Capability Domains met by Entrust Digital Security

nShield Security World

The nShield Security World provides a specialized key management framework that spans the entire nShield family of general-purpose HSMs. This architecture provides a unified administrator and user experience and guaranteed interoperability whether the customer deploys one device or hundreds.

Administration and operation functions are separated using distinct sets of smart cards, each created as a k-of-n quorum using Shamir secret sharing: any k of the n cards in a set must be presented to perform the operation that set protects, and fewer than k cards reveal nothing about the protected material. Because no single card holder can act alone, the k-of-n quorum inherently enforces separation of duties and multi-party control.
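To make the k-of-n quorum concrete, the following is an added example (not Entrust code, and not the format nShield writes to its smart cards) of Shamir secret sharing over a prime field. A 256-bit key is split into n shares such that any k of them reconstruct it exactly, while k-1 shares yield a value unrelated to the key. The choice of the Mersenne prime 2**521 - 1 as the field, the (x, y) share layout, and the sample key are this example's assumptions.

```python
"""Shamir k-of-n secret sharing (added example, not Entrust's implementation)."""
import secrets

# Field modulus: the Mersenne prime 2**521 - 1 (assumption for this example).
# Any secret shorter than 521 bits, e.g. a 256-bit AES key, fits in the field.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x, p):
    """Evaluate the polynomial at x using Horner's method.
    coeffs[0] is the constant term, i.e. the secret itself."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, k, n, p=PRIME):
    """Split an integer secret into n shares with threshold k.

    A random polynomial of degree k-1 is chosen with the secret as its
    constant term; share i is the point (i, f(i)). Any k points determine
    the polynomial and therefore f(0) = secret; k-1 points are consistent
    with every possible secret, so they leak nothing."""
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    if not 0 <= secret < p:
        raise ValueError("secret must be an integer in [0, p)")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover_secret(shares, p=PRIME):
    """Recover f(0) by Lagrange interpolation over the given shares.

    The arithmetic cannot tell whether enough shares were supplied: with
    fewer than k shares it still returns a value, but that value is a
    uniformly random field element rather than the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj == xi:
                continue
            num = num * (-xj) % p
            den = den * (xi - xj) % p
        # pow(den, -1, p) is the modular inverse (Python 3.8+)
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def split_key(key, k, n):
    """Convenience wrapper: split a key given as bytes."""
    return split_secret(int.from_bytes(key, "big"), k, n)


def recover_key(shares, length):
    """Convenience wrapper: recover a key of `length` bytes from shares."""
    return recover_secret(shares).to_bytes(length, "big")


if __name__ == "__main__":
    # Constructed sample: a 256-bit key protected by a 3-of-5 card set.
    key = secrets.token_bytes(32)
    shares = split_key(key, k=3, n=5)
    print("any 3 cards recover the key:",
          recover_key([shares[0], shares[2], shares[4]], 32) == key)
    print("2 cards give an unrelated value:",
          recover_secret(shares[:2]) != int.from_bytes(key, "big"))
```

Only the threshold k, stored alongside the share set in practice, tells a holder how many cards are required; the recovery arithmetic itself never fails below the threshold, which is exactly why the quorum size must be enforced by the device presenting the cards rather than inferred from the mathematics.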



Methods of Key Protection

Our flexible Security World architecture provides three different methods of key protection, isolation, and access control: Operator Card Set (OCS) protection, where keys are bound to a physical smart-card token and a passphrase; softcard protection, where keys are bound to a passphrase alone; and module protection, where keys are usable by any authorized application on the HSM. There is no logical limit to how many instances of each mechanism can be used, and application keys protected under different mechanisms (or different card sets) are cryptographically separated from one another, which can be used to establish cryptographic boundaries between tenants in a multi-tenant deployment.

With strict process isolation controls, once a key is loaded into the HSM, only the application session that loaded the key can access it in HSM memory.



Entrust PKI & Digital Certificates

PKI and certificates provide the ability to restrict access to data by issuing secure credentials for authentication to data management platforms, as well as a means to sign data for integrity and encrypt data for confidentiality. The PKI allows users to exchange data securely and to validate that signatures on data are legitimate. PKI also provides a means to distribute the keys and certificates used for data protection to devices and users in an automated way.

For controlling internal system access, much of the requirement relates to setting up and enforcing policy around data access. PKI and certificates support enforcement of those policies by providing every participant with a credential against which the defined access policies can be evaluated. Typically this is done through a corporate directory such as Active Directory (AD): access to resources is defined there, and group policy places users into access groups that use certificates for authentication. Credentials placed on access cards, in AD, or on user devices via MDM then govern access control. Remote system access, whether VPN, secure authentication, or MFA, is likewise backed by cryptographic keys and certificates.

When it comes to limiting data access to authorized users and processes, device certificates and MDM apply because encryption certificates are deployed to devices. User certificates issued by the PKI are delivered via MDM, allowing users to encrypt and decrypt content and view it on their devices seamlessly, and the PKI enables those credentials to be distributed to many endpoints. Full-disk encryption solutions such as Microsoft BitLocker use certificates and keys deployed to endpoints to carry out disk encryption and decryption. Containers can be protected in a similar way through code signing and the use of secrets managers such as HashiCorp Vault.



Entrust Identity

Entrust Identity uses identity to grant the right level of access to the right applications through a set of centrally managed policies, with the ability to inject real-time contextual information through adaptive, risk-based authentication. Administrators can easily set access and entitlement rules based on attributes such as user group membership.

Entrust Identity provides visibility into who has access to which data and which specific applications. Defined users can be assigned to established groups and granted access to applications and services by group. Privileged users can be placed into a dedicated group, and controls over accounts and resources can be applied to that group.

Entrust Identity allows IT administrators to handle unsuccessful log-on attempts in accordance with the organization's policy. Entrust Identity automatically monitors session activity and allows IT administrators to centrally manage organizational policy for session timeout and re-authentication. Session termination rules can be established, as can account unlock processes based on a timeout or Help Desk intervention.

Entrust Identity's advanced MFA offers a non-disruptive, non-intrusive, easily integrated solution that works with your Virtual Private Network (VPN), Remote Desktop Protocol (RDP) and Secure Shell (SSH).

Entrust Identity maintains logs for monitoring and supports MFA for initial access to remote sessions. Entrust Identity can verify and control connections to external systems, but it may not limit those connections; restricting them requires a separate control.



Entrust CloudControl

Entrust CloudControl enforces a least-privilege access model and separation of duties across the environment to mitigate the risk of intentional or unintentional misuse. Specific functionality includes an automated secondary approver, temporary access requests via Root Password Vaulting, and two-factor authentication. Privileged access administration for groups and individuals leverages Active Directory.



Entrust DataControl

Entrust DataControl provides platform-independent data-at-rest encryption and KMIP-compliant, FIPS-certified key management. The encryption policy travels with the workload so that data is always protected. This platform-agnostic solution allows customers to administer, track, and monitor workloads wherever they reside (on-premises or in the cloud) via a single, easy-to-use interface. DataControl limits user and group access to encrypted workloads, allowing for secure multi-tenant configurations.