Security Solutions | NCipher

NCipher PKI
With new security challenges emerging daily, protecting critical data
requires best-of-breed solutions that can evolve and scale to meet new
threats and manage risk.
Meeting those requirements is the driving force behind our security solutions.
Easily integrated into custom security application deployments or combined
with many of the world’s leading commercial security software products,
nCipher's products help organizations:
• Guard information assets
• Ensure data privacy
• Secure Internet communications
• Secure the use of cryptographic keys
• Protect application software integrity
• Boost server performance and capacity
• Enforce security management policy
• Reduce security infrastructure administration costs
It’s an approach that has brought nCipher’s products into
some of the most secure infrastructures in the world—from the U.S.
Department of Defense and Microsoft to Deutsche Bank and PricewaterhouseCoopers.
Our products work in unison with software-based security systems and applications
that utilize cryptographic techniques to speed and secure communications,
protect critical data, preserve software application integrity and streamline
the manageability of a secure infrastructure.
Deploying PKI inside Microsoft
Products
nShield: dedicated hardware security module (HSM)
• Tamper-resistant protection for all cryptographic keys
• Trusted hardware environment for application code protection
• Secure key management
• Powerful cryptographic acceleration
• FIPS 140-2 Level-3 validated security
• PCI card and SCSI form factor for direct server integration
A highly secure server peripheral for the management of cryptographic
keys and the protection of sensitive applications
With cryptography now a fundamental component of many business-critical
processes—authentication, authorization, digital signatures, time-stamping,
secure transactions and more—protection of all cryptographic keys
as well as the application operations themselves is vital.
That’s why so many organizations around the world have turned to
nCipher’s nShield hardware security modules (HSMs) to help them
strengthen their security infrastructure.
Offering nCipher’s highest level of cryptographic and application
code protection, nShield provides a powerful security platform by:
• Protecting all types of cryptographic keys in FIPS
140-2 Level 3 validated hardware—PKI, SSL, secure communications,
etc.—from compromise
• Proven interoperability with leading commercial security
applications to ensure rapid deployment and reduced support
overhead
• Flexible security platform and versatile toolkits
that allow developers to integrate nShield with tailor made cryptographic
applications
• Easily installed into most commercial server platforms
delivering dedicated cryptographic processing capability
• Enhanced application level security through
the secure execution of sensitive application code inside an nShield
HSM creates a trusted hardware perimeter for critical security processes
• Enabling the secure management of all cryptographic
keys throughout an organization by leveraging nCipher’s
unique key management framework, nCipher Security World
• Fully compatible with nCipher's netHSM enabling
combinations of different HSM types to be deployed and interchanged
as necessary
• Accelerating cryptographic operations and service delivery by offloading cryptographic signing and encryption operations from the
server to nShield’s dedicated cryptographic co-processors
• Optional secure remote key management feature,
Remote Operator
netHSM: network attached shareable HSM
• Redefining the ROI for cryptographic hardware
• Shareable HSM
• FIPS 140-2 Level-3 validated security
• Multi-layer security architecture
• Secure network communications
• Secure User Interface
• Strong authentication of requesting servers
• High performance cryptographic processing – up to 1600 TPS
• Space efficient 1U Rack mount form factor
The netHSM is a highly secure, network-attached Hardware Security Module
(HSM) that provides a shareable cryptographic resource for multiple servers.
Authorized applications that require access to hardware-protected cryptographic
keys – from PKI and authentication systems to Web services and SSL
– can share access to the netHSM over secured connections. Although
dedicated HSMs are appropriate for security applications and servers that
demand guaranteed availability and/or processing power, the netHSM provides
a cost-effective deployment option for a variety of typical scenarios.
The netHSM allows your investment in ‘hard security’ to be
spread across multiple applications or servers.
