Application-level Encryption
Protect sensitive data and provide selective access depending on users, their roles, and their entitlements
Application-level encryption can be policy-based and geared to specific data protection mandates such as PCI DSS. It can provide targeted protection that is invoked only when necessary. Application level protection can be tightly managed and supervised with dual controls and other layers of procedural protection that, taken together, support compliance reporting obligations.
Challenges
Protecting Keys
Attackers can use development tools, intended for tasks such as application monitoring or debugging, to gain access to encryption keys or simply to turn off application encryption, unlocking information within the application.
Using Pre-certified Cryptographic Implementations
Developers adding encryption to applications are often tempted to implement complex cryptographic algorithms themselves. As this practice can introduce unnecessary security flaws, it’s always best to use pre-certified cryptographic implementations for application-level encryption.
Managing Keys
While adding application level encryption to application code has its challenges, these can be minor when compared to the issue of key management. Because inadequate key management can result in stolen or unusable information, developers need to decide whether to include native key management functionality or rely on external key management systems.
Solutions
Delivering Data Protection
Products and services from Entrust can help you deploy application-level encryption and data protection for your most sensitive applications. With the flexibility to handle a broad spectrum of applications, from fully automated, high-volume applications to tightly supervised, low-volume, but nevertheless highly sensitive applications, Entrust nShield HSM application encryption solutions deliver data protection and operational efficiency.
Creating a Trusted Platform for Cryptographic Processing
Entrust nShield hardware security modules (HSMs) create a trusted platform where cryptographic processes can be performed safely and where key material can be protected and managed securely. This trusted layer overcomes the risks inherent in open system software environments in which applications typically execute.
Enabling Control and Agility
With Entrust nShield HSMs, developers and organizations have the best of all possible worlds—the ability to take advantage of proven and pre-certified cryptographic libraries, use native cryptographic offload and acceleration capabilities, and exploit of a wide range of key management tools to deliver a high degree of control and flexibility.
Benefits
Robust Security
Provide high levels of assurance for cryptographic operations through the use of tamper-resistant hardware. Physically protect higher-level application processes through the unique CodeSafe functionality that enables one to execute sensitive code within the secure execution environment inside the HSM.
Operational Flexibility
Secure a broad range of applications by mapping diverse security policies and processes to a flexible and hardened data protection platform. Accelerate implementation of projects through Entrust nShield HSM partnerships with leading vendors, delivering HSMs that are pre-certified to work with a wide range of applications and development platforms.
High Performance
Take advantage of hardware-based cryptography and maintaining high levels of application performance by offloading cryptographic processes onto the HSM. Simplify compliance reporting through streamlined policy definition to improved auditability of business processes.
Resources
Research and Whitepapers: Security World White Paper
The Entrust nShield Security World architecture supports a specialized key management framework that spans the entire nShield family of general purpose hardware security modules (HSMs). Whether deploying high performance, shareable, network-attached HSM appliances, host-embedded HSM cards or USB-attached portable HSMs, the Security World architecture provides a unified administrator and user experience and guaranteed interoperability whether the customer deploys one or hundreds of devices.
nShield Security World White Paper
Research and Whitepapers: CodeSafe
This white paper describes the unique nShield CodeSafe capability, which enables application code to run within the protected confines of a tamper-resistant nShield Hardware Security Module (HSM). CodeSafe enables users to develop application code to run inside the HSM, providing protection against Advanced Persistent Threats (APTs) as well as insider attacks and hacking. The paper describes the associated toolkit, bundled utilities, and management, and additionally details multiple usage examples where CodeSafe provides high value.