
All I want for Christmas is data protection. 

Okay, that may be a stretch, but I do wish my friends and family health, prosperity, and happiness in the New Year, and data protection is part of that mix. As for most of us, my holiday shopping is almost done. And for me, most, if not all, was done online and with my credit card for many reasons: 1) convenience, and 2) it is great racking up the credit card points since I know my balance will be paid off by the statement due date.

Now, one would think with the rise of data breaches in 2014 (224% increase in 2014 according to the Breach Level Index) that consumer behavior would change and people would go back to the stores and use cash only, but the reality is, it has not. In fact, the National Retail Federation anticipates online shopping to increase by 8-11% this holiday season. Why is that? It goes back to my point #1 above—convenience. No lines, same bargains, instant one-click purchasing, and free shipping to your doorstep. It is a win-win for all of us.

Even so, the breach details have been downright scary this last year; many of our favorite stores have been on the list, including Target, Home Depot, Neiman Marcus, etc. But the truth is no retailer is immune; it is just a matter of which retailers are finding out about the problem fast enough and reporting it first.

This is where data protection comes into play. The entire industry has gathered around the breach epidemic; they have improved standards surrounding payment data security with a new PCI DSS standard; they have enacted better point-of-sale protocols such as point-to-point encryption, which encrypts the payment transaction details at the moment of swipe; and numerous retailers have completely segregated all of their payment data from the rest of their customer data, making it more difficult for even the savviest of hackers to gather personally identifiable information (PII) and link it to payment credentials. While this last bit is a hassle for consumers who accidentally leave their Target Redcard at home, for example, and find themselves unable to retrieve their account number at checkout, Target in this instance is doing this to protect their customer base with a heightened data protection strategy.

So what can we as consumers do to protect ourselves without impacting the convenience of online and credit card shopping?

  1. Disable one-click shopping from your mobile devices. This feature is convenient, but if someone stole your phone, tablet, or laptop they could go on a shopping spree with you paying the bill.
  2. Delete saved payment methods from your favorite online shopping sites. Yes, this means you have to take that extra step of entering your billing information, but it saves you the headache in the event of a breach or if someone accessed your log-in credentials online.
  3. Check your statement thoroughly. This seems like old school common sense, but I can’t tell you how many times a transaction on my bill doesn’t match up, as the payment entity name may be different, or it could have been a result of credit card fraud. Notifying your credit card company of these questionable charges not only helps you stay financially aware but also alerts your credit card company of potential security issues with the retailer.
  4. Enable two-factor authentication options if offered by the online retailer. User name and password is not enough for proper access controls. Several online retailers offer additional levels of access security to verify account information. Take advantage of this service.
  5. Check the news. If a store you frequent has been breached, make sure your account information was not compromised, and for good measure, you may want to ask your credit card provider to issue you a new card regardless.

None of us are immune in the digital age to breaches. Retailers are doing all they can —  mandated and otherwise — but we as consumers need to be aware of what we can do to fight the battle. So while encryption and access control may not come up as a topic of conversation at most holiday dinner tables (unless you work in the industry), the topic of a retailer breach may, and you can give the gift of awareness to those around you to do a few simple things to protect themselves.


Nippon RA created a solution enabling cloud providers to secure access to cloud-based applications and assets using integrated PKI authentication. By installing digital certificates on users’ devices, Nippon RA is able to verify a user’s identity and allow or deny access to protected cloud applications.

The rapid increase in multiple computers, mobile devices, and smartphones caused Nippon RA to seek a solution that enabled the same secure PKI infrastructure without tying users to only one device. SafeNet’s authentication solutions store certificates on portable USB devices or software tokens, so the certificate is validated from the SafeNet token, not the user’s computer. Nippon RA continues to offer cloud providers safe, secure authentication to cloud applications, while customers can securely access cloud-based assets from any computer or device.