• Shareable cryptographic resource – provides
flexible security for multiple servers and multi-site installations,
lowering the overall cost of deploying cryptographic hardware
• FIPS 140-2 Level 3 validated security boundary
– proven certified security boundary meeting cryptographic best
practice
• Unlimited key storage – utilizes nCipher’s
Security World key management framework to promote scalability, allowing
limitless key storage
• Compatibility with nCipher’s dedicated HSMs
– seamless integration with the range of nCipher HSMs enables
mixed HSM environments to suit individual requirements and protects
existing investments
• Strong access and authorization control –
authorization for key use can be specified, on a per-key basis, and
can be configured to require smartcard credentials to be presented enabling
dual control and split responsibility
• High Availability – the interoperability
of nCipher HSMs allows failover and load balancing between multiple
netHSMs or mixed configurations of dedicated and network connected units
• High Performance – performance for 1024
bit keys extends to 1600 TPS in 1U form-factor, minimizing expensive
rack space requirements
• Enhanced application level security –
the secure execution of custom application software inside the netHSM’s
internal hardware FIPS security boundary creates a trusted hardware
perimeter for critical security processes
payShield: Hardware security module for e-payments (Hardware
Security Module for payment and banking networks)
• One HSM to meet all Visa 3-D Secure™ and MasterCard SecureCode cryptographic requirements
• Secure cardholder authentication
• High-speed cryptographic processing
• Handles many EMV and PIN functions
• FIPS 140-2 Level 3 protection
payShield—a new breed of HSM
nCipher has developed payShield™ to specifically meet the security
needs of card-issuing banks, payment processors, merchants and e-payment
solution providers as they implement Visa's 3-D Secure, Mastercard's SecureCode
and other standards. Helping organizations build a secure e-payment infrastructure,
payShield delivers high-speed cryptographic processing in a tamper-resistant
hardware security module that:
• Meets 3-D Secure’s stringent requirements
for a FIPS-validated HSM that can securely perform cryptographic functions,
such as:
  • Executing the cardholder authentication process
  • Protecting cardholder passwords and other private data
  • Creating digitally signed approvals for merchants
• Supports emerging industry standards and applications
beyond 3-D Secure and MasterCard SecureCode, such as EMV smart cards,
EFTPOS and ATM PIN processing
• Provides comprehensive key management capabilities for
both symmetric and asymmetric keys within a single device as
mandated by the 3-D Secure specification
• SCSI or Ethernet connectivity options, provides
dedicated cryptographic processing to a single server or the ability
to share the load of multiple servers
• Accelerates cryptographic processing to remove
performance bottlenecks, enable real-time authentication of customer
transactions and significantly increase overall system processing capacity
• Supports special APIs that enable the integration
of customized encryption, decryption and signing functions
nForce: Hardware security module and SSL accelerator (For enhanced SSL
Web server performance and secure key management)
nForce: Hardware Security Module and SSL Accelerator
• Powerful SSL Acceleration - up to 1600 TPS
• FIPS 140-2 validated protection for SSL keys
• Secure key management
• Supports the VeriSign Hardware Protected SSL Certificate
• PCI card and SCSI form factor for direct server integration
Delivering improved performance, protection and manageability for SSL-enabled
Web servers
SSL (Secure Sockets Layer) has emerged as the de facto standard for securing
sensitive online information. Whether for e-commerce transactions over
the Web or corporate intranets, SSL provides a mechanism to encrypt information
and help establish trust.
Most Web server packages include support of SSL but in many commercial
situations, additional steps can be taken to provide higher levels of
security and increase system throughput.
The use of SSL on a Web server can present unique and often unexpected
challenges. The processing requirements associated with SSL can severely
penalize Web site performance and as a result SSL is often used sparingly,
only in circumstances when the most sensitive information is exchanged.
Worse still, failure to adequately protect the secret cryptographic keys
that underpin SSL security can result in a false sense of security, risking
loss of trade secrets, customer information and transaction records such
as credit card numbers.
