SG-TDE-AnyCloud

Data Security For Servers

SG-TDE-AnyCloud is a data security solution for sensitive information stored in a database or a file server deployed on any cloud platform – AWS, Azure, CenturyLink, Google – or within your own data center. It usually takes less than 30 minutes to install and configure our solution. SG-TDE-AnyCloud can be used to secure data stored in a MySQL, PostgreSQL, MongoDB, CouchDB, SFTP, SAMBA or a Linux file server. The solution is designed to enable regulatory compliance with HIPAA/HITECH, GDPR, PCI DSS, FISMA, GLBA, SOX and FERPA.

Today’s computing requires enterprises to combine public clouds, private clouds and on-premises resources to gain a competitive advantage. However, solutions that are available within one cloud platform generally are not available within other cloud environments, which necessitates the use of different solutions to achieve the same results. SG-TDE-AnyCloud eliminates this problem by providing a data security solution that works on your servers deployed anywhere – any cloud or within your own data center. This in turn lowers your operating costs and allows you to have a uniform solution across all platforms. Imagine being able to move your encrypted data across different computing platforms without having to worry about the data encryption keys or decrypting the data sets first. That’s what SG-TDE-AnyCloud can do for you!


Main Features

Any Linux Server, Any Cloud Platform
SG-TDE-AnyCloud can be used to secure data stored in a Linux server located on any public, private or hybrid cloud. Our security solution does not alter the end-user’s experience.
Transparent Data Encryption
Data privacy and regulatory compliance have become critical issues for private enterprises, public organizations and government alike. Managing and securing customer and patient information is a growing concern for IT departments, especially when operating in the cloud. SG-TDE-AnyCloud can help you to selectively encrypt data based on its sensitivity, using different types of encryption algorithms. You are in control of your data encryption key while we provide secure storage so that your keys are available to you when you need them.
Life-time Key Management
There is no need to decrypt data and then re-encrypt it when you decide to move your data from one compute platform to another. You can just move your encrypted bits without worrying about your data encryption keys, since they remain the same. This approach allows you to stay compliant even while data is in transition.
Tamper-Resistant Logs
All privileged operations conducted by the SG-TDE-AnyCloud administrators are logged both within and outside the administrative domain of our customers. This feature provides non-repudiation and is heavily relied upon by auditors. In fact, each Server General command is stored at four different locations.
Store Keys On-Premises
SG-TDE-AnyCloud provides robust key management functionality. Different data owners can encrypt their data sets with their own master encryption key on the same machine. Data owners are able to rotate their encryption key to fulfill regulatory compliance requirements. Our solution provides key generation, key storage, key rotation and key revocation capabilities. The customer remains in full and absolute control of their own encryption keys at all times.
Low Overhead
SG-TDE-AnyCloud has low encryption overhead (typically less than 2%) which results in no material degradation in performance of a database server or a file server.
Protection Against A Malicious Root User
SG-TDE-AnyCloud controls access to the protected data sets via advanced access control mechanisms that make it challenging even for the “root” user to access the protected data sets in clear-text.
Role-Based Management
Many solutions cling to old security concepts that result in misplaced trust in the network/system administrator. This completely defeats the application’s access control logic as intended by the application vendor, thereby exposing the application data to a whole host of attacks. SG-TDE-AnyCloud segregates management responsibilities based on roles in order to safeguard data.
Military Grade Security
SG-TDE-AnyCloud uses the AES encryption algorithm to encrypt data. This is the same algorithm that is used by the U.S. Military to secure their own secrets. Our solution is designed to transparently encrypt each and every sensitive data file with a unique and completely random key.
Based On Open-Source
SG-TDE-AnyCloud uses standard encryption functionality embedded within the mainstream Linux kernel. This functionality is based on a stackable file system that was developed by Erez Zadok, CTO, Server General Inc.

How Does it Work?

  • Install Server General Agent
    Install the SG-Agent on your server. The Agent installation takes less than 5 minutes.
  • Configure Server Agent
    - Configure SG Administrators
    - Generate/Store Encryption Keys
    - Create a Security Policy
    - Enforce It
  • Encrypt Data at Request
    Enforce the security policy, which in turn will transparently encrypt data stored in the protected data sets using AES-256. No application-level change is required.
  • Manage Encryption Keys
    You will be able to generate, store, rotate and revoke keys. We will encrypt your encryption keys and store the encrypted values in a locker deployed on-premises or within our global key management infrastructure.
  • Control Access
    All access to the protected data sets is denied unless explicitly granted by you. Even the "root" user is unable to access the sensitive information stored in the protected data sets in clear-text format.
  • Log at Multiple Locations
    Logs are stored locally on your server and at three outside locations. This prevents an attacker from rewriting history.
  • That's It
    We make sure that your encryption keys are available to you when you need them and to no one else.

Technology

The core components of SG-TDE-AnyCloud are a data encryption engine, a key management engine, an access control engine, and a logging engine. Each component performs a critical function in securing sensitive information and collectively they provide active countermeasures against various types of attack vectors.

SG-TDE-AnyCloud includes a high-performance Data Encryption Engine, which provides strong encryption for all writes, and decryption for all reads. The Data Encryption Engine protects against theft of media, data images – even if intruders are able to obtain physical or electronic copies of data. The stolen data would be unusable without the decryption keys. Any probing of files would only yield blocks of ciphertext.

The Key Management Engine allows the customer to control their own encryption keys at all times. The encryption keys are stored in one or more key lockers deployed within the Server General global key management infrastructure. The encryption keys are themselves wrapped in another layer of encryption using a master key (a passphrase) that is only known to the data owner. This way, only cipher blobs are stored in the key lockers, preventing other parties from deciphering them. The key management system allows customers to generate strong keys, rotate them on demand, revoke any key at any time and store them in a secure location.
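As an added example (not Server General's code), the following Ruby sketch shows the key hierarchy this paragraph and the Life-time Key Management feature describe: each file gets its own random AES-256 key, that key is wrapped under a master key derived from the owner's passphrase, the locker holds only the wrapped blobs, and rotating the master key re-wraps the blobs without touching the encrypted files. The function names, the PBKDF2 derivation, the use of AES-GCM and the binding of each blob to its file name are assumptions of this example, not details the page states.

```ruby
require 'openssl'
require 'securerandom'

NONCE_LEN = 12 # AES-GCM nonce size
TAG_LEN = 16   # AES-GCM authentication tag size

# Derive the 32-byte master key (KEK) from the owner's passphrase (PBKDF2-HMAC-SHA256 is this example's choice of KDF).
def kek_from_passphrase(passphrase, salt, iterations = 200_000)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: iterations,
                           length: 32, hash: 'sha256')
end

# AES-256-GCM: returns nonce || ciphertext || tag; aad (the file name) binds a blob to its file.
def seal(key, plaintext, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = aad
  nonce + c.update(plaintext) + c.final + c.auth_tag
end

# Reverse of seal; a wrong key or a tampered blob raises OpenSSL::Cipher::CipherError.
def unseal(key, blob, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[0, NONCE_LEN]
  c.auth_tag = blob[-TAG_LEN..]
  c.auth_data = aad
  c.update(blob[NONCE_LEN...-TAG_LEN]) + c.final
end

# Encrypt one file under a fresh random DEK; the locker only ever receives the KEK-wrapped DEK.
def protect_file(kek, locker, name, plaintext)
  dek = SecureRandom.random_bytes(32)
  locker[name] = seal(kek, dek, name)
  seal(dek, plaintext, name)
end

# Unwrap the file's DEK with the KEK, then decrypt the file itself.
def read_file(kek, locker, name, ciphertext)
  unseal(unseal(kek, locker[name], name), ciphertext, name)
end

# Master-key rotation: re-wrap every DEK under the new KEK. The encrypted
# files are untouched, which is why the data can move between platforms as-is.
def rotate_master(old_kek, new_kek, locker)
  locker.to_h { |name, w| [name, seal(new_kek, unseal(old_kek, w, name), name)] }
end
```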

The Access Control Engine provides industrial-strength access control that reduces the ‘trust domain’. Only authorized SG-TDE-AnyCloud administrators, and not the system administrators, are able to access administrative functions; this one measure reduces the risk posed by rogue system administrators (or any other entity that has progressed beyond perimeter security). The access control engine allows only authorized users to access the protected data sets. Even the "root" user is denied access to protected data sets in clear-text.

The Logging Engine logs every administrative operation related to SG-TDE-AnyCloud in real time at four different locations - on the host server and remotely within our cloud infrastructure. Data from these logs is crucial for a security audit as well as for compliance. On a regular server, an external or a malicious internal user may gain unauthorized access to the data and then conceal the breach by removing or editing audit logs. This is not possible with SG-TDE-AnyCloud, as logs are stored outside the administrative domain of the entity.

Compliance

The HIPAA Act requires covered entities to provide public notification upon discovery of a breach of unsecured ePHI (Electronic Patient Health Information) involving more than 500 records. However, ePHI that is secured via encryption does not trigger the breach notification requirement. SG-TDE-AnyCloud can help covered entities to gain protection under the Safe Harbor provision of the HITECH Act by helping them transparently encrypt their ePHI stored in a database or a file server, hosted on any cloud platform.


The European Union’s General Data Protection Regulation (GDPR) will become effective as of May 25, 2018. Like California’s SB 1386 data breach notification legislation, GDPR stipulates that any entity that handles EU citizens’ data must provide notification of a successful breach. The law requires the entity to prove that it had put the right measures in place to protect the personal information of EU citizens. SG-TDE-AnyCloud can be used not only to encrypt data at rest but also to control access, manage keys and generate immutable log files.

Businesses rely on SG-TDE-AnyCloud to meet PCI DSS mandates 3, 7 and 10. Our customers include tier-1 merchants as well as small businesses. We have gained experience over the years and designed our solution in a manner that makes it easy for you to comply with the PCI DSS mandates.

SB 1386 was signed into law on September 25, 2002 and became effective on July 1, 2003. AB 1950 was signed into law on September 29, 2004 and became effective on January 1, 2005. SB 1386 states that businesses that conduct business in California and keep personal information about individuals must put measures in place to monitor such information and, upon discovery of any breach or suspected breach, must report the event to all individuals that may have been affected. AB 1950 extends the intent of SB 1386 beyond notification and mandates that these organizations take adequate steps to safeguard personal information about individuals. SG-TDE-AnyCloud can help you comply with California’s SB 1386 by transparently encrypting data and controlling access.

SG-TDE-AnyCloud has been certified to work with the following application servers:

SG-TDE-AnyCloud is certified to work on the following platforms: