Home » The Art of Data Protection
Mor AhuviaNovember 11, 2015, 10:00 am EST
After a list of Comcast email accounts were offered for sale in an underground store, consisting of customers’ Comcast email addresses and associated passwords, Comcast—one of the largest providers of cable, internet and phone services in the US—forced a password reset on those accounts. Of the 600,000 accounts offered for sale, 200,000 were found by Comcast to be active, leading them to reset the passwords on all the accounts for safe measure. The forced password reset by Comcast ensures that those passwords are rendered useless to fraudsters, while the email addresses themselves could still be leveraged to deliver all forms of spam (from phishing attacks to 419 scams and malware infection points).
Forced password resets generally consist of a central annulment of current passwords, coupled with an email notice to customers to click a link to reset their passwords, or to login in with a temporary password and then immediately create a new one.
Carrier accounts have been coveted by fraudsters for quite some time now, for the free phone and internet services fraudsters can gain through them, as well as a means to an end when performing online banking fraud. Therefore, the question remains, are password resets enough? Will a password reset protect an account against the next phishing attack? Or against the next generic malware campaign? Not to mention the risk arising from an insider leak or a yet undiscovered database breach.
With passwords known to be vulnerable to so many threats, it may be time for service providers to consider an alternative, such as a simple password-less solution. For example, one-time passcodes sent to a user’s phone or email, which can replace static passwords altogether, or pattern-based authentication.
While implementing strong authentication costs mobile carriers and ISPs only a few dollars a month per account, the ROI can save them the aggravation of making the breach headlines, as well as the $179 expended per breached record, the industry cost according to the Ponemon Institute’s 2015 Cost of Data Breach Study.
So instead of logging into the management console, and issuing password resets to their users, perhaps IT and security managers should consider eliminating passwords altogether, and provision their users with simple strong authentication?
To learn about affordable, flexible, cloud-based authentication, download the SafeNet Authentication Service Product Brief.
In the latter scenario, fraudsters have been known to redirect incoming phone calls to a number they control, so that calls made by the bank to verify the legitimacy of a transaction reach them instead of the true account owner.
 SSL stealers work by stealing any word or character sent over HTTPS, including passwords and payment details.
Jennifer HindleNovember 4, 2015, 10:00 am EST
If you’ve found yourself nodding in agreement as you’ve read these posts, good. The threats to your data aren’t going away. In fact, they continue to grow – just like the volume of data that you need to protect. It’s time to move beyond strategy and get to work.
But for those of you responsible for keeping corporate data assets safe, finding the best solution can be a daunting task. You likely have structured and unstructured data to protect at every layer of the technology stack, as well as data flowing across your network and between data centers. And speaking of data centers, you likely need to protect data on premises, as well as across multiple cloud and virtual environments.
You have so many choices to choose from, so where to you get started?
Locate Your Data Across All Environments and Pinpoint a Solution
To get started, consider where your sensitive data can be found across all of your on-premises, cloud, virtual, hybrid, and big data environments:
- Data at Rest – Sensitive data is moving to or through any of the following places: application and web servers, file servers, databases, and storage
- Data in Motion – Sensitive data is flowing across your network and/or between data centers
Then follow our simple, step-by-step guide to map your needs to the appropriate data protection solution.
Protecting Data in Motion
As more sensitive assets traverse networks from site to site and across data centers, on-premises, and in private and public clouds, organizations need to know that their data in motion is secure, especially in multi-tenant, geographically distributed environments. The availability of greater bandwidth allows us to exchange information faster and more frequently, but the huge growth of often sensitive data volumes transmitted across networks presents real risks.
If you have sensitive data in motion, including real-time voice and video streams, as well as metadata that needs protecting, high speed encryption is the best option for you.
Protecting Data at Rest
If you have sensitive data at rest, it will typically reside in either a database or in files, folders, and shares. There are a number of options for applying protection to this data, and each of the solutions should be deployed with an enterprise key manager for centralized key and policy management.
If the data resides in a database, you have two options for protecting it:
- Option 1: Protect select columns in the database
Apply column-level encryption, application-level encryption, or application-level tokenization if you have sensitive data that resides within specific fields of a database, such as credit card numbers, social security numbers, email addresses, etc.