“SafeNet provides us with a low-cost, safe and secure authentication infrastructure to support a variety of cloud services. It gives our PKI service more flexibility so that users can authenticate to cloud applications on any computer or device, at the office, or at home,” said Seiji Tadokoro, Executive of Sales.

Read the full case study in English or Japanese to see how SafeNet authentication increased security while enabling mobility and user flexibility.

Want to see how SafeNet’s authentication solutions compare to others? Download a free copy of Gartner’s Magic Quadrant for User Authentication. 


The holiday shopping season is in full swing. As consumers prepare for parties for hosting, marshmallows for toasting and caroling out in the snow, they’re swiping their credit cards and providing more personal information than ever before as they make their online and in-store purchases.

That’s great news for retailers as sales are easier to make than grandma’s sugar cookies. From big box stores to small businesses, it truly is the most wonderful time of the year – unless they fall victim to a data breach.

It was just about a year ago when the news of the Target breach hit the headlines, dealing a blow to the retail giant during the busiest time of year. The company reports at least 40 million credit cards were compromised in the breach, and that as many as 110 million people may have had personal information, such as email addresses and phone numbers, stolen.

So how can retailers stay out of the headlines as this year’s holiday breach victim? There’s no doubt the bad guys are going to break the perimeter and access sensitive data…the breach is inevitable. That’s why it’s essential for retailers to encrypt credit and debit card information, as well as customer contact information, while it’s at-rest or in-motion.

Encrypting Data-at-Rest

A retailer’s sensitive data resides in more places than ever before. From file, database, application, and web servers, to network attached storage (NAS), both structured and unstructured data-at-rest is attractive and easily targeted due to its volume and relevance. In addition, there are more bad guys than ever before, with both insider and outsider threats on the rise. If an unauthorized user or service breaks the perimeter and accesses sensitive data, that data becomes an easy target if it is not secured.

An organization should identify where high value data-at-rest exists on premises, in traditional or virtualized data centers, or in the cloud. Then implement a strong data encryption strategy that will render sensitive data – wherever it resides – useless in the event of a breach, misuse or hijacking of privileged accounts, physical theft of servers, and other potential threats.

With strong encryption and key management solutions in place, a retailer can also ensure that their customers’ personal information is secured and the organization is PCI DSS compliant.

Encrypting Data-in-Motion

As data moves from one location to another it is highly vulnerable to attacks such as fiber tapping. As the data travels across the network, hackers can attach an evanescent fiber coupling device to the cable without detection. The hacker records all activity that runs across the network, and your data is captured and stolen without your knowledge. If that’s not enough, this type of attack can also be used to change data, and has the potential to override the controls on the entire system.

Encrypting your data in motion ensures that your sensitive information is protected, and stays that way. Through encryption, you can prevent hackers from reading or viewing the document, including the metadata, as it moves across networks. Whether data, voice, video or all of the above, your sensitive data and metadata should be encrypted to protect not only your organization, but your customers and employees as well.

Make this and every holiday season the most wonderful time of the year for your retail business. Learn more about the vulnerabilities of the retail payment ecosystem and find out how SafeNet’s encryption solutions can help lock down your sensitive data today!


Last year, we predicted 2014 would be the year encryption comes of age, and BBC followed right after with their proclamation of 2014 being the year of Encryption.  Looking back, I think we can safely say they (we) were right (with a big exclamation point!).

Following the Snowden disclosures and Eric Schmidt’s statement that “the solution to government surveillance is to encrypt everything,” major companies like Facebook, Google, Microsoft and Yahoo! made investments to secure their networks and services with encryption technology.  Most recently, Apple and Google took the bold step of encrypting all data on their phones as the default setting.  True, the media coverage has focused on Encryption Games these companies are waging in order to restore trust with their users over surveillance.  But, the public discourse on encryption, regardless of its purpose, is something we have never seen before, ever.

