1.0 Introduction
This article describes the concepts behind the Fortanix Key Insight solution for on-premises environments. It illustrates how Fortanix Key Insight helps implement uniform key lifecycle management policies and processes across different cryptographic key management systems and on-premises resources such as databases, source code, and file systems.
2.0 Terminology References
CONCEPT | DESCRIPTION |
---|---|
On-premises Connection | Integration of Fortanix Key Insight with an organization's local infrastructure to manage and secure cryptographic keys and data. Fortanix Key Insight scans an on-premises connection and all the resources within that. |
Key Discovery | The process of identifying and locating cryptographic keys within various key management systems and databases. Fortanix Key Insight provides the on-premises key discovery report to analyze the usage of keys and resources. |
On-premises Scanner | An on-premises scanner is a configuration file deployed within an organization's local infrastructure designed to scan, analyze, and manage sensitive data, including cryptographic keys and compliance information. This solution features a robust scanner package designed to handle and protect your on-premises keys and resources seamlessly within the Fortanix Key Insight. |
On-premises Resources | Resources include databases, source code, and file systems that are used to manage and protect sensitive data within an organization’s local environment. The Fortanix Key Insight on-premises scanner consists of specialized tools designed to assess compliance status across various databases, source code, and file systems. For example, it can evaluate compliance for widely used databases such as Oracle and Microsoft SQL Server (MSSQL). |
On-premises Databases | These are the structured data repositories, such as Oracle and MSSQL, used to store and manage business-critical information. Fortanix Key Insight on-premises scanner connects to these databases and scans for cryptographic keys, certificates, and algorithms to assess compliance with security and cryptographic policies. |
On-premises Source Code Repositories | These are local or self-hosted repositories containing application code, libraries, and configuration files. Fortanix Key Insight on-premises scanner scans source code for embedded cryptographic material such as hardcoded keys, algorithms, private keys, secrets, or ciphertexts, and highlights risks for remediation. |
On-premises File Systems | These are Linux and Windows file systems where applications, services, and configuration data are stored. Fortanix Key Insight analyzes file systems to detect cryptographic keys, certificates, operating systems, and related artifacts that may be improperly stored or unprotected. |
On-premises Keys | Keys are the primary resource in an on-premises connection and are logical representations of cryptographic keys. Each key is assigned a unique key identifier (key ID). The Fortanix Key Insight on-premises scanner scans all keys stored in databases and file systems and evaluates each key's compliance status. |
On-premises Cryptographic Assets | These include keys, certificates, and other cryptographic materials found across source code and file systems. Fortanix Key Insight provides a centralized inventory of all discovered cryptographic assets, enabling visibility, risk assessment, and compliance monitoring across the on-premises environment. |
On-premises Certificates | These are stored within Linux or Windows file systems, including TLS/SSL server certificates, application certificates, and certificates in local trust stores. Fortanix Key Insight discovers these certificates, checks for expiration, weak cryptographic algorithms, or misconfigurations, and highlights gaps in certificate lifecycle management. |
On-premises Scan | The process of connecting to on-premises environments and obtaining information about services of interest for Fortanix Key Insight. |
On-premises Sync | The act of synchronizing cryptographic key information and state between the on-premises scanner and Fortanix Data Security Manager (DSM) so that the state and contents of DSM reflect the state and content of the on-premises connection. |
3.0 Fortanix Key Insight Features - On-premises Connection
The Fortanix Key Insight on-premises connection has the following features:
- Allows users to scan all key sources across databases and file systems, inspecting each resource to identify which keys are encrypted and which keys were used for encryption.
- Provides an overview of cryptographic key compliance status across multiple databases. The Overview page for databases shows the following information:
  - Scanned databases and total keys
  - Keys by specifications
  - Keys by status
  - Scanned resources
  - Keys by sources
  - Top database servers by assets
- Provides an overview of cryptographic key compliance status across multiple file systems. The Overview page for file systems shows the following information:
  - Scanned total keys, resources, and certificates
  - Discovered assets and operating systems
  - Keys by specifications
  - Certificates by statuses
  - Certificates by key specifications
  - Top operating systems by assets
- Provides an overview of cryptographic asset compliance status across multiple source code repositories. The Overview page for source code shows the following information:
  - Scanned cryptographic assets and repositories
  - Top asset types
  - Top repositories by asset count
- Generates an assessment report across databases, source code, and file systems, providing a snapshot of your data security posture. The report highlights vulnerabilities and includes risk scores, resource and certificate violations, certificate expiry details, top security issues, strengths, and areas requiring improvement.
- For every key in an on-premises connection:
  - Displays a tabular view with details such as the key ID, key source, key name, violations, key category, owners, usage description, version, key insight, hostname, key spec, key creation date, rotation date, expiration date, database (DB) type, key status, infrastructure, file path, fingerprint, and so on.
  - Provides a map of key compliance statuses.
  - Detects non-compliant keys based on the applied policy and raises vulnerability alerts according to NIST standards.
  - Provides essential information such as key properties, key owner(s), rotation, resource mapping, and related violations.
- For every resource in an on-premises connection:
  - Displays a tabular view with details such as the resource category, hostname/IP address, encryption status, and so on.
- For each cryptographic asset discovered within source code and file systems in an on-premises connection:
  - Displays a tabular view with details such as the unique reference ID, asset name, asset type, violations, associated locations, repository name, file name, file path, host name, and so on.
  - Provides essential information such as cryptographic asset properties and related violations.
- For each certificate discovered within file systems in an on-premises connection:
  - Displays a tabular view with details such as the certificate name, infrastructure, status, violations, issuer, key spec, machine IP address, creation date, file path, and so on.
  - Provides essential information, including certificate properties and related violations.
- Allows users to export all scanned key and resource data in comma-separated values (CSV) format and provides the ability to track export activities.
- Allows users to export all scanned key and resource metadata in CBOM-compliant JSON format to track post-quantum readiness and cryptographic risk.
- Enables users to optionally select pre-configured Fortanix DSM (on-premises or SaaS) application credentials for key correlation during the onboarding of an on-premises connection. This allows Fortanix Key Insight to identify whether the scanned keys originate from a Fortanix DSM SaaS or on-premises environment after the scan is initiated.
- Allows users to download an assessment report.
- Allows users to create and manage user-defined policies, duplicate and modify system-defined, Fortanix DSM, or existing user-defined policies, and automatically retrieve cryptographic policies from Fortanix DSM to apply them to scanned connections.
- Provides a dashboard to assess on-premises connection post-quantum cryptography (PQC) readiness, featuring a sunburst chart layout for simplified visualization of key data points, with drill-down capabilities for deeper insights.
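The policy-based violation detection and the PQC readiness view described above, as an added illustration that is not Fortanix code: it takes constructed key records carrying the columns the key table lists (key spec, rotation date, expiration date), applies a hypothetical user-defined policy whose thresholds are assumptions, and returns per-key violations, a compliant/non-compliant status, a PQC readiness label based on the algorithm family only, and a keys-by-status summary.

```python
from datetime import date

# Constructed sample records with the key-table columns the page lists; not real scan output.
SAMPLE_KEYS = [
    {"key_id": "k-001", "key_spec": "RSA-2048", "rotated": date(2020, 1, 15), "expires": date(2030, 1, 15)},
    {"key_id": "k-002", "key_spec": "RSA-1024", "rotated": date(2024, 6, 1), "expires": date(2024, 12, 1)},
    {"key_id": "k-003", "key_spec": "AES-256", "rotated": date(2024, 9, 1), "expires": None},
    {"key_id": "k-004", "key_spec": "3DES-168", "rotated": date(2024, 10, 1), "expires": None},
]
ASSESSMENT_DATE = date(2025, 1, 1)  # constructed "today" for the sample run

# Hypothetical user-defined policy; these thresholds are assumptions, not Fortanix defaults.
POLICY = {"min_bits": {"RSA": 2048, "EC": 256, "AES": 128},
          "disallowed": {"3DES", "DES", "RC4"}, "max_rotation_days": 365}

# Public-key families whose hardness assumptions fall to Shor's algorithm (PQC readiness view).
QUANTUM_VULNERABLE = {"RSA", "EC", "ECDSA", "ECDH", "DSA", "DH"}


def parse_spec(spec):
    """Split a key spec such as 'RSA-2048' into ('RSA', 2048); a missing size gives None."""
    name, _, bits = spec.partition("-")
    return name.upper(), (int(bits) if bits.isdigit() else None)


def evaluate_key(key, policy, today):
    """Return the policy violations for one key record, in a fixed order."""
    algo, bits = parse_spec(key["key_spec"])
    violations = []
    if algo in policy["disallowed"]:
        violations.append("disallowed-algorithm")
    elif algo in policy["min_bits"] and (bits is None or bits < policy["min_bits"][algo]):
        violations.append("key-size-below-minimum")
    if (today - key["rotated"]).days > policy["max_rotation_days"]:
        violations.append("rotation-overdue")
    if key["expires"] is not None and key["expires"] < today:
        violations.append("expired")
    return violations


def pqc_readiness(key_spec):
    algo, _ = parse_spec(key_spec)
    return "quantum-vulnerable" if algo in QUANTUM_VULNERABLE else "not-quantum-vulnerable"


def assess(keys, policy, today):
    """Per-key rows (violations, status, PQC readiness) plus a keys-by-status summary."""
    rows = {}
    for key in keys:
        violations = evaluate_key(key, policy, today)
        status = "non-compliant" if violations else "compliant"
        rows[key["key_id"]] = {"violations": violations, "status": status, "pqc": pqc_readiness(key["key_spec"])}
    return rows, {s: sum(r["status"] == s for r in rows.values()) for s in ("compliant", "non-compliant")}
```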