What kind of person are you? Are you a risk taker or someone who likes to play it safe? Is your organization one that takes risks, or is it risk averse?
Let’s take digital transformation, for example. Most organizations want to embrace it, but feel constricted due to data privacy concerns and compliance regulations. However, companies that can’t or won’t find a path forward run the risk (pun intended!) of getting left behind.
Due to an ever-expanding attack surface, business-led digital transformation will always pose a risk to data – but that risk can absolutely be mitigated. This concept was a main topic of conversation during last week’s Cloud Expo Asia show in Hong Kong.
Reaching into the cloud
Last week’s conference served as a forum for IT professionals from enterprises and public sectors to learn about effective cloud investment and strategy, while developing and executing technology projects. Attracting over 10,000 visitors and more than 250 expert speakers and vendors, this premium APAC industry event is one Thales eSecurity is proud to sponsor.
The Cloud Expo Asia buzz
The most pressing concerns facing organizations in APAC seemed to lead back to compliance. Questions we received at our booth included the following:
How can my business meet regional and global compliance regulations?
What should be classified as “personal data”?
What are the best strategies for protecting data in the cloud?
From Top: Thales eSecurity managing principal consultant Ian Christofis presents his session to a packed audience. From L to R: A hive of activity around the Thales eSecurity booth.
Privacy and security are often confused. They are separate but overlapping concepts
The GDPR has international reach and stands to have a profound effect on organizations all over the world
Many types of data will be considered personal data. If in doubt, treat all data as personal data
Privacy, security, and compliance
For good or bad, compliance is seen by many as an easy benchmark standard for securing data, even when moving into the cloud. However, privacy is a very complex area, with many jurisdictions having privacy-related laws guided by various multinational frameworks and guidance. Privacy regulations continue to proliferate as threats to privacy increase.
So what are organizations doing about it? Well, most are being smart and protecting their data using one of the most powerful tools available: encryption.
In light of the challenges presented by regulations, none more so than the GDPR, and the ongoing transition to multi-cloud infrastructures, it is more essential than ever businesses choose data protection technologies that help them meet compliance requirements while still scaling with their business needs.
Is your business #FitforCompliance or #FitforGDPR? For more information about the GDPR, please visit our dedicated landing page. You can also find insights at our main compliance page.
John Grimm, Thales eSecurity’s Senior Director of IoT Security Strategy, recently spoke with CyberWire’s Dave Bittner about key findings and trends from Thales eSecurity’s 2018 Global Encryption Trends Study. The CyberWire is a free, community-driven cybersecurity news service based in Baltimore.
A sampling of John’s comments:
The lynchpin of any good encryption system is how well you protect the key.
One of the findings in the survey that’s been very consistent over the years is that one of the top threats to data is mistakes. Mistakes that human beings make even in the course of trying to do things right.
The full podcast may be found here, with John’s interview kicking off at the 7:09 mark.
Have questions? Leave a comment below, or with John @johnrgrimm
In 2016, I provided predictions in an article entitled The (Immediate) Future of Ransomware. I indicated ransomware was going to grow and find other vectors for infection outside of simply malware links. Those predictions came true on a massive scale, in particular with the WannaCry and Petya outbreaks, driven by system vulnerability vectors just as I foresaw.
In this article, let’s consider the overarching drivers behind ransomware and then consider it philosophically from an enterprise perspective. Our philosophy around any given cybersecurity threat is going to necessarily inform our view of that threat and how to effectively address it.
Another question to address: Is there a lesson we can learn from ransomware that we can carry over into other threat areas we perhaps aren’t seeing clearly and effectively addressing?
Ransomware Is About Numbers
From an overarching perspective, ransomware is about numbers, both in terms of its motivation as well as its continued success from a high-level.
Instead of ransomware going away, ransomware has actually increased by 750% since 2016. Why? The continued success and increase is for reasons I stipulated in my last article as well as a few more I’ll point out here.
Companies Are Still Paying
For one, companies are still paying ransoms. TrustLook stipulates that 38% of ransomware victims pay the ransom, resulting in hundreds of millions of dollars in payouts in 2016 and 2017. Why companies are paying (and whether they should) would warrant an entire article of its own, but suffice it to state simply here: companies are still paying.
Ransomware Is Now Easy
Secondly, because initiating ransomware has gotten easier. With ransomware kits and Ransomware-as-a-Service (RWaaS) now available, it’s easy for a technical novice to get involved in advancing ransomware attacks. The purchase of ransomware kits and the use of RWaaS have dramatically increased the rate of attacks and made ransomware writers rich.
The latest approaches no longer sell kits or services for a set price but instead stipulate as much as a 50% cut of any ransomware profits generated by the kit or service.
Easy Money Laundering
Thirdly, because money laundering ransom payments has a new and very significant digital enabler: Bitcoin. As in any criminal scheme where financial gain is the goal, how does one remove risk from the backend of the transaction? No criminal wants the source of payment to come under jurisdiction and be monitored, traced, seized or closed. While law enforcement is aware and has some inroads into addressing Bitcoin payments, Bitcoin represents a darker side of digital transformation and is by far one of the most significant enablers to the spread of ransomware.
Stopping Ransomware Is About Access Control
Finally, because at base, ransomware enablement is still about access and not necessarily about the initiation vector, be it through malware links or through system vulnerabilities. Simply put, ransomware cannot do its work when access to files is denied to the context in which the ransomware executable attempts to run.
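The point above, that a ransomware binary is stopped by denying file access to the context it runs in, is easiest to see as a default-deny policy keyed on the calling process. The Go program below is an added example and not code from the article or from any Thales product; its policy format, process paths, directory names and the events it evaluates are all constructed for the demonstration. It permits only the named executables to touch a protected directory, denies everything else (reads included, since a file must be read before it can be encrypted), and then counts denied write, rename and delete attempts per process so that a burst of denials from one unknown binary surfaces as an alert.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// AccessEvent is one attempted file operation, as a file-system filter or
// audit log would report it. All sample values in this file are constructed.
type AccessEvent struct {
	User    string
	Process string // path of the executable making the call
	Op      string // "read", "write", "rename" or "delete"
	File    string
}

// Rule permits the listed operations under Dir only for the named executables.
// The policy model is hypothetical; it is not any vendor's real policy format.
type Rule struct {
	Dir       string
	Processes []string
	Ops       []string
}

// Decision records whether an event was permitted and why.
type Decision struct {
	Allowed bool
	Reason  string
}

func contains(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

// Evaluate is default-deny: an operation is allowed only if some rule covers the
// file's directory, the calling process and the operation. An unknown process
// cannot even read, because ransomware must read a file before encrypting it.
func Evaluate(rules []Rule, e AccessEvent) Decision {
	file := path.Clean(e.File)
	for _, r := range rules {
		if !strings.HasPrefix(file, path.Clean(r.Dir)+"/") {
			continue
		}
		if contains(r.Processes, e.Process) && contains(r.Ops, e.Op) {
			return Decision{true, "permitted by rule for " + r.Dir}
		}
	}
	return Decision{false, "no rule permits " + e.Process + " to " + e.Op + " " + file}
}

// SuspectRansomware names processes whose denied write/rename/delete attempts
// reach the threshold. The policy already blocked them; a burst of denials from
// one executable is the signal a defender wants raised as an alert.
func SuspectRansomware(rules []Rule, events []AccessEvent, threshold int) []string {
	denied := map[string]int{}
	for _, e := range events {
		if d := Evaluate(rules, e); !d.Allowed && e.Op != "read" {
			denied[e.Process]++
		}
	}
	var out []string
	for proc, n := range denied {
		if n >= threshold {
			out = append(out, proc)
		}
	}
	sort.Strings(out)
	return out
}

// SamplePolicy and SampleEvents are constructed inputs for the demonstration.
var SamplePolicy = []Rule{
	{Dir: "/srv/finance", Processes: []string{"/usr/sbin/mysqld"}, Ops: []string{"read", "write"}},
	{Dir: "/srv/finance", Processes: []string{"/usr/bin/backup-agent"}, Ops: []string{"read"}},
}

var SampleEvents = []AccessEvent{
	{"mysql", "/usr/sbin/mysqld", "write", "/srv/finance/ledger.ibd"},
	{"backup", "/usr/bin/backup-agent", "read", "/srv/finance/ledger.ibd"},
	{"alice", "/tmp/locker.exe", "read", "/srv/finance/q1.xlsx"},
	{"alice", "/tmp/locker.exe", "write", "/srv/finance/q1.xlsx"},
	{"alice", "/tmp/locker.exe", "rename", "/srv/finance/q1.xlsx"},
	{"alice", "/tmp/locker.exe", "write", "/srv/finance/q2.xlsx"},
	{"alice", "/tmp/locker.exe", "rename", "/srv/finance/q2.xlsx"},
}

func main() {
	for _, e := range SampleEvents {
		d := Evaluate(SamplePolicy, e)
		fmt.Printf("%-7s %-22s %-6s %-24s allowed=%-5v %s\n", e.User, e.Process, e.Op, e.File, d.Allowed, d.Reason)
	}
	fmt.Println("suspected ransomware:", SuspectRansomware(SamplePolicy, SampleEvents, 3))
}
```

Two design points matter in practice. The rule set binds the permission to the process, not to the user: alice is a legitimate user, but the executable running under her account is not on the list, so every call it makes is refused and the encrypted copy can never be written back. Matching on a path string, as this example does, is only a stand-in; a production control identifies the executable by a verified signature or hash, since a path is trivially spoofed.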
The Hidden Philosophical Lesson of Ransomware
The hidden philosophical lesson of ransomware is perhaps the most intriguing and yet the least considered and exercised. What one big lesson can we learn from ransomware?
That encryption is highly effective.
Why do criminals understand the effectiveness of encryption and we as enterprise strategists do not? Why is encryption consistently seen near the bottom or not listed at all on enterprise cybersecurity strategies?
I recently provided consultative advice for a major billion-dollar VAR regarding a very popular hyperconverged reference architecture. During our time, I was informed that of the 25 to 30 Fortune 500 companies who spec’d out that technology, not a single company asked for that infrastructure to be delivered with encryption capabilities. Not one.
Criminals See & Leverage the Value of Encryption – Why Can’t We?
Criminals readily see the advantage and hold our own data for ransom through encryption, and yet we as technologists can’t see the value of encryption coupled with strong access controls as an effective deterrent strategy against exfiltration of company information.
True, encryption alone doesn’t stop ransomware as I stated in 2016. But ransomware isn’t the only significant enterprise threat and billions continue to be spent on strategies proven to be ineffective in stemming the tide of data exfiltrated from companies every year.
Approximately 7.8 billion records were breached in 2017, resulting in untold billions of dollars in losses based on the per-record value of those records, forensics, cleanup, fines and brand damage. In many cases, encryption was admittedly not used and would have been effective in protecting company and consumer data.
The Philosophical Conclusion
Ransomware is driven by big numbers and isn’t going away. In my next article, I’ll provide a generic, high-level enterprise roadmap for defending from and responding to ransomware.
In the meantime, philosophically speaking, enterprises should be taking a page from the bad guys. This entails allowing themselves to see the incredible power and value of encryption with strong access controls as a standard enterprise strategy for protecting data in the face of other significant threats.
Feel free to leave a comment below, or engage with me @ChrisEOlive. For more on Thales eSecurity’s data protection solutions, please visit our product page.
For many years, Thales eSecurity has been a solution provider member of the Cloud Security Alliance (CSA), a global organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
Among CSA’s many activities is its research arm, which includes 34 working groups, one of which is called Security Guidance. Recently this working group published CSA Security Guidance v4.0. Security Guidance v4.0 is divided up into “security domains”, which I will refer to from here as “chapters” when I’m talking about the structure of the document. While I really dig Security Guidance v4.0 (at least, the chapters that I understand), our systems engineers have found that actual secure cloud migration tends to cut across many domains of cloud security.
I’m getting on a plane next week to give a couple of speaking sessions on secure cloud migration, during which I’m leveraging our latest white paper, titled “Best Practices for Secure Cloud Migration” (subtitled “Leveraging Cloud Security Alliance Security Guidance”). See, they go together. The white paper goes through some actual data protection use cases. For each, it identifies each chapter of Security Guidance v4.0 that provides unbiased detail on the topic. In my most humble opinion, we formatted the paper to best serve interested readers: In plain black-and-white the reader finds use cases, relevant domains, and additional best-practice recommendations. In blue and white on the same page, various Thales eSecurity products involved with the use cases and relevant security domains are discussed. The reader can focus their attention on the black-and-white objective content, and read or ignore the blue-and-white. It’s a solid white paper, and I strongly urge you to check it out.
Making payments even in a face-to-face environment is no longer just about using magnetic stripe or chip cards where the security, operating rules, and risks have been long established and well understood by all the actors involved. We are now living in a world where fundamentally different types of devices are being used to initiate payment transactions. This has created new complexities to manage and new forms of risk to mitigate.
In one of his recent blogs, ‘Establishing trust in mobile payments’, my colleague Jose Diaz discussed how the challenge is no longer just about encrypting data on the device itself, but rather more to do with establishing trust in the device through a ‘digital birth certificate’. This places stringent requirements on full lifecycle management of the ‘content’ that the issuer or service provider shares with the device and inherently involves multiple security considerations encompassing items such as keys, certificates, PINs/passcodes and other critical data. This represents a different proposition to securing cards, where strict controls are in place from the start (comprehensively specified by EMVCo for chip-based credit and debit cards) and where the consumer has little or no opportunity to directly or indirectly influence the overall system security. With non-card devices the consumer is effectively in control and significantly more effort is necessary to ‘trust’ what in reality starts off as an ‘untrusted consumer device’ before the ‘digital birth certificate’ is in place.
A platform approach, not a mix of piecemeal products
For issuers, the emergence of multiple alternative payment instruments is an opportunity rather than a threat. Offering customers the ability to utilize their credit or debit accounts to initiate payments on things as wide-ranging as smartphones, wearables, IoT and connected devices is an important aspect of both customer retention and long-term profitability for issuers. A common theme among the wide range of issuing solution or service providers, many of whom are part of the Thales ASAP technology partner program, is the ability to provide support for a broad (and constantly evolving) range of credential-issuing functionality for cards, mobile, IoT and emerging applications. This is what we would call a platform approach rather than a mix of disparate point products with no common lifecycle management.
Leading industry bodies who understand the need for high levels of security have published papers offering solution advice for non-card based payments. Two recent examples you may wish to review are ‘Implementation Considerations for Contactless Payment-Enabled Wearables’ from the Secure Technology Alliance or STA (formerly known as the Smart Card Alliance) and ‘MULTOS the platform for innovation’, which summarizes the areas where MULTOS chip technology can be used to secure a wide range of payment devices. Thales eSecurity is an active participant in STA activities and is also a member of the MULTOS Consortium and has supplied its HSM devices as part of MULTOS-based issuance solutions for many years.
Hardened security to deliver trust
Building on its proven pedigree in the chip card issuance world since the introduction of EMV technology in the 1990s, Thales eSecurity has worked closely with both issuers and service providers to ensure that its HSMs deliver the specific functionality they need, especially:
Easy integration through high level REST APIs
Robust, scalable and high performance proven in service provider environments
Cryptographic isolation for multiple applications and tenants
Certification to the relevant global and regional industry security standards
The payShield 9000 HSM from Thales eSecurity continues to evolve and provides the secure foundation that issuers and service providers need to support the issuance of a wide range of payment instruments today and for those yet to emerge in the future. Please click here to download a copy of our brochure ‘Payment Credential Issuing using payShield HSMs’ to see how we offer issuers a one-stop-shop, simpler integration and lower operating costs for all their issuance needs.
In past years’ Thales Data Threat Reports, we asked IT security pros around the world separate questions about whom they believed were the riskiest internal threats and external threats. The results were useful but didn’t allow us to compare which category proved most worrisome.
This year, we restructured the two separate questions into a single one, and that gave us some very interesting results about who worries these IT security professionals the most.
For data, insiders are the top threats
When it comes to their data, IT security pros are more worried about insiders within their organizations than they are about external attackers.
If we look just at those chosen as the most dangerous threat actor, four out of the top five categories selected were insiders. The single most dangerous threat actor category that our survey identified was privileged users (23%), followed by cyber-criminals (16%). This pattern recurs when we look at the top three selections: privileged users are at the top, followed by cyber-criminals and other insiders with potential access to sensitive data.
What’s most interesting about this? If you are an IT security pro, many of us (and all the vendors) make a yearly pilgrimage to San Francisco for the RSA trade show. Although there are rival security conferences, this show continues to be the preeminent show for the industry. One would think the conference would at least partially focus on insider threats – but I simply didn’t see this issue emphasized. While there were vendors showcasing privileged user and insider solutions, external threats appeared to claim the lion’s share of attention.
IT security spending patterns: Yet again, protecting data is not the priority
We asked separate questions about which tools are most effective at protecting data, and where our respondents’ organizations are increasing their IT security spend. What did we find? Enterprises are consistently spending on the tools that won’t make the biggest difference in protecting data. We even found this year that people knew what worked best at protecting data, but are not prioritizing their IT security spending increases on what works best: data-at-rest security.
So what’s going on?
It seems clear that for most organizations, protecting their data is a secondary priority. No wonder data breach rates around the world are soaring! Here in the U.S., almost half (46%) experienced a data breach in the last year, and the pattern repeats (with some variations) around the world.
Perhaps as regulations such as the GDPR in Europe and PIPA in South Korea start to be heavily enforced, and with substantial penalties, the priorities will change – but that will be a tale for another year.
Here’s what Garrett Bekker from 451 research (the author of the 2018 Thales Data Threat Report) had to say:
“Clearly, doing what we have been doing for decades is no longer working.”
“Re-prioritize your IT security tool set – With increasingly porous networks, and expanding use of external resources (SaaS, PaaS and IaaS most especially) traditional end point and network security are no longer sufficient. Look for data security tool sets that offer services-based deployments, platforms and automation that reduce usage and deployment complexity and staffing requirements.”
For more on the results, find our global, regional and vertical Thales Data Threat Reports here.
The rapid adoption of hyperconverged infrastructure (HCI) solutions has been due to their proven ability to deliver scalability, agility, reduced costs, storage redundancy, and reliability. As the market leader in this space, the Nutanix Enterprise Cloud is at the forefront of integrating virtualization, storage, networking, and security in a turnkey HCI solution.
Perhaps one of the elements that is garnering the most attention right now is data security. Data breaches can have devastating consequences. From loss of customer confidence and damaged reputation, to compliance mandates, to significant remediation and liability costs, compromised data can, and has, put enterprises out of business. Maintaining the security of critical data is therefore of utmost importance.
Nutanix certainly knows this and is working hard with Thales eSecurity to protect the confidentiality and integrity of sensitive data through strong encryption of user and application data to a level of FIPS 140-2 Level 2 compliance. When used with Vormetric Data Security Manager (DSM), the combined solution provides FIPS-certified, robust key management and role separation to meet the most stringent security requirements.
The integration of Nutanix encryption and Vormetric Key Management is made possible by the Key Management Interoperability Protocol (KMIP), which helps simplify and extend centralized key management throughout the enterprise.
Vormetric Key Management provides advanced capabilities such as separation of duties, securing keys separate from data, backups, redundancy and resiliency, and standards compliance, as well as key management for disparate data environments. These are all elements of “best practice” key management.
Perhaps the biggest benefit of the KMIP standard is that Thales not only centrally manages keys from the Nutanix environment, but also from third party applications and devices. Plus, additional advanced Thales data security capabilities can be deployed from the same DSM platform, such as Vormetric Transparent Encryption (VTE). VTE combined with Nutanix would add capabilities such as protection against logical threats, granular encryption, and rich audit information, helping to foster consistent policies, aid in compliance, ease management, and reduce training and maintenance costs.
If you’re attending the Nutanix .NEXT Conference in New Orleans May 8-10, come by the Thales eSecurity booth number S24. Additionally, you can hear Thales eSecurity’s Arun Gowda and Nutanix’s Eric Hammersley jointly discuss the solution at the Solutions Expo Theater on May 10th at 12:30 pm.
For more information on the Thales eSecurity and Nutanix solution, please click here.
For more information on Vormetric Data Security Manager and integrated key management, please click here.
Large-scale data breaches have led an increasing number of companies to embrace comprehensive encryption strategies to protect their assets. According to our 2018 Global Encryption Trends Study, 43% of respondents report that their organization has an encryption strategy they apply across the enterprise, compared with 15% in 2005.
While the accelerated growth of encryption strategies is great news for data security, organizations must bear in mind that with any encryption-based security scheme, securing and managing keys is as important as the encryption itself.
Microsoft SQL and Oracle Database Key Management Challenges
Microsoft SQL Server and Oracle Database solutions provide native transparent data encryption (TDE) that protects the data stored in their customers’ enterprise and cloud-hosted databases. As is intrinsic to any encryption scheme, however, managing the associated keys presents challenges such as separating them from the data they protect and storing them securely.
Encryption key management challenges multiply as organizations use multiple databases for different purposes, each requiring dedicated key management to ensure that keys are properly stored, backed up and secured. With multiple database solutions each requiring their own encryption keys, management becomes more complex and exacerbates the risks of having keys lost or stolen.
Solutions for Transparent Database Encryption
With a dedicated centralized key management solution you can overcome these challenges. Benefits include:
Streamlined operations through centralized key management. Reduce costs and effort associated with managing encryption keys for disparate databases, and free up security teams to work on other priorities.
Stronger security by separating keys from databases. Ensure that keys are properly stored, backed up and secured in a separate location—an industry best practice.
Fulfill compliance mandates. Leverage FIPS-certified hardware and software solutions.
Thales eSecurity offers two solutions to support TDE applications: Vormetric Key Management in concert with the Vormetric Data Security Manager (DSM) and key management using nShield Hardware Security Modules (HSMs). Both offer the opportunity to expand your solutions to a wide set of applications; the option you choose to manage your TDE keys will depend largely on other functions you want to support with your Thales eSecurity solution.
How it Works
Thales key management solutions complement Microsoft SQL TDE by providing secure storage and management of the keys used in Microsoft’s database encryption scheme. Microsoft TDE encrypts the sensitive data in the SQL database using a database encryption key (DEK), and Thales interfaces with Microsoft Extensible Key Management (EKM) to store and manage the DEKs in the Vormetric DSM or nShield HSM.
The Vormetric Key Manager and nShield HSMs complement Oracle Database TDE by centrally storing and managing Oracle Database encryption keys. As a part of the Oracle Advanced Security TDE two-tier key architecture, Oracle Database uses master encryption keys (MEKs) to encrypt the DEKs, which are used to encrypt columns and tablespaces within the databases. Thales key management solutions interface through the Oracle Wallet to protect and manage the MEKs within a secure FIPS-certified boundary.
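The two-tier architecture described in the last two paragraphs (a master key held in the key manager or HSM wraps the DEKs, and only the DEKs touch data) is worth seeing end to end, because it explains why the master key can be rotated without re-encrypting a single table. The Go program below is an added example, not code from the article, from Oracle, Microsoft or Thales; the `KeyManager` type, its methods and the `tablespace:customers` label are hypothetical stand-ins for the Wallet/EKM boundary, and the row it encrypts is constructed. It generates a DEK, seals it under the current master key with the key's label bound as GCM associated data, encrypts a row under the DEK, rotates the master key, rewraps the DEK, and then decrypts the row through the new wrapping.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyManager models the key manager / HSM boundary of the two-tier design: master
// keys are created and kept here and never leave. Hypothetical model, not a vendor API.
type KeyManager struct {
	masters map[int][]byte // master key version -> 256-bit AES key
	current int            // version used for new wraps
}

// WrappedDEK is what the database persists: the DEK sealed under one master key version.
type WrappedDEK struct{ MasterVersion int; Blob []byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable randomness is not recoverable here
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a bad key size
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// Seal returns nonce||ciphertext under AES-256-GCM; aad is authenticated, not encrypted.
func Seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// Open reverses Seal; a wrong key, wrong aad or tampered blob fails authentication.
func Open(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// RotateMaster installs a new master key version; old versions stay available so
// DEKs wrapped under them remain usable until they are rewrapped.
func (km *KeyManager) RotateMaster() {
	km.current++
	km.masters[km.current] = randomBytes(32)
}

// WrapNewDEK generates a DEK, returning it in the clear for immediate use and
// sealed under the current master key for the database to persist.
func (km *KeyManager) WrapNewDEK(label string) ([]byte, WrappedDEK) {
	dek := randomBytes(32)
	return dek, WrappedDEK{km.current, Seal(km.masters[km.current], dek, []byte(label))}
}

// Unwrap returns the plaintext DEK to the database; the master key itself never leaves.
func (km *KeyManager) Unwrap(w WrappedDEK, label string) ([]byte, error) {
	if mk, ok := km.masters[w.MasterVersion]; ok {
		return Open(mk, w.Blob, []byte(label))
	}
	return nil, fmt.Errorf("unknown master key version %d", w.MasterVersion)
}

// Rewrap moves a DEK under the current master key without touching the data it
// protects, which is what makes master key rotation cheap in this design.
func (km *KeyManager) Rewrap(w WrappedDEK, label string) (WrappedDEK, error) {
	dek, err := km.Unwrap(w, label)
	if err != nil {
		return WrappedDEK{}, err
	}
	return WrappedDEK{km.current, Seal(km.masters[km.current], dek, []byte(label))}, nil
}

// Lifecycle encrypts a constructed row under a DEK, rotates the master key, rewraps
// the DEK and decrypts the row through the new wrapping; it returns the recovered
// row and the master key version the DEK now depends on.
func Lifecycle(row string) (string, int, error) {
	const label = "tablespace:customers"
	km := &KeyManager{masters: map[int][]byte{}}
	km.RotateMaster()
	dek, w := km.WrapNewDEK(label)
	ct := Seal(dek, []byte(row), nil) // the data path never sees the master key
	km.RotateMaster()
	w, err := km.Rewrap(w, label)
	if err != nil {
		return "", 0, err
	}
	if dek, err = km.Unwrap(w, label); err != nil { // as the database does at startup
		return "", 0, err
	}
	pt, err := Open(dek, ct, nil)
	return string(pt), w.MasterVersion, err
}
```

Calling `Lifecycle` with any row returns it unchanged together with master key version 2, which is the property the text is selling: the tablespace ciphertext written under version 1 is still readable after rotation because only the small wrapped DEK had to be re-sealed. Binding the label as associated data means a wrapped key copied from one tablespace record into another fails to unwrap, and the key manager refuses any version it does not hold, so a backup of the database alone is useless without the key manager's material.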
Choosing the Right Solution
Picking the right solution for TDE applications will depend largely on other functions an organization wishes to support with their Thales eSecurity solution. For example, if a business plans to support a public key infrastructure (PKI) or needs an environment for secure code execution, they will likely choose an nShield solution. Alternatively, if the organization needs more comprehensive encryption such as database or files, Vormetric products will be the more suitable choice.
To learn more about how Thales eSecurity can help you simplify and strengthen key management for your enterprise database encryption solution download our TDE Key Management solution brief.
The cyber community is often reminded of past events such as large-scale data breaches and vicious cyberattacks that caused mass destruction and caught the public’s attention. This month marks the one-year anniversary of the WannaCry ransomware attack that seized operating systems across the globe and caused businesses up to $4 billion in damages.
The WannaCry virus was able to spread thanks to the Shadow Brokers’ NSA data dump which exposed EternalBlue to the public and was quickly abused by cybercriminals. Using the same exploit, hackers released the NotPetya attack in June 2017 which infected computers in over 100 countries worldwide.
The devastation caused by these two aggressive ransomware attacks continues to plague businesses. In fact, Boeing was recently reported to be hit with WannaCry, demonstrating how the ransomware is still very much alive and well.
The anniversaries remind us that organizations need to be better equipped to face the next WannaCry or NotPetya. To do so, businesses have to know where their data lives, why it’s important, and who should be allowed to have access to it. Without this knowledge, it’s difficult for organizations to put the proper security and access control measures in place to ensure sensitive data doesn’t end up in the wrong hands.
According to our recent Global Encryption Trends Study, 67% of organizations cite data discovery as one of the biggest areas of challenge when deploying encryption. Organizations are storing their data in more places now than ever, and by default, they are creating new attack surfaces.
Additionally, global data regulations and compliance orders are forcing companies to be held accountable for how they manage data privacy. In fact, our report revealed that respondents in the UK, Germany, U.S. and France indicated the highest data discovery challenges, which can be attributed to preparations for GDPR.
When it comes to protecting sensitive data from ransomware, traditional methods such as backing up your data and continually patching systems are always important best practices. However, businesses need to take this one step further by encrypting data and putting the right access controls in place.
By encrypting your data, anything that’s retrieved by hackers is rendered useless to them. Organizations should adopt a strategy of “encrypting everything” to ensure they have the upper-hand in the fight against attacks like WannaCry and NotPetya.
Access controls such as key management are also a crucial component that allow organizations to take control and manage the individuals who are accessing sensitive data. Thales offers a comprehensive suite of data security solutions designed to protect data wherever it lives – across devices, processes, platforms and environments.
Unfortunately, cybercriminals are becoming increasingly sophisticated and these attacks will continue to occur unless organizations deploy preventative solutions. As an industry, we need to unite to prevent cybercriminals from gaining access to our data and fundamentally disrupting the way we do business.
By now, few businesses can be unaware that there is just one month to go until the EU General Data Protection Regulation, better known as the GDPR, comes into force.
Perhaps the most comprehensive data privacy standard ever introduced, the GDPR will impact every individual and business that is either a ‘controller’ or ‘processor’ of EU citizens’ personal data. (In)famously bringing with it the potential for fines of up to four percent of an organisation’s annual turnover or 20 million Euro, whichever is greater, the stakes are high for cases of non-compliance.
According to my colleague, Peter Galvin, however, “we have to admit that data breaches are the new reality”. Our recent Global Data Threat Report revealed that two thirds of businesses (67%) have been breached, with over a third (36%) reporting a breach within the past year. Unsurprisingly, such breaches are a key focus of the GDPR, and organisations will be required to report the ‘destruction, loss, alteration, unauthorised disclosure of, or access to’ people’s data within 72 hours of the organisation learning about the breach, or risk coughing up a lot of money.
In one of my previous posts, I wrote about how according to Article 34 of the new regulation, if an organisation is breached but has ‘implemented appropriate technical and organisational protection measures […] such as encryption’, it can avoid the 72-hour breach notification requirement, along with the inevitable administrative costs and reputational damage that will accompany it.
Indeed, Article 32 states that organisations will be compelled to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk […] including the pseudonymisation and encryption of personal data’.
Critical to complying with the GDPR, encryption was recognised in our report as being the top tool (42%) for meeting new privacy requirements, with around three quarters of respondents citing data-at-rest (77%) and data-in-motion (75%) solutions, such as encryption technologies, as being most effective at preventing data breaches. Despite this, however, Garrett Bekker, principal security analyst, information security at 451 Research, comments that “security spending increases that focus on the data itself are at the bottom of IT security spending priorities, leaving customer data, financial information and intellectual property severely at risk.”
The GDPR is almost upon us. Given the huge potential financial and reputational impact that non-compliance could have on a business, it’s crucial that security strategies are brought in line with what’s required.
The clock may be ticking, but we have a wealth of resources with which you can check whether your business is fit for GDPR. Don’t waste any time.