CA DataMinder Tuesday Tip: CA (DLP) DataMinder Advanced Encryption.

Discussion created by devan05 Employee on Dec 11, 2012
Latest reply on Dec 13, 2012 by Chris_Hackett
CA (DLP) DataMinder Advanced Encryption published by Andrew Devine, Snr. Support Engineer on Tuesday 11 December 2012.

You can deploy CA (DLP) DataMinder in Advanced Encryption mode. When deployed in this mode, CA DataMinder uses Transport Layer Security (TLS) and certificates to enable FIPS 140-2 compliant data transfers between CA DataMinder machines.

Advanced Encryption mode was introduced in CA DLP r12.0 (via FIX:RO16355) onwards but there is no migration path from a non-secured environment to a secured one so it is worth considering FIPS before you begin a production deployment.

Note: In theory, it is possible to convert your existing CA DataMinder machines to run in Advanced Encryption Mode. But in practice, this requires you to take all CA DataMinder machines offline and reconfigure them before restarting CA DataMinder. Any machines not changed at this point would cease to communicate with other machines in the CA DataMinder enterprise. For a typical CA DataMinder enterprise, with hundreds or thousands of protected machines, this is unlikely to be practicable.

Delpoying Advanced Encryption. allows CA DataMinder machines use a single enterprise certificate across the CA DataMinder enterprise. There is no authentication of individual machines. Any machine possessing the enterprise certificate and its associated private key can communicate with any CA DataMinder machine that uses the same certificate.

FIPS 140-2 is the Federal Information Processing Standards (FIPS) 140-2 publication, a security standard for the cryptographic libraries and algorithms that a product should use for encryption.

On Federal networks, FIPS 140-2 encryption affects the communication of all sensitive data between components of CA products and between CA products and third-party products. FIPS 140-2 specifies the requirements for using cryptographic algorithms within a security system protecting sensitive, unclassified data.

In Advanced Encryption Mode, CA DataMinder uses these encryption algorithms:

[*] Data Transfers: Sensitive data sent across the network between CA DataMinder machines is encrypted with TLS, using AES 128-bit as the symmetric cipher algorithm.

[*] Captured data: Blob files (binary large objects) containing captured data are encrypted using AES 128-bit as the symmetric cipher algorithm. They are saved in the CMS data store.

[*] Local encryption keys: These keys, used to encrypt captured data and policy data, are themselves encrypted with a master key using the 3DES (Triple Data Encryption Standard) algorithm.

When two CA DataMinder machines transfer data using the Java RMI service, the data is encrypted with TLS. In practical terms, this means that any potentially sensitive data is encrypted. The cryptographic modules are used to encrypt communications between machines running the CA DataMinder Infrastructure, plus data stored by the infrastructure such as encryption keys and Binary Large Object files (blobs) containing captured data.

For more information on this topic please refer to the CA (DLP) DataMinder r14.1 Platform Deployment Guide (DLP_Platform_ENU.pdf) which is available to download from theCA DataMinder 14.1 Bookshelf.