Data Sheet

Voltage SecureData

End-to-end data-centric security for the new data-driven economy

Highlights of Voltage SecureData Next Generation Capabilities • Hyper FPE, a next generation high performance format-preserving encryption for virtually unlimited data types • FIPS 140-2 and Common Criteria validated solution, sensitive data is protected with NIST‑ Standard FF1 AES encryption, pioneered by Micro Focus • Designed for compute intensive demands and the explosion of data and formats that need protection across a broad array of use cases • Flexible range of interfaces including REST, simple , gateway, and native for easier integration with broad range of databases, applications, and platforms The Challenge in Data Security encryption technologies. These companies • Hyper SST—Next generation high performance The volume of data, the sophistication of deploying encryption technologies also tokenization experienced a substantial ROI, at 11.3%. ubiquitous computing and the borderless • More flexible encryption for global markets with flow of data are outpacing the ability to Voltage SecureData provides an end-to-end Unicode language support understand how personal data is being used. data-centric approach to enterprise data protection. It is the only com­prehensive • Supports the encryption and pseudonymization In this data-driven economy, consumers guidance in the new General Data Protection data protection platform that enables you to find it hard to trust companies for a variety Regulation (GDPR) legislation for European Union of reasons when it comes to use of their protect data over its entire lifecycle—from the point at which it’s captured, throughout its personal data. For example consumers’ movement across your extended enterprise, reaction to data misuse can cause them all without exposing live information to high‑ to reduce their spending with a company risk, high-threat environments. That’s the by about one-third.1 Moreover, the number essence of data-centric security. of cyber attacks against enterprises and governments globally, continues to grow Voltage SecureData includes next generation in frequency and severity. technologies, Hyper Format-Preserving En­cryp­­tion (FPE), Hyper Secure Stateless The findings in the Ponemon Institute Cyber Tokeni­­za­­tion (SST), Format-Preserving 2 Crime Study suggest companies using Hash (FPH), Stateless Key Management, encryption technologies are more efficient in ______detecting and containing cyber attacks. As a 1. Bridging the Trust Gap in Personal Data, result, these companies enjoyed an average BCG, March 2018 cost savings of $997,062 USD annually 2. 2017 Cost of Cyber Crime Study: Global when compared to companies not deploying Ponemon Institute, October 2017. Voltage SecureData

and data masking. Voltage SecureData F5 load balancing, and Hadoop with native The NIST standard provides an approved and “de-identifies” data, rendering it useless on‑node cluster-wide ata masking, encryption proven data-centric encryption method for to attackers, while maintaining its usability, and decryption. SIEM/SIM systems can take government agencies, and has been involved usefulness, and referential integrity for event data from Voltage SecureData or data as a developer through open cooperation data processes, applications, and services. governance reporting, activity monitoring, with NIST from initial proposals of Format- Voltage SecureData neutralizes data and audit. Preserving Encryption technologies with breaches by making your protected data formal security proofs to independent peer absolutely worthless to an attacker, whether Voltage SecureData protects information in review of the NIST AES modes. The NIST it is in production, analytic systems, or test/ compliance with PCI DSS, HIPAA, GLBA, state standard is critical in setting the bar to ensure development systems, such as training and and national data privacy regulation as well organizations are maintaining regulatory and quality assurance. as the European Commission’s General Data audit compliance, as well as using proven Protection Regulation (GDPR), applicable in methods to protect against a data breach. A Unique Approach to all EU member states. Voltage SecureData End-to-End Encryption is also compatible with the more stringent Voltage SecureData is FIPS 140-2 and Com­ Voltage SecureData is a unique, proven PCI DSS 3.2’s new requirements on transport mon Criteria validated, leveraging the NIST data‑centric approach to protection— encryption, enabling accelerated compliance FF1 AES encryption standard, providing all where the ac­cess policy travels with the ahead of deadlines as recommended by the the benefits of data-centric security delivered data itself—by permitting data encryption PCI council. Voltage SecureData enables by Hyper FPE—the most flexible and powerful and tokenization without changes to data organizations to quickly pass audit and FPE available—with the ability to encrypt format or integrity, and eliminating the cost additionally implement full end-to-end data virtually unlimited data types. and complexity of issuing and managing protection to reduce risk impact of data certificates and symmetric keys. As a result, breaches, all without the IT organization The work Micro Focus Data Security is doing leading companies in financial services, having to completely redefine the entire with NIST, ANSI, IEEE, IETF, and independent insurance, retail, healthcare, energy, infrastructure and IT processes or policies. security assessment specialists, stands unique transportation, telecom and other industries On average, Voltage SecureData requires in the market. Standards bodies where have achieved end-to-end data protection less than 0.1 full-time employee (FTE) per Voltage SecureData protection technology across the extended enterprise with success data center for ongoing management. break­throughs are published include: NIST, in as little as 60–90 days, because of the ANSI, IEEE, and IETF. minimum, in most cases zero, impact to Key Benefits applications and database schemas. Reduce audit scope, costs, system impact, and resources. Eliminate sensitive data from Short Time to Success production and test systems and enable with Data Security end-to-end data protection. Helps enable Most applications can operate using protected compliance to data privacy regulations. data without change. For those applications where sensitive data is first captured or Avoid brand-damaging, costly breaches. live data is needed for controlled business beyond compliance to easily weave purposes, Voltage SecureData can easily data protection across systems, devices, be used with virtually any system, ranging and platforms. from decades-old custom applications to the latest enterprise programs. Powerful, Industry Standard Format-Preserving Hyper FPE: Encryption and centrally managed, policy-controlled APIs, Technologies—Securedata with Hyper FPE Masking—How We Do It such as a REST API and command line tools, Micro Focus Data Security has contributed Traditional encryption approaches, such as enable encryption and tokenization to occur technology and core specifications for the AES CBC, have enormous impact on data on the widest variety of platforms, including new National Institute of Stan­dards and Tech­ structures, schemas and applications as Vertica, NonStop, Teradata, IBM mainframe, nology’s (NIST) AES FF1 Format‑Preserving shown in Figure 1 on the following page. Linux and other open systems. APIs enable Encryption (FPE) mode standard: www.nist. Hyper FPE is NIST-stan­dard using FF1 mode broad deployment into portfolios including gov/news-events/news/2016/03/new-nist- of the Advanced Encryption Standard (AES) ETL, cloud, databases and applications, security-standard-can-protect-credit-cards- ­algorithm, which encrypts sensitive data network appliances, and API brokers such as health-information while preserving its original format without

