SG-TDE

A Data Encryption Service For Cloud Servers

More About SG-TDE

SG-TDE is a data-at-rest encryption service for sensitive information stored in a database or a file server deployed on any cloud platform (AWS, Azure, CenturyLink, Google) or within your own data center. It usually takes less than 30 minutes to install and configure. The service can encrypt data stored in MySQL, PostgreSQL, MongoDB, CouchDB or a file server, and is designed to support regulatory compliance with HIPAA/HITECH, GDPR, PCI DSS, FISMA, GLBA, SOX and FERPA.

HIPAA's Breach Notification Rule (added by the HITECH Act) requires covered entities to notify affected individuals upon discovery of a breach of unsecured ePHI (electronic protected health information), and, for breaches involving 500 or more individuals, to notify HHS and the media as well. ePHI that has been rendered unusable, unreadable or indecipherable by encryption consistent with HHS guidance is not "unsecured", so its loss does not trigger the notification requirement, provided the decryption key was not compromised along with the data. Server General TDE can help covered entities qualify for this Safe Harbor by transparently encrypting ePHI stored in a database or a file server on any cloud platform, with the keys held outside the server.

It generally takes less than 30 minutes to install and configure Server General TDE. No programming is required to encrypt data. Moreover, you will control your own encryption keys no matter where your servers are hosted.

Server General TDE lets customers store their log files outside of their own administrative control, so that the parties whose actions are being logged cannot tamper with them. Auditors are more inclined to trust logs kept this way, which in turn can lower the overall cost of an audit.

Incredible Features

Any Linux Server, Any Cloud Platform
Server General TDE can encrypt data stored on any Linux server in any public, private or hybrid cloud. The encryption is transparent to end users and applications. Data sets can be selectively encrypted according to their sensitivity, with different encryption algorithms per data set.
Data Encryption Service
Data security and regulatory compliance have become critical issues for private enterprises, public organizations and government. Managing and securing customer and patient information is a growing concern for IT departments, especially when operating in the cloud, and the effort needed to comply with the many applicable regulations often exceeds the capacity of a small IT group. Server General TDE, with its live monitoring, helps organizations defend against attackers who exploit the anonymity of today's Internet. It generally takes less than 30 minutes to install and configure the service and to store the keys in a secure location.
Military Grade Encryption
Server General TDE uses the AES algorithm, the NIST standard approved by the U.S. government for protecting classified information. The service transparently encrypts each sensitive data file with its own randomly generated key; those per-file keys are in turn protected by the data owner's master key (see Technology below). The target server can be hosted on a public, private or hybrid cloud.
Low Overhead
Server General TDE adds low encryption overhead (typically less than 2% in the vendor's measurements), so there is no material degradation in database or file server performance. As with any file-level encryption the cost is workload-dependent, so measure on your own I/O pattern before rollout.
Protection Against A Malicious Root User
Server General TDE controls access to the protected data sets through access control mechanisms that deny clear-text access even to the "root" user. A root login on the server does not by itself yield the keys: they are held wrapped in the key locker and can only be unwrapped with the data owner's master key.
Life-time Key Management
Server General TDE provides key management for the whole key life cycle: generation, storage, rotation and revocation. Different data owners on the same machine can encrypt their data sets under their own master encryption keys, and can rotate those keys to meet regulatory compliance requirements.
Store Keys On-Premises
Server General TDE can store encryption keys on-premises in a secure appliance or within the Server General cloud. In either case the customer remains in full control of the keys, because the stored values are wrapped under a master key known only to the data owner.
Role-Based Management
Many solutions rest on an outdated assumption: that the network or system administrator can be trusted with everything. That bypasses the application's own access control logic as intended by the application vendor and exposes the application data to a whole range of attacks. Server General TDE instead segregates management responsibilities by role, so that the server administrator and the data owner are distinct roles and neither alone holds everything needed to read the data.
Log Management
All privileged operations conducted by Server General TDE administrators are logged within and outside of the administrative domain of a customer. This feature provides non-repudiation and is heavily relied upon by auditors.
Based On Open-Source
Server General TDE builds on eCryptfs, the stacked cryptographic file system included in the mainline Linux kernel. eCryptfs is derived from Cryptfs, the stackable encryption file system developed by Erez Zadok, CTO of Server General Inc.

How Does it Work?

  • Install Server General Agent
    Install the SG-Agent on your server. The Agent installation takes less than 5 minutes.
  • Configure Server Agent
    - Configure SG Administrators
    - Generate/Store Encryption Keys
    - Create a Security Policy
    - Enforce It
  • Encrypt Data at Rest
    Enforcing the security policy transparently encrypts the data stored in the protected data sets using AES-256. No application-level change is required.
  • Manage Encryption Keys
    You will be able to generate, store, rotate and revoke keys. We encrypt your encryption keys and store the encrypted values in a locker deployed on-premises or within our global key management infrastructure.
  • Control Access
    All access to the protected data sets is denied unless explicitly granted by you. Even the "root" user is unable to read the sensitive information stored in the protected data sets in clear text.
  • Log at Multiple Locations
    Logs are stored locally on your server and at three outside locations. This prevents an attacker from rewriting history.
  • That's It
    We make sure that your encryption keys are available to you when you need them, and to no one else.

Technology

The core components of SG-TDE are a data encryption engine, a key management engine, an access control engine and a logging engine. Each performs a critical function in securing sensitive information, and together they provide active countermeasures against a range of attack vectors.

Server General TDE includes a high-performance Data Encryption Engine that encrypts every write and decrypts every read. It protects against theft of media or disk images: even an intruder who obtains a physical or electronic copy of the data gets nothing usable without the decryption keys, and any probing of the files yields only blocks of ciphertext. Note that this is protection for data at rest; data that an authorized process is actively reading is necessarily in clear text in that process's memory.

The most important component of Server General TDE is its Key Management Engine, which keeps the customer in control of their own encryption keys at all times. Keys are stored in one or more key lockers deployed within the Server General global key management infrastructure or within the customer's own network. In both cases the stored keys are themselves wrapped in a further layer of encryption under a master key derived from a passphrase known only to the data owner, so the lockers hold only ciphertext blobs that other parties cannot decipher. The key management system lets customers generate strong 256-bit keys, rotate them on demand, revoke any key at any time and store them in a secure location.
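The wrap-and-store design described above, and the generate/store/rotate/revoke steps listed under "How Does it Work?", can be shown in a few dozen lines. The Go program below is an added illustration written for this page, not Server General's code and not eCryptfs's on-disk format: each file gets its own random AES-256 key, that key is wrapped under a key-encryption key derived from the owner's passphrase, rotation re-wraps the file keys rather than re-encrypting the data, and revocation is simply deleting the wrapped key. The Locker type, the PBKDF2 iteration count and the file and passphrase names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Locker is a hypothetical key locker: it holds only wrapped (encrypted) per-file keys.
type Locker struct {
	salt    []byte            // salt for deriving the KEK from the passphrase
	wrapped map[string][]byte // file name -> per-file key sealed under the KEK
}

const kdfIters = 10000 // kept low so the example runs fast; production uses far more

func NewLocker() *Locker { return &Locker{salt: randBytes(16), wrapped: map[string][]byte{}} }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing crypto/rand is not recoverable here
	}
	return b
}

// deriveKEK is PBKDF2-HMAC-SHA256 for one 32-byte block, written out inline (stdlib only).
func deriveKEK(passphrase string, salt []byte) []byte {
	prf := hmac.New(sha256.New, []byte(passphrase))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1})
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < kdfIters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// seal: AES-256-GCM, random nonce prefixed; the file name is bound in as AAD
// so a locker record cannot be swapped onto another file.
func seal(key, pt, aad []byte) []byte {
	block, _ := aes.NewCipher(key) // 32-byte keys: these constructors cannot fail
	gcm, _ := cipher.NewGCM(block)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// EncryptFile gives the file a fresh random 256-bit key, stores that key wrapped
// under the owner's KEK, and returns the contents encrypted under it.
func (l *Locker) EncryptFile(name string, plaintext []byte, passphrase string) []byte {
	fek := randBytes(32)
	l.wrapped[name] = seal(deriveKEK(passphrase, l.salt), fek, []byte(name))
	return seal(fek, plaintext, []byte(name))
}

// DecryptFile fails closed: no record (revoked) or a wrong passphrase is an error.
func (l *Locker) DecryptFile(name string, ct []byte, passphrase string) ([]byte, error) {
	w, ok := l.wrapped[name]
	if !ok {
		return nil, fmt.Errorf("access denied: no key for %q (revoked or never granted)", name)
	}
	fek, err := open(deriveKEK(passphrase, l.salt), w, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("access denied: wrong passphrase or tampered key record")
	}
	return open(fek, ct, []byte(name))
}

// Rotate re-wraps every file key under a new passphrase; no data file is re-encrypted.
func (l *Locker) Rotate(oldPass, newPass string) error {
	oldKEK, newSalt := deriveKEK(oldPass, l.salt), randBytes(16)
	newKEK, rewrapped := deriveKEK(newPass, newSalt), map[string][]byte{}
	for name, w := range l.wrapped {
		fek, err := open(oldKEK, w, []byte(name))
		if err != nil {
			return fmt.Errorf("rotate aborted at %s: %w", name, err)
		}
		rewrapped[name] = seal(newKEK, fek, []byte(name))
	}
	l.salt, l.wrapped = newSalt, rewrapped // swap only once every key is re-wrapped
	return nil
}

// Revoke discards the wrapped key: the ciphertext becomes unrecoverable
// (crypto-shredding) without the data file itself being touched.
func (l *Locker) Revoke(name string) { delete(l.wrapped, name) }
```

Two properties worth noticing: a "root" user who copies both the ciphertext and the locker record still holds only two AES-GCM blobs and must guess the passphrase, and Rotate touches only the locker, so the cost of a rotation is independent of the size of the protected data sets.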

The Access Control Engine provides strong identification and authentication, shrinking the "trust domain" to the people who actually need access. Only authorized Server General TDE administrators can reach administrative functions; this single measure reduces the risk posed by rogue systems administrators, or by any other entity that has already got past perimeter security. The engine then allows only authorized users to access the protected data sets.

The Logging Engine records every administrative operation related to Server General TDE. Logs are stored at four locations: on the server itself and at three remote locations within the Server General cloud infrastructure. Log data is crucial both for security audits and for compliance. On an ordinary server, an external attacker or a malicious insider who gains unauthorized access to the data can then conceal the breach by deleting or editing the audit logs. With Server General TDE that is not possible, because the logs are also held outside the administrative domain of the entity being audited.
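An added example, not the product's own code, of why the copies held outside the administrative domain matter: a hash-chained admin log in which the server ships only the latest head hash to the outside locations. A chain alone catches an in-place edit, but an insider with root can simply recompute the chain; it is the comparison with the remotely held head that catches a consistent rewrite or a truncation. The Entry and AuditLog types and the sample operations are constructed for this illustration; the page does not describe SG-TDE's actual log format.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one privileged-operation record. Prev chains it to the record
// before it, so editing or deleting any record changes every later hash.
type Entry struct {
	Seq   int
	Actor string
	Op    string
	Prev  string // hex SHA-256 of the previous entry, genesis for the first
	Hash  string
}

const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

func entryHash(seq int, actor, op, prev string) string {
	// Length-prefixed fields: a plain join would let "a|b"+"c" collide with "a"+"b|c".
	s := fmt.Sprintf("%d|%d:%s|%d:%s|%s", seq, len(actor), actor, len(op), op, prev)
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// AuditLog is the copy on the server. Remote stands in for the outside
// locations, which receive only the head hash after every append.
type AuditLog struct {
	Entries []Entry
	Remote  []string
}

func (l *AuditLog) Append(actor, op string) {
	prev := genesis
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: len(l.Entries), Actor: actor, Op: op, Prev: prev}
	e.Hash = entryHash(e.Seq, e.Actor, e.Op, e.Prev)
	l.Entries = append(l.Entries, e)
	l.Remote = append(l.Remote, e.Hash) // shipped to the outside locations
}

// Verify recomputes the local chain and compares its head with the remote copy.
func Verify(entries []Entry, remoteHead string) error {
	prev := genesis
	for i, e := range entries {
		if e.Seq != i || e.Prev != prev {
			return fmt.Errorf("entry %d: chain broken (seq/prev mismatch)", i)
		}
		if entryHash(e.Seq, e.Actor, e.Op, e.Prev) != e.Hash {
			return fmt.Errorf("entry %d: contents altered", i)
		}
		prev = e.Hash
	}
	if prev != remoteHead {
		return fmt.Errorf("local head %s != remote head %s: history rewritten or truncated", prev, remoteHead)
	}
	return nil
}

// Rechain recomputes every hash from the (possibly edited) contents, which is
// exactly what an insider with root on the server can do to the local copy.
func Rechain(entries []Entry) []Entry {
	out := make([]Entry, len(entries))
	prev := genesis
	for i, e := range entries {
		e.Seq, e.Prev = i, prev
		e.Hash = entryHash(e.Seq, e.Actor, e.Op, e.Prev)
		out[i], prev = e, e.Hash
	}
	return out
}

func main() {
	var al AuditLog // constructed sample of privileged operations
	al.Append("sg-admin-1", "grant read protected/patients to app-user")
	al.Append("sg-admin-2", "grant read protected/patients to contractor")
	al.Append("sg-admin-1", "rotate master key for data owner acme")
	remoteHead := al.Remote[len(al.Remote)-1]
	fmt.Println("intact:", Verify(al.Entries, remoteHead))

	edited := append([]Entry(nil), al.Entries...)
	edited[1].Op = "list protected data sets" // insider hides the contractor grant
	fmt.Println("edited in place:", Verify(edited, remoteHead))
	fmt.Println("rechained:", Verify(Rechain(edited), remoteHead))
	fmt.Println("truncated:", Verify(al.Entries[:2], remoteHead))
}
```

Only the first check passes; the other three report the tampering. In a real deployment the remote locations would also authenticate the server (for example with a per-server HMAC key) so an attacker cannot push a fresh "legitimate" head along with the rewritten log.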

SG-TDE has been certified to work with the following server types:

SG-TDE is certified to work on the following platforms