The Art of Data Protection
Wendy Nather, 451 Research, July 29, 2014, 09:30 am EDT
At the SafeNet partner summit last month in Orlando, I got to see many issues being discussed, including some of a transformational nature. Anyone who has seen Tsion Gonen speak knows that he doesn’t back away from transformation – if anything, I think transformation is a little intimidated by him.
But transformation has already been here and left its calling card. Think about all the assumptions we used to make about the enterprise. Many of them are still rooted in the distant past, when there was one big mainframe in the data center, and you were issued a hardwired terminal to access it from your office. Part of the access control relied on your ability to enter the building and the fact that you were given the necessary hardware for access. And sad to say, there are still many long-running, critical systems whose security models are based on those assumptions.
In this world of cloud, BYOD, and multi-contextual roles, authentication and access control have to transform. Both users and enterprises can use the same software for different purposes, particularly in the public cloud. Mobile is like the Other White Cloud: just as you shouldn’t have to care which server is holding your data, the server shouldn’t have to care what kind of endpoint you’re using to access it. Both ends of the transaction are blurring, and the enterprise perimeter as an innocent bystander has gotten stomped on.
Because of this abstraction of the enterprise, distinguishing personal data from business data has gotten very complicated. You can’t tell which is which by where the data is stored, how it’s stored, what device it was created on, what application was used to create it, what time of day it was created, where the user was when it was created, or even necessarily by the type of data itself. It’s now all about how the data is used; the enterprise is no longer something it has, but rather something it does. And it does it everywhere.
That’s not to say the enterprise isn’t nervous about it. In our data from 451 Research, security is the most often-named pain point for cloud computing, mentioned more than twice as often as the other ones. And those top issues in security are data privacy, access and control, auditing and compliance, and control of data. The twin themes of data encryption and authentication keep coming up over and over.
We need to solve these issues, but they may be getting worse more quickly than we can get to them. Securing data in multiple clouds is one thing, but what about the Internet of Things? (Or, as we say in Texas, the “Internet of Thangs.”) We will need secure, authenticated, encrypted connectivity among everything from refrigerators to light bulbs, and from cars to cows. No, I’m not kidding about the cows.
Between the Internet of Things and the cloud, control is being forced up the stack into the application layer, and data has become the final frontier. We need to abandon our old assumptions and create new tenets to keep up with transformation. As security professionals, our work isn’t going to get easier, but it’s sure going to get a lot more exciting.
Stephen Helm, July 22, 2014, 10:30 am EDT
As we discussed in parts 3 and 4 of this series, encryption is only the first step to securing your data. If an organization doesn’t take the time to properly secure the keys, all of that encryption could be rendered useless. Step 2 of the Secure the Breach strategy urges organizations to securely manage and store the encryption keys.
Dino Pietropaolo, Manager for Federal Sales Engineering for SafeNet, Inc., wrote a great post on the importance of key management for government agencies. In the post, he equates storing encryption keys in software to hiding your house keys under the welcome mat at the front door. While this analogy does an excellent job of illustrating the inherent insecurity of such an approach, I am sure many of you can recall friends and neighbors (perhaps even your own parents) who did something similar with their own house keys.
The key was buried in the soil of a potted plant, stashed behind a mailbox, or maybe hidden under a garden gnome. Why? Because it was convenient. If you forgot your keys, or your children were locked out, you could quickly get the spare key from that “secret place” and get in safely.
We considered the keys secure and the house safe because we disguised the location of the key, and felt only those who knew the key’s location could use it. We also assumed that our houses would be an unlikely target.
Convenience, accessibility, and a false sense of security are also why three-quarters of organizations admit to storing encryption keys in software. For so long, storing keys in software has been seen as “secure enough.” The breach landscape has changed, and so too has the definition of “secure enough.”
The problem is getting worse over time as the use of encryption continues to grow. As new breaches occur, more and more organizations are turning to encryption to protect their data. Unfortunately, many of these organizations deploy encryption-dependent systems like secure web services, encrypted backups, certificate authorities, or other encryption solutions in isolation, without fully understanding how each deployment exposes its keys: a key that sits in a file or in process memory on the same host as the application is only as well protected as that host.
The Importance of Key Security
The threat posed by compromised keys goes beyond simple theft. Sure, a burglar could find your house key, break in, and steal your television—but they could also make a copy of that key, replace the original, and return any number of times to steal valuables, spy on your family, or even impersonate you for their own gain, all without your knowledge. The same is true in the digital world.
Stolen keys can be used to decrypt sensitive data, sign malicious code that could be used to spy on your organization, and even impersonate your company’s web server. Without proper control, including the means to audit where keys are, limit copies, and restrict access, there is no way of telling who has used the keys maliciously, or even that a copy exists.
Protecting Keys in the Secure Breach Era
Organizations today manage thousands of keys across a myriad of encryption-dependent systems, each with its own key management and associated policies. To ensure security, organizations must establish a centralized policy around the protection, storage, backup and organization of encryption keys. This policy should be part of a holistic, strategic security plan that achieves the following objectives:
- Securing keys throughout the key lifecycle. Reduce the exposure of cryptographic keys throughout the key lifecycle. This lifecycle includes generation, usage, distribution, and destruction.
- Secure key storage. Keys should also be stored securely throughout their operational life. Hardware devices provide the most secure option for key storage, because the key material never leaves the device: applications submit operations to it and receive only results. Examples of these devices include identity tokens (smartcards, USB tokens); trusted platform modules in desktop computers; embedded modules in special-purpose devices (e.g., tape and disk drives); and, of course, hardware security modules.
- Key usage authorization. Access control, authentication of users and confidentiality protection are all critical to ensuring that keys can be used only for authorized purposes by authorized entities.
- Accountability. Certain actions around cryptographic keys (generation, use, export, destruction, and denied attempts) should trigger audit entries. The audit logs should be cryptographically secure and time-stamped to ensure their integrity, so that an attacker who has obtained a key cannot also erase the record of having used it.
With a centralized policy around key management in place, organizations can effectively decrease key exposure, consistently enforce policy across all encryption systems, and streamline administration.
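The four objectives above (lifecycle control, keys that never leave their store, usage authorization, and a tamper-evident audit trail) can be seen together in a small key-usage gateway. The following is an added example written for this page, not SafeNet code or KeySecure's API. It assumes a hypothetical `KeyManager` class standing in for an HSM or key appliance: callers get a key handle and results, never key material; every operation is checked against a role policy; and every outcome, including denials, is appended to a hash-chained, HMAC-authenticated, time-stamped log. The audit MAC key (`AUDIT_MAC_KEY`) is generated in-process here only for demonstration; in a real deployment it would live in the HSM alongside the keys it protects. `verify_audit` shows that modifying or deleting any entry is detected.

```python
"""Minimal key-usage gateway with a tamper-evident audit trail.

Added example for illustration (not SafeNet code). The in-memory
dictionary stands in for an HSM or key appliance: key material never
leaves KeyManager, callers only receive handles and computed results.
"""
import hashlib
import hmac
import json
import secrets
import time

# Key usage authorization: which roles may perform which operation.
# (Hypothetical roles chosen for the example.)
POLICY = {
    "generate": {"key-admin"},
    "use": {"app-service"},
    "destroy": {"key-admin"},
}

# Log-signing key; assumed HSM-resident in production, generated here for the demo.
AUDIT_MAC_KEY = secrets.token_bytes(32)

GENESIS = "0" * 64  # chain anchor for the first audit entry


class AuthorizationError(PermissionError):
    """Raised when the policy does not allow the requested key operation."""


class KeyManager:
    def __init__(self, mac_key, clock=time.time):
        self._mac_key = mac_key
        self._clock = clock
        self._keys = {}        # key_id -> 32-byte secret; never returned to callers
        self.audit = []        # hash-chained, MACed, time-stamped entries
        self._prev = GENESIS   # MAC of the previous entry (chain link)

    def _record(self, actor, op, key_id, outcome):
        """Append an audit entry whose MAC covers the entry and the previous MAC."""
        entry = {"ts": round(self._clock(), 3), "actor": actor, "op": op,
                 "key": key_id, "outcome": outcome, "prev": self._prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = hmac.new(self._mac_key, body, hashlib.sha256).hexdigest()
        self._prev = entry["mac"]
        self.audit.append(entry)

    def _authorize(self, actor, role, op, key_id):
        """Deny and log any operation the role is not entitled to."""
        if role not in POLICY.get(op, set()):
            self._record(actor, op, key_id, "denied")
            raise AuthorizationError(f"{actor} ({role}) may not {op} {key_id}")

    def generate(self, actor, role, key_id):
        self._authorize(actor, role, "generate", key_id)
        self._keys[key_id] = secrets.token_bytes(32)
        self._record(actor, "generate", key_id, "ok")
        return key_id  # a handle, not the key

    def sign(self, actor, role, key_id, message):
        """Use the key on the caller's behalf (HMAC as the example operation)."""
        self._authorize(actor, role, "use", key_id)
        key = self._keys.get(key_id)
        if key is None:  # destroyed or never generated: log it, do not guess
            self._record(actor, "use", key_id, "missing")
            raise KeyError(key_id)
        tag = hmac.new(key, message, hashlib.sha256).hexdigest()
        self._record(actor, "use", key_id, "ok")
        return tag

    def destroy(self, actor, role, key_id):
        self._authorize(actor, role, "destroy", key_id)
        self._keys.pop(key_id, None)
        self._record(actor, "destroy", key_id, "ok")


def verify_audit(entries, mac_key):
    """Walk the chain; return (True, None) or (False, index of first bad entry).

    A modified entry fails its MAC; a deleted or reordered entry breaks
    the 'prev' link of the entry that follows it.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "mac"}
        if body.get("prev") != prev:
            return False, i
        expect = hmac.new(mac_key, json.dumps(body, sort_keys=True).encode(),
                          hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, e.get("mac", "")):
            return False, i
        prev = e["mac"]
    return True, None


if __name__ == "__main__":
    km = KeyManager(AUDIT_MAC_KEY)
    km.generate("alice", "key-admin", "db-key-1")
    km.sign("svc-orders", "app-service", "db-key-1", b"order 42")
    try:
        km.sign("mallory", "contractor", "db-key-1", b"order 42")
    except AuthorizationError as exc:
        print("denied:", exc)
    print("audit intact:", verify_audit(km.audit, AUDIT_MAC_KEY))
```

The design point is that the log is only as trustworthy as the key that MACs it: if `AUDIT_MAC_KEY` were stored in software next to the application, an attacker who stole the data keys could re-sign a sanitized log, which is exactly why the objectives above put both the operational keys and the audit key in hardware.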
Mor Ahuvia, July 21, 2014, 11:34 am EDT
While two-factor authentication for secure remote access to corporate networks (VPNs) has become a ‘bare necessity’ for most organizations today, a good VPN strategy can offer new opportunities for IT ecosystem expansion.
With 20% of the global workforce telecommuting at least occasionally, offering VPN access to critical applications continues to be central to many organizations’ corporate culture. However, with 500 cyber-espionage breaches tallied in 2013 alone, according to the 2014 Verizon Data Breach Investigations Report, VPN access, like any web-based access, needs its weak, vulnerable passwords replaced with strong authentication.
So how do you know if a VPN-authentication solution is highly advanced or just average? An advanced solution supports the latest technology—protocols and applications alike—to offer:
- Native SSL VPN and IPsec VPN support
- VPN-platform flexibility, with seamless, tested strong authentication for all leading VPN platforms, such as Check Point, Cisco, F5, Fortinet, IBM, Citrix, and Microsoft, among others.
- Native identity federation, allowing you to secure SaaS applications with the same authentication solution used to secure the corporate VPN.
To learn how SafeNet can help you secure VPN access while safely expanding your IT ecosystem, download our solution brief, Anytime, Anywhere Secure Remote (VPN) Access with SafeNet Authentication Solutions.
Did you know that for as little as $400, cyber-criminals can buy a LEGAL fibre-clamping device, tap a fibre-optic cable, and remove or add data – WITHOUT breaking the connection?
Data in motion has never been at a higher risk of exposure. It’s out there in terabytes (and even petabytes), and, if unencrypted, can be ‘tapped’ or ‘sniffed’ with relative ease (see our video, Fibre Tapping: How to Protect Your Data in Transit with Encryption), or misdirected unintentionally by human or machine error.
So, if you can’t reliably prevent or detect fibre tapping, how do you secure your data in motion? As our infographic shows, the simplest and best approach for securing data in motion is to provide protection that stays with the data wherever it is sent: encrypt it before it enters the fibre, so that a tap or a misdirected link yields only ciphertext.
For more information about securing your data in motion, visit safenet-inc.com/data-encryption/network-encryption.
Whether it’s for business or personal use, having buying options that allow me to manage my budget is crucial. Like any conscientious consumer, I look for opportunities to save on the products and services that I use, which also may explain why one-size-fits-all options for consumable services don’t usually work for me.
As an example, consider a gym that only offers one type of membership. With long-term contracts, members often don’t have the flexibility to negotiate or change membership terms once they’ve signed; even if they visit the gym less frequently—or stop going entirely—they’re still locked in to their contract. And, for people who exercise regularly, pay-as-you-go gym memberships can become cost-prohibitive for members who would rather commit to a longer term contract—if they could receive a discount for their loyalty.
Over the last 12 months, SafeNet has added encryption and key management solutions to AWS Marketplace to provide businesses with the ability to purchase and manage a complete encryption solution within AWS with simple, on-demand delivery and hourly pay-as-you-go pricing. As of today, SafeNet and AWS are adding another option.
For customers who wish to commit to yearly, discounted subscriptions, there are new annual pricing models for ProtectV (a full-disk encryption solution for virtual instances), and Virtual KeySecure (a hardened software appliance that manages and securely stores the encryption keys for ProtectV)—both available on AWS Marketplace. These two solutions work together, like the combination lock on your gym locker, to enable organizations to unify encryption and control across virtualized and cloud infrastructure which increases security and compliance for sensitive data residing in public cloud environments.
SafeNet’s Annual Subscription IS NOT Your Average Contract
When compared to hourly pricing, the new, yearly subscriptions allow businesses to better manage their budget and forecast their yearly software expenses while lowering their spending by 10 to 40%. For example, customers who use ProtectV and Virtual KeySecure on a regular basis may find that on-demand, annual subscriptions are a cost-effective way for them to cover steady workloads at a discounted price and supplement with hourly pricing to meet additional seasonal demand.
For customers who prefer the hourly, pay-as-you-go model and find that their usage needs have increased, moving to an annual subscription is quick and easy to do without submitting paperwork, purchasing new license keys, or installing new software. Annual subscription and hourly payment options are designed to fit your budget and your business needs—offering simple, trusted, and secure ways to quickly leverage SafeNet security offerings on-demand and on your terms.