
Venafi Advanced Key Protect

Data Sheet

Delivering Scalable Private Key Security with Leaders

Orchestrating HSM-generated private keys with certificate life cycle automation for SSL/TLS and SSH

Hardware Security Modules (HSMs) protect machine identities by generating strong keys for SSL/TLS and SSH; these cryptographic keys, along with digital certificates, serve as machine identities. But previously, when enterprises wanted to combine HSM protection of cryptographically strong keys with certificate life cycle management, they had to rely on custom development or resource-intensive manual processes. With the introduction of Venafi Advanced Key Protect, organizations can now use the Venafi Platform for fast, automated orchestration of secure HSM key generation and protection combined with certificate issuance to improve security, increase efficiencies and meet compliance requirements. The full key and certificate life cycle is automated without the need for administrator interaction.

As the number of severe vulnerabilities and attacks targeting machine identities increases, the need for strong private keys for SSL/TLS and SSH throughout the enterprise is becoming more acute. For example, when private keys are stored in files or memory, they are susceptible to file and memory scraping as well as recent side-channel attacks. HSM-generated keys address these risks by producing strong FIPS compliant private keys with maximum entropy, using certified random number generation and secure hardware protection for keys.

HSMs have long been used in security-conscious industries, including Banking, Financial Services, Federal Agencies and Retail. Critical business applications containing sensitive data, such as PCI, PII and PHI, are now using HSM key generation and hardware protection of data.

Advanced Key Protect at a Glance

Venafi Advanced Key Protect powers the use of secure hardware-based cryptographic keys by orchestrating HSM-based generation and protection of cryptographically strong keys combined with certificate automation.

Prerequisites
• The Venafi Platform
• One of the following
  - Gemalto SafeNet Network HSM
  - Thales nShield Connect HSM

Benefits
• Leverage your existing HSM investment for strong key generation and protection
• Automate certificates and keys in a FIPS 140‑2 Level 2 environment supported by HSMs
• Comply with industry and internal security requirements
• Generate strong keys from a NIST certified random bit generator (RBG)
• Orchestrate strong keys across your enterprise under strict policy control
• Eliminate risk of stolen keys from file systems, software certificate stores and system memory

www.venafi.com 1 Venafi Advanced Key Protect Data Sheet
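The risk the data sheet names, private keys sitting in files where they can be scraped, is something a defender can measure before and after moving key generation into an HSM. The following audit script is an added example, not Venafi code and not part of the data sheet: it walks a directory tree, reports every PEM-encoded private key it finds, and flags the ones that carry no passphrase at all. The directory layout and the PEM bodies are constructed placeholders (valid base64 that is not key material); the script only inspects PEM headers and never parses or loads a key. It does not see PKCS#12, JKS or DER keystores, so treat its output as a lower bound on what still lives outside the HSM.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Header lines of the PEM private-key encodings commonly left on disk.
# Only the header is inspected: the goal is to locate key material that
# lives in a file at all, not to parse or use it.
_PEM_KEY_RE = re.compile(
    r"-----BEGIN (?P<label>(?:ENCRYPTED |RSA |EC |DSA |OPENSSH )?PRIVATE KEY)-----"
)
# Legacy OpenSSL "traditional" PEM marks passphrase protection with a
# Proc-Type header inside the block rather than in the BEGIN line.
_LEGACY_ENC_RE = re.compile(r"^Proc-Type: 4,ENCRYPTED", re.MULTILINE)


@dataclass(frozen=True)
class KeyFinding:
    path: str
    label: str
    encrypted: Optional[bool]  # None = cannot be decided from the header


def classify_pem(text: str):
    """Return (label, encrypted) for the first PEM private key in text, else None."""
    m = _PEM_KEY_RE.search(text)
    if m is None:
        return None
    label = m.group("label")
    if label.startswith("OPENSSH"):
        # The OpenSSH format records its KDF choice inside the base64 body,
        # so passphrase protection cannot be decided from the header alone.
        return label, None
    encrypted = label.startswith("ENCRYPTED") or bool(_LEGACY_ENC_RE.search(text))
    return label, encrypted


def scan_for_file_keys(root: str, max_bytes: int = 256 * 1024) -> List[KeyFinding]:
    """Walk root and report every file that carries a PEM private key."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # key files are small; skip large binaries
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished mid-scan
            result = classify_pem(data.decode("ascii", errors="ignore"))
            if result is not None:
                findings.append(KeyFinding(path, result[0], result[1]))
    return sorted(findings, key=lambda k: k.path)


def unprotected(findings: List[KeyFinding]) -> List[KeyFinding]:
    """Keys with no passphrase at all: the file-scraping case the sheet describes."""
    return [f for f in findings if f.encrypted is False]


# Constructed sample tree (hypothetical paths); the PEM bodies are placeholder
# base64 and are not real keys.
_PLACEHOLDER_BODY = "Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtS0VZ\n"


def build_demo_tree() -> str:
    root = tempfile.mkdtemp(prefix="keyscan-demo-")
    samples = {
        "etc/ssl/private/app.key":
            "-----BEGIN RSA PRIVATE KEY-----\n" + _PLACEHOLDER_BODY + "-----END RSA PRIVATE KEY-----\n",
        "etc/ssl/private/legacy.key":
            "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
            + _PLACEHOLDER_BODY + "-----END RSA PRIVATE KEY-----\n",
        "etc/pki/backup.p8":
            "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + _PLACEHOLDER_BODY + "-----END ENCRYPTED PRIVATE KEY-----\n",
        "home/svc/.ssh/id_ed25519":
            "-----BEGIN OPENSSH PRIVATE KEY-----\n" + _PLACEHOLDER_BODY + "-----END OPENSSH PRIVATE KEY-----\n",
        "etc/ssl/certs/app.crt":
            "-----BEGIN CERTIFICATE-----\n" + _PLACEHOLDER_BODY + "-----END CERTIFICATE-----\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for finding in scan_for_file_keys(demo_root):
        state = {True: "passphrase-protected", False: "UNPROTECTED", None: "unknown"}[finding.encrypted]
        print(f"{finding.label:<24} {state:<20} {os.path.relpath(finding.path, demo_root)}")
```

Run the script against a real host by replacing build_demo_tree() with the root you want to inventory; a passphrase-protected key still counts as a file-resident key for the purpose of the data sheet's argument, which is why the report lists all findings and only separately singles out the unprotected ones.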

HSMs are critical for secure PKI and for the protection of deployed SSL/TLS certificates to critical business applications. Now, with the close partnership between Venafi and leading HSM vendors, management has been dramatically simplified. HSM-generated keys can now be accessible at machine speed, even in complex, high-security environments.

HSM security benefits are so strong that regulations like PCI-DSS recommend that all private cryptographic key material be generated and stored within an HSM to protect in-scope PCI systems. In addition, entities doing business with government agencies must adhere to FedRamp standards. Beyond standards and regulations, organizations can substantially improve their overall security by leveraging HSMs to protect private cryptographic key material across the enterprise.

Traditionally, HSMs have only been deployed for a narrow set of applications. Despite the improved key strength and overall protection that HSMs provide for digital keys, their management burden has kept them from being utilized broadly. With Venafi Advanced Key Protect, organizations can easily expand usage and increase the value they get from their HSMs.

HSM Key Management Challenges

Broad HSM usage without key and certificate life cycle orchestration for SSL/TLS and SSH creates new challenges for organizations that want complete visibility into all of their keystores; this is a challenge even for the keys stored in the HSM. Organizations that deploy HSMs widely also lack the ability to centrally manage all their distributed keystores and are unable to consistently apply enterprise policy controls.

Previously, when organizations wanted to use automation to leverage strong HSM keys, manage the entire key life cycle, and apply policies or streamline workflows, they had to create custom scripts or run manual processes, both of which require major investments. These largely manual efforts often resulted in high-maintenance, error‑prone solutions that did not scale.

The Solution: Venafi Advanced Key Protect

Venafi Advanced Key Protect delivers an out-of-the-box solution that overcomes these challenges. It integrates with industry-leading HSMs, including Gemalto and Thales, to leverage strong HSM keys throughout an enterprise. As an add-on module to the Venafi Platform, Advanced Key Protect applies policy and workflow controls and enables fast, automated orchestration of keys and certificates. Together, these capabilities make it possible for enterprises to ensure the consistent use of the strongest cryptographic keys possible.

Supported Client Versions
• Gemalto/SafeNet (Luna) client version 6.2.2 (plus OpenSSL toolkit 1.0.2 for Apache)
• Thales Security World client version 12.40.2

Earliest Supported HSM Versions
• Gemalto SafeNet Network HSM (formerly Luna SA) models 7000 running software version 5.4.7-1 and firmware version 6.10.9
• Thales nShield Connect HSM
  - Connect+: 500+; 1500+; 6000+; Security World version 12.40.2
  - Connect XC: Base; Mid; High; Security World version 12.40.2

"We evaluated all of the products from the top players in the space. Venafi was the clear winner for multiple reasons:
• Venafi allowed us to keep the entire certificate management process in-house.
• Venafi supported all the CA and HSM technologies we use.
• Venafi is extremely flexible and could satisfy all our immediate needs and anticipated future needs."
Fortune 500 Insurance Company
Source: TechValidate. TVID: 8DA-A8D-6DA


How It Works

Venafi Advanced Key Protect supports two distinct functions:
1) Central HSM SSL/TLS and SSH Key Generation with Key and Certificate Installation on Managed Applications
2) HSM SSL/TLS and SSH Private Key Protection Combined with Automated Certificate Orchestration

1. Central HSM SSL/TLS and SSH Key Generation with Key and Certificate Installation on Managed Applications.

There are times when keys need to be stored with the applications they support. Secure key material is essential, especially when keys aren't stored in an HSM. Venafi Advanced Key Protect coordinates the generation of private keys for certificates and SSH through a central HSM and pairs this with Venafi certificate issuance and installation. Together, this provides automated, validated distribution with maximum key entropy for applications.

The Details

The Venafi Platform can be used to generate all X.509 and SSH keys in a central HSM, even for applications that do not have the capability to integrate with an HSM. This ensures that keys are created with strong random number generation across the network. In this approach, instead of keeping the private key in the HSM, the key pair is exported from the HSM and the private key and certificate are installed on the system that will use them. This capability is supported by Gemalto HSMs.

When an administrator enters application and HSM information into the Venafi Platform, it triggers these actions by the platform:
• Instructs the HSM to generate a key pair
• Retrieves the private key and a certificate-signing request (CSR) from the HSM
• Uses the CSR for certificate enrollment with a certificate authority (CA)
• Installs the certificate and the private key on the managed application

2. HSM SSL/TLS and SSH Private Key Protection Combined with Automated Certificate Orchestration.

This function is used when a business wants to protect keys using an HSM that is associated with the managed applications it supports. With Advanced Key Protect, private keys can be managed without ever leaving the hardware or being exposed to host memory. Businesses get full SSL/TLS and SSH key management in a FIPS 140-2 Level 2 or environment, pairing automated Venafi management with the security of the HSM.

Private Key and Certificate Installed on Managed Application


Private Key Securely Maintained on HSM

The Details

Venafi Advanced Key Protect triggers the generation of a key pair by the HSM and orchestrates the connection to the system that needs the certificate. Venafi delivers key and certificate management with the key pair securely maintained by the HSM. Both Gemalto and Thales HSMs enable this approach, and this capability is supported on Apache, Windows IIS and Java keystores.

Again, the process begins when an administrator enters application and HSM information into the Venafi Platform, but this time it triggers the following actions by the platform:
• Connects to the managed application and instructs the HSM to generate a key pair
• Retrieves a CSR from the HSM through the managed application
• Uses the CSR for certificate enrollment with a CA
• Installs the certificate on the managed application (the private key remains on the HSM)

Next Steps

If you have the Venafi Platform and a Gemalto or Thales HSM, or you're considering investing in these solutions, contact us to learn more about how you can best leverage these solutions to maximize strong key generation and management.

TRUSTED BY THE TOP
5 OF 5 Top U.S. Health Insurers
5 OF 5 Top U.S. Airlines
4 OF 5 Top U.S. Retailers
4 OF 5 Top U.S. Banks
4 OF 5 Top U.K. Banks
4 OF 5 Top S. African Banks
4 OF 5 Top AU Banks

ABOUT VENAFI

Venafi is the cybersecurity market leader in machine identity protection, securing the cryptographic keys and digital certificates on which every business and government depends to deliver safe machine-to-machine communication. Organizations use Venafi key and certificate security to protect communications, commerce, critical systems and data, and mobile and user access. To learn more, visit www.venafi.com

www.venafi.com © 2018 Venafi, Inc. All rights reserved. Venafi and the Venafi logo are trademarks of Venafi, Inc. 4