in-transit with any of your containerized applications.

In this tutorial, I have used CipherTrust Manager’s Data Protection Gateway product which is extremely easy to set up and free to start using👇


Now go ahead and encrypt data in-transit from all your applications using side-car containers.

If you have any issues with implementation or questions about data encryption in-transit, feel free to leave a comment, tweet @snpranav, or raise a GitHub issue :)

- + \ No newline at end of file
diff --git a/ciphertrust/blog/tags/data-protection-gateway/index.html b/ciphertrust/blog/tags/data-protection-gateway/index.html
index fceff14..2f07f9e 100644
--- a/ciphertrust/blog/tags/data-protection-gateway/index.html
+++ b/ciphertrust/blog/tags/data-protection-gateway/index.html
@@ -5,13 +5,13 @@ One post tagged with "data-protection-gateway" | CipherTrust Learn - +

One post tagged with "data-protection-gateway"

View All Tags

· 3 min read
Pranav Shikarpur

Building and deploying applications and services is super exciting. Still, when your security team prevents your application from going into production due to a lack of data encryption — this can be very annoying.

Let’s take a look at the different data encryption methods that are most commonly used and how we can implement some of them.

Data encrypted at-rest vs in-transit?

Well, it’s often hard to choose between encrypting a complete Postgres database or encrypting only specific fields of data in the database right before it gets written to a table.

The key difference between the two is that encrypting a database after data is written to it is called data encryption at rest and encrypting data before data is written to a database is called data encryption in-transit.

The illustration below should give you a good high-level understanding of the difference. Although data encryption at-rest was a standard encryption practice followed for many years, it involves developers writing and maintaining various different scripts or applications to ensure that the encryption is up to company standards. It is still useful while encrypting file systems and storage. On the other hand, data encryption in-transit is a lot more beneficial at times when you want to make your infrastructure database agnostic and provide high-security standards with significantly low developer effort.

Data Encryption at REST Architecture

Note that from the above diagram we can see that the method of encrypting data in-transit uses a side-car container which is a proxy used to intercept every request with sensitive fields or encrypted data and encrypt or decrypt the same respectively.

Data Encryption in-transit Architecture

Advantages of Data Encryption in-Transit

✅ No change to applications

The beauty of doing data-encryption in transit is that you don’t need to worry about changing any of your frontend apps, APIs, or databases. Since the side-car container does field-level encryption, you can granularly control all the data that needs to be encrypted and decrypted by remotely setting access policies from your key manager.

✅ Easy to deploy

Deploying a Data Protection Gateway side-car container is as easy to deploy as logging agents such as DataDog or Prometheus. You can just update your docker-compose, Kubernetes config files or just use Helm to install it.

✅ Developers can stop implementing data security policies

Now you can shift the responsibility of setting and implementing data security policies from developers over to InfoSec teams. This significantly helps prevent data breaches or unauthorized data access.

Disadvantages of Data Encryption in-Transit

Data encryption is only as strong as policies set

This applies to any method of data encryption. However, when we perform field-level encryption and decryption, InfoSec teams need to be aware of all data flowing through various API routes to prevent data breaches and unauthorized access to unencrypted data.


How Do I Implement Data Encryption in-Transit?

You’re in luck 🙌 because I have a tutorial showing you how to easily implement data encryption in-transit with any of your containerized applications.

In this tutorial, I have used CipherTrust Manager’s Data Protection Gateway product which is extremely easy to set up and free to start using👇


Now go ahead and encrypt data in-transit from all your applications using side-car containers.

If you have any issues with implementation or questions about data encryption in-transit, feel free to leave a comment, tweet @snpranav, or raise a GitHub issue :)

- + \ No newline at end of file diff --git a/ciphertrust/blog/tags/data-security/index.html b/ciphertrust/blog/tags/data-security/index.html index ad594ef..d9b9d10 100644 --- a/ciphertrust/blog/tags/data-security/index.html +++ b/ciphertrust/blog/tags/data-security/index.html @@ -5,7 +5,7 @@ 2 posts tagged with "data-security" | CipherTrust Learn - + @@ -22,7 +22,7 @@ CTE_Client

Creating Policies:

After deploying the agent and connecting it to the CTM, we can focus on creating our polices. As we have four different teams in our example, lets create four policies as shown below:

  • DevOps_Admin_Team: Access and manage files and directories but can read files content
  • DevOps_Dev_Team: access only Development directory
  • DevOps_Ops_Policy: access only operation directory
  • DevOps_QA_Team: access only QA diretory

Let’s create first policy, the DevOps_Admin_Team policy by browsing to “Transparent Encryption -> Policies -> Create policy“:

  • Name: DevOps_Admin_Team
  • Policy Type: Live Data Transformation
  • Security Rules: + Create Security Rule
    • User Set – Select – Create User Set:
      • Name: Admin_Team
      • Create User
        • Agent – select Agent
        • User Type: LDAP
        • Member Choice: User or Group (on my case I choose group)
        • gname: group name
      • Note: repeat the above steps to create all the users for each group (i.e: Admin, Dev, Ops and QA team. on each time you need to create a policy you can easily choose the appropriate group or user)
    • Action – Select
      • All_Ops
    • Effect – Select
      • select permit
      • ApplyKey only of other group but not Admin group as the admin will not be able to unencrypt the data so a key not required
  • Key Rules: Create key Rule
    • Current Key Name: Select – “clear_key”
    • Tranformation Key Name: Select – LTD_Key
    • Add
  • Next – Confirmation – Save

Note: repeat the above steps for all the groups

Create GuardPoint

Our last step is to apply these policies to our folders or client. In this example, I will be using a Windows client. So let’s get started:

As we have different teams and policies, each with different access, we must create a different client GuardPoint. Browse to Transparent Encryption -> Clients. Choose the client – “Create GuardPoint“:

  • Select Policy: choose DevOps_QA_Team
  • Path: browse to the QA directory and select “select Path”
  • Create

Note: repeat for each team and select the appropriate directory Create_GuardPoint

After all the directories are assigned to a group – on each GuardPoint – press the policy name and add the right action for each team as shown below; for example:

  • Development_Team can access, and apply key
  • Operation_Team no access
  • Admin_Team access but no key DevOps_Permission_Group

Note: repeat for all other GuardPoints

Summary

After Following the steps described above, you can check that your new configuration works by accessing your Windows machine with a different user; for example, QA, dev, ops or admin, then check to see if you can access or read the files. The above steps are a little involved, more than Active Directory Group Policies; but with CipherTrust you also get the encryption aspect with a full and controlled separation of responsibilities.

Company A was able to achieve their client’s security request; but at the same time, did not affect the team processes, autonomy, and control. At both levels, Company A IT and DevOps, it was a win – win situation.

- + \ No newline at end of file diff --git a/ciphertrust/blog/tags/devops/index.html b/ciphertrust/blog/tags/devops/index.html index 67c0b68..05bbf8f 100644 --- a/ciphertrust/blog/tags/devops/index.html +++ b/ciphertrust/blog/tags/devops/index.html @@ -5,14 +5,14 @@ 3 posts tagged with "devops" | CipherTrust Learn - +

3 posts tagged with "devops"

View All Tags

· 5 min read
Scotti Woolery-Price

Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." The video was added for this post.

Uncover Your Cybersecurity Blind Spots

Cybersecurity is a strategic risk that should be managed at the highest levels of an organization. In fact, the World Economic Forum’s Global Risk Report 2023 again ranked wide-spread cybercrime as a top-ten critical global threat. Of all the potential global risks to economies and societies including natural disasters, geopolitical conflict, energy supply, global debt and rising inflation, widespread cybercrime ranks #8 on both short term and long-term outlooks.

Ranking in the top ten critical global threats is eye-opening! To help mitigate the risk and unshroud organizational blind spots, today’s enterprises must look for leading-edge solutions that help with data governance and compliance.

Thales Solutions for Microsoft Azure, Azure Stack and M365

You can simplify the way your organization discovers, protects, and controls your sensitive data. With our platform, Thales has integrated the CipherTrust Cloud Key Management (CCKM) solution with Microsoft Azure, Azure Stack and Microsoft 365.

CCKM reduces your operational burden and increases efficiency. CCKM manages and synchronizes native keys, even if you have already created thousands of native cloud keys at your cloud provider. CCKM can help customers demonstrate compliance with internal, industry and national regulatory requirements so that you have the confidence to unblock sensitive workloads that may be stuck on-premises and move them to Azure.

CCKM Benefits:

  • Simplify compliance by taking control of your encryption keys and your data
  • Achieve cost savings using automated key lifecycle management
  • Single pane of glass to help eliminate security holes introduced by human error -- set policies to be applied consistently wherever data is stored
  • Support strategies for workload portability to increase operational resilience as part of a robust business continuity and disaster recovery plan
  • Support all major public clouds
  • Flexible deployment options: on-premises, hybrid cloud, and as a Service

“Thales is a global Microsoft partner focused on delivering solutions for Azure Cloud, Azure Stack and M365, on-premises storage systems, intelligent edge appliances, and cloud-based Microsoft Azure Services. They are working to help customers transform their businesses to drive digital transformation for people, organizations, and industries worldwide. CipherTrust Cloud Key Management has been verified against Microsoft key products, is available on the Azure Marketplace and is simple to adopt for Azure customers.” – David Nunez Tejerina, Principal Product Manager, Microsoft

Bring Your Own Key

With Thales’ Bring Your Own Key (BYOK) functionality, customers can maintain control of sensitive data using external key management services ensuring full encryption capabilities, key lifecycle management, and centralized key management across clouds, regions, accounts, subscriptions, projects, applications, org ids and more. CCKM helps manage native Azure keys, Standard/Premium Key Vaults as well as Managed HSM pools, in addition to BYOK. CipherTrust Manager as well as Luna Network HSM can be used as a key source.

Single Pane of Glass, Single Vendor

According to the Thales 2023 Data Threat Report, 93% of organizations use four or more key management solutions (includes enterprise key manager vendors and cloud provider key managers). CCKM manages all of your encryption keys across clouds and services with a single pane of glass from a trusted vendor.

CCKM integrated with Microsoft Azure, Azure Stack and Microsoft 365 increases efficiency by reducing the operational burden. Giving customers lifecycle control, centralized management within and among clouds, and unparalleled visibility of cloud encryption keys reduces key management complexity and operational costs. Thousands of keys and native key stores are difficult to manage manually, and organizations may be stretched to consistently apply key lifecycle management policies such as rotation, backup and role-based access management across their entire digital estate -- leading to security holes and failed audits. 99% of data breaches occur because of human error. You can shrink the threat surface introduced by human error when you use centralized automated key lifecycle management provided by CCKM.

Multi-Cloud Support

Organizations with multi-cloud are struggling to protect their sensitive data, because while cloud delivers a multitude of benefits these can often be offset by a multitude of challenges. It can also be very time consuming to manage the different native stores and native key management tools across different clouds and on-premises since there is no industry standard. Based on customer testimonials, CCKM can provide a 30x savings in time and cost in managing thousands of native key stores across hybrid multi-cloud environments which can free up IT teams to focus on other urgent business priorities. Operational Sovereignty

CCKM helps organizations to control their digital sovereignty across major public and government clouds including Microsoft Azure, Azure Government, Amazon Web Services, Google Cloud, Oracle Cloud, Salesforce and SAP. The solution enables you to run in different environments to support a strong business continuity plan. CCKM can provide an organization with a holistic view of where all key workloads and sensitive data are located.

Free Trial -Try Data Protection On Demand - 30-Day Free Evaluation

For more information see the Product Brief and Solution Brief

· 2 min read
Hal Yaman (B.Sc)

Note - this article was originally posted on Hal's blog on March 21, 2023 under the title "Thales CipherTrust & Active Directory."

Into Image Why should you integrate Thales CipherTrust with your Microsoft Active Directory? What are the benefits of integration, and how is it done? Does Thales CipherTrust Manager (CTM) replace your Active Directory Group policy?

In the previous blog post, we went through the deployment of the CipherTrust Manager in our VMware environment. In today’s post, we will focus our discussion on how to integrate the newly provisioned OVA with the company Active Directory, a necessary step for activities we will discuss in our future posts.

The Why

To streamline the management of your company’s security requirements, and to easily manage your access and control of the company files and directories, it is a good idea to integrate CTM with Active Directory as a source of user management. By doing this, you can assign your policies more easily by basing them on the company AD Users and Groups.

The How

Now let’s focus on the fun technical part, the integration. The first step before we start the configuration is to get some information from AD; so, let’s run the following PowerShell command to retrieve the necessary information for our configuration: Get ADuser

The output will be as shown below:

AD Info

After you have retrieved the above information, we are ready to head back to our CTM and browse to: Access Management -> LDAP. From the top right corner, select “+ Add LDAP“:

CTM_LDAP

On the pop-up config windows, provide the following information:

· 2 min read
Hal Yaman (B.Sc)

Note - this article was originally posted on Hal's blog on March 21, 2023 under the title "Thales CipherTrust & Active Directory."

Into Image Why should you integrate Thales CipherTrust with your Microsoft Active Directory? What are the benefits of integration, and how is it done? Does Thales CipherTrust Manager (CTM) replace your Active Directory Group policy?

In the previous blog post, we went through the deployment of the CipherTrust Manager in our VMware environment. In today’s post, we will focus our discussion on how to integrate the newly provisioned OVA with the company Active Directory, a necessary step for activities we will discuss in our future posts.

The Why

To streamline the management of your company’s security requirements, and to easily manage your access and control of the company files and directories, it is a good idea to integrate CTM with Active Directory as a source of user management. By doing this, you can assign your policies more easily by basing them on the company AD Users and Groups.

The How

Now let’s focus on the fun technical part, the integration. The first step before we start the configuration is to get some information from AD; so, let’s run the following PowerShell command to retrieve the necessary information for our configuration: Get ADuser

The output will be as shown below:

AD Info

After you have retrieved the above information, we are ready to head back to our CTM and browse to: Access Management -> LDAP. From the top right corner, select “+ Add LDAP“:

CTM_LDAP

On the pop-up config windows, provide the following information:

  • Connection Name: any
  • Server URL: your AD IP/DNS name
  • Bind DN: CN=Administrator,CN=Users,DC=oasis,DC=org
  • Server Bind Password: account password
  • Rood DN: DC=oasis,DC=org
  • User login name attribute: sAMAccountName AD_Bind-1

After you have tested the configurations to be correct and are ready to accept it, click on the “Add LDAP” button at the bottom right corner.

Conclusion

Today’s blog is very important; this post is setting the foundation for our next exciting topic, Thales Transparent Encryption feature. As you may have noticed, to integrate the CTM with AD is a very simple, but important operation. Next week, we going to use the configuration setup today to access and encrypt the company’s critical data.

· 8 min read
Hal Yaman (B.Sc)

Note - this article was originally posted on Hal's blog on March 24, 2023 under the title "CipherTrust Transparent Encryption."

In many organisations, IT departments are sometimes required to delegate some of their responsibilities to other teams, but at the same time, also required to keep control of the company security. Wait! In the world of security, can data security become a delegated responsibility? If that is a yes, then how?

Five years ago, I was pulled into the DevOps team culture and mindset. Since then, I have been lucky enough to manage the building of several DevOps teams. One of the many attributes of the DevOps culture is their autonomy. DevOps teams build in a way that can execute a task from end to end. The teams build up while working through the requirements and functions of the project or product, and with this knowledge, go on to find the most effective way of breaking the silos encountered by traditional teams.

Introduction

The previous paragraph described DevOps as being about speed of delivery and autonomy, which also requires the team to access resources that are not always managed within the team; Active Directory, file shares, and so on are examples of these resources. So, how can you keep your DevOps team focused, but not affect the company processes?

Scenario

Let’s put the DevOps information above into context using a real scenario I came across last week with one of the teams I help to build two years ago.

Company A was working on a confidential application for a client; the client was concerned that a breach of their code data would expose their intellectual property to competitors, or would become general knowledge.

The client asked that the following hierarchy be implemented to help mitigate their risk:

  • Each Team has it own encrypted directory
  • Only the specific team can access and read the code
  • Admin can manage the files within all the directories, but cannot read the code

The Challenge

From those requirements, Company A faces the following challenges:

  • How to implement access management and encryption at the same time
  • How to avoid disruption of the DevOps team concept
  • Delegate security manageability to the DevOps team without affecting the wider company policy

Solution

Access management can be controlled using the company Active Directory; but doing so will complicate the workflow of the DevOps team and will slow the delivery. At the same time, Active Directory and Group Policies do not offer encryption, so the IT department turned to Thales CipherTrust Manager to solve this challenge.

Implementation

To achieve all the security requirements, Company A decided to use CipherTrust Manager with the Transparent Encryption feature. Using Transparent Encryption Live Data Transformation (LDT), Company A can delegate the code data management to the DevOps team, but at the same time, encrypt the data and also keep Admin in control of managing and backing up the code files without compromising security.

So let’s learn how company A uses CipherTrust Manager to keep each team in control.

CipherTrust User and Domain

To delegate responsibilities, the Company A IT team was looking for a multi-tenanted system that can help the department to easily create and assign multiple teams to manage their own security requirements, while remaining isolated from each other. This requirement can be met with Thales CTM by creating a Domain to allow the DevOps team to manage their access control and security needs.

To create a Domain, you first create a user by browsing to “Access Management -> Users -> Add User“: Add_User

After you have added the user, apply the user to CTE Admins and Clients by going to Edit/view the user. Under Groups, Search CTE and add to Admin/Client: CTE_Groups

The next step is to browse to “Admin Settings -> Domains” and click “Add Domain“:

  • Name: DevOps
  • Admins: devops (the user you just created)
  • Choose the default CA
  • Save @@ -24,7 +24,7 @@ CTE_Client

    Creating Policies:

    After deploying the agent and connecting it to the CTM, we can focus on creating our polices. As we have four different teams in our example, lets create four policies as shown below:

    • DevOps_Admin_Team: Access and manage files and directories but can read files content
    • DevOps_Dev_Team: access only Development directory
    • DevOps_Ops_Policy: access only operation directory
    • DevOps_QA_Team: access only QA diretory

    Let’s create first policy, the DevOps_Admin_Team policy by browsing to “Transparent Encryption -> Policies -> Create policy“:

    • Name: DevOps_Admin_Team
    • Policy Type: Live Data Transformation
    • Security Rules: + Create Security Rule
      • User Set – Select – Create User Set:
        • Name: Admin_Team
        • Create User
          • Agent – select Agent
          • User Type: LDAP
          • Member Choice: User or Group (on my case I choose group)
          • gname: group name
        • Note: repeat the above steps to create all the users for each group (i.e: Admin, Dev, Ops and QA team. on each time you need to create a policy you can easily choose the appropriate group or user)
      • Action – Select
        • All_Ops
      • Effect – Select
        • select permit
        • ApplyKey only of other group but not Admin group as the admin will not be able to unencrypt the data so a key not required
    • Key Rules: Create key Rule
      • Current Key Name: Select – “clear_key”
      • Tranformation Key Name: Select – LTD_Key
      • Add
    • Next – Confirmation – Save

    Note: repeat the above steps for all the groups

    Create GuardPoint

    Our last step is to apply these policies to our folders or client. In this example, I will be using a Windows client. So let’s get started:

    As we have different teams and policies, each with different access, we must create a different client GuardPoint. Browse to Transparent Encryption -> Clients. Choose the client – “Create GuardPoint“:

    • Select Policy: choose DevOps_QA_Team
    • Path: browse to the QA directory and select “select Path”
    • Create

    Note: repeat for each team and select the appropriate directory Create_GuardPoint

    After all the directories are assigned to a group – on each GuardPoint – press the policy name and add the right action for each team as shown below; for example:

    • Development_Team can access, and apply key
    • Operation_Team no access
    • Admin_Team access but no key DevOps_Permission_Group

    Note: repeat for all other GuardPoints

    Summary

    After Following the steps described above, you can check that your new configuration works by accessing your Windows machine with a different user; for example, QA, dev, ops or admin, then check to see if you can access or read the files. The above steps are a little involved, more than Active Directory Group Policies; but with CipherTrust you also get the encryption aspect with a full and controlled separation of responsibilities.

    Company A was able to achieve their client’s security request; but at the same time, did not affect the team processes, autonomy, and control. At both levels, Company A IT and DevOps, it was a win – win situation.

- + \ No newline at end of file diff --git a/ciphertrust/blog/tags/hyok/index.html b/ciphertrust/blog/tags/hyok/index.html index bcc167e..5ee2922 100644 --- a/ciphertrust/blog/tags/hyok/index.html +++ b/ciphertrust/blog/tags/hyok/index.html @@ -5,15 +5,15 @@ One post tagged with "HYOK" | CipherTrust Learn - +

One post tagged with "HYOK"

View All Tags

· 5 min read
Scotti Woolery-Price

Note - this article was originally posted as a Thalesgroup blog on August 3, 2023 under the title "Cloud Key Management Solution for Azure, Azure Stack and M365." The video was added for this post.

Uncover Your Cybersecurity Blind Spots

Cybersecurity is a strategic risk that should be managed at the highest levels of an organization. In fact, the World Economic Forum’s Global Risk Report 2023 again ranked wide-spread cybercrime as a top-ten critical global threat. Of all the potential global risks to economies and societies including natural disasters, geopolitical conflict, energy supply, global debt and rising inflation, widespread cybercrime ranks #8 on both short term and long-term outlooks.

Ranking in the top ten critical global threats is eye-opening! To help mitigate the risk and unshroud organizational blind spots, today’s enterprises must look for leading-edge solutions that help with data governance and compliance.

Thales Solutions for Microsoft Azure, Azure Stack and M365

You can simplify the way your organization discovers, protects, and controls your sensitive data. With our platform, Thales has integrated the CipherTrust Cloud Key Management (CCKM) solution with Microsoft Azure, Azure Stack and Microsoft 365.

CCKM reduces your operational burden and increases efficiency. CCKM manages and synchronizes native keys, even if you have already created thousands of native cloud keys at your cloud provider. CCKM can help customers demonstrate compliance with internal, industry and national regulatory requirements so that you have the confidence to unblock sensitive workloads that may be stuck on-premises and move them to Azure.

CCKM Benefits:

  • Simplify compliance by taking control of your encryption keys and your data
  • Achieve cost savings using automated key lifecycle management
  • Single pane of glass to help eliminate security holes introduced by human error -- set policies to be applied consistently wherever data is stored
  • Support strategies for workload portability to increase operational resilience as part of a robust business continuity and disaster recovery plan
  • Support all major public clouds
  • Flexible deployment options: on-premises, hybrid cloud, and as a Service

“Thales is a global Microsoft partner focused on delivering solutions for Azure Cloud, Azure Stack and M365, on-premises storage systems, intelligent edge appliances, and cloud-based Microsoft Azure Services. They are working to help customers transform their businesses to drive digital transformation for people, organizations, and industries worldwide. CipherTrust Cloud Key Management has been verified against Microsoft key products, is available on the Azure Marketplace and is simple to adopt for Azure customers.” – David Nunez Tejerina, Principal Product Manager, Microsoft

Bring Your Own Key

With Thales’ Bring Your Own Key (BYOK) functionality, customers can maintain control of sensitive data using external key management services ensuring full encryption capabilities, key lifecycle management, and centralized key management across clouds, regions, accounts, subscriptions, projects, applications, org ids and more. CCKM helps manage native Azure keys, Standard/Premium Key Vaults as well as Managed HSM pools, in addition to BYOK. CipherTrust Manager as well as Luna Network HSM can be used as a key source.

Single Pane of Glass, Single Vendor

According to the Thales 2023 Data Threat Report, 93% of organizations use four or more key management solutions (includes enterprise key manager vendors and cloud provider key managers). CCKM manages all of your encryption keys across clouds and services with a single pane of glass from a trusted vendor.

CCKM integrated with Microsoft Azure, Azure Stack and Microsoft 365 increases efficiency by reducing the operational burden. Giving customers lifecycle control, centralized management within and among clouds, and unparalleled visibility of cloud encryption keys reduces key management complexity and operational costs. Thousands of keys and native key stores are difficult to manage manually, and organizations may be stretched to consistently apply key lifecycle management policies such as rotation, backup and role-based access management across their entire digital estate -- leading to security holes and failed audits. 99% of data breaches occur because of human error. You can shrink the threat surface introduced by human error when you use centralized automated key lifecycle management provided by CCKM.

Multi-Cloud Support

Organizations with multi-cloud are struggling to protect their sensitive data, because while cloud delivers a multitude of benefits these can often be offset by a multitude of challenges. It can also be very time consuming to manage the different native stores and native key management tools across different clouds and on-premises since there is no industry standard. Based on customer testimonials, CCKM can provide a 30x savings in time and cost in managing thousands of native key stores across hybrid multi-cloud environments which can free up IT teams to focus on other urgent business priorities. Operational Sovereignty

CCKM helps organizations to control their digital sovereignty across major public and government clouds including Microsoft Azure, Azure Government, Amazon Web Services, Google Cloud, Oracle Cloud, Salesforce and SAP. The solution enables you to run in different environments to support a strong business continuity plan. CCKM can provide an organization with a holistic view of where all key workloads and sensitive data are located.

Free Trial -Try Data Protection On Demand - 30-Day Free Evaluation

For more information see the Product Brief and Solution Brief

- +Try Data Protection On Demand - 30-Day Free Evaluation!

For more information see the Product Brief and Solution Brief.

+ \ No newline at end of file diff --git a/ciphertrust/blog/tags/index.html b/ciphertrust/blog/tags/index.html index b441f25..8f0390e 100644 --- a/ciphertrust/blog/tags/index.html +++ b/ciphertrust/blog/tags/index.html @@ -5,13 +5,13 @@ Tags | CipherTrust Learn - + - + \ No newline at end of file diff --git a/ciphertrust/blog/tags/key-management/index.html b/ciphertrust/blog/tags/key-management/index.html index 5d4d115..f3bccac 100644 --- a/ciphertrust/blog/tags/key-management/index.html +++ b/ciphertrust/blog/tags/key-management/index.html @@ -5,13 +5,13 @@ One post tagged with "key-management" | CipherTrust Learn - +

One post tagged with "key-management"

View All Tags

· 4 min read
Pranav Shikarpur

Your company has a ton of daily active users and you have this amazingly efficient architecture to process requests at scale, but your InfoSec team asks you to use a key manager — there are so many out there, which one do you choose?

There are various different types of key managers, but in this post, we’ll cover the three most common key managers:

  • Native Cloud Key Managers (Ex — AWS KMS, GCP KMS, Azure Key Vault, etc.)

  • External Key Managers (Ex — Thales CipherTrust Manager, etc.)

  • Hybrid Key Managers (Use the best of both worlds — Cloud managed services and external key managers)

First, the literal key to security — HSMs

HSM stands for “Hardware Security Module”. These are physical devices that are usually tamper resistant which store keys and perform encrypt, decrypt and other cryptographic operations.

HSMs are needed in secure environments such as healthcare or financial institutions where you need to pass compliances such as PCI DSS.

Now Let’s Compare

Let’s look at the pros and cons of each to help you decide what would work best for your organization.

Cloud Key Managers

Easy Integration with Cloud Managed Services

When using cloud key managers like AWS KMS (Key Management Service) it can be advantageous as you get the flexibility of AWS managing your keys as well as direct integration into your existing AWS managed services such as AWS S3, or AWS RDS (Relational Database Service), etc.

HSMs provisioned and managed by a cloud provider (most of the time 🤞)

Most famous cloud providers have HSMs that they use in their data centers which store your keys, so you don’t have to worry about renting an HSM.

❌ No Separation of Trust 🕵️‍♀️

Since your cloud provider now hosts and controls your data and encryption keys. Your user data might not be as safe anymore as the cloud provider with malicious intent could easily decrypt your user data. This does not help in creating a zero-trust architecture. While it’s true that your cloud provider has your best interest; there are always hackers lurking around the internet trying to get malicious access to your data, so it’s best to store data in an isolated environment.

External Key Managers

✅ Complete Separation of Trust

When running a product such as CipherTrust Manager, your architectures are zero-trust by default as 2 different entities have access to either your data or your keys and NOT both.

❌ Build your own custom integrations

Unless the key manager service has connectors, many-a-times, you would need to build your own connectors which could put a lot of engineering debt on your teams.

⚠️ Need to rent out your own HSM

You’d need to manage your own HSM, but fortunately, there are service providers that will rent out and manage the HSMs (just like a cloud provider) — so this is neither a pro nor a con. A great example of a hosted HSM is the Luna HSM.

Best of Both Worlds 🤔

Yes, it’s possible! To implement the best data security practices, you would want the ease of integration with cloud-managed services as well as complete separation of trust to isolate encryption keys from data. This method is also called BYOK (bring your own key).

You can do this with products such as CipherTrust Manager Cloud Key Manager. This offers:

✅ Direct connection with cloud-managed KMS account

Once you connect your AWS or GCP or Azure account to CipherTrust Manager as shown in the tutorial linked below, you will be able to manage keys directly from CipherTrust Manager and encrypt data on cloud-managed services.

✅ Key Lifecycle Management in a few clicks

In just a few clicks you can setup key rotation which will rotate your keys every few months and provide the best data security standards for your organization.

How do I implement this?

Luckily, it’s easy to implement in 3 simple steps. Here’s a tutorial I made that demos connecting CipherTrust Manager to my AWS KMS (Key Management Service) account and encrypt my AWS managed services such as S3 and RDS.

Now go ahead and encrypt all your cloud-managed services using this hybrid BYOK approach!

If you have any issues with implementation or questions about data encryption, go to the CipherTrust community and post a quesiton.

- + \ No newline at end of file diff --git a/ciphertrust/docs/category/connectors/index.html b/ciphertrust/docs/category/connectors/index.html index 471eb95..e6e7b14 100644 --- a/ciphertrust/docs/category/connectors/index.html +++ b/ciphertrust/docs/category/connectors/index.html @@ -5,13 +5,13 @@ Connectors | CipherTrust Learn - + - + \ No newline at end of file diff --git a/ciphertrust/docs/category/deploy-ciphertrust-platform/index.html b/ciphertrust/docs/category/deploy-ciphertrust-platform/index.html index 725dce8..33619f2 100644 --- a/ciphertrust/docs/category/deploy-ciphertrust-platform/index.html +++ b/ciphertrust/docs/category/deploy-ciphertrust-platform/index.html @@ -5,13 +5,13 @@ Deploy CipherTrust Platform | CipherTrust Learn - + - + \ No newline at end of file diff --git a/ciphertrust/docs/category/key-manager/index.html b/ciphertrust/docs/category/key-manager/index.html index c9912ec..9d3902d 100644 --- a/ciphertrust/docs/category/key-manager/index.html +++ b/ciphertrust/docs/category/key-manager/index.html @@ -5,13 +5,13 @@ Key Manager | CipherTrust Learn - + - + \ No newline at end of file diff --git a/ciphertrust/docs/connectors/cte-for-k8s/index.html b/ciphertrust/docs/connectors/cte-for-k8s/index.html index ac51cd1..bd4f6f2 100644 --- a/ciphertrust/docs/connectors/cte-for-k8s/index.html +++ b/ciphertrust/docs/connectors/cte-for-k8s/index.html @@ -5,7 +5,7 @@ Transparent Encryption for Kubernetes | CipherTrust Learn - + @@ -15,7 +15,7 @@ Create a K8s Policy

  • Permissions to set

    • Action: all_ops
    • Effect: permit, audit, applykey
  • Create a new CBC-CS1 key, and bind it to the resource set cte-k8s-resource-set Policy list

  • Finally, click on Create Policy!

    Configure an NFS volume to protect your file system

    • Create a shared folder for the NFS
    sudo mkdir –p /usr/nfs/cte-k8s
    • Specify the share location to export
    sudo vim  /etc/exports

    ## Add the following line to the file
    /usr/nfs/cte-k8s *(rw,sync,no_root_squash)

    Save the file and run

    sudo exportfs –a

    Start the NFS service

    sudo systemctl enable nfs && \
    sudo systemctl start nfs && \
    sudo systemctl enable rpcbind && \
    sudo systemctl start rpcbind

    Configure the NFS volume in the Kubernetes cluster

    Create the following files

    nfs-pv.yml
    apiVersion: v1
    kind: PersistentVolume
    metadata:
    name: nfs-test-pv
    spec:
    capacity:
    storage: 1Gi
    accessModes:
    - ReadWriteMany
    storageClassName: nfs
    persistentVolumeReclaimPolicy: Retain
    mountOptions:
    - hard
    - nfsvers=4.0
    nfs:
    path: /usr/nfs/cte-k8s/
    server: 10.10.10.7
    nfs-claim.yml
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
    name: nfs-test-claim
    spec:
    storageClassName: nfs
    accessModes:
    - ReadWriteMany
    resources:
    requests:
    storage: 1Gi

    Update the following files accordingly

    cte-csi-storageclass.yaml
    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
    name: cte-k8s-storage-class
    provisioner: csi.cte.cpl.thalesgroup.com
    reclaimPolicy: Delete
    volumeBindingMode: Immediate
    allowVolumeExpansion: true
    parameters:
    # Domain name or IP address of the CiperTrust Manager (Required)
    key_manager_addr: <CM_INSTANCE_IP> #This IP address is the CM internal IP address
    # Name of the CipherTrust Manager K8s Storage Group. (Required)
    k8_storage_group: cte-k8s-storage-group
    # Kubernetes Secret with CM registration token (Required)
    registration_token_secret: demo #This name needs to be the same name of the registration token in CM

    client_description: "Azure CTE k8s client"
    # Time in minutes to wait before unregistering from the CiperTrust Manager
    # once all volumes have been unguarded. Parameter must be added as a string
    # integer value. Default "10" minute. (Optional)
    registration_period: "10"
    cte-csi-regtoken.yaml
    apiVersion: v1
    kind: Secret
    metadata:
    name: demo #This is the name of the registration tokens from CM dashboard for CTE k8s
    type: Opaque
    data:
    # This is a base64 encoded registration token. To generate:
    # echo <CM REGISTRATION TOKEN STRING> | base64 -w 0
    registration_token: <YOUR_REG_TOKEN>
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
    name: cte-claim
    annotations:
    # CTE for Kubernetes GuardPolicy name. This GuardPolicy is located on the
    # CipherTrust Manager and should match a policy name available on the
    # storage class for this PVC. (Required)
    csi.cte.cpl.thalesgroup.com/policy: policy1
    # Name of the unprotected source PVC that will be protected by this CTE-PVC.
    # (Required)
    csi.cte.cpl.thalesgroup.com/source_pvc: nfs-test-claim
    spec:
    storageClassName: cte-k8s-storage-class
    accessModes:
    - ReadWriteMany
    resources:
    requests:
    # This parameter is required by Kubernetes but ignored by CTE-CSI.
    storage: 1Gi
    cte-csi-demo-pod.yml
    apiVersion: v1
    kind: Pod
    metadata:
    name: cte-csi-demo
    spec:
    volumes:
    - name: test-vol
    persistentVolumeClaim:
    claimName: cte-claim
    containers:
    - name: ubuntu
    image: ubuntu
    volumeMounts:
    - mountPath: "/data"
    name: test-vol
    command:
    - "sleep"
    - "604800"
    imagePullPolicy: IfNotPresent
    restartPolicy: Always

    Deploy all YAML files

    kubectl apply -f nfs-pv.yaml
    kubectl apply -f nfs-claim.yaml
    kubectl apply -f cte-csi-regtoken.yaml
    kubectl apply -f cte-csi-storageclass.yaml
    kubectl apply -f cte-csi-claim.yaml
    kubectl apply -f cte-csi-demo-pod.yaml

    Verify deployment status

    kubectl get all
    kubectl get pod, pv, pvc
    kubectl get pod –namespace=kube-system

    Get Pod, PV, and PVC details

    kubectl describe pod <pod name>
    kubectl describe pv <pv name>
    kubectl describe pvc <pvc name>

    Now your data should be secured by CTE for K8s connector. You can verify this by going into the pod and creating a new file in the /data folder and verify that it is encrypted on the NFS from your local system.

    - + \ No newline at end of file diff --git a/ciphertrust/docs/connectors/data-encryption-in-transit-docker/index.html b/ciphertrust/docs/connectors/data-encryption-in-transit-docker/index.html index aaa910c..bf24fe4 100644 --- a/ciphertrust/docs/connectors/data-encryption-in-transit-docker/index.html +++ b/ciphertrust/docs/connectors/data-encryption-in-transit-docker/index.html @@ -5,14 +5,14 @@ Data Protection Gateway | CipherTrust Learn - +
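Review bot: The `kubectl apply` block applies `nfs-pv.yaml`, `nfs-claim.yaml`, `cte-csi-claim.yaml` and `cte-csi-demo-pod.yaml`, but the manifests the reader was told to create are named `nfs-pv.yml`, `nfs-claim.yml` and `cte-csi-demo-pod.yml`, and the `cte-claim` PersistentVolumeClaim manifest is shown with no file name at all, so the commands fail as written. The shell lines also use a typographic dash in `sudo mkdir –p`, `sudo exportfs –a` and `kubectl get pod –namespace=kube-system`, which the shell does not treat as an option prefix; these should be plain `-p`, `-a` and `--namespace`, and `kubectl get pod, pv, pvc` needs its spaces removed (`kubectl get pod,pv,pvc`). On the NFS side, `/usr/nfs/cte-k8s *(rw,sync,no_root_squash)` grants root-equivalent write access to every host that can reach the server; even for a demo it is worth scoping the export, e.g. `/usr/nfs/cte-k8s <NODE_CIDR>(rw,sync,no_root_squash)` with the cluster node range filled in, and stating why `no_root_squash` is required by the CSI driver if it is. Since this page is Docusaurus build output, the fix belongs in the markdown source it is generated from.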

    Data Protection Gateway

    This demo shows how you can use a tool like CipherTrust Data Protection Gateway and do field level data encryption with no change to your application's code.

    Pre-requisites

    How does it work?

    Step 1 - Add side-car container

    You need to deploy a sidecar container or an agent that proxies all your requests to your container.

    It looks something like this if you use docker-compose. Note - You can use DPG and CipherTrust manager with any other Kubernetes or Helm deployment.

    docker-compose.yml
    version: '3.1'

    services:
    ciphertrust:
    image: thalesgroup/ciphertrust-data-protection-gateway:latest
    container_name: ciphertrust
    environment:
    - REG_TOKEN=<YOUR_DPG_REG_TOKEN>
    - DESTINATION_URL=http://nextjs:3000
    - DPG_PORT=9005
    - TLS_ENABLED=false
    - KMS=<YOUR_CM_IP>
    ports:
    - 80:9005

    Step 2 - Configure DPG policies

    Setup DPG policies in CipherTrust Manager to encrypt the fields that are encrypted for your POST requests and add a decrypt policy for your HTTP "GET" requests.

    This ensures that the proxy takes care of the encryption and decryption and the database finally ONLY gets encrypted data.

    dpg policy example

    Step 3 - Sit Back and Relax

    Let CipherTrust Manager do all the magic for you while you focus on building great applications.


    For any questions or to request a tutorial check out our community forum.

    - + \ No newline at end of file diff --git a/ciphertrust/docs/deploy/aws/index.html b/ciphertrust/docs/deploy/aws/index.html index 8bd6fe9..342a850 100644 --- a/ciphertrust/docs/deploy/aws/index.html +++ b/ciphertrust/docs/deploy/aws/index.html @@ -5,13 +5,13 @@ Amazon Web Services | CipherTrust Learn - +

    Amazon Web Services

    Deploy CipherTrust Manager CE on Amazon Web Services in under 5 mins

    Get started with CipherTrust Manager Community Edition on Azure you must first deploy the server from the AWS cloud marketplace using Terraform

    Using Terraform

    Pre-requisite Installations

    You need to install the following packages to follow along with this tutorial.

    Terminal
    git clone https://github.com/ThalesGroup/learn-ciphertrust.git
    cd learn-ciphertrust/deploy/terraform/aws/

    2. Login to AWS CLI

    Terminal
    aws configure

    3. Initialize Terraform Modules

    Terminal
    terraform init

    4. Plan and Apply Terraform Configurations

    Terminal
    terraform apply

    For any questions or to request a tutorial check out our community forum.

    - + \ No newline at end of file diff --git a/ciphertrust/docs/deploy/azure/index.html b/ciphertrust/docs/deploy/azure/index.html index 0f99dad..5f4df00 100644 --- a/ciphertrust/docs/deploy/azure/index.html +++ b/ciphertrust/docs/deploy/azure/index.html @@ -5,13 +5,13 @@ Azure | CipherTrust Learn - +
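Review bot: The AWS page's opening sentence reads "Get started with CipherTrust Manager Community Edition on Azure you must first deploy the server from the AWS cloud marketplace", so the provider name is wrong and the sentence is missing its leading "To"; the GCP page two hunks down has the same sentence. The Azure and GCP pages that follow also change into `cd learn-ciphertrust/deploy/terraform/aws/` after cloning, which presumably should be each provider's own directory (`.../terraform/azure/`, `.../terraform/gcp/`) if those exist in the repository. Suggested wording for this page: `To get started with CipherTrust Manager Community Edition on AWS you must first deploy the server from the AWS cloud marketplace using Terraform`. These files are generated HTML, so the fix belongs in the markdown sources they are built from.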

    Azure

    Deploy CipherTrust Manager CE on Azure in under 5 mins

    To get started with CipherTrust Manager Community Edition on Azure you must first deploy the server from the Azure cloud marketplace either using Terraform or directly through the Azure Web Console

    Using Terraform

    Pre-requisite Installations

    You need to install the following packages to follow along with this tutorial.

    Terminal
    git clone https://github.com/ThalesGroup/learn-ciphertrust.git
    cd learn-ciphertrust/deploy/terraform/aws/

    2. Login to Azure CLI

    Terminal
    az login

    3. Initialize Terraform Modules

    Terminal
    terraform init

    4. Plan and Apply Terraform Configurations

    Terminal
    terraform apply

    For any questions or to request a tutorial check out our community forum.

    - + \ No newline at end of file diff --git a/ciphertrust/docs/deploy/gcp/index.html b/ciphertrust/docs/deploy/gcp/index.html index 7d4837a..dc86559 100644 --- a/ciphertrust/docs/deploy/gcp/index.html +++ b/ciphertrust/docs/deploy/gcp/index.html @@ -5,13 +5,13 @@ Google Cloud Platform | CipherTrust Learn - +

    Google Cloud Platform

    Deploy CipherTrust Manager CE on Google Cloud Platform in under 5 mins

    Get started with CipherTrust Manager Community Edition on Azure you must first deploy the server from the GCP cloud marketplace using Terraform

    Using Terraform

    Pre-requisite Installations

    You need to install the following packages to follow along with this tutorial.

    Terminal
    git clone https://github.com/ThalesGroup/learn-ciphertrust.git
    cd learn-ciphertrust/deploy/terraform/aws/

    2. Login to GCloud CLI

    Terminal
    gcloud init

    3. Initialize Terraform Modules

    Terminal
    terraform init

    4. Plan and Apply Terraform Configurations

    Terminal
    terraform apply

    For any questions or to request a tutorial check out our community forum.

    - + \ No newline at end of file diff --git a/ciphertrust/docs/intro/index.html b/ciphertrust/docs/intro/index.html index 5d40d8c..5267a9f 100644 --- a/ciphertrust/docs/intro/index.html +++ b/ciphertrust/docs/intro/index.html @@ -5,14 +5,14 @@ Getting Started | CipherTrust Learn - +

    Getting Started

    Let's discover CipherTrust Manager in less than 5 minutes.

    Deploy CipherTrust Manager CE

    To be able to start using CipherTrust Manager, you must first deploy the product on any cloud platform. Follow the following guides to deploy CipherTrust Manager on:

    After deploying CipherTrust Manager

    After deploying CipherTrust Manager, you can immediately start integrate data encryption into your applications using:

    • CipherTrust Manager API
    • Data Protection Gateway
    • Transparent Encryption for Kubernetes

    Some Demos to Check Out

    Go to the next page to learn how to deploy CipherTrust manager on your Cloud Provider.

    - + \ No newline at end of file diff --git a/ciphertrust/docs/key-manager/aws-kms/index.html b/ciphertrust/docs/key-manager/aws-kms/index.html index 4884473..b604c2f 100644 --- a/ciphertrust/docs/key-manager/aws-kms/index.html +++ b/ciphertrust/docs/key-manager/aws-kms/index.html @@ -5,7 +5,7 @@ Encrypt RDS with AWS KMS | CipherTrust Learn - + @@ -19,7 +19,7 @@ Once you've successfully created the key, you should see a screen similar to this. CCKM AWS success key creation image

    That's it, now you can use this newly created key in any AWS services.

    (Optional) Step 4 - Encrypt AWS S3 bucket with the keys from CipherTrust

    When you create a new AWS S3 bucket on the AWS console, under Encryption configuration, you should see the new key we just created on CipherTrust Select Encryption Key AWS S3

    That's it, now every file uploaded to the newly created S3 bucket will be encrypted with our key managed on CipherTrust Manager.


    For any questions or to request a tutorial check out our community forum.

    - + \ No newline at end of file diff --git a/ciphertrust/docs/key-manager/build-a-totp-tutorial/index.html b/ciphertrust/docs/key-manager/build-a-totp-tutorial/index.html index ec57db0..cc1a90e 100644 --- a/ciphertrust/docs/key-manager/build-a-totp-tutorial/index.html +++ b/ciphertrust/docs/key-manager/build-a-totp-tutorial/index.html @@ -5,14 +5,14 @@ Build a TOTP service | CipherTrust Learn - +

    Build a TOTP service

    Use the top-notch security that CipherTrust Manager provides to build a time-based OTP service for your users' multi-factor authentication.

    Time-based OTPs are a popular version of multi-factor authentication (MFA) used in many services today. The concept of generating them is simple, yet a single blunder could risk all your user's accounts.

    How do Time-based OTPs work?

    Source Twilio.com Image Source: twilio.com

    Time-based OTP's work on a simple concept. When a users sets it up, the device (such as Google Authenticator, Authy, etc) and the server share a secret key. The key is then hashed with the time and the same code can be generated on the server and the user's client device.

    Single Point of Failiure

    If a bad actor gains access to the servers or databases where you store all the secret keys used to generate the OTPs, now all your users accounts could get compromised!

    How do we fix this 👉 Use a KEY MANAGER

    Key Managers like the CipherTrust Platform are designed to store cryptographic keys very securely. This demo is an example where I use the CipherTrust platform to store keys and generate time based OTP codes.

    Quick Start

    This tutorial assumes that you've already setup the CipherTrust Platform. If not, check out our other step-by-step tutorials that show you how to deploy CipherTrust.

    Step 1 - Clone the demo

    Clone the demo project from the learn-ciphertrust repository

    Terminal
    git clone https://github.com/ThalesGroup/learn-ciphertrust.git && cd learn-ciphertrust/learn/key-management/totp-demo/

    Step 2 - Install the required packages

    The important packages that are necessary for this demo:

    • jsonwebtoken - helps authenticate with the CipherTrust Platform's APIs.
    • otplib - JavaScript implementation of the cryptographic timebased-otp standard (AKA - the library that calculates the one time code for the next 30 secs)
    Terminal
    npm install

    Step 3 - Configure your CipherTrust credentials in the .env file

    Terminal
    cp .env.example .env

    Now update the .env file with your CipherTrust credentials.

    Step 3 - Run dev server

    Spin up the demo

    Terminal
    npm run dev

    Breaking down the demo

    Now that you've got the demo setup and played around with it, let's understand how it works. The demo application involves 3 important code-blocks.

    Autheticating with CipherTrust Platform's APIs

    Create a JWT (JSON Web Token) to be able to authenticate and communicate with the CipherTrust Platform's APIs.

    ./src/utils/create-jwt.js
    import axios from "axios";

    // `createJWT` is a helper function that creates a JWT.
    // This function must only called on the server.
    // If you call it on the client-side you will expose your username and password in every request. DO NOT DO THIS. Just use it in a server-side API call.
    async function createJWT() {
    const response = await axios.post(
    `${process.env.CTM_URL}/api/v1/auth/tokens`,
    {
    username: process.env.CTM_USERNAME,
    password: process.env.CTM_PASSWORD,
    }
    ).catch(err => {
    console.error(err);
    res.status(502).send(err.toString());
    });

    const token = response.data.jwt;

    return token
    }

    export default createJWT;
    info

    Remember to replace process.env.CTM_USERNAME and process.env.CTM_PASSWORD with your CipherTrust Manager username and password or update it in your the .env file

    Creating and Exporting Cryptographic keys

    To initiate the time-based OTP setup, a symmetric key (such as AES256) would be needed, so over here, we create and export a new key on the CipherTrust Platform using the API.

    ./src/utils/create-jwt.js
    import axios from 'axios';

    async function createKey(keyname, jwt) {
    // /api/create-key-proxy rewrites to https://<your_ciphertrust_url>/api/v1/vault/keys2
    // This is done to avoid CORS errors thrown by the browser in the client side.
    const response = await axios.post(
    `/api/create-key-proxy`,
    {
    "name": keyname,
    "algorithm": "aes",
    },
    {
    headers: {
    "Authorization": `Bearer ${jwt}`
    }
    }
    ).catch(err => {
    console.error("Error creating key: ", err);
    return false
    })

    // Export key from CipherTrust Manager
    // /api/export-key-proxy/<keyId> rewrites to https://<your_ciphertrust_url>/api/v1/vault/keys2/<keyId>/export
    // This is done to avoid CORS errors thrown by the browser in the client side.
    const exportResponse = await axios.post(
    `/api/export-key-proxy/${keyname}`,
    {},
    {
    headers: {
    "Authorization": `Bearer ${jwt}`
    }
    }
    ).catch(err => {
    console.error("Error exporting key: ", err);
    return false;
    })

    return exportResponse.data.material;


    }

    export { createKey };

    Then we load that key into a QR code using the otplib library. Now we have finished setting up a TOTP service using the secure CipherTrust platform as our key manager.

    - + \ No newline at end of file diff --git a/ciphertrust/docs/key-manager/cs-object-storage/index.html b/ciphertrust/docs/key-manager/cs-object-storage/index.html index c7d4c59..569e3b4 100644 --- a/ciphertrust/docs/key-manager/cs-object-storage/index.html +++ b/ciphertrust/docs/key-manager/cs-object-storage/index.html @@ -5,13 +5,13 @@ Client Side Object Storage Encryption for S3 | CipherTrust Learn - +
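Review bot: In `createJWT` (the snippet captioned `./src/utils/create-jwt.js`) the `.catch` handler calls `res.status(502).send(err.toString())`, but no `res` is in scope in that function, so a failed token request ends in a ReferenceError instead of a handled error, and because the handler returns nothing the following `response.data.jwt` would throw anyway. The same handler appears in `encryptData` in the cs-object-storage hunk that follows, and the commented-out `// res.status(...)` variant of `createJWT` there still leaves `response` undefined on failure. The simplest fix in both places is to drop the `.catch` so the awaited rejection propagates to the API route's own error handling, or to rethrow with context: `.catch((err) => { throw new Error('CipherTrust request failed', { cause: err }); })`. `createKey` has the same shape: its first `.catch` returns `false` but execution continues into the export call and into `exportResponse.data.material`, which throws when the export failed. The caption above `createKey` reads `./src/utils/create-jwt.js`, the same path as the JWT helper, which looks like a copy-paste slip; all of these fixes belong in the markdown source this page is built from.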

    Client Side Object Storage Encryption for S3

    Encrypt your files on the client side before sending them to your S3 buckets with just 3 blocks of code.

    Step 1: Authenticate with CipherTrust Manager

    /api/get-jwt.js
    // `createJWT` is a helper function that creates a JWT.
    // This function must only called on the server.
    // If you call it on the client-side you will expose your username and password in every request. DO NOT DO THIS. Just use it in a server-side API call.
    async function createJWT() {
    const response = await axios.post(
    `${process.env.CTM_URL}/api/v1/auth/tokens`,
    {
    username: process.env.CTM_USERNAME, // Add CipherTrust manager username to environment
    password: process.env.CTM_PASSWORD, // Add CipherTrust manager password to environment
    }
    ).catch(err => {
    console.error(err);
    // res.status(502).send(err.toString());
    });

    const token = response.data.jwt;

    return token
    }
    info

    Remember to replace process.env.CTM_USERNAME and process.env.CTM_PASSWORD with your CipherTrust Manager username and password.

    Step 2: Encrypt Data using CipherTrust Manager API

    /api/encrypt.js
    async function encryptData(file, jwt) {
    const fileBase64 = (await getBase64(file)).split(",")[1];
    const cipherText = await axios.post(
    // We are using an encrypt proxy because calling the API from the browser will cause a CORS error. The encrypt proxy will point your API request to the Ciphertrust manager Crypto API.
    `/api/encrypt-proxy`, {
    id: "s3-encrypt-symmetric-key",
    plaintext: fileBase64,
    add: "YXV0aGVudGljYXRl"
    }, {
    // Pass the JWT as a Bearer token.
    headers: {
    Authorization: `Bearer ${jwt}`
    }
    }).catch(err => {
    console.error(err);
    res.status(502).send(err.toString());
    });

    return cipherText.data;
    }

    Now you can upload this cipher text to AWS S3, Azure Blob Storage or any other object storage.

    Step 3: Decrypt Data

    /api/decrypt.js
    async function decryptData(encryptedData, jwt) {
    const plainText = await axios.post(
    `/api/decrypt-proxy`, {
    ...encryptedData,
    add: "YXV0aGVudGljYXRl"
    }, {
    // Pass the JWT as a Bearer token.
    headers: {
    Authorization: `Bearer ${jwt}`
    }
    }).catch(err => {
    console.error(err);
    });


    return plainText.data;
    }

    For any questions or to request a tutorial check out our community forum.

    - + \ No newline at end of file diff --git a/ciphertrust/index.html b/ciphertrust/index.html index fe0c2de..7728053 100644 --- a/ciphertrust/index.html +++ b/ciphertrust/index.html @@ -5,13 +5,13 @@ CipherTrust Platform Tutorials | CipherTrust Learn - +

    Reduce Drag of Adding Data Security

    CipherTrust Platform Community Edition allows you to deploy data protection – in minutes instead of weeks

    Try Now

    Self-managed | Always Free

    Watch Demo

    Self-managed | Always Free

    Tools Built to Reduce Drag on Velocity

    Data In-Transit (using Data Protection Gateway)

    Learn how CipherTrust with the Data Protection Gateway (DPG) connector can keep data in transit secure without the need to edit application source code.

    CipherTrust Transparent Encryption for Kubernetes (CTE for K8’s)

    See how to quickly encrypt data on the client side and upload it to your favorite cloud storage provider without worrying about cloud key management solutions.

    Centralize Management of Keys and Policies

    Extend or customize your website layout by reusing React. Docusaurus can be extended while reusing the same header and footer.

    3 Steps To Secure Data

    • Deploy on Any Cloud Provider

      We have marketplace images and terraform configurations for AWS, Google Cloud Platform and Azure.

    • Centralize Key Management

      Use our extensive platform to store and centralize your key management.

    • Integrate Connectors and Secure Data

      Use our vast set of connectors to start securing your data seamlessly

    - + \ No newline at end of file diff --git a/sitemap.xml.gz b/sitemap.xml.gz index 853c050e2fd598b238fe7f9ddf3632dd32ce5b98..13a05a802d10c407daf808d8a442e6c82f4e8aeb 100644 GIT binary patch delta 14 VcmaFP_?(eVzMF$1|Jy{ihX5v01#SQU delta 14 VcmaFP_?(eVzMF&N_M?ex4*@711;zjX
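Review bot: The third feature card under "Tools Built to Reduce Drag on Velocity" still carries the Docusaurus starter text "Extend or customize your website layout by reusing React. Docusaurus can be extended while reusing the same header and footer.", which does not describe "Centralize Management of Keys and Policies". The card titled "CipherTrust Transparent Encryption for Kubernetes (CTE for K8's)" is described with the client-side object-storage blurb ("quickly encrypt data on the client side and upload it to your favorite cloud storage provider"), so title and description appear mismatched. Both belong in the site's source rather than in this build output.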