1.0 Introduction
1.1 Purpose
The purpose of this article is to describe the concepts related to the Fortanix Key Insight solution for on-premises environments. It illustrates how Fortanix Key Insight helps implement uniform key lifecycle management policies and processes across different cryptographic key management systems and on-premises resources.
1.2 Intended Audience
This article is intended for the technical stakeholders of Fortanix Key Insight. Two roles are typical: the Chief Information Security Officer (CISO), who uses this feature to see compliance information or deficiencies at a very high level and is interested in trends and drift, and the Security Engineer, who uses this feature to find and fix issues with the implementation and management of cryptographic data protection.
2.0 Terminology References
| CONCEPT | DESCRIPTION |
|---|---|
| On-Premises Connection | Integration of Fortanix Key Insight with an organization's local infrastructure to manage and secure cryptographic keys and data. Fortanix Key Insight scans an on-premises connection and all the resources within it. |
| Key Discovery | The process of identifying and locating cryptographic keys within various key management systems and databases. Fortanix Key Insight provides the on-premises key discovery report to analyze the usage of keys and resources. |
| On-Premises Scanner | A physical or software-based tool deployed within an organization's local infrastructure, designed to capture, analyze, and manage sensitive data, including cryptographic keys and compliance information. |
| On-Premises Resources | The hardware, software, and infrastructure elements used to manage and safeguard sensitive data within an organization's local environment. The Fortanix Key Insight on-premises scanner comprises specialized tools designed to assess compliance status across various databases; for example, it can evaluate compliance for widely used databases such as Oracle and Microsoft SQL Server (MSSQL). |
| Keys | Keys are the primary resource in an on-premises connection and are logical representations of cryptographic keys. Each key is assigned a unique key identifier (key ID). Fortanix Key Insight scans all the on-premises keys within the database and identifies the compliance status of each key. |
| On-Premises Scan | The act of making a connection with the on-premises Key Management System (KMS) and obtaining information about the services of interest to Fortanix Key Insight. |
| On-Premises Sync | The act of synchronizing cryptographic key information and state between the on-premises scanner and Fortanix Data Security Manager (DSM), so that the state and contents of DSM reflect the state and contents of the on-premises key manager(s). |
3.0 Fortanix Key Insight Features - On-Premises
Fortanix Key Insight for on-premises environments has the following features:

- Allows users to scan all key sources across databases (DBs), inspecting each database to identify which keys are encrypted and which keys were used for encryption.
- Generates reports on on-premises non-compliant keys and resources. For each on-premises connection, the report shows:
  - Corresponding keys with their risk score
  - Keys not rotated
  - Keys set with an expiry greater than two years
  - Total keys in Oracle and MSSQL DBs
  - Non-compliant keys in Oracle DB
  - Non-compliant keys in MSSQL DB
  - Top security issues
  - Non-HSM managed keys
  - Non-compliant keys
  - Unencrypted DBs
  - Quantum-vulnerable keys
- Provides a dashboard view of cryptographic key compliance status across multiple databases. The dashboard shows information such as:
  - Scanned databases and total keys
  - Top attention areas
  - Keys by status
  - Scanned resources
  - Keys by source
- For every key in an on-premises connection:
  - Provides a tabular view that shows the key identifier, key source, DB type, hostname, key algorithm, and so on.
  - Provides a map of the key compliance statuses.
  - Detects non-compliant keys based on the applied policy and issues vulnerability alerts according to NIST standards.
  - Provides essential information such as key properties, key owner(s), rotation, resource mapping, and related violations.
- For every resource in an on-premises connection:
  - Provides a tabular view that shows the resource category, hostname/IP address, encryption status, and so on.
- Allows users to export all scanned key and service data in comma-separated values (CSV) format and provides the ability to track export activities.
- Allows users to download a report.
- Provides an assessment report that identifies vulnerabilities: a snapshot of your data security posture and risk score, highlighting areas of strength and pinpointing opportunities for improvement.
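As an added example (not Fortanix code and not the product's own scoring logic), the following Python script evaluates a constructed key inventory export against the report categories listed above and produces the per-connection counts: keys not rotated, keys with an expiry greater than two years, non-HSM managed keys, quantum-vulnerable keys, unencrypted DBs, and total and non-compliant keys per DB type. Only the key identifier, key source, DB type, hostname and key algorithm columns are named by the article; the remaining CSV columns, the one-year rotation window, the risk weights, the "validity longer than two years" reading of the expiry rule and the set of quantum-vulnerable algorithms are assumptions made for the example.

```python
"""Compliance checks over a constructed key inventory export.

Added example, not Fortanix code. It models the report categories the
article lists. Column names, the rotation window, the risk weights and the
quantum-vulnerable algorithm set are assumptions; only the two-year expiry
threshold comes from the article.
"""
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed sample export (not a real Fortanix CSV layout).
SAMPLE_EXPORT = """\
key_id,key_source,db_type,hostname,algorithm,created,last_rotated,expires,hsm_managed,db_encrypted
k-001,Oracle Wallet,Oracle,ora-prod-01,AES-256,2023-01-10,2024-01-10,2025-01-10,true,true
k-002,Oracle Wallet,Oracle,ora-prod-02,RSA-2048,2021-03-01,,2030-03-01,false,true
k-003,MSSQL DMK,MSSQL,sql-prod-01,AES-128,2022-06-15,2022-06-15,2027-06-15,false,false
k-004,MSSQL DMK,MSSQL,sql-prod-02,AES-256,2024-02-01,2024-08-01,2025-08-01,true,true
"""

TODAY = date(2024, 9, 1)                 # fixed "now" so results are reproducible
MAX_ROTATION_AGE = timedelta(days=365)   # assumed policy: rotate at least yearly
MAX_VALIDITY_YEARS = 2                   # article: expiry greater than two years
# Assumed: public-key algorithms breakable by Shor's algorithm.
QUANTUM_VULNERABLE = {"RSA", "EC", "ECDSA", "ECDH", "DSA", "DH"}
RISK_WEIGHTS = {                         # assumed weights for the per-key risk score
    "not_rotated": 2, "expiry_over_two_years": 1, "non_hsm_managed": 2,
    "quantum_vulnerable": 3, "unencrypted_db": 3,
}


def parse_date(s):
    return date.fromisoformat(s) if s else None


def add_years(d, years):
    """d plus N years; Feb 29 rolls to Feb 28 when the target year is not leap."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def check_key(row, today=TODAY):
    """Return the list of policy violations for one inventory row."""
    issues = []
    rotated = parse_date(row["last_rotated"])
    if rotated is None or today - rotated > MAX_ROTATION_AGE:
        issues.append("not_rotated")
    created, expires = parse_date(row["created"]), parse_date(row["expires"])
    if created and expires and expires > add_years(created, MAX_VALIDITY_YEARS):
        issues.append("expiry_over_two_years")
    if row["hsm_managed"].strip().lower() != "true":
        issues.append("non_hsm_managed")
    if row["algorithm"].split("-")[0].upper() in QUANTUM_VULNERABLE:
        issues.append("quantum_vulnerable")
    if row["db_encrypted"].strip().lower() != "true":
        issues.append("unencrypted_db")
    return issues


def build_report(csv_text, today=TODAY):
    """Aggregate per-key findings into the connection-level report categories."""
    total, non_compliant, issue_counts = Counter(), Counter(), Counter()
    unencrypted_dbs, risk_scores = set(), {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        db = row["db_type"]
        total[db] += 1
        issues = check_key(row, today)
        issue_counts.update(issues)
        if issues:
            non_compliant[db] += 1
        if "unencrypted_db" in issues:
            unencrypted_dbs.add(row["hostname"])
        risk_scores[row["key_id"]] = sum(RISK_WEIGHTS[i] for i in issues)
    return {
        "total_keys": dict(total),
        "non_compliant_keys": dict(non_compliant),
        "keys_not_rotated": issue_counts["not_rotated"],
        "expiry_over_two_years": issue_counts["expiry_over_two_years"],
        "non_hsm_managed": issue_counts["non_hsm_managed"],
        "quantum_vulnerable": issue_counts["quantum_vulnerable"],
        "unencrypted_dbs": sorted(unencrypted_dbs),
        "top_security_issues": issue_counts.most_common(),
        "risk_scores": risk_scores,
    }


if __name__ == "__main__":
    for name, value in build_report(SAMPLE_EXPORT).items():
        print(f"{name}: {value}")
```

The per-key `check_key` function is the policy; `build_report` only aggregates, so a new rule (for example a minimum key length) is one extra branch in `check_key` and appears automatically in the top-issues ranking and risk scores.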