Data Sheet

Leader in Runtime Encryption

Fortanix Self-Defending Key Management Service (SDKMS)

Next generation HSM and Key Management

As you shift your applications to new infrastructures, you need a solution that can protect all your data on-premises as well as in the cloud.
Fortanix Self-Defending Key Management Service (SDKMS) delivers HSM, Key Management, Encryption, and Tokenization for your hybrid and
cloud-native applications, all from the same integrated solution. Fortanix introduces a radical new technology — Runtime Encryption, and a
new product architecture.

With SDKMS, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as passwords, API keys,
tokens, or any blob of data.

INSTANT VALUE SCALE ON-DEMAND LOWER TCO

Quick time to value with rapid deploy- Scale as you need to support millions of Transparent, simple, and predictable pric-
ment, simplified operations and centralized clients and billions of transactions with auto- ing. No additional costs for clients, connec-
management mated load-balancing and high availability tors, features or algorithms

Key Features and Benefits

• UNIFIED DATA PROTECTION: Integrated HSM, KMS, Encryption
and Tokenization functionality. Support for full NSA Suite B algo-
rithms: RSA, AES, Elliptical Curve1. Perform broad cryptographic
operations and key management operations, including key
generation, key import, key rotation, key derivation, encryption,
decryption, signing, verification, tokenization, and masking

• COMPLETE PRIVACY: End-to-end security for keys and data

(at-rest, in-transit, and in-use) protected with layers of defense
including Fortanix Runtime Encryption®, Intel® SGX and FIPS-vali-
dated hardware; Only authorized users can access keys

• CENTRALIZED VISIBILITY AND CONTROL: Centralized intui-

tive web-based user interface for management. Role-based access
control (RBAC) for users, applications and groups with segregation
of duties. Comprehensive tamper-proof audit logs to track all
activity, including administration, authentication, access, and key
operations

1 See algorithms supported here -

https://support.fortanix.com/hc/en-us/articles/360016160411-Algorithm-Support

DATA SHEET | FORTANIX SELF-DEFENDING KEY MANAGEMENT SERVICE (SDKMS)

 • APPLICATION FRIENDLY INTERFACES: Support for RESTful
APIs, PKCS#11, KMIP, JCE, Microsoft CAPI, and Microsoft CNG.
Easily support all existing and new applications, whether operat-
ing in public, private, or hybrid cloud. Out of the box connectors
with no additional license costs

• ADVANCED ADMINISTRATION: Single Sign-on support (SAML,

OAuth, and Active Directory/LDAP). Auditing integration with SIEM
tools (Syslog, Splunk, and CSP logging). Quorum approval policy (M
of N) for enhanced protection

• RUNTIME ENCRYPTION PLUGINS: Securely run sensitive

business logic inside trusted boundary with Runtime Encryption
plugins. Easily create or customize cryptography logic for your
unique business or security requirements

• CLOUD-SCALE PROTECTION: Distributed scale-out architec-

ture provides scalable performance on demand. Simplified oper-
ations with built-in synchronization, high availability and disaster
recovery

• FLEXIBLE CONSUMPTION: Designed to run in and support all environments: on-premises environment, private cloud, edge cloud, public
cloud, managed environments. Flexible consumption options: either a FIPS validated appliance, software on SGX-enabled servers/IaaS or
SaaS providing you a ubiquitous solution for your multi-cloud applications

Deployment Architecture
SDKMS delivers quick time to value — new nodes can be deployed and provisioned without requiring any initial configuration in a centralized place.
Once deployed, an SDKMS cluster can be managed and monitored remotely and without need for physical access.

