
Loss of Keys and the Truth No One Told You

Data theft and regulatory compliance requirements have driven a dramatic increase in the use of encryption keys in companies. That growth has also increased the incidence of key loss caused by poor management of these assets.

It is common, for example, for a single company to use several dozen different encryption tools. These tools are often incompatible with one another, and together they can account for thousands of encryption keys.

How to prevent the loss of keys?

In an ideal world, cryptographic key management covers the administration, protection, storage, and backup of encryption keys.

Every key must be securely stored, protected, and retrievable. In practice, reality is different, and you probably already know how the story ends when keys are lost.

The importance of storing and backing up encryption keys

Key management means protecting encryption keys from both loss and unauthorized access.

Several processes are needed to control and manage keys: rotating keys regularly, controlling how keys are assigned, and deciding who receives them.

Experience shows that the loss of keys has a major impact on critical business processes. It causes loss of access to systems and data, and can render a system unusable unless it is wiped and completely reinstalled.

It is therefore essential for any company to have more than one person responsible for storing and backing up encryption keys.

This leads us to several good practices established in the market, for example defining the roles of the responsible parties and writing an encryption key management policy that is accessible to everyone who needs it.

However, a big challenge remains: the lack of unified tools to reduce management overhead.

A key management system bought from one vendor often cannot manage another vendor's keys, because each implements its own management mechanism.

You can probably recall cases of inadequate key storage, including lost keys and their impact on the company.

Lost keys expose the data of people and companies

The loss or exposure of encryption keys is never a good experience. Imagine, for example, a developer accidentally committing keys to a public repository.

Unfortunately, this scenario is common: it can happen with any type of key and in any company.

Someone might accidentally include keys in source code or in any file or data set they submit.

Whether in the cloud or in their own data centers, companies need a management strategy that prevents the loss and undue exposure of keys.

As we have seen, keys must be stored securely, with access limited to those who need them for their work. For this reason, some companies use data-loss protection applications.

These inspect network traffic and outbound content for data leaks, and detect the accidental or malicious disclosure of confidential or private information, including key material.
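A concrete version of the check such tools perform, added here as an example and not a description of EVAL's products or of any particular DLP vendor: scan a file or commit before it leaves the organization for PEM private-key headers, hard-coded secret assignments and long high-entropy tokens. Apart from the standardized PEM header, the regular expressions and the entropy threshold are assumptions for this example, and the scanned snippet is a constructed sample, not a real leak.

```python
import re
from collections import Counter
from math import log2
from typing import List, Tuple

# Markers of key material that must never leave the organization in a commit,
# e-mail or file upload. The PEM header is the standard encoding written by
# OpenSSL and OpenSSH; the other two patterns are assumptions for this example.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
ASSIGNED_SECRET = re.compile(
    r"""(?i)\b(?:secret|api[_-]?key|passwd|password|private[_-]?key)\b"""
    r"""\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{16,})""")
LONG_TOKEN = re.compile(r"\b[A-Za-z0-9+/=_\-]{32,}\b")


def shannon_entropy(s: str) -> float:
    """Bits per character. Random base64 key material scores close to 5;
    words, hostnames and placeholder strings score well below 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values())


def scan_text(text: str, entropy_threshold: float = 4.0) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, evidence) for each suspicious line.

    Each line yields at most one finding; the most specific signature wins.
    Hex-encoded keys (16 symbols, max 4 bits/char) can slip under the default
    threshold, so a policy that must catch them needs a hex-specific pattern.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_PRIVATE_KEY.search(line):
            findings.append((lineno, "pem_private_key", line.strip()))
            continue
        match = ASSIGNED_SECRET.search(line)
        if match:
            findings.append((lineno, "hardcoded_secret", match.group(0)))
            continue
        for token in LONG_TOKEN.findall(line):
            if shannon_entropy(token) >= entropy_threshold:
                findings.append((lineno, "high_entropy_token", token))
                break
    return findings


# Constructed sample of a configuration file about to be committed (not a real
# leak; the values are made up for this example).
SAMPLE_SUBMISSION = """\
# deploy/config.py (constructed sample, not a real commit)
import os
DB_HOST = "db.internal.example"
api_key = "Qm9yZWRPZlRoaXNLZXlMZWFrUGxlYXN1cmUyMDI0"
SESSION_TOKEN = "x7Kp2QmZ9aLt4RvB8nWc1YdH6jFs3gUe"
PLACEHOLDER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind, evidence in scan_text(SAMPLE_SUBMISSION):
        print(f"line {lineno}: {kind}: {evidence}")
```

Run on the sample, the scanner flags the `api_key` assignment, the random-looking `SESSION_TOKEN` value and the PEM header, while the hostname and the repeated-character placeholder pass. In a pre-receive hook or DLP gateway the same function would run over every outbound file or diff and block the submission on any finding.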

Poor key management can lead not only to compromised servers: if the key used to encrypt data is lost, the data encrypted with that key is lost with it.

Therefore, there is no substitute for encryption key management.

Common situations that lead to the loss of cryptographic keys

Because keys are a relatively complex subject for many employees, you might imagine that key loss is rare. However, very common situations in daily routines lead to key-loss scenarios:

  • The key holder forgets the password that protects the key;
  • The employee responsible for the keys does not remember where they stored the key;
  • The manager has a huge number of keys to manage;
  • The person responsible for the keys leaves the organization, and whoever stays inherits a big management problem.
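The last two situations above have a standard mitigation that the article does not name: split the backup of a key among several custodians so that any quorum of them, but no single person, can restore it. The following added example (not EVAL's code; the technique chosen for the illustration is Shamir's secret sharing) splits a constructed 32-byte key-encryption key into 5 shares of which any 3 reconstruct it, and stores a hash fingerprint alongside the shares so that a reconstruction from too few or corrupted shares is detected rather than silently producing garbage. Hardware security modules implement the same idea as M-of-N operator card quorums.

```python
import hashlib
import secrets
from typing import List, Tuple

# Field for the polynomial arithmetic. 2^521 - 1 is a Mersenne prime, large
# enough that a 32-byte (256-bit) key fits in a single field element.
PRIME = 2**521 - 1

Share = Tuple[int, int]  # (x, f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x modulo PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, n: int, k: int) -> Tuple[List[Share], str]:
    """Split key into n shares such that any k of them reconstruct it.

    Also returns a SHA-256 fingerprint of the key. Storing it with the shares
    reveals nothing useful about the key but lets recovery detect a wrong result.
    """
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Random polynomial of degree k-1 whose constant term is the secret;
    # k-1 shares reveal nothing because the remaining coefficient is uniform.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]
    return shares, hashlib.sha256(key).hexdigest()


def recover_key(shares: List[Share], key_len: int, fingerprint: str) -> bytes:
    """Lagrange-interpolate f(0) from the shares and verify the fingerprint."""
    value = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        value = (value + yi * num * pow(den, -1, PRIME)) % PRIME
    if value.bit_length() > 8 * key_len:
        raise ValueError("reconstruction failed: too few or corrupted shares")
    key = value.to_bytes(key_len, "big")
    if hashlib.sha256(key).hexdigest() != fingerprint:
        raise ValueError("reconstruction failed: fingerprint mismatch")
    return key


def can_recover(shares: List[Share], key_len: int, fingerprint: str) -> bool:
    """True if the given share set restores a key matching the fingerprint."""
    try:
        recover_key(shares, key_len, fingerprint)
        return True
    except ValueError:
        return False


# Constructed 32-byte key-encryption key for the demonstration (not a real key).
DEMO_KEK = bytes.fromhex("00112233445566778899aabbccddeeff"
                         "ffeeddccbbaa99887766554433221100")


def custody_demo() -> bool:
    """Five custodians hold one share each; any three restore the KEK, two cannot."""
    shares, fp = split_key(DEMO_KEK, n=5, k=3)
    # Custodians 1, 3 and 5 are available (2 and 4 have left the company).
    quorum = [shares[0], shares[2], shares[4]]
    return (recover_key(quorum, 32, fp) == DEMO_KEK
            and not can_recover(shares[:2], 32, fp))


if __name__ == "__main__":
    print("quorum recovery works:", custody_demo())
```

Each share is handed to a different custodian (or stored in a different sealed envelope or vault), so a forgotten password or a departure removes one share, not the key. Rotating the shares after a custodian leaves is a matter of re-running `split_key` on the same key and destroying the old share set.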

The importance of cryptographic keys is obvious to information security professionals. But the complexity of managing them can be almost as daunting as the encryption algorithms themselves.


It all comes down to how important it is for companies to control the keys

First of all, it is important to see what a digital signature is and how it works.

A digital signature is the electronic equivalent of a handwritten signature. It is used to verify the authenticity and integrity of a document and that the signer is who they claim to be. Its value depends entirely on the signer's private key: if that key is lost, no new signatures can be produced, and if it is exposed, anyone holding it can forge signatures in the signer's name.

This shows the importance of cryptographic keys in production processes, and the impact that losing them has on the routines of companies of every segment and size.

The main cost of key loss is risk: lost or exposed keys make companies a target for sophisticated cyber attacks, leading to financial losses as well as damage to the organization's image.

One of the most recommended practices for reducing cyber-attack incidents is to conduct audits, because they identify whether keys are being used correctly.

This process consists of auditing the use of public key cryptography to identify vulnerable keys and devices, from hardware tokens to TLS certificates.

The mitigation strategies available from vendors can then be reviewed and applied according to risk-based priorities.
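What such an audit checks can be written down as policy in code. The following added example (not from the original article and not EVAL's tooling) runs a set of checks over a constructed key and certificate inventory: key sizes below widely accepted minimums, certificates signed with MD5 or SHA-1, expired or soon-to-expire certificates, overdue rotation, and the custody failures listed earlier (a single custodian, no backup). The inventory records and the policy thresholds are assumptions for this example and should be adapted to your own standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class KeyRecord:
    """One entry of the key and certificate inventory (constructed schema)."""
    name: str
    kind: str                 # "tls-cert", "signing-key", "data-key", "token"
    algorithm: str            # "RSA", "EC" or "AES"
    bits: int
    last_rotated: date
    custodians: int           # people who can locate and unlock the backup
    backed_up: bool
    not_after: Optional[date] = None        # certificates only
    signature_hash: Optional[str] = None    # certificates only


# Policy thresholds (assumed for this example). RSA below 2048 bits and
# MD5/SHA-1 certificate signatures are deprecated industry-wide; 398 days is
# the current maximum lifetime browsers accept for public TLS certificates.
MIN_BITS = {"RSA": 2048, "EC": 256, "AES": 128}
WEAK_SIGNATURE_HASHES = {"md5", "sha1"}
MAX_KEY_AGE_DAYS = {"tls-cert": 398, "signing-key": 365, "data-key": 365, "token": 90}
EXPIRY_WARNING_DAYS = 30


def audit(records: List[KeyRecord], today: date) -> List[Tuple[str, str]]:
    """Return (key name, finding) pairs for every policy violation found."""
    findings = []
    for r in records:
        if r.bits < MIN_BITS.get(r.algorithm, 0):
            findings.append((r.name, f"weak key: {r.algorithm}-{r.bits}"))
        if r.signature_hash and r.signature_hash.lower() in WEAK_SIGNATURE_HASHES:
            findings.append((r.name, f"weak signature hash: {r.signature_hash}"))
        if r.not_after is not None:
            if r.not_after < today:
                findings.append((r.name, "certificate expired"))
            elif r.not_after - today <= timedelta(days=EXPIRY_WARNING_DAYS):
                findings.append((r.name, "certificate expires within 30 days"))
        if (today - r.last_rotated).days > MAX_KEY_AGE_DAYS.get(r.kind, 365):
            findings.append((r.name, "rotation overdue"))
        # The custody checks are the ones that turn a key-loss scenario into an
        # audit finding before anyone actually loses the key.
        if r.custodians < 2:
            findings.append((r.name, "single custodian"))
        if not r.backed_up:
            findings.append((r.name, "no backup"))
    return findings


# Constructed inventory for the demonstration (not real systems or keys).
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    KeyRecord("www-tls", "tls-cert", "RSA", 2048, date(2024, 1, 15), 2, True,
              not_after=date(2024, 6, 20), signature_hash="sha256"),
    KeyRecord("legacy-vpn", "tls-cert", "RSA", 1024, date(2021, 3, 1), 1, True,
              not_after=date(2023, 12, 31), signature_hash="sha1"),
    KeyRecord("payroll-db-kek", "data-key", "AES", 256, date(2023, 9, 1), 1, False),
    KeyRecord("code-signing", "signing-key", "EC", 256, date(2023, 11, 1), 3, True),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY, TODAY):
        print(f"{name}: {finding}")
```

On the sample inventory the audit reports eight findings: the public web certificate is about to expire, the legacy VPN certificate is weak, expired, overdue and held by one person, and the payroll key encryption key has a single custodian and no backup; the code-signing key passes. Feeding the same function an export from a real inventory or KMS turns the audit from a manual review into a repeatable check.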

The solution to all problems is…

There is no shortage of guidance on how to manage digital identities and how to identify the best option for your company; it all depends on the current environment and the available resources.

While a stricter management policy may be the safest option, it can also carry significant costs. Companies should therefore focus on continuous improvement, which helps manage risk at a cost compatible with their reality.

Companies must critically evaluate how they protect their systems, and consider the root causes of the security incidents in their environments as part of a risk assessment.

Security incidents involving compromised accounts are common, for example, and poor management of the credentials and encryption keys behind those accounts is a frequent root cause.

As systems become more secure and companies take effective measures to manage their processes, initiatives such as authentication and key management become increasingly important.

It is important to ensure that your company uses appropriate authentication and authorization processes. This requires cryptographic keys that are managed according to risk.

This is the first step in reducing the risk of incidents and ensuring the confidentiality of customer and employee data.

At the end of our article, answer the following question: What is your company’s current encryption key management strategy?

Subscribe to our Newsletter and stay up to date with EVAL news and technologies. Keep following our content on the blog and also on our Linkedin profile.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


Data Leaks – 6 Simple Steps to Avoid

Data leaks have been prominent on major websites and in the news recently. We saw, for example, a major scandal involving Facebook. What struck us most about that leak was how vulnerable we all are, and how damaging such incidents can be both in our lives and for companies, even those with security policies.

Unfortunately, this risk will always exist, but a few simple actions reduce the chances of a leak and minimize the impact on customers when one does occur.

Awareness is the first step to reducing data leaks

First, let’s talk about awareness. Many companies still approach data security with hesitation, especially when it calls for specialized investment. This is a strategic mistake.

Reality shows that investing in information security is essential, especially at a time when customers are increasingly connected and carrying out financial transactions online.

Before any action or investment is made, awareness is the first step to guaranteeing the security of corporate and customer data.

A data leak is an incident that exposes confidential or protected information in an unauthorized way. Leaks cause financial and reputational damage to companies and individuals.

In addition, data theft can involve personal information, personal identification, trade secrets or intellectual property. The most common types of information in a data leak are the following:

  • Credit card numbers;
  • Personal identifiers such as CPF and ID;
  • Corporate information;
  • Customer lists;
  • Manufacturing processes;
  • Software source code.

Cyber attacks are often associated with advanced threats aimed at industrial espionage, business interruption and data theft.

How to avoid data breaches and theft

No single security product or control can prevent data breaches. This may sound strange to those of us who work in technology; after all, what is the point of all the security-specific hardware and software assets?

The best ways to prevent data breaches involve good practices and well-known security basics, for example:

  • Continuous vulnerability assessment and penetration testing;
  • Application of protections, including security processes and policies;
  • Use of strong passwords;
  • Use of dedicated hardware (such as HSMs) for secure key storage, key management and data protection;
  • Consistent application of software patches to all systems.

Although these steps help prevent intrusions, information security specialists such as EVAL also encourage the use of data encryption, digital certificates and strong authentication as part of the set of best practices.

Learn about the other 5 steps to prevent data leaks

The increase in the use of cloud applications and data storage has led to growing concern about data leakage and theft.

For this reason, the steps below assume cloud computing as the main IT infrastructure companies use to host the products, services and tools involved in their production processes.

1. Develop a data leak response plan

It may seem strange to recommend a response plan before security policies and processes exist, but it will make sense. In fact, there is no single right order in which to draw up these documents, not least because they are written by several hands and are largely independent of one another.

A data breach response plan consists of a set of actions designed to reduce the impact of unauthorized access to data and to mitigate the damage caused if a breach occurs.

Developing the plan involves stages which, when well defined, serve as the basis for your security policies and processes. To give you an idea, drawing up the plan brings in activities such as:

  • Business impact analysis;
  • Disaster recovery methods;
  • Identification of your organization’s confidential and critical data;
  • Defining actions for protection based on the severity of the impact of an attack;
  • Risk assessment of your IT environment and identification of vulnerable areas;
  • Analysis of current legislation on data breaches;
  • And other critical points.

We’ve mentioned a few points, but a data breach response plan addresses other areas that also serve as the basis for building security policies.

As we are considering a cloud environment, the strategy to be built into the data breach response plan must involve the cloud infrastructure provider.

It is also worth noting that many cloud resources already have features that help in building and executing these plans.

 
2. Have an information security policy that covers data protection

A security policy is generally considered a “living document”, which means that it is never finished, but is continually updated as technology requirements and company strategies change.

A company’s security policy should include a description of how the company protects its assets and data.

This document also defines how security procedures will be executed, how the policy’s effectiveness will be evaluated, and how the necessary corrections will be made.

Part of the security policy is a statement of responsibility signed by employees, committing them to information security and to not leaking data.

Like the data breach response plan, the security policy is a broad document covering many points beyond those described in this article.

3. Make sure you have trained staff

As you may know, training is crucial to preventing data leaks. Employee training addresses security on several levels:

  • It teaches employees about situations that could lead to data leaks, such as social engineering tactics;
  • It ensures that actions are carried out in accordance with security policies and plans, including encrypting data where they require it;
  • It ensures that the processes involved are as dynamic and automated as possible in order to comply with legislation;
  • It ensures that employees are aware of the importance of information security, reducing the risk of attacks.

4. Adopt effective data protection tools

In the cloud architectures companies adopt, tools that help guarantee information security are mandatory. Beyond hardware and software assets, the following capabilities are needed:

  • Tools for monitoring and controlling access to information;
  • Tools to protect data in motion (TLS-protected channels);
  • Tools to protect data at rest (in databases and files);
  • Tools to protect data in use (in memory);
  • Data loss prevention (DLP) tools.

In short, these tools are essential when the aim is to block confidential information from leaving the organization, and they are key to reducing the risk of data leakage in cloud-hosted infrastructure.

5. Test your plan and policies, addressing all areas considered to be at risk

The other steps are all important, but the value of testing and validating security policies and plans makes this last step one of the most critical.

The company must carry out in-depth audits to ensure that all procedures work efficiently and without room for error. For many organizations, the testing stage is one of the most challenging parts, yet the information security team must always pursue it in order to prevent data leaks.

It is admittedly difficult to implement all the procedures described, mainly because the company’s operations are running at full steam.

If not planned correctly, testing can have a major impact on the organization’s routine. However, this validation is fundamental to protecting the company from data leaks and cannot be neglected.

The steps described in this article will certainly help your company prevent security incidents. Despite their apparent complexity, it is entirely possible to adopt them and succeed in preventing data leaks.

Subscribe to our newsletter and stay up to date with EVAL’s news and technologies. Keep following our content on the blog and on our Linkedin profile to stay informed.
