
This is the second in a series of blog posts about how to address data security in the AWS cloud environment with the SafeNet product line from Gemalto.  Topics that will be addressed include: how to store data in the AWS cloud with customer-owned encryption, roots of trust, the importance of secure key management, encryption and pre-boot authentication for EC2 and EBS, and customer-owned object encryption for Amazon S3.

The Challenges of Cloud Security

Most people know that if you want to keep your company data safe from not only hackers but also unauthorized prying eyes—such as customers and coworkers—you need to encrypt it.  After all, an encrypted environment is far more secure than an unencrypted environment because encryption equals safety . . . or does it?

Encrypting Your Data Is Not Enough

At the most basic level, encryption runs data (whether in files, databases, or sitting on servers) through an algorithm, under a key, that renders it unreadable to anyone who does not hold the corresponding key. Sounds safe, right? After all, a correctly implemented modern cipher cannot practically be broken without the key. But the cipher is only one part of the story: once data is encrypted, its secrecy rests entirely on the secrecy of that key, so the safety of your data in the cloud is ultimately determined by the encryption scenario you’ve put in place. For business leaders and IT administrators, this means that understanding the encryption process as it relates to the ownership of and access to company data, and to the keys that unlock it, is crucial to securing it in the cloud.

To illustrate why ownership of and access to data plays such a critical role in data security, let’s examine encryption in a “what if” scenario that replaces your company’s encrypted data with your wallet.

Scene:  The Gym

Let’s say you go to the gym and lock your wallet in a locker for safekeeping while you work out. How is the safety of your wallet affected if you drop the key on the floor or store it on the ledge above the locker? What if you give the key to a friend while you run on the treadmill or leave it with your towel at the edge of the pool while you swim laps?  What if someone finds the key and gives it to the front desk? What if you use a gym-issued lock and the facility holds a master key or copy of your key?  What if you see—or don’t see—evidence that someone has tampered with your lock?  What if the lock manufacturer created duplicates of the very same lock and key that you are using?

In each of these scenarios, your wallet is locked in the locker, but how well is it really protected if you do not have full ownership and control over the lock mechanism and the key used to secure it?

Encryption Requires Levels of Protection

Protecting data, especially sensitive data, requires various levels of data encryption protection. And, it is the responsibility of each and every data owner to execute due diligence by researching every “what if” so that the appropriate level of protection can be applied to secure their data stored in the cloud. Making sure that data is safe from unauthorized access requires enterprises to consider not only the physical and logical security of the cloud service provider but also who is encrypting the data; when and where the data is being encrypted; and who is creating, managing, and accessing the encryption keys. Much like the “wallet-in-the-gym-locker” example, encryption is more than a code and a key.

Storing Data in the Cloud with Customer-Owned Encryption

Widely recognized by analysts and experts as a necessary way to control data stored in the cloud, customer-owned encryption is fundamental to demonstrating regulatory compliance. Experts often recommend encrypting sensitive data and deploying customer-owned key management to:

  • isolate regulated and sensitive information and
  • separate encryption control and ownership from the cloud provider.

By doing so, organizations can demonstrate compliance and pass audits and, most importantly, protect sensitive data against attacks that go through the provider rather than through you: a compromised provider account, a provider insider, or a disclosure demand served on the provider. If the provider never holds the key, it can hand over only ciphertext.

Three Rules for Encrypting Data Stored in the Cloud

  1. Own your encryption so that you—not your cloud provider—can address any and all access requests for the surrender of your company’s cloud data.
  2. Own and manage the encryption key lifecycle (generation, storage, rotation, revocation, and destruction) to ensure that your cloud data is always secure and that you alone decide when it becomes unrecoverable.
  3. Define and control data access permissions for company personnel, partners, vendors, customers, etc. to prevent unauthorized access to your cloud data.

Encryption Ownership:  

It’s the difference between thinking and knowing that your cloud data is secure.

I used a gym locker analogy not only because I liked how it compared to the various levels of cloud data security but also because it got me thinking about the difference between thinking and knowing that my cloud data is secure. Let’s face it; there are enough “what ifs” in business and in life. So whether you are moving data to the cloud for the first time or refining an existing cloud security scenario, knowing that your cloud data is secure with customer-owned encryption will not only give your data — and the data of your prospects, customers, clients, vendors, partners, and everyone you do business with —the protection required by business mandates, but will also give you peace of mind to attend to the business at hand (and that workout you’ve been putting off).

For more information on taking ownership of your encryption and encryption keys in the cloud, watch our on-demand webinar, Trusted Crypto in the Cloud: Best Practices for Key Ownership and Control.


Mobile Workforce Security Blog Series – Part 4

Organizations worldwide are seeking greater employee mobility for a variety of business and quality of life reasons. Key to becoming a ‘mobile enterprise’ is the ability to manage and secure the identities and data within an IT ecosystem whose boundaries are becoming increasing blurry. This blog series explores how enterprises can do so to gain enterprise mobile security.

While the proliferation of mobile endpoints and BYOD programs helps drive workers’ productivity up, it introduces a major hurdle for IT. Where the enterprise perimeter was previously limited to well-defined, corporate-issued devices, that perimeter is now stretched to include personal mobile devices, and in some cases the same device doubles for personal and work-related use.

That is why it is not uncommon for enterprises today to charter mobile enterprise security plans that tackle the issue of how to enable mobile workforce productivity while ensuring mobile endpoint security and reducing the risk of a breach.

Here are a few pointers to keep in mind when developing your own mobile enterprise security plan:

#1 Identify the applications you need, and ensure consistent enforcement of security policies.

In order to drive mobile productivity up, you’ll need to provide the right productivity tools to your mobile workforce. How can you identify mobility-driving applications? Either from usage logs or via an end-user survey, figure out which applications your users need or will benefit from most. After identifying these, make sure to account for each application in your security plan, so that it is covered end to end, including how users authenticate to a resource from a mobile device and after what period of inactivity they are logged off (session timeout).

Caution – Consider various levels of assurance: To keep the authentication journey as simple as possible, make sure your plan includes a way to implement different security assurance levels, to accommodate the different levels of risk posed by different applications (for example, accessing the VPN vs. an attendance application).

#2 Implement mobile endpoint security measures.

Mobile endpoint security is essential as devices that are lost or stolen present a twofold hazard: not only do they contain sensitive data, but they also contain access credentials which could be used to glean even more valuable data.  According to a study by the Ponemon Institute sponsored by Intel, the overall cost of a stolen laptop is upwards of USD $49,000, with 80% of the cost comprising expenses such as “forensics, lost productivity, legal bills, regulatory expenses, and lost intellectual property.” How can you secure data within, and access from, mobile endpoints? Full Disk Encryption (FDE) of a laptop’s hard drive ensures that the data on it remains indecipherable even if the disk is physically removed from the laptop and connected to another device in an attempt to read its contents. Note that FDE protects data at rest: a laptop that is running and unlocked is not protected by it. Another option is preboot authentication, where 2FA is required before the laptop boots, so the disk-encryption key is never released to a machine whose user has not proven their identity. And on the server side, authentication of mobile devices can be simplified using device- and behavior-based attributes, such as device ID and source IP address.

#3 Get the visibility you need to maintain compliance.

As you add more applications and throw in additional security mechanisms and policies, it gets harder to achieve complete visibility into your IT ecosystem. Find a “single point of management” solution that will enable administration of on-prem, cloud and remote resources from one, central console. That kind of solution will let you define a policy once, and enforce it throughout.

Caution – Apply real-time alerts: What happens if a mobile device is lost or stolen? Make sure you have an automated alert mechanism in place that notifies you of any system exceptions (i.e. anomalies). This will ensure that you can quickly revoke the device’s permissions to all applications, so that the access credentials present on a stolen device are rendered useless.

To learn how simple and easy enterprise mobile security can be, check out our infographic or visit our A4 Authentication for Mobile Workforce Security microsite, and find out how you can secure access to Any Application, from Any Device, at Any Assurance Level, Anywhere.


Recently, Jen Hindle wrote about unsharing your data, and the three steps to make it happen:

  • First, locate your sensitive data.
  • Next, encrypt it.
  • And finally, own and manage your keys.

So how do you go about doing this across your enterprise? Many of you probably find your organization deploying multiple data protection projects in silos to react to different mandates, meet the security requirements of individual business units, or address a security breach.

If you find yourself doing patchwork deployments when what you really want is a smart, long-term data protection strategy, then it’s time to enable encryption as an IT service.

What is Encryption as an IT Service?

Extending the “as-a-service” concept to your enterprise enables your IT and security teams to become a service provider, combining resources to unify and centralize services for encryption and key management. Once encryption as an IT service is deployed, your internal “customers” have a single place to go to subscribe to the services they need to address all of their data protection needs. The result is a simple, cost-effective, elastic, and more secure service that is available across different solutions, data centers, geographies, environments, or all of these areas.

By enabling your IT group to act as a service provider, encryption and key management can be centrally governed yet delivered wherever the data lives. This means that consistent security policies can be set across the organization’s varied encryption deployments and updated automatically as needed, while business owners keep their data separate. Standards can be maintained throughout. The IT and security teams can apply their expertise to provide high-level APIs with consistent security parameters across the organization. At the same time, internal consumers, from business unit leaders to developers, or the actual applications, databases, or file servers registered to the “service”, benefit from the economies of scale and the security provided by this consolidated and comprehensive approach to data protection.

As efforts are consolidated in a “one-stop-shop” service, “build once” solutions can be replicated effectively and overlapping encryption solutions can be avoided. For example, developers don’t decide on key types or sizes, as they are already abstracted by APIs, ensuring that security remains in the hands of the security experts. Auditing and compliance tracking is also simplified as it is centralized.
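The three rules above for cloud data (own the encryption, own the key lifecycle, control who can decrypt) and the encryption-as-an-IT-service model are, in practice, envelope encryption behind a small key-service API. The following Go program is an added example written for this page; it is not Gemalto or SafeNet code. KeyService is a hypothetical in-memory stand-in for a customer-held HSM or key manager, the KEK identifiers (kek-1, kek-2) and object names such as customers.csv are made up, and AES-256-GCM with the object name as associated data is my choice of cipher. Developers calling it pass only an object name and bytes; the service generates a fresh data key per object, wraps it under the customer-owned KEK, and can rotate or retire that KEK without re-encrypting what is already stored.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is all the storage provider ever holds for one object; without the customer's KEK it is opaque.
type Envelope struct {
	KEKID      string // customer KEK that wraps the per-object data key (DEK)
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Data       []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// KeyService is the customer-run key endpoint, a hypothetical in-memory stand-in for an HSM or key
// manager. It owns every KEK and fixes cipher and key size; callers never see a KEK. Call RotateKEK once before the first Encrypt.
type KeyService struct {
	keks   map[string][]byte // KEK id -> 256-bit key
	active string            // KEK used for new wraps
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // cannot fail on Go 1.24+; the process aborts instead if the OS RNG breaks
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes from randBytes, so this is a bug, not input
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: the AES block size is 16
	return gcm
}

// seal returns nonce||ciphertext; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// unseal reverses seal; a wrong key, a different aad or one flipped byte all fail authentication.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("blob too short") // guard: slicing a short blob would panic
}

// RotateKEK creates a new KEK and makes it active; older KEKs stay usable until retired.
func (ks *KeyService) RotateKEK() {
	if ks.keks == nil {
		ks.keks = map[string][]byte{}
	}
	id := fmt.Sprintf("kek-%d", len(ks.keks)+1)
	ks.keks[id], ks.active = randBytes(32), id
}

// RetireKEK destroys a KEK; every envelope still wrapped under it becomes unrecoverable.
func (ks *KeyService) RetireKEK(id string) {
	delete(ks.keks, id)
}

func (ks *KeyService) unwrap(objectID string, env *Envelope) ([]byte, error) {
	kek, ok := ks.keks[env.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %s is retired or unknown", env.KEKID)
	}
	return unseal(kek, env.WrappedDEK, []byte(objectID))
}

// Encrypt seals data under a fresh per-object DEK and the DEK under the active KEK; objectID is the AAD in both layers, so a ciphertext copied to a different object name will not decrypt.
func (ks *KeyService) Encrypt(objectID string, plaintext []byte) *Envelope {
	dek, aad := randBytes(32), []byte(objectID)
	return &Envelope{KEKID: ks.active, WrappedDEK: seal(ks.keks[ks.active], dek, aad), Data: seal(dek, plaintext, aad)}
}

func (ks *KeyService) Decrypt(objectID string, env *Envelope) ([]byte, error) {
	dek, err := ks.unwrap(objectID, env)
	if err != nil {
		return nil, err
	}
	return unseal(dek, env.Data, []byte(objectID))
}

// Rewrap moves an envelope to the active KEK by rewriting only the wrapped DEK; the data ciphertext is untouched, so rotation never re-encrypts stored objects.
func (ks *KeyService) Rewrap(objectID string, env *Envelope) error {
	dek, err := ks.unwrap(objectID, env)
	if err != nil {
		return err
	}
	env.WrappedDEK, env.KEKID = seal(ks.keks[ks.active], dek, []byte(objectID)), ks.active
	return nil
}
```

What the cloud provider stores is the Envelope: ciphertext and a wrapped key it cannot open, so a surrender request served on the provider yields nothing readable. Rotation only rewrites the small WrappedDEK field, and retiring a KEK makes every envelope still wrapped under it unreadable, which is the lifecycle control rule 2 asks for. A production service would additionally record every Encrypt, Decrypt and Rewrap call for the centralized audit trail described above, and keep the KEKs inside an HSM rather than in process memory.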

A Streamlined, Repeatable Model for Centralized, Enterprise-wide Encryption

By moving past silo-constrained encryption and deploying encryption as an IT service centrally, uniformly, and at scale across the enterprise, your organization can benefit from unmatched coverage— whether you are securing databases, applications, file servers, and storage in the traditional data center, virtualized environments, and/or the cloud, and as the data moves between these different environments.

When complemented by centralized key management, your organization can apply data protection where it needs it, when it needs it, and how it needs it—according to the unique needs of your business.

Armed with these encryption-as-an-IT-service capabilities, your organization can realize a host of benefits:

  • Strengthened security
  • Reinforced compliance and reduced audit costs
  • Reduced security and IT costs
  • Increased IT and business agility

Ready to break down the silos? Start delivering Encryption as an IT Service across your organization and improve your security posture, reduce costs, and increase business agility. To find out how, download our Encryption as an IT Service white paper.


Mobile Workforce Security Blog Series – Part 3

Organizations worldwide are seeking greater employee mobility for a variety of business and quality of life reasons. Key to becoming a ‘mobile enterprise’ is the ability to manage and secure the identities and data within an IT ecosystem whose boundaries are becoming increasing blurry. This blog series explores how enterprises can do so to gain enterprise mobile security.

Increased enterprise mobility doesn’t have to mean additional budget.

When it comes to secure remote access and the flexible work styles it allows, many companies still perceive employee mobility to be a luxury. Not only do concerns over upfront investment surface in the mobility discussion, but anxieties over the need for additional administration and staff understandably emerge as well. While numerous solutions can provide increased security, the question remains how much management overhead will be incurred along with that security.

Happily, secure remote access, be it to the corporate network or to cloud applications, can be deployed within your company without shelling out additional budget. When evaluating strong authentication solutions for your VPN access control needs, look for these cost-cutters:

  • As-a-service delivery, which reduces TCO by up to 60% according to Gemalto research, and provides flexible subscription-based pricing models.
  • Over-the-air provisioning of software-based tokens and tokenless authentication methods. Examples include OTP apps, OOB, and context-based authentication. These two-factor authentication (2FA) methods make it easy to extend strong security to remote staff, and lower ongoing operations & maintenance costs associated with provisioning and replacing lost or damaged tokens.
  • Automated workflows, including automated lifecycle administration of user accounts and tokens synced with existing user stores, and workflows that leverage self-service portals to cut helpdesk costs. Automated system and account-related alerts further reduce overheads, as does a multi-tier, multi-tenant architecture, which comes in handy for applying existing security policies to new business units.
  • Broad ecosystem support, namely out-of-the box integrations which shorten time to deployment and remove the need for additional development efforts, and let you leverage the same solution for all your user access control needs (VPN, VDI, portals, cloud etc.).
  • Native identity federation, which eliminates hard and soft costs related to identity federation servers, and shrinks costs associated with lost or forgotten passwords.
  • Support of third-party solutions, which lets you keep your current authentication servers and token estate, and allows for incremental migration to a new or refreshed solution.
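The OTP apps and software tokens listed above are, under the hood, RFC 4226 HOTP and RFC 6238 TOTP: a shared secret provisioned into the app, an HMAC over a counter or time step, and a short code the server recomputes. The following Go program is an added example written for this page; it is not Gemalto or SafeNet code and does not describe how SafeNet Authentication Service implements OTP. It shows both sides of the exchange: the code the token generates, and a server-side Verifier that tolerates one step of clock drift and refuses to accept the same time step twice. The Verifier type, its window and replay guard are my design choices, and the user name alice and the in-memory secret store are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const step = 30 // seconds per TOTP time step (the RFC 6238 default)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to
// a 31-bit integer, then its low `digits` decimal digits, zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp implements RFC 6238: the HOTP counter is the number of whole time steps since the Unix epoch.
func totp(secret []byte, at time.Time, digits int) string {
	return hotp(secret, uint64(at.Unix())/step, digits)
}

// Verifier is the server side of a software-token rollout. Each user's secret was provisioned
// into their OTP app; the server accepts the current step plus one step either side for clock
// drift, and never accepts a step it has already accepted, so a captured code cannot be replayed.
type Verifier struct {
	digits  int
	secrets map[string][]byte // user -> shared secret (constructed in-memory store)
	last    map[string]uint64 // user -> highest time step already accepted
}

func NewVerifier(digits int) *Verifier {
	return &Verifier{digits: digits, secrets: map[string][]byte{}, last: map[string]uint64{}}
}

// Enroll stores the secret that over-the-air provisioning also delivered to the user's app.
func (v *Verifier) Enroll(user string, secret []byte) { v.secrets[user] = secret }

// Verify checks code for user at time now.
func (v *Verifier) Verify(user, code string, now time.Time) bool {
	secret, ok := v.secrets[user]
	if !ok || len(code) != v.digits {
		return false
	}
	cur := uint64(now.Unix()) / step
	for d := int64(-1); d <= 1; d++ {
		s := uint64(int64(cur) + d)
		if last, seen := v.last[user]; seen && s <= last {
			continue // this step, or an older one, has already been used
		}
		// constant-time compare so response timing does not leak how many digits matched
		if hmac.Equal([]byte(hotp(secret, s, v.digits)), []byte(code)) {
			v.last[user] = s
			return true
		}
	}
	return false
}
```

Two caveats a deployment needs beyond this: the secret must reach the app over a protected channel (the over-the-air provisioning step above) and never be logged, and because a 6-digit code gives an attacker a 3-in-1,000,000 chance per guess with this window, the login endpoint must rate-limit or lock out after a few failures. Widening the drift window makes users happier and the guesser's odds better in the same proportion.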

With two-thirds of data breaches resulting from compromised credentials, according to Verizon’s DBIR (the OPM and Target breaches among them), IT directors and CIOs can easily protect their organization’s credentials with a step-up second factor. Just as wearing a seatbelt constitutes a must-have rather than a nice-to-have, 2FA is a must-have for IT leaders looking to steer their companies onto the mobility freeway.

To learn how simple and easy enterprise mobile security can be, check out our infographic or visit our A4 Authentication for Mobile Workforce Security microsite, and find out how you can secure access to Any Application, from Any Device, at Any Assurance Level, Anywhere.


In October, I wrote a Halloween-themed blog titled “IoT Nightmares: Rerouted” in which a faceless “Mr. Thompson” flees from members of a criminal enterprise only to have his car hacked and rerouted to the place of his eventual capture.

Rerouted was based on research from 2013 into the vulnerability of connected cars.  Security researchers Charlie Miller and Chris Valasek showed that a car’s data and systems could be accessed by hackers within a 130-foot range. Their research caught a ton of headlines and was supposed to serve as a wake-up call for the auto industry. Today, the very same researchers announced that 471,000 connected vehicles could be hacked from nearly anywhere in the world, as long as the attacker knew the IP address of the target vehicle.

Miller and Valasek’s latest attack enters through the car’s cellular connection and pivots to the hardware of the entertainment system. At that point the attackers are able to rewrite the system’s firmware and begin sending commands over the car’s internal computer network, all while remaining undetected.  With the ability to send commands to the various components of the car, an attacker can do things as innocuous as changing the radio station or adjusting the temperature, or as dangerous as bringing the car to a halt on the highway.

Miller and Valasek are slated to unveil some of the details of the attack during the Black Hat security conference in Las Vegas next month, but today’s announcement surely sent chills down the spine of the players in the automotive industry. With the Senate set to introduce new legislation to establish security standards for privacy and protection in the automotive industry, it is increasingly apparent that security must become a higher priority for auto manufacturers and their partners.

Vulnerabilities like the one Miller and Valasek discovered are alarming, but make no mistake; the connected car movement is here to stay. Consider the progress being made toward autonomous vehicles. Recent estimates predict that 75% of vehicles on the road will be autonomous by 2040, and by removing the driver from the equation some studies project that self-driving cars will reduce automobile accidents by up to 90%. If those projections are true, the future of autonomous and connected cars will represent one of the most important technological advancements in health and safety ever made.

For more information read our recently published white paper, “Building the Trusted Connected Car,” in which we discuss some of the ways manufacturers, application providers, and communication service providers in the automotive world can mitigate threats to connected cars using things like code signing and strong identities.