nForce is a tamper-resistant hardware security module and SSL accelerator
designed to optimize the use of SSL and minimize risks such as key finding
attacks. Available as a PCI card or SCSI module, nForce enhances almost
any server using SSL by:
• Securing SSL keys and cryptographic operations in FIPS-validated,
tamper-resistant hardware
• Accelerating SSL operations by offloading SSL processing from
the host server enabling up to 1600 transactions per second from a single
nForce with even greater performance achieved by use of multiple nForce
devices
• Enabling effective management of SSL keys across multiple HSM
equipped Web servers and/or network attached netHSMs
• Lowering security infrastructure costs and administrative burden
by eliminating the need to purchase and maintain additional servers
to improve SSL performance
• Support for Verisign Hardware Protected SSL Certificates provides
public proof of SSL security and server identity
nFast: SSL accelerator (For enhanced SSL Web server performance)
• Powerful SSL Acceleration
• Maximized transaction throughput
• Up to 800 SSL transactions per second
Enhancing Web server performance and eliminating SSL bottlenecks
As the demand for privacy and online security grows, organizations are
increasingly turning to the industry-standard security protocol Secure
Sockets Layer (SSL) to protect everything from internal communications
to e-commerce transactions.
Although the benefit of using SSL is clear, SSL operations put an extremely
heavy load on server resources, potentially slowing server performance
to a crawl under even moderate traffic conditions.
With the nFast SSL accelerator, organizations can prevent SSL bottlenecks
and enhance the use of SSL by:
• Dramatically expanding SSL processing capacity by offloading
SSL processing to one of the fastest dedicated SSL accelerators on the
market
• Increasing customer satisfaction by increasing throughput and
enabling organizations to serve customers quickly and dependably—even
during peak usage
• Lowering security infrastructure costs and administrative burden
by eliminating the need to purchase and maintain new servers to restore
SSL performance
nFast 800
A PCI card for Windows, Linux and Solaris that processes up to 800
SSL transactions per second.
nFast 300
A PCI card that supports an extended range of operating systems and
specialized APIs and that processes 300 SSL transactions per second.
Document Sealing Engine: Digital signing & time
stamping appliance (Network appliance that cryptographically seals, signs
& timestamps documents)
DSE 200
nCipher's Document Sealing Engine (DSE 200) is a networked appliance that enables
an organization to integrate secure digital signatures and auditable time
stamping functionality into new or existing applications. The DSE 200
can create certified digital originals, by establishing an auditable record
of a document’s authenticity; securely binding the identity of the
document’s originator and the time of its creation to the electronic
original. The Document Sealing Engine is an easily deployed and cost-effective
solution for organizations that require trustworthy electronic documents
that maintain their evidentiary value over time.
The DSE 200 includes a developer’s toolkit containing APIs and
example software and supports Solaris, Linux and Windows operating systems
and is available as both Java language classes and C language libraries.
Secure auditable time stamping
The Document Sealing Engine is designed to operate with independently
provided calibration and audit services. These services offer traceable
and secure links to official Coordinated Universal Time (UTC) time sources.
Once calibrated via an authenticated secure network connection, the DSE
200 is ready to provide time stamps to any PKIX compliant time stamp request.
Securing PKIs
Many large PKI implementations are forced to rely on a system clock which
is vulnerable to tampering. The DSE 200 enhances a PKI by providing an
accurate and verifiable time stamp, produced within the tamper-resistant
boundary of the nCipher DSE 200 appliance. The time stamp links the signature
to the original certificate, allowing the signature to be verified, even
if the certificate has expired or has been revoked. It also allows the
validity of documents to be checked long after the original digital signature
was applied. This eliminates any question about when a document was signed
and locks down this crucial vulnerability in many PKI systems.
pdfProof: Organizational PDF signing (Turnkey appliance that
signs & timestamps PDF documents)
Even though most organizations recognize the importance of archiving secured
digital documents, many have found the cost and logistical barriers to
be too high. Deploying a full PKI to digitally sign and time stamp documents
can be overly cumbersome and using a trusted third party to provide client
certificates for each desktop can quickly become prohibitively expensive.
nCipher's pdfProof is a simple and cost effective turn-key solution,
comprising a rack-mounted network appliance and an Adobe Acrobat plug-in,
that signs and time stamps PDF files on behalf of a department or organization.
