Fortanix Key Insight for On-premises Concepts


1.0 Introduction

This article describes the concepts behind the Fortanix Key Insight solution for on-premises environments. It illustrates how Fortanix Key Insight helps implement uniform key lifecycle management policies and processes across different cryptographic key management systems and on-premises environments such as databases, source code, and file systems.

2.0 Terminology References

CONCEPT

DESCRIPTION

On-premises Connection

Integration of Fortanix Key Insight with an organization's local infrastructure to manage and secure cryptographic keys and data. Fortanix Key Insight scans an on-premises connection and all the resources within it.

Key Discovery

The process of identifying and locating cryptographic keys within various key management systems and databases. Fortanix Key Insight provides the on-premises key discovery report to analyze the usage of keys and resources.

On-premises Scanner

An on-premises scanner is a configuration file deployed within an organization's local infrastructure designed to scan, analyze, and manage sensitive data, including cryptographic keys and compliance information.

This solution features a robust scanner package designed to handle and protect your on-premises keys and resources seamlessly within Fortanix Key Insight.

On-premises Resources

Resources include databases, source code, and file systems that are used to manage and protect sensitive data within an organization’s local environment.

The Fortanix Key Insight on-premises scanner consists of specialized tools designed to assess compliance status across various databases, source code, and file systems. For example, it can evaluate compliance for widely used databases such as Oracle and Microsoft SQL Server (MSSQL).

On-premises Databases

These are the structured data repositories, such as Oracle and MSSQL, used to store and manage business-critical information. The Fortanix Key Insight on-premises scanner connects to these databases and scans for cryptographic keys, certificates, and algorithms to assess compliance with security and cryptographic policies.

On-premises Source Code Repositories

These are local or self-hosted repositories containing application code, libraries, and configuration files. The Fortanix Key Insight on-premises scanner scans source code for embedded cryptographic material such as hardcoded keys, algorithms, private keys, secrets, or ciphertexts, and highlights risks for remediation.
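As an added illustration of what scanning source code for embedded cryptographic material involves, the Go program below is not Fortanix code and does not use the Key Insight scanner's rules. It runs three constructed detection rules (a PEM private-key header, a secret-looking variable assigned a quoted literal, and a reference to a deprecated algorithm) over a constructed two-file repository held in memory, and reports the file, line and rule for each hit with the secret value redacted so that the report itself never leaks it. The file paths, file contents, rule names and patterns are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding records one piece of embedded cryptographic material located in a source file.
type Finding struct {
	Path string // repository-relative file path
	Line int    // 1-based line number
	Kind string // which rule fired
	Hint string // short excerpt with the secret value removed, safe to put in a report
}

// Detection rules. These patterns are illustrative choices for this example, not the rule set
// used by the Fortanix Key Insight scanner.
var rules = []struct {
	kind string
	re   *regexp.Regexp
}{
	// PEM header of a private key pasted into source.
	{"pem-private-key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----`)},
	// Secret-looking name assigned a quoted literal of at least 8 characters.
	{"hardcoded-secret", regexp.MustCompile(`(?i)\b(?:api[_-]?key|secret[_-]?key|password|passwd|token)\b\s*[:=]\s*["'][^"']{8,}["']`)},
	// Reference to a deprecated hash or cipher.
	{"weak-algorithm", regexp.MustCompile(`(?i)\b(?:md2|md5|sha1|des|rc4)\b`)},
}

// ScanSource applies every rule to each line of one file and returns findings in line order.
func ScanSource(path, content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, r := range rules {
			if r.re.MatchString(line) {
				out = append(out, Finding{Path: path, Line: i + 1, Kind: r.kind, Hint: redact(line)})
			}
		}
	}
	return out
}

// ScanAll scans a repository given as path -> content and returns findings sorted by path.
func ScanAll(files map[string]string) []Finding {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var out []Finding
	for _, p := range paths {
		out = append(out, ScanSource(p, files[p])...)
	}
	return out
}

// redact keeps only the left-hand side of an assignment so the report never echoes the secret.
func redact(line string) string {
	line = strings.TrimSpace(line)
	if idx := strings.IndexAny(line, "=:"); idx > 0 {
		return strings.TrimSpace(line[:idx]) + " = <redacted>"
	}
	if len(line) > 48 {
		return line[:48] + "..."
	}
	return line
}

// sampleFiles is a constructed two-file repository for the example; the secret values are fake.
var sampleFiles = map[string]string{
	"app/config.py": `import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
api_key = "AKIAEXAMPLEEXAMPLE12"`,
	"services/legacy.go": `package legacy
import "crypto/md5"
const devKey = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAK...\n-----END RSA PRIVATE KEY-----"
var sum = md5.Sum([]byte(devKey))`,
}

func main() {
	for _, f := range ScanAll(sampleFiles) {
		fmt.Printf("%s:%d %-17s %s\n", f.Path, f.Line, f.Kind, f.Hint)
	}
}
```

Reading a password from the environment (line 2 of `app/config.py`) produces no finding, while the literal on line 3 does; in the Go file the PEM header, the `crypto/md5` import and its use each produce one finding, so the constructed repository yields four hits in total.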

On-premises File Systems

These are Linux and Windows file systems where applications, services, and configuration data are stored. Fortanix Key Insight analyzes file systems to detect cryptographic keys, certificates, operating systems, and related artifacts that may be improperly stored or unprotected.

On-premises Keys

Keys, the primary resource in an on-premises connection, are logical representations of cryptographic keys. Each key is assigned a unique key identifier or key ID. The Fortanix Key Insight on-premises scanner scans all keys stored in databases and file systems and evaluates the key compliance status.

NOTE

Currently, Fortanix Key Insight supports scanning cryptographic keys in Oracle and MSSQL databases, as well as in Linux and Windows file systems.

On-premises Cryptographic Assets

These include keys, certificates, and other cryptographic materials found across source code and file systems.

Fortanix Key Insight provides a centralized inventory of all discovered cryptographic assets, enabling visibility, risk assessment, and compliance monitoring across the on-premises environment.

On-premises Certificates

These are stored within Linux or Windows file systems, including TLS/SSL server certificates, application certificates, and certificates in local trust stores. Fortanix Key Insight discovers these certificates, checks for expiration, weak cryptographic algorithms, or misconfigurations, and highlights gaps in certificate lifecycle management.
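As an added example of the certificate checks this entry describes (expiry, weak cryptographic algorithms), the Go program below is not Fortanix code and its thresholds are not Key Insight's policy definitions. It parses PEM-encoded certificates as they would be read from a Linux or Windows file system, reports each one as expired, expiring within 30 days, not yet valid, carrying an RSA key shorter than 2048 bits, or signed with a deprecated algorithm, and flags anything it cannot parse. Because it must run offline, it constructs three self-signed certificates in memory to stand in for files on disk; the paths, common name, thresholds and fixed reference time are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Policy thresholds: illustrative assumptions for this example, not Fortanix Key Insight policy.
const (
	minRSABits     = 2048
	expiryWarnDays = 30
)

// ReferenceTime fixes "now" so the example is reproducible.
var ReferenceTime = time.Date(2025, time.January, 1, 0, 0, 0, 0, time.UTC)

// CheckCertificate parses one PEM-encoded certificate and returns the policy rules it violates
// relative to `now`. An empty result means the certificate passes every check.
func CheckCertificate(pemData []byte, now time.Time) ([]string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var v []string
	switch {
	case now.After(cert.NotAfter):
		v = append(v, "expired")
	case now.Add(expiryWarnDays * 24 * time.Hour).After(cert.NotAfter):
		v = append(v, "expires-soon")
	}
	if now.Before(cert.NotBefore) {
		v = append(v, "not-yet-valid")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		v = append(v, fmt.Sprintf("weak-rsa-key-%d-bits", pub.N.BitLen()))
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		v = append(v, "weak-signature-"+cert.SignatureAlgorithm.String())
	}
	return v, nil
}

// ScanCertificates checks every file (path -> PEM bytes) and returns the violations per path.
func ScanCertificates(files map[string][]byte, now time.Time) map[string][]string {
	out := make(map[string][]string, len(files))
	for path, data := range files {
		v, err := CheckCertificate(data, now)
		if err != nil {
			v = []string{"unparseable: " + err.Error()}
		}
		out[path] = v
	}
	return out
}

// selfSignedPEM builds a constructed self-signed certificate; a real scan reads files from disk.
func selfSignedPEM(bits int, notBefore, notAfter time.Time) []byte {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "legacy.internal.example"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleCertificates constructs three certificates standing in for files discovered on a host.
func SampleCertificates(now time.Time) map[string][]byte {
	day := 24 * time.Hour
	return map[string][]byte{
		"/etc/ssl/legacy.pem":  selfSignedPEM(1024, now.Add(-730*day), now.Add(-day)),   // expired, weak key
		"/etc/ssl/soon.pem":    selfSignedPEM(2048, now.Add(-355*day), now.Add(10*day)), // expires in 10 days
		"/etc/ssl/healthy.pem": selfSignedPEM(2048, now.Add(-day), now.Add(365*day)),   // compliant
	}
}

func main() {
	results := ScanCertificates(SampleCertificates(ReferenceTime), ReferenceTime)
	paths := make([]string, 0, len(results))
	for p := range results {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		fmt.Printf("%-22s %v\n", p, results[p])
	}
}
```

The expiry check is deliberately a three-way split (expired, expiring soon, fine) rather than a boolean, because a certificate that is still valid but close to its end date is the case a lifecycle-management report most needs to surface before it becomes an outage.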

On-premises Scan

The process of connecting to on-premises environments and obtaining information about services of interest for Fortanix Key Insight.

On-premises Sync

The act of synchronizing cryptographic key information and state between the on-premises scanner and Fortanix Data Security Manager (DSM) so that the state and contents of DSM reflect the state and contents of the on-premises connection.

3.0 Fortanix Key Insight Features - On-premises Connection

The Fortanix Key Insight on-premises connection has the following features:

  • Allows users to scan all key sources across databases and file systems, inspecting each resource to identify which keys are encrypted and which keys were used for encryption.

  • Provides an overview of cryptographic key compliance status across multiple databases.

    The Overview page for databases shows the following information:

    • Scanned databases and total keys

    • Keys by specifications

    • Keys by status

    • Scanned resources

    • Keys by sources

    • Top database servers by assets

  • Provides an overview of cryptographic key compliance status across multiple file systems.

    The Overview page for file systems shows the following information:

    • Scanned total keys, resources, and certificates

    • Discovered assets and operating systems

    • Keys by specifications

    • Certificates by statuses

    • Certificates by key specifications

    • Top operating systems by assets

  • Provides an overview of cryptographic asset compliance status across multiple source code repositories.

    The Overview page for source code shows the following information:

    • Scanned cryptographic assets and repositories

    • Top asset types

    • Top repositories by asset count

  • Generates an assessment report across databases, source code, and file systems, providing a snapshot of your data security posture. The report highlights vulnerabilities and includes risk scores, resource and certificate violations, certificate expiry details, top security issues, strengths, and areas requiring improvement.

  • For every key in an on-premises connection:

    • Displays a tabular view with details such as the key ID, key source, key name, violations, key category, owners, usage description, version, key insight, hostname, key spec, key creation date, rotation date, expiration date, database (DB) type, key status, infrastructure, file path, fingerprint, and so on.

    • Provides a map of key compliance statuses.

    • Detects non-compliant keys based on the applied policy and raises vulnerability alerts according to NIST standards.

    • Provides essential information such as key properties, key owner(s), rotation, resource mapping, and related violations.

  • For every resource in an on-premises connection:

    • Displays a tabular view with details such as the resource category, hostname/IP address, encryption status, and so on.

  • For each cryptographic asset discovered within source code and file systems in an on-premises connection:

    • Displays a tabular view with details such as the unique reference ID, asset name, asset type, violations, associated locations, repository name, file name, file path, host name, and so on.

    • Provides essential information such as cryptographic asset properties and related violations.

  • For each certificate discovered within file systems in an on-premises connection:

    • Displays a tabular view with details such as the certificate name, infrastructure, status, violations, issuer, key spec, machine IP address, creation date, file path, and so on.

    • Provides essential information, including certificate properties and related violations.

  • Allows users to export all scanned key and resource data in comma-separated values (CSV) format and provides the ability to track export activities.

  • Allows users to export all scanned key and resource metadata in CBOM-compliant JSON format to track post-quantum readiness and cryptographic risk.

  • Enables users to optionally select pre-configured Fortanix DSM (on-premises or SaaS) application credentials for key correlation during the onboarding of an on-premises connection. This allows Fortanix Key Insight to identify whether the scanned keys originate from a Fortanix DSM SaaS or on-premises environment after the scan is initiated.

  • Allows users to download an assessment report.

  • Allows users to create and manage user-defined policies, duplicate and modify system-defined, Fortanix DSM, or existing user-defined policies, and automatically retrieve cryptographic policies from Fortanix DSM to apply them to scanned connections.

  • Provides a dashboard to assess on-premises connection post-quantum cryptography (PQC) readiness, featuring a sunburst chart layout for simplified visualization of key data points, with drill-down capabilities for deeper insights.