Certes CryptoFlow introductory overview, new solutions - April 2015

Slide transcript (46 slides), uploaded 16-Aug-2015

TRANSCRIPT

Certes CryptoFlow Overview

CONFIDENTIAL

<name> CertesNetworks.com

Certes Networks

Leader in IT security solutions protecting sensitive data traffic
§  More than 7,000 units deployed in 70 countries around the world
§  Perfect 15-year track record: not one hack of any customer on our watch
§  CryptoFlow VPNs: patented, trademarked data traffic security with multiple unique capabilities
§  Only vendor focused solely on securing your sensitive data in motion
   -  No performance hit on firewalls, routers, switches, applications
   -  Simple one-and-done security policies and key management
§  Blocks the main attack vectors seen in data breaches over the last two years

Certes Networks Confidential 2

Root of the IT Security Crisis

Borderless Enterprises
§  Digitized sensitive data, apps, distributed DC, hosted, virtualized, Cloud
§  Mobile employees, remote offices, shared BYOD devices, contractors, IoT

Firewalls Fall Short
§  Access for working = access for hacking
§  Once past the firewall, all bets are off; insider risk too

Crypto Chaos
§  Fragmentation: VPNs, IPsec, SSL, HTTPS; each app, each hop
§  Key management and performance trade-offs: frequently no encryption is used at all

[Figure: a "trusted" network stitched together from IPsec, HTTPS, SSL#1 to SSL#4 and unencrypted links, with "Access Attacks" marked against it]

Risk & Breach Cost

[Chart: maximum liability per compliance lapse, nine bars at $793,000, $820,000, $837,000, $1,002,000, $1,018,000, $1,038,000, $1,234,000, $1,473,000 and $1,556,000, for: Payment Card Industry Data Security Standard (PCI DSS); Securities and Exchange Commission (SEC) regulations; global privacy regulations; Health Insurance Portability and Accountability Act (HIPAA); COBIT operational standards; Sarbanes-Oxley (SOX, JSOX); United States Federal Rules of Civil Procedure (legal discovery); 'green' compliance requirements; United States Patriot Act]

•  Forced trade-off between security and app or network performance
•  Is the cost of a lapse worth the performance gain?
•  Is the risk really evaluated, or is security sacrificed just to get stuff done?

Source: Aberdeen Group study

Crypto Chaos

•  Encryption tools are fragmented: hop by hop, app by app, device by device, user by user
•  Very hard to ensure end-to-end security of sensitive networked applications, especially when they are shared internally and externally
•  Encryption tied to infrastructure; huge performance hits

When Firewalls Fail

[Figure: a "trusted" network with no internal encryption; attacks propagate freely once inside]

Perimeter-Based Defenses Discrepancy
•  Once an attacker is past the firewall, they are free to hack and steal
   §  No internal cryptography of networked apps
•  Most internal security products focus on detecting threats and responding
   §  Aim to reduce the time to discover an intrusion from weeks to minutes
•  Instead, CryptoFlows focus on containing and minimizing the damage
   §  Cryptographic segmentation of traffic made easy

How We Solve It: CryptoFlows
Application-aware and user-aware virtual overlays, connecting users to applications over any network … "SDN meets Security"
§  One-and-Done
   §  Single point of control for all app traffic, over any network, to any user on any device
   §  End-to-end encryption along the entire data path: site to site, server to user, site to cloud, etc.
   §  Includes internal network encryption: no one accesses the app except by CryptoFlow
§  Borderless
   §  Encryption policy that "follows" users; secures both internal and external app flows
   §  Proactive security: protection when the firewalls fail
§  Hitless
   §  Secure traffic with no performance hit on network or apps; simple key management
§  Seamless
   §  Separated and independent from the network and the apps
   §  No changes to network, apps, or firewalls; use them as before

CryptoFlow: One and Done

[Figure: CryptoFlow Enforcer appliances/COTS; CryptoFlow Virtual on a hypervisor vSS, in the Cloud and on third-party devices; flow-through, automated encryption policies; CryptoFlow for mobile end-points]

•  Application-aware & user-aware virtual overlays … app-specific virtual networks
•  One point of control: the security manager controls data-in-motion protection, offloading it from network infrastructure and staff
•  Blocks the top attack vector exploited in the Target, Home Depot, Sony and Anthem breaches
•  Cuts Shadow IT risk: roll out new apps very quickly with minimal security delay

[Figure: CryptoFlow Net across LAN/WAN/Internet/Cloud: corporate sites (mesh, hub …), secure backup/DR, control nodes, sensors, kiosks and IoT, traffic between distributed sites, virtualized data center traffic (hypervisor), cloud apps and infrastructure]

Certes CryptoFlow Net
•  WAN, LAN, Internet, WiFi, Cloud; MPLS, Ethernet, IP
•  Hitless security with keys you control
•  5 Mbps – 10 Gbps
•  DC-to-DC, DR, remote office, IoT (kiosks)
•  Records, finance, comms, VoIP, video, backup

Certes CryptoFlow App

•  Any app matched to user over any connectivity
•  BYOD, employer-provided, ruggedized and third-party devices; employees, suppliers, partners, contractors
•  Users never have to configure or trigger VPNs
•  Makes it very easy to roll out new enterprise apps securely … no security delays … cuts the Shadow IT temptation

Simple Mobile Security for iOS
•  User enrolls only once
   §  Simple download from the Apple App Store
   §  Uses the same corporate credentials as regular directory services
   §  CryptoFlow Creator syncs with the directory
   §  The user's directory profile determines which apps they are permitted to access
•  VPN triggers whenever a designated app is used
•  System denies the connection for non-authorized apps
•  Complements Mobile Device Management and Enterprise Mobility Management
   §  We are a one-stop shop for protecting data in motion rather than data at rest

CryptoFlow LAN

•  Strong crypto segmentation of internal enterprise application flows
•  Isolates sensitive applications; controls access so that only authorized users reach them
•  Based on user roles; blocks the #1 attack vector when firewalls fail

CryptoFlow B2B

•  Safely extends internal applications to external partners, including contractors, suppliers, trading partners and others
•  Limits authorized business partners to only the applications they need
•  Protects sensitive applications even when a business partner has been compromised

How It Works
•  The CryptoFlow Creator management system syncs with the directory
•  Users have the same security profile and sign-on policies as for enterprise apps
•  Admin identifies user, app and encryption policy
•  The CryptoFlow engine pushes policies to the encryptors
•  Policies are automatically enforced. One and done.

Solution examples

[Figure: LAN/WAN/Internet/Cloud diagram: corporate sites, backup/DR, control nodes and sensors, data center interconnect, virtualized data centers (hypervisor), cloud apps and infrastructure]

Secure application access for mobile users
§  Traditional corporate DC applications
§  Virtualized, cloud applications

Secure interconnect between data centers
§  Top performance across MPLS / WAN links; enterprise controls keys
§  Disaster Recovery, Data Center Backups

Secure connectivity for remote kiosks, smart grid, IoT
§  Encrypted bank ATM network – financial and PCI DSS privacy

Compliant real-time communications of sensitive data
§  Financial services, healthcare, education, government, including real-time data for voice, video, messaging

CryptoFlow Benefits

Security Challenge
  Fragmented: different VPNs, encryption, security controls for each segment, layer, app
  Performance: encryption cuts network capacity in half, degrades app performance
  Scaling: complex tunnels, fragmented control take hours & network rocket science to scale
  Rigid: firewall encryption based on a static border; easily bypassed by mobile and cloud, can't follow apps or devices

Certes Solution
✓  One and Done: centrally managed, end-to-end, Layers 2, 3, 4, very simple key management
✓  Hitless: zero impact; line-rate encryption does not cut performance of networks or apps
✓  Seamless: separates security from network, management, apps; automatic topology configuration
✓  Borderless: end-to-end protection of any app over any network: CryptoFlow VPNs

Simple security: faster, safer deployment of enterprise applications

Competitive Comparison

[Figure: positioning chart labelled Network Perimeter / Borderless Applications and Threat Protection / Threat Containment]

Network equipment vendors: fragmented by hop; point-to-point, manual; burden on performance; complex to scale
Application vendors, cloud providers: fragmented by app; not in enterprise control; burden on performance; scaling limited by apps
Security vendors (firewalls, IDS/IPS, RAS): fragmented by app, device, network; point protection (DMZ border); static, network-based; complex to scale

Certes:
✓  Flow-through security policies & key management
✓  Fluid security follows users
✓  End-to-end protection
✓  No burden on network or app

Why Certes?
§  Security of data in motion is all we do
§  Solutions are independent of network and applications
   Ø  No impact on network or apps
   Ø  Vendor neutral – bundles with any solution set
   Ø  Flexible deployment: variable-speed appliance, virtual, Cloud
§  Certes' products make IT projects more successful
   Ø  No security roadblocks: point-and-click encryption for new application roll-out
   Ø  No performance issues: hitless even for real-time apps
   Ø  Extend applications across untrusted networks
§  Single point of control: all apps, all data, all connectivity
§  Blocks the #1 attack vector

[Figure: as on slide 8: CryptoFlow Enforcer appliances/COTS, CryptoFlow Virtual on a hypervisor vSS, Cloud and third-party devices, flow-through automated encryption policies, CryptoFlow for mobile endpoints]

Channel Program

Go-to-Market: betas & POCs
Roles addressed: Security Manager; Network / Apps Manager; CIOs
Security VARs: Fishnet, Cipherdata, etc.
Network / IT VARs: DiData, Presidio, NACR, etc.
SIs: Accenture, CSC, IBM
OEMs, NFV, SPs: TrendMicro, Ciena, Cyan, AT&T, Tata
Enterprise end customers

Why Resell Certes?

Certes' CryptoFlow VPNs simplify security of any network or networked application
Ø  Security does not block projects: sell and deploy new applications and infrastructure faster

CryptoFlow VPNs secure all corporate traffic over any network
Ø  Point-and-click to extend any enterprise application to any site: sell more application seats
Ø  Deploy multi-site solutions: sell more application servers, more regional site devices (VoIP phones, gateways)

Certes' solutions are resale friendly, plug-and-play
Ø  No more complex firewall or VPN re-architecting: deploy quickly and painlessly for earlier project completion

Reseller overview
•  General qualifications
   §  Established business with a focus on network solutions or on vertical markets in Healthcare, Finance, Government, Utilities, etc.
   §  Long-term relationships with enterprises
   §  Commercial relationship with distributors, or willingness to follow the qualification process
•  Relationship
   §  NDA
   §  Sales & Marketing Agreement reflecting Gold, Silver or Bronze tier

Reseller Tier Summary

                                            Gold   Silver   Bronze
Lead referral                                Y      Y        Y
Co-op marketing funds                        Y      Y        N
Participation in Certes marketing events     Y      Y        Y
Training credits linked to volume            Y      N        N
Web site listing                             Y      Y        Y
Access to Certes Partner Portal              Y      Y        Y
Not-for-resale (NFR) demo or lab units       Y      Y        Y
Customized joint marketing plan              Y      Y        N
Joint customer support program               Y      N        N
Co-branded collateral                        Y      Y        Y
Rebate (up to 2%) linked to volume           Y      N        N
Lead registration                            Y      Y        Y
Use of logo                                  Y      Y        Y

Plug-and-Play Implementation

The hard way – IPsec Tunneling

[Figure: sites linked by point-to-point IPsec tunnels over IP (public or private), MPLS, or Ethernet; expansion = headaches]

Manual configuration of point-to-point IPsec tunnels
•  Scaling complexity: hours to deploy per site
•  Performance hits, limited throughput
•  Multicast issues
•  Maintenance headaches, lack of administrative visibility
•  Complex network engineering to fulfil the security manager's mandate
•  Practical trade-offs between security, scale or performance

Group Keying – Does Not Impact Networking

[Figure: TrustNet Manager server & database provisioning Certes Enforcement Points in Group A and Group B over IP (public or private), MPLS, or Ethernet]

1. TrustNet Manager is used to provision the CEPs
2. Policies are defined in TrustNet Manager
   •  Groups are created based on security policies
   •  Group keys are generated centrally
   •  Keys and policies are securely delivered to the CEPs over TLS
3. Encryption is in effect
   •  Data is encrypted, sent in the clear, or discarded at wire speed, according to policy
   •  Traffic flows and application performance are preserved
   •  No tunnels are created

[Figure: primary data center, secondary data center and branch offices; "Encryption enforced!"]
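The three steps above, together with the earlier "How It Works" slide (admin defines user, app and policy; the engine pushes policies to the encryptors; policies are enforced), as a runnable sketch. This is an added example and not Certes code: GroupKeyManager and EnforcementPoint are hypothetical stand-ins for TrustNet Manager and a CEP, the policies and packets are constructed, and the cipher (an HMAC-SHA256 keystream with an HMAC tag, standard library only) is illustrative because the page does not name the product's algorithms. What it demonstrates is the practical meaning of "no tunnels", "IP header preservation" and "hitless rekey": every member of a key group decrypts with the same group key and never negotiates a pairwise tunnel; the L3/L4 header stays in the clear so routers and firewalls see it unchanged, but it is bound into the authentication tag so it cannot be altered in flight; each packet is encrypted, passed in the clear or discarded by policy (including cleartext arriving on a flow that must be encrypted); and a rekey installs a new key generation while the previous one still decrypts in-flight traffic.

```python
"""Added example (not Certes code): policy-driven, group-keyed protection of packet payloads.
GroupKeyManager stands in for TrustNet Manager and EnforcementPoint for a CEP (hypothetical
names); the HMAC-SHA256 keystream + tag construction is illustrative, not the product's cipher."""
import hashlib, hmac, ipaddress, secrets
from collections import namedtuple

# L3/L4 selector (CIDRs, proto, dport; None = any) plus action: encrypt (in a key group), clear, discard
Policy = namedtuple("Policy", "src dst proto dport action group", defaults=(None,))
DEFAULT_DENY = Policy("0.0.0.0/0", "0.0.0.0/0", None, None, "discard")

def matches(pol, pkt):
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(pol.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(pol.dst)
            and pol.proto in (None, pkt["proto"]) and pol.dport in (None, pkt["dport"]))

def keystream(key, nonce, n):   # CTR-style PRF stream built from HMAC-SHA256 (illustrative only)
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def header(pkt):   # the cleartext L3/L4 header is bound into the tag: routable, but not forgeable
    return f'{pkt["src"]}>{pkt["dst"]}/{pkt["proto"]}/{pkt["dport"]}'.encode()

class GroupKeyManager:
    """Central policy and group-key authority: members never negotiate pairwise tunnels."""
    def __init__(self):
        self.policies, self.groups, self.members = [], {}, {}

    def define_group(self, name, members):
        self.members[name], self.groups[name] = list(members), {}
        self.rekey(name)

    def rekey(self, name):   # new generation; the previous one stays valid for a hitless changeover
        self.groups[name][max(self.groups[name], default=0) + 1] = secrets.token_bytes(32)

    def push(self):   # a real manager delivers this over TLS; here it is an in-process call
        for name, eps in self.members.items():
            for ep in eps:
                for gen, key in self.groups[name].items():
                    ep.install(self.policies, name, gen, key)

class EnforcementPoint:
    """In-line enforcer: encrypts, passes or discards each packet per policy; header left in the clear."""
    def __init__(self):
        self.keys, self.policies = {}, []

    def install(self, policies, group, gen, key):
        self.policies, gens = list(policies), self.keys.setdefault(group, {})
        gens[gen] = key
        for old in sorted(gens)[:-2]:   # retain only the current and previous generation
            del gens[old]

    def _policy(self, pkt):
        return next((p for p in self.policies if matches(p, pkt)), DEFAULT_DENY)

    def egress(self, pkt):
        pol = self._policy(pkt)
        if pol.action != "encrypt":
            return dict(pkt) if pol.action == "clear" else None
        gen = max(self.keys[pol.group]); key = self.keys[pol.group][gen]
        nonce = secrets.token_bytes(12)
        ct = xor(pkt["payload"], keystream(key, nonce, len(pkt["payload"])))
        tag = hmac.new(key, header(pkt) + nonce + ct, hashlib.sha256).digest()[:16]
        return dict(pkt, payload=nonce + ct + tag, group=pol.group, gen=gen)

    def ingress(self, pkt):
        if "group" not in pkt:   # cleartext is accepted only on flows the policy says are clear
            return dict(pkt) if self._policy(pkt).action == "clear" else None
        key = self.keys.get(pkt["group"], {}).get(pkt["gen"])
        if key is None:
            return None
        nonce, ct, tag = pkt["payload"][:12], pkt["payload"][12:-16], pkt["payload"][-16:]
        expect = hmac.new(key, header(pkt) + nonce + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expect):
            return None          # tampered header or payload
        return dict(pkt, payload=xor(ct, keystream(key, nonce, len(ct))))

def demo():
    """Constructed scenario: HQ, DC and branch enforcement points share one 'cardholder' key group."""
    hq, dc, branch = EnforcementPoint(), EnforcementPoint(), EnforcementPoint()
    mgr = GroupKeyManager()
    mgr.policies = [Policy("10.0.0.0/8", "10.0.0.0/8", "tcp", 443, "encrypt", "cardholder"),
                    Policy("10.0.0.0/8", "0.0.0.0/0", "udp", 53, "clear")]
    mgr.define_group("cardholder", [hq, dc, branch]); mgr.push()
    card = {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": "tcp", "dport": 443, "payload": b"PAN=4111111111111111"}
    dns = {"src": "10.1.0.5", "dst": "8.8.8.8", "proto": "udp", "dport": 53, "payload": b"A? example.com"}
    wire = hq.egress(card)
    r = {"header_routable": (wire["src"], wire["dst"]) == (card["src"], card["dst"]),
         "payload_hidden": card["payload"] not in wire["payload"],
         "dc_reads": dc.ingress(wire)["payload"] == card["payload"],
         "branch_reads": branch.ingress(wire)["payload"] == card["payload"],   # same group key, no tunnel
         "dns_in_clear": hq.egress(dns) == dns,
         "telnet_discarded": hq.egress(dict(card, dport=23)) is None,
         "tamper_detected": dc.ingress(dict(wire, dst="10.9.9.9")) is None,
         "cleartext_injection_dropped": dc.ingress(card) is None}
    mgr.rekey("cardholder"); mgr.push()
    r["old_gen_still_decrypts"] = dc.ingress(wire)["payload"] == card["payload"]
    r["new_gen_in_use"] = dc.ingress(hq.egress(card))["gen"] == 2
    return r
```

demo() returns a dict of named checks that should all be True. The design point worth noticing is the default-deny fallthrough in both directions: an enforcement point discards any flow no policy covers, and it also discards cleartext that shows up on a flow the policy says must be encrypted, which is what stops an attacker who is already inside the "trusted" network from simply bypassing the encryptor. For anything beyond illustration, swap the toy keystream for an AEAD such as AES-GCM.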


Product Details

Scalable Policy and Key Management

Significance/Differentiation
•  Multi-layer encryption/authentication policy management (L2, L3, L4)
•  Secure key generation, distribution and rotation for group keying, with fail-safe, hitless rekey and policy updates
•  Clustered architecture for high availability and scalability
•  Simple yet powerful drag-and-drop security policy builder
•  Role-based access control: delegate or retain management responsibilities

Certes Enforcement Point (CEP)

Hardware: HW-accelerated, variable-speed network encryption appliances with aggregate throughputs from 3 Mbps to 10 Gbps (VSE – Variable Speed Encryption)

Software: network-transparent L2 Ethernet frame encryption, L3 IPsec-based encryption with IP header preservation, L4 UDP/TCP payload encryption, and Virtual IP Tunnelling

VSE speed steps: 3, 6, 10, 25, 50, 75, 100, 155, 250, 500 and 650 Mbps; 1, 2.5, 5 and 10 Gbps
Platforms: CEP 10 VSE, CEP 100 VSE, CEP 1000 VSE, CEP 10G VSE
(The slide's matrix marks each speed step as available on one or two of the four platforms; the 2.5, 5 and 10 Gbps steps are available only on the CEP 10G VSE.)

Cloud & VM Encryption

Significance
•  Security is viewed as a critical enabler of IaaS Cloud adoption
•  Encrypts traffic from Cloud to Data Center (across the WAN) or from server to server within the cloud
•  TrustNet Manager allows clients to maintain control of policies and keys (an important consideration for regulatory compliance)
•  This is the only scalable solution for cryptographic isolation of sensitive workloads

Customer/Market Reception
•  Earned Gartner Cool Vendor award for Cloud Security
•  High levels of interest generated at Cloud Security Alliance and other events
•  Developed for integrated solutions

[Figure: Virtual CEP (vCEP) on a hypervisor vSS, between the physical server NIC and the VMs; remote and local management; cloud network to local data center]

CryptoFlow for Mobile

[Figure: user device enrollment against Active Directory / LDAP; CryptoFlow Enforcers (CFE, vCFE) in front of the data center, a "Sales" CryptoFlow and a cloud CryptoFlow; CFD holding CryptoFlows and keys; a non-authorized flow marked X]

•  iOS available GA 2Q2015
•  Integrates with Active Directory / LDAP
•  Policies applied based on user profile
•  Simple one-time device registration
•  CryptoFlows automatically provisioned by the system per user per device
•  Users can be modified or revoked as required

Use Cases

[Figure: LAN/WAN/Internet/Cloud diagram: corporate sites, backup/DR, control nodes and sensors, data center interconnect, virtualized data centers (hypervisor), cloud apps and infrastructure]

§  Secure application traffic to remote sites
   Ø  Regional offices connect to HQ as hub and spoke – banking, financial services (privacy compliance)
   Ø  Distributed enterprises connect all sites in a secure mesh (manufacturing, distributed VoIP)
§  Secure applications across untrusted networks
   Ø  Government communications requiring privacy and high availability
§  Secure interconnect between data centers
   Ø  Top performance across MPLS / WAN links; enterprise controls keys
§  Secure connectivity for remote kiosks, smart grid
   Ø  Encrypted ATM machine network – financial and PCI DSS privacy
§  Secure connection between physical and virtual assets
   Ø  Connect data center to Cloud VMs, migrating between virtual data center and Cloud
§  Secure Disaster Recovery, Data Center Back-up
§  Compliant real-time communications of sensitive data
   Ø  Hospital network: healthcare data kept HIPAA compliant across messaging, VoIP, video

Sample Use Cases

Government

[Figure: L2 VPLS dual hub & spoke; data center and 7 DR sites]

Benefits
§  Unified, auditable control of data in motion across any network to protect classified or sensitive data
§  FIPS and Common Criteria compliant encryption architecture

Where we deploy
§  Between data centers and recovery sites
§  Between government offices over foreign telcos and the Internet
§  10G availability had a major impact in 2012
§  Recertification of FIPS opens the US Federal Government market

Financial & Banking

[Figure: merchant banks connected over WAN1 and WAN2]

Benefits
§  Protection of consumer data, payment cards, financial transactions over any network
§  Verified protection for compliance audits: PCI DSS, GLBA, consumer privacy regulations

Where we deploy
§  Between data centers
§  Connecting banks and financial hubs or processing centers
§  Hub-and-spoke transaction networks (such as Automated Teller Machines)

Healthcare

[Figure: hospital or corporate HQ, data center, DR site and remote offices over a WAN]

Benefits
§  Single point of control for healthcare affiliates to protect data in motion
§  Verified protection for compliance audits: HIPAA, GLBA, PCI DSS, etc.

Where we deploy
§  Between data centers and recovery sites
§  Between hospitals/offices, physician networks, and data centers

Large enterprise

Drivers
§  Protect customer personal and financial information
§  Businesses are based on customer trust; security is seen as a competitive necessity
§  Secure data replication is critical to online gambling
§  Protection of secret algorithms

Where we deploy
§  Between data centers and administrative offices
§  Casinos to data centers

[Figure: Data Center 1 and Data Center 2 connected by L2 WAN Q-in-Q trunks]

Service Providers

Drivers
§  Carriers are getting requests for encryption, especially from customers converting from legacy connections (Frame Relay/ATM)
§  Potential for security-based differentiation

Where we deploy
§  Classic IPsec tunnel replacement
§  Managed service option
§  Cable TV service
§  TrustNet Manager is well suited as a managed service

[Figure: IPTV feeds over cable from a super head end to multi-dwelling buildings in 10 cities in 7 states; Fed integrator data centers and DR sites over Qwest Metro-E optical feeds]

Application: protect credit cards

[Figure: HTTPS from the cardholder to the merchant web server; Certes encryption on every hop after the web server, across the WAN to the data center and corporate HQ]

•  PCI DSS Requirement 4: encrypt transmission of cardholder data across open, public networks
   •  4.1.1: wireless networks transmitting cardholder data, or connected to the cardholder data environment, must use strong encryption
   •  4.2: never send unprotected PANs (primary account numbers) by end-user messaging technologies
•  Challenge
   •  Encryption after the web server (merchant), where HTTPS terminates
   •  Encrypt between banks & merchants
•  Solution
   •  Certes Group Encryption (hub & spoke)
   •  Centralized TNM (TrustNet Manager)
   •  CEPs at every branch, DC, partner
•  Why Certes?
   •  Simplicity of deployment across varied networks
   •  Zero application/network changes

Application: video conferencing

•  Business Requirements
   •  Protect communication data
   •  Classified information
•  Challenge
   •  Peer-to-peer, real-time traffic
   •  Application-layer encryption means doubly expensive servers
•  Solution
   •  Certes Group Encryption (mesh)
   •  Centralized TNM
   •  CEPs at every branch video terminal
•  Why Certes?
   •  Real-time encryption
   •  Simplicity of large deployment
   •  Centralized management, policy changes, reporting

[Figure: data center, branch offices and corporate HQ meshed over the WAN]

Application: Cloud adoption

•  Business Requirements
   •  Meet FedRAMP for Cloud services
   •  Encryption as a compensating control
•  Challenge
   •  Security in an uncontrolled environment
•  Solution
   •  Certes Group Encryption
   •  Centralized TNM
   •  Multiple CEPs at every DC
•  Why Certes?
   •  Simplicity of large deployment
   •  Scales to 10 Gbps
   •  No performance hit
   •  Centralized management, policy changes, reporting

[Figure: enterprise data centers and the Cloud connected over the WAN]

Thank You