- Option 2: Protect the entire database file
Apply file system-level encryption, transparent data encryption (TDE), or encrypt the entire virtual machine or instance if you have database exports, archives, and backups that contain sensitive information.
If you have sensitive data located in files, folders, or shares in on-premises, you have four options for protecting it:
- Option 1: Protect data at the file-system level
Apply transparent and automated file-system level encryption of server data-at-rest in the distributed enterprise, including Direct Attached Storage (DAS), Storage Area Network (SAN), and Network Attached Storage (NAS) servers using CIFS/NFS file sharing protocols.
- Option 2: Protect data at the application-level
Apply protection at the application-level by encrypting select files and folders before they are stored on the file server.
- Option 3: Protect data at the remote folder-level
Apply protection to NAS folders on shares on remote storage with the granularity necessary to encrypt select, sensitive folders, not entire storage arrays.
- Option 4: Protect the entire virtual machine or instance
If you have large quantities of sensitive data to secure in a public cloud environment as a result of migrating your data center to the cloud, running a hybrid cloud environment, or bursting to a public cloud when applications running in a private cloud or data center need additional compute power, apply protection to the entire virtual machine or instance.
Ready to get started? For more information and to learn more about Gemalto’s portfolio of SafeNet data protection solutions, download the new guidebook, Protect Your Sensitive Data: A Step-by-Step Guide to Finding the Right SafeNet Data Protection Solution for Your Organization.
Andrew GertzOctober 29, 2015, 05:53 pm EST
The domino effect of technology has always fascinated me – especially when it comes to what prompts the evolution of cyber security solutions and how quick enterprises embrace security best practices. For example, it’s not news that the increasing capabilities of mobile devices and the networks supporting them means employees are able to get more done from wherever they might be. As a result, how much or little an enterprise embraces mobility with its policies will have a direct impact on productivity. But the increase in mobile endpoints creates greater security risk, and thus cyber security measures must likewise quickly evolve to keep up.
The findings from the 2015 Authentication and Identity Management Index, a recent global survey of 900 IT decision makers by Gemalto, highlights just how critical it is for enterprises to balance embracing new methods to remain competitive and empower employees and avoiding potentially disastrous security risks. The adoption of authentication seems to be trending upward, which is great as – according to the respondents – this is something enterprises need to do in order to truly remain secure while giving employees remote access.
Here are some of the results from the new study:
Digital Identity Management and Mobility Challenges
Many of the questions on the Authentication and Identity Management Index revealed how daunting a task it is for IT to try to scale authentication and identity management capabilities to cover the workforce’s growing mobility demands.
- On average, respondents’ organizations are managing three sets of credentials per user
- Each user in respondents’ organizations has access to, on average, two mobile end points
- Almost all (97%) respondents recognize the importance of mobility in their organization’s work practices
- However, 95% of respondents agree that there are obstacles to increased user mobility within their organization, with security concerns (46%) and IT management overhead (46%) being the most common obstacles
- The vast majority (92%) of respondents say that their organization restricts users from accessing corporate resources from mobile devices to some extent, with 37% saying that this is completely restricted
- Software tokens (90%) and hardware tokens (90%) are anticipated as being the most commonly used token types for mobility in two years’ time. On average, they are anticipated to be used by 46% and 44% of users respectively in the next two years.
Two-Factor Authenticaton Today
While IT is certainly facing an uphill battle, one of the more positive takeaways from the Authentication and Identity Management Index is how prevalent two-factor authentication (2FA) is among the respondents’ organizations already, the areas in which it is being applied, and the expectations for 2FA adoption in the future.
- Currently 38% of users in respondents’ organizations use two-factor authentication, this is expected to increase to over half (51%) in two years
- On average, 35% of users are currently required to use two-factor authentication to access corporate resources from mobile devices within respondents’ organizations. This number is expected to increase to just under half (49%) in two years’ time, on average
- Over nine in ten (92%) respondents are using two-factor authentication within their organization for at least one application.
- The applications more commonly protected by two-factor authentication within respondents’ organizations are VPNs (86%), web portals (84%) and cloud applications (83%).
- The vast majority (93%) of respondents expect that their organization will expand the use of two-factor authentication to protect applications in the future, with around half (48%) expecting that this will be done within the next year.
