The Art of Data Protection
Jason Hart, March 18, 2015, 10:00 am EDT
Over the years I have spoken to organizations of all shapes and sizes about how to address their IT security challenges. Often my work has involved driving a change of focus — from trying to prevent attacks, to looking at how to protect their core data assets.
Today, we are seeing security spending as high as ever, but the number of breaches continues to go up. It’s not hard to understand why — as technology becomes more and more complex, more can also go wrong. The computer landscape used to look like office blocks, each with doors and windows that could be secured. Now it looks more like a small city, complete with complex communications networks and underground tunnels.
This is not something new, to be fair, but the important point is that it is getting more complex all the time. If ever it was possible to create a one hundred percent secure boundary around a business, its computer systems and networks, it certainly is no longer possible.
This is why, when I talk to the businesses we work with, one of the first questions I ask is, “What are you trying to protect?” It’s a straightforward enough question perhaps, but it isn’t very easy to answer. Despite this, working out an answer is one of the most fundamental things an organization can do towards making itself secure.
It makes the topic of security very tangible, very quickly. In breach-oriented thinking, focus is on the devices – mobile phones, email systems, routers, firewalls, virtual machines and so on. With data orientation, however, thinking moves to topics like customer data, IP assets, process information and so on.
While employee records will be a must for everyone, some organizations may actually have very little they want to keep private. In which case, good luck to them. The majority should be able to rank the information they hold, aiming at identifying a small subset that is absolutely confidential and a larger pool of less sensitive information.
Working this out to any extent enables another question to be asked – what happens if the data is revealed, rendered inaccessible or otherwise tampered with? Having the right contingency plans in place could enable an organization to keep its reputation, or even remain in business, following a security breach.
Breaches will continue to happen – to expect otherwise would be unrealistic. But as their scale and complexity grows, focusing on them first would take up all an organization’s IT security bandwidth. A better starting point is to know what you are trying to protect.
If you could only have a plan in place to protect at least your most important data assets, you will have a much more solid foundation to build on than a significant proportion of the organizations I see.
To learn more, visit securethebreach.com.
You are the Vice President of Operations for a large multinational corporation and are about to launch a line of voice-operated smart TVs. It’s Monday, 9:00am and you receive a call from Damon, the Chief Privacy Officer.
“Hello Kyra! I am calling in regards to the new line of TVs we’re preparing to launch. As you may know, the voice activation feature “listens” to what customers are saying, and the info is then transmitted back to us as well as a third party that converts speech to text for us. Although our intent is to capture commands and queries to help us make improvements, and the data is only collected when the voice recognition feature is activated, if people’s spoken words include PII then that info is also captured. We need to ensure that the info is transmitted in a secure manner. Could you please put together a compliance guide to ensure the user data is protected? Let’s start with a set of principles, which will set us on the right path to prepare for compliance audits across the world.”
You hang up and get to work. Thirty minutes later you have scribbled a list on the back of a manila envelope, which looks something like this:
- Collect customer data fairly and for one purpose only: Have a legitimate reason for processing the customers’ audio files; give the customer a choice to opt out and no fishing expeditions.
- Opt-in: Ship TVs with voice recognition switched off allowing customer to turn it on if interested, and make it easy to turn off once activated.
- Collect relevant data: only collect what’s needed to improve the quality of the product. Don’t keep data on the “off-chance” that it will be useful in future.
- Collect accurate data: test the quality of the audio files received to ensure the data remains relevant – leads to the right decisions.
- Purge data policy: don’t store the data longer than necessary, or sell the data.
- Process data in compliance with regional privacy legislations: examine privacy laws in the countries where we plan to launch the smart TVs.
- Secure the data: encrypt customer data in transit and at rest with a trusted security solution.
- Repatriate data according to regional rules: ensure customers’ audio data from Region A can be sent to the repository at head office in Region B.
- Appoint a data custodian as a trusted third party who will independently verify the data, implement and enforce policies, and provide only the relevant data required for product improvement.
Done! You review your list and realize the scope and severity of the project. “I hope a lot of these policies and processes have already been implemented – I had better formalize this in an email and get the ball rolling before I forget and throw this envelope in the mail.”
Now that there are more security protocols available and companies can maintain their compliance posture, many customers are either actively moving to or have already committed to doing business in the cloud. Reasons for this transition range from operational efficiency and cost management to the overall need to keep up with the changing technological landscape and use cases.
One of SafeNet’s newest customers—a global leader in mapping and location based services—migrated to the cloud for just those reasons. Originally a hosted data center offering, the Company moved to the cloud to capture location content such as road networks, buildings, parks and traffic patterns. They resell map data to Global Positioning System (GPS) equipment manufacturers and online mapping providers. Challenges to moving to the cloud included the costly, resource heavy requirement for ongoing maintenance, and the constant need to keep abreast of changes in underlying technology.
