
Hardware Security Module, Choose the Best

Hardware security module (HSM) usage grew at a record rate from 41% in 2018 to 47% in 2019, indicating the need for a hardened, tamper-resistant environment with higher levels of trust, integrity and control for data and applications, said the Ponemon Institute’s 2019 Global Encryption Trends Study report.

Research shows that the use of HSM is no longer limited to traditional use cases such as public key infrastructure (PKI), databases, application and network encryption (TLS/SSL).

Demand for reliable encryption for new digital initiatives drove significant HSM growth in 2018 for code signing (up 13%), big data encryption (up 12%), IoT security (up 10%) and document signing (up 8%).

In addition, 53% of respondents reported using on-premises HSMs to secure access to public cloud applications.

Strengthen your company’s IT security with encryption

The use of encryption is a clear indicator of a strong security posture: companies that deploy encryption tend to be more aware of threats to sensitive and confidential information and make a greater investment in IT security.

The adoption of encryption is also being driven by the need to protect sensitive information from internal and external threats, as well as from accidental disclosure, in order to meet compliance requirements such as the General Data Protection Regulation (GDPR).

But data sprawl, concerns about data discovery and policy enforcement, along with a lack of cybersecurity skills make this a challenging environment.

This is where an HSM becomes part of your security strategy.

Do you need a hardware security module to protect your information?

A hardware security module (HSM) is a physical device that provides extra security for sensitive data. It generates and holds the cryptographic keys used for critical functions such as encryption, decryption and authentication on behalf of applications, identities and databases.

To give an idea, a company can use a hardware security module to protect trade secrets of significant value by ensuring that only authorized individuals can access the HSM to complete an encryption key transaction. In other words, access is properly controlled and, where necessary, requires multiple authentication factors, which is a security recommendation widely adopted today.

In addition, the entire life cycle of the encryption key, from creation through management and storage to revocation, takes place in the HSM.

Digital signatures can also be managed through an HSM and all access transactions are logged to create an audit trail. In this way, a hardware security module can help companies move sensitive information and processes from paper documentation to a digital format.

Multiple HSMs can be used together to provide public key management without slowing down applications.

But how do you know which hardware security module (HSM) is best for your business needs?

In general, a hardware security module provides cryptographic functionality. There are free downloadable crypto components on the market that do pretty much anything an HSM would do. So why make the investment in an HSM?

Basically, there are three main reasons: increased security, cryptographic performance, and an industry-standard certification and validation program.

If selected carefully and implemented correctly, an HSM provides a considerable increase in security for businesses. It does this by providing an operational environment in which keys are generated, used and stored on what should be a tamper-resistant hardware device.

It is this ability to securely create, store and use cryptographic keys that is the greatest benefit of HSM.

There are many attributes that vendors emphasize to try to make their product appear superior to others. The following attributes are genuinely desirable from a security perspective:

  • Key generation and secure key storage;
  • A tool to support authentication by verifying digital signatures;
  • A tool for securely encrypting sensitive data for storage in a relatively unsecured location such as a database;
  • A tool to verify the integrity of data stored in a database;
  • A secure key generator for smartcard production.

But companies today are under “relentless pressure” to protect their business-critical information and applications and to meet regulatory compliance, and offering only the functionality considered basic does not make a traditional HSM the best choice.

What makes the Thales Luna HSM solution the best hardware security module option for your company’s needs?

Thales Hardware Security Modules provide the highest level of security by always storing cryptographic keys in hardware.

In addition, they provide a secure encryption foundation, as the keys never leave the FIPS-validated, intrusion-resistant, tamper-proof device.

Since all cryptographic operations take place inside the HSM, strong access controls prevent unauthorized users from accessing confidential cryptographic material.

In addition, Thales also implements operations that make deploying secure HSMs as easy as possible, and our HSMs are integrated with the Thales Crypto Command Center for fast and easy partitioning, reporting, and monitoring of cryptographic resources.

Thales’ HSMs follow strict design requirements and must pass rigorous product verification tests, followed by real-world application testing to verify the security and integrity of each device.

Thales’ HSMs are cloud agnostic and are the HSM of choice for Microsoft, AWS and IBM, providing a hardware security module service that dedicates a single tenant device located in the cloud for the customer’s cryptographic processing and storage needs.

With Thales hardware security modules, you can:

  • Address compliance requirements for blockchain solutions, LGPD, Open Banking, IoT, innovation initiatives such as Pix from the Central Bank of Brazil, and prominent certifications such as those of the Central Bank of Brazil and PCI DSS; support digital signatures, DNSSEC, hardware key storage, transactional acceleration, certificate signing, code or document signing, bulk key generation and data encryption;
  • Generate and always store keys in an intrusion-resistant, tamper-proof, FIPS-validated device with the strongest levels of access control;
  • Create partitions with a dedicated Security Officer per partition and segregate duties through administrator key separation.