• Digitally signing PDFs at a central point eliminates the cost
of digital certificates on multiple desktops
• Managing a single, shared digital certificate simplifies signature
validation and reduces the points of risk within the system
• Tamper-resistant hardware protects the central signing engine,
keys and time source from compromise
nCipher's pdfProof creates PDFs with historical authenticity that ultimately
increases their real evidentiary value. It provides a cost effective solution
for proving the origin and integrity of documents and for recording when
PDFs were created or revised. This level of proof helps organizations
to meet compliance and auditing guidelines, to build secure document archives
and to prevent disputes in electronic transactions and regulatory submissions.
SecureDB: Database encryption & access control (Application-transparent,
column level database encryption)
• Column level encryption
• Granular access control
• Transparent to legacy and e-commerce applications
• Separation of administration and security functions
• Integration with FIPS 140-2 Level 3 certified HSMs
SecureDB is a database security solution that delivers column level encryption
to data at rest. It provides a simple and cost-effective deployment option,
requiring minimal integration at the application level, while delivering
granular access control. Through column level encryption selected data
records can be protected, not only from external attack, but also from
authorized database users without correct permissions. This ensures separation
of duty between administration and security functions.
Everyone recognizes that an organisation’s most valuable information
often lies ‘at rest’ in a database. In the past, perimeter
security controls have been used to protect this information by excluding
unauthorized people from the network. Not only does this ignore the threat
from internal employees, it also fails to meet the requirements of modern
business. As more and more holes appear in this perimeter to allow customers,
suppliers and partners access to the network, the perimeter security model
begins to crumble. In general, the response to this challenge has been
to focus on encrypting the communications between these users and the
network, i.e. protecting the data in transit. This has failed to address
the one area where sensitive information is most concentrated, the place
where an attack would have the most devastating effect – the database.
It has often been stated that perfect security does not exist. This is
certainly true for database security - organisations need to assess what
and where data is at risk, the impact of compromise and the cost and disruption
involved in protecting the data at each point of risk, from application
to storage. There are three main approaches to database security:
• File level encryption of the whole database
protects database files from theft and directly addresses the major
point of risk – data at rest. This approach is simple and cost
effective to implement but has a number of disadvantages. As encryption
is applied to the file system, any authorized user (or anyone who can
access the applications calling on the database) can view all of the
data. This lack of granular access means there is no separation of duty
between administration and security functions. File level encryption
also significantly impacts performance as even the simplest request
to the database requires decryption or encryption to be performed. File-level
encryption only secures the stored data; it provides no security enhancements
within the database nor protection for the communication links to the
applications.
• Application Level encryption encrypts data
before it's stored in the database. Key management and access management
is handled by the application and database queries return encrypted
data for decryption by the application. This approach ensures that data
is secure from data acquisition to storage and it allows granular, role-based
access to the data. The major disadvantages of this approach are cost
and disruption. Implementing this approach requires considerable integration
and customization effort for each legacy or e-commerce application.
As the encryption is extended beyond the database much of this integration
work is directed at data in transit rather than at the central point
of risk – the data at rest. Alternative technologies such as SSL
could achieve these incremental security benefits at less cost and with
less disruption.
SecureDB addresses the central requirements of database encryption without
necessitating complex application-layer or database server modifications.
It combines advanced security and usability for data at rest with smooth
and efficient implementation into today’s complex database infrastructures.
SecureDB allows fine-grained control over the encryption/decryption of
data elements by dual-authenticated, role-based users. This level of control
delivers separation of duty, ensuring there are no super-users: even system
administrators and security personnel can be prevented from viewing unauthorized
data. By selectively protecting the most sensitive data, robust security
can be deployed without burdening the entire database or impacting the
wider business process. Used in conjunction with SSL, SecureDB can ensure
that data is encrypted at each stage, protecting the channels between
Web server, application server and database, without the need for costly
application-level customization. nCipher Hardware Security Modules can
be deployed to strengthen the key management facilities through the use
of tamper-resistant, FIPS 140-2 Level 3 cryptographic hardware.
SecureDB Overview and Architecture
SecureDB consists of a centralized management console and lightweight
database security adapters installed on each database server. The system
architecture is designed to manage multiple database types ensuring that
your investment in database security for one database vendor is leveraged
to achieve the same level of security for another database type. New databases
can be included simply by remotely adding a new adapter for each database
server and updating the centralized Management Console.
