SafeNet


In the Business Drivers for Next Generation Authentication Blog Series, we present the challenges enterprise stakeholders are encountering as a result of the new IAM paradigm of a Complex Identity Management & Authentication Environment—one which consists of multiple identities who are using multiple endpoints in order to access multiple applications. Once protected by the isolated confines of enterprise IT, business boundaries have been permanently warped by the juggernauts of SaaS and cloud computing.

With 23% of the American workforce, and a similar 20% of the global workforce, telecommuting at least occasionally, virtual and work-from-home arrangements are increasingly cultural pillars in many organizations, such as Red Hat and Dell (and SafeNet), arising from quality-of-life, financial and employee-retention considerations. Executive management and HR are progressively rolling out flexible work options to achieve their business goals, with a Gallup survey finding that employees who work outside the office up to 1/5 of the time report being ‘more engaged.’

In today’s M&A and relocated-headquarters reality, virtual work arrangements are priceless for retaining experienced staff, on top of reducing traffic congestion, commute time and stress. When considering expansion of remote work arrangements, executive management is confronted with several core challenges:

  • Cost – A survey by SafeNet found that cost is the biggest inhibitor to more widespread authentication adoption, with per-user authentication expenditures varying among organizations by as much as 300%.
  • Data security – Organizations allowing remote access to the corporate network must ensure their intellectual property and sensitive data and documents remain confidential and intact.
  • Compliance – To demonstrate end-to-end ownership of access controls, enterprises seek methods of retaining visibility of access events, whether on- or off-premises.
  • Administration – Given the overhead required to deploy, provision and manage a new IAM or strong authentication solution to hundreds, thousands or even tens of thousands of users, streamlined administration is crucial for keeping additional IT overhead to a minimum.

These challenges are inevitable when expanding an organization’s telecommuting infrastructure. However, a robust IAM scheme can considerably simplify the move to a mobile work style, and even allow mobility programs to be pushed forward while giving the C-Suite—be it Legal, CISOs, CIOs or CFOs—peace of mind that their concerns are being effectively addressed. Consider these enablers:

  • Authentication-as-a-service – Subject to compliance requirements, organizations can opt for a 100% cloud-based solution, eliminating upfront capital expenditures and paying on a per-user subscription basis.
  • Software tokens and tokenless authentication – Soft tokens, phone-as-a-token, context-based authentication and pattern-based authentication all remove the need to physically provision, ship and administer hardware devices, while providing strong multi-factor authentication.
  • Centralized access control – When deploying a single authentication backend, whether physical or virtual, organizations can secure access to all their resources and applications residing in the datacenter or in the cloud. This translates into a unified audit trail of all access events. Also, solutions offering support for popular mobile clients enable simplified and secure expansion of mobility programs, as they can authenticate users from a wide range of browsers.
  • Automated admin and self-service – Automated alerts delivered by SMS text messages, security alerts reporting on account lockout or configuration changes, and self-service portals which enable users to report a token lost, request a new token, or update profile details—all streamline and simplify management.
  • Provisioning – Using group-based policies and automated provisioning, organizations can centrally define policies per user population and extend identities from existing user stores to the cloud.

Fifty percent (50%) of organizations in EMEA predict that by 2015 at least half of all employees will be using two-factor authentication, mainly for remote network access. Similarly, Forrester Research expects 43% of the American workforce to work from home at least occasionally by 2016. With a strong IAM foundation, organizations can build a greener, healthier and more mobile work culture while maintaining stringent access control over corporate assets and authentication data.

To learn more about SafeNet’s Next Generation Authentication Solutions, download the SafeNet Authentication Service brochure.

Read the previous entries in this series to learn other ways to build an effective Next Generation Authentication environment throughout your enterprise:


“A very little key will open a very heavy door.”  - Charles Dickens, Hunted Down

The OpenSSL vulnerability, called Heartbleed, sent shockwaves through the security world. First discovered by Google and Codenomicon, Heartbleed lets an attacker read memory from applications running on a web server, which can reveal the private cryptographic keys used by OpenSSL.

These keys, commonly stored on the web server itself, could be used to decrypt web traffic or, even worse, to impersonate the server. In many instances, the hacker who gained access to the key would also be able to decrypt communications that had occurred well before they had the key in their possession. Although patches for the Heartbleed vulnerability are now available, thousands of private keys will have to be reissued.

The Heartbleed vulnerability once again reinforces the importance of strong cryptographic key storage and management. By ensuring the security of the private keys, an organization can significantly mitigate the risk to their sensitive data in the event of an attack – regardless of the point of vulnerability.

The problem extends beyond websites and web servers. Certificate Authorities, which form the root of trust for the Operating Systems we depend on every day, have been subject to complex attacks.

Breaches like Stuxnet and Duqu used private keys stolen from Certificate Authorities to sign malware in a way that made it appear to be legitimate code. Attacks of this nature could be used to sign fraudulent Operating System updates, or create drivers for devices capable of sneaking a malicious payload into even the best protected systems. When attackers successfully attack trusted systems, the systems built on that trust fall apart.

So What Is the Most Secure Way to Protect Cryptographic Keys?

When encryption is used, the risk is transferred from the data itself to the cryptographic keys. Without strong security for private keys, our systems will always be vulnerable. This is an area where software vendors have struggled. When private keys are stored on the same server as the other components of a system, it is much easier to gain access to those keys and compromise that system. With a copy of the private key, an attacker can create fraudulent identities and create certificates at will.

Hardware Security Modules (HSMs) are the best way to protect cryptographic keys. HSMs are designed to create a barrier between software on the server and cryptographic key material. HSMs achieve this by offloading cryptographic keys from an application server and isolating them in a dedicated appliance. Implementing an HSM – specifically an HSM that stores private keys inside of the physical device at all times – would greatly mitigate the attack vector for a hacker seeking to access sensitive private keys.

Would Using An HSM Prevent the Heartbleed Vulnerability?

No, but it would have significantly limited the scope of any attack. By preventing the loss of the private key, the need to re-issue certificates would be avoided. And more importantly, the risk to your Enterprise’s reputation by attackers setting up rogue web sites using your identity would also be avoided. Finally, the fact that the private key is safe also reduces the amount of data at risk during the time Heartbleed was exploitable.
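The design described above, as an added illustration in Go that is not SafeNet’s code: the web server process holds only a key label and the public key, every private-key operation happens inside a module that never exports key material, and that handle-only signer plugs straight into tls.Certificate through Go’s crypto.Signer interface, so a memory over-read of the server finds no key to steal. The softHSM type, its labels and the host name are assumptions standing in for a real HSM client library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"io"
	"math/big"
	"time"
)

// softHSM stands in for the hardware module: keys are generated inside it and
// there is deliberately no method that returns private key material.
type softHSM map[string]*rsa.PrivateKey
// newKey generates a 2048-bit RSA key under a label and returns only the public half.
func (h softHSM) newKey(label string) (*rsa.PublicKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	h[label] = k
	return &k.PublicKey, nil
}
// sign does the private-key operation inside the module: digest in, signature out.
func (h softHSM) sign(label string, digest []byte, hash crypto.Hash) ([]byte, error) {
	if k := h[label]; k != nil {
		return rsa.SignPKCS1v15(rand.Reader, k, hash, digest)
	}
	return nil, errors.New("unknown key label")
}
// hsmSigner is all the web server process holds: a key label and the public key.
// It satisfies crypto.Signer, which is what tls.Certificate.PrivateKey expects.
type hsmSigner struct {
	hsm   softHSM
	label string
	pub   *rsa.PublicKey
}
func (s *hsmSigner) Public() crypto.PublicKey { return s.pub }
func (s *hsmSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return s.hsm.sign(s.label, digest, opts.HashFunc())
}
// newHSMBackedCert generates the server key in the module, self-signs a certificate
// with it and returns a tls.Certificate whose PrivateKey is the handle-only signer.
func newHSMBackedCert(h softHSM, host string) (tls.Certificate, error) {
	pub, err := h.newKey(host)
	if err != nil {
		return tls.Certificate{}, err
	}
	signer := &hsmSigner{hsm: h, label: host, pub: pub}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: signer}, nil
}
```

The returned tls.Certificate can be placed in a tls.Config as usual; Go’s TLS stack only ever calls Sign on the handle, exactly as it would with a PKCS#11-backed key.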

For more information, download our whitepaper, Making SSL Faster and More Secure.


In the previous posts in this series, we’ve chatted about breach acceptance and how encryption can help protect your data. This is true whether we’re talking about hackers or insider threats – provided it’s managed correctly, of course. This week we’re going to take a closer look at the types of data that need encryption, and specifically “data at rest.”

Data at rest refers to information stored on permanent media, such as tapes and disk drives. It may also be described as inactive data (i.e. not in use) which is stored in any digital form, as compared to “data in flight” which refers to information passing through a computer network.

When data enters your organization or is generated within it, you can choose to encrypt at a variety of stages in its lifecycle – or at different layers in the OS stack – and there are advantages and disadvantages to whichever method you choose. Obviously the sooner you encrypt, the lower your risk of an unencrypted data breach. You can also select where you want to encrypt – in the traditional data center, a virtualized environment, or up in the cloud. Let’s consider the various options:

  • Application level security – You could choose to protect at the application level, even in a multi-vendor infrastructure in the data center and in the cloud. This would enable you to enhance application security through fine-grained user controls with minimal impact upon the performance of application servers.
  • Transparent database security – This enables application-transparent, column-level database encryption across multi-vendor database management systems in the datacenter and in the cloud. An advantage of database encryption is that it provides support for extremely large data sets.
  • File-level encryption – This protects unstructured data in file servers and network shares. Encryption is performed transparently and affords granular access controls: authorized users and processes can continue to have read and write access to the encrypted data while unauthorized users/processes are locked out.
  • Tokenization – Tokenization replaces sensitive data (credit cards, social security numbers etc.) with a surrogate value – a token. The sensitive data is encrypted and stored in a safe repository while the token is processed throughout the organization instead.
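A worked illustration of the tokenization option above, added here rather than taken from the post: the vault keeps each card number AES-GCM encrypted under a key only it holds, and hands the rest of the organization a random surrogate that preserves just the last four digits; the “detokenize” role check stands in for the vault’s own access control. The vault, tokenize and detokenize names and the role string are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"strings"
)

// vault is the one component that holds the data-encryption key and the clear
// values; every other system in the organization only ever handles tokens.
type vault struct {
	aead    cipher.AEAD
	entries map[string][]byte // token -> nonce || AES-GCM ciphertext
}
func newVault(key []byte) (*vault, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &vault{aead: aead, entries: map[string][]byte{}}, err
}
// tokenize encrypts a card number into the vault and returns a surrogate: random rather
// than derived from the number, showing only the last four digits for receipts and support.
func (v *vault) tokenize(pan string) (string, error) {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) < 13 || len(digits) > 19 || strings.Trim(digits, "0123456789") != "" {
		return "", errors.New("not a card number")
	}
	buf := make([]byte, 8+v.aead.NonceSize()) // 8 random token bytes, then the nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(buf[:8]) + "_" + digits[len(digits)-4:]
	nonce := buf[8:]
	// The token is the associated data, so a ciphertext moved to another token fails to open.
	v.entries[token] = v.aead.Seal(append([]byte{}, nonce...), nonce, []byte(digits), []byte(token))
	return token, nil
}

// detokenize is the only way back to the clear value and is limited to callers in
// the "detokenize" role; the role check stands in for the vault's access control.
func (v *vault) detokenize(token, callerRole string) (string, error) {
	if callerRole != "detokenize" {
		return "", errors.New("role " + callerRole + " may not detokenize")
	}
	ct, ok := v.entries[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(token))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```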

The challenges of securing your data are compounded in virtualized environments and especially in multi-tenant public clouds. With comprehensive protection of a virtual infrastructure, you can ensure that the entire virtual machine and attached storage is secure, similar to full disk encryption solutions on your laptop, and coupled with pre-launch authentication to ensure only authorized users can access information – and that unauthorized users, even super-users, stay out.

But regardless of where or how you choose to encrypt, it’s safe to assume that this data needs to be secured. Whether you are doing it to protect personally identifiable information (PII) or intellectual property, or to avoid a heavy fine for non-compliance – you can rest assured that if you don’t encrypt, your data is at risk of exposure.

Next time, we’ll explore encrypting data in motion as part of our “Securing the Breach – Three Step Strategy.”



Gartner predicts that, by 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations, up from less than 10% today. Demand for security-as-a-service substitutes, according to the analyst firm, stems from cost-reduction considerations, short time-to-compliance, and a shortage of appropriate technical personnel.

From a purely cost-savings perspective, cloud-computing offers important advantages:

  • Less hardware to maintain, which translates into savings from reduced space, power, cooling and upgrade requirements
  • Less software to maintain, resulting in less IT management overhead, including the issuing of upgrades and patches
  • Fewer hardware and software compatibility issues to resolve, thanks to application and desktop virtualization
  • Subscription-based pricing models allow greater budgeting flexibility and predictability
  • Cost-effective business continuity and disaster recovery options, owing to a virtualized or cloud-delivered work environment

Drilling down to the figures, SafeNet found that cloud-based authentication provides a 60% savings in Total Cost of Ownership, and up to 90% reduction in management and overhead costs.

Furthermore, when cloud-delivered authentication is applied to secure cloud and SaaS resources, it does more than just provide inherent cost savings. By extending on-premises identities to dozens of SaaS and cloud services, and locking-down access to those services with strong multi-factor authentication, enterprises can go on to securely adopt even more cloud and SaaS services—enabling even more cost savings. To this end, organizations should seek strong authentication solutions that support SAML 2.0, which provides the most effective route to identity federation and cloud single sign-on (SSO).

Allowing on-prem IT to get leaner without forfeiting data security, SafeNet’s Next Generation Authentication solutions enable four kinds of efficiency:

  • Immediate savings from consuming authentication-as-a-service – as compared to on premises solutions
  • Reduced day-to-day IT management overhead – through automated solution management and extensive user self-service
  • Reduced IT provisioning overhead – through non-hardware tokens, such as ‘soft’ tokens, phone-as-a-token, and context-based authentication
  • Secure, accelerated adoption of web-based services – including cloud infrastructure, SaaS apps, and virtualized environments

80% of large North American institutions recently surveyed by McKinsey are planning or executing programs to make use of cloud environments to host critical applications. With data security the number one concern for many CFOs considering cloud technology, financial executives are now in the perfect position to capitalize on the best of all worlds: authentication delivered as-a-service, providing strong MFA, extending identities to the cloud—all enabling secure, wider adoption of private and public clouds that offer greater business agility.

Read the previous entries in this series to learn other ways to build an effective Next Generation Authentication environment throughout your enterprise:



If you haven’t already, check out Part One in this series, How CISOs Can Secure a Nebulous Sea of IT, and Part Two, The Secret to an InfoSec Scheme Your Sysadmins Like.

A recent study published by the National Institute of Standards and Technology (NIST) entitled “Report: Authentication Diary Study” found that on average NIST employees authenticated 23 times within a 24-hour period, with “over-authentication” requirements resulting in user frustration, aka ‘password fatigue,’ as well as coping strategies that jeopardize security down the line, such as writing down passwords.

Echoed by numerous other studies on password fatigue, user management solutions provider Janrain found that “92% of respondents reported leaving a website during sign on versus resetting or recovering password information.”

In enterprise authentication scenarios, however, users cannot simply walk away to avoid authentication. Instead, they oftentimes require multiple credential sets just to authenticate to standard applications, such as attendance-tracking, e-conferencing, and project-management apps. Mechanisms recommended by the researchers include single sign-on (SSO), the use of password vaults, and the standardization of password policies across resources – for example, uniformly requiring alphanumeric characters to be used alongside special ones.

So how can organizations resolve password-aggravation and offer users a frictionless authentication experience? Therein lies the rub.

As suggested by the NIST researchers, SSO is a powerful method for eliminating multiple credential sets, enabling users to log in only once and access all the enterprise applications and resources they need. SSO or Enterprise SSO (ESSO) denotes access to predefined resources mostly hosted on-premises at an enterprise data center, and usually relies on specific protocols, such as Kerberos. Federated SSO takes it a step further, allowing organizations to extend their on-premises identities to cloud and SaaS applications using such protocols as ADFS and SAML 2.0. To the merriment of users, this means having to log in with only one identity to access all cloud, SaaS or on-prem resources offered by an organization—just one identity to gain access to the entire IT ecosystem.

To elevate the level of assurance that a user is in fact who they claim to be, strong multi-factor authentication can be added to ESSO/Federated SSO scenarios without incurring a high cost of user inconvenience. Case in point is context-based authentication, which simplifies user logon by requiring a second factor only when the weighed risk, determined by a risk engine, warrants it.
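How a context-based policy like the one just described can decide when to ask for the second factor, as an added example in Go that is not taken from the post or from any SafeNet product: each signal in the login context adds a weight, and only scores at or above a threshold trigger the OTP, so a registered device on the corporate network logs in with no extra step. The signals, weights and thresholds, the 10.0.0.0/8 corporate range, and the third outcome (deny, for scores no OTP should unlock) are all assumptions added for illustration; the page itself only describes the two-outcome case.

```go
package main

import (
	"net"
	"time"
)

// loginContext is what the risk engine sees before deciding whether to ask for a
// second factor. Country fields are assumed to come from an IP geolocation lookup.
type loginContext struct {
	sourceIP    net.IP
	deviceKnown bool      // browser or device previously registered by this user
	country     string    // country of the current request
	lastCountry string    // country of the user's last successful login
	lastLogin   time.Time // time of that last login
	now         time.Time
}
type decision int
const (
	passwordOnly decision = iota // low risk: the password or SSO session is enough
	requireOTP                   // elevated risk: step up to a one-time password
	deny                         // beyond any threshold an OTP should unlock
)

// corporateNet is the address range treated as on-premises (constructed example).
var _, corporateNet, _ = net.ParseCIDR("10.0.0.0/8")

// riskScore adds a weight per risk signal. The weights and the thresholds in
// decide are illustrative policy values, not ones taken from any product.
func riskScore(c loginContext) int {
	score := 0
	if !c.deviceKnown {
		score += 30
	}
	if !corporateNet.Contains(c.sourceIP) {
		score += 20
	}
	if c.country != c.lastCountry {
		score += 25
		if c.now.Sub(c.lastLogin) < 4*time.Hour { // "impossible travel"
			score += 40
		}
	}
	if h := c.now.Hour(); h < 6 || h > 22 { // outside normal working hours
		score += 10
	}
	return score
}

// decide maps the score to the step-up policy: only contexts scoring 30 or more
// see the second factor, so a known device from the office logs in without it.
func decide(c loginContext) decision {
	switch s := riskScore(c); {
	case s >= 80:
		return deny
	case s >= 30:
		return requireOTP
	default:
		return passwordOnly
	}
}
```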

Removing the need to carry additional daily authentication props on one’s person, out-of-band, software-token and phone-as-a-token options provide convenient enterprise mobility from any endpoint. Hardware tokens, on the other hand, can be exclusively provisioned for use cases determined to require them.

Next, two-factor authentication can completely replace static passwords, with PIN protection of OTPs providing an extra layer of security. To illustrate, instead of requiring users to enter multiple complex 8-digit passwords, users can log in with a single federated identity to gain access to an organization’s entire IT ecosystem, entering only a username and an OTP.

Keeping dependence on helpdesk personnel to a minimum, users can be offered extensive self-service functionalities such as resetting their profile details, requesting a new token, or synching a current one.

To reduce password-aggravation, increase productivity, and streamline security, organizations can capitalize on the leaps and bounds made in identity-verification technology to offer their users authentication that is truly frictionless.

To learn more about authentication technologies offered by SafeNet’s Next Generation Authentication, download the Authentication Technologies Survey White Paper.

If you missed previous entries in this series, be sure to check out Part One, How CISOs Can Secure a Nebulous Sea of IT, and Part Two, The Secret to an InfoSec Scheme Your Sysadmins Like.

