Entrust High Level Deck

Entrust Digital Security Solutions

“Zero Trust Security”


Ronald Budiman
Technical Presales for Digital Security Solution

© Entrust Corporation
Who We Are
• $1B+ in revenue
• 3,400+ colleagues
• 50+ years of innovation
• 2k+ partners
• 140 countries served
• 65% of Fortune 500 served
RECOGNIZED LEADER
• Gartner Magic Quadrant 2024 – Access Management
• Leadership Compass 2024 – Identity Verification
• Leadership Compass 2022 – Passwordless Authentication
• Market Leader in Leadership Compass for Secrets Management 2023
• Overall leader in Frost Radar for Global Holistic TLS Certificate Market, 2022
Ratings shown: Leader; Challenger
Digital Security & Identity Chosen by World’s Leading Brands
WHAT IS ZERO TRUST

Zero Trust is a security concept centered on the belief that an organization should not automatically trust anything inside or outside its perimeter.

“Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”
- U.S. National Institute of Standards and Technology (NIST)

Three principles: Verify Explicitly | Least Privilege | Assume Breach

Never Trust, Always Verify
CISA – ZERO TRUST MATURITY MODEL (V2.0)
Cybersecurity and Infrastructure Security Agency (CISA)
https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf

ENTRUST IS UNIQUELY POSITIONED TO HELP
Zero Trust Maturity Model v. 2
Source: Cybersecurity & Infrastructure Security Agency (CISA)
ENTRUST ZERO TRUST MATURITY COVERAGE

Pillars: IDENTITY | DEVICES | NETWORK | APPLICATION | DATA

Capabilities mapped across the pillars include:
• PKI for Machines, IoT/Device Identity, Workloads
• App Encryption
• Post Quantum Readiness and Cryptography Roadmaps
• People Certificates and Identity (Smart, Phishing Resistant, Decentralized)
• SSL/TLS Certificates
• Workflow/transaction Signing
• Email Encryption
• Access Control
• Keys/Secrets Management
• Virtual Infrastructure
• Data Encryption
• Governance & Applied Cryptography Services
• Code Signing
• Cryptographic compliance Health Checks
• Development
• Digital Signing & Data Integrity
• Access Management
• Crypto Discovery, Control & Automation
• Hardware Key protection

Cross-cutting: VISIBILITY | ANALYTICS | AUTOMATION | ORCHESTRATION | GOVERNANCE


ENTRUST ZERO TRUST

Zero Trust Framework: Users | Devices | Data | Networks | Applications

Secure Identity | Secure Connections | Secure Data
Identity | PKI | PKI Certificates | HSM | Key Management | PQ Ready
Entrust Digital Security
• MultiFactor Authentication
• PKI – Private/Public/SSL Certificate
• Digital Certificate Lifecycle Management

Protected assets: Users’ Devices | Network Security | Web Servers | Applications | Database | Data File | VM | Logical Disk

• BYOK, DKE
• E2EE for Mobile/Internet Banking
• Tokenization
• VM Encryption (On Prem/Cloud)
• File Encryption (On Prem/Cloud)
• Cloud Key Management
• nShield KMS & HSM – Root of Trust, Tamper Resistant, FIPS 140-2 Level 3

HSM AS A SERVICE WITH NSHIELD 5C
HSM MULTITENANCY
APPLICATION INTEGRATION CHOICES
Entrust nShield HSMs suit almost every application environment
◦ Commercial and in-house security applications: Encrypt, decrypt, sign, hash, etc.

Comprehensive support for common crypto APIs: PKCS #11 | Java JCE | Microsoft CryptoAPI/CNG | OpenSSL | Web Services API | Entrust nCore

Operating Systems

Entrust nShield HSM platforms

© Entrust Corporation
Where Can I Use nShield HSM?

nShield HSM – Common Crypto API (JAVA, PKCS#11, MS CNG, REST API)

• Users’ Devices: FAST Payment, End-to-end Encryption for Web and Mobile App
• Network Security: F5, Palo Alto, A10, Citrix…
• Web Server: MS IIS, Apache
• Applications: CyberArk, HashiCorp, ADCS, EJBCA, …
• Database: MS SQL, Oracle
• BYOK, DKE: Cloud Key Management, MS Key Protection
Offering HSM as a Service
• Multi Tenant nShield 5 (2024)
• Performance upgradable by license – no hardware change required
• Target customers: organizations with a cloud strategy, fintech companies, organizations lacking IT Security personnel, and organizations that already have nShield HSMs in production

Diagram: Customers → Private Cloud → nShield HSMs at Partner

• What problem does it solve?
  – Subscription based offering by Partner
  – No HSM operation and hosting overheads for the customer
  – Quick hardware and parts replacement
SECURING DATA WITH KMS & TOKENIZATION

KEY CONTROL: CENTRALIZED KMS FOR DATA PROTECTION
• Root of trust for cryptographic operations
• A true random number generator for the creation of high-quality cryptographic keys
• NIST FIPS 140-2 Level 3 assurance – PCI DSS compliant

KEYCONTROL KMS
• Licensing / Entitlements
• Global Dashboard
• Key Lifecycle Management
• Key Compliance
• Key Documentation / Audit
• Trends and Violations

Vault locations are chosen by the customer based on data sovereignty regulations, corporate security policy & compliance mandates*
* Geographic locations shown for illustration purposes only

Abbreviations: BYOK – Bring Your Own Key; HYOK – Hold Your Own Key; GCP – Google Cloud Platform; KMIP – Key Management Interoperability Protocol
KEYCONTROL VAULT FOR SECRETS MANAGEMENT

KeyControl Vault for Secrets Management offers a range of cloud-native and DevOps integrations, including:
• Tools/Toolchains: Ansible, Jenkins, Datadog
• PaaS/Container Orchestration: Kubernetes, Red Hat OpenShift, VMware Tanzu

Interfaces: Web UI, CLI, or the RESTful API
KEYCONTROL VAULT FOR PRIVILEGED ACCOUNT AND SESSION MANAGEMENT (PASM)

KeyControl simplifies the management of SSH access by leveraging corporate identity and access management (IAM) systems and automating the lifecycle of SSH keys, including:
• Key storage
• Backup
• Rotation
• Key revocation
KEYCONTROL VAULT FOR VIRTUAL MACHINE (VM) ENCRYPTION

Background
Personal data protection is intended to guarantee citizens’ right to the protection of their personal selves, to foster public awareness, and to guarantee recognition of and respect for the importance of personal data protection.

(1) Personal Data consists of:
a. Personal Data of a specific nature; and
b. Personal Data of a general nature.

(2) Personal Data of a specific nature as referred to in paragraph (1) letter a includes:
a. Health data and information;
b. Biometric data;
c. Genetic data;
d. Criminal records;
e. Children’s data;
f. Personal financial data; and/or
g. Other data in accordance with the provisions of laws and regulations.

(3) Personal Data of a general nature as referred to in paragraph (1) letter b includes:
a. Full name;
b. Gender;
c. Nationality;
d. Religion;
e. Marital status; and/or
f. Personal Data combined to identify a person.

© Entrust Corporation
DATA TOKENIZATION
➢ REST API based (supported by any programming language)
➢ Data format is preserved (no change in database schema)
➢ Works for any OS and database – MySQL, Oracle, PostgreSQL, DB2, MariaDB, MS SQL and more
➢ Vault-less tokenization (no database in Token Vault)

Tokenization / De-Tokenization via the Tokenization Vault VM:
Name: Bob Smith → Name: XyU Emutg
DOB: 03/11/1980 → DOB: 56/98/2763
Phone: +667384656 → Phone: +746538293

Database contains token data, not actual data
TOKEN SERVICE ARCHITECTURE

Components: Business Application, Database, Token Service (Entrust Token Vault), connected by REST API Calls

1. Application calls REST API to send plaintext (1234-0913-6979-6919) to Token Vault.
2. Token Vault converts data to token (fake data: 1234-1234-1234-1238) and returns it to Application.
3. Application receives token data and stores it to database (on prem or on cloud).

Process is reversible to obtain the original plaintext.
WEB BASED TOKEN PROFILE SETUP

Profile settings are specified at the time the profile is created; they cannot be modified afterward.
• Delete the profile
• Name of Key: an alphanumeric string
• Charset: except for the Numeric type, Charset options are available
• Number of characters to be preserved from the left and right hand side
GRANULAR TOKENIZATION GROUPING

➢ Support multi department and branches
➢ VM based. WebGUI for token vault and profile management
➢ Different or same Admin for Token Vault (unlimited Token Vault)
➢ Policy based token profile for flexible grouping (unlimited token profiles)

Diagram: Entrust Token Vault VM, reached by the application servers over REST API
• Token Vault 1 (for HQ): Token Profile for Snap BI → Snap BI Server; Token Profile for Investment → Investment Banking Server; Token Profile for HR PDPA → HR Server
• Token Vault 2 (for branches): Token Profile for micro loan → Micro Loan Server
• Token Vault 3…
TOKENIZATION SECURITY
1. Token Access Token
◦ Token calls from the application are validated with an access token
2. Communication Encryption
◦ Communication between client and token service is encrypted with TLS 1.2
3. Token Grouping
◦ Each Token Vault can be managed and accessed by assigned Administrators. Administrators can only access their own Token Vaults.
4. HSM Token Key Generation and Protection
◦ Token keys are generated and protected with a FIPS 140-2 Level 3 HSM
◦ Tamper resistant HSM
◦ Complies with PCI DSS needs (Requirement 3: Use of tamper resistant hardware module)
SECURING IDENTITY WITH ENTRUST
ENTRUST HIGH ASSURANCE IAM SOLUTION

