
www.thales-esecurity.com

Achieve End-to-End Data Protection with Voltage Security and Thales nShield Hardware Security Modules




Solution Benefits
Protect data everywhere it goes
Reduce the cost of compliance and audits
Quickly deploy and manage
Protect the integrity of data security processes
Guaranteed recoverability of data

Thales e-Security

Voltage Security and Thales Solution Overview
Sensitive data is at risk from the moment it is created or
captured. Too often, organizations recognize the need
for greater security only after a data breach, and face
costly consequences under an array of data protection
regulations and laws. To reduce risk and demonstrate
compliance, many organizations employ auditable data
protection management processes - including encryption
and key management - that aim to render sensitive
information useless to all but legitimate users.

"The Voltage solution integrated with Thales HSMs just works, and in a matter of
weeks rather than months, delivered the data protection and key management that
Heartland needs to move the payments industry forward."
Steven Elefant, CIO, Heartland Payment Systems

Voltage Security and Thales solutions combine to deliver
a comprehensive end-to-end data protection approach
that encompasses enterprise applications, point of sale
and storage infrastructure. Together they help eliminate
the traditional deployment and scale issues that have
plagued data protection projects in the past. They ensure
that organizations can achieve the performance and
security required, easily demonstrate compliance and
where possible minimize the scope of audits including PCI
DSS. Tightly integrated with Voltage Security solutions,
Thales nShield hardware security modules (HSMs) enforce
security policies and provide a high assurance,
tamper-resistant environment for encryption and key
management, securing not only sensitive data but the
data protection system itself from compromise.

Comprehensive Approaches To Data Protection
The Voltage Security solution supports a number of data protection
techniques that address numerous security and operational
goals, and these can be applied at multiple points across an
organization's extended IT infrastructure.
Data Encryption
Encryption protects sensitive data wherever it goes and
prevents unauthorized applications and users from accessing it.
By encrypting data, companies can reduce the scope of PCI
DSS audits and may achieve safe harbor from data breach
disclosure and protection laws. However, IT architects and
security professionals often have concerns relating to the potential
disruption of adding encryption to existing data processing systems
and schema and to the difficulty and costs of managing and
distributing keys efficiently and securely. To help overcome these
challenges the Voltage SecureData solution embodies
important innovations:
Voltage Identity-Based Encryption (IBE)
This approach for deriving keys simplifies the deployment and
increases the scalability of end-to-end encryption. With IBE, public
keys for a device or user are derived from credentials that already
exist (e.g., server name, email address). This avoids the need to
pre-issue keys and specialized credentials and makes the task
of supporting large populations of users and devices far easier.
Security-sensitive and time-intensive key distribution and tracking
processes are virtually eliminated.
Voltage Format-Preserving Encryption (FPE)
This mode of using AES encryption enables tightly structured
sensitive data, such as credit card and social security
numbers, to be encrypted while still retaining their defining
characteristics such as field length. This means applications no
longer need special re-coding to process encrypted fields and
costly database schema changes can be avoided.
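The format-preserving property described above, as an added sketch that is not Voltage's algorithm or code from this brief: a balanced Feistel network over decimal digits whose output has the same length and separators as the input. It assumes HMAC-SHA256 as the round function in place of AES, and the key, round count and function names are constructed for illustration.

```python
import hashlib
import hmac

DIGITS = "0123456789"
ROUNDS = 10  # even, so the two half-lengths line up again for decryption

def _check(digits):
    if len(digits) < 2 or any(ch not in DIGITS for ch in digits):
        raise ValueError("need at least two ASCII digits")

def _prf(key, rnd, half, width):
    # Round function: HMAC-SHA256 over (round number, other half), mod 10**width.
    mac = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** width

def fpe_encrypt(key, digits):
    _check(digits)
    mid = len(digits) // 2
    a, b = digits[:mid], digits[mid:]
    for rnd in range(ROUNDS):
        # Modular addition keeps the result inside the same digit count.
        c = (int(a) + _prf(key, rnd, b, len(a))) % 10 ** len(a)
        a, b = b, str(c).zfill(len(a))
    return a + b

def fpe_decrypt(key, digits):
    _check(digits)
    mid = len(digits) // 2
    a, b = digits[:mid], digits[mid:]
    for rnd in reversed(range(ROUNDS)):
        # Undo one round: b holds the sum, a holds the half that keyed the PRF.
        prev = (int(b) - _prf(key, rnd, a, len(b))) % 10 ** len(b)
        a, b = str(prev).zfill(len(b)), a
    return a + b

def protect_field(key, field, decrypt=False):
    # Transform only the digits; spaces, dashes and letters stay in place,
    # so the stored value still fits the existing column and validators.
    digits = "".join(ch for ch in field if ch in DIGITS)
    out = iter((fpe_decrypt if decrypt else fpe_encrypt)(key, digits))
    return "".join(next(out) if ch in DIGITS else ch for ch in field)

if __name__ == "__main__":
    key = b"constructed demo key"          # constructed sample key
    pan = "0012 3456 7890 0000"            # sample value from Figure 1
    token = protect_field(key, pan)
    print(token, protect_field(key, token, decrypt=True))
```

This sketch has no tweak input and has not been analysed for small domains; a deployment would use a vetted implementation of a standardized AES-based mode such as FF1 from NIST SP 800-38G.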
Tokenization & Data Masking
In many situations the challenge of protecting sensitive data can
be made easier by simply removing the data in question.
Very often, sensitive information such as Primary Account Number
(PAN) data may flow through numerous applications, databases
and storage systems but does not need to be directly accessed in
order for them to function correctly.
To achieve this, Voltage SecureData Enterprise includes Voltage
Secure Stateless Tokenization (SST) technology, which takes
specific classes of sensitive data that have a tightly defined format,
such as a PAN, and generates unrelated data in the same format
to act as a substitute value. The token is then used as if it were the
original data by applications and can be safely viewed by staff.
Voltage SST technology is stateless because it eliminates the
token database which is central to other tokenization solutions,
and removes the need for storage of cardholder or other sensitive
data. Voltage has developed an approach to tokenization that uses
a set of static, pre-generated tables containing random numbers
created using a FIPS random number generator. These static tables
reside on virtual appliances (commodity servers) and are used
to consistently produce a unique, random token for each clear
text PAN input, resulting in a token that has no relationship to the
original PAN. No token database is required with SST technology,
thus improving the speed, scalability, security and manageability
of the tokenization process and dramatically reducing PCI DSS
compliance scope.

Figure 1 Compared to traditional AES encryption, Voltage AES+FPE maintains the original field length.

Field | Original | FPE | AES
Credit Card | 0012 3456 7890 0000 | 2724 9283 2943 2838 | *juYE62W%UWjaks&
Tax ID | 000-00-0000 | 982-28-7723 | lja&2924kUEF65%Q
Bank Account | 800N2982K-22 | 709G9242H-35 | Hiu97NMko2 Ku}oq

Figure 2 Combined solution: Voltage SecureData and Thales HSMs in a merchant deployment model. (Diagram labels: Merchant, Merchant Acquirer.)

Organizations are required to protect their customers' Personally
Identifiable Information (PII) data in their systems, including in test,
development, analytics warehouses and outsourced environments.
Voltage SecureData delivers a comprehensive solution for data
encryption, de-identification, and masking that does not require costly
and time-consuming data schema and format changes in existing
systems. Voltage SecureData Masking enables enterprises to ensure
sensitive data is de-identified, while remaining usable, before it is
distributed to less controlled environments such as test, development
and analytics warehouses. Voltage SecureData Masking delivers the
same rigor for non-production test and development systems,
by leveraging an extensible architecture with powerful tools for
policy-driven data masking.
Email and File Encryption
While transaction systems and business applications that handle
sensitive data must clearly be protected, that same sensitive data
is also found in less tightly structured systems such as email and
file servers. Data within these systems is often widely shared inside
and outside the organization and is notoriously hard to control, and
protecting it typically involves significant effort and complexity for the average user.
Consequently, email and file encryption projects have been slow to
deploy and often fail as user objections emerge.
Voltage SecureMail and Voltage SecureFile use a different
approach, making deployment easier and the user experience
simple. With Voltage IBE technology, email or server identities are
used to derive public encryption keys. Using this approach, email
encryption is transparent to users and can be enforced by policy.
Similarly, file encryption can also be deployed transparently and is
available on a wide range of platforms.

Benefits of the Combined Solution


The combined power of the Voltage Security and Thales solution is
unique in its ability to secure data and the data protection system
itself against compromise. Thales HSMs not only secure and
manage the root, system-level secrets of the Voltage solution but
they also protect the sensitive encryption operations associated
with IBE key derivation. Security-critical processes are performed
within the Thales HSM using the Secure Execution Engine (SEE)
capability, which ensures encryption and key management
operations are performed inside the HSM's tamper-resistant
environment away from possible malware or insider compromise.
The Thales nShield HSMs are independently certified to the FIPS
140-2 Level 3 security benchmark and employ sophisticated key
management techniques to ensure that keys are securely managed
and backed up, guaranteeing recoverability in the event of system
failure. All administrative functions on the HSMs, and on the
keys that they protect, require strong authentication for system
administrators which can be further strengthened by establishing
dual controls, whereby the collusion of multiple administrators
would be required to subvert the system. Together, these
capabilities provide comprehensive logical and physical protection
that delivers a tangible and auditable method for enforcing the
security policies that underpin this critical component of a data
protection infrastructure.

Summary
Secure data everywhere it goes
By focusing on protecting sensitive data instead of building barriers
that restrict the flow of data, organizations can develop IT security
programs that help enable business growth. Voltage Security and
Thales data protection solutions enable you to secure your data
throughout your organization and out to business partners and
service providers - end-to-end.
Reduce the cost of compliance and audits
By protecting sensitive data, Voltage Security data protection
solutions allow organizations to reduce the scope of audits
and achieve safe harbor. Thales nShield HSMs make it easy to
demonstrate policy enforcement, reducing the time spent on audits.
Sixty-three percent of QSAs find that the use of HSMs reduces the
time spent demonstrating compliance.
Build trust into your data protection system
Too often sensitive data has been compromised by unauthorized
insiders or malicious software. Voltage Security and Thales
solutions uniquely move the most sensitive data protection and key
management processes from software-based systems into certified,
hardware-based and tamper-resistant Thales nShield HSMs.

For additional information follow the links below:


Voltage Format Preserving Encryption™, Tokenization, and Masking
Voltage SecureData
Voltage SecureData Payments
Voltage Email Encryption
Voltage SecureMail
Voltage SecureMail Cloud
File Encryption
Voltage SecureFile
Thales Hardware Security Modules
Thales nShield Connect
Thales nShield Solo


Americas Thales e-Security Inc. 900 South Pine Island Road, Suite 710, Plantation, FL 33324 USA Tel:+1 888 744 4976 or +1 954 888 6200 Fax:+1 954 888 6211 E-mail: sales@thalesesec.com
Asia Pacific Unit 4101 41/F 248, Queens Road East, Wanchai, Hong Kong, PRC Tel:+852 2815 8633 Fax:+852 2815 8141 E-mail: asia.sales@thales-esecurity.com
Europe, Middle East, Africa Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ Tel:+44 (0)1844 201800 Fax:+44 (0)1844 208550 E-mail: emea.sales@thales-esecurity.com

Thales e-Security February 2013 LH1022

Quickly deploy and manage


Voltage Security and Thales solutions enable developers,
administrators, and operations teams to quickly deploy and
manage data protection. Thales nShield HSMs integrate with
the complete range of Voltage Security data protection products
including Voltage SecureData Enterprise, Voltage SecureData
Payments and Voltage SecureMail and fully support both encryption
and tokenization capabilities.
