The Art of Data Protection
Paul Ardoin, February 23, 2015, 12:15 pm EST
ProtectV and Virtual KeySecure Now Available in the IBM SoftLayer Cloud
Last week, we published a blogpost that discussed the importance of owning your encryption keys—and your data—when you move your sensitive data to the cloud. The IBM SoftLayer cloud platform has high levels of performance, integration, automation and global availability, which make it an unmistakably attractive offering in this space.
This week, SafeNet is announcing the ability to encrypt sensitive workloads in the IBM SoftLayer cloud platform and own and manage your keys–so you can not only securely migrate data to the IBM cloud, but also prove that you own and control your data from inception to deletion.
Two products will be available on IBM Cloud Marketplace in the coming weeks: SafeNet ProtectV encrypts entire virtual machine instances and attached storage volumes, while Virtual KeySecure provides centralized enterprise key management for ProtectV-secured instances AND third-party encryption solutions such as IBM XIV storage, IBM N Series, and dozens of other devices and services.
We’re making this announcement at the IBM InterConnect 2015 conference in Las Vegas, February 22-26, 2015. If you’re planning on attending, make sure to stop by Booth #923. SafeNet will be discussing the dozens of integrations we have with IBM products, including the new IBM Cloud Marketplace offerings:
- Learn how you can secure data AND meet compliance mandates with customer-owned encryption keys in the IBM cloud.
- View demos of SafeNet Virtual KeySecure and ProtectV—two products that provide IBM SoftLayer customers with complete control of their data and satisfy compliance—because you can prove key ownership.
- Discover how encryption affects cloud data security in our Own and Manage Your Encryption Keys White Paper.
- Learn how to further refine your cloud security scenario with products featured in our ebook: SafeNet Security Enhancements for IBM Solutions.
- Enter to win the Parrot AR Drone 2.0 we’ll be raffling off on the last day of the show.
Put SafeNet #923 at the top of your list of booths to visit and we’ll see you in Las Vegas—and look for our products on IBM Cloud Marketplace in the coming weeks!
Paul Ardoin, February 19, 2015, 02:15 pm EST
If your data lives in the cloud, you already know the cost and uptime advantages that come with using a reputable cloud provider to manage the infrastructure. But what about the security of that data? Who is responsible for keeping it safe in the cloud? The truth is that the sole entity responsible for the security of the data is YOU—from the moment you take possession of it to the moment it’s deleted. No exceptions.
Ownership and management of data are two very different things. If the data is stolen—you are responsible. If the data is lost—you are responsible. If the data is manipulated—you are responsible. So, while it’s possible to outsource data encryption and management services in the cloud, you can’t outsource the responsibility for that data. With this level of accountability, YOU have to be the one to secure that sensitive data.
Being able to own your encryption keys and prove that you have complete control of all of your data is crucial to meet the requirements of many compliance standards, including PCI-DSS. Many encryption key solutions available in the cloud are designed so that the keys are owned—and therefore accessible—by the cloud provider. While every reputable cloud provider makes a lot of assurances around the security of these solutions, the bottom line is that if you don’t own your encryption keys, you can’t prove control of your data. And, if you don’t control your data, government agencies can subpoena the cloud provider—who is usually not only required to give that agency access to your data, but also not obligated to let you know about it.
SafeNet is one of the only vendors that allows you—and only you—to own your encryption keys so that you remain the only entity able to access your data. Ownership means that you can prove complete control of your sensitive data. It gives you the right tools to pass audits and the assurance that the cloud provider has no authority to give government agencies a back door into your data.
SafeNet’s new white paper, Own and Manage Your Encryption Keys, outlines how customer-owned encryption keys are the only way to truly safeguard data in cloud environments. As a technology partner of the world’s leading cloud providers, SafeNet has years of experience with encryption and key management in the cloud.
SafeNet will exhibit at cloud and virtualization conferences all over the world in 2015. You can learn more about our customer-owned encryption solutions by visiting the SafeNet booths at these shows and talking to us about our approach to encryption key ownership in the cloud.
It’s not just your data you’re protecting—it’s the data of your prospects, customers, clients, vendors, partners, and everyone you do business with. The power to secure it should reside with no one but you and your customer-owned keys.
Andrew Gertz, February 12, 2015, 08:47 am EST
A year ago, I was writing about the 575 million data records lost or stolen throughout 2013, a sum based on the data collected by the Breach Level Index that seemed astonishing at the time. The Target breach that happened at the end of that year stood out for me as the epitome of a changing infosec landscape, in which a breach not only caught the attention of industry experts, but also warranted weeks of mainstream media coverage.
Time changes everything. Unfortunately, in terms of breach occurrences, things didn’t improve in 2014. The number of data records lost or stolen somehow increased by approximately 78% year over year, with more than 1 billion records lost or stolen last year according to the Breach Level Index. That breaks down to 32 records lost or stolen every second of the year. There were 1,056 breach incidents in 2013. There were 1,541 in 2014, an approximately 46% increase. But the figure that really stands out to me is 4%; that’s the percentage of all 2014 incidents that were “secure breaches” – those in which encryption was used to protect the data and render it useless after it was compromised.
Additionally, breaches continued to make headlines last year, picking up where the Target breach news left off. 2014 was the year hackers successfully attacked the payment data systems of Home Depot, stealing 109 million data records and registering a 10.0 on the Breach Level Index’s risk assessment scale. JP Morgan Chase likewise encountered a 10.0 breach, in which more than 80 million records were compromised. And then came the Sony Pictures Entertainment breach.
While it was low by the numbers in comparison to some other 2014 breaches – 47,000 records compromised – Sony’s breach stands out most to me. Employees were threatened, executives’ private emails were released, films still in theaters were leaked, and the theatrical release of a film with A-list stars and a $44 million budget, The Interview, was cancelled. The FBI was involved in an investigation that led to the conclusion that the attack originated in North Korea, and the breach and what it represented was so significant that President Obama personally addressed the nation in regards to the situation.
We continue to see the impact of that breach in 2015. Last week, Amy Pascal, the co-chairman of Sony at the time of the hack, stepped down following the above-mentioned release of her private emails. And on February 10, 2015, just days ago, the White House called the Sony hack a “game changer” and announced the formation of a new agency, the Cyber Threat Intelligence Integration Center, to gather and analyze information about cyberthreats.
Take a moment to consider just how far-reaching the impact of one breach was socially, economically, and politically. Like Target, the Sony breach became the top story in the news, but it seemed like the cyberattack ripple effect increased exponentially at the end of 2014. A breach occurred, and the world changed.
Like many of us, I do my best to balance optimism with realistic expectations. I don’t think we can expect that a new perimeter security measure is coming that will keep determined cybercriminals from successfully breaching most organizations they target. I don’t anticipate the Sony breach to be the last to have history-making implications that may indirectly impact the lives of people around the globe.
As Tsion Gonen, chief strategy officer for Identity & Data Protection at Gemalto, recently wrote for The Hill: “It’s time that executives and information security professionals accept the fact that their companies will be breached and start thinking outside the box when it comes to data security.”
My hope is that in another year, if I’m writing about the billions of data records stolen in 2015, I’ll at least be able to say that the silver lining is the percentage of secure breaches increased and they stand as evidence that more companies followed Gonen’s advice.
Mor Ahuvia, February 11, 2015, 04:18 pm EST
To comply with the DEA’s Electronic Prescriptions for Controlled Substances (EPCS) regulation, medical practitioners need to re-authenticate to their EHR system using two-factor authentication whenever they issue Rx’s for medical narcotics in digital format.
With state deadlines quickly approaching, SafeNet lets hospitals and healthcare organizations implement EPCS easily, without changing their current infrastructure.
What is EPCS? And how, when and why should you comply? Check out our below infographic for the answers.
Key Points/Stats from this Infographic:
- 1 Billion eRx’s are issued in the US annually. Controlled substances, meaning medical narcotics such as morphine, codeine, etc. account for 130 Million of them.
- What is EPCS? Electronic Prescriptions for Controlled Substances (EPCS) is a regulation issued by the DEA, requiring medical practitioners to re-authenticate to their EHR system using two-factor authentication, each time they issue an eRx for a controlled substance.
- Who needs to comply with EPCS? Compliance is required of medical practitioners who issue eRx’s for controlled substances.
- When is EPCS compliance due? State deadlines vary, with some mandating compliance by year end 2015. To qualify for financial incentives, organizations can also leverage EPCS to more easily demonstrate Stage 2 Meaningful Use.
- How do you choose a 2FA solution for gaining EPCS compliance? Seek a solution that offers FIPS-validated tokens, quick deployment and low day-to-day operational overhead, while allowing you to keep within budget and evolve your IT ecosystem over time.
Read our White Paper to Learn More: How to Become EPCS Compliant with SafeNet Authentication or go to our EPCS Compliance webpage.
People have been signing documents as a means of establishing proof of identity for hundreds of years. As communication has evolved, the need to identify the author or approver of documents has increased. Just as handwritten signatures enable us to apply a means of identification to any document, a digital signature enables us to apply a unique identity to a digital document or message. We can validate the authenticity of a handwritten signature by comparing it to other examples of the same person’s signature and checking for commonalities. In much the same way, digital signatures provide a means for verifying the authenticity and integrity of documents and messages.
How Do Digital Signatures Provide Integrity and Authentication?
Digital signatures use public key cryptography to enable parties to exchange messages in a trusted fashion. The first step in the signature process is to apply a mathematical technique to create a summary of the message you intend to send. Using this technique you reduce the message to a small number called a digest. The digest should have two particular qualities: it should be ‘collision free’ (that is, no two messages should be able to produce identical digests); and it should be one-way (that is, although you can obtain the digest from the message, you cannot obtain the message from the digest).
The author of the message uses their private key to encrypt the digest, attaches the encrypted digest to the original message, and sends both to the intended recipient. When the recipient receives the message, they use the author’s public key to decrypt the digest. Since only the author’s private key could have produced a digest that decrypts correctly with the author’s public key, this proves that the message was sent by the author. In this way, the recipient can authenticate the author of the document.
The recipient can also verify that the document has not been modified by anyone other than the author. To do so, they create a new digest from the plaintext message, and compare the resulting digest to the one from the author. If they match, the recipient has assurances that the document is unaltered.
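The hash-then-sign flow described above, worked through end to end as an added example (not code from the original post). It uses a toy textbook-RSA key built from publicly known Mersenne primes, so it has no real security and omits the padding (PKCS#1 v1.5 or PSS) that production signing wraps around the digest; the steps are the ones the post describes: digest, encrypt the digest with the private key, decrypt with the public key, and compare against a fresh digest.

```python
import hashlib

# Toy RSA key pair, constructed here for illustration only. The primes are
# Mersenne primes (publicly known), so this key offers no real security;
# real deployments use randomly generated primes of 2048 bits or more.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q                      # public modulus (~1128 bits, larger than a SHA-256 digest)
E = 65537                      # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (modular inverse, Python 3.8+)


def digest(message: bytes) -> int:
    """Step 1: reduce the message to a fixed-size, one-way, collision-resistant digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Step 2: the author 'encrypts' the digest with the private key (textbook RSA)."""
    h = digest(message)
    assert h < n, "digest must be smaller than the modulus"
    return pow(h, d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Steps 3 and 4: the recipient recovers the digest with the public key and
    compares it with a digest freshly computed over the received message.
    A mismatch means either the message was altered or the signature was not
    produced with the matching private key."""
    recovered = pow(signature, e, n)
    return recovered == digest(message)


def demo() -> dict:
    original = b"Transfer 100 USD to account 42"   # constructed sample message
    sig = sign(original)
    return {
        # unaltered message, genuine signature: authenticity and integrity hold
        "authentic": verify(original, sig),
        # one byte changed in transit: fresh digest no longer matches
        "tampered": verify(b"Transfer 900 USD to account 42", sig),
        # signature altered: decrypting with the public key yields garbage
        "forged": verify(original, sig + 1),
    }


if __name__ == "__main__":
    print(demo())
```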
Enhancing Digital Signatures with Hardware Security Modules
We recommend using a hardware security module for digital signatures for two reasons: performance and security.
From a performance standpoint, signing operations are very processor-intensive. And the longer the key, the greater the processing effort required. NIST recommends using keys that are at least 2048 bits in order to provide adequate security. At this length, there is a significant load on the CPU—and it is not something that can be solved by simply increasing the server’s RAM. The larger the signature key length, the greater the CPU utilization.
To be CPU-independent, you need to use hardware acceleration to provide a large number of both key generation and signing operations. The simple fact is that you need to offload all cryptographic functions to a dedicated HSM with its own dedicated crypto processors in order to ensure adequate performance and to prevent overloading the host server.
The second reason that all signing operations need to be performed within the HSM is basic security. As the entire security structure is built upon the foundations of cryptographic keys, care should be taken to protect the sensitive private keys. Private keys must be kept strictly private, secret, and secure. Without proper security measures in place to protect the signing process and underlying cryptographic keys our ability to trust digital signatures could be compromised. An attacker could create fraudulent signatures, or use legitimate signatures against an organization.