Fortanix Key Insight User Interface Components - On-Premises Connection

1.0 Introduction

The article describes the features of the Fortanix Key Insight user interface (UI) for an on-premises connection.

2.0 Terminology References

For Fortanix Key Insight – On-premises terminologies, refer to the Fortanix Key Insight – On-premises Concepts Guide.

3.0 On-Premises Connection Overview

You can access the on-premises connection Overview tab after adding an on-premises connection. You can select the required on-premises connection from the connections dropdown and access the respective details.

The Overview page summarizes the on-premises keys and resources for an on-premises scanner based on the applied Key Insight policy.

For more details on the Key Insight policy, refer to the Fortanix Key Insight – Getting Started with On-premises Connection.

Figure 1: On-Premises Connection Overview

The Overview page is described in the following sections:

3.1 Discovered On-Premises Resources

This section provides the count of scanned resources. It shows the count of:

  • Total number of databases

  • Total number of keys in all the databases

Figure 2: Discovered Resources

NOTE

The total number of keys displayed in the Discovered On-premises Resources section is only the count of the “Current” key version for each key in the on-premises resource.

Clicking the Total keys and Databases labels in the Discovered On-premises Resources section takes you to their list view.

3.2 Assessment

This section allows the user to view the on-premises keys and resources on the assessment report. The report allows you to assess your key’s security posture to ensure the safety of your data.

Figure 3: Assessment

Click ASSESSMENT REPORT to go to the Assessment page. For more details about the Assessment page, refer to Section 4.0: On-Premises Connection – Assessments.

3.3 Top Attention Areas

This section summarizes the key areas considered as high priority for review or action due to potential risk and compliance concerns. It shows the number of active keys unrotated for over two years, unencrypted databases, and keys nearing two years in 30 days.

Click each category to access the list of the respective keys and resources.

Figure 4: Top Attention Areas

3.4 Keys by Status

This section lists the total number of enabled and disabled keys in the on-premises scanner. Click each item to access the list of the respective keys.

Figure 5: Keys by Status

3.5 Scanned Resources

This section displays the encryption status of the scanned resources, showing which ones are encrypted and which are not.

Figure 6: Scanned Resources

  • The red color cell indicates the unencrypted resources.

  • The yellow color cell indicates the partially encrypted resources.

  • The grey color cell indicates the resources whose encryption status is unknown.

  • The green color cell indicates the encrypted resources.

Clicking each item will take you to its corresponding list view.

3.6 Keys by Resources

This section displays the distribution of keys generated from various resources.

Figure 7: Keys by Resources

  • The blue color cell indicates the Other keys.

  • The green color cell indicates the File System Key Store keys.

Click each key to go to its list view, which includes information such as key ID, key name, insight, key rotation, host, and so on.

4.0 On-Premises Connection - Assessments

Users can access the Fortanix Key Insight Assessment menu after a scan has been performed and on-premises keys and resources have been added.

The Assessment page shows:

  • How good or bad the key security posture is for the on-premises scanner.

  • Violations that must be remediated to improve the security status.

  • Remediation advice to improve the security status.

Figure 8: On-Premises Assessment Report

NOTE

You can click any numerical values on the Assessment page to view the list of corresponding on-premises keys and resources.

These are described in detail in the following sections:

4.1 Risk Score

This section provides the overall risk score of the on-premises keys and resources. There are two types of risks:

  • High – A high score signifies the total number of partially encrypted DBs, active keys unrotated for over two years, or non-compliant keys in use.

  • Critical – A critical risk score indicates the total number of unencrypted databases detected that need attention.

Figure 9: Risk score

In the above example, the overall risk score is Critical. The priority of the overall risk score is based on the count of risks in the following order:

  • Critical

  • High

4.2 Key Violations

Key rotation ensures cryptographic security by regularly updating keys to prevent data breaches and comply with regulations. Best practices include establishing a routine rotation schedule, automating key management, using unique keys for different purposes, and implementing key versioning. Secure key storage, strict access controls, and regular audits are essential. Failure to rotate keys increases vulnerability to attacks, risks of data breaches, non-compliance penalties, and undetected compromises, ultimately leading to loss of trust and reputational damage.

This section displays the total number of key violations relative to the total number of active keys. Key violations include active keys that have not been rotated for more than two years and keys rotated after two years. You can click each item to go to its list view.

Figure 10: Key Violations

4.3 Resources Overview

'Non-compliant keys' are cryptographic keys that fail to meet the organization's security policies, standards, or regulatory requirements. They may not align with criteria such as key strength, usage, or rotation policies. Identifying these keys allows administrators to update policies, rotate, or replace them, ensuring compliance and reducing risks of data breaches and regulatory penalties.

This section highlights resources with keys that fail to meet security policies or compliance standards, potentially increasing risk. You can view the total number of non-compliant keys for Oracle and MSSQL among all active keys. You can click each item to go to the resources list view.

Figure 11: Resources Overview

4.4 Top Security Issues

This section provides the following information about the keys:

  • Non-HSM managed keys: Non-HSM (Non-Hardware Security Module) managed keys refer to cryptographic keys that are handled, stored, and managed by software rather than specialized hardware devices designed for key management and security. This section displays the total number of keys in the on-premises scanner that are not managed by hardware.

  • Non-compliant keys: This section provides an overview of the total number of keys that do not meet the established industry standards and compliance frameworks. It highlights keys that do not adhere to the required security practices and guidelines set forth by regulatory bodies and industry best practices. By identifying these non-compliant keys, this section helps identify the areas where key management practices need improvement to ensure that they align with the necessary security and compliance requirements.

    Any key that utilizes the following algorithm and key size combinations is considered Non-Compliant in Fortanix Key Insight, according to the National Institute of Standards and Technology (NIST) 800-57 standard:

    • AES: Any key size less than 192 bits.

    • 3DES: Keys with size 112 bits and 168 bits.

    • DES: Keys with size 56 bits.

    • RSA: Keys with size less than 2048 bits.

    • DSA: Keys with size less than 2048 bits.

    • ECC: Keys with size less than 224 bits.

    The non-compliant keys increase the data security risk. They will be flagged as vulnerabilities on the Keys page.

    Fortanix Key Insight recommends using stronger key algorithms and ensuring that the key strength aligns with your defined policies and NIST standards.  

  • Unencrypted DBs: This section shows the number of databases that do not have encryption applied to their stored data. Encryption is a critical security measure used to protect sensitive information by converting it into a secure format that is unreadable without the appropriate decryption key.

  • Quantum-vulnerable keys: For an on-premises scanner, this is the total number of keys that use quantum-vulnerable algorithms. This information helps you determine which data is encrypted using quantum-vulnerable keys.

Figure 12: Top Security Issues
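The rules in Sections 4.1 to 4.4 can be applied to an exported key list as a plain script. The following is an added example, not Fortanix code: it reimplements the page's NIST SP 800-57 size thresholds, the two-year rotation checks, the unencrypted/partially encrypted database counts and the Critical-over-High roll-up over a constructed set of key and database records. The record fields, the set of algorithms treated as quantum-vulnerable, and the label used when no finding exists are assumptions, since the page does not define them.

```python
"""Assessment-style classification of on-premises keys (added example, not Fortanix code)."""
from dataclasses import dataclass
from datetime import date, timedelta

# NIST SP 800-57 thresholds as listed on the Assessment page: a key is non-compliant
# when its size is below the minimum for its algorithm, or is one of the listed
# 3DES/DES sizes.
MIN_COMPLIANT_BITS = {"AES": 192, "RSA": 2048, "DSA": 2048, "ECC": 224}
NON_COMPLIANT_SIZES = {"3DES": {112, 168}, "DES": {56}}

# ASSUMPTION: the page does not list which algorithms count as quantum-vulnerable;
# the classical public-key families are used here.
QUANTUM_VULNERABLE = {"RSA", "DSA", "ECC"}

ROTATION_LIMIT = timedelta(days=2 * 365)   # "over two years" since last rotation
NEARING_WINDOW = timedelta(days=30)        # "nearing two years in 30 days"


@dataclass
class KeyRecord:
    """Constructed record; field names are assumptions, not the export's column names."""
    key_id: str
    algorithm: str
    size_bits: int
    status: str          # "Active" or "Expired", as in the Key Status filter
    last_rotated: date
    hsm_managed: bool


def is_non_compliant(key: KeyRecord) -> bool:
    """Apply the algorithm/key-size table from Section 4.4."""
    alg = key.algorithm.upper()
    if alg in NON_COMPLIANT_SIZES:
        return key.size_bits in NON_COMPLIANT_SIZES[alg]
    if alg in MIN_COMPLIANT_BITS:
        return key.size_bits < MIN_COMPLIANT_BITS[alg]
    return False  # algorithm not covered by the page's list


def rotation_violation(key: KeyRecord, today: date):
    """'unrotated' if older than two years, 'nearing' if it crosses two years within 30 days."""
    age = today - key.last_rotated
    if age > ROTATION_LIMIT:
        return "unrotated"
    if age + NEARING_WINDOW > ROTATION_LIMIT:
        return "nearing"
    return None


def assess(keys, databases, today: date) -> dict:
    """Roll findings up the way Sections 4.1-4.4 describe them."""
    active = [k for k in keys if k.status == "Active"]
    non_compliant = [k.key_id for k in active if is_non_compliant(k)]
    unrotated = [k.key_id for k in active if rotation_violation(k, today) == "unrotated"]
    nearing = [k.key_id for k in active if rotation_violation(k, today) == "nearing"]
    non_hsm = [k.key_id for k in keys if not k.hsm_managed]
    quantum = [k.key_id for k in keys if k.algorithm.upper() in QUANTUM_VULNERABLE]
    unencrypted = [n for n, s in databases.items() if s == "Unencrypted"]
    partial = [n for n, s in databases.items() if s == "Partially Encrypted"]

    # Section 4.1: Critical counts unencrypted DBs; High counts partially encrypted
    # DBs, active keys unrotated for over two years, and non-compliant keys in use.
    critical = len(unencrypted)
    high = len(partial) + len(unrotated) + len(non_compliant)
    if critical:
        overall = "Critical"
    elif high:
        overall = "High"
    else:
        overall = "None"  # ASSUMPTION: the page names no level for zero findings

    return {
        "overall": overall, "critical": critical, "high": high,
        "non_compliant_keys": non_compliant, "unrotated_keys": unrotated,
        "nearing_two_years": nearing, "non_hsm_keys": non_hsm,
        "quantum_vulnerable_keys": quantum, "unencrypted_dbs": unencrypted,
        "partially_encrypted_dbs": partial,
    }


# Constructed sample data (not real scan output).
TODAY = date(2025, 6, 1)
SAMPLE_KEYS = [
    KeyRecord("k-001", "AES", 256, "Active", date(2024, 9, 1), True),
    KeyRecord("k-002", "AES", 128, "Active", date(2023, 1, 15), False),   # weak and stale
    KeyRecord("k-003", "RSA", 2048, "Active", date(2023, 6, 15), False),  # 717 days old
    KeyRecord("k-004", "3DES", 168, "Expired", date(2020, 1, 1), True),   # expired, not counted
    KeyRecord("k-005", "ECC", 256, "Active", date(2025, 1, 1), True),
]
SAMPLE_DATABASES = {
    "oradb01": "Fully Encrypted",
    "mssql02": "Partially Encrypted",
    "mssql03": "Unencrypted",
}

if __name__ == "__main__":
    for name, value in assess(SAMPLE_KEYS, SAMPLE_DATABASES, TODAY).items():
        print(f"{name}: {value}")
```

Note that expired keys still count towards the non-HSM and quantum-vulnerable totals but not towards non-compliant or rotation findings, matching the page's "among all active keys" wording in Section 4.3.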

4.5 Download Report

Click DOWNLOAD REPORT on the top-right corner of the Assessment page to view the Data Security Assessment Report for the on-premises scanner in PDF format.

Figure 13: Download Assessment Report

5.0 Rescan an On-Premises Connection

Click RESCAN on the Overview page to perform a rescan and verify if any keys have been added, deleted, or updated in the on-premises scanner.

NOTE

  • The RESCAN option is accessible only to users with the Account Administrator and Group Administrator roles.

  • You cannot perform RESCAN for pending and disconnected on-premises connections.

Figure 14: Scan Again

If you click RESCAN and start the scan, you can monitor the progress bar while the scan is running.

After the scan is completed successfully,

  • The Last scanned label will be updated with the date and time of completion.

  • The Overview page will reflect the new state of the on-premises keys and resources.

You can also click RESCAN on the Assessment page to perform the rescan. After the scan is completed, the Assessment page will reflect the new state of the on-premises keys and resources.

Figure 15: Scan Again

6.0 Keys

After the on-premises connection is onboarded, click the Keys menu in the Fortanix Key Insight left navigation bar.

Clicking the Keys menu will direct you to the Keys page, where you can view all the on-premises scanner keys.

Figure 16: Access Keys Page

The key list shows the following information:

  • For every on-premises scanner, it shows the key ID, key source, key name, violations, key category, owners, usage description, version, key insight, hostname, key algorithm, key creation date, rotation date, expiration date, database (DB) type and key status.

    NOTE

    You can view up to six columns on the Keys list view. For more details on how to configure the columns display, refer to Section 6.3: Customize Keys List Columns Display.

  • Each key displays the Oracle and MSSQL database resources encrypted by it.

  • If a key has not been rotated for over two years, has expired, is non-compliant, or does not have a cryptographic policy, it shows a vulnerability warning in the VIOLATIONS column, and Fortanix Key Insight recommends resolving it.

6.1 Filter Keys

To apply the filter on the key list:

  1. Click Search to search the keys using:

    • Key Identifier

    • Host

    • Key Name

    • Key Version

    • Key Source: HSM, Oracle Key Vault, File System Key Store, Fortanix, Other

    • Compliance: Compliant keys, Non-compliant keys

    • Key Status: Active, Expired

    • Vulnerability: Keys rotated after two years, Keys nearing two years in 30 days, Quantum vulnerable keys

    • DB Type: MSSQL, Oracle

    • Owner

    • Usage Description

      NOTE

      Please wait up to 15 minutes after adding or updating the ownership information before filtering the keys by Owner or Usage Description.

    • Key Rotation Compliance

    • Key Category: Master Key, Data Encryption Key

  2. Press the ENTER key to filter the search data.

Figure 17: Filter Keys

For example, if you filter key source using File System Key Store, you will see that the key list displays only the keys with File System Key Store source.

You can use a combination of the different key attributes to display the key list with specific results.

6.2 Export Keys Data

For more details, refer to Section 8.0: Scanned Data Export.

6.3 Customize Keys List Columns Display

To modify the Keys table column display in the list view:

  1. Click the Columns Filter icon.

  2. On the Customize Columns dialog box, select a maximum of six columns that you want to display in the table.

  3. Click SAVE to view only the selected columns on the table.

  4. Click RESET TO DEFAULT to display the default columns if required.

Figure 18: Customize Keys Table

6.4 Add Key Details

After the on-premises connection is onboarded to Fortanix Key Insight, you can assign owners to the scanned keys to enhance key management, simplify tracking, and improve remediation workflows.

To add the key(s) details:

  1. Select key(s) in the list.

  2. Click ADD DETAILS on the top right corner.

    NOTE

    If your on-premises connection was last scanned before the KI 25.03 release and a new scan was not performed, clicking the ADD DETAILS option will show a Rescan Required to Add Details dialog box. To ensure your key details are correctly added, you must rescan the on-premises connection and then add the key details.

    For more details on how to perform a rescan, refer to Section 5.0: Rescan an On-Premises Connection.

  3. On the Add Details dialog box, enter the following details:

    1. Primary owner: Enter the primary owner’s name or employee ID.

    2. Email ID: Enter the primary owner’s valid email ID.

    3. Click ADD SECONDARY OWNER to add the secondary owner’s details, if required.

    4. Description (Optional): Enter an optional description.

    5. Click ADD to add the ownership details to the selected key(s).

    NOTE

    To add ownership details, specifying a primary owner is mandatory before adding a secondary owner.

    On the Keys page, the primary and secondary owners’ name or employee ID and email address will appear in the OWNERS column, and the description will appear in the USAGE DESCRIPTION column.

Figure 19: Add Key Details

NOTE

Only users with Account Administrator permissions can add or edit key details.

6.5 Edit Key Details

You can modify the details of the selected key(s).

To edit the key(s) details:

  1. Select key(s) in the list.

  2. Click EDIT DETAILS on the top right corner.

  3. On the Edit Details dialog box,

    1. Update the primary owner’s name or employee ID and email ID.

    2. Update the secondary owner’s name or employee ID and email ID.

    3. Update the description if required.

    4. Click UPDATE to save the details to the selected key(s).

You can also update the details while viewing the key details. For more details, refer to Section 6.6: View Key Details.

6.6 View Key Details

Click any key in the Keys list to view the key's properties, rotation history, associated violations, and service mappings.

  • The KEY DETAILS tab includes the following details:

    • Key Properties: This section displays key specifications, such as key ID, status, version, creation date, expiration date, usage, and so on.

    • Ownership: This section is available if owner details have been added to the key. It displays the primary and secondary owner's name or employee ID, email ID, and description.

    • Automatic Key Rotation Policy: This section includes key rotation details, such as the last rotation time.

Figure 20: Access Key Details View

  • The VIOLATIONS tab displays any violations linked to the key. These violations may include issues such as shared keys, overly permissive usage or management permissions, key expiration, and so on.

    Figure 21: View Key Violations

  • The RESOURCE MAPPING tab displays the mapping between the key and on-premises resource(s), if any. Click Legends below to understand the meaning of icons and warnings displayed in the resource mapping view.

    Figure 22: Keys and Resources Mapping

7.0 Resources

After the on-premises connection is onboarded, click the Resources menu in the Fortanix Key Insight left navigation bar.

Clicking the Resources menu will take you to the Resources page, where you can view a list of all on-premises resources, including Oracle and MSSQL.

Figure 23: Access Resources

The resources list shows the following information:

  • For every resource category (Oracle and MSSQL), you can see the hostname/IP address, resource name, and resource ID.

  • For every resource category, it shows the encryption status of the Oracle and MSSQL databases.

7.1 Resources Filter

In the list view, you can filter the resources using the Search field with the following criteria and available values:

  • Resource Category: Oracle, MSSQL

  • Identifier

  • Name

  • Host Name / IP Address

  • Encryption Type: Unencrypted, Partially Encrypted, Fully Encrypted, Encryption Status Unknown

  • Key Violation

  • Key Vulnerability: Encrypted with non-compliant key

You can use a combination of the above filter options to display the resources with specific results.

Figure 24: Filter Resources

8.0 Scanned Data Export

This feature allows you to export the scanned key and resource-related data from Fortanix Key Insight in Comma-Separated Values (CSV) format. Also, it provides flexibility, enabling you to download data for detailed analysis, audits, or reporting, and to access real-time status.

In the on-premises Keys and Resources list view, you can click EXPORT to export the scanned data using any of the available options:

Figure 25: Access Data Export Feature

  • Export current page: Use this option to export all column data from the current page in CSV format.

NOTE

You can download a maximum of 100 items at a time, based on the setting specified in the Items per page drop-down menu.

  • Export all raw data: Use this option to export all scanned data shown in the keys and services tables in CSV format. If you select this option, you can read the details on the Export All Raw Data dialog box and click PROCEED to export all the data.

    After the export process begins, you can track its progress. The export status will be logged with a message under the Activities tab in Fortanix Key Insight. For more details, refer to Section 8.1: Manage Export Activities.

  • Export selected rows: This option is disabled by default. You can select the required rows on the current page and then use this option to export them in CSV format.

NOTE

  • Only users with the Account Administrator and Group Administrator roles can perform the scanned data export.

  • Within the same account, you can have multiple exports running simultaneously from different cloud and on-premises connections.

8.1 Manage Export Activities

After you initiate the export process using Export all raw data, you can monitor the export status on the Activities tab.

You can see the following details for each export:

  • Name of the activity.

  • Name of the file.

  • Activity status: This indicates the current state of the data export. This can be:

    • Completed: The data export has been completed, and the CSV file will automatically download to the location specified on your local machine.

    • In Progress: The data export is in progress, and you can cancel it if required.

    • Cancelled: The data export has been cancelled, either because you switched accounts or because you manually cancelled it while it was in progress.

    • Failed: The data export was not completed and failed due to errors.

  • Name of the connection

  • Export creation date and time

Figure 26: Access Export Activities

NOTE

  • If you switch to a different account during export, the export will be cancelled and logged in the Activities tab.

  • If you navigate to a different solution (for example, Identity and Access Management), the export will continue, but no logs will appear in the Activities tab. The export status will be confirmed using a toast message.

  • If you refresh the web page during the export, a confirmation dialog box will appear. If you refresh, the export will be cancelled, and all entries in the Activities tab will be removed. Therefore, it is recommended not to refresh the page during the export.