2 Voltage SecureData

sac­rificing encryption strength. Structured First name: Gunther data, such as Social Security number, Tax ID Last name: Robertson number, credit card, account, date of birth, SSN: 934-72-2356 Tax ID DOB: 08-07-1966 salary fields, or email addresses can be 934-72-2356 encrypted in place. FPE First name: Uywjlqo Last name: Muwruwwbp 253-67-2356 SSN: 253-67-2356 Traditional encryption methods significantly AES-FF1 mode DOB: 08-07-1966 alter the original format of data. For example, Regular Ija&3k24kQotugDF2390^32 0OWioNu2(*872weW a 16-digit credit card number encrypted with 8juYE%Uks&dDFa2345^WFLERG AES produces a long alphanumeric string. AES-CBC mode Oiuqwriuweuwr%oIUOw1@ As a result, database schema changes are required to facilitate this incompatible format. Figure 1. Format-Preserving Encryption (FPE) versus Regular AES Encryption Hyper FPE maintains the format of the data being encrypted so no database schema policy. Advanced policy controlled caching of EU residents. GDPR pushes the EU into changes and minimal application changes maximizes performance. Stateless Key a new era of data privacy, compliance and are required—in many cases only the trusted Management reduces IT costs and eases enforcement in 2018. applications that need to see the clear data the administrative burden by: need a single line of code. Tools for bulk • Eliminating the need for a key database, Any enterprise handling EU residents’ data encryption facilitate rapid de‑identification of as well as the corresponding hardware, needs to revisit the meaning of personal large amounts of sensitive data in files and software, and IT processes required to data due to GDPR’s expanded definition databases. Typically, whole systems can be protect the database continuously or the of personal data. New expanded data rapidly protected in just days at a significantly need to replicate or backup keys from includes name, location data, online id, reduced cost. In fact, Hyper FPE allows site to site. genetic factors, etc. When an enterprise accelerated encryption performance aligning collects sensitive data, personally identifiable • Easily recovering archived data because to the high volume needs of next generation information (PII), payment card industry (PCI), keys can always be recovered. Big Data, cloud and Internet of Things, and or protected health information (PHI), it must supports virtually unlimited data types. • Automating supervisory or legal secure and protect that data. Enterprises e-discovery requirements through simple face significant financial penalties for Hyper FPE de-identifies production data application APIs, both native and via non-compliance. and creates structurally valid test data so Web services. developers or users can perform QA or • Maximizing the re-use of access policy Voltage SecureData de-identification conduct data analysis—all without exposing infrastructure by integrating easily and privacy protection of sensitive data, sensitive data. The Voltage SecureData with identity and access management production and non-production, including management console enables easy control frameworks and dynamically enforcing PII, PHI, and PCI, throughout the enterprise, of policy and provides audit capabilities data‑level access to data fields or partial provides end-to-end data-centric security. across the data life cycle—even across fields, by policy, as roles change. Hyper FPE delivers strong and flexible thousands of systems protected by Voltage encryption to protect EU citizen’s personal SecureData. Hyper FPE also provides the Unicode Latin 1—Hyper FPE Unicode Latin 1 data and to follow pseudonymization option to integrate access policy information provides format and character set preserving guidance in the new GDPR. in the cipher text, providing true data-centric encryption for global enterprises using data protection where the data policy travels with in languages such as German, Spanish, Protecting high value data in government— the data itself. French and more. Voltage SecureData has achieved the industry’s first Federal Information Processing Stateless Key Management: GDPR—New data protection law—European Standard FIPS 140-2, and Common Criteria, Transparent, Dynamic Commission is modernizing data protection validation of Format-Preserving Encryption Stateless Key Management securely legislation by replacing the EU Data Protection (FPE). Now, government agencies and derives keys on-the-fly as required by an Directive 95/46 EC with the GDPR, which is private contractors serving government application, once that application and its directly applicable in all European Union (EU) customers, can leverage the same powerful users have been properly authenticated member states, and applies to organizations and proven technology that has transformed and authorized against a centrally managed worldwide who are processing personal data cybersecurity in the private sector.