Factors Driving Authentication Trends
As mentioned above, it’s expected that in two years 51% of users in the respondents’ organizations will utilize two-factor authentication. Compliance with security regulations, breach preparedness, and trying to reduce the occurrence of shadow IT were among the reasons IT decision makers cited as potentially leading enterprises to increase two-factor authentication and to adopt a central 2FA management platform.
- Over nine in ten (94%) respondents are concerned that their organization will be breached or hacked as a result of credential theft or compromise
- The most common event that would increase stakeholder buy-in of an authentication solution that supports increased user mobility within respondents’ organizations would be a high profile breach involving cloud-hosted resources (53%).
- The vast majority (95%) of respondents think that two-factor authentication can help their organization comply with data protection regulations and pass security audits
- When sourcing a two-factor authentication solution, 94% of respondents’ organizations consider software authentication and tokenless authentication methods for end users, and the cost per user as factors
- Nine in ten (90%) respondents say that managing two-factor authentication centrally can help reduce shadow IT in their organization
Check out our new infographic to learn more about secure mobile access challenges highlighted by the 2015 Authentication and Identity Management Index. You can also visit our report page for all the questions and findings from the new survey. I hope you enjoy reviewing the findings, and I encourage you to share your opinion on the authentication trends you’re seeing within your organization with us via @SafeNetInc.
The motto “Never have so many people known so little about so much,” became a hallmark of James Burke’s brilliant BBC TV Series “Connections” back in the 80’s and 90’s.
To paraphrase Burke in terms of the IoT revolution, never will have so many people entrust so much to companies about whose security practices they know so little.
With October serving as Cyber Security Awareness Month, this blog is dedicated to this week’s theme, which touches on IoT, now and in the future.
So what is the Internet of Things anyway?
As defined in Gemalto’s IoT Guidebook, the Internet of Things (IoT) describes an era in which uniquely identifiable devices are able to communicate within the existing Internet infrastructure—providing greater insight and control over elements in our increasingly connected lives. With an estimated 50 billion connected devices estimated to be deployed across the globe by 2020, a pervasive reality of the internet of things is quickly approaching.
This list provides enlightening examples of top IoT sensor-based applications across verticals.
While IoT is quickly presenting vast lifestyle, health and business opportunities, it is also opening a veritable Pandora’s box of yet-to-be addressed security risks. And when it comes to the world of IoT, concerns like privacy and integrity make way for an even great risk—that of personal safety. Security researchers have already demonstrated their ability to hack a car and remotely manipulate its braking system, as well as the eerie prospect of overtaking intravenous devices and altering dosages of medicine delivered to patients.
So what issues do we have to contend with to make IoT safe? Below are just a few.
Establishing security crash tests
In the same way that we rely on standardized crash tests to verify the safety of a car, international standards bodies will have to establish universal security ‘crash tests’ that can reliably establish that a given product is secure and safe to use. A short glance at the breach headlines reflects a reality of security standards that vary widely across verticals and countries, with some sectors lagging a decade or more behind in terms of the countermeasures they use. And with manufacturers producing their IoT wares in one country, selling it in a different country and operating their backend systems in yet another, internationally-recognized standards will become crucial.
Linking smart devices to identities
Browsers are called ‘user agents’ as they perform actions on our behalf. Similarly, connected devices also act on our behalf, yet they may do so independently. We trust connected devices to act on our behalf when giving these devices our credentials (a fingerprint or PIN or digital certificate), or when authorizing them to act on our behalf autonomously. How can we ensure that our trust is not abused by a malicious attacker or malware that has taken over the device. In other words, how will trust be built into the IoT framework to keep us physically safe while using everyday devices such as cars, healthcare devices and doors?
Aggregating control of multiple smart devices
With estimates on the number of things that can be connected in a home reaching the several hundreds, we probably won’t want an app to control each of those things. Instead, we might opt to use service providers that will aggregate all those connected things for us under a single console, to make them manageable once more. And not only will connected homes require management capabilities. Rather any venue that large numbers connected devices will need these to aggregate control of connected devices, including monitoring for anomalies and the issuing of software updates. Harking back to the point above, who will verify that our service provider has secured their systems so that the inhabitants of the connected home stay safe? So that smoke detectors, gates, and thermostats aren’t vulnerable to remote hacking and manipulation?
