
Trusted Cyber Technologies

NIST 800-53 Mapping - Thales TCT


CipherTrust Data Security Platform

White Paper
Contents
ABSTRACT (p. 3)
THE CIPHERTRUST DATA SECURITY PLATFORM (p. 3)
CIPHERTRUST DATA SECURITY PLATFORM PRODUCTS (p. 4)
DEFENDING DATA WHERE IT LIVES (p. 4)
DEFENDING DATA WHERE IT BEGINS (p. 4)
SIMPLIFYING AND CENTRALIZING ENTERPRISE KEY MANAGEMENT FOR AGENCIES (p. 4)
DETECTING THREATS AND ISSUING ALERTS (p. 4)
COMPLIANCE, REGULATIONS AND CONTRACTUAL MANDATES (p. 4)
SECURITY CONTROL SUMMARY (p. 5)
SECURITY CONTROL DETAIL (p. 6)
  1. ACCESS CONTROL (p. 6)
  2. AWARENESS TRAINING (p. 6)
  3. AUDIT AND ACCOUNTABILITY (p. 7)
  4. SECURITY ASSESSMENT AND AUTHORIZATION (p. 7)
  5. CONFIGURATION MANAGEMENT (p. 8)
  6. CONTINGENCY PLANNING (p. 8)
  7. IDENTIFICATION AND AUTHENTICATION (p. 8)
  8. INCIDENT RESPONSE (p. 8)
  9. MAINTENANCE (p. 8)
  10. MEDIA PROTECTION (p. 8)
  11. PHYSICAL AND ENVIRONMENTAL PROTECTION (p. 8)
  12. PLANNING (p. 8)
  13. PERSONNEL SECURITY (p. 8)
  14. RISK ASSESSMENT (p. 9)
  16. SYSTEMS AND COMMUNICATIONS PROTECTION (p. 9)
  17. SYSTEM AND INFORMATION INTEGRITY (p. 9)
  18. PROGRAM MANAGEMENT (p. 9)

ABSTRACT

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 provides guidance for the selection of security and privacy controls for federal information systems and organizations. Published by the National Institute of Standards and Technology, the publication details items from the Risk Management Framework that address security controls required to meet requirements in the Federal Information Processing Standard (FIPS) 200. Revision 4 is the most comprehensive update since the initial publication. Revision 4 was motivated principally by the expanding threat space and increasing sophistication of cyber-attacks. Major changes include new security controls and control enhancements to address advanced persistent threats (APTs), insider threats, and system assurance, as well as additions to address technology trends such as mobile and cloud computing.

Critical to certification for meeting FIPS is the implementation of security controls from NIST 800-53, Appendix F. Focusing on the capabilities needed to meet these requirements, this paper provides background about Thales Trusted Cyber Technologies' (TCT) CipherTrust Data Security Platform and the CipherTrust Transparent Encryption product that is delivered through that platform. It further details a mapping of the CipherTrust product line's capabilities against these NIST security controls, first with an initial summary for each Family Area (in the form of a table), and then with expanded details of how these controls are delivered.

Thales TCT is a key partner in helping organizations to meet the standard. Focusing on protecting data-at-rest, Thales TCT delivers critical data protection controls, as well as training and awareness, to address each area. Core capabilities that support the standard include:

• Encryption and Key Management – strong, centrally managed, file and volume encryption combined with simple, centralized key management that is transparent to processes, applications and users.

• Access Policies and Privileged User Controls – that restrict access to encrypted data, permitting data to be decrypted only for authorized users and applications, while allowing privileged users to perform IT operations without the ability to see protected information.

• Security Intelligence – logs that capture access attempts to protected data, providing high value security intelligence information that can be used with a Security Information and Event Management (SIEM) solution and for compliance reporting.

THE CIPHERTRUST DATA SECURITY PLATFORM


The CipherTrust Data Security Platform consists of data protection product offerings that share a common, extensible implementation infrastructure
for delivering data at rest encryption, enterprise key management, access control and security intelligence across an agency’s infrastructure.
CipherTrust Data Security Platform makes it simple to solve today’s and future security and compliance concerns by simultaneously defending data
in databases, files and Big Data nodes across cloud, virtual or traditional data centers. CipherTrust Data Security Platform products are centrally
managed, making it easy to extend data security protection and satisfy compliance requirements across the entire organization, without adding
new hardware or increasing operational burdens.

[Figure: CipherTrust Data Security Platform overview]
Transparent Encryption: Unstructured Files, Structured Database, Big Data; File and Volume Level Encryption
Application Encryption: Cloud, Applications; Field Level Data Encryption
Environment Support: Public Cloud, Hybrid, Private Cloud, Big Data, Data Centers; Flexible Environment and Field Level Data Encryption
Key Management: KMIP Compliant; Oracle and SQL Server TDE; Certificate Management; Object Store (e.g. passwords)
Security Intelligence: Splunk; HP ArcSight; IBM QRadar; LogRhythm
CipherTrust Manager (Physical, Virtual): Key and Policy Manager
CipherTrust Manager Toolkit: API to Orchestrate Operations


CIPHERTRUST DATA SECURITY PLATFORM PRODUCTS

• CipherTrust Manager centrally manages policies and keys for all CipherTrust data security products
• CipherTrust Transparent Encryption secures any database, file or volume across large agencies and implementations

CipherTrust Transparent Encryption and the CipherTrust Manager are the primary focus of this paper.

Other CipherTrust Data Security Platform products include:

• CipherTrust Developer Suite (which includes CipherTrust Application Data Protection and Tokenization) provides a simple framework to deliver field level encryption
• CipherTrust Enterprise Key Management centralizes KMIP and TDE keys and certificate management
• CipherTrust Manager captures syslog details and can forward them to popular SIEM tools to help accelerate the detection of APTs and Insider Threats and to support compliance report generation.

DEFENDING DATA WHERE IT LIVES

By combining encryption at the file system level with integrated key and policy management, CipherTrust Transparent Encryption protects and controls access to sensitive data in your Cloud, Big Data, database, and file servers. After protecting your sensitive data, least privileged access policies are enforced, preventing privileged insiders and APTs from accessing your data. Because this is "transparent" encryption, there are no changes required to your applications, infrastructure or business practices. Your users will never even know that the sensitive data that they were accessing is now secure, unless they try to access it in an unauthorized fashion!

DEFENDING DATA WHERE IT BEGINS

CipherTrust Developer Suite (which includes Application Data Protection and Tokenization) enables organizations to design and embed encryption capabilities directly into their applications when necessary. With this data security protection product, the data is protected from the application, through transmission, and into storage. Most commonly, this data security protection product is deployed to meet specific compliance requirements or to take specific data out of compliance scope. The CipherTrust platform removes the complexity and risk of building encryption into an application by providing libraries for NIST approved AES encryption and simplifying key management with the CipherTrust Manager.

SIMPLIFYING AND CENTRALIZING ENTERPRISE KEY MANAGEMENT FOR AGENCIES

A common data security challenge is how to manage and maintain all the different key and certificate management solutions. CipherTrust TDE Key Management delivers centralized control of the most common encryption key management requirements in order to reduce the on-going management and maintenance burden of multiple solutions. CipherTrust TDE Key Management not only manages the keys and policies for the CipherTrust line of data security protection products, but it is also a KMIP server, manages keys for Oracle and Microsoft SQL Server Transparent Data Encryption (TDE), handles certificate inventory and can securely store any object, such as passwords. The CipherTrust TDE Key Management solution offers an intuitive web based interface and APIs. It is typically deployed in an architecture to meet the most demanding high-availability SLAs.

DETECTING THREATS AND ISSUING ALERTS

Thales TCT understands that protecting your data is good, but not good enough; you need awareness of who and what is accessing your private and confidential data, including privileged users masquerading as other users. Every time someone attempts to access a resource under the protection of the CipherTrust platform, rich logs of who, when, where, which policies applied, and the resulting action can be generated. Because sifting through the rich granular data of CipherTrust Manager's event logs can be time consuming, the CipherTrust platform generates Syslog log files that can be integrated with leading SIEM (Security Information and Event Management) systems, including HP ArcSight, Splunk, IBM QRadar and LogRhythm, adding to their value with new inside-the-fence security intelligence and awareness. With those tools' pre-defined reports and visualizations, you'll be better able to pinpoint which events are worth further investigation.

COMPLIANCE, REGULATIONS AND CONTRACTUAL MANDATES

Thales TCT addresses industry compliance mandates, global government regulations (such as NIST 800-53) and contractual mandates by securing data in traditional on-premise, virtual, Cloud and Big Data infrastructures, through:

• Data at Rest encryption and centralized enterprise key management that allows agencies to lock down data using strong industry approved algorithms coupled with a virtual or physical FIPS 140-2 Level 3 certified appliance for key and policy management.

• Simplifying the creation and consistent enforcement of data access and privileged user control policies. Fine-grained control to determine who can access specific data in order to block privileged users, such as root, as well as preventing Advanced Persistent Threats (APTs) from gaining access to protected data.

• The CipherTrust syslog feature delivers the fine-grained details of data access required to prove compliance to auditors. In addition, leveraging CipherTrust syslog and integration with popular SIEM tools simplifies integration and analysis.

SECURITY CONTROL SUMMARY

As found in NIST 800-53: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Each entry below gives the Security Control Family, the Compliance Baseline items in that family, and the Thales TCT Product Line Mapping.

Access Controls (AC)
  Compliance Baseline: Access Enforcement; Account Management; Separation of Duties; Least Privilege
  Mapping: Through the use of kernel level agents providing AES-256 Encryption, the CipherTrust Manager exceeds and augments current access control solutions at the file, directory, drive, or target level at the Operating System and provides Least Privilege.

Awareness and Training (AT)
  Compliance Baseline: Training Policies; Security Awareness Training; Role Based Security Training
  Mapping: Deployment of CipherTrust Transparent Encryption is a part of a program's Defense-In-Depth security architecture to protect sensitive data through fine-grained access controls and encryption at rest. On initial deployment, Thales TCT Professional Services Group and a host of learning options (in-class, online) are used to train staff to use the solution. CipherTrust Transparent Encryption has low administrative burden, and the training provided covers tasks and responsibilities for each desired/deployed role, with appropriate documentation provided.

Audit and Accountability (AU)
  Compliance Baseline: Audit Events; Content; Response; Capacity; Non-Repudiation; Report Generation
  Mapping: CipherTrust Transparent Encryption provides full audit data at the CipherTrust Manager and host agents in an open format and can be integrated with a program's or an agency's audit reduction tool or SIEM solution.

Security Assessment and Authorization (CA)
  Compliance Baseline: System Interconnects; Plan of Action and Milestones; Continuous Monitoring
  Mapping: CipherTrust Transparent Encryption can be tested as a part of an Information System. The agents are installed on operating systems that undergo security hardening and STIG configurations. The CipherTrust Manager is FIPS 140-2 Level 1 or Level 3 compliant depending upon configuration.

Configuration Management (CM)
  Compliance Baseline: Baseline Configuration; Change Control; Security Impact Analysis; Least Functionality
  Mapping: The configuration of the CipherTrust Manager can be changed to match operational requirements for access control and encryption at rest, and can be saved, backed up, and added to a CMDB to track changes over time.

Contingency Planning (CP)
  Compliance Baseline: Contingency Plan; Contingency Testing
  Mapping: The CipherTrust Manager component can operate in a clustered environment in active or standby mode, and can be added to a program's COOP/DR strategy.

Identification and Authentication (IA)
  Compliance Baseline: Organizational Users; Device Login; Authentication Management; Cryptographic Module
  Mapping: Identification is provided through local web GUI login or Active Directory/LDAP Integration at the CipherTrust Manager appliance. Authentication is provided through the use of kernel level system access to files, folders, and applications.

Incident Response (IR)
  Compliance Baseline: Incident Handling; Incident Response Testing; Training; Handling; Monitoring
  Mapping: The CipherTrust Data Security Platform processes incidents at the individual component level (host system, web GUI, CipherTrust Manager). These incidents and audit events are in an open syslog format that can be sent to an information system's monitoring/reporting tool, including 3rd party SIEM solutions. Log file formats can be tailored to match a program's security policy for user and application behavior.

Maintenance (MA)
  Compliance Baseline: Controlled Maintenance; Tools
  Mapping: CipherTrust Manager is tamper resistant with zeroizing circuitry. Additionally, maintenance and audit sessions are separable by domain and by administrator login.

Media Protection (MP)
  Compliance Baseline: Media Access; Media Marking; Storage Transport
  Mapping: CipherTrust Manager has the ability to be zeroized at the appliance console.

Physical and Environmental Protection (PE)
  Compliance Baseline: Access Authorizations; Control; Transmission
  Mapping: The CipherTrust Manager is a 19" 1RU hardware device and can be secured in a lockable data center rack enclosure.

Planning (PL)
  Compliance Baseline: Security Architecture; Concept of Operations
  Mapping: The CipherTrust Data Security Platform provides fine-grained access policies and AES256 encryption that can be used to limit privileged user access and implement least-privilege principles for users authorized for access to sensitive data.

Personnel Security (PS)
  Compliance Baseline: Personnel Termination and Transfer
  Mapping: Thales TCT Transparent Encryption should be operated by personnel at the appropriate level of clearance and information system access.

Risk Assessment (RA)
  Compliance Baseline: Security Categorization; Vulnerability Scanning
  Mapping: CipherTrust Transparent Encryption can be used as part of a risk assessment process at both components in its architecture in an information system. The CipherTrust Manager is FIPS 140-2 Level 1 or 3 compliant and the Host Agents can be installed on hardened servers to minimize risk.

System and Services Acquisition (SA)
  Compliance Baseline: Allocation of Resources; System Development Life Cycle
  Mapping: System components of the CipherTrust Manager are produced in the USA by a Thales TCT approved manufacturer. It is FIPS 140-2 Level 3 compliant.

Systems and Communications Protection (SC)
  Compliance Baseline: Application Partitioning; Security Function Isolation; Confidentiality and Integrity; Cryptographic Key Management; Platform Agnosticism
  Mapping: As a part of the CipherTrust Transparent Encryption solution, AES 256 encryption keys are passed through an encrypted wrapper. The Administrator Web Interface is accessed through HTTPS. Agent-to-CipherTrust Manager communication is accomplished through the use of ephemeral ports. This provides an additional layer of encryption key protection and thus reduces risk.

Systems and Information Integrity (SI)
  Compliance Baseline: Certified only for FIPS 140-2 Levels 1, 2 and 3 depending on model
  Mapping: System Integrity on the CipherTrust Transparent Encryption product is satisfied through the CipherTrust Manager's FIPS 140-2 validation. Host agents installed on an Information System's server provide data encryption at rest capabilities to enhance system integrity.

Program Management (PM)
  Compliance Baseline: Security Alerts and Advisories; Software and Information Integrity
  Mapping: Program Management controls are typically implemented at an Organization Level and not directed to Information Systems. As such, it is not a technical control that CipherTrust Transparent Encryption addresses.
SECURITY CONTROL DETAIL

1. ACCESS CONTROL

Access Control applies to the following places within the CipherTrust Transparent Encryption solution:

• CipherTrust Data Security Platform Product Policy
  1. The CipherTrust Manager is a hardened appliance for optimum security and comprises a policy engine and a central key and policy manager. Agents installed on hosts intercept every attempt made to access protected data and, based upon a set of rules, either permit or deny the access attempt.
  2. CipherTrust product line policy is comprised of sets of security rules that must be satisfied in order to allow or deny access to an information system under its control. Each security rule evaluates who, what, when, and how protected data is accessed and, if these criteria match, the agent will permit or deny access.
  3. The set of rules defined in a policy is configured on the CipherTrust Manager and downloaded to the agent through a secure TLS network connection. It provides separation of duties between data owners, administrators, key managers, and security managers.

• CipherTrust Manager Login – The CipherTrust Manager has both a web-based and a command-line interface that can be configured for both administrator and role based separation.

• Separation of Domains and Roles – One of the functions of the CipherTrust Manager is the notion of domain administration. A Domain is a logical entity that is used to separate administrators and the data they access from other administrators, and can be applied internally to a program, to a fixed number of programs, or externally to an entire enclave. The credentials of each of these domains can be integrated into Active Directory or LDAP groups; the Manager monitors the number of logins, login attempts and previous logons, and will lock each role out after 15 minutes of inactivity. The use of these domains and the protection of data through the use of "guard points" enforces the Least Privilege that is defined in an Information System's Security Plan and Concept of Operations, and proven through testing.

2. AWARENESS TRAINING

• Deployment of CipherTrust Transparent Encryption is a part of a program's Defense-In-Depth security architecture to protect sensitive data through fine grained access controls and encryption for data at rest. On initial deployment, Thales TCT Professional Services Group and a host of learning options (in-class, online) are used to train staff to use the solution. CipherTrust Transparent Encryption has low administrative burden. Available training covers tasks and responsibilities for each desired/deployed role, with appropriate documentation provided.

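Section 1 above describes rules that evaluate who, what, when and how protected data under a guard point is accessed, with privileged users able to perform IT operations without seeing plaintext. The Go program below is an added illustration written for this page, not CipherTrust code: the rule fields, the first-match and default-deny semantics, and the three effects (deny, permit on ciphertext, permit with the key applied) are simplifying assumptions, and the policy, accounts, binaries and paths are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Effect is the agent's decision. Three outcomes model the page: deny; permit
// the operation but leave the data encrypted (a privileged user can back up
// or move files without reading them); or permit with the key applied.
type Effect int

const (
	Deny Effect = iota
	PermitCiphertext
	PermitPlaintext
)

func (e Effect) String() string {
	return [...]string{"deny", "permit-ciphertext", "permit-plaintext"}[e]
}

// Rule: who (users), what (processes), how (actions), when (hour window on a
// 24h clock, FromHour inclusive, ToHour exclusive). An empty list means any.
type Rule struct {
	Users, Processes, Actions []string
	FromHour, ToHour          int
	Effect                    Effect
}

// GuardPoint is a protected path with an ordered rule list.
type GuardPoint struct {
	Path  string
	Rules []Rule
}

// Request is one intercepted access attempt.
type Request struct {
	User, Process, Action, Path string
	At                          time.Time
}

func inSet(set []string, v string) bool {
	if len(set) == 0 {
		return true
	}
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

// Decide returns the effect of the first matching rule of the guard point that
// covers the path. Assumptions of this model: first match wins, a guarded path
// with no matching rule is denied, and a path outside every guard point is not
// intercepted at all (only the operating system's own controls apply).
func Decide(gps []GuardPoint, r Request) Effect {
	for _, gp := range gps {
		if !strings.HasPrefix(r.Path, gp.Path) {
			continue
		}
		h := r.At.Hour()
		for _, rule := range gp.Rules {
			if inSet(rule.Users, r.User) && inSet(rule.Processes, r.Process) &&
				inSet(rule.Actions, r.Action) && h >= rule.FromHour && h < rule.ToHour {
				return rule.Effect
			}
		}
		return Deny
	}
	return PermitPlaintext
}

// SamplePolicy is a constructed guard point: the application account reads and
// writes plaintext through its own binary, root may run tar in a night backup
// window but sees only ciphertext, and everything else is denied.
func SamplePolicy() []GuardPoint {
	return []GuardPoint{{Path: "/data/records/", Rules: []Rule{
		{Users: []string{"svc-app"}, Processes: []string{"/opt/app/bin/app"},
			Actions: []string{"read", "write"}, FromHour: 0, ToHour: 24, Effect: PermitPlaintext},
		{Users: []string{"root"}, Processes: []string{"/usr/bin/tar"},
			Actions: []string{"read"}, FromHour: 1, ToHour: 5, Effect: PermitCiphertext},
	}}}
}

// at gives a request time on a fixed date at the given UTC hour.
func at(hour int) time.Time { return time.Date(2024, 5, 1, hour, 0, 0, 0, time.UTC) }

func main() {
	pol := SamplePolicy()
	for _, r := range []Request{
		{"svc-app", "/opt/app/bin/app", "read", "/data/records/cust.db", at(10)},
		{"root", "/usr/bin/tar", "read", "/data/records/cust.db", at(2)},
		{"root", "/usr/bin/cat", "read", "/data/records/cust.db", at(2)},
		{"root", "/usr/bin/tar", "read", "/data/records/cust.db", at(14)},
	} {
		fmt.Printf("%-8s %-18s %02d:00 -> %s\n", r.User, r.Process, r.At.Hour(), Decide(pol, r))
	}
}
```

The point of the two-tier permit is the one the page makes about privileged users: root's backup job is matched by process and time window and gets the file bytes, but the key is never applied, so what it copies is ciphertext; the same account reading the file with any other tool, or outside the window, is denied.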
3. AUDIT AND ACCOUNTABILITY

• Agent activity is closely monitored and logged. All auditable events, including backups, restores, and security operations, can be logged at the CipherTrust Manager or at the hosts. The CipherTrust Manager is capable of storing up to 110,000 audit messages. The following audit event content is provided:
  • Date and Time
  • Event type
  • Severity
  • User Identity
  • Process from which the attempt is being made
  • Status: success or failure
  • Name of related policy (key, policy, host, etc.)
  • Description

• Audit data can also be protected from unauthorized access or modification through encryption using CipherTrust Transparent Encryption. The audit directory can be configured as a guard point and placed under access control. This is also a non-repudiation technique, as it will preserve the content path of any individual accessing an unauthorized component of an Information System. Audit data is collected in an open Syslog format and can be integrated with several SIEM and log correlation tools.

• When the agent component of CipherTrust Transparent Encryption cannot contact the central manager (CipherTrust Manager) for logging (network outage), logs from the agent are stored locally until network connectivity resumes, at which point those logs are uploaded to the CipherTrust Manager. By sending agent Host OS logs to an audit reduction or network monitoring tool, correlations can be created with the appropriate alerting.
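Section 3 lists the fields each audit event carries and suggests correlating agent logs in a SIEM with alerting. The Go program below is an added example, not the product's code or its real syslog layout: it parses constructed agent lines whose key=value fields (an assumption) map onto the content fields listed above, and runs one correlation a defender would typically start with, flagging any user with repeated denied accesses to guarded data inside a short window.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuditEvent carries the audit content fields listed in section 3.
type AuditEvent struct {
	Time                                                time.Time
	Type, Severity, User, Process, Status, Policy, Desc string
}

// sampleLog is constructed for this example; the key=value layout after the
// program tag is an assumption, not the product's real syslog format.
const sampleLog = `2024-05-01T02:00:05Z db01 cte-agent: type=access sev=warn user=root proc=/usr/bin/cat status=failure policy=records-pol desc="read /data/records/cust.db denied"
2024-05-01T02:00:09Z db01 cte-agent: type=access sev=info user=svc-app proc=/opt/app/bin/app status=success policy=records-pol desc="read /data/records/cust.db permitted"
2024-05-01T02:00:41Z db01 cte-agent: type=access sev=warn user=root proc=/usr/bin/cat status=failure policy=records-pol desc="read /data/records/cust.db denied"
2024-05-01T02:01:30Z db01 cte-agent: type=access sev=warn user=alice proc=/usr/bin/less status=failure policy=records-pol desc="read /data/records/notes.txt denied"
2024-05-01T02:01:55Z db01 cte-agent: type=access sev=warn user=root proc=/bin/cp status=failure policy=records-pol desc="read /data/records/cust.db denied"`

// kvFields splits `k=v k2="quoted value"` into a map; quoted values may
// contain spaces, which matters for the free-text description field.
func kvFields(s string) map[string]string {
	out := map[string]string{}
	for s = strings.TrimLeft(s, " "); s != ""; s = strings.TrimLeft(s, " ") {
		eq := strings.IndexByte(s, '=')
		if eq < 0 {
			break
		}
		key, rest := s[:eq], s[eq+1:]
		var val string
		if strings.HasPrefix(rest, `"`) {
			if end := strings.IndexByte(rest[1:], '"'); end >= 0 {
				val, rest = rest[1:1+end], rest[end+2:]
			} else {
				val, rest = rest[1:], "" // unterminated quote: take the remainder
			}
		} else if sp := strings.IndexByte(rest, ' '); sp >= 0 {
			val, rest = rest[:sp], rest[sp+1:]
		} else {
			val, rest = rest, ""
		}
		out[key], s = val, rest
	}
	return out
}

// ParseLine turns one syslog line into an AuditEvent.
func ParseLine(line string) (AuditEvent, error) {
	parts := strings.SplitN(line, " ", 4)
	if len(parts) < 4 || parts[2] != "cte-agent:" {
		return AuditEvent{}, fmt.Errorf("not an agent audit line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return AuditEvent{}, err
	}
	f := kvFields(parts[3])
	return AuditEvent{Time: ts, Type: f["type"], Severity: f["sev"], User: f["user"],
		Process: f["proc"], Status: f["status"], Policy: f["policy"], Desc: f["desc"]}, nil
}

// ParseLog parses one event per line, stopping at the first malformed line.
func ParseLog(text string) ([]AuditEvent, error) {
	var events []AuditEvent
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// DeniedBursts reports users with at least threshold failed accesses inside
// any window of the given length; the value is the largest such count.
func DeniedBursts(events []AuditEvent, threshold int, window time.Duration) map[string]int {
	byUser := map[string][]time.Time{}
	for _, ev := range events {
		if ev.Status == "failure" {
			byUser[ev.User] = append(byUser[ev.User], ev.Time)
		}
	}
	alerts := map[string]int{}
	for user, ts := range byUser {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i := range ts { // count the denials that fall within window of ts[i]
			n := sort.Search(len(ts)-i, func(k int) bool { return ts[i+k].Sub(ts[i]) > window })
			if n >= threshold && n > alerts[user] {
				alerts[user] = n
			}
		}
	}
	return alerts
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("denial bursts (user -> count):", DeniedBursts(events, 3, 5*time.Minute))
}
```

On the constructed input, root's three denied reads within two minutes trip the threshold while alice's single denial does not; the same parse-then-correlate shape is what a SIEM rule over the real syslog feed would implement, and because the agent buffers events locally during an outage, a correlation keyed on event timestamps rather than arrival time still groups them correctly once the backlog is uploaded.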

4. SECURITY ASSESSMENT AND AUTHORIZATION


• CipherTrust Transparent Encryption can be tested as a part of an Information System.
• The agents are installed on operating systems that undergo security hardening and STIG configurations.
• The following ports and protocols are required for operation:

Protocol  Port  Direction            Purpose
TCP       22    Workstation -> CM    SSH access for CLI management
TCP       22    CM -> HSM            SSH communication for Hardware Security Modules (if using Luna Network HSM, TCT Luna T-Series Network HSM, or AWS CloudHSM)
TCP       80    Workstation -> CM    HTTP access for UI management
TCP       443   Workstation -> CM    HTTPS access for UI management
TCP       443   HSM -> CM            HTTPS for DPoD HSM on Demand service
TCP       5432  CM <-> CM            PostgreSQL for cluster heartbeat/information exchange
TCP       9000  Agent -> CM          NAE-XML server/interface
TCP       5696  Agent -> CM          KMIP (Key Management Interoperability Protocol) interface
TCP       1792  CM -> HSM            If using Luna Network HSM, TCT Luna T-Series Network HSM, or AWS CloudHSM
TCP       123   CM -> NTP Server     Network Time Protocol
TCP       514   CM -> Syslog         Syslog
ICMP      6514  CM -> Syslog         Syslog
ICMP      161   Agent -> CM          SNMP
UDP       162   CM -> Agent          SNMP

* Note: The CipherTrust Manager automatically uses Suite B communications when ports 8446, 8447 and 8448 are available. If they are not available (or when communicating with older agent versions that do not support Suite B), communications fall back to ports 8443, 8444 and 8445 and TLS/RSA encrypted communications.
5. CONFIGURATION MANAGEMENT

• The configuration of the CipherTrust Manager can be changed to match operational requirements for access control and encryption at rest, and can be saved/backed up in order to track changes over time.

6. CONTINGENCY PLANNING

• The CipherTrust Manager can operate in a clustered environment and can be added to a program's COOP/DR strategy.

7. IDENTIFICATION AND AUTHENTICATION

• CipherTrust agent policies work in conjunction with a program's authentication and identification policies and procedures and are used to protect:
  • System files
  • Data files and folders
  • Applications

• Policy configuration can be fine-tuned to select:
  • A desired database
  • A program's Operating System
  • Host records
  • Key Type
  • User sets (Organizational Users)
  • Group Identification
  • Specific processes and applications that are allowed to access a guard point

• Each CipherTrust agent is cryptographically signed by a certificate authority generated by the CipherTrust Manager in order to identify and authorize access and encryption/decryption operations on the host system. The CipherTrust Manager is available as a FIPS 140-2 Level 3 hardware appliance.

• The CipherTrust Manager supports integration with existing technologies for identification and authentication (Active Directory and LDAP) and augments that process by specifying (through the use of policy) which user, application, or process is allowed to access a file, directory, or application on an information system component.

• On the CipherTrust Manager Web Console, credentials of each of these domains can be integrated into Active Directory or LDAP groups; the Manager monitors the number of logins, login attempts and previous logons, and will lock each role out after 15 minutes of inactivity, requiring re-authentication.

• Communication between the CipherTrust Manager and agents is cryptographically signed by the CipherTrust Manager's certificate authority and passed in an encrypted format (AES256).

8. INCIDENT RESPONSE

• CipherTrust Transparent Encryption processes incidents at the individual component level (host system, web GUI, CipherTrust Manager).

• These incidents and audit events are in an open syslog format and can be sent to an information system's monitoring/reporting tool, including 3rd party SIEM solutions.

• Log formats can be tailored to match a program's security policy for user and application behavior.

9. MAINTENANCE

• The CipherTrust Manager is available as a FIPS 140-2 Level 2 or 3 certified configuration (level 3 is tamper resistant).

• Additionally, maintenance and audit sessions can be separated by domain and by administrator login.

10. MEDIA PROTECTION

• As required by FIPS 140-2 level 3 certification, the CipherTrust Manager has the ability to be zeroized at the appliance console.

11. PHYSICAL AND ENVIRONMENTAL PROTECTION

• The CipherTrust Manager dimensions are 19" x 1RU. The CipherTrust Manager:
  • Can be installed into a standard locking rack enclosure.
  • Is available as a FIPS 140-2 Level 2 or 3 certified configuration (level 3 is tamper resistant).

12. PLANNING

• CipherTrust Transparent Encryption provides fine-grained access policies that can be used to limit privileged user access and implement least-privilege principles for users authorized for access to sensitive data. Thales TCT's Technical Services team includes top subject matter experts who can help organizations to architect secure and efficient solutions for managing and controlling privileged access and access to their data.

• Key and policy management is centralized using CipherTrust Transparent Encryption.

13. PERSONNEL SECURITY

• The CipherTrust Manager supports integration into an organization's Active Directory tree or LDAP to support existing network and server based authentication methods, including the ability to track a user's credentials as they enter and exit a program.

14. RISK ASSESSMENT

• CipherTrust Transparent Encryption can be a part of a risk assessment process at both components in its architecture in an information system: the CipherTrust Manager and the host agents.

• The CipherTrust Manager is FIPS 140-2 Level 1 or 3 certified depending on model.

• The CipherTrust encryption agents are installed on servers in an Information System that should meet security hardening and STIG guidance.

15. SYSTEM AND SERVICES ACQUISITION

• The CipherTrust Manager is a FIPS 140-2 Level 3 appliance.

16. SYSTEMS AND COMMUNICATIONS PROTECTION

• CipherTrust Transparent Encryption provides a fine-grained set of access controls that can act as a secondary set of controls beyond those available from a system or identity management solution to ensure that general users cannot gain access to administrative or security capabilities.

• The solution is platform independent.

• Security functions on the CipherTrust Manager are isolated from normal operation and include domain creation, key creation, host creation, and audit-only.

• Once a system's data has been encrypted through data transformation, it remains encrypted at rest and is under fine-grained access controls.

• If more than one domain is deployed, domain

• The kernel space portion also creates an asymmetric key pair and follows the same certificate creation process in order to send the kernel space public key to the CipherTrust Manager.

• Keys are passed between the CipherTrust Manager and the host by generating a one-time AES256 random key on the CipherTrust Manager. The desired encryption keys are encrypted using the random key. The random key password is encrypted using the kernel space public key. The entire payload is sent to the host system, where the kernel space private key decrypts the random key and password. The random key then decrypts the desired encryption keys, and those keys are applied to the file/directory/executable that is to be encrypted.

• The CipherTrust Manager Key Vault is a secure inventory of certificates, keys, and other materials. It provides alerting and upcoming event status regarding certificate and key expiration. Key strength and type are also available to check compliance on any weak keys applied to an information system. Import and export of 3rd party keys is also supported. The key vault is protected from tampering through the CipherTrust Manager, which is a FIPS 140-2 hardened appliance.

17. SYSTEM AND INFORMATION INTEGRITY

• CipherTrust Transparent Encryption monitors an information system at these points, and creates audit data on:
  • CipherTrust Manager
  • CipherTrust Manager Web-based GUI
  • Host Agents
  • Host logon

• CipherTrust Transparent Encryption enforces information
administrators and users are separated by domain. handling through the use of guard points. A guard point
Administrators have the option of using different is a protected device or directory that is encrypted, and
encryption algorithms and key lengths to provide even provides decryption rules within policy. Each rule specifies a
more separation. Encryption algorithms for each domain condition that will permit or deny access based on a particular
include AES 128 and 256. combination of:
• Encrypted communications between CipherTrust Manager • User (either local user/group or Active Directory user/
and agent is selectable. group)
• CTE uses REST API for communicating over TLS 1.2 channel • Process (the actual binary used; i.e. mssql.exe) Action (read,
with CM. write, change attribute, delete, list directory, etc.)
• There is secure transmission control between the CipherTrust • Result (specific files or directories within the guard point)
Manager, the daemon running on the host, and the SecFS • Time (Time of Day, e.g. 9am-5pm M-F)
portion that sits in the host’s kernel space. The CipherTrust
Manager creates a public/private key pair, generates a 18. PROGRAM MANAGEMENT
Certificate Signing Request (CSR), which generates a certificate • Program Management controls are typically implemented at
authority certificate that is stored in the CipherTrust Manager an Organization Level and not directed to Information Systems.
database. As such, it is not a technical control that CipherTrust Transparent
• The user space portion of the CipherTrust agent creates a Encryption addresses. ©2022 SafeNet Assured Technologies, LLC . 9.19.22
public/private key pair. The public key is used to create a
CSR for the host, and is sent back to the CipherTrust Manager,
where the request is signed, sent back to the host, and creates a
“blueprint” of the host, along with the certificate.
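The key-distribution exchange described under Systems and Communications Protection above (requested keys encrypted under a one-time AES-256 key, which is itself encrypted to the kernel-space public key, then opened on the host), as an added Go example that is not Thales code. It assumes RSA-OAEP with SHA-256 and AES-256-GCM for the unnamed asymmetric and symmetric algorithms, wraps the one-time key itself rather than a separate password, and constructs the payload layout, `newHostKeyPair`, `wrapKeys` and `unwrapKeys` for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// payload models the message the Manager sends to a host (layout constructed for this example).
type payload struct {
	wrappedKEK []byte // one-time AES-256 key, RSA-OAEP-encrypted to the kernel-space public key
	sealedKeys []byte // 12-byte GCM nonce || requested data-encryption keys sealed under that key
}

// newHostKeyPair stands in for the kernel-space agent generating its asymmetric key pair.
func newHostKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func aesGCM(key []byte) cipher.AEAD { // callers guarantee a 32-byte key, so neither call can fail
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// wrapKeys (Manager side): seal the requested keys under a fresh one-time key, then RSA-OAEP that key.
func wrapKeys(hostPub *rsa.PublicKey, keys []byte) (*payload, error) {
	buf := make([]byte, 32+12) // one-time key followed by the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	kek, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, hostPub, kek, nil)
	if err != nil {
		return nil, err
	}
	return &payload{wrapped, aesGCM(kek).Seal(nonce, nonce, keys, nil)}, nil
}

// unwrapKeys (host side): recover the one-time key with the kernel-space private key, then open the keys; GCM rejects tampering.
func unwrapKeys(hostPriv *rsa.PrivateKey, p *payload) ([]byte, error) {
	kek, err := rsa.DecryptOAEP(sha256.New(), nil, hostPriv, p.wrappedKEK, nil)
	if err != nil {
		return nil, err
	}
	if len(kek) != 32 || len(p.sealedKeys) < 12 {
		return nil, errors.New("malformed payload")
	}
	return aesGCM(kek).Open(nil, p.sealedKeys[:12], p.sealedKeys[12:], nil)
}
```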
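A guard-point rule evaluator covering the five conditions listed under System and Information Integrity above (User, Process, Action, Result, Time), as an added Go example that is not part of the Thales product or this paper. The `Rule` and `Request` layouts, the in-order first-match evaluation, the deny-by-default outcome for operations under the guard point, and the sample account, binary and paths are assumptions constructed here.

```go
package main

import (
	"strings"
	"time"
)

// Rule is one guard-point rule. Its fields follow the page's list (User, Process, Action,
// Result, Time); an empty field matches anything. The struct layout is constructed here.
type Rule struct {
	Users, Processes, Actions []string       // e.g. `DOMAIN\svc_sql`, "mssql.exe", "read"
	Result                    string         // sub-path within the guard point; "" = whole guard point
	Weekdays                  []time.Weekday // nil = every day
	Start, End                int            // hour-of-day window [Start, End); both 0 = all day
	Effect                    string         // "permit" or "deny" when the rule matches
}

// Request is one attempted file operation on the host.
type Request struct {
	User, Process, Action, Path string
	At                          time.Time
}

// inSet treats an empty field as a wildcard and otherwise requires an exact match.
func inSet[T comparable](set []T, v T) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return len(set) == 0
}

// Decide evaluates a guard point's rules in order: the first match wins, an operation under the
// guard point that no rule permits is denied, and paths outside the guard point are not governed.
func Decide(guardPoint string, rules []Rule, q Request) string {
	if !strings.HasPrefix(q.Path, guardPoint) {
		return "not guarded"
	}
	for _, r := range rules {
		ok := inSet(r.Users, q.User) && inSet(r.Processes, q.Process) && inSet(r.Actions, q.Action) &&
			strings.HasPrefix(q.Path, guardPoint+r.Result) && inSet(r.Weekdays, q.At.Weekday())
		if h := q.At.Hour(); ok && ((r.Start == 0 && r.End == 0) || (h >= r.Start && h < r.End)) {
			return r.Effect
		}
	}
	return "deny"
}
```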

About Thales Trusted Cyber Technologies

Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., is a trusted U.S. provider of cybersecurity solutions dedicated to the U.S. Government. We protect the government's most vital data from the core to the cloud to the edge with a unified approach to data protection. Our solutions reduce the risks associated with the most critical attack vectors and address the government's most stringent encryption, key management, and access control requirements.

For more information, visit www.thalestct.com

3465 Box Hill Corporate Center Drive, Suite D, Abingdon, MD 21009 • 443-484-7070 • [email protected]
thalestct.com