Hardware Security Module Support
Any encryption-enabled database is only as secure as the security of the
digital keys used to encrypt the database. SecureDB supports the deployment
of nCipher’s Hardware Security Modules (HSM) for robust key management.
Management of the cryptographic keys inside the nCipher nShield HSM delivers
a significant improvement in the security, manageability and scalability
of the software key hierarchy. Managing the keys in FIPS 140 Level 3 cryptographic
hardware allows for the secure generation, storage, disposal, archival
and recovery of the key. It also allows the secure backup and recovery
of keys using nCipher smart card based key management.
SecureOMS: ATM remote key management (Automated key
management and remote distribution for ATM networks)
• Eliminates the need to manually update ATM keys
• Reduces errors in ATM key injection
• Delivers significant cost savings across the ATM fleet
• Conforms to ANSI security standards
SecureOMS is a turn-key system that automates the distribution
of cryptographic keys that safeguard high-value financial networks. It
automatically creates and distributes ATM master keys in full compliance
with ANSI standards and with network mandates for Triple-DES and unique
keys per ATM. SecureOMS avoids the need to develop home-grown or deploy
system specific management capabilities that typically involve expensive
and disruptive host system upgrades.
Combining leading key management software from I-S-Cubed Inc. and hardware
security from nCipher, the SecureOMS system offers the ability to streamline
and secure systems for key generation and ATM key loading. It effectively
eliminates the requirement for manual key injection, giving tremendous
cost savings across ATM networks.
SecureOMS is delivered as a fully configured system comprising the FIPS
validated nCipher payShield HSM and I-S-Cubed software running on a fortified
Windows 2000 clustering platform that delivers both high availability
and the capacity to scale as needed. The enterprise platform includes
an SQL database for maximum performance.
• Perform key roll-over or system upgrades on remote
equipment: The system eliminates the costs associated with
manual key updates with remote key management and distribution directly
to ATMs
• Provide strong authentication and authorization of administrators
regardless of location: As the most crucial security component,
the key management system must be secured against unauthorized access.
SecureOMS delivers strong user authentication, coupled with the ability
to assign specific roles and privileges
• Interoperate with leading ATM equipment manufacturers:
SecureOMS supports the remote key distribution capabilities provided
by NCR, Diebold and Wincor-Nixdorf. The system implements both Diebold’s
Certificate Based Protocol (CBP) and NCR’s Signature Based Protocol
(SBP) that are defined in the emerging ANS X9.24-2 Standard
• Scalability: SecureOMS can scale to manage
large numbers of devices across different types of ATM networks
• Provide an irrefutable audit trail: the key
management system generates a complete log of all key management activities
to permit auditors to verify the absence of irregularities, or to highlight
any potential compromise that has occurred
• Meets FIPS 140 requirements for security of financial
networks: SecureOMS incorporates FIPS 140-2 Level 3 HSMs to
help financial organizations to comply with industry security mandates
Developer Toolkits: Cryptographic security toolkits (For custom application
security utilizing hardware-based protection)
Developer Toolkits For custom application security utilizing
hardware-based protection
nCipher’s developer toolkits give you the power to build the security
you need…without compromise.
The CipherTools, CodeSafe and DSE200 toolkits enable developers to easily
integrate hardware security solutions with software applications to create
truly secure systems. Armed with the ability to customize application
security, you can meet the specific security needs of your organization.
CodeSafe™ Developer Kit
Protect sensitive applications by enabling the sensitive application code
to be safely loaded and executed within the confines of a highly secure
HSM to deliver tamper-resistant software processes.
CodeSafe SSL™ Developer Kit
Allows the direct termination of an SSL connection inside a FIPS 140-2
Level 3 certified hardware security module; bridging a significant security
gap by removing sensitive clear text data from vulnerable servers.
CipherTools™ Developer Kit
Integrate hardware key management into new or existing cryptographic applications
to protect cryptographic keys and enhance performance.
DSE200™
nCipher's Document Sealing Engine (DSE 200) is a customizable solution
which includes a networked appliance along with a developer’s toolkit,
allowing you to integrate secure digital signatures and auditable time
stamping functionality into your applications.