
Whitepaper - Vormetric Data Security Platform

The Vormetric Data Security Platform allows organizations to efficiently manage data security across their entire environment through a centralized infrastructure. The platform includes products for file-level encryption, application-level encryption, integrated key management, and security intelligence. This comprehensive platform addresses multiple security use cases and compliance requirements while reducing the total cost of ownership for data-at-rest security.

Uploaded by

gastonpantana

Data Sheet

Vormetric Data Security Platform

Vormetric Data Security Platform Data Sheet

The Vormetric Data Security Platform makes it efficient to manage data-at-rest
security across an entire organization. The Vormetric Data Security Platform is a
broad set of products that share a centrally managed and extensible infrastructure
for simple one-stop data-at-rest security. The continuously expanding product-line
currently includes transparent file-level encryption, application-layer encryption,
integrated key management, and security intelligence. Deployed separately or in
tandem you can address security policies and compliance mandates across databases,
files and big data nodes—located across physical, virtual, cloud and hybrid
infrastructures. With this platform’s comprehensive, unified capabilities, you can
quickly address your security and compliance requirements for multiple enterprise
use cases, while significantly reducing total cost of ownership (TCO) for
data-at-rest security.

Security Use Cases
• Database Encryption
• File-level Encryption
• Application-layer Encryption
• Privileged User Access Control
• Security Intelligence
• Key Management

Compliance
• PCI DSS 3.0
• HIPAA
• NIST 800-53
• FISMA
• PIPA
• Data Residency

[Figure: Vormetric Data Security Manager at the center of the platform, surrounded by Unstructured Files, Structured Databases, Application-Layer, Big Data, Cloud, Security Intelligence Collection, SIEM Integration, TDE Key Management, Privileged User Access Control, KMIP Compliant Keys, and Certificate Storage. Badge: Best Encryption Solution]

THE VORMETRIC DIFFERENCE


The Vormetric Data Security Platform delivers a comprehensive range of capabilities,
including encryption, key management, access policies, privileged user access
controls, and audit logging. Through these capabilities, organizations can establish
the common controls required to address the demands of a range of security and
privacy mandates, including the Payment Card Industry Data Security Standard
(PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), the Health
Information Technology for Economic and Clinical Health (HITECH) Act, PIPA, Data
Residency, FISMA, NIST-800-53 and other global data protection and privacy laws.

Vormetric.com

PLATFORM BUSINESS BENEFITS

Lower Total Cost of Ownership for Data-at-Rest Security
The Vormetric Data Security Platform makes it simpler and less costly to protect
data-at-rest. The platform enables your IT and security organizations to quickly
deploy data protection, and do so in a uniform and repeatable way that can safeguard
data across your organization. Instead of having to use a multitude of point products
scattered across your organization, you can take a consistent and centralized
approach with the Vormetric Data Security Platform.

Simple and Efficient
The Vormetric Data Security Platform makes administration simple and efficient,
offering an intuitive Web-based interface, as well as an application programming
interface (API) and command-line interface (CLI). IT resources are efficiently used
because data-at-rest security can be applied quickly and consistently across the
organization. Furthermore, this high-performance solution enables efficient use
of virtual and physical server resources, reducing the load on the service delivery
infrastructure.

Beyond Compliance: Better Security
Moving security close to the data is more effective because it minimizes the
potential for any surreptitious access. Vormetric offers a unique approach for
protecting databases, files, and big data across the entire organization. The platform
provides capabilities for encrypting data, controlling access, and creating granular
security intelligence logs. These security intelligence logs can accelerate detection of
advanced persistent threats (APTs) and insider threats because they offer visibility into
file access. In addition, these capabilities and logs satisfy many common compliance
reporting requirements.

Key Platform Capabilities
• A single console for managing all data-at-rest security policies
• On demand extensibility through licensing and software
• Enterprise-class architecture, scale and performance
• Security and compliance across all server environments: physical, virtual,
  cloud, big data, and hybrid environments
• Enforcement of least-privileged user access policies
• Pre-defined dashboards and reports with popular SIEMs

PLATFORM PRODUCTS
Vormetric Data Security Manager
Offers centralized management of keys and policies for the entire suite of products
available within the Vormetric Data Security Platform. It is available as a virtual or FIPS
140-2 physical appliance.

Vormetric Transparent Encryption


Is an agent that runs in the file system to provide high-performance encryption and
least-privileged access controls for files, directories, and volumes for both structured
databases and unstructured files.