While the surveillance blocking initiatives of the major technology heavyweights have caught the headlines, the bulk of the spending on encryption, in truth, is being spent on protecting financial and other sensitive information from cyber criminals and other threats.  Banks, healthcare organizations and retail companies are now taking a much closer look at encryption as a central focus for safeguarding their data.  In the wake of the recent retail data breaches, many large retailers are totally overhauling the security of their payment systems with end-to-end encryption.  Put simply, the call for a highly encrypted future is not just about stopping surveillance.  That would be shortsighted.  It is about the privacy and security of all sensitive data, personal, financial or corporate intellectual property to secure against the breaches.

So, if 2014 was the year encryption became mainstream, what does 2015 hold in store for us?  Given the growing adoption and use cases for encryption, the big issue for companies and other organizations moving forward will be the increasing complexity of encryption key management.

So, that said, it’s now time for another annual prediction: 2015 will be the year of Crypto Management – the creation, management, security and storing of encryption keys.

Why will 2015 be the year of Crypto Management?  That is easily answered when you weigh the growing adoption of encryption against the skills and technology (or lack thereof) that companies currently have.

Let’s look at some data points¹ to demonstrate the reality:

  • Demand is on the Rise:
    • More than 70% of IT professionals say the ability to encrypt data is important, and this will increase to nearly 80% over the next two years.
  • The Complexity is Growing:
    • The average enterprise with more than $1 billion in revenues has more than 17,000 keys and certificates.
    • The average company today has 12 applications that require encryption and has seven different encryption/key management platforms.
  • Resources are Limited:
    • The majority of companies (60%) have fewer than five people involved in encryption management, globally.
  • No Centralized Strategy for Key Management:
    • Fewer than half of companies store their keys centrally, with 45% storing their keys in software, which is the worst place for the crown jewels.
    • And, here is the kicker, nearly one-fifth of IT professionals do not know where their encryption keys are stored.

So, to summarize, it’s obvious that encryption is seen as more strategic in corporate data security, but the reality is that most companies do not have the right technology, people skills, and strategies when it comes to strong crypto management.  This is a problem, a big problem.

There is a saying that goes something like this: “Amateurs talk about encryption while professionals talk about key management.”  Sure, you can protect as much data with encryption as you want, but screw up key management and you risk exposing or, even worse, losing all of your data.  Imagine this conversation:

CIO: (walking, really running, down to the CEO’s office) “It’s gone.”
CEO: “What’s gone?”
CIO: “The data.”
CEO: “What data?”
CIO: “All of it.”
CEO: “How the [bleep] did that happen?”
CIO: “We lost the keys.”
CEO: “Keys? You mean, like, car keys?”
CIO: “No. The encryption keys.”
CEO: “WTF are those?”

For that reason, 2015 will be the year we start talking Crypto Management. You heard it here first.

To learn the four crypto components essential to any data protection strategy, check out our Building a Crypto Foundation page.

¹ Source: Ponemon Institute and SafeNet

With robust solutions for infrastructure, energy, and architecture, and a global customer base, a forward-thinking civil engineering organization needed the ability to work closely with sub-contractors and partners. They wanted a strong authentication solution that would make it easy to grant certain access levels to these users, and equally easy to remove access when the project was complete.

While they had been using RSA SecurID for more than a decade, they found the solution was complex to manage, caused excessive administrative overhead, and didn’t integrate with Microsoft Active Directory.

“We needed a change. RSA SecurID was complex, expensive and really did not meet all of our needs. SafeNet Authentication Service makes it easier for our administrators to manage access to corporate resources, reducing the cost and resources needed for this process. The decrease in administration cost is monumental,” explained the company’s Lead IT System Engineer.

SafeNet Authentication Service provides the flexibility and automation that the company needs to operate at a global level, while reducing cost and resources on administration and ongoing management of their strong authentication environment. SafeNet Authentication Service also provides the company with a strong integration to Microsoft Active Directory, further streamlining their identity and access management.

Read the full case study to see how SafeNet authentication increased security while cutting costs.

Want to see how SafeNet’s authentication solutions compare to others? Download a free copy of Gartner’s Magic Quadrant for User Authentication.