Thales Luna HSMs therefore implement best practices in hardware, software and operations that make deploying HSMs as easy as possible.

Make the best choice of HSM technology

HSMs are built to protect cryptographic keys. Large banks or corporate offices often operate a variety of HSMs simultaneously.

Key management systems control and update these keys according to internal security policies and external standards.

A centralized key management design has the advantage of streamlining key management and providing the best overview for keys in many different systems.

Learn more about Thales HSM

Encryption keys are literally the key to accessing the organization’s data. They protect an organization’s most sensitive information, so the system that generates and stores them must be protected at all costs.

Thales Luna HSM not only provides the best physical security (it is usually located at the heart of a company’s secure data center) but also ensures that stored keys are never breached.

Unless you have an environment where a physical data center is not available, adopt an HSM appliance to secure the organization’s encryption keys and leave virtualized services for the rest of your infrastructure, and take comfort in knowing your encrypted connections and data are always secure.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


6 advantages that only Thales HSM Luna has!

There are many benefits to using an HSM (Hardware Security Module). They are designed to meet strict government and regulatory standards and generally have strong access controls and role-based privilege models, hardware specifically designed for fast cryptographic operations and resistance to physical breaches, and flexible API options for access.

An HSM is the most secure way of storing cryptographic keys and managing their lifecycle, and this also applies to the cloud. The use of an HSM is now standard practice for any highly regulated company that employs cryptographic services and uses cryptographic keys in its business operations.

In practice, companies that don’t use HSM tools and resources today are likely to lose business from government, financial and healthcare clients who demand strong protection controls for all their transactions.

Does your company need an HSM to protect its information?

Basically, HSMs are dedicated hardware systems designed specifically to store and manage public and private keys, such as the keys behind SSL (Secure Sockets Layer) certificates.

An HSM allows customers to securely generate, store and manage the cryptographic keys used for data encryption in such a way that they are accessible only to the customer.

These systems are useful if your company needs, for example, to run digital rights management or a public key infrastructure. In addition, HSM solutions can be used to provide high levels of security for products that primarily need to ensure regulatory compliance.

Advantages that only Thales Luna HSMs have

Thales Hardware Security Modules provide the highest level of security by always storing cryptographic keys in hardware. Thales HSMs provide a secure cryptographic base, as the keys never leave a FIPS 140-2, Level 3 validated, intrusion-resistant and tamper-proof device.

As all cryptographic operations take place in the HSM, strong access controls prevent unauthorized users from accessing sensitive cryptographic material.

Thales also implements operations that make deploying secure HSMs as easy as possible, and HSM equipment is integrated with the Thales Crypto Command Center for quick and easy partitioning, reporting and monitoring of cryptographic resources.

All Thales HSMs follow stringent design requirements and must pass rigorous product verification tests, followed by real-world application tests to verify the safety and integrity of each device.

The main advantages of Thales HSM Luna are the following:

1. The keys always remain in the hardware

Protect your most sensitive cryptographic keys in our FIPS 140-2 Level 3 HSMs.

Storing your keys in our high-security vault ensures that they are protected against tampering, unlike alternative solutions on the market.

With the key-in-hardware approach, apps communicate through a client with keys stored in the HSM and the keys never leave the device.

2. High performance

Benefit from best-in-class performance across a range of algorithms, including ECC, RSA and AES-GCM, to satisfy the most demanding applications and meet service level agreements.

Thales Luna HSM promptly sends the application owner email alerts about events that affect the service and its support.

3. Next generation features

With an unrivaled combination of features, including central key and policy management, robust encryption support, streamlined onboarding, flexible backup options, remote management and more, Thales Luna HSM hardware security modules enable organizations to protect against evolving threats and take advantage of emerging opportunities presented by technological advances.

4. Runs in the cloud

Thales Luna HSM supports many deployment scenarios, from on-premises data centers to private, hybrid, public and multi-cloud environments, providing a tremendous amount of flexibility as it allows customers to move keys in and out of cloud environments.

5. Broad integration ecosystem

Thales Luna HSMs feature one of the broadest ecosystems available on the market and integrate with more than 400 of the most widely used enterprise applications for PKI, blockchain, big data, IoT, code signing, SSL/TLS, post-quantum, web servers, application servers, databases and much more. In addition, extensive API support is offered, including PKCS #11, Java, OpenSSL, Microsoft, Ruby, Python and Go.

6. Emerging technologies

Protect against evolving threats and capitalize on emerging technologies including Internet of Things (IoT), Blockchain, Quantum and more.


ANPD and LGPD: The Importance of Law 13.853

On July 8, 2019, Law No. 13.853 was published in the Federal Official Gazette (DOU) with the purpose of formalizing the creation of the National Data Protection Authority (ANPD).

