CipherTrust – Product Announcement
Flexible monitoring and management of all HSMs across all locations
Thales e-Security is pleased to announce a comprehensive HSM monitoring and management platform as a new addition to our product portfolio. CipherTrust provides operations teams with high levels of visibility regarding the overall operational status of HSMs across multiple locations, providing a central view of security and performance for mission critical cryptographic operations.
- Provides 24 x 7 visibility on all HSMs
- Identifies performance bottlenecks to improve capacity planning
- Facilitates pro-active HSM management responses to potential issues through automatic alerts
- Reduces costs through background remote operation without human intervention
- Works seamlessly with existing HSM hardware and software configurations
The first version of CipherTrust provides extensive monitoring capabilities for payShield HSMs. Future versions will support additional products including the Thales nShield HSM family.
CipherTrust from Thales e-Security is a comprehensive HSM monitoring and management platform that enables network operations teams to receive 24 x 7 high visibility on the operational status of all HSMs across all locations without the need for any human intervention. HSMs can now be monitored in a similar way to other IT equipment in data centers. Designed with both security and flexibility in mind, Thales CipherTrust addresses two primary challenges faced by today’s organizations: how to inspect HSMs across multiple data centers in a cost-effective and efficient manner, and how to know in advance that a potential security, configuration or utilization issue has occurred that may compromise the mission critical infrastructure.
Core status and activities captured by CipherTrust include information on tamper events, individual device configuration and performance utilization, keeping users fully informed while helping them proactively respond to potential issues using complementary Thales HSM management tools. Users obtain alerts and warnings directly from CipherTrust via email or via their own Security Information and Event Management (SIEM) tool, which is kept up to date every minute by CipherTrust. The result is a dramatic increase in visibility of real-time HSM operation while also providing early warning of potential issues likely to impact the security and operational efficiency of their complete HSM infrastructure.
Thales HSM management tools such as payShield Manager complement CipherTrust by enabling the security teams to manage and make configuration changes to any of the HSMs as a result of information delivered via CipherTrust.
24 x 7 Visibility of all HSMs
One of the main benefits of CipherTrust is that it provides constant monitoring of all HSMs across all locations at 60 second intervals and uses this information to populate a dashboard that can be accessed through the web interface in addition to delivering event and alarm information directly to registered users via email.
An example of the dashboard view for the ‘Group Manager’ role
The monitoring facility captures instantaneous information from all HSM devices via SNMP in the following categories:
In addition to the dashboard facility that Administrators and Group Managers can access through the CipherTrust web interface, the platform also supports a series of alerts that are delivered directly to users via email or via a syslog output to an external Security Information and Event Management (SIEM) tool for further processing.
CipherTrust uses different categories of alerts; the Group Manager can decide which appear only on dashboards and which are additionally delivered by email or syslog. The table below lists the alert categories supported and examples of the type of information that is provided for each.
Distinct user roles with segregation of duties
Two user roles are supported by the CipherTrust platform – Administrator and Group Manager. An overview of the main roles and responsibilities for each user role is summarized in the table below.
Both types of users have access to a dashboard – the information displayed is different to reflect their different focus. Group Managers see more details about the operational status and utilization of individual HSMs and the groups to which they belong in order to be able to pro-actively respond to any issues identified through the event and alarm information. By contrast Administrators have a much higher-level view of the overall HSM monitoring capability and do not require detailed information on individual HSMs – their focus is to ensure that the CipherTrust platform remains operational.
Detailed HSM utilization analysis
payShield HSMs already provide users with the ability to capture detailed HSM utilization statistics via multiple interfaces – the console, local or remote management interface (Remote HSM Manager or payShield Manager) and the host port interface. All of these approaches require extensive human intervention and/or software development (by the user) to capture and subsequently process and display the information retrieved, typically in a graphical manner.
CipherTrust dramatically simplifies the task of obtaining comprehensive utilization data without any human interaction or programming effort. Group Managers automatically see graphs on their dashboard relating to the overall HSM loading and the individual host command volumes for all HSM groups under their control. The graphs are very interactive and the Group Manager can then click on individual sections to drill-down into more detail for individual HSMs and specific host commands. It is easy to identify HSMs that are either overloaded or close to their processing capacity.
Group Managers have the capability to define group alarm thresholds within CipherTrust to control the warning level, critical level, peak level and peak duration for each HSM group. This enables fine tuning of what the system will report through alerts and visible alarms on the dashboard relating to individual or group HSM overloading.
An example of the detailed view of the host command utilization for any given HSM or group
CipherTrust supports a range of event logs which can be viewed through the web interface and also exported as files for analysis on external systems. The logs currently supported are summarized in the table below.
Group Managers have the capability to define and schedule one or more pre-determined reports in addition to running an instantaneous report on demand. Flexible parameters to filter the data are provided in addition to a range of output formats. The reports can be tailored to focus on HSMs at both the individual device level and the group level.