3 Voltage SecureData

Professional Services—Available to clients’ scope projects, combat advanced threats, reduce compliance burden, and quickly solve difficult data privacy challenges. SS T FPE FPE FPE FPE Hyper SST (Secure Stateless Tokenization) Hyper Secure Stateless Tokenization (SST) is an advanced, patented, data security solution that provides enterprises, merchants, and payment processors with a new approach to help assure protection for payment card Secured data access under strict policy controls data. Hyper SST is offered as part of the Voltage SecureData platform that unites market-leading encryption, tokenization, data masking, and key management to Figure 2. Data Protection with Hyper FPE and Hyper SSTS Encryption protect sensitive corporate information in a single comprehensive solution. enforcing the right to be forgotten. Voltage original data. This enables FPH to offer high- Format-Preserving Hash (FPH) operates with performance data usability—unlike traditional Hyper SST is “stateless” because it eliminates the same benefits as FPE for structure, logic, one-way transformation techniques, such as the token database, which is central to partial field application and so forth, but SHA-256—in a non-disruptive and more other tokenization solutions, and removes with the added benefit of non-recovery of flexible approach toward data masking. the need for storage of cardholder or other sensitive data. Hyper SST uses a set of static, pre‑generated tables containing random Atalla HSM numbers created using a FIPS random Voltage number generator. These static tables reside on virtual “appliances”—commodity servers— SecureData and are used to consistently produce a Voltage unique, random token for each clear text SecureData Primary Account Number (PAN) input, Management resulting in a token that has no relationship Console to the original PAN. No token database is required with Hyper SST, thus improving the speed, scalability, security and manageability of the tokenization . In fact, Hyper SST effectively surpasses the existing “high‑octane” SST tokenization performance.

Data Anonymization with Voltage Format-Preserving Hash In specific use cases, such as Article 17— Voltage Voltage Voltage Voltage Voltage Right to erasure (‘right to be forgotten’) or SecureData SecureData SecureData SecureData SecureData in the creation of test data for example, the WebServicesAPI Command Lines native APIs File Processor Sentry need to recover masked data may be an (REST, SOAP) & Automated (, Java, C#, .NET) unnecessary risk, or further, may be explicitly File Parsers undesired, as in the case of permanently Figure 3. Voltage SecureData Architecture with virtual servers and administration tools

4 Voltage SecureData

Voltage SecureData Architecture SecureData Sentry Transparent encryption method by intercepting sensitive Voltage SecureData solutions share a Deployment to Accelerate data flowing through the network to support common infrastructure, including the same Time to Value on-premises and hybrid cloud-deployed centralized servers and administration tools. With migration to hybrid IT and an applications. SecureData Sentry simplifies This enables Voltage SecureData customers increasing reliance on SaaS applications, hybrid IT migration, accelerates time to value to choose an appropriate combination of organizations may not have the accessibility by quickly enabling security compliance, techniques to address their use cases, or development resources for API-level and offers consistency for end-to-end data across diverse environments, while avoiding integration. Along with Layer 2 approaches, protection, without having to break open the costs and complexities of deploying and a data privacy broker solution, Voltage applications and extensively re-qualify managing multiple products. SecureData Sentry, enables a transparent IT architectures.