Basically, the ANPD, as a national authority and public administration body, is responsible for ensuring, implementing and enforcing compliance with the General Data Protection Law (LGPD) throughout the national territory.

According to the LGPD, the National Data Protection Authority is composed of:

  1. Board of Directors
  2. National Council for the Protection of Personal Data and Privacy
  3. Internal Affairs
  4. Ombudsman
  5. Own legal advisory body
  6. Administrative units and specialized units necessary for the implementation of the LGPD

In addition, the Board of Directors of the ANPD shall be composed of five (5) directors, including the Chief Executive Officer.

But Law 13.853 did not consist only of creating the ANPD; it went further and established important changes for companies that need to adapt to the requirements of the General Data Protection Law.

The approved modifications were fundamental for the applicability of the LGPD: without the creation of the ANPD, the law risked becoming practically unworkable, contradicting a model that has demonstrated its effectiveness worldwide.

LGPD requirements: Law 13.853 went beyond the creation of the National Data Protection Authority (ANPD)

The General Data Protection Law provides, among several competences, that the ANPD must ensure the protection of personal data and develop guidelines for the National Policy for the Protection of Personal Data and Privacy.

Therefore, the National Data Protection Authority bears great responsibility for supervising the requirements defined by the LGPD, which must be met by companies adapting to the new legislation that comes into force in 2021.

In addition to consolidating the creation of the ANPD, Law 13.853 was responsible for solidifying important changes provided for by data protection and privacy legislation:

  • The law provides that data protection is of national interest, avoiding the proliferation of state and municipal laws that attempt to regulate the matter;
  • The data controller may be a legal person, and its appointment will also involve the data operator. In the original version, this assignment was exclusive to the data controller;
  • With the changes, the law excludes the obligation to inform the data subject in cases of processing of personal data to comply with a legal or regulatory obligation or when carried out by the public administration, for the execution of public policies provided for in rules or contracts;
  • It expands the hypotheses of communication and shared use of sensitive health data, extending the scope to data related to pharmaceutical care and auxiliary diagnostic and therapy services, as well as to cases of portability requested by the data subject and to financial and administrative transactions resulting from the use and provision of those services;
  • Health insurance companies are prohibited from using health data for risk selection or for the purpose of enrolling or excluding beneficiaries;
  • It introduces the possibility of waiving the controller’s communication obligation when shared data has undergone correction, deletion, anonymization or blocking, where such communication proves impossible or represents a disproportionate effort;
  • It establishes conditions for sharing personal data held in government agency databases with private entities;
  • It provides for direct conciliation between the data controller and the data subject (in cases of individual leaks or unauthorized access) prior to the application of legal sanctions;
  • It establishes that the members of the ANPD Board of Directors, chosen by the President of the Republic, must be approved by the Federal Senate;
  • It defines rules for the composition of the ANPD, its attributions and the origin of its revenues.

The ANPD has various roles and responsibilities, including investigating organizations that have suffered data breaches, imposing penalties where appropriate and generally auditing companies for their data collection and storage practices.

How does ANPD support the General Data Protection Law and businesses?

As the national authority responsible for overseeing and applying sanctions in case of non-compliance with data protection and privacy legislation, the National Data Protection Authority also aims to promote good practices in the processing of personal data and guidance on data protection.

In practice, the publication of law 13.853, creating the ANPD, consolidates the legal bases for processing, data auditing and privacy policies, aiming to ensure that the personal data of customers and employees are processed legally.

The importance of the ANPD for business

The publication of Law 13.853 was fundamental for companies that already face several challenges in their routine search for information security in their business processes.

Time constraints, budget limits and more pressing operational concerns often take priority over cybersecurity.

There are other issues as well, such as a lack of knowledge of data protection and privacy, that directly affect the difficult journey toward meeting the requirements set out by the LGPD.

Therefore, the National Data Protection Authority should help companies understand their data protection responsibilities by providing resources, support and guidance, tailored to the needs of organizations according to their segment, size and applicability of data protection law.

In addition, the ANPD should also promote public awareness of the rules and policies on personal data protection and security measures, prepare studies on national and international practices in personal data protection and privacy, and encourage the adoption of standards for services and products that make it easier for data subjects to control their personal data, taking into account the specificities of the activities and the size of those responsible.

Indeed, technology is driving changes in the social, political, legal and commercial environment that the National Data Protection Authority needs to regulate.

The most significant data protection risks for individuals are now driven by the use of new technologies and so the role of the ANPD will be key throughout this process.

With just over a year to go, companies need to be aware of the next steps of the LGPD. That is, the implementation of the necessary compliance actions in accordance with the law.


Data Protection for Healthcare Institutions and the LGPD

In the age of information and hyperconnectivity, data protection for healthcare institutions has emerged as not only a legal but also an ethical and strategic imperative.

