Stephen Helm, July 22, 2014, 10:30 am EDT
As we discussed in parts 3 and 4 of this series, encryption is only the first step to securing your data. If an organization doesn’t take the time to properly secure the keys, all of that encryption could be rendered useless. Step 2 of the Secure the Breach strategy urges organizations to securely manage and store the encryption keys.
Dino Pietropaolo, Manager for Federal Sales Engineering for SafeNet, Inc., wrote a great post on the importance of key management for government agencies. In the post, he equates storing encryption keys in software to hiding your house keys under the welcome mat at the front door. While this analogy does an excellent job of illustrating the inherent insecurity of such an approach, I am sure many of you can recall friends and neighbors (perhaps even your own parents), who did something similar with their own house keys.
The key was buried in the soil of a potted plant, stashed behind a mailbox, or maybe hidden under a garden gnome. Why? Because it was convenient. If you forgot your keys, or your children were locked out, you could quickly get the spare key from that “secret place” and get in safely.
We considered the keys secure and the house safe because we disguised the location of the key, and felt only those who knew the key’s location could use it. We also assumed that our houses would be an unlikely target.
Convenience, accessibility, and a false sense of security are also why three-quarters of organizations admit to storing encryption keys in software. For so long, storing keys in software has been seen as “secure enough.” The breach landscape has changed, and so too has the definition of “secure enough.”
The problem is getting worse over time as the use of encryption continues to grow. As new breaches occur, more and more organizations are turning to encryption to protect their data. Unfortunately many of these organizations deploy encryption-dependent systems like secure web services, encrypted backups, certificate authorities, or other encryption solutions in isolation without fully understanding how this affects the vulnerability of their keys.
The Importance of Key Security
The threat posed by compromised keys goes beyond simple theft. Sure, a burglar could find your house key, break in, and steal your television—but they could also make a copy of that key, replacing the original, and returning any number of times to steal valuables, spy on your family, or even impersonate you for their own gain, all without your knowledge. The same is true in the digital world.
Stolen keys can be used to decrypt sensitive data, sign malicious code that could be used to spy on your organization, and even impersonate your company’s web server. Without proper control, including the means to audit key locations, limit copies, and restrict access, there would be no way of telling who had used the keys maliciously.
Protecting Keys in the Secure Breach Era
Organizations today manage thousands of keys across a myriad of encryption-dependent systems, each with its own key management and associated policies. To ensure security, organizations must establish a centralized policy around the protection, storage, backup and organization of encryption keys. This policy should be part of a holistic, strategic security plan that achieves the following objectives:
- Securing keys throughout the key lifecycle. Reduce the exposure of cryptographic keys at every stage of the lifecycle: generation, usage, distribution, and destruction.
- Secure key storage. Keys should also be stored securely throughout their operational life. Hardware devices provide the most secure option for key storage. Examples of these devices include identity tokens (smartcards, USB tokens); trusted platform modules in desktop computers; embedded modules in special-purpose devices (e.g., tape/disk drives); and, of course, hardware security modules.
- Key usage authorization. Access control, authentication of users and confidentiality protection are all critical to ensuring that keys can be used only for authorized purposes by authorized entities.
- Accountability. Certain actions around cryptographic keys should trigger audit entries. The audit logs should be cryptographically secure and time-stamped to ensure their integrity.
With a centralized policy around key management in place, organizations can effectively decrease key exposure, consistently enforce policy across all encryption systems, and streamline administration.
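The last two objectives above, key usage authorization and a tamper-evident, time-stamped audit trail, can be illustrated in a few dozen lines. The following is an added example written for this page, not code from SafeNet or from any product it describes. It assumes a hypothetical per-key policy table (`KEY_POLICY`) naming which principals may perform which operations, and it stands in for an HSM by holding the audit HMAC key in memory; in a real deployment that key, like the keys being audited, would live in hardware. Each log entry carries a UTC timestamp and an HMAC chained to the previous entry's MAC, so editing, deleting or reordering any record invalidates every MAC that follows it.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical key-usage policy, constructed for this example:
# key_id -> principal -> set of permitted operations.
KEY_POLICY = {
    "backup-key-01": {"backup-svc": {"encrypt", "decrypt"}, "auditor": set()},
    "tls-signing-01": {"web-frontend": {"sign"}},
}

GENESIS_MAC = b"\x00" * 32  # chain anchor for the first entry


class KeyAuditLog:
    """Append-only, HMAC-chained audit trail for key operations.

    Every entry is time-stamped and MACed together with the previous
    entry's MAC, so the log is only verifiable as a whole. The audit key
    passed in is a constructed value for this example; in practice it
    would be held in an HSM rather than in process memory.
    """

    def __init__(self, audit_key: bytes):
        self._audit_key = audit_key
        self.entries = []
        self._prev_mac = GENESIS_MAC

    def _mac(self, record: dict, prev_mac: bytes) -> str:
        # Canonical JSON so the same record always produces the same MAC.
        payload = prev_mac + json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._audit_key, payload, hashlib.sha256).hexdigest()

    def record(self, principal: str, key_id: str, action: str, allowed: bool):
        """Append one audit entry (both granted and denied requests are logged)."""
        rec = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "principal": principal,
            "key_id": key_id,
            "action": action,
            "allowed": allowed,
        }
        mac = self._mac(rec, self._prev_mac)
        self.entries.append({"record": rec, "mac": mac})
        self._prev_mac = bytes.fromhex(mac)

    def verify(self):
        """Walk the chain; return the index of the first bad entry, or None if intact."""
        prev = GENESIS_MAC
        for i, entry in enumerate(self.entries):
            expected = self._mac(entry["record"], prev)
            if not hmac.compare_digest(expected, entry["mac"]):
                return i
            prev = bytes.fromhex(entry["mac"])
        return None


def authorize_key_use(log: KeyAuditLog, principal: str, key_id: str, action: str) -> bool:
    """Check the request against KEY_POLICY and record the decision either way."""
    allowed = action in KEY_POLICY.get(key_id, {}).get(principal, set())
    log.record(principal, key_id, action, allowed)
    return allowed


if __name__ == "__main__":
    log = KeyAuditLog(b"constructed-audit-key-for-example")
    authorize_key_use(log, "backup-svc", "backup-key-01", "decrypt")   # granted
    authorize_key_use(log, "web-frontend", "backup-key-01", "decrypt") # denied
    print("chain intact:", log.verify() is None)
    log.entries[1]["record"]["allowed"] = True  # simulate an edited record
    print("first tampered entry:", log.verify())
```

Denied requests are logged alongside granted ones, since a pattern of refused key operations is often the earliest sign that a key is being probed. Verification returns the index of the first entry whose MAC no longer matches, which also catches a deleted or reordered record because the chain breaks at that point.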
Mor Ahuvia, July 21, 2014, 11:34 am EDT
While two-factor authentication for secure remote access to corporate networks (VPNs) has become a ‘bare necessity’ for most organizations today, a good VPN strategy can offer new opportunities for IT ecosystem expansion.
With 20% of the global workforce telecommuting at least occasionally, offering VPN access to critical applications continues to be central to many organizations’ corporate culture. However, with 500 cyber espionage breaches tallied in 2013 alone, according to the 2014 Verizon Data Breach Investigations Report, web-borne threats need to be mitigated, as with any web-based access, by replacing weak, vulnerable passwords with strong authentication.
So how do you know if a VPN-authentication solution is highly advanced or just average? An advanced solution supports the latest technology—protocols and applications alike—to offer:
- Native SSL VPN and IPSec VPN support
- VPN-platform flexibility with seamless, tested strong authentication from all leading VPN brands, such as Check Point, Cisco, F5, Fortinet, IBM, Citrix, and Microsoft, among others.
- Native identity federation, allowing you to secure SaaS applications with the same authentication solution used to secure the corporate VPN.
To learn how SafeNet can help you secure VPN access while safely expanding your IT ecosystem, download our solution brief, Anytime, Anywhere Secure Remote (VPN) Access with SafeNet Authentication Solutions.
Did you know that for as little as $400, cyber-criminals can buy a LEGAL fibre-clamping device, tap a fibre-optic cable, and remove or add data – WITHOUT breaking the connection?
Data in motion has never been at a higher risk of exposure. It’s out there in terabytes (and even petabytes), and, if unencrypted can be ‘tapped’ or ‘sniffed’ with relative ease (see our video, Fibre Tapping: How to Protect Your Data in Transit with Encryption), or misdirected unintentionally either by human or machine error.
So, if you can’t prevent or detect fibre tapping, how do you secure your data in motion? As our infographic shows, the simplest and best approach for securing data-in-motion is to provide protection that stays with the data – wherever it is being sent.
For more information about securing your data in motion, visit safenet-inc.com/data-encryption/network-encryption.
Whether it’s for business or personal use, having buying options that allow me to manage my budget is crucial. Like any conscientious consumer, I look for opportunities to save on the products and services that I use, which also may explain why one-size-fits-all options for consumable services don’t usually work for me.
As an example, consider a gym that only offers one type of membership. With long-term contracts, members often don’t have the flexibility to negotiate or change membership terms once they’ve signed; even if they visit the gym less frequently—or stop going entirely—they’re still locked in to their contract. And, for people who exercise regularly, pay-as-you-go gym memberships can become cost-prohibitive for members who would rather commit to a longer term contract—if they could receive a discount for their loyalty.
Over the last 12 months, SafeNet has added encryption and key management solutions to AWS Marketplace to provide businesses with the ability to purchase and manage a complete encryption solution within AWS with simple, on-demand delivery and hourly pay-as-you-go pricing. As of today, SafeNet and AWS are adding another option.
For customers who wish to commit to yearly, discounted subscriptions, there are new annual pricing models for ProtectV (a full-disk encryption solution for virtual instances), and Virtual KeySecure (a hardened software appliance that manages and securely stores the encryption keys for ProtectV)—both available on AWS Marketplace. These two solutions work together, like the combination lock on your gym locker, to enable organizations to unify encryption and control across virtualized and cloud infrastructure which increases security and compliance for sensitive data residing in public cloud environments.
SafeNet’s Annual Subscription IS NOT Your Average Contract
When compared to hourly pricing, the new, yearly subscriptions allow businesses to better manage their budget and forecast their yearly software expenses while lowering their spending by 10 to 40%. For example, customers who use ProtectV and Virtual KeySecure on a regular basis may find that on-demand, annual subscriptions are a cost-effective way for them to cover steady workloads at a discounted price and supplement with hourly pricing to meet additional seasonal demand.
For customers who prefer the hourly, pay-as-you-go model and find that their usage needs have increased, moving to an annual subscription is quick and easy to do without submitting paperwork, purchasing new license keys, or installing new software. Annual subscription and hourly payment options are designed to fit your budget and your business needs—offering simple, trusted, and secure ways to quickly leverage SafeNet security offerings on-demand and on your terms.
Jennifer Hindle, July 10, 2014, 10:59 am EDT
Is your enterprise deploying Hadoop to manage big data? Hadoop provides scalable, cost-effective storage and fast processing of large data sets, yet security is not inherent in this popular big data framework. It cannot protect sensitive data residing in the nodes of a Hadoop cluster against illicit mining of data by unauthorized users or services.
As we shared in our last post, data breaches are on the rise and it’s important to have a plan to protect your data and, ultimately, your business. Take a look at our latest infographic to find out why securing big data has become such a big deal, and get tips for locking down your organization’s sensitive data at rest and data in motion in a Hadoop cluster.
Key Stats from this Infographic:
- The global volume of data will grow by a factor of 300 — from 130 to 40,000 exabytes — between 2005 and 2020.
- By 2018, global fixed broadband speeds will reach 42 Mbps, up from 16 Mbps in 2013.
- Thirty-two percent of companies surveyed have already made a Hadoop deployment, 31 percent intend to deploy Hadoop in the next 12 months, and 36 percent expect to deploy Hadoop more than a year from now.
- Between January and March 2014 alone, more than 200 million records were stolen — the equivalent of approximately 93,000 records stolen every hour.