Vormetric Application Encryption


Simplifies adding column-level encryption into existing applications by removing
the complexity of the developer supporting cryptographic and encryption key
management operations.

Vormetric Key Management


Can be used to centrally manage keys for Vormetric products, Oracle Transparent
Data Encryption (TDE), and Microsoft SQL TDE. In addition, the product securely
stores certificates and offers support for the Key Management Interoperability
Protocol (KMIP).

Vormetric Security Intelligence


Are granular file access security event logs that are easy to integrate with Security
Information and Event Management (SIEM) systems to produce compliance and
security reports and an audit trail of permitted and denied access attempts
from users and processes.


Vormetric Data Security Manager Specifications

The Vormetric Data Security Manager (DSM) centralizes control of the Vormetric Data
Security Platform. The DSM changes the data security game by enabling an IT
organization to have a consistent and repeatable method for managing encryption,
access policies, and security intelligence for all structured and unstructured data.
Once the DSM is in place, you can quickly address new security mandates, compliance
requirements, and emerging threats. You can use the DSM to provision Vormetric
Transparent Encryption and Vormetric Application Encryption, and to manage keys and
certificates for third-party devices. By delivering centralized control of a breadth
of data-at-rest security capabilities, DSM provides low total cost of ownership,
efficient deployment of secure services, and improved visibility and control.

Key Benefits
• Single console for all platform policy and key management
• Multitenant
• Proven scale to 10,000+ agents
• Cluster support for high availability
• Toolkit and programmatic interface
• Easy integration with existing authentication infrastructure
• Available as a virtual or physical appliance

[Figure: Vormetric Data Security Manager (DSM): policy and key management through the Web GUI, CLI / API, and KMIP]

RELIABLE, FIPS VALIDATED, SECURE SYSTEM DESIGN


To maximize uptime and security, the DSM features redundant components and
the ability to cluster appliances for fault tolerance and high availability. Strong
separation-of-duties policy can be enforced to ensure that one administrator does
not have complete control over data security activities, encryption keys, and
administration. In addition, the DSM supports two-factor authentication for
administrative access. The hardware appliance is available with FIPS 140-2
Level 2 and FIPS 140-2 Level 3 validation.

UNIFIED MANAGEMENT AND ADMINISTRATION ACROSS THE ENTERPRISE

DSM enables enterprises to minimize encryption and key management costs by
providing an appliance to manage heterogeneous encryption keys, including keys
generated by the Vormetric Data Security Platform, IBM InfoSphere, Guardium
Data Encryption, Oracle TDE, Microsoft TDE, and KMIP-compliant encryption
products. It features an intuitive Web-based console for managing encryption keys,
policies, and auditing across an enterprise. The product also centralizes log
collection across any number of agents.


VORMETRIC DATA SECURITY MANAGER SPECIFICATION TABLE

Specification | Description

General Specifications
Administration Interfaces | Secure Web, CLI, SOAP
Number of Management Domains | 1,000+
API Support | PKCS#11, Microsoft Extensible Key Management (EKM), SOAP
Security Authentication | Username/Password, RSA two-factor authentication (optional)
Cluster Support | Yes
Backup | Manual and scheduled secure backups. M of N key restoration.
Network Management | SNMP, NTP, Syslog-TCP
Syslog Formats | CEF, LEEF and RFC 5425
Certifications and Validations | FIPS 140-2 Level 2, FIPS 140-2 Level 3, Common Criteria in process, Suite B

Hardware Specifications
Hard Drive | Mirrored SAS drives
Memory | 12 Gigabytes
Safety Agency Approval | FCC and UL certifications
Serial Port | 1
Power Supplies | Redundant 800 watts max, field replaceable, AC 100 - 240V auto sense, 47-63 Hz
Chassis Dimensions | 2U Rack mountable, 17" x 17" x 3.5" inches (43.18 x 43.18 x 8.89 centimeters)
Weight | 30 lbs (13.64 Kgs)
Maximum BTU | 410
Operating Temperature | 10º to 35º C (50º to 95º F)
Non-operating Temperature | -40º to 70º C (-40º to 158º F)
Operating Relative Humidity | 8% to 90% (non-condensing)
Non-operating Relative Humidity | 5 to 95% (non-condensing)

Minimum Virtual Machine Specifications (Recommendation for Vormetric Data Security Manager Virtual Appliance)
Number of CPUs | 2
RAM (GB) | 4
Hard Disk (GB) | 80
Support Thin Provisioning | Yes

VORMETRIC DATA SECURITY MANAGER AND LICENSING OPTIONS

Name | SKU | Description
DSM 25—Physical | VOR-DSM-AP50-25 | Physical appliance, limited to managing 25 agents. FIPS 140-2 Level 2. Does not support multitenant operations.
DSM 25—Virtual | VOR-DSM-VM50-25 | Virtual appliance, limited to managing 25 agents. FIPS 140-2 Level 2. Does not support multitenant operations.
DSM Enterprise—Physical | VOR-DSM-AP50-ENT | Physical appliance. No agent management limit. FIPS 140-2 Level 2.
DSM Enterprise—Virtual | VOR-DSM-VM50-ENT | Virtual appliance. No agent management limit. FIPS 140-2 Level 2.
Upgrade DSM 25 to Enterprise | VOR-AO-ENT | Option to upgrade from an existing DSM 25 to DSM Enterprise (physical or virtual).
FIPS 140-2 Level 3 Upgrade | VOR-AO-HSM00-PL-P | Upgrade physical appliance to FIPS 140-2 Level 3 validation. Must be selected at time of order.


Vormetric Transparent Encryption Specifications

Vormetric Transparent Encryption enables data-at-rest encryption, privileged user
access control, and the collection of security intelligence logs for structured
databases and unstructured files —including those residing in physical, big data,
and cloud environments. By leveraging this transparent approach, your organization
can implement encryption, without having to make changes to your applications,
infrastructure, or business practices. Unlike other encryption solutions, protection
does not end after the encryption key is applied. Vormetric continues to enforce
least-privileged user policies to protect against unauthorized access by users and
processes, and it continues to log access. With these capabilities, you can ensure
continuous protection and control of your data.

Key Benefits
• Broadest platform support in industry: Windows, Linux, and Unix operating systems
• Easy to deploy; no application customization required
• High performance encryption
• Strong encryption and Suite B protocol support
• Privileged user access control
• Log all permitted, denied and restricted access attempts from users,
  applications and processes

VORMETRIC TRANSPARENT ENCRYPTION ARCHITECTURE

Vormetric Transparent Encryption is an agent that runs at the file system level or
volume level on a server. The agent is available for a broad selection of Windows,
Linux, and Unix platforms, and can be used in physical, virtual, cloud, and big data
environments — regardless of the underlying storage technology. All policy and key
administration is done through the Vormetric Data Security Manager.
Vormetric Transparent Encryption agents are distributed across the server
infrastructure. As a result, the product delivers scalability and eliminates the
bottlenecks and latency that plague proxy-based solutions. In addition, you can use
hardware-based encryption acceleration products, such as Intel AES-NI and SPARC
Niagara Crypto modules, to further enhance encryption performance.

[Figure: Privileged Users (SA, root); Approved Processes and Users; Cloud Provider / Outsource Administrators; Allow/Block; Encrypt/Decrypt; File System Agent; Encrypted Big Data, Databases or Files]

Technical Specifications

Platform Support
• Microsoft: Windows Server 2003, 2008, and 2012
• Linux: Red Hat Enterprise Linux (RHEL), SuSE Linux Enterprise Server and Ubuntu
• Unix: IBM AIX, HP-UX, Solaris
Database Support
• Oracle, DB2, SQL Server, MySQL, Sybase, NoSQL environments and others
Application Support
• Transparent to all applications and custom applications including SAP,
  SharePoint, Documentum, etc.
Big Data
• Cloudera CDH 4/5, MongoDB, other HDFS environments
Encryption Hardware Acceleration
• Intel Data Protection Technology with AES-NI and Secure Key
• SPARC Niagara Crypto modules
Policy and Key Administration
• Vormetric Data Security Manager with AES-NI and Secure Key

POWERFUL PRIVILEGED USER ACCESS CONTROLS

The agent enforces granular least-privileged user access policies that protect data
from misuse by privileged users and advanced persistent threat (APT) attacks.

Granular policies can be applied by user, process, file type, time of day, and other
parameters. Enforcement options are very granular; they can be used to control not
only permission to access clear-text data, but what file-system commands are
available to a user.


Vormetric Application Encryption Specifications

Use Vormetric Application Encryption any time you need to do application-layer
encryption of a specific field or column in a database, big data node, or PaaS
environment. Vormetric Application Encryption is a library that simplifies the
integration of encryption with existing corporate applications. The library provides
a set of documented, standards-based APIs that can be used to perform cryptographic
and key management operations. Vormetric Application Encryption eliminates the time,
complexity, and risk of developing and implementing an in-house encryption and key
management solution.