After attempting to create a key management solution internally for over a year, the Company turned to SafeNet’s Virtual KeySecure with SafeNet’s ProtectApp to provide location-based services for public and private cloud solutions. Reasons for abandoning their own development efforts included the need to reduce costs, complexity and time-to-market, as well as a limited functionality scope. By making their map datasets available via cloud with SafeNet, the Company is now benefiting from:
- Improved scalability to meet surges in demand or overcome system outages by clustering Virtual KeySecure instances in different regions.
- Ensuring appropriate levels of data privacy based on where their location-based services are being accessed.
- Leveraging extensive logging to provide necessary alerting and reporting demanded by their customers via Service Level Agreements.
Through Virtual KeySecure, the company is now addressing the critical requirements of personally identifiable information (PII) in the cloud, and ensuring the protection of data with strong encryption and key management best practices—all while keeping current with compliance requirements.
With the additional benefit of scalability through Virtual KeySecure together with the Connector family of products (ProtectApp, ProtectDB, ProtectFile and Tokenization Manager), as their key management and encryption needs grow, so will their solution.
Paul Ardoin, February 23, 2015, 12:15 pm EDT
ProtectV and Virtual KeySecure Now Available in the IBM SoftLayer Cloud
Last week, we published a blogpost that discussed the importance of owning your encryption keys—and your data—when you move your sensitive data to the cloud. The IBM SoftLayer cloud platform has high levels of performance, integration, automation and global availability, which make it an unmistakably attractive offering in this space.
This week, SafeNet is announcing the ability to encrypt sensitive workloads in the IBM SoftLayer cloud platform and own and manage your keys–so you can not only securely migrate data to the IBM cloud, but also prove that you own and control your data from inception to deletion.
Two products will be available on IBM Cloud Marketplace in the coming weeks: SafeNet ProtectV encrypts entire virtual machine instances and attached storage volumes, while Virtual KeySecure provides centralized enterprise key management for solutions like ProtectV-secured instances AND third-party encryption solutions such as IBM XIV storage, IBM N Series, and dozens of other devices and services.
We’re making this announcement at the IBM InterConnect 2015 conference in Las Vegas, February 22-26, 2015. If you’re planning on attending, make sure to stop by Booth #923. SafeNet will be discussing the dozens of integrations we have with IBM products, including the new IBM Cloud Marketplace offerings:
- Learn how you can secure data AND meet compliance mandates with customer-owned encryption keys in the IBM cloud.
- View demos of SafeNet Virtual KeySecure and ProtectV—two products that provide IBM SoftLayer customers with complete control of their data and satisfy compliance—because you can prove key ownership.
- Discover how encryption affects cloud data security in our Own and Manage Your Encryption Keys White Paper.
- Learn how to further refine your cloud security scenario with products featured in our ebook: SafeNet Security Enhancements for IBM Solutions.
- Enter to win the Parrot AR Drone 2.0 we’ll be raffling off on the last day of the show.
Put SafeNet #923 at the top of your list of booths to visit and we’ll see you in Las Vegas—and look for our products on IBM Cloud Marketplace in the coming weeks!
Paul Ardoin, February 19, 2015, 02:15 pm EDT
If your data lives in the cloud, you already know the cost and uptime advantages that come with using a reputable cloud provider to manage the infrastructure. But what about the security of that data? Who is responsible for keeping it safe in the cloud? The truth is that the sole entity responsible for the security of the data is YOU—from the moment you take possession of it to the moment it’s deleted. No exceptions.
Ownership and management of data are two very different things. If the data is stolen—you are responsible. If the data is lost—you are responsible. If the data is manipulated—you are responsible. So, while it’s possible to outsource data encryption and management services in the cloud, you can’t outsource the responsibility for that data. With this level of accountability, YOU have to be the one to secure that sensitive data.
Being able to own your encryption keys and prove that you have complete control of all of your data is crucial to meet the requirements of many compliance standards, including PCI-DSS. Many encryption key solutions available in the cloud are designed so that the keys are owned—and therefore accessible—by the cloud provider. While every reputable cloud provider makes a lot of assurances around the security of these solutions, the bottom line is that if you don’t own your encryption keys, you can’t prove control of your data. And, if you don’t control your data, government agencies can subpoena the cloud provider, which is usually not only required to give that agency access to your data, but also not obligated to let you know about it.
SafeNet is one of the only vendors that allows you—and only you—to own your encryption keys so that you remain the only entity able to access your data. Ownership means that you can prove complete control of your sensitive data. It gives you the right tools to pass audits and the assurance that the cloud provider has no authority to give government agencies a back door into your data.
SafeNet’s new white paper, Own and Manage Your Encryption Keys, outlines how customer-owned encryption keys are the only way to truly safeguard data in cloud environments. As a technology partner of the world’s leading cloud providers, SafeNet has years of experience with encryption and key management in the cloud.
SafeNet will exhibit at cloud and virtualization conferences all over the world in 2015. You can learn more about our customer-owned encryption solutions by visiting the SafeNet booths at these shows and talking to us about our approach to encryption key ownership in the cloud.
It’s not just your data you’re protecting—it’s the data of your prospects, customers, clients, vendors, partners, and everyone you do business with. The power to secure it should reside with no one but you and your customer-owned keys.