As you may be aware, Thales has announced End of Life (EOL) and End of Support (EOS) for the two key managers it acquired from Gemalto/SafeNet and Vormetric: KeySecure and DSM. The EOS date for KeySecure is 31 December 2023; the EOS date for DSM has not yet been announced. Either way, I believe 2023 is the right time for customers running either of these key managers to choose a new product for storing their encryption keys, or to migrate to the equivalent product from Thales, CipherTrust Manager (CM). In this post I will try to explain what CM is and which features Thales provides in this next-generation key manager.
Now think as a customer who is running KeySecure and/or DSM, has no alternative to these classic key managers, and is not planning to move to any new key manager in 2023. The bad news is that KeySecure is already declared EOS. DSM customers may still have some time, because DSM remains supported until its EOL/EOS is formally declared. Either way, it is better to initiate the migration project now: it has to be discussed with all stakeholders, but we should kick it off and start planning as soon as possible.
What Thales Offers
Thales has a wide range of products covering data, identity and security. If you do not want to trade anything off and want everything to work as it did before, Thales has a next-generation product line for every level of encryption: file-level encryption, application-level encryption, database-level encryption, and so on.
Migration:
Migration has to happen in the coming months. Every project has scope creep to deal with and has to balance the three main constraints (scope, budget and time). Here time is an external dependency fixed by the EOS date: if the project is not started on time, the only way to recover is to trade off against the other two. I believe a few of you have already scheduled the migration and completed a cost-benefit analysis of the plans you have in place for choosing a key management product.
Simple cost-benefit analysis formula:
ROI = (G − C) ÷ C
where G = financial gains and C = upfront and ongoing costs of your investment.
I personally suggest following a proper project cycle in the initiation phase of the migration project and drafting a project charter that defines the project and outlines the details it needs to reach its goal.
Coming back to the migration: as far as I know, there is no good replacement for KeySecure and DSM on the market at the moment. There are FutureX, Fortanix and others, but I doubt they support migration from KeySecure and DSM. The only product I can see, and have personally experimented with, is CipherTrust Manager (CM) by Thales. You can migrate from KeySecure and DSM to CM by running a few commands, and your job is done.
Advantages of CM:
Let me just scratch the surface; the rest of the details can be found on Thales's website.
- CM is built on a microservice-based architecture, so it is faster and more loosely coupled than KeySecure and DSM, which are monolithic.
- CM has a wide range of KMIP integrations, and Thales engineering aims to cover the products on the market, so if you have a product that supports KMIP it should be able to use CM as its key server. Still, check that your product's KMIP version and profile appear on Thales's supported-integrations list before you commit to the migration.
- CM supports all the classic or legacy clients from Gemalto/SafeNet and Vormetric, and there is a proper migration path for those clients as well. Examples:
Example: VAE is migrated to CADP for C
VKM is migrated to CAKM for ORACLE TDE and CAKM for MSSQL
SVT/VTS to CT-VL
Vormetric BDT to CM BDT
SVT to CADP for Java, etc.
- CM was built by merging Gemalto SafeNet KeySecure, Vormetric DSM and Vormetric Transparent Encryption into one platform. It is a powerful replacement for DSM and KeySecure, and many customers are finding it compelling.
- CM preserves all keys and encryption configurations during migration, which lets customers continue with their existing configurations. Still verify the key inventory on CM against the source before you decommission the old key manager.
- CM supports a wide variety of clients; the most useful ones are listed below:
1: CipherTrust Application Data Protection (CADP): application-level encryption with support for C, Java, .NET Core and PKCS#11.
2: CipherTrust Transparent Encryption (CTE):
CTE protects data at rest residing on Direct Attached Storage (DAS), Network Attached Storage (NAS) or Storage Area Networks (SAN). This can be a mapped drive or mounted disk, or a path addressed through Universal Naming Convention (UNC) paths.
CTE secures data with little impact on application performance. It requires no changes to your existing infrastructure and supports separation of duties between data owners, system administrators and security administrators.
3: CipherTrust Tokenization
4: CipherTrust Cloud Key Manager (CCKM)
5: CipherTrust Application Key Management (CAKM) for Oracle and MSSQL
6: CipherTrust Database Protection (CDP), etc.
Complexity in Migration:
So far the Thales product team has been focused on removing the barriers that can cause trouble during migration. For example, to migrate from SafeNet ProtectFile to CTE, the KeySecure itself has to be migrated to CM first, so follow the documentation carefully for a successful migration.
Example: migration steps from ProtectFile (PF) to CTE
- Backup ProtectFile Manager on Classic KeySecure.
- Apply the backup to CipherTrust Manager.
- Update the ProtectFile client profiles.
- Upgrade the ProtectFile clients.
- Migrate the ProtectFile clients to CM.
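Before decommissioning the classic KeySecure or DSM after the steps above, I want proof that every key version made it across unchanged. The script below is an added example of that check, not Thales code and not part of the documented ProtectFile-to-CTE procedure. It does not talk to KeySecure or CM; it assumes you have exported each side's key list to JSON in the simplified shape of the constructed sample data (name, algorithm, size, version, state) and reports missing keys, attribute mismatches and keys that exist only on CM.

```python
"""Reconcile a source key inventory with the post-migration inventory on CM.

Added example, not Thales code. Assumes both inventories were exported to JSON
as a list of records with name/algorithm/size/version/state fields (the field
names are an assumption for this example, not CM's export format).
"""
import json
from typing import Dict, List, Tuple

# Constructed sample inventories (not real exports). The target deliberately
# lacks one key, carries one key with a changed size, and has an extra key.
SOURCE_JSON = """
[
  {"name": "db-tde-master", "algorithm": "AES", "size": 256, "version": 0, "state": "Active"},
  {"name": "db-tde-master", "algorithm": "AES", "size": 256, "version": 1, "state": "Active"},
  {"name": "pf-fileshare-key", "algorithm": "AES", "size": 256, "version": 0, "state": "Active"},
  {"name": "legacy-3des", "algorithm": "TDES", "size": 192, "version": 0, "state": "Deactivated"},
  {"name": "app-rsa-wrap", "algorithm": "RSA", "size": 2048, "version": 0, "state": "Active"}
]
"""
TARGET_JSON = """
[
  {"name": "db-tde-master", "algorithm": "AES", "size": 256, "version": 0, "state": "Active"},
  {"name": "db-tde-master", "algorithm": "AES", "size": 256, "version": 1, "state": "Active"},
  {"name": "pf-fileshare-key", "algorithm": "AES", "size": 128, "version": 0, "state": "Active"},
  {"name": "legacy-3des", "algorithm": "TDES", "size": 192, "version": 0, "state": "Deactivated"},
  {"name": "cm-default-key", "algorithm": "AES", "size": 256, "version": 0, "state": "Active"}
]
"""

Key = Tuple[str, int]  # (name, version) identifies one key version
COMPARED_ATTRS = ("algorithm", "size", "state")


def index_inventory(records: List[dict]) -> Dict[Key, dict]:
    """Index key records by (name, version); a duplicate is a data error."""
    indexed: Dict[Key, dict] = {}
    for rec in records:
        key = (rec["name"], int(rec["version"]))
        if key in indexed:
            raise ValueError(f"duplicate key version in inventory: {key}")
        indexed[key] = rec
    return indexed


def reconcile(source: List[dict], target: List[dict]) -> dict:
    """Return missing key versions, attribute mismatches and target-only keys."""
    src = index_inventory(source)
    dst = index_inventory(target)
    missing = sorted(k for k in src if k not in dst)
    extra = sorted(k for k in dst if k not in src)
    mismatched = []
    for k in sorted(src.keys() & dst.keys()):
        diffs = {a: (src[k][a], dst[k][a])
                 for a in COMPARED_ATTRS if src[k][a] != dst[k][a]}
        if diffs:
            mismatched.append((k, diffs))
    return {"missing": missing, "mismatched": mismatched, "extra": extra}


def report_from_json(source_text: str, target_text: str) -> dict:
    """Convenience wrapper: reconcile two JSON inventory exports."""
    return reconcile(json.loads(source_text), json.loads(target_text))


def safe_to_decommission(report: dict) -> bool:
    """The source may be retired only when every key version arrived intact.
    Keys that exist only on CM (e.g. defaults it creates) are informational."""
    return not report["missing"] and not report["mismatched"]


def main() -> None:
    report = report_from_json(SOURCE_JSON, TARGET_JSON)
    for name, ver in report["missing"]:
        print(f"MISSING on target: {name} v{ver}")
    for (name, ver), diffs in report["mismatched"]:
        for attr, (s, d) in diffs.items():
            print(f"MISMATCH {name} v{ver}: {attr} source={s} target={d}")
    for name, ver in report["extra"]:
        print(f"info: only on target: {name} v{ver}")
    print("OK to decommission source" if safe_to_decommission(report)
          else "DO NOT decommission source yet")


if __name__ == "__main__":
    main()
```

Run it against the constructed data and it refuses to sign off: one key is missing on the target and one came across with a different size. Replace the two JSON strings with your real exports and keep the old key manager online until the report is clean; a key that is merely missing from CM is recoverable while the source still exists, and unrecoverable once it is gone.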
You can visit Thales Docs for full details:
https://thalesdocs.com/ctp/cm/latest/get_started/pf2cte/index.html
For any help from Thales, you can always reach Thales Support at technical.support.dis@thalesgroup.com
I wish you a very Happy Migration.
Aadil Nabi