
Data Encryption for Cloud Security: A Practical Guide

The frequency of cyberattacks continues to increase, especially in the education, banking, healthcare and government sectors. This is why data encryption for cloud security has been a priority.

One reason for this increase is the transition from storing data in local databases to cloud storage, which is connected via wired and wireless technologies.

And data encryption for cloud security has been key in this transition phase.

While cloud platforms present a convenient way to store large databases containing customer, employee, financial and sales records, attackers can exploit weaknesses in cloud computing systems and gain unauthorized access, for example by making their packets look like local traffic.

Cybercriminals target organizations not only with on-premises data centers, but also those with environments hosted on cloud computing platforms.

Unfortunately, strong firewall rules alone are not enough to protect against cyber attacks, nor do they provide the authentication and authorization that operational security requires. Rigorous testing and validation of security at the database and application level is also required.

It is crucial to protect data both at rest, when it remains stored on a device, and in transit, when it is moved from one location or network to another.

To complicate matters, hackers use modern tools and techniques to gain unauthorized access to data within an organization, on the Internet or stored in cloud computing services.

Therefore, data encryption and authentication, implementation of SSL certificates and SSL connections are essential. Equally important is establishing policies that restrict unintended access to environments and regular identity validation and access management.

Realizing the benefits of authentication and data encryption for cloud security

Basically, data encryption for cloud security protects sensitive and private information by scrambling blocks of data into a secret code. A decryption key is required to decode the encrypted data.

Different algorithms, including DES, AES and RSA, transform the data into an unreadable format called ciphertext. The ciphertext is transmitted to the receiver, who holds the corresponding decryption key: the shared secret key for a symmetric algorithm such as DES or AES, or the private half of a public/private key pair for RSA.

The receiver decrypts the ciphertext with that key to transform it back into a readable format.

Data authentication is a complex network communication mechanism that maintains non-repudiation and data integrity. Common data authentication methods include:

Password authentication

Users must enter a password to gain access to the data, which keeps the data safe from unauthorized access. Complex passwords using a combination of numbers, letters and special characters are used for more secure data and to further reduce risk.

This is just the first step in ensuring protection against cyber attacks using data encryption for cloud security.

Two-factor authentication

A one-time password (OTP) is sent to the user’s mobile number or email address. If you are the original user, access to the data is approved after this OTP is entered.

Hackers trying to gain access will not have this OTP, which means that access to the data is denied and the account is temporarily locked to save the data from attacks.
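The two mechanisms just described, password authentication followed by an OTP as a second factor, as an added example that is not part of the original article. It stores only a salted PBKDF2 hash of the password (never the password itself), keeps only a hash of each issued OTP, accepts an OTP once and only before it expires, and locks the account temporarily after repeated wrong OTPs, as the text describes. The iteration count, OTP lifetime, failure threshold and lockout length are illustrative assumptions; a clock function is injected so the expiry and lockout logic can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Added example, not from the original article. The parameters below are
# illustrative assumptions; tune them to your own risk assessment.
PBKDF2_ITERATIONS = 200_000   # work factor for the password hash
OTP_TTL_SECONDS = 300         # a delivered OTP is accepted for five minutes
MAX_OTP_FAILURES = 3          # wrong OTPs before the account is locked
LOCKOUT_SECONDS = 900         # length of the temporary lock


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); only these two values are stored, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password: str, salt: bytes, stored_dk: bytes) -> bool:
    """First factor: recompute the hash and compare it in constant time."""
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, stored_dk)


class OtpService:
    """Second factor: issue a one-time password and check it (single use, expiring, rate limited)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.pending: Dict[str, Tuple[bytes, float]] = {}   # user -> (sha256(otp), expiry)
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def issue(self, user: str) -> str:
        """Create a 6-digit OTP; the caller delivers it out of band (SMS or e-mail)."""
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        digest = hashlib.sha256(otp.encode("utf-8")).digest()   # store a hash, not the OTP
        self.pending[user] = (digest, self.now() + OTP_TTL_SECONDS)
        return otp

    def is_locked(self, user: str) -> bool:
        return self.now() < self.locked_until.get(user, 0.0)

    def check(self, user: str, otp: str) -> bool:
        """Accept the OTP only once, only before expiry, and only while the account is not locked."""
        if self.is_locked(user):
            return False
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.now() > expires_at:
            del self.pending[user]                  # expired: the user must request a new one
            return False
        candidate = hashlib.sha256(otp.encode("utf-8")).digest()
        if hmac.compare_digest(candidate, digest):
            del self.pending[user]                  # single use
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_OTP_FAILURES:
            self.locked_until[user] = self.now() + LOCKOUT_SECONDS
            self.pending.pop(user, None)            # discard the OTP that was being guessed
            self.failures.pop(user, None)
        return False


def login(user: str, password: str, salt: bytes, stored_dk: bytes,
          otp_service: OtpService) -> Optional[str]:
    """Run the first factor; on success issue the second factor and return the OTP to deliver."""
    if not verify_password(password, salt, stored_dk):
        return None
    return otp_service.issue(user)
```

The OTP is hashed before storage for the same reason the password is: a leaked pending-OTP table should not let anyone complete a login. Comparisons use `hmac.compare_digest` so that timing does not leak how many characters matched.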

Token authentication

A token is sent to the network server for authentication. The server checks the device credentials and approves or denies authentication.


Parity bit check

This commonly used technique, also known as a cyclic redundancy check (CRC), ensures accurate data transmission.

A CRC code is added to the end of the data message before transmission. At the destination, the receiver recomputes the CRC over the received data and compares it with the transmitted code. If the values are equal, the data was received correctly. Note that a CRC only detects accidental transmission errors; it involves no secret, so it does not by itself protect against deliberate modification, which requires a keyed mechanism such as a message authentication code.
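The CRC trailer described above, side by side with a keyed alternative, as an added example that is not part of the original article. `append_crc`/`verify_crc` implement the sender and receiver steps of the text with CRC-32; `append_mac`/`verify_mac` do the same with HMAC-SHA256. `demo()` runs both against a flipped bit (line noise) and against a frame rebuilt around a changed payload, showing that the CRC catches the first but not the second, while the HMAC catches both without the key. The key and messages are constructed for the demonstration.

```python
import hashlib
import hmac
import zlib

# Added example, not from the original article. The key and messages below are
# constructed for the demonstration; a real key comes from a key manager or HSM.
CRC_LEN = 4    # CRC-32 trailer length in bytes
MAC_LEN = 32   # HMAC-SHA256 tag length in bytes


def append_crc(message: bytes) -> bytes:
    """Sender: append a CRC-32 trailer to the message, as the article describes."""
    return message + zlib.crc32(message).to_bytes(CRC_LEN, "big")


def verify_crc(frame: bytes) -> bool:
    """Receiver: recompute the CRC over the payload and compare it with the trailer."""
    body, trailer = frame[:-CRC_LEN], frame[-CRC_LEN:]
    return zlib.crc32(body).to_bytes(CRC_LEN, "big") == trailer


def append_mac(message: bytes, key: bytes) -> bytes:
    """Sender: append an HMAC-SHA256 tag; producing it requires the shared secret key."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(frame: bytes, key: bytes) -> bool:
    """Receiver: recompute the tag with the key and compare in constant time."""
    body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate line noise: flip the lowest bit of one byte of the frame."""
    corrupted = bytearray(frame)
    corrupted[index] ^= 0x01
    return bytes(corrupted)


def demo() -> dict:
    """Run both checks against accidental corruption and against a rebuilt frame."""
    key = b"constructed-demo-key-do-not-reuse"     # constructed for this example
    message = b"patient-42;glucose=95mg/dL"        # constructed sample payload
    altered = b"patient-42;glucose=59mg/dL"        # same length, different meaning
    crc_frame = append_crc(message)
    mac_frame = append_mac(message, key)
    return {
        "crc_ok": verify_crc(crc_frame),
        "crc_catches_noise": not verify_crc(flip_bit(crc_frame, 0)),
        # a frame rebuilt around a changed payload carries a matching CRC: no secret is involved
        "crc_catches_rebuilt_frame": not verify_crc(append_crc(altered)),
        "mac_ok": verify_mac(mac_frame, key),
        "mac_catches_noise": not verify_mac(flip_bit(mac_frame, 0), key),
        # a frame rebuilt without the real key carries a tag that fails verification
        "mac_catches_rebuilt_frame": not verify_mac(append_mac(altered, b"wrong-key"), key),
    }
```

The practical consequence for the "data authentication" the text is about: a CRC belongs at the link layer for error detection, and integrity against tampering needs a MAC or a digital signature on top of it.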

SSL (Secure Sockets Layer) certificates provide data encryption using specific algorithms. These certificates ensure the security of data transmission from malicious activities and third-party software.

Two keys are involved in protecting the connection: a public key and a private key.

The public key, carried in the server’s certificate, is used to encrypt data sent to the server. SSL keeps the data encrypted until the user completes the communication process. Data can only be decrypted by the matching private key.

If an attacker manages to intercept the data during the communication process, the encryption renders it useless to them. SSL (now superseded by its successor, TLS) is recommended as an international standard for secure data transmission on websites.

Best practices to protect against cyber attacks using data encryption

Organizations can employ several proven approaches to protect their data when using data encryption for cloud security. They include:

  • Develop an encryption key and access management plan to ensure that data is decrypted when access to the data is required. Key management processes should be in place to prevent unauthorized disclosure of data or irrecoverable loss of important data;
  • Ensure that encryption mechanisms comply with applicable laws and regulations. Any sharing of encrypted data, export or import of data encryption products (e.g. source code, software or technology) must comply with the applicable laws and regulations of the countries involved;
  • Define data access levels. Monitor and record inappropriate access activities to reduce insider threat occurrences. Delete the accounts of former employees immediately after separation from the company;
  • Train all staff in handling sensitive data using the latest technology and make sure they understand how systems use this information.
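The third practice above (define access levels, monitor and record inappropriate access, delete the accounts of former employees) as an added example that is not part of the original article: a small review routine run over constructed access-log lines. The account directory, resource classification, business-hours window and log rows are all constructed for the demonstration; timestamps are treated as UTC.

```python
import csv
import io
from datetime import datetime
from typing import Dict, List, Tuple

# Added example, not from the original article. The account directory,
# resource classification and log lines below are constructed for the demo.

ACCOUNTS: Dict[str, Dict[str, object]] = {
    "alice": {"level": 3, "status": "active"},
    "bob":   {"level": 1, "status": "active"},
    "carol": {"level": 2, "status": "terminated"},   # left the company; account should have been deleted
}

# minimum access level needed to use each resource
RESOURCES: Dict[str, int] = {"sales-db": 1, "hr-records": 2, "payroll": 3}

# constructed sample log; in practice this comes from the application or cloud audit trail
SAMPLE_LOG = """\
timestamp,user,resource,action,result
2024-05-01T08:02:11Z,alice,payroll,read,success
2024-05-01T08:05:42Z,bob,hr-records,read,success
2024-05-01T08:07:03Z,carol,sales-db,read,success
2024-05-01T09:11:27Z,dave,sales-db,read,success
2024-05-01T23:40:00Z,bob,sales-db,export,success
"""

Finding = Tuple[str, str, str]   # (timestamp, user, reason)


def review_access(log_text: str, accounts: Dict[str, Dict[str, object]],
                  resources: Dict[str, int],
                  business_hours: Tuple[int, int] = (7, 20)) -> List[Finding]:
    """Flag log rows that violate the access model or look like insider misuse."""
    findings: List[Finding] = []
    unknown_resource_level = max(resources.values()) + 1   # unknown resource: nobody qualifies
    for row in csv.DictReader(io.StringIO(log_text)):
        ts, user, resource, action = row["timestamp"], row["user"], row["resource"], row["action"]
        account = accounts.get(user)
        required = resources.get(resource, unknown_resource_level)
        if account is None:
            findings.append((ts, user, "access by an account not in the directory"))
        elif account["status"] != "active":
            findings.append((ts, user, f"access by {account['status']} account"))
        elif account["level"] < required:
            findings.append((ts, user,
                             f"level {account['level']} below the {required} required for {resource}"))
        # bulk exports outside business hours (UTC) are worth a second look even when authorized
        hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).hour
        if action == "export" and not (business_hours[0] <= hour < business_hours[1]):
            findings.append((ts, user, "bulk export outside business hours"))
    return findings
```

Run against the sample, the routine flags bob reading a level-2 resource with a level-1 account, carol's terminated account still being used, an account (dave) that the directory does not know, and bob's late-night export. The point is that the "delete accounts immediately" rule only holds if something checks the logs against the directory.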

Data encryption for cloud security: mistakes your business should avoid

The biggest misconception about cybersecurity is that companies think they are completely protected from attacks because they have made large investments implementing security protocols.

They forget that there are always vulnerabilities that leave them exposed to risks, which can result in irrecoverable damage. With the advent of cloud storage, many companies have been led to believe that simply moving to the cloud guarantees protection against cyber attacks.

And while it is certainly a safe place to store a company’s sensitive data, it is not an impenetrable fortress, hence the importance of data encryption for cloud security.

In addition, some companies remain with older technologies without upgrading to newer, more secure advances, which leaves them still vulnerable to security risks.

Companies can leverage innovative security aspects to help them mitigate security threats. Software-defined networks can provide automated security at the hardware level through routers and switches.

Configuration management tools provide a convenient method to manage and automate security settings.

It is time for companies investing in cloud computing systems to also invest in making their cyber security systems more secure, reliable and robust against cyber attacks with the use of data encryption.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for more than 18 years. Since 2004, we have been offering solutions for Authentication, Electronic and Digital Signature and Protection Against Cyber Attacks. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


Cryptographic Key Management in Healthcare: A Real Challenge

The use of cryptography and cryptographic key management in healthcare to protect data at rest or media is a reality for medical institutions and users of services such as cloud storage, messaging and many others.

However, those responsible for these services are presented with many options for cryptographic mechanisms and consequently there are many choices to be made.

Poor choices in cryptographic key management in healthcare can result in little or no gain, even loss, creating a false sense of security in a healthcare organization’s data.

For example: encrypt a database and keep the cryptographic key in a file on the server.

In this article we intend to address some relevant aspects for the information security of data in the health area that are related to cryptographic keys.

With this we will show the importance of their correct management for the programming of cryptographic services.

To facilitate understanding, we will divide the article into three parts. Starting with the basics about cryptography, cryptographic services and finally cryptographic key management.

Cryptographic Key Management in Health and Data Encryption

Cryptography is a set of principles used to ensure the security of information in a healthcare institution.

To this end, cryptography employs techniques to transform one piece of information (the plaintext) into another (the cryptogram, or ciphertext) that is readable only to those who know the secret (the secret key).

By keeping this secret safe, we prevent unauthorized persons from recovering the original information (decrypting it).

  • Secrecy

The security of cryptographic services is based on the secrecy of the cryptographic key, which allows encryption and decryption, and not on the method of transforming the information, i.e. the algorithm used, which must be public.

  • Symmetric and asymmetric keys

In cryptography there are two basic types of algorithms: symmetric and asymmetric key. The former use a single key to encrypt and decrypt the data, while the latter adopt a pair of keys, one for encryption and the other for decryption.

Cryptographic services

There is really no 100% method, not for health or any other area, but some guidelines can help reduce or prevent attacks.

One of the first steps to be taken into consideration is the confidentiality of each patient’s data. Use a network where only authorized persons have access.

Looking for dedicated storage for your data is also one of the ways to prevent data leakage. There are storage solutions that can help digital health security in this regard.

As mentioned above, it is clear that encryption and cryptographic key management in healthcare are the most efficient ways to prevent data theft in healthcare.

Whether the aim is to protect data at rest (data that is stored) or data in transit (data travelling on the network), encryption coupled with strict access control is essential to help the hospital keep data protected.

It is worth remembering that it is also essential to protect the perimeter of your network with a firewall and to protect desktops and servers with antivirus, among many other tools.

  • Confidentiality

According to studies, email attacks against the health sector alone grew by 473% between 2017 and 2019. The maintenance of outdated legacy systems is one of the reasons for this high volume of attacks.

Another study estimates that spending on advertising alone, due to reputational risk, increases by 64% in hospitals that suffer data leaks.

Confidentiality has to start with the adoption of an Electronic Patient Record (EPP), which in addition to centralizing the medical data of each care (complete history), facilitates the achievement of prestigious accreditations in the sector, such as HIMSS (Health Information and Management Systems Society), linked to good health IT practices.

You need to train your staff constantly to avoid improper access and use of the applications provided within the institution.

Confidentiality of data through encryption, management of cryptographic keys in health and with proper access control, also ensures that information cannot be viewed by third parties and that only authorized persons have access to it.

  • Integrity

Integrity, in short, means that a given piece of information is not modified in an unauthorized way after its creation, whether during transmission or storage.

Whether the change is accidental or intentional, the insertion, removal or replacement of data must be detected. Cryptographic mechanisms such as cryptographic digest, also known as hash, and digital signature provide the support for this service.

  • Authentication

The authentication service verifies the identity of a user in order to have some assurance that the person is who they say they are. There are several authentication mechanisms: user name and password is a well-known model, but so is authentication using a digital certificate.

In the digital certificate model, one can use the SSL protocol, or even digital signatures at login, as an authentication model. For the digital certificate it is interesting to use the ICP-Brasil model or another that the organization trusts, such as an internal Certificate Authority.

With ICP-Brasil Certificate Authorities, the digital certificate is issued only after the applicant undergoes identity validation, in person or, more recently, remotely, presenting original documents that prove their identity.


  • Non-repudiation (irretractability)

The non-repudiation service provides the means to ensure that whoever created a piece of information cannot deny its authenticity, or at least that doing so is difficult.

In this sense, it is linked to the digital signature, in which the owner of the private key cannot deny having used it for a particular purpose.

  • Authorization

Additionally, after authentication, it is possible to use the information of the authenticated user in the system to define the authorization of the information. The authorization service provides approval or permission for the execution of an activity.

As an example, the authorization service can be employed to define the permissions to use a cryptographic key that would consequently allow access to a certain piece of information.

Cryptographic key management in health

Cryptographic keys are the foundation of cryptography and the security of encrypted data lies in them. Breaches can lead to the compromise of keys and, consequently, the leakage of sensitive information such as patient records.

The increase in the use of encryption for data protection in healthcare institutions, mainly due to government regulation, means that they have to deal with multiple solutions to encrypt data, see LGPD.

Because of the diversity of vendors, organizations also need to define various procedures for managing cryptographic keys, and these are not always adequate.

Cryptographic key management consists of storing, protecting, organizing and ensuring the proper use of cryptographic keys, managing their lifecycle and maintaining backup copies in a secure and consistent manner.

  • Secure storage of keys

The keys should be stored securely, i.e. encrypted and with access control.

Encryption of stored keys should preferably be performed with key-encryption keys (KEK) that are themselves protected in cryptographic hardware.

  • Identification of keys

It should be possible to identify a key, its type, its purpose, who is authorized to use it and the period of use.

Life cycle of cryptographic keys

The lifecycle of cryptographic keys must be controlled so that they are used properly during their validity period – i.e. only authorized persons or systems can use them during a predefined time and with secure mechanisms so that they are not compromised.

We will describe the life cycle of the keys according to the NIST recommendation (NIST SP 800-57).

The life cycle of a key starts with generation and ends with destruction, passing through one or more of the states described below:

  • generation: moment of creation of the key, which is not yet ready for use;
  • pre-activation: the key has been generated but is not yet ready for use because it is waiting for the period of use or the issuance of a certificate;
  • activated: the key is available for use;
  • suspended: the use of the key is temporarily suspended. In this state, it can no longer perform ciphering or signing operations, but can be used for data recovery or verification of signatures previously performed.
  • inactivated: the key can no longer be used for ciphering or digital signing, but is kept for processing data ciphered or signed before inactivation.
  • compromised: indicates that the key has its security affected and can no longer be used in cryptographic operations. In some cases, as in symmetric keys, it can be used to recover the encrypted data for later encryption with another key.
  • destroyed: this status indicates that a key is no longer required. The destruction of the key is the final stage and can be achieved due to the end of the key’s usage cycle or the compromise of its security.
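The key states listed above, together with the identification data required earlier (which key, its type, its purpose, who may use it and its period of use), as an added example that is not part of the original article. `ManagedKey` is a record of that metadata with a state machine attached: `transition()` refuses moves the life cycle does not allow, and `may_use()` is the authorization check, combining state, identity and validity period. The operation vocabulary ("protect" for encrypt/sign, "process" for decrypt/verify) and the exact transition table are assumptions; the per-state permissions follow the descriptions in the list, including the rule that a compromised key may still be used for recovery only when it is symmetric.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Set, Tuple

# Added example, not from the original article. Transition table and the
# "protect"/"process" vocabulary are assumptions; permissions follow the text.


class KeyState(Enum):
    GENERATED = "generation"
    PRE_ACTIVATION = "pre-activation"
    ACTIVATED = "activated"
    SUSPENDED = "suspended"
    INACTIVATED = "inactivated"
    COMPROMISED = "compromised"
    DESTROYED = "destroyed"


# "protect" = encrypt or sign new data; "process" = decrypt or verify existing data
PERMITTED = {
    KeyState.GENERATED: set(),
    KeyState.PRE_ACTIVATION: set(),
    KeyState.ACTIVATED: {"protect", "process"},
    KeyState.SUSPENDED: {"process"},      # recovery and verification of earlier signatures only
    KeyState.INACTIVATED: {"process"},    # data protected before inactivation
    KeyState.COMPROMISED: {"process"},    # symmetric keys only, to re-encrypt under a new key
    KeyState.DESTROYED: set(),
}

TRANSITIONS = {
    KeyState.GENERATED: {KeyState.PRE_ACTIVATION, KeyState.DESTROYED},
    KeyState.PRE_ACTIVATION: {KeyState.ACTIVATED, KeyState.COMPROMISED, KeyState.DESTROYED},
    KeyState.ACTIVATED: {KeyState.SUSPENDED, KeyState.INACTIVATED, KeyState.COMPROMISED},
    KeyState.SUSPENDED: {KeyState.ACTIVATED, KeyState.INACTIVATED, KeyState.COMPROMISED},
    KeyState.INACTIVATED: {KeyState.COMPROMISED, KeyState.DESTROYED},
    KeyState.COMPROMISED: {KeyState.DESTROYED},
    KeyState.DESTROYED: set(),
}


@dataclass
class ManagedKey:
    key_id: str                 # identification: which key
    key_type: str               # e.g. "AES-256" or "RSA-2048"
    purpose: str                # what it is for
    authorized: Set[str]        # who may use it
    valid_from: datetime        # period of use
    valid_until: datetime
    symmetric: bool
    state: KeyState = KeyState.GENERATED
    history: List[Tuple[datetime, KeyState, KeyState]] = field(default_factory=list)

    def transition(self, new_state: KeyState, at: datetime) -> None:
        """Move to a new state, refusing transitions the life cycle does not allow."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.key_id}: {self.state.value} -> {new_state.value} not allowed")
        self.history.append((at, self.state, new_state))   # audit trail of state changes
        self.state = new_state

    def may_use(self, principal: str, operation: str, at: datetime) -> bool:
        """Authorization decision combining state, identity and validity period."""
        if principal not in self.authorized:
            return False
        if not (self.valid_from <= at <= self.valid_until):
            return False
        if self.state is KeyState.COMPROMISED and not self.symmetric:
            return False   # a compromised private key has no remaining legitimate use
        return operation in PERMITTED[self.state]


def demo_timeline() -> dict:
    """Walk one symmetric key through its life cycle and record each decision."""
    t0 = datetime(2024, 1, 1)

    def day(n: int) -> datetime:
        return t0 + timedelta(days=n)

    key = ManagedKey("db-key-01", "AES-256", "patient-db-encryption",
                     {"db-service"}, t0, day(365), symmetric=True)
    out = {"generated_cannot_encrypt": not key.may_use("db-service", "protect", day(0))}
    key.transition(KeyState.PRE_ACTIVATION, day(0))
    key.transition(KeyState.ACTIVATED, day(1))
    out["active_can_encrypt"] = key.may_use("db-service", "protect", day(2))
    out["unauthorized_user_denied"] = not key.may_use("intern", "process", day(2))
    out["outside_period_denied"] = not key.may_use("db-service", "process", day(400))
    key.transition(KeyState.SUSPENDED, day(3))
    out["suspended_can_only_process"] = (not key.may_use("db-service", "protect", day(3))
                                         and key.may_use("db-service", "process", day(3)))
    key.transition(KeyState.COMPROMISED, day(4))
    out["compromised_symmetric_can_recover"] = key.may_use("db-service", "process", day(4))
    key.transition(KeyState.DESTROYED, day(5))
    out["destroyed_unusable"] = not key.may_use("db-service", "process", day(5))
    try:
        key.transition(KeyState.ACTIVATED, day(6))
        out["reactivation_refused"] = False
    except ValueError:
        out["reactivation_refused"] = True
    out["transitions_logged"] = len(key.history)
    return out
```

The `history` list is the part most often missing in practice: when a key is later found to have been compromised, it answers which data was protected under it and during which window, which is what the re-encryption described for the compromised state needs.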

Generally speaking, both healthcare institutions and all organizations should focus on continuous improvement while managing their risks at a price that is compatible with their reality.

Companies should critically evaluate how to protect their systems. They should also consider the “root causes” of security incidents in their environments as part of a risk assessment.

As systems become more secure and institutions adopt effective measures to manage their processes, key management becomes increasingly essential. Protecting a healthcare organization’s data is critical to the security of its patients’ information.


10 vital recommendations for secure data transmission

Protecting the data used in business operations is an essential requirement for an organization’s confidential information.

Malicious users can intercept or monitor plain text data transmitted over a network or via removable media and unencrypted mobile devices.

Thus they gain unauthorized access, compromising the confidentiality of data considered sensitive and strategic. This is why secure data transmission is so important.

Cryptography as a security solution

Protection in these cases is done with cryptographic algorithms that limit access to the data to those who hold the appropriate encryption key and its corresponding decryption key.

In addition, some modern cryptographic tools also allow for condensation or compression of messages, saving transmission and storage space.

We have brought together the need to protect data transmissions with the technological resources available today, and have selected 10 recommendations that we consider vital for success in the whole process of sending and receiving data.

Malicious users can compromise the confidentiality of information during a data transmission

Data considered sensitive or restricted with regard to data protection must be encrypted when transmitted over any network. This must be done in order to protect against interception of network traffic by unauthorized users. Attacks of this type are also known as man-in-the-middle attacks.

In cases where the source and destination devices are within the same protected subnet, the data transmission must still be protected with encryption, due to the potential high negative impact of a data breach and theft. In addition, employees tend to have less concern when they are within a “controlled” environment, believing themselves to be safe from attack.

The types of transmission can include client-to-server communication, as well as server-to-server communication. This can include data transfer between main systems, between third party systems, or P2P transmission within an organization.

Additionally, when used to store restricted data, removable media and mobile devices should also use encryption of sensitive data appropriately, following security recommendations. Mobile devices include laptops, tablets, wearable technology, and smartphones.

Emails are not considered secure, and by default should not be used to transmit sensitive data unless additional data encryption tools from these services are used.

When trying to protect data in transit, the security professional should consider the following recommendations for designing secure information transmission:


Top recommendations

  1. Where the device (whether client or server) is accessible via a web interface, traffic must be transmitted over Secure Sockets Layer (SSL), using only strong security protocols and transport layer security;
  2. Data transmitted by email should be protected using email encryption tools with strong encryption, such as S/MIME. Alternatively, before sending an email, users should encrypt data using compatible file data encryption tools and attach it to the email for transmission;
  3. Data traffic not covered by the web browser should be encrypted via application-level encryption;
  4. If an application database is outside the application server, all connections between the database and the application must also use encryption with cryptographic algorithms compliant with recommended security and data protection standards;
  5. When application-level encryption is not available for data traffic not covered by the Web, implement network-level encryption, such as IPsec or SSL encapsulation;
  6. Encryption must be applied when transmitting data between devices on protected subnets with strong firewall controls;
  7. Develop and test an appropriate data recovery plan;
  8. Follow the recommended requirements for creating strong passwords that should be defined in the organization’s security policy. Also, adopt some management tool to store the access data and recovery keys;
  9. After the data is copied to a removable media or mobile device, verify that it works by following the instructions for reading data using encryption. Also take the opportunity to include in your recovery and contingency plan tests of opening backups that have been encrypted;
  10. When unattended, removable media (or mobile device) should be stored in a secure location with limited access to users as needed. And be aware of the keys that were used to encrypt the backup.
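Recommendation 1 (SSL/TLS "using only strong security protocols") and the web-facing part of recommendation 5 in code, as an added example that is not part of the original article. It builds a client-side TLS context the recommended way next to the weak configuration to avoid, and a small audit function that reports what is wrong with a context; the audit rules (certificate verification on, hostname check on, protocol floor at TLS 1.2) are this example's assumptions about what "strong" should mean. Python's `ssl` module exposes `minimum_version` from 3.7 onward.

```python
import ssl
from typing import List, Optional

# Added example, not from the original article. The audit rules below are
# assumptions about what "strong security protocols" should mean for a client.


def weak_client_context() -> ssl.SSLContext:
    """The configuration to avoid: verification switched off and no protocol floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate: an interceptor's too
    return ctx


def strong_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server certificate against trusted CAs and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # pin the protocol floor explicitly
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise against a context; empty means acceptable."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor not pinned to TLS 1.2 or higher")
    return findings


if __name__ == "__main__":
    # Stand-alone run: print the audit of both contexts (no network connection is made).
    print("weak:", audit_context(weak_client_context()))
    print("strong:", audit_context(strong_client_context()))
```

The weak context is what many "fix the certificate error" snippets produce; with it, the encryption still happens, but the client cannot tell the real server from anyone sitting on the path, which is exactly the man-in-the-middle case the article warns about. Pass the resulting strong context to `ssl.SSLContext.wrap_socket` or to an HTTP client that accepts a context.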

Support and internal policies are also very important

The last recommendation is to have proper supporting documentation for this entire data transmission process. Security policies and processes need to be validated through frequent testing that can guarantee the efficiency of all procedures to be carried out.

Finally, don’t forget to create an awareness policy made for the company’s employees. Adopt training and campaigns that demonstrate the importance of following the organization’s security and data protection policies and processes.

Data encryption tools to support secure transmission

End-to-end encryption is usually performed by the end user within an organization. The data is encrypted at the beginning of the communications channel, or earlier via removable media and mobile devices. In this way they remain encrypted until they are decrypted at the remote end.

To assist this process, the use of encryption tools provides the necessary support for secure data transmission.

There are several tools for encrypting data, but it is important to pay special attention to key management. For if you get careless and lose the key, you will lose the content that was encrypted as well.

Therefore, we always recommend the correct use of equipment and platforms that manage the key, its life cycle and access control. After all, as usage grows, management gets complicated using only Excel spreadsheets.

The Challenge of Data Traffic

One of the main goals throughout history has been to move messages through various types of channels and media. The intention has always been to prevent the content of the message from being revealed, even if the message itself was intercepted in transit.

Whether the message is sent manually, over a voice network, or over the Internet, modern encryption provides secure and confidential methods for transmitting data. It also allows the integrity of the message to be checked, so that any changes in the message itself can be detected.

In short, the adoption of encryption should be a priority for all companies, regardless of their industry or size. Today, data protection has become critical to the success of any business and therefore cannot be ignored by any organization.

Finally, read more about data protection and privacy in our blog and learn how to apply encryption technology effectively in your company by contacting EVAL’s experts. We are happy to answer your questions and help you define the best ways to protect your organization against data leakage and theft.

About Eval

A EVAL está a mais de 18 anos desenvolvendo projetos nos segmentos financeiro, saúde, educação e indústria, Desde 2004, oferecemos soluções de Autenticação, Assinatura Eletrônica e Digital e Proteção de Dados. Atualmente, estamos presente nos principais bancos brasileiros, instituições de saúde, escolas e universidades, além de diferentes indústrias.

Com valor reconhecido pelo mercado, as soluções e serviços da EVAL atendem aos mais altos padrões regulatórios das organizações públicas e privadas, tais como o SBIS, ITI, PCI DSS, e a LGPD. Na prática, promovemos a segurança da informação e o compliance, o aumento da eficiência operacional das empresas, além da redução de custos.

Inove agora, lidere sempre: conheça as soluções e serviços da Eval e leve sua empresa para o próximo nível.

Eval, segurança é valor.

Categories
Data Protection

Secure Data Transmission: 10 Tips For Your Business

Protecting the data used in business operations is an essential requirement for an organization’s confidential information. This is when secure data transmission, along with data encryption come into play.

Malicious users can intercept or monitor plain text data transmitted over a network or via removable media and unencrypted mobile devices.

Thus they gain unauthorized access, compromising the confidentiality of data considered sensitive and strategic. This is why secure data transmission is so important.

Protection in these cases is done with cryptographic algorithms that limit access to the data only to those who have the appropriate encryption feature and its respective decryption.

In addition, some modern cryptographic tools also allow for condensation or compression of messages, saving transmission and storage space.

We have converged the need to protect data transmissions together with existing technological resources. Therefore, we have separated 10 recommendations that are considered vital to be successful in the whole process of sending and receiving data.

Cybercriminals can compromise the confidentiality of information during a data transmission

Data considered sensitive or restricted with regard to data protection must be encrypted when transmitted over any network.

This must be done in order to protect against interception of network traffic by unauthorized users. Attacks of this type are also known as Man-in-the-middle, click here to learn more.

In cases where the source and destination devices are within the same protected subnet, the data transmission must still be protected with encryption, due to the potential high negative impact of a data breach and theft.

In addition, employees tend to have less concern when they are within a “controlled” environment, believing themselves to be safe from attack.

The types of transmission can include client-to-server communication, as well as server-to-server communication. This can include data transfer between main systems, between third party systems, or P2P transmission within an organization.

Additionally, when used to store restricted data, removable media and mobile devices should also use encryption of sensitive data appropriately, following security recommendations. Mobile devices include laptops, tablets, wearable technology, and smartphones.

Emails are not considered secure, and by default should not be used to transmit sensitive data unless additional data encryption tools of these services are used.

When trying to protect data in transit, the security professional should consider the following recommendations for designing secure information transmission:

Hybrid Infographic HSM

Top recommendations

  1. Where the device (whether client or server) is accessible via a web interface, traffic must be transmitted over Secure Sockets Layer (SSL), using only strong security protocols and transport layer security;
  2. Data transmitted by email should be protected using email encryption tools with strong encryption, such as S/MIME . Alternatively, before sending an email, users should encrypt data using compatible file data encryption tools and attach it to the email for transmission;
  3. Data traffic not covered by the web browser should be encrypted via application-level encryption;
  4. If an application database is outside the application server, all connections between the database and the application must also use encryption with cryptographic algorithms compliant with recommended security and data protection standards;
  5. When application-level encryption is not available for data traffic not covered by the Web, implement network-level encryption, such as IPsec or SSL encapsulation;
  6. Encryption must be applied when transmitting data between devices on protected subnets with strong firewall controls;
  7. Develop and test an appropriate data recovery plan;
  8. Follow the recommended requirements for creating strong passwords that should be defined in the organization’s security police. Also, adopt some management tool to store access data and recovery keys;
  9. After the data is copied to a removable media or mobile device, verify that it works by following the instructions for reading data using encryption. Also take the opportunity to include in your recovery and contingency plan tests of opening backups that have been encrypted;
  10. When unattended, removable media (or mobile device) should be stored in a secure location with limited access to users as needed. And be aware of the keys that were used to encrypt the backup.

Support and internal policies are also very important

The last recommendation is to have proper supporting documentation for this entire data transmission process.

Security policies and processes need to be validated through frequent testing that can guarantee the efficiency of all procedures to be carried out.

Finally, don’t forget to create an awareness policy made for the company’s employees.

Adopt training and campaigns that demonstrate the importance of following the organization’s security and data protection policies and processes.

Data encryption tools to support secure transmission

End-to-end encryption is usually performed by the end user within an organization. The data is encrypted at the beginning of the communications channel, or earlier via removable media and mobile devices.

In this way they remain encrypted until they are decrypted at the remote end.

To assist this process, the use of encryption tools provides the necessary support for secure data transmission.

There are several tools for encrypting data, but it is important to pay special attention to key management: if you are careless and lose the key, you lose the encrypted content as well.

Therefore, we always recommend using equipment and platforms that manage the key, its life cycle and access control correctly.

After all, once encryption is used more broadly, key management quickly becomes complicated if it relies only on Excel spreadsheets.

The Challenge of Data Traffic

One of the main goals throughout history has been to move messages through various types of channels and media. The intention has always been to prevent the content of the message from being revealed, even if the message itself was intercepted in transit.

Whether the message is sent manually, over a voice network, or over the Internet, modern encryption provides secure and confidential methods for transmitting data.

It also allows the integrity of the message to be checked, so that any changes in the message itself can be detected.

In short, the adoption of encryption should be a priority for all companies, regardless of their industry or size. Today, data protection has become critical to the success of any business and therefore cannot be ignored by any organization.

Finally, read more about data protection and privacy on our blog and learn how to apply encryption technology effectively in your business by contacting Eval’s experts.

We are happy to answer your questions and help you define the best ways to protect your organization against data leakage and theft.

About Eval

EVAL has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and the General Data Protection Law (LGPD). In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


Data protection with encryption: a challenge for companies

Data protection with encryption, considered one of the most recognized and widely implemented security controls today, is still a major challenge for companies. According to the American company Vera Security, only 4% of data breaches are considered “secure”, where encryption renders the stolen files useless.

Encryption is usually purchased and deployed for purposes related to compliance with requirements. In other words, it is usually not aligned to deal with real-world security risks, such as data theft and accidental employee excesses.

In fact, applying encryption technology effectively is one of the main challenges organizations face in achieving satisfactory data protection performance.

To give you an idea of the situation, data presented in a survey by Vera Security shows that 61% of respondents believe that compliance drives the need for encryption, not the protection of user data.

This further increases the disconnect between encryption and security.

The report also cites perimeter-oriented encryption deployments as one of the main reasons why organizations’ encrypted data protection investments are misaligned with how employees and business partners actually use critical data.

The challenge of protecting data with encryption throughout the business lifecycle

For professionals specializing in security, privacy and risk, the speed and scale of how data moves through organizations and their partners today are the factors that most increase the need for data protection.

Especially in today’s collaborative post-cloud environment, organizations must invest in data protection with encryption throughout the business lifecycle.

The main approach is to use file security with always-on encryption to protect data during its lifetime. This ensures compliance with existing laws and regulations. This strategy aims to provide strong encryption, real-time access control and defined policy management.

Another important finding in the report is that almost two thirds of respondents rely on their employees to follow security policies. This is the only way to guarantee the protection of distributed files.

However, 69% are very concerned about the lack of control over documents sent outside the network or collaborated on in the cloud. Finally, only 26% have the ability to locate and revoke access quickly.

The survey also shows that only 35% of respondents incorporate data protection with encryption into security processes in general. Meanwhile, others cite difficulties in implementing technology correctly as the reason for its low prioritization in the organization.

One of the main conclusions of the research is that encryption is not seen as an “easy win”. It is also considered difficult to deploy and use.

Recommendations for turning this game around with cryptography

Despite the difficulties in adopting data protection with encryption in companies, it is worth noting that there are data-centric security technologies that can provide real-time tracking and access control, without inconveniencing the end user. The recommendations are as follows:

1. IT and business teams need to follow the company’s workflow to find security breaches

These teams will then be able to find hidden data exposures. In addition, it should be noted that encryption mechanisms generally cannot keep up with data and new user functions.

Thus, organizations need to study how employees actually use sensitive information to identify areas where data protection with encryption cannot reach or is disabled out of necessity.

However, a team that knows the organization’s sensitive data can help map it out so that IT can deploy encryption correctly. That’s why the business team must be a multidisciplinary team involving various areas of the company.


2. Invest in preventing attacks

Organizations should avoid reactive thinking about incidents (“actions to be taken only after the attack”). After all, in most organizations, well-intentioned employees make mistakes that outweigh malicious threats.

For this reason, companies are advised to ensure clear visibility of their processes to help employees and managers contain accidental data exposure and apply their policies to prevent data theft and loss of privacy.

The question today is when, not whether, a company’s data will leak. With this in mind, it becomes clearer how to define an appropriate strategy that will prevent the attack and ensure that, if it does occur, the data remains protected.

3. Align the business, partners and technologies to protect data with encryption

Companies need to align their technological resources – and this includes encryption – to deal with cloud, mobile and third-party technologies. The multiplication of mobile devices and business partners presents a wide variety of new places where data must travel.

Routing this data access through cloud and other centralized services helps IT, security and business leaders restore visibility and consolidate control by including this data on platforms with built-in encryption and file access controls.

The strategy for meeting the challenge of data protection with encryption needs to be assertive

Finally, the main reasons given by those interviewed in the survey for adopting encryption were:

  • Data is not taken seriously enough (40%);
  • Implementing an encryption policy on all data is considered very difficult (18%);
  • It’s not easy to keep track of where data is being stored (17%);
  • Internal applications have not been tested to ensure that data is protected in accordance with the policy (13%);
  • Administrators are unable to configure encryption controls correctly (12%).

Against this backdrop, we can see that we have a major challenge ahead of us. Companies cannot leave the burden of data security to IT teams alone.

Instead, they must raise awareness, implement and properly test an assertive data protection strategy with encryption.

And for these security objectives, investing in technology is essential.

When planning encryption needs, map information flows across all applications and the tables that store relevant information. Then apply data protection with encryption for storage and transmission. And don’t forget data access control either.

Finally, to further protect the organization’s data, be careful with documents or applications shared between users. They are easy to access and share, but can put confidential information at risk.

Encryption-based access controls again ensure that only authorized users can access certain data. Track and monitor data usage to ensure that access controls are effective.

Read more about data protection and privacy on our blog and find out how to apply encryption technology effectively in your company by contacting Eval’s experts.

We are available to answer your questions and help you define the best ways to protect your organization against data leakage and theft.


Communication Applications with Encryption and the Use of Data

If you’re concerned about data security and privacy, you may have heard of encryption for communication applications, even if only in a superficial way.

In addition, it is possible that your interest in the subject arose as a result of some news of a leak or theft.

This is a reality that has been growing in recent years. We are increasingly concerned about our information and technology has a direct impact on our routines.

Who would have thought, for example, that the cell phone would become so important to us? And not because of its original function of making and receiving calls, since messaging apps have practically replaced phone calls.

Do you have any idea how many messages have been received and sent in the last few hours via the main tools of this type? And how many of them replaced a phone call?

Thousands of messages every day

Brazilians send thousands of messages every day to friends, family, work colleagues and other people. In the world, an average of 55 billion messages are sent every day via WhatsApp.

Even services like WhatsApp have become strategic for businesses. Considered sales tools, messaging apps help many entrepreneurs to boost the economy.

Because of this importance, we want the messages to remain restricted to interested parties only. These are often private conversations that deal with personal and strategic matters.

Given the frequency with which we all use these tools, it is increasingly important to protect privacy and personal information.

One way of doing this is by using encryption for communication applications.

Definition of cryptography

Before looking at who adopts encryption for end-to-end communication applications, it’s worth remembering the basic concept behind secure messaging.

Security systems for communication have existed for centuries. Basically, the idea is to get a message or information to a destination without any unauthorized person being able to read it.

In practice, with the help of the internet, we send a lot of private data to other computers or servers every day.

Encryption takes your data and scrambles it, making it impossible for anyone who intercepts it to read or understand.

When it reaches the recipient, the data is decrypted back to its original form so that it can be read and understood.

Unencrypted data is called plain text and encrypted data is called cipher text.

The way a device takes data and encrypts it is called the encryption algorithm. It is used with a cryptographic key, so that only the person with the right key can decrypt it.

For example, if we wanted to encrypt the message “good morning!” and send it to someone else, we would need to use an encryption algorithm, which would encrypt it to something like “SZKKB YRIGSWZB”. That way, someone using the same technology could open it and read it.

From end to end

End-to-end encryption is asymmetric. It protects the data by ensuring that only two people can read it: the sender and the recipient.

This means that no one else can read the data, such as hackers, governments, companies or servers. Therefore, when a user sends a message to another, even if it has been intercepted, it cannot be read.

If the message passes through WhatsApp’s server, for example, it won’t be able to read it. If the service wanted to provide this data to third parties, they would not be able to do so.

This is what happens when encryption for communication applications is end-to-end. To find out more about how WhatsApp messages are encrypted, as well as the algorithms used, click here.

Encryption for communication applications is a standard

The use of encryption in communication applications has become a standard in recent years. However, it has not yet been adopted by all manufacturers.

In fact, encryption is not mandatory in all situations, but in some you definitely use it, such as when you buy items online and enter your card details.

At times like these, encryption happens without you knowing. In everyday life, you can opt for encryption for communication applications just to have the peace of mind of knowing that absolutely no one else can access your messages or calls.

End-to-end encryption means that unauthorized people won’t be able to access your data and your privacy is preserved.
Which applications to use

There are so many options on the market that it’s hard to say which is the best. Instead, we’ll list the most popular ones that use encryption for communication applications by default.

Encryption on WhatsApp

WhatsApp already has more than 1.5 billion users and integrates the encryption protocol into its conversations. This means that WhatsApp messages are end-to-end encrypted by default.

It has chat, group calls, file sharing, archiving, location sharing, broadcasting and much more.

The popularity of the app also works in your favor, as you probably won’t need to convince other people to download it.

WhatsApp is free to use and ad-free. However, it is owned by Facebook, which openly admits to collecting a lot of data about you for marketing purposes.

Encryption in Facebook Messenger

According to a BBC report, Facebook Messenger also uses encryption, but differently from WhatsApp: the message is encrypted from the sender to the server, which opens it and encrypts it again for delivery to the other end, rather than end-to-end with the Signal protocol used by WhatsApp.

But there are already plans to implement the same end-to-end encryption on Facebook Messenger as is used on WhatsApp. Ultimately, this means that your messages cannot be viewed by the social network team.

Facebook Messenger works like most other apps, with group chat and calls, file sharing, location sharing and video calls. It’s also very easy to use, with stickers, GIFs and even games.

However, the application is owned by Facebook, which means that it still contributes to the data collected about you and billions of other users.

Encryption in Telegram

Telegram was one of the first apps on the market. End-to-end encryption is not active by default: you need to make sure that secret mode is active so that no one else can access your messages.

The app has features such as group chat, sending files and photos – also encrypted only in secret mode – disappearing messages, archiving functionality and voice and video calls.

When secret mode is active, messages can also self-destruct on all devices in a chat and there is the option to self-destruct your account within a set time.

Telegram is free to use and ad-free. All data is encrypted and stored on servers, except for secret chat messages.

Encryption in iMessage and FaceTime

Apple has introduced end-to-end encryption for all your messages in iMessage, the default app on iOS devices, and all FaceTime calls and videos.

iMessage and FaceTime are available on iOS mobile devices as well as Mac computers.

Both apps cover a range of basic functionalities, such as messaging, location or file sharing and voice and video calls. iMessage messages are backed up in iCloud, but this can be disabled in your settings.

Make sure you read the data privacy policies of all the applications you use. Make sure you are comfortable with them before trusting your chosen tool.


Cryptography and Key Management – Important Concepts

The use of encryption and key management, as well as cryptographic services, is vital for protecting data at rest or on media, a reality for companies and users of services such as cloud storage, messaging and many others.

However, those responsible for these services are presented with many options for cryptographic mechanisms and consequently there are many choices to be made.

Inappropriate choices can result in little or no gain, creating a false sense of security.

Cryptography, key management and cryptographic services - Life cycle

For example, encrypting a database but keeping the cryptographic key in a plain file on the same server.

In this article we address some aspects of information security related to cryptographic keys, and show why their correct management matters for building cryptographic services.

To facilitate understanding, we will divide the article into three parts. Starting with the basics of cryptography, key management and cryptographic services.

Basic concepts of data encryption

Cryptography is a set of principles used to guarantee the security of information.

To do this, it uses techniques to transform one piece of information (the plaintext) into another (the cryptogram, or ciphertext) that is readable only by those who know the secret (the secret key).

By keeping this secret safe, we prevent unauthorized persons from gaining access to the original information, i.e. from decrypting it.

Secrecy

The security of cryptographic services is based on the secrecy of the cryptographic key, which allows encryption and decryption, and not on the method of transforming the information, i.e. the algorithm used, which must be public.

Symmetric and asymmetric keys

In cryptography and key management there are two basic types of algorithms: symmetric and asymmetric. The former use a single key to encrypt and decrypt the data, while the latter adopt a pair of keys, one for encryption and the other for decryption.

The diagram below shows the use of a symmetric key to encrypt a message. We can see that the key used by John is the same one adopted by Alice.

Cryptography, key management and cryptographic services - Symmetric and asymmetric keys.
Figure 2 – Symmetric key algorithm

The next diagram shows the use of an asymmetric key. The key used by Alice to encrypt is the public key of John, who uses his private key to decrypt.

Cryptography, key management and cryptographic services - Asymmetric key algorithm
Figure 3 – Asymmetric key algorithm

An interesting point about this type of algorithm is that after encrypting with the public key, only the private key can decrypt.

Examples of uses for these algorithms include a database that uses the AES algorithm (symmetric key) to encrypt certain information in the database and the digital signing of documents using the RSA algorithm (asymmetric key).

We would also like to point out that the secret in these two types of algorithms lies in protecting the symmetric key and the private key (in the case of asymmetric keys).

Finally, another aspect is that these algorithms are complementary and serve as the basis for programming cryptographic services.

Cryptographic summary and digital signature

In relation to cryptography and key management, a cryptographic digest is a value that represents a piece of information. It is generated by an algorithm such as SHA256, which processes the data bit by bit and produces a value that, in practice, cannot be falsified.

Cryptography, key management and cryptographic services - Cryptographic summary
Figure 4 – Cryptographic summary

However, the cryptographic digest cannot be used on its own, because although it cannot be falsified, it can be replaced.

So, to be used in practice, the cryptographic summary is encrypted with the private key (asymmetric), generating a digital signature.

This way, everyone who has the public key can generate the cryptographic summary and compare it with the one in the digital signature.

The verifier can then check whether the data is valid. These are fundamental operations in cryptography and key management.

Cryptography, key management and cryptographic services - Digital signature
Figure 5 – Digital signature

Let’s take SHA256 with RSA for example. It uses the SHA256 summarization algorithm and the RSA encryption algorithm to generate the digital signature. However, this is still not enough, as we have no way of identifying who a given public key belongs to.

This requires a new element: the digital certificate.

A digital certificate basically consists of textual information that identifies an entity (person, company or server), a public key and a purpose of use. It has a digital signature.

It is important to note that the digital certificate must be signed by a trusted third party (digital certification authority).

This introduces the concept of a trust relationship: if we trust entity A and A trusts entity B, then we also trust B.

Cryptography and key management and cryptographic services - Trust relationship
Figure 6 – Relationship of trust

This concludes the basic concepts of cryptography. In the next part, we’ll talk about the cryptographic services that can be created from them.

Cryptographic services

As part of the cryptography and key management lifecycle, basic cryptographic mechanisms such as symmetric encryption and the cryptographic digest are used to support the confidentiality, integrity, authorization and non-repudiation (irretractability) services.

Thus, one cryptographic mechanism can be used to support several services. It is also important that cryptographic services should be used together to guarantee security.

Below we will briefly describe the basic cryptographic services:

Confidentiality

This service provides data confidentiality through encryption and key management, and is fundamental to both. It ensures that the information cannot be viewed by third parties and that only authorized persons have access to it.

Examples include encrypting files, file systems and databases with symmetric keys. We also have information encrypted with the certificate’s public key, so only those who have the corresponding private key can open the information.

Integrity

The integrity service must ensure that a given piece of information is not modified in an unauthorized way after it has been created, during transmission or storage.

Whether the change is accidental or intentional, the insertion, removal or replacement of data must be detected. Cryptographic mechanisms such as cryptographic digest, also known as hash, and digital signature provide the support for this service.

Authentication

The authentication service verifies the identity of a user or system requesting authorization to access information.

The digital signature is a cryptographic mechanism generally used to support this service, as the identification of the user has already been validated before the digital certificate is issued, either by a trusted ICP-Brasil Certificate Authority or another that the organization trusts, such as an Internal Certificate Authority.

At ICP-Brasil Certifying Authorities, it is in the process of issuing the digital certificate that the person needs to attend a face-to-face validation, with original documents proving the applicant’s identity.

Non-repudiation (irretractability)

The non-repudiation service provides the means to guarantee that whoever created the information cannot deny its authenticity.

In this sense, it is linked to the digital signature, in which the owner of the private key cannot deny having used it for a particular purpose.

This concludes the description of the cryptographic services. In the next section, we present the main factors to be considered in cryptographic key management.

Authorization

Additionally, after authentication, it is possible to use the information of the authenticated user in the system to define the authorization of the information. The authorization service provides approval or permission for the execution of an activity.

As an example, the authorization service can be employed to define the permissions to use a cryptographic key that would consequently allow access to a certain piece of information.

Cryptographic key management

Cryptographic keys are the foundation of cryptography and key management, and the security of encrypted data lies in them. Breaches can lead to compromised keys and, consequently, the leakage of sensitive information.

The increased use of encryption for data protection, mainly due to government regulations, means that companies have to deal with multiple encryption solutions.

Because of the diversity of vendors, organizations also need to define various procedures for managing cryptographic keys, and these are not always adequate.

Cryptographic key management consists of storing, protecting, organizing and ensuring the proper use of cryptographic keys, managing their lifecycle and maintaining backup copies in a secure and consistent manner.

When managing keys, we must take a few points into account, which we will describe below:

Secure storage of keys

The keys should be stored securely, i.e. encrypted and with access control.

Encryption should preferably be carried out using key-encrypting keys (KEKs) protected in cryptographic hardware.
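As an added illustration (not Eval’s code), the following Python sketches the KEK pattern: a `KeyVault` object stands in for the cryptographic hardware and never hands out the KEK; applications receive only data keys (DEKs) wrapped by it, and the key’s identifier is bound into the wrap so a wrapped key cannot be relabelled as another. The cipher is a standard-library stand-in (HMAC-SHA256 in counter mode with an HMAC tag, encrypt-then-MAC); the names, the sample record and that stand-in are assumptions for the example, and production code would use AES-GCM from a vetted library or the HSM itself.

```python
# Added example, not Eval's code: envelope encryption with a key-encrypting
# key (KEK) kept inside a vault object that stands in for cryptographic
# hardware. The cipher below is a standard-library stand-in (HMAC-SHA256 as a
# PRF in counter mode plus an HMAC tag, encrypt-then-MAC); use AES-GCM from a
# vetted library or the HSM itself in production.
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || counter) blocks, concatenated."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag. `aad` is authenticated, not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag first (constant-time compare), then decrypt; raise on mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong context or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class KeyVault:
    """Stand-in for an HSM: the KEK is created here and never leaves."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)

    def new_data_key(self, key_id: str):
        """Fresh DEK for immediate use plus its wrapped form for storage. The
        key id is bound in as AAD so a wrapped DEK cannot be relabelled."""
        dek = secrets.token_bytes(32)
        return dek, seal(self._kek, dek, aad=key_id.encode())

    def unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        return open_sealed(self._kek, wrapped, aad=key_id.encode())

def encrypt_record(vault: KeyVault, key_id: str, record: bytes):
    """Application side: persist (wrapped DEK, ciphertext); the KEK never appears."""
    dek, wrapped = vault.new_data_key(key_id)
    return wrapped, seal(dek, record)

def decrypt_record(vault: KeyVault, key_id: str, wrapped: bytes, ciphertext: bytes) -> bytes:
    return open_sealed(vault.unwrap(key_id, wrapped), ciphertext)

def try_decrypt_record(vault: KeyVault, key_id: str, wrapped: bytes, ciphertext: bytes):
    """None instead of an exception, for callers that only need a yes/no."""
    try:
        return decrypt_record(vault, key_id, wrapped, ciphertext)
    except ValueError:
        return None
```

The point to notice is what each layer stores: the application database holds ciphertext plus a wrapped DEK, and a copy of that database is useless without the KEK, which exists only inside the vault. Losing the KEK, conversely, loses every record, which is why the article insists on key backups and lifecycle control.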

Identification of keys

It must be possible to identify a key, its type, its purpose, who is authorized to use it and the period of use.

User authentication and authorization

The use of cryptographic keys should only be allowed after the user has been identified.

Therefore, for proper key management, the system must provide authentication and authorization mechanisms or allow integration with existing systems, such as Microsoft’s Active Directory.

Life cycle of cryptographic keys

The lifecycle of cryptographic keys must be controlled so that they are used properly during their validity period – in other words, only authorized people or systems can use them during a predefined time and with secure mechanisms so that they are not compromised.

We will describe the life cycle of keys according to the NIST recommendation.

The life cycle of a key starts with generation and ends with destruction, passing through one or more of the states described below:

  • Generation: the key has been created but is not yet ready for use;
  • Pre-activation: the key has been generated, but is not yet ready for use because it is waiting for its period of use to begin or for a certificate to be issued;
  • Activated: the key is available for use;
  • Suspended: use of the key is temporarily suspended. In this state it can no longer perform encryption or signing operations, but it can be used for data recovery or for verifying signatures made earlier;
  • Inactivated: the key can no longer be used for encryption or digital signature, but it is kept for processing data that was encrypted or signed before inactivation;
  • Compromised: the key’s security has been affected and it can no longer be used in cryptographic operations (encryption and key management). In some cases, as with symmetric keys, it can be used to recover the encrypted data for re-encryption with another key;
  • Destroyed: the key is no longer needed. Destruction is the final stage and may follow the end of the key’s usage cycle or the compromise of its security.
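The list above reads naturally as a state machine; the following Python, an added example that is neither Eval’s code nor NIST’s text, encodes it so that a key-management service can refuse an operation the key’s state does not permit. The states and the operations each allows are taken from the list; the set of allowed transitions between states (for instance that a suspended key can be reactivated, and that destruction follows inactivation or compromise) is an assumption made for the example, as are the names.

```python
# Added example, not Eval's code: the key lifecycle above as a state machine.
# States and the operations each allows follow the list; the transitions
# between states are an assumption made for this example.
from enum import Enum

class KeyState(Enum):
    GENERATION = "generation"
    PRE_ACTIVATION = "pre-activation"
    ACTIVATED = "activated"
    SUSPENDED = "suspended"
    INACTIVATED = "inactivated"
    COMPROMISED = "compromised"
    DESTROYED = "destroyed"

# "protect" = encrypt or sign (creates new protected data);
# "process" = decrypt or verify (handles data protected earlier).
ALLOWED_OPS = {
    KeyState.GENERATION: set(),
    KeyState.PRE_ACTIVATION: set(),
    KeyState.ACTIVATED: {"protect", "process"},
    KeyState.SUSPENDED: {"process"},
    KeyState.INACTIVATED: {"process"},
    KeyState.COMPROMISED: {"process"},  # symmetric keys only, see can()
    KeyState.DESTROYED: set(),
}

# Assumed transitions: any live state may be declared compromised; destruction
# follows the end of the usage cycle (inactivation) or a compromise.
TRANSITIONS = {
    KeyState.GENERATION: {KeyState.PRE_ACTIVATION, KeyState.COMPROMISED},
    KeyState.PRE_ACTIVATION: {KeyState.ACTIVATED, KeyState.COMPROMISED},
    KeyState.ACTIVATED: {KeyState.SUSPENDED, KeyState.INACTIVATED, KeyState.COMPROMISED},
    KeyState.SUSPENDED: {KeyState.ACTIVATED, KeyState.INACTIVATED, KeyState.COMPROMISED},
    KeyState.INACTIVATED: {KeyState.COMPROMISED, KeyState.DESTROYED},
    KeyState.COMPROMISED: {KeyState.DESTROYED},
    KeyState.DESTROYED: set(),
}

class KeyLifecycleError(Exception):
    pass

class ManagedKey:
    """One key's lifecycle record: current state, audit trail, permission checks."""

    def __init__(self, key_id: str, symmetric: bool) -> None:
        self.key_id = key_id
        self.symmetric = symmetric
        self.state = KeyState.GENERATION
        self.history = [KeyState.GENERATION]  # audit trail of state changes

    def transition(self, new_state: KeyState) -> None:
        if new_state not in TRANSITIONS[self.state]:
            raise KeyLifecycleError(
                f"{self.key_id}: {self.state.value} -> {new_state.value} not allowed")
        self.state = new_state
        self.history.append(new_state)

    def can(self, op: str) -> bool:
        if op not in ("protect", "process"):
            raise ValueError(f"unknown operation {op!r}")
        # A compromised key must never protect anything new. The list allows
        # recovering old data with a compromised *symmetric* key so that it can
        # be re-encrypted under a fresh key; asymmetric keys get no such grace.
        if self.state is KeyState.COMPROMISED and not self.symmetric:
            return False
        return op in ALLOWED_OPS[self.state]

    def use(self, op: str) -> str:
        """Gate an operation on the key's state; the caller does the real crypto."""
        if not self.can(op):
            raise KeyLifecycleError(
                f"{self.key_id}: '{op}' not allowed while {self.state.value}")
        return f"{op} with {self.key_id}"

def transition_allowed(key: ManagedKey, new_state: KeyState) -> bool:
    return new_state in TRANSITIONS[key.state]

def rotate_after_compromise(old: ManagedKey, new_id: str) -> ManagedKey:
    """Typical response: mark the old key compromised and bring a new one into
    service. The caller destroys the old key once data has been re-encrypted."""
    old.transition(KeyState.COMPROMISED)
    new = ManagedKey(new_id, old.symmetric)
    new.transition(KeyState.PRE_ACTIVATION)
    new.transition(KeyState.ACTIVATED)
    return new
```

The `history` list is the audit trail the "identification of keys" point above asks for: who may use a key and when is only checkable if every state change is recorded.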

Backing up cryptographic keys

The main function of backups is to guarantee the recovery of keys and, consequently, encrypted data in the event of loss or failure.

Just like keys, which must be stored securely during use, backup copies also need to be protected.

They can be stored in encrypted files or cryptographic hardware suitable for this purpose, which should be kept in secure locations.


Data Encryption for Payment and Financial Records

Huge amounts of personal and financial data now move electronically as part of everyday life, and digital money flows through payment ecosystems that process billions of transactions every day. Hence the need to invest in data encryption for payment.

Strong encryption has become vital for our financial transactions and personal information.

Investing in Payment Data Encryption is Necessary for a Secure Online Financial System

As you may know, the online payment ecosystem is a primary target of cybercriminals. Data encryption is therefore necessary to maintain the confidentiality and integrity of interbank transactions and Internet sales platforms.

Perhaps what you don't know yet is the scale of personal data theft: illegal access to confidential information moves billions of dollars every year.

Payment infrastructure is the obvious target, but attackers also go after social networks and other sites with many users, because these store personal information that can be used for fraud and account takeover.

In many deployments, the card details a consumer enters to make a purchase leave the merchant's terminal in clear text and stay that way across the merchant's network; they are only encrypted once they reach a gateway on the processing platform.

This security model puts the cardholder's data at risk: anywhere along that path it can be captured by malware on the merchant's point-of-sale systems or network. It also puts the entire payments ecosystem at risk.

In a successful data breach, merchants face financial and reputational repercussions with consumers and the market itself.

Encrypting financial records and card data, normally with symmetric ciphers for speed, is therefore one of the main resources for a secure online system, especially when it is applied end to end in the payment flow, from the point of capture to the processor, and to any transfer of personal or confidential data.

Recently there was a huge data leak, in which data from approximately 800 million email accounts was stolen. If you want to check whether your e-mail data has also been stolen, check at: https://haveibeenpwned.com.

Security can be improved through Data Encryption, but it needs to be a priority

Technological solutions are key to protecting the payment system. However, industry collaboration is also an integral component in the collective fight against cybercrime.

Organizations need to prioritize security for several reasons:

  • The ease of buying and using services on the Internet has generated a great deal of transaction traffic, mainly consisting of personal and payment data;

  • Payment data stored in the cloud is still frequently left unencrypted;

  • The considerable increase in mobile applications developed and deployed in the cloud has created business opportunities, but many organizations are still learning about the need to protect devices from security vulnerabilities;

  • Many organizations still establish partnerships with service providers without investing in security policies and processes to protect users and their personal and payment data.

The result of this scenario is a huge increase in security incidents and data theft, resulting in financial, regulatory, legal, operational and brand compromise implications.

Data Encryption for Payment: the solution is available to everyone

Despite the risk of cyberattacks and data theft, the solution is available to every company in the financial sector.

Companies need to become proactive in reducing security threats while accelerating their journey towards digital transformation. They therefore need to adopt flexible, scalable and dynamic platforms to manage the products and services available on the Internet.

Decision-makers – not just IT professionals, but especially executives – also need to understand and commit to shared responsibility for information security.

Encryption of financial records can help secure payment processes

Tokenization and data encryption for payment are two strong, complementary security technologies that limit the attacks and data theft taking place in the digital market today.

Tokenization replaces sensitive information, such as a credit card number, with a meaningless random value, a "token", that can be stored in merchant databases. The token usually keeps the same format (same length, digits only, often the same last four digits) so that it remains compatible with existing card processing systems, but it has no mathematical relationship to the card number: the only link is a lookup table held in a protected token vault.

Data encryption for payment goes further, keeping the card data out of the merchant's commercial systems altogether: the transaction is encrypted for the whole chain from the terminal to the processor or bank.

So when a customer enters payment details online, or an employee swipes a card at a terminal, the data is encrypted at the point of capture and can be decrypted only by the party that holds the key, which the merchant does not.

Tokenization and encryption of payment data are valuable tools for protecting sensitive card transaction data. These are solutions that, when implemented efficiently, can provide the highest level of confidentiality in financial transactions and the sending of personal information.
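The tokenization scheme just described, written out as an added example (this is not code from Eval's page or from any payment product): a minimal token vault in Python. The PAN is the well-known 4111 1111 1111 1111 test number, the vault is an in-memory dictionary standing in for an HSM-backed service, and the class, function and key names are assumptions made for the example.

```python
"""Card-number tokenization with a token vault (added example; not Eval's code).

A token replaces the PAN everywhere in the merchant's systems. It keeps the
PAN's length, digits-only format and last four digits so that existing
processing code and receipts keep working, but it is random: nothing about
the real number can be derived from it. The only mapping token -> PAN lives
in the vault, which in production is a hardened, HSM-backed service; here an
in-memory dictionary stands in for it (assumption for the example).
"""
import hashlib
import hmac
import secrets


def luhn_ok(number: str) -> bool:
    """Luhn check digit (ISO/IEC 7812), used to reject malformed input early."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def well_formed(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)


class TokenVault:
    def __init__(self, index_key: bytes):
        self._pan_by_token = {}   # token -> PAN: the only place the PAN is stored
        self._token_by_fp = {}    # HMAC(PAN) -> token, so a card always maps to one token
        self._index_key = index_key

    def _fingerprint(self, pan: str) -> str:
        # keyed hash: whoever steals this index cannot enumerate the ~10^15
        # possible PANs offline without the key, as they could with plain SHA-256
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not well_formed(pan):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:
            return self._token_by_fp[fp]
        while True:
            # random body, format preserved, last four digits kept for receipts and support
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # never hand back the PAN itself and never reuse a token
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        # only the vault service, never merchant code, is allowed to call this
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    pan = "4111111111111111"   # well-known test number, not a real card
    token = vault.tokenize(pan)
    print(pan, "->", token, "->", vault.detokenize(token))
```

Two design points matter here: the token is random rather than a hash of the PAN, because a hash of a 16-digit number is trivially reversed by enumeration; and the index that gives a returning card the same token is keyed with HMAC for the same reason.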

Want to know more about encryption and data protection? Follow our LinkedIn page and keep up with us here on the blog.



Key Management with Cryptography, how to protect data?

In recent years, suppliers in the data storage market have started to pay more attention to the use of the Key Management Interoperability Protocol (KMIP) in their solutions for integration with encryption key managers.

There are two main reasons for this: the need to comply with data protection regulations, and the benefits that Enterprise Key Management (EKM) solutions bring to companies.

Find out what these benefits are in this article.

Application of good practices in information security

The definition of what is adequate or sufficient to meet regulatory demands about protecting data varies greatly between companies.

Many storage solutions offer built-in encryption with their own key management. Depending on the context, this may be enough.

However, this model can weaken data security: the key that protects the data is embedded in the very storage solution that holds the data, so whoever controls, or compromises, that system controls the key as well.

In addition, it is common to find environments with several storage providers, each implementing its own key management model alongside its encryption.

This multiplies procedures, invites human error, and puts data availability at risk if a key is lost or an encryption operation fails.

The use of an external key management solution provides adequate segregation of roles. It also offers a standardized model for all encryption processes.

In addition, these solutions are usually independently certified for their implementations of cryptographic algorithms. This prevents, for example, the use of algorithms or key sizes that are considered weak.

OWASP's cryptography guidance, for instance, advises against the MD5, SHA-0 and SHA-1 hash functions and the DES symmetric cipher.

Key management solutions can also be paired with hardware built to protect keys at a high assurance level, such as Hardware Security Modules (HSMs), under an Enterprise Key Management (EKM) system. Protection is thus centralized for all of the organization's data storage systems.

Efficient Key Management with Cryptography

Typically, solutions that merely offer encryption capabilities do not manage the lifecycle of a key. They ignore, for example, validity periods, activation, deactivation, rotation that keeps data already encrypted under the previous key readable, and destruction.

Using the same encryption key for a long time is inappropriate: the longer a key is in use, the more data it protects, and the greater the exposure if it leaks. Rotation limits that blast radius.

A management solution not only provides the necessary requirements for the entire key lifecycle. After all, it also presents these features in a user-friendly interface, from a centralized console.

It can also define access profiles by integrating with a Lightweight Directory Access Protocol (LDAP) directory.

Flexibility of Implementation and Key Management with Cryptography

The decision to keep applications on your own infrastructure or migrate to an external data center depends on several factors.

If key management is coupled to the storage system, the decision to keep it in-house or migrate to the cloud must take this into account: the keys move with the system, and with them the question of who can reach them.

Ability to generate audit reports during key management with encryption

One of the main benefits of an external key management solution is its ability to produce strong audit reports.

An audit needs trustworthy records of every access to a key: who accessed it, when, which operation was requested, and whether it succeeded or failed.

In addition, alert mechanisms can notify staff if problems arise with the key management equipment or with other devices that communicate with the manager.

Proving to an external compliance auditor that the keys are safe, secure and under strong access controls is much harder with native storage encryption, especially when there is more than one solution, because every system then has to be audited individually.

Segregation of profiles

External key management systems can define permissions for the administrators and users who will use the keys.

A common example is allowing an administrator to create a key without being able to use it to encrypt or decrypt, with the permissions derived from LDAP or Active Directory (AD) user attributes.

Normally, the systems’ own cryptography does not have this level of granularity in the administrative functions. As a result, the storage administrator is also responsible for the key.
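The requirements collected in the last few sections (an approved-algorithm list, the key lifecycle with the compromised and destroyed states described at the top of this page, rotation that keeps existing ciphertext readable, role separation between key administrators and key users, and an audit record of who did what, when, and whether it was allowed) are put together in the added example below. It is not code from Eval or from any key-management product; the role names, principals, key ids and the HMAC-based toy cipher are assumptions made for the example, and that cipher stands in for AES-256-GCM only so that nothing outside the Python standard library is needed.

```python
"""Minimal external key manager (added example; not Eval's or any vendor's code).

Demonstrates an algorithm allowlist, the key lifecycle (active, deactivated,
compromised, destroyed), rotation that keeps old ciphertexts readable via a
key id, role separation (key administrators cannot use keys) and an audit
trail of who requested which operation, on which key, when, and the outcome.
TOY CIPHER: HMAC-SHA256 in counter mode as an unauthenticated keystream XOR,
standing in for AES-256-GCM so that only the standard library is needed.
"""
import hashlib
import hmac
import secrets
import time
from enum import Enum

ALLOWED_ALGORITHMS = {"AES-256-GCM": 32}   # name -> key bytes; DES, RC4 etc. simply absent


class State(Enum):
    ACTIVE = "active"
    DEACTIVATED = "deactivated"
    COMPROMISED = "compromised"
    DESTROYED = "destroyed"


# what a key may still do in each state: deactivated/compromised keys only
# decrypt, so existing data can be re-encrypted under a fresh key
ALLOWED_OPS = {State.ACTIVE: {"encrypt", "decrypt"}, State.DEACTIVATED: {"decrypt"},
               State.COMPROMISED: {"decrypt"}, State.DESTROYED: set()}
# role -> operations; no role may both administer keys and use them
ROLE_OPS = {"key_admin": {"create", "rotate", "set_state"}, "app": {"encrypt", "decrypt"}}


class KeyManager:
    def __init__(self):
        self._keys = {}   # key_id -> {"name", "algorithm", "material", "state"}
        self.audit = []   # (unix_time, principal, operation, key_id, allowed)

    def _authorize(self, principal, role, op, key_id):
        allowed = op in ROLE_OPS.get(role, set())
        if allowed and op in ("encrypt", "decrypt"):
            key = self._keys.get(key_id)
            allowed = key is not None and op in ALLOWED_OPS[key["state"]]
        self.audit.append((time.time(), principal, op, key_id, allowed))
        if not allowed:
            raise PermissionError(f"{principal} ({role}) may not {op} {key_id}")

    def create(self, principal, role, name, algorithm):
        self._authorize(principal, role, "create", name)
        if algorithm not in ALLOWED_ALGORITHMS:
            raise ValueError(f"{algorithm} is not an approved algorithm")
        version = 1 + sum(1 for k in self._keys.values() if k["name"] == name)
        key_id = f"{name}/v{version}"
        self._keys[key_id] = {"name": name, "algorithm": algorithm, "state": State.ACTIVE,
                              "material": secrets.token_bytes(ALLOWED_ALGORITHMS[algorithm])}
        return key_id

    def rotate(self, principal, role, key_id):
        # the new version becomes active; the old one may still decrypt what it protected
        self._authorize(principal, role, "rotate", key_id)
        old = self._keys[key_id]
        new_id = self.create(principal, role, old["name"], old["algorithm"])
        old["state"] = State.DEACTIVATED
        return new_id

    def set_state(self, principal, role, key_id, state):
        self._authorize(principal, role, "set_state", key_id)
        if state is State.DESTROYED:
            self._keys[key_id]["material"] = None   # destroyed: material gone for good
        self._keys[key_id]["state"] = state

    @staticmethod
    def _xor_keystream(material, nonce, data):
        out, counter = bytearray(), 0
        while len(out) < len(data):
            out += hmac.new(material, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, out))

    def encrypt(self, principal, role, key_id, plaintext):
        # returns (key_id, nonce || ciphertext): the id tells a later reader which version to ask for
        self._authorize(principal, role, "encrypt", key_id)
        nonce = secrets.token_bytes(16)
        return key_id, nonce + self._xor_keystream(self._keys[key_id]["material"], nonce, plaintext)

    def decrypt(self, principal, role, key_id, blob):
        self._authorize(principal, role, "decrypt", key_id)
        return self._xor_keystream(self._keys[key_id]["material"], blob[:16], blob[16:])


def denied(fn, *args):
    """True if the manager refused the call on policy or algorithm grounds."""
    try:
        fn(*args)
        return False
    except (PermissionError, ValueError):
        return True


if __name__ == "__main__":
    km = KeyManager()
    k1 = km.create("alice", "key_admin", "customer-db", "AES-256-GCM")
    kid, blob = km.encrypt("billing-svc", "app", k1, b"4111111111111111")
    k2 = km.rotate("alice", "key_admin", k1)             # k1 deactivated, k2 active
    print(km.decrypt("billing-svc", "app", kid, blob))   # old record still readable
    print(denied(km.encrypt, "billing-svc", "app", k1, b"x"), denied(km.encrypt, "alice", "key_admin", k2, b"x"))
    print(*km.audit, sep="\n")
```

Note what the audit trail captures without extra work: every refused call is recorded with the principal and role that attempted it, which is exactly what an auditor asks for and what native storage encryption usually cannot show.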

Variety of systems where sensitive data can be stored

CRMs, file systems, virtual machines, structured and unstructured databases: any of these may hold information that needs encryption to avoid exposure in the event of a security breach.

A key manager that integrates through open protocols such as KMIP provides the resources needed to serve this wide range of environments.

There are at least four layers at which the data to be protected can be addressed: file system, operating system, database and application memory.

The effort to implement encryption grows in roughly that order, and so does the complexity, given the variety of environments and systems in the end-to-end flow of the data to be protected.

As you may have realized, native encryption is not necessarily the best way to protect data. If you still have questions about this, leave them in the comments. We’ll be happy to answer your questions.



Encryption Software: Benefits and Challenges

The use of encryption software is one of the most effective methods of providing data security, especially for protecting data in transit between networks end to end.

Companies and individuals also use encryption to protect confidential data stored on computers, servers and devices such as phones or tablets.

If you still have doubts about the efficient use of encryption software when carrying out different transactions over the Internet, take advantage of this article to clarify all the points.

Encryption software is widely used on the Internet to protect users

The everyday case is protecting the data that users hand to websites and applications: passwords, payment information and other personal data that must be treated as private and sensitive.

How encryption works

The data, usually made up of plain text, is encrypted using an algorithm and an encryption key. This process generates a ciphertext that can only be viewed in its original form if it is deciphered with the correct key.

Decryption is simply the reverse process of encryption, following the same steps but reversing the order of operations. Encryption software basically falls into two categories: symmetric and asymmetric.

  • Symmetric Cryptography

Also known as secret-key encryption, it uses a single key, the shared secret: the system that encrypts must share that key with every entity that is meant to decrypt the data.

Symmetric key encryption is generally much faster than asymmetric encryption, but the sender must exchange the key used to encrypt the data with the recipient before they can perform decryption on the ciphertext.

  • Asymmetric encryption

Known as public-key cryptography, it uses a pair of different keys, the public key and the private key. The public key can be shared with everyone, while the private key must be kept secret; data encrypted with the public key can be decrypted only with the matching private key, so no shared secret needs to be exchanged in advance.

The benefits of using encryption software

The main purpose of cryptography is to protect the confidentiality of digital data stored on computer systems, transmitted over the Internet or any other computer network.

Many companies and organizations recommend or require that confidential data be encrypted to prevent unauthorized persons from gaining access.

In practice, the best-known example is the data security standard of the payment card sector (PCI DSS), which requires cardholder data to be encrypted whenever it is transmitted over open, public networks.

Encryption algorithms play a key role in the security of IT systems and communications: they provide not only confidentiality but also the other properties considered essential to data security, namely integrity (detecting modification), authentication (verifying origin) and non-repudiation.

Many Internet protocols define mechanisms for encrypting data that moves from one system to another – this is known as data in transit.


Cryptography being used in communication applications

Some applications use end-to-end encryption (E2EE) to ensure that data passing between two parties cannot be viewed by an attacker capable of intercepting the communication channel.

An encrypted channel such as Transport Layer Security (TLS) between the web client and the web server is not always sufficient: it protects the data only on that hop, and the server (or anyone who compromises it) can read the data once the TLS session terminates there.

With E2EE the content is encrypted by the application on the sender's device before it is handed to the transport, and decrypted only by the recipient's application, so no intermediary, including the service operator, sees the plaintext.

Messaging applications that provide E2EE include Facebook’s WhatsApp and Open Whisper Systems’ Signal. Facebook Messenger users can also receive E2EE messages with the “Secret conversations” option.

Current cryptographic challenges

For any encryption key, the most basic attack is brute force: the attacker tries every possible key until the right one is found.

The key length determines the number of possible keys and hence the feasibility of this attack. Two elements show how strong the encryption is: the algorithm used and the size of the key.

Every extra bit of key length doubles the number of keys to try, so the resