Mark YakabuskiApril 23, 2013, 03:15 am EDT
There are several well-known truths about data encryption, according to IDC analyst Christian Christiansen:*
The best way to protect data is to encrypt it.
Data is only as safe as the keys encrypting it.
Storing keys in hardware, such as a hardware security module (HSM) is the recommended best practice.
Hardware appliances lack the agility and flexibility required in virtual and cloud environments.
“Well-known Truths” #1-3 have helped make SafeNet one of the leading HSM providers. However, it is “Truth #4” that is challenging our customers who want to move more of their data and applications into virtual environments, but can’t do it cost effectively with the tools HSM vendors have provided them.
That’s the entire premise of SafeNet’s new Crypto Hypervisor. It takes the attributes and benefits of the hardware appliance and abstracts the HSM to work in a virtual and cloud environment, allowing organizations to securely store and manage encryption keys, in abstracted hardware the same way they manage the rest of their virtual environment.
In essence, what the VMware hypervisor did for servers and desktops, the Crypto Hypervisor does for key vaulting and crypto services. It allows organizations to “spin up” and centrally manage hundreds of virtual HSMs, add partitions for multi-tenancy, and gives users the ability to select the services they need from an online catalog- which can be delivered in minutes.
This evolution of cryptographic hardware allows organizations to offer clear separation of control, creating separation between administrative duties and users operational control. And, of course, it’s all built on the field-proven FIPS certified and Common Criteria validated (in progress) Luna SA hardware security module.
Consolidating and provisioning crypto services has never been easier in private, hybrid or public cloud environments. Watch the demo below to see for yourself how SafeNet is changing the game when it comes to delivering consolidated high-assurance key-vaulting and other crypto services in a virtual world.
* Read the full quote here: http://www.safenet-inc.com/news/2013/safenet-launches-worlds-first-crypto-hypervisor/
SafeNet May 23, 2013, 12:12 pm UTC
On this episode of the TabbFORUM, SafeNet’s David Etue is joined by Adam Honoré, managing director of NASDAQ’s FinQloud, to discuss the challenges and solutions for securing financial data in the cloud. FinQloud began as an internal NASDAQ initiative, and has grown into an on-demand offering based on Amazon Web Services and SafeNet security.
Some of the controls Honoré and Etue recommend are authentication, encryption, key management, and real-time monitoring. In particular, encryption is a popular choice for financial service providers.
“Clouds love encryption,” says David Etue. “When you have a cloud provider like Amazon Web Services or infrastructure-as-a-service…illustrating control of your data can be very challenging from a security or audit perspective. When you wrap that data in encryption and you have strong encryption and good key management. All of a sudden you have the ability to abstract the visibility and control of that data away from the infrastructure itself.”
SafeNet May 22, 2013, 04:50 pm UTC
The frightening reality is that the way the entire world consumes and shares data has dramatically change over the past few years, and companies are still spending 80% of their IT budgets securing the perimeter instead of what it really matters, THE DATA.
This presents SafeNet’s channel partners with an excellent opportunity.
To help you shift your customers understanding of reality, where the end result is a Secure Breach environment, and perimeter breaches have no actual impact on the encrypted data itself, we have put together a set of sales tools for you to use in your sales efforts.
Download your Secure the Breach Channel Ready Sales Kit and change the conversation from Breach Avoidance to Breach Acceptance.
Cheryl Barto ShoultsMay 16, 2013, 03:57 pm UTC
SecurityWeek published a great article today: Preparing for an Attack: 5 Tips for Organizations. Marc Solomon starts out by saying, “Even the most security diligent organizations are realizing that breaches are no longer a question of ‘if’ but a question of ‘when.’” Yep. That’s the concept of “Breach Acceptance” that CSO Tsion Gonen has been preaching for the past year (see his article in Network World). So, now that you’ve accepted that breaches are a “when” and not an “if,” Solomon gives these five tips to make your breach cleanup run a little more smoothly.
1. Adopt a threat-centric approach to security. You need solutions that address the extended network – protecting endpoints, mobile and virtual environments.
2. Automate security as much as possible. Manual processes are inadequate to defend against relentless attacks that often employ automated techniques to accelerate and broaden attacks. For example, SafeNet Authentication Service uses automated setup and maintenance policies, freeing staff to focus on critical tasks. The Crypto Hypervisor automatically tracks encryption keys in virtual environments so your data is never left unprotected.
3. Leverage retrospective security. Look for technologies that address this scenario by continuously monitoring files originally deemed “safe” or “unknown” and enabling you to apply retrospective security if these files are later determined to be malicious.
4. Hone your incident response processes. The Verizon 2013 Data Breach Investigations Report found that in 22 percent of the incidents investigated it took months to contain the breach. Orgs should have an Incident Response Team trained on what to do, an InfoSec Policy to ensure you’re protecting the right data, an Incident Response Runbook with step-by-step instructions, and quarterly systematic program reviews.
5. Educate users and IT security staff on the latest threats. Educating users and keeping staff trained on the current threat landscape can go a long way toward preventing these malicious attacks that often rely on relatively simple methods.
SafeNet May 9, 2013, 08:05 am UTC
Alvand Solutions provides Enterprise Security, FinanceCenter, Application Development, and Project Management Services. To ensure their clients are equipped to combat the latest cybersecurity threats, Alvand Solutions recommends encryption solutions like SafeNet hardware security modules (HSMs).
“Data breaches are happening to globally recognized entities, and obviously it’s a key concern for the financial services industry,” says David Jones, VP of Alvand Solutions. “Encryption is fairly standard. People know how it works, but in terms of effectively implementing and securing it, that’s where SafeNet solutions come to the floor.”
Learn more about SafeNet’s solutions for the financial services industry at http://www2.safenet-inc.com/email/2013/dp/financial-services/index.html.
Panel: Virtual World with Virtual Risks. Can it be Cloudy and Clearly Secure?Cloud, Crypto, Secure the Breach
SafeNet May 6, 2013, 05:05 am UTC
May 15 2013 11am ET/ 4pm UK – Register Now
“What customers want is choice in application deployment models whether it is a dedicated virtual cluster, mixed trust cluster, private cloud, public/dedicated cloud or public/shared cloud. But they want these options with the assurance that their data is always under their control.”
“We need to deliver, or our customers need to deliver, access to internal services, through a variety of devices- laptops which are not enrolled, tablets, smartphones, etc., and we require a flexible solution.”
“We used to put in hardware applications, but now customers want a platform they can run on VMware, or from the cloud. And in that scenario, they don’t want stovepipes. They want to be able to take the appliance and manage it everywhere.”
As well as Jason Hart and Leonor Martins of SafeNet. Register now for this expert panel, and better understand a way to manage risk, maintain compliance, accelerate and protect business from evolving security threats.
SafeNet December 26, 2012, 10:46 am UTC
In 2012, we saw an explosion of interest in cloud security, and high demand for… well… anything other than whitepapers. You want all the important info in 3 min or less? With cool graphics and visual aids? Done. Here are the top 5 videos from 2012.
Charles GoldbergJanuary 9, 2013, 10:58 am UTC
I just finished reviewing The Global State of Information Security® Survey 2013 which is a worldwide study by PwC, CIO magazine, and CSO magazine. I like this report because it is comprehensive: 9,300 CXOs from 128 countries, with less than half from North America. Also, this report is unique because it surveys folks very serious about security, with 42% of respondents seeing their organization as a “front-runner” in terms of information security strategy and execution. It is a good read.
It is a 32 page report (download the PDF), so it is hard to pick only a few highlights, but here are a few that struck me.
Dispersed Data Changing Security Rules
I think the report articulated the core of the current security challenges well, “The heart of the matter for many businesses, security has become a game that is almost impossible to win. The rules have changed, and opponents−old and new−are armed with expert technology skills, and the risks are greater than ever.”
I mentioned that 42% identified themselves as front-runners in security – however, this survey determined that only 8% ranked as true security leaders. I’m not sure which scares me more – the companies whose security teams know that they are not security leaders and don’t change, or the 34% that are delusional. Actually – I’m sure – it is the delusional ones that terrify me more! The report show 56% of respondents admitting to collecting more personal information then they need while becoming less confident that they know how to protect it. The bright side to this fact? The first step in solving a problem is admitting that you have one! It is getting tougher to build perimeters around data that is agile in virtual environments and in the cloud. This contributes to why only 31% have accurate inventory of locations or jurisdictions where data is stored. I guess European companies are surprised when the US takes their data under the US Patriot Act because they didn’t even know fell into US jurisdiction! If your data isn’t encrypted government agencies can easily ask for your data from a cloud provider without even letting the corporation know.
Incidents & Breaches Up from 2011
The number of respondents reporting 50 or more incidents hit 13%, up slightly from last year and far above the levels reported in earlier surveys. About one-third of respondents say their organization experienced no incidents, while one in seven say they do not know. The good news is that financial loss is down. However, in another report, 61% of customer respondents stated they would stop using a company’s services after finding out about a breach – it is easy to understand why companies are not performing a thorough appraisal of the factors that might contribute to such losses.
Don’t Ask, Don’t Tell
The report continues to say that investigations and forensics were included by just over one-third of respondents, and roughly the same percentage looked at audit and consulting services and legal defense services. It appears many companies are following “a don’t ask, don’t tell policy” post a breach because of the fear they would have to share what they learned about losses publically. After a detected breach and loss they go right to the lawyers because they know the consequences can do tremendous damage to their business.
What’s SafeNet Doing About It?
At SafeNet we are finding many new customers embracing one of the oldest ways in securing their data: using encryption. Our customers are protecting their data across physical, virtual and cloud datacenters with modern and innovative techniques giving them an opportunity to securely create value for their business. This enables them the resilience of knowing that when their perimeter is breached their important data can’t be compromised because it is encrypted, these customers experience what is called a Secure Breach. These customers are highly-aware security leaders!
Adversary ROI Comes to Atlanta: Josh Corman and David Etue Present at the GFIRST National ConferenceCloud, Crypto, Events
David EtueAugust 17, 2012, 02:15 pm UTC
Josh Corman and I will be speaking at the 8th Annual GFIRST National Conference in Atlanta on Tuesday, August 21 at 1 PM (in the Marquis Ballroom C) on adversary-centric security models. Attendees will learn why organizations must look not from their own company’s perspective, but from the adversary’s, to best model threats and security investment.
The GFIRST presentation is an updated version of the presentation we gave earlier this year at RSA incorporating feedback we received and additional research we’ve incorporated.
We hope you can join us at GFIRST, but if you are unable to you can still view the TED-like version at RSA Conference Online.
Landis+Gyr and SafeNet Sign Agreement to Enhance Smart Grid Security for Utility Companies and ConsumersCorporate News
Jennifer LewisOctober 20, 2010, 02:54 pm UTC
Landis+Gyr and SafeNet announced on October 19, 2010 they have signed a reseller agreement to integrate SafeNet’s Luna Hardware Security Module (HSM) into Landis+Gyr’s Gridstream™ end-to-end security architecture, creating a highly secure environment to exchange and store utilities’ sensitive cryptographic keys in a trusted hardware device.
As part of its multi-tiered security strategy, Landis+Gyr is implementing SafeNet HSMs to protect the cryptographic keys used to secure data exchange between smart meters and the head-end system in the Gridstream RF network. The Luna HSM complies with the highest security standards, such as Federal Information Processing Standard (FIPS) 140-2 and Common Criteria EAL 4+, and provides utilities with a validated and tamper-resistant hardware solution that supports overall smart grid security.
View the entire press release here: Landis+Gyr and SafeNet Sign Agreement to Enhance Smart Grid Security for Utility Companies and Consumers
Microsoft has PhoneFactor…What’s Your Multi-Factor Authentication Offering?Authentication, multi-factor authentication
Andrew YoungOctober 17, 2012, 01:21 pm UTC
Google’s been offering its 2-Step verification for years, and earlier this month Microsoft acquired PhoneFactor to provide multi-factor authentication for web-based services like OWA, SharePoint, Azure, and Office 365. That’s a great value-add for anyone using Microsoft services, and an example for other service providers that strong authentication is not just a nice thing to offer, but something customers are demanding in the move to cloud computing.
So how can you add strong authentication to your service offering? There are essentially three options:
- Buy it. Purchase a company that does authentication in the cloud and have their engineers work it into your service offering.
- Build it. From the ground up, engineer a strong authentication solution that exactly meets your needs.
- Subscribe to it. Find a company that offers ready-made, white label authentication-as-a-service that you can rebrand and sell to your customers on-demand, on your terms.
Let’s be honest, unless you’re Microsoft, you don’t have extra cash available to buy a company outright. And unless you’re Google where the world’s most talented engineers are clamoring to work for you, dedicating staff to build, and then manage, security isn’t your best use of time and resources. So that leaves the rest of the world looking at option three: subscribe to authentication-as-a-service and let a security expert do it for you.
So what should you look for in an AaaS solution?
Multi-tier, multi-tenant. You get a single platform, unlimited customers, and automated customer on-boarding.
White label. You brand it so your customers don’t know the difference.
Customizable. You and your customers pick the features, tokens, and reporting you want.
Integrated. Works with an organization’s existing technology, like LDAP,Radius and SAML so your customers can get up and running quickly, radically automate all of the boring and repetitive task normally associated with authentication system, without changing their existing user account management processes.
SafeNet Authentication Service (SAS) is exactly what you’re looking for. SAS fully automated, customizable cloud platform can substantially reduce authentication-related operational costs through the elimination of manual tasks associated with the provisioning, administration, billing, and management of users and tokens. Cryptocard has been a leading provider of cloud-based authentication for years, and now SafeNet has combined their expertise & vision with our market-leading authentication technology and rolled it into a next-gen authentication solution built for service providers. Learn more at http://www2.safenet-inc.com/sas/index.html. Want to try before you buy? Click here for a free 30-day trial to see if SAS is right for you & your customers.