Data Security and Key Management - Thales e-Security

nShield Remote Administration

Remote Admin

 

nShield Remote Administration

Manage your distantly deployed nShield HSMs from where you are, when you choose.


nShield HSMs often run in physically secure, lights-out data centers in locations distant from the people who manage them. Many organizations find it impractical to gain access to their remote HSMs for routine management tasks. Remote Administration lets you manage your HSMs—including adding applications, upgrading firmware, checking status, and more—from your location, and whenever you choose. This means far less travel to data centers, helping you cut costs and optimize your resources.

Benefits of nShield Remote Administration

  • Eliminates travel to data centers, cutting costs and saving time
  • Reduces downtime
  • Eliminates the risk of carrying cards to remote locations
  • Provides 24 x 7 access to nShield HSMs

Remote Administration is versatile and works with nShield Connect and Solo HSMs. Remote Administration Client software, running in your local office, supports Windows, Linux, and OS X.

 nshield remote admin thumb  Download the nShield Remote Administration Data Sheet

nShield Remote Administration Features

Security Features

Remote Administration was designed with security paramount among its attributes, and incorporates the following functions to safeguard your transactions:

  • Authentication between Remote Administration Cards (smart cards) & HSM
    • Remote Administration Cards (in the local office) and the target HSM mutually authenticate by recognizing each other’s factory-issued warrants (like digital certificates)
  • HSM verification
    • Card-holder confirms the electronic serial number of the HSM
  • User authentication
    • Quorum of card-holders must present passphrases in the presence of a Security Officer, the same as if physically present with the HSM
  • VPN channel
    • Communication between the local workstation and remote HSM secured via VPN and runs over a remote desktop (RDP) or secure shell session
  • FIPS 140-2 certification
    • The Remote Administration Cards and the firmware supporting Remote Administration are FIPS 140-2 Level 3 certified. See specifications tab for details.
  • Firewall protection
    • Trusted Verification Devices (secure card readers) equipped with a firewall to help deter malware from the laptop

Operational Features

Remote Administration allows the vast majority of functions that are otherwise performed in the physical presence of your HSM to be carried out remotely, letting you do the following from the location of your choice:

  • Configure new HSMs once installed in data center—less time in the data center, and security officers needn’t be present—lower overhead
  • Add new HSM applications
  • Upgrade firmware and software for maintenance and other updates
  • Monitor HSM status and re-boot
  • Perform both Operator and Administrator management tasks
  • Easily navigate functions using a simple GUI on the Remote Administration Client (RAC) software


nShield Remote Administration Options 


Remote Administration Starter Kits

Remote Administration Starter Kits enable Remote Administration on nShield Solo and Connect HSMs (standard and plus models). The kits can be used to either upgrade an existing nShield HSM or enable the feature on new purchases.

The kits contain one or more Trusted Verification Devices (TVDs) (secure card readers), Remote Administration Cards (smart cards), and Remote Administration Client software and a license. Kits are sized and priced according to tiers based on the number of HSMs in the estate. The diagram below shows the quantities of Remote Administration Cards and TVDs for each tiered kit.

 

Upgrade Kits

As HSM estates grow, upgrade kits allow customers to migrate to a higher tier by providing additional TVDs, Remote Administration Cards, Remote Administration Client software and licenses. Customers can purchase kits to upgrade from Tier 1 to 2, from Tier 2 to 3, and from Tier 3 to 4.

Replacement Items

The following items are available for purchase once Remote Administration has been activated, and while the number of HSMs remain in the same tier (for instance, to replace lost or damaged items).

Remote Administration Cards

nShield Cards

Trusted Verification Devices

nShields front USB

Software CD (Remote Administration Client)

Thales CD


nShield Remote Administration Specifications

nShield HSMs

Remote Administration works with Solo and Connect nShield HSMs. Remote Administration does not support legacy nShield Solo PCIs.

Remote Administration Client OS compatibility

The Remote Administration Client software, the user interface running locally, is compatible with Windows, Linux, and OS X operating systems.

nShield software compatibility

Remote Administration must be used with v12.xx software and accompanying firmware*. V12.xx can be upgraded from the software versions listed below. (Earlier versions of software will need to be upgraded to these versions before upgrading to v12.xx.)

  • nShield Solo and Connect v11.40 or later
  • nShield Solo+ and Connect+ v11.70 or later (firmware v2.51.10)

Note: nShield Edge is designed as a local HSM and is not compatible with Remote Administration.

FIPS certifications

  • The firmware supporting Remote Administration is FIPS 140-2 Level 3 Certified. NIST listings: Certs 2638, 2640, 2641, 2643, 2644 on csrc.nist.gov.
  • Remote Administration Cards are FIPS 140-2 Level 3 certified. NIST listing: Cert 2764 on csrc.nist.gov.

Related Products