The Art of Data Protection
Doron Cohen, December 11, 2013, 11:05 am EST
This is the first time, after many years in the Identity Management and Authentication business, that I can truly say that a broad industry effort is in motion to bring the era of password authentication to an end. The adoption of cloud, along with changing user expectations around authentication, is creating a fundamental shift in awareness of how we – as end users and organizations – authenticate to networks, applications and services.
2014 bodes exciting developments for the authentication market. I believe this will be a year in which we will witness the embrace of new authentication schemes that will further change the way we protect our accounts and identities in the cloud. On one end, a seamless, portable identity and authentication tools that do not require us to remember dozens of passwords will become possible. At the same time, more and more services will become more secure by abandoning the reliance on passwords and moving to strong authentication, identity federation and single-sign-on technologies.
Below are some of the trends I see bringing us closer to this reality:
- Enterprises will be more proactive in securing their networks and cloud services. The need for enterprises to tighten access controls for their private and public cloud services will drive adoption of delivery models that offer cloud-based authentication and single sign on solutions for enterprise cloud services, public clouds and corporate networks.
- Enhanced security from cloud and SaaS providers. Cloud adoption is galloping forward, as threat vectors continue to escalate. As a result, enterprises will be more strident in their demands that cloud providers secure their offerings with HSM-based hardware-root-of-trust. Amazon has already taken a first step in this direction by offering Amazon Cloud HSM which secures their services and encryption keys.
- Customer demands for ease of use and frictionless authentication will drive improvements. Customers’ expectations for seamless trusted authentication and the continued dominance of smart phones and smart devices will accelerate the move from legacy hardware One-Time-Password tokens to mobile-friendly, embedded security and contextual access controls. These methods will rely on security elements built into devices, and leverage device sensors to authenticate users. We can already see early examples in Apple’s iTouch for biometric authentication, and investments by vendors such as Samsung to bake enterprise-grade security controls into their KNOX platform.
- The need for an interoperable and universal authentication framework. As the lines between different types of identities blur, there will be a greater demand for an authentication framework that can offer better assurance than passwords and which can be implemented across different environments and use cases. Developments in this direction are being taken by the FIDO Alliance whose aim is to develop a universally flexible authentication framework for consumers.
The trends I’ve mentioned above reflect a convergence of interest between end users and businesses. We have reached the point where we recognize the fact that static passwords need to go. It is exciting to know that the alternative authentication approaches currently evolving will be easier to deploy, easier to use, and make it easier for us to do business securely.
Prakash Panjwani, December 4, 2013, 02:09 pm EST
Eric Schmidt, Google executive chairman, had the simplest response recently to all the stories related to surveillance: “The solution to government surveillance is to encrypt everything.” True. But, there are two interesting issues that this simple statement brings up.
First, is encryption really just a response to surveillance? Or, is he saying that because the focus lately in the media is on who is doing the surveillance? The reality is that data security is in the middle of a game that has been going on for a much longer time than recent stories would lead you to think. It is the game between those who want your data and your ability to protect it. And that is not new. The only difference now is how much more aware the general public is regarding the need for safeguarding that data. But, if you ask any CIO of a reasonably sized corporation to name the security threats to their network and sensitive data, they will likely give you a very, very long list before the word “surveillance” appears on it, if it does at all. What does appear on that list are threats from organizations and individuals they don’t even know but who are coming up with sophisticated attacks to get to sensitive information.
Second, is the solution as simple as he makes it sound? There is no doubt that encryption is the right solution. But if you are going to truly encrypt everything, then it is certainly not sufficient to encrypt just the data in transit – as in between a client device and server (Google in this case). You must encrypt the data in situ, meaning data where it is stored. The majority of data that is vulnerable is actually sitting in corporate data centers in databases, file servers, on people’s laptops, in storage networks, and the cloud. If all data is then encrypted, who cares who manages to get access to it? It is a philosophy referred to as “secure the breach” – assume undesired parties will have access to your sensitive data and figure out how you protect it even if it was breached.
In larger corporations, as much as they would like to encrypt everything, typically they start with the data they have to encrypt. For example, confidential customer information such as credit cards or personal information such as health records or social security numbers require a higher degree of protection due to compliance requirements. However, the safeguarding of other important data and information that does not fall under regulatory mandates is usually hit or miss because it is generated, stored and accessed in many locations by many individuals. That is why comprehensive data protection strategies are so critical.
Once you know what to encrypt, the next challenge is managing encryption – especially keys used for encryption. Specifically, how are the keys generated? Where are they stored? What is the strength (or size) of keys? How often are keys changed? These are just some of the questions you have to answer when building a strong encryption strategy for protecting data.
So, yes, sure, Mr. Schmidt is right – encryption is the solution. But winning the data security battle isn’t as simple as the statement sounds when it comes to protecting the data you really care for, especially when in reality you don’t even know the enemy you are fighting. All you know is that you can’t afford to lose the battle – there is too much at stake, even more so than recent articles will lead you to believe.
Studies show that we collectively create about 2.5 exabytes of data every single day. That is the equivalent of about 625 million DVDs worth of new data, per day. That’s more data than the contents of every book ever written. Now amplify that on big shopping days such as Black Friday or Cyber Monday.