IDENTITY & ACCESS MANAGEMENT
• Best-in-class Authentication suite
• Passwordless Access
• Adaptive access (Contextual analysis)
• Federated SSO
• Simplified Admin console for Identity management & User Self Service tools
• Integrations (Apps, Directories and EMMs)

Flexible deployment options: Cloud | On-premises | Managed Service
BEST-IN-CLASS MFA
Unrivaled number of supported authenticators & use cases

Evolution of Multi-Factor Authentication (MFA)
• KBV Q&A, Voice OTP, SMS OTP, Email OTP, Grid / eGrid cards
• PKI, mobile smart credential, FIDO2 Key, FIDO2 Credentials (aka “passkeys”), Bluetooth proximity
• Facial Biometric + Identity verification (AI – driven)
• Mobile push notification, Mobile time-based OTP
• Mobile push + mutual auth, Mobile + QR Code mutual auth

Passwordless: Phishing, MFA fatigue, & AiTM resistant
Resistance levels indicated: Phishing resistant; MFA fatigue resistant; Phishing & MFA fatigue resistant

Financial Institutions’ MFA mandates
PHISHING-RESISTANT PASSWORDLESS MFA
CRITICAL PART OF ZERO TRUST ARCHITECTURE

High Assurance Identities: Device certificate + User Certificate + RBA
Threat / Risk Signals: Device Identity and reputation; Device Certificate
Risk Policy Engine: User Identity Challenge → Risk → Block

Best: Entrust mobile smart credential login (PKI mobile smart credential + Bluetooth proximity)

Better: FIDO2 Key
1. User initiates login to registered device in proximity
2. Application issues security challenge and sends challenge
3. FIDO key signs challenge with private key and sends back
4. Application verifies signed challenge and logs in user

Good: FIDO2 Credentials (aka “passkeys”)
1. User initiates login to registered smart device in proximity (confirmed via Bluetooth)
2. Application issues security challenge
3. User uses biometrics to authenticate passkey. Passkey on mobile is used to sign and send back challenge
4. Application verifies signed challenge and proximity of passkey device to log in user
Mobile OTP token & Push Authentication
• Biometric – Face ID / Touch ID to unlock
• Mobile push notification
• Mobile time-based OTP
Push Authentication – additional feature
• Display on Website, pending user approval on mobile device
• Mobile push notification
• Upon clicking on “confirm”, the user is asked to click on the correct value on the device.
ENTRUST IDENTITY PASSWORDLESS OPTIONS
ON-PREM | HIGH ASSURANCE
1/17/2025
INCREASED PRODUCTIVITY
Entrust IDaaS IAM – Consumer / Citizen / Workforce

User Management
• Central Identity repository
• Integration with 3rd party repositories
• User Management
• Self Service Portal
• RESTful API

Authentication & Authorization
• Adaptive Risk-based authentication (step up)
• Transaction Based Risk for Banking
• Authorization Server (RBAC, OAuth 2.0/2.1)

Access Management
• Identity provider
• Single Sign On with Federated Identity
• Password-less SSO
• On Premise Application Protection
• IDP Proxy (Support for 3rd party IDPs)

Orchestration
• Identity Orchestration
• Lifecycle & Workflow Management
• No code / Low Code
• Provisioning (API based, SCIM)

Fraud Prevention
• Identity Verification / Proofing
• User Impersonation / Manipulation
• 3rd party Risk Signals
• AI Driven*

Reporting
• Analytics
• Dashboard
• SIEM Integrations
ONBOARDING WITH IDENTITY PROOFING
Secure self-service identity verification using client’s mobile phone
Upon successful identity authentication, user applies for Debit and/or Credit Card

• Capture & Classify: World class patented image capture that automatically crops & detects document type, region & prevents glare
• Facial Recognition: Two classes of facial recognition match and liveness tests in seconds
• Validation / Secure Identity Creation: Accurate data population with 50+ forensic tests run in the same seamless process
• Omnichannel Authentication: High-Assurance Secure Mobile Identity can be used to authenticate across Digital and Physical channels
Entrust Data Security

DATA: Logs | Financial Data | Healthcare Data | PII | Credit cards | Audio/Video | Excel, CSV

• Database Tokenization
• File Encryption (On Prem/Cloud)
• Cloud Key Management
• VM Encryption (On Prem/Cloud)
• Data Tokenization & Detokenization – during submission: Tokenize or Encrypt fields/data; during analysis: Decrypt/Detokenize (call REST APIs, Vault)
• nShield KMS & HSM – Root Of Trust
• Network Security
• E2EE for Mobile/Internet Banking
• PKI – Public Key Infrastructure/CA
• Certificate Management: Digital Certificate Lifecycle Management – Discover, Manage, Design, Automate
• Crypto Programming API (Java, PKCS#11, OpenSSL, MS CNG, nCore)
• Multifactor Authentication: Push Notification, Passwordless Authentication, Credentials-Based Authentication

Deployment: Edge | On Premise | Cloud
Discover – Manage – Design – Automate

© Entrust Corporation
