Data Security and Key Management - Thales e-Security




Flexible monitoring and management of all HSMs across all locations

Top 10 reasons HSM monitoring helps you avoid outages

CipherTrust from Thales e-Security is a comprehensive HSM monitoring and management platform that gives network operations teams 24 x 7 visibility into the operational status of all HSMs across all locations without the need for any human intervention. HSMs can now be monitored in a similar way to general IT equipment in data centers. Designed with both security and flexibility in mind, Thales CipherTrust addresses two primary challenges faced by today's organizations: how to inspect HSMs across multiple data centers in a cost-effective and efficient manner, and how to get early warning of a potential security, configuration or utilization issue that may compromise the mission-critical infrastructure.

Core status and activities captured by CipherTrust include information on tamper events, individual device configuration and performance utilization, keeping users fully informed while helping them proactively respond to potential issues using complementary Thales HSM management tools. Users obtain alerts and warnings directly from CipherTrust via email or via their own Security Information and Event Management (SIEM) tool, which is kept up to date every minute by CipherTrust. The result is a dramatic increase in real-time visibility of HSM operation, along with early warning of potential issues likely to impact the security and operational efficiency of the complete HSM infrastructure.

Thales HSM management tools such as payShield Manager complement CipherTrust by enabling security teams to manage and make configuration changes to any of the HSMs as a result of information delivered via CipherTrust. The first version of CipherTrust is designed for use with payShield HSMs. Future versions will support additional Thales products including the Thales nShield multi-purpose HSM family.

Benefits of CipherTrust

  • Provides 24 x 7 visibility on all HSMs
  • Identifies performance bottlenecks to improve capacity planning
  • Facilitates proactive HSM management responses to potential issues through automatic alerts
  • Reduces costs through background remote operation without human intervention
  • Works seamlessly with existing HSM hardware and software configurations

CipherTrust Features

Security Features 

  • Web server certificate management providing strong authentication as part of the session establishment between the client browser and the CipherTrust application.
  • Clear segregation of roles and responsibilities for Administrators and Group Managers supporting the overall organizational security policy for the HSM groups
  • Implementation of a strong password policy for all system users including control of expiry and automatic logout duration.
  • Inclusion of out-of-band messaging using a one-time-password (OTP) as part of the security process involved when setting up a new user on the system
  • Flexibility to choose the most appropriate algorithms for authentication and privacy to support the SNMPv3 messaging utilized by the HSM in its communications with CipherTrust

Operational Features

  • Implements 24 x 7 automatic monitoring without the need for any human intervention, with the additional benefit of user-definable thresholds for alerts and warnings.
  • Delivers automatic alerts by syslog and/or email as requested covering a wide range of activities including security issues, HSM health status and utilization at both individual device and group level.
  • Avoids the need to visit data centers to manually inspect the operational status and configuration of HSMs, thereby saving time and money and providing both instantaneous and on-demand visibility on all HSMs.
  • Provides immediate notification of any unexpected changes to the configuration of any HSM, facilitating a proactive response and corrective action if necessary.
  • Filters data specific to each authorized CipherTrust user, enabling Administrators and Group Managers to process only the alerts and warnings appropriate to their area of responsibility.

CipherTrust Options and Accessories

CipherTrust Installation DVD

The CipherTrust application is supplied as an Open Virtual Appliance (OVA) to run on supported Virtual Machine (VM) configurations. Thales enables its users to download the latest version of the application from its support website. As an alternative, users can order the application for delivery on a DVD.

Additional endpoint licenses

The basic system provides the ability to monitor up to 5 HSMs. Users can add additional endpoint licenses at any time in steps of 5, 10, 20 or 50. The resultant count is always cumulative and the additional licenses can be applied in any order.

CipherTrust Specifications 

Solution components

  • DVD comprising CipherTrust application as an Open Virtual Appliance (OVA) compatible with selected vSphere ESXi Hypervisor, VMware Player and VMware Workstation virtual platforms
    • Download of VM image supported as alternative to DVD approach
  • Utilizes user-supplied DNS/DHCP server for IP assignment
  • Web based management interface and command line interface (CLI)
    • Firefox and Internet Explorer browser support
  • Flexible endpoint licensing mechanism supporting up to 200 HSMs

HSM Compatibility

  • payShield 9000 with base or custom software version 1.0 or later with SNMPv3 messaging enabled

Virtual Appliance minimum specification

  • 2 CPUs with 2 cores each
  • 8 GB RAM
  • Thin provisioned hard drives
  • Compatible with ESXi 5.1 and later (VM Version 9)

Role-based access control

  • Supports two distinct roles – Administrator and Group Manager
  • Distinct set of tasks applicable to each role supporting clear separation of duties
  • Enhances security in terms of configuration and administration for overall CipherTrust system

Administrator role

  • Create additional users
  • Create groups of HSMs
  • Assign roles to users
  • Configure and commission system
  • View and monitor group level performance statistics and alerts
  • View and manage system level alerts and events

Group Manager role

  • Enroll HSMs into groups
  • Enable / disable monitoring of specific devices
  • Respond to issues reported on HSM status, utilization and health status
  • View and monitor performance statistics and alerts at both group and device level
  • View individual device details for in-depth analysis
  • Run pre-defined or custom reports for either groups or individual HSMs

Central monitoring capabilities

  • Refreshes utilization statistics for all HSMs on a per minute basis
  • Provides series of warnings based on user defined thresholds
  • Delivers critical alerts based on independent user-defined thresholds
  • Allows users to define the time period for in-depth analysis (last hour, 24 hours, 7 days, 30 days or custom)
  • Delivers alarms via email and remote syslog server
    • Tamper events
    • Fraud detection
    • PIN attacks
    • Services (UDP, TCP etc)


Security features

  • Web server certificate management providing client browser to CipherTrust authentication as part of session establishment
  • Secure segregation of roles and responsibilities for Administrators and Group Managers
  • Strong password policy – control of expiry and auto-logout duration.
  • Out of band messaging for one-time-password (OTP) as part of secure new user configuration
  • Choice of algorithms for authentication and privacy

CipherTrust Data Sheet