Monetizing the data
Data is worth money, and with our lives increasingly connected, she who owns the data will own the cash cow. For example, who will own the data harvested by our smart fridge? Will the individual product manufacturers own it? The fridge manufacturer? Or perhaps our internet service provider which enables the traffic of data to flow from the fridge to our grocery store’s replenishment gateway? With IoT net profit estimated by Cisco at $14 Trillion by 2022, will the owner of the IoT data also be accountable for the security of our data and the safety of our person?
To learn more about IOT Security, view our webinar Security and The Internet of Things.
Kathleen SpaethOctober 20, 2015, 10:00 am EST
This is the fourth in a series of blog posts about how to address data security in the AWS cloud environment with the SafeNet product line from Gemalto. Topics that will be addressed include: how to store data in the AWS cloud with customer-owned encryption, roots of trust, the importance of secure key management, encryption and pre-boot authentication for EC2 and EBS, and customer-owned object encryption for Amazon S3.
Enter your user name and password.
Did you know that this seemingly simple request could be the downfall of your organization? Despite the countless choices of alpha-numeric-character combinations, many employees continue to use the same login for most of their accounts or create a password so complex that they have to write it down in a notebook or store it in a file on their desktop or mobile device. Let’s face it, with so many online accounts, passwords are difficult not only to remember but also to rotate. Raise your hand if you are guilty of using the same static password over and over again. People do it more often than you think without even realizing that reusing passwords makes the network you’re using more vulnerable to attack. Considering all of these variables, it’s no wonder that passwords are of great concern to organizations who worry about how easy it is for human error to compromise a seemingly secure login. Of these things, enterprises are sure: Hackers are fast. Hackers are smart. And, hackers love when we make these kinds of mistakes.
Two Forms of ID, Please
Businesses can protect access to company data with strong authentication. Also known as “multi-factor authentication” (MFA), strong authentication uses two or more different forms of identity verification—usually something you know (password or PIN) in combination with something you have (smart card or token). It’s an access strategy that provides users with secure access to enterprise data anytime, anywhere.
Your AWS Management Console and “Getting Carded” in the Cloud
For enterprises that use the AWS Management Console, multi-factor (MFA) authentication provides that additional layer of authentication that protects it from the vulnerability of password mishaps that put login information into the wrong hands. By incorporating MFA, AWS Management Console users not only have additional protection when signing-on to the Console or accessing AWS APIs, but also the reassurance that they are not putting their organization at risk with their password choice.
Convenient and portable, SafeNet IDProve OTP devices are user-friendly, time- or event-based hardware appliances that offer multi-factor (MFA), unconnected protection for your AWS Management Console. Available as a token or card, these hand-held devices offer secure, remote access with zero footprint since no associated software is required to use them. To gain admittance to your AWS Management Console, users simply enter their username with the numeric code generated by the OTP device. The authentication server validates the code and access is granted. Plus, SafeNet IDProve one-time password devices can be enabled for all individual AWS Identity and Access Management users on your account.
SafeNet Encryption Solutions for the AWS Cloud Environment
Gemalto offers a range of solutions for the AWS cloud environment—from virtual security appliances to tamper-proof hardware appliances—that allow organizations to demonstrate compliance with the strictest information regulations, such as PCI DSS, HIPAA, CJIS, BASEL II, SOX (Sarbanes-Oxley), and GLBA.
OTPs: Here today, gone tomorrow
Whether hardware- or software-based, one-time password (OTPs) solutions generate a fresh password within seconds of each activation. While the steps required to obtain an OTP may vary, the passwords generated are usually time- or event–based and can be easily incorporated as part of a MFA solution option for securing access your company data.
For more information on taking the next step of securing your AWS environment, download our Secure the AWS Cloud with SafeNet Solutions eBook.
Mor Ahuvia November 11, 2015, 10:00 am UTC
Jennifer Hindle November 4, 2015, 10:00 am UTC
Andrew Gertz October 29, 2015, 05:53 pm UTC
Kathleen Spaeth October 20, 2015, 10:00 am UTC
Cheryl Barto Shoults March 19, 2012, 10:05 am UTC
Cheryl Barto Shoults January 24, 2012, 08:30 am UTC
Andrew Young November 20, 2013, 11:41 am UTC
Mor Ahuvia November 11, 2015, 10:00 am UTC
Motty Alon June 6, 2013, 01:21 pm UTC