Compliance without the complexity

Key Benefits
• Leverage proven, Vormetric high-performance encryption and key management
• Broad application and platform support
• Centralize control of application-layer encryption and file system encryption
• Stop malicious DBAs, cloud administrators, hackers, and authorities with
  subpoenas from accessing valuable data

Technical Specifications
• Supported Environments: Microsoft .NET 2.0 and higher, JAVA 6 and 7, and C
• Standards: OASIS PKCS#11 APIs
• Encryption: AES
• Operating Systems: Windows 2008, 2012 and Linux
• Performance: over 50,000 credit card size encryption transactions per second
• Policy and Key Administration: Vormetric Data Security Manager

[Figure: Vormetric Application Encryption (VAE): www.acme.com Web Server; Application Server with VAE; Database or Big Data; DSM; Encryption Key Request / Response at initial request]

REDUCING APPLICATION-LAYER ENCRYPTION COMPLEXITY AND COSTS
Application-layer encryption is typically employed when compliance or regulatory
mandates require encryption of specific fields at the application layer, before data is
stored. Vormetric Application Encryption reduces the complexity and costs
associated with meeting this requirement, simplifying the process of adding
encryption capabilities to existing applications. Developers can use libraries for
Java, .NET, or C to facilitate communication between applications and the
Vormetric Application Encryption Agent. This agent encrypts data and returns the
resulting cipher text to the application, using the same proven high-performance
encryption and reliable key management capabilities that are employed by
Vormetric Transparent Encryption. All policy and key management is done through
the DSM, simplifying the data security operations environment by reducing the
number of administrative consoles that administrators have to learn and maintain.

PROTECTING DATA IN THE CLOUD


Security professionals often have concerns about moving sensitive data from
traditional enterprise applications to platform-as-a-service (PaaS) environments.
Vormetric Application Encryption enables you to encrypt sensitive data before it
leaves the enterprise and is stored in the cloud. By leveraging this approach, you
can ensure that cloud administrators, other customers, hackers, and authorities
with subpoenas can’t access sensitive data, which can help address relevant
auditor requirements and security policies.


Vormetric Key Management Specifications

With Vormetric Key Management, you can centrally manage keys from all Vormetric
products, and securely store and inventory third-party keys and certificates. The
product provides a high availability, standards-based, FIPS 140-2 validated key
management platform that can secure keys for Microsoft TDE, Oracle TDE, and
KMIP-compliant devices. By consolidating key management, this product fosters
consistent policy implementation across multiple systems, reducing training and
maintenance costs.

Key Benefits
• Operational efficiency, continuous availability, secure storage, and inventory
  of certificates and encryption keys
• Alerts offer proactive notifications of certificate and key expiration
• Reports provide status and characteristic information, audit support

[Figure: DSM with Integrated Vormetric Keys and Policies; TDE Keys (Oracle Tablespace Encryption Keys for Encrypted Tablespaces, SQL Server Database Encryption Keys for Encrypted Database); KMIP Keys (Self encrypting drives, tape libraries, etc); Securely Vault Keys and Certificates (Symmetric, Asymmetric, Certificates): Manual Key Import, Key Vault, Reporting, Logging; Scripting Interface: Ingest, Retrieval, Removal]

Technical specifications

Manage Security Objects
• X.509 certificates
• Symmetric and asymmetric encryption keys
Administration
• Secure-web, CLI, API
• Bulk import of digital certificates and encryption keys
• Validates on import
• Extracts basic attributes from uploaded certificates and keys for reporting
• Command line scripts
• Retrieval and removal
Supported Key and Certificate Formats for Search, Alerts, and Reports
• Symmetric encryption key algorithms: 3DES, AES128, AES256, ARIA128, and ARIA256
• Asymmetric encryption key algorithms: RSA1024, RSA2048, and RSA4096
• Digital certificates (X.509): PKCS#7, PKCS#8, DER, PEM, PKCS#12
Transparent Database Encryption (TDE)
• Key management for both Oracle TDE and Microsoft SQL Server TDE
API Support
• PKCS#11, Microsoft Extensible Key Management (EKM), and OASIS KMIP
Key Availability and Redundancy
• Secure replication of keys across multiple appliances with automated backups

CONSOLIDATE AND SIMPLIFY KEY MANAGEMENT AND VAULT CERTIFICATES

Historically, as the number of applications and devices using encryption proliferated,
there was a commensurate increase in the number of key management devices
employed. This growing number of key management devices added cost and
complexity to securing sensitive data. Further, these disparate key management
devices often left valuable certificates unprotected, making them easy prey for
hackers. Also, if these certificates are left unmanaged, they can unexpectedly expire,
which can result in the unplanned downtime of vital corporate services. The Vormetric
Data Security Platform extends your key management capabilities, enabling you to
manage keys for Vormetric’s encryption products as well as keys and certificates from
third-party products.