The increasingly blurred boundary between the digital and physical worlds has elevated data management and security to a matter of vital importance.

For the health sector, this need becomes even more critical.

Healthcare institutions deal with large volumes of sensitive and confidential data every day, which requires the highest level of protection.

However, with the General Data Protection Law (LGPD), which represents a paradigmatic shift in data management practices, this sector now faces a new challenge.

In this scenario of digital transformation and greater awareness of privacy rights, health institutions need to adapt to the requirements of the LGPD.

Therefore, understanding the magnitude of the LGPD and how data protection for healthcare institutions can bring positive impacts to the relationship with patients, efficiency of processes and reputation of organizations is essential.

The Convergence of the LGPD and Data Security in Healthcare

The General Data Protection Law (LGPD), in force since 2020, has arrived as a regulatory milestone in Brazil.

It established a new level of rights and responsibilities related to privacy and personal data protection, directly impacting health institutions.

The LGPD classifies health data as “sensitive information”, a subset of personal data that deserves greater protection due to its intimate nature and potential to cause harm if improperly exposed.

This means that patients’ health information, which can cover everything from their medical and genetic history to data about their physical and mental well-being, is considered specially protected by the law.

The Importance of Data Protection for Healthcare Institutions

Healthcare institutions, which handle such data on a large scale, are therefore required to adjust to the stricter guidelines set out by the LGPD.

This involves implementing robust security measures to prevent the leakage or misuse of this information, as well as ensuring the explicit consent of data subjects for its collection and use.

Thus, the LGPD raises the data protection standard for healthcare institutions, requiring them to make an even greater commitment to the privacy and security of patient data.

In turn, it imposes the need to constantly review and improve data security protocols, privacy policies and data management practices.

In practice, the LGPD and health data security are now intrinsically linked, and LGPD compliance has become an inseparable part of health care.

Strategies to Implement Data Protection for Healthcare Institutions

Building an environment of trust and security around patient data is not a simple task, but it is an imperative need for healthcare institutions in the era of the LGPD.

Below, we will explore some crucial strategies for the effective implementation of data protection for healthcare institutions.

Master the Law

The foundation for any data protection strategy starts with a comprehensive understanding of the LGPD.

This involves familiarization with all its provisions and guidelines, as well as their specific implications for the health sector.

Invest in expert legal advice to help your institution navigate the complexity of the law and ensure full compliance.

Conduct a Data Risk Assessment

To effectively implement data protection for healthcare institutions, it is crucial to conduct a data risk assessment.

This process involves identifying and analyzing potential risks that could threaten the security of patient data.

This includes assessing existing IT systems, identifying potential weaknesses and implementing appropriate security measures to minimize risks.

Implement Data Protection Policies and Practices

Develop and implement rigorous data protection policies and practices, tailored to the unique needs and challenges of the healthcare sector.

Implement clear guidelines on how patient data is collected, stored, processed and shared within your organization, ensuring ongoing compliance with the LGPD.

Data Protection Education and Training

One of the keys to data protection for healthcare institutions is creating an organizational culture that values data privacy and security.

This challenge can be overcome through a continuous education and training program.

Such a program equips all staff with the knowledge and skills needed to properly handle patient data and maintain compliance with the LGPD.

These strategies will not only ensure compliance with the LGPD, but will also improve the security of patient data, increasing patient trust and satisfaction and enhancing your healthcare organization’s reputation.

The LGPD as an Opportunity

Often, the LGPD is seen only as a legal requirement to be fulfilled, an obstacle that needs to be overcome.

However, it is critical to recognize that the LGPD, and the subsequent need for robust data protection for healthcare institutions, also represents a significant opportunity for institutional improvement and market differentiation.

  • Strengthening the Relationship with Patients

LGPD compliance demonstrates the organization’s commitment to patient data privacy and security.

It strengthens the relationship between healthcare institutions and their patients, who will perceive consideration and respect for the integrity of their personal information.

At the end of the day, trust is the foundation of any relationship, especially in healthcare where sensitive information is constantly being exchanged.

  • Market Differentiation

A healthcare institution that strictly adheres to the LGPD and invests in patient data protection differentiates itself in an increasingly competitive market.

Concern for data privacy and security not only helps to avoid regulatory sanctions, but can also be used as a powerful marketing tool to attract new patients and retain current ones.

  • Enhancing Digital Infrastructure

LGPD compliance requirements can drive healthcare institutions to enhance their digital infrastructure.

The resulting adoption of new technologies and practices leads to more secure and efficient data systems that benefit not only data protection for healthcare institutions, but also the overall quality of patient care.

Therefore, the adoption of the LGPD and data protection for healthcare institutions should not only be seen as a legal obligation, but rather as a path for improvement.

In doing so, healthcare institutions have the opportunity to improve their relationship with patients and stand out in a competitive market. In addition, this can drive innovation in their digital infrastructure.