Voltage SecureData Platform Modules Description Voltage SecureData­ Enforces data access and key management policies, and eliminates the need to configure each application, because flexible policies are Management ­Console ­centrally defined and reach all affected applications. Manages data format policies, business rules enforcement over data access, integration with enterprise authorization and authentication systems and connectivity to enterprise audit and security event monitoring systems. It also manages data security policies such as the choice of Hyper FPE, file encryption, and data masking.

Key Management High-scale, on-demand, stateless key management eliminates the need for traditional complex storage-based key management, because keys are ­dynamically derived; seamlessly integrates with existing Identity Management and Authorization Systems and Key Management using FIPS 140–2 ­Hardware Security Modules.

Voltage SecureData Centralized Web services encryption and tokenization option for Service Oriented Architecture environments, enterprise applications and Web Services Server ­middleware. Supports SOAP and REST API Web services, and Unicode Latin 1 for native languages.

Voltage SecureData Maximizes efficiency on a broad range of application servers through native encryption on HP-UX, SAP HANA, NonStop, Microsoft Azure, Amazon Simple API Web ­Services (AWS), Solaris, Stratus VOS, Linux (Red Hat, SUSE, CentOS), AIX, and Windows. Additional APIs are available for embedded ­platforms such as ­payment terminal devices. Supports hardware accelerated encryption processes where available, e.g., Intel AES-NI.

Voltage SecureData Scriptable tools easily integrate bulk encryption, tokenization, and file encryption into existing batch operations and applications. ­Command Lines

Voltage SecureData Aggregates support for both tokenization and encryption of sensitive data elements. It provides a unique value to the customer as a single File Processor client ­converging both Web services and native API interfaces. The converged clients expand the support for new file types by decoupling input file processing from the underlying encryption and tokenization operations. Delivers high performance data de-identification, with parallel multi-threaded processing of sensitive data elements simultaneously protecting data fields across columns.

Voltage SecureData Includes simple data security libraries to easily incorporate into native mobile applications. This enables the mobile application to secure Mobile ­captured data end-to-end to the trusted host using a one-time cryptographic key. Supports iOS and Android.

Voltage SecureData  Voltage SecureData z/Protect: Maximizes CPU performance on mainframe systems through native z/OS support for encryption and also ­supports ­ ­tokenization. mainframe, Big Data,  Voltage SecureData z/FPE: Mainframe data processing tool to fast track integration into complex record management systems such as VSAM, and payment security QSAM, DB2, and custom formats. De-identify sensitive data for production and test use. ecosystems  Voltage SecureData for Hadoop Developer Templates: Enable customers to integrate FPE and SST technologies into their Hadoop ­instances. Templates come with pre-built integrations for NiFi, Sqoop, MapReduce and Hive, and can be quickly expanded to integrate into other ­technologies in the Hadoop stack such as Flume.  Voltage SecureStorage: Data-at-rest encryption for Linux with Stateless Key Management.  Voltage SecureData Web and Optional Add-ons: Secures data end-to-end from browser applications and forms to secure back-end ­applications, extending end-to-end security beyond transport encryption such as SSL and TLS.  Voltage SecureData Terminal SDK and Host SDK: Provide market-leading P2PE payments security.

5 “We needed fast deployment in an environment that is reluctant to change, but we were able to move through very quickly. We were able to get PCI compliant, which is a very big win for us, and improve our security and the additional controls around the data as it’s being moved, and we have very few support calls.” Contact us at CyberRes.com DIRECTOR OF ENTERPRISE INFORMATION SECURITY Like what you read? Share it. AAA—The Auto Club Group

Atalla HSM Authentication & Voltage authorizatioa nsources SecureData (e.g., active directory) Management VoltageSecureData Console

Voltage iOSand Android VolumeKey Voltage SecureData Voltage Voltage Voltage Voltage Partner SaaS &PaaS Payment devices Management SecureData CommandLines & SecureData SecureData SecureData Native SecureData integrations cloud apps terminals WebServicesAPI Automated File native APIs File Processor UDFs z/Protect, z/FPE (REST, SOAP) Parsers (C,Java, C#, .NET)

Policycontrolleddataprotectionand maskingservices&clients

Business applications, data stores and processes

Mobile apps Volumes and Enterprise Production ETL&data 3rdparty Teradata, Voltage Mainframe Network Web/cloud 3rdparty SaaS Payment storage applications databases integration applications Hadoop & Nonstop applications & Interceptors applications gateways systems suites Vertica Applications& databases (AWS,Azure) Databases

Figure 4. Voltage SecureData Architecture addresses use cases for enterprises across diverse environments.

760-000020-002 | M | 04/21 | © 2021 Micro Focus or one of its affiliates. Micro Focus and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other marks are the property of their respective owners. A Micro Focus line of business