Centralized
Centralized Key Generation Key Lifecycle
Tamper-Proof RBAC Encryption Tokenization Plugins
Management & BYOK Management
Audit Logs

Fortanix SDKMS

RESTful APIs
PKCS#11, CNG, CAPI, JCE
KMIP

Data Center
Hybrid Cloud

DATA SHEET | FORTANIX SELF-DEFENDING KEY MANAGEMENT SERVICE (SDKMS)

Use Cases

SECURE CLOUD ADOPTION SECURE VIRTUAL

DATA AT REST ENCRYPTION
ENVIRONMENTS
Make a secure and seamless transition
Address performance and availability Accelerate data protection and com-
to hybrid or multi-cloud. With a scalable
requirements for the encryption of dis- pliance for virtualized environments
distributed architecture and easy to use
tributed databases, data lakes, or stor- with enterprise-wide key management
BYOK support for major cloud provid-
age systems with scalable distributed and KMIP-based integration for native
ers, SDKMS can service encryption for
key storage with auto synchronization encryption solutions
any application in any cloud
capabilities of SDKMS

BLOCKCHAIN KEY
MANAGEMENT
PKI / IOT SECURITY
Blockchain Key Management: SDKMS
delivers unmatched security and avail-
Enable secure remote manufacturing
ability for Blockchain private keys
with SDKMS. The solution helps estab-
including support for powerful yet
lish chain of trust from birth of the
easy to use policies for multi-sig with
device throughout the entire lifecycle
quorum approval, and strong access
control
Microsoft PKI
NETWORK SECURITY
(TLS TERMINATION)

Close the encryption gap with the

ability to keep all the keys in the trust
boundary with SDKMS

SECURE CODE /
BUSINESS LOGIC
REGULATORY COMPLIANCE
Easily implement new cryptographic
Cost-effectively achieve compliance algorithms, unique key derivation,
for GDPR, PCI-DSS, and data privacy or advanced access control policies
laws with fine-grained access control using Runtime Encryption Plugins. Run
and comprehensive auditing inside the secure boundary of SDKMS

DATA SHEET | FORTANIX SELF-DEFENDING KEY MANAGEMENT SERVICE (SDKMS)

Fortanix vs. Traditional HSM/KMS Solutions

Feature/Attribute Fortanix Traditional HSM/KMS

1. Consumption options Flexible options: software on servers, Appli- Proprietary hardware

ance, SaaS

2. Total cost of ownership Predictable all-inclusive model, no additional Needs specialized expertise required to
costs for connectors maintain, complicated pricing based on
multiple variables

3. Security FIPS 140-2 pending, security extends to KMS, FIPS 140-2, security limited to keys
authentication, authorization and key operations

4. Horizontal scalability Infinitely scalable Not scalable

5. Storage capacity Increases linearly with size of cluster Very limited

6. Performance Single node 25% faster than fastest HSM, Limited based on hardware
and then increases linearly with size of configuration
cluster

7. High availability Built-in redundancy and fault tolerance in Generally achieved by replicating HSMs,
cluster done using client’s help

8. Seamless disaster recovery and backup Built-in Not available

9. Multi-region support Single cluster can span multiple continents Not available

10. Multi-user support Integrates with single-sign on, authorization Not available
using RBAC, advanced quorum control

11. Multi-app and multi-client support Strong separation of key space across clients Key space shared across clients
and apps and apps

12. Secure code execution Run sensitive business logic with easy to Limited support to run code written using
develop and use Runtime Encryption plugins proprietary SDK in constrained envi-
ronments, often requires professional
services

13. Supported data types No limitations on nature of stored data Can only store keys & related security
(keys, data, applications, etc.) credentials

14. Audit logs Secure, comprehensive, No audit logs for key operations, some
tamper proof support for getting appliance health
information

15. KMIP First solution to provide HSM and KMIP in a Sold as separate appliances
single product

16. Tokenization Support for many common fields including Sold as separate appliances
SSN, DOB, PAN, and more or products

© 2019 Fortanix Inc.

[email protected] | +1 (628) 400 2043 | 444 Castro St #305 Mountain View, CA 94041

DATA SHEET | FORTANIX SELF-DEFENDING KEY MANAGEMENT SERVICE (SDKMS)