|Overview - Vormetric Transparent Encryption & NIST 800-53 revision 4
|Security Control Family
||• Access Controls(AC)
• Account Management
• Separation of Duties
• Least Privilege
|Through the use of kernel level agents providing AES 256 encryption, Vormetric Transparent Encryption exceeds and augments current access control solutions at the file, directory, drive, or target level at the Operating System and provides Least Privilege.
|Awareness and Training(AT)
||• Training Policies
• Security Awareness Training
• Role Based Security Training
|Vormetric Professional Services makes available both, personal and online, training options to educated staff on use of the solution. Thales e-Security solutions have few administrative requirements, and the available training covers tasks and responsibilities for each desired/deployed role, with appropriate documentation.
|Audit and Accountability(AU)
||• Audit Events
• Report Generation
|Vormetric Transparent Encryption provides full audit data at the Vormetric Data Security Manager appliance and at host agents in an open format and can integrate with a program or agency’s audit reduction tool or SIEM solution.
|Security Assessment and Authorization(CA)
||• System Interconnects
• Plan of Action and Milestones
• Continuous Monitoring
|Vormetric Transparent Encryption can be tested as a part of an Information System. The agents are installed on operating systems that undergo security hardening and STIG configurations. The Data Security Manager is FIPS 140-2 Level 2 or Level 3 Compliant depending upon configuration.
||• Baseline Configuration
• Change Control
• Security Impact Analysis
• Least Functionality
|The configuration of the Vormetric DSM can be changed to match operational requirements for access control and encryption at rest, and can be saved, backed up, and added to a CMDB in order to track changes over time.
||• Contingency Plan
• Contingency Testing
|The Vormetric DSM component can operate in a clustered environment in active or standby mode, and can be added to a program’s COOP/DR strategy.
|Identification and Authentication(IA)
||• Organizational Users
• Device Login
• Authentication Management
• Crytpographic Module
• Incident Handling
|Identification is provided through local web GUI login or Active Directory/LDAP Integration at the Data Security Manager appliance. Authentication is provided through the use of kernel level system access to files, folders, and applications.
||• Incident Response Testing
|The Vormetric Data Security Platform processes incidents at the individual component level (host system, web GUI, DSM). These incidents and audit events are in an open syslog format that can be sent to an information system’s monitoring/reporting tool, including 3rd party SIEM solutions. Log file formats can be tailored to match a program’s security policy for user and application behavior.
||• Controlled Maintenance
|As a part of the FIPS 140-2 certification, the Vormetric Data Security Manager is tamper resistant. Additionally, maintenance and audit sessions can be separated by domain and by administrator login.
||• Media Access
• Media Marking
• Storage Transport
|As a part of the FIPS 140-2 level 3 compliance evaluation the Vormetric Data Security Manager has the ability to be zeroized at the appliance console.
|Physical and Environmental Protection(PE)
||• Access Authorizations
|The Vormetric Data Security Management appliance used as a component of the solution is available as 17”x17”x3” hardware device and can be secured in a lockable data center rack enclosure.
||• Security Architecture
• Concept of Operations
|Vormetric Transparent Encryption provides fine-grained access policies and AES-256 encryption that can be used to limit privileged user access and implement least-privilege principles for users authorized for access to sensitive data.
||• Personnel Termination and Transfer
||The Vormetric Transparent Encryption Solution should be operated by personnel at the appropriate level of clearance and information system access. Administrative group links to LDAP compatible Directory Services solutions.
|System and Services Acquisition(SA)
||• Allocation of Resources
• System Development Life Cycle
|System Components of the Vormetric Data Security Manager are assembled in the US at the corporate headquarters in San Jose, CA. The DSM is FIPS 140-2 Level 3 certified when the optional Hardware Security Module (HSM) is installed, and FIPS 140-2 Level 2 certified without the HSM.
|Systems and Communications Protection(SC)
||• Application Partitioning
• Security Function Isolation
• Confidentiality and Integrity
• Cryptographic Key Management
• Platform Agnosticism
|As a part of the Vormetric Transparent Encryption solution, AES-256 encryption keys are passed through an encrypted wrapper. The Administrator Web Interface is accessed through HTTPS. Agent to DSM communication is accomplished through the use of ephemeral ports and is encrypted using Suite B algorithms.
|Systems and Information Integrity(SI)
||• Security Alerts and Advisories
• Software and Information Integrity
|System Integrity on the Data Security Manager Appliance is satisfied through the DSM’s FIPS 140-2 validation. Host agents installed on an Information System’s server provide encryption at rest capabilities to enhance system integrity.