SECURE, RELIABLE, AND AUDITABLE

Vormetric Key Management offers all the reliability and availability capabilities of
Vormetric DSM. Vormetric DSM features an optional FIPS 140-2 Level 3 validated
hardware security module (HSM). The solution provides extensive audit capabilities
that can be used to report on all activities relating to key usage, including key
generation, rotation, destruction, import, expiration, and export.


Vormetric Security Intelligence Specifications

Vormetric Security Intelligence are granular event logs that produce an auditable
trail of permitted and denied access attempts from users and processes, delivering
unprecedented insight into file access activities. Logging occurs at the file system
level, removing the threat of an unauthorized user gaining stealthy access to
sensitive data. These logs can inform of unusual or improper data access and
accelerate the detection of insider threats, hackers, and advanced persistent threats
(APT) that have bypassed perimeter security. With the availability of pre-defined
dashboards and reports, Vormetric Security Intelligence easily integrates with SIEM
systems to produce compliance and security reports.

Key Benefits
• Increased visibility of sensitive data access
• Accelerated APT and insider threat detection
• Export logs in all major log formats: Syslog RFC5424, CEF, and LEEF
• Fast integration with Vormetric SIEM partners
• Consolidated and consistent compliance and audit reporting

SIEM Partner Integration
• Vormetric Splunk App
• HP ArcSight CEF Certified SmartConnector
• IBM QRadar Vormetric Device Support Module

[Figure: Data protected by Vormetric Transparent Encryption (Big Data, SAN / NAS, Cloud, File Systems, VMs, Databases) sends granular security intelligence logs on file access (RFC5424 Logs, CEF Logs, LEEF Logs) through the Vormetric Data Security Manager to SIEM / Vormetric SIEM Partners: identify unusual file access patterns, accelerate detection of insider threats and APTs, create compliance and audit reports]

PROVIDING SECURITY INTELLIGENCE

Vormetric Security Intelligence provides logs that detail which processes and
users have accessed protected data. Sharing these logs with a SIEM platform helps
uncover anomalous process and user access patterns, which can prompt further
investigation. For example, an administrator or process may suddenly access much
larger volumes of data than normal, or attempt to do an unauthorized download of
files. Such inconsistent usage patterns could point to an APT attack or malicious
insider activities. Traditionally, SIEMs relied on logs from firewalls, IPSs, and NetFlow
devices. Because this intelligence is captured at the network perimeter, these
approaches leave a commonly exploited blind spot: They don’t provide any visibility
into the activity occurring on servers. Vormetric Security Intelligence fills this blind
spot, helping accelerate the detection of APTs and insider threats.

COMPLIANCE REPORTING

In order to adhere to many compliance mandates and regulations, many organizations
must be able to prove that data protection is in place and operational. Vormetric
Security Intelligence is commonly used to prove to an auditor that encryption, key
management, and access policies are working effectively. The detailed logs are
shared and reviewed to specify when users and processes accessed data, under
which policies, and if access requests were allowed or denied. The logs will even
expose when a privileged user leverages a command like “switch user” in order to
attempt to imitate another user.

About Vormetric

Vormetric (@Vormetric) is the industry leader in data security solutions that span
physical, virtual and cloud environments. Data is the new currency and Vormetric
helps over 1400 customers, including 17 of the Fortune 25 and many of the world’s
most security conscious government organizations, to meet compliance requirements
and protect what matters — their sensitive data — from both internal and external
threats. For more information, please visit: www.vormetric.com.

Global Headquarters
2545 N. 1st Street,
San Jose, CA 95131
Tel: +1.888.267.3732
Fax: +1.408.844.8638
www.vormetric.com

EMEA Headquarters
200 Brook Drive
Green Park, Reading,
RG2 6UB
United Kingdom
Tel: +44.118.949.7711
Fax: +44.118.949.7001

APAC Headquarters
27F, Trade Tower, 159 -1
Samsung-dong,
Gangnam-gu, Seoul. (135-729)
Tel: +82.2.6007.2662
www.vormetric.co.kr

©2014 Vormetric, Inc. All rights reserved.