During an average day, you create data that exposes you to risk, but you don’t always think about those risks or the amount of people and organizations that have access to your data. Consider one simple online credit card transaction for Cyber Monday (one of nearly 23 billion that are processed annually in the U.S.) and the number of parties involved in that process.
- You hop online to buy a new sweater for your dad using the Cyber Monday coupon code (with free shipping). At check out, you enter your credit card to pay.
- The merchant sends a request to the acquirer (the payment processor that contacts the credit card company).
- The acquirer sends a request to the card issuer to authorize the transaction.
- An authorization code is sent to the acquirer if there is valid credit available.
- The merchant completes the sale, sends you an order confirmation receipt, and you check one more item off of your holiday shopping list.
- The merchant stores your credit card data in a daily batch of sales transactions.
- The merchant then also sends the entire batch of transactions to the acquirer to actually receive payment.
- The batch is then sent from the acquirer through a card network to request payment from each individual card issuer.
One transaction; numerous steps and numerous handlers. If a hacker can gain access to any part of this payment network they can steal your information. And what about the personal data that the merchant store now has access to? After swiping your card, the merchant assigns you a Guest ID number that stores a history of everything you’ve bought and any demographic information collected or bought from other sources. How is that data protected?
Many consumers tend to trust in the security of the payment systems they voluntarily opt into when making point of sale purchases. But the sad fact is that, while the initial transaction path is usually fairly secure thanks to regulations like PCI-DSS, the data tends to live on and is used in other ways – like data mining to understand buyer behavior. PCI-DSS focuses on credit card processing to improve security; however, as with most compliance regulations, PCI-DSS only mandates a lowest common denominator-level of security, and more may be required.
With so many points of failure and handlers throughout the lifecycle of the data, credit card information is hugely vulnerable to external hacking. For this reason, we have entered an era of “personal responsibility,” where consumers need to be aware of the risks of using credit cards in person, by phone or online and be selective about when and how they do so.
Top 4 Tips to Secure Your Identity and Wallet:
- Think about the personally-identifiable information you generate with each interaction and who you share it with. Government IDs, healthcare information, and credit cards are some of the most valuable data that criminals will try to intercept.
- When shopping, either physically or electronically, protect your card information and make sure you are dealing with a legitimate merchant.
- Use technology such as consumer encryption to make sure your data is unreadable if you lose it.
- When cleaning up around the house, shred documents that reveal critical data like your social security number, before you throw them away.
Retailers should likewise make reviewing the transaction security solutions they use a regular part of their business operations and take any steps necessary to address potential vulnerabilities that could leave customers’ data at risk.
Yael Beeri, November 27, 2013, 01:55 pm EST
The best and most successful way to introduce a new system into the organization is through communication.
We recommend that when communicating the introduction of your new two-factor authentication (2FA) solution to your employees, you make sure to cover the What / Why / How questions and topics.
So, how do you do it? We’ve put together an example of what such a communication should include. Feel free to cut/copy/paste/edit and adapt it to your brand and lingo. We also suggest you add a section about how to use the token, depending on the type of token you provide (hardware, software, one-time-password, certificate-based, etc.).
As part of our efforts to enhance security and become even more effective and productive, we have recently implemented a strong authentication solution. Going forward, it will be safer for you to access company assets remotely.
What is Two-Factor Authentication?
Two-factor authentication ensures that you are who you claim to be. Two-factor authentication can be achieved using a combination of two of the following factors:
- Something you know – a password or a PIN code
- Something you have – a token or a smart card
- Something you are – biometrics, such as a fingerprint
What is it for?
It’s to make your life easier and our assets more secure. With two-factor authentication, you won’t have to remember a static password. At the same time, access security for company resources is much improved, as we know for sure that when you log into a corporate resource, you are indeed who you claim to be – and not an impostor using a hacked or stolen password.
How to use your new token
Insert your IT service department’s instructions on how to use the provided authentication token(s) here.
Ever wonder exactly what a hardware security module (HSM) is used for? Or maybe you were curious what type of organizations use an HSM today. Check out the new “What is an HSM?” video for a quick crash course in HSMs.
From the Video:
What is a hardware security module? A hardware security module is a dedicated crypto processor, designed to protect the crypto key lifecycle, validated for security by third parties (FIPS 140-2, Common Criteria, PCI HSM, FIPS 201).
A hardware security module is a trust anchor. A trust anchor that protects the things we use every day. Things like:
- Mobile devices
- Smart meters
- Medical devices
- National identity cards
- Credit card data and PINs
- Mobile payments and verbal banking
- Digital documents
- And so much more.
Hardware security modules typically are appliances or cards. Appliances or cards that ensure compliance, simplify audits, improve performance, and securely generate and store keys.
Hardware security modules are trusted by the most security-conscious companies, agencies, banks, and service providers in the world.
Hardware security modules: trust anchors in a digital world.
Trisha Paine December 2, 2013, 11:57 am UTC
Tsion Gonen October 11, 2013, 10:04 am UTC
Andrew Young November 20, 2013, 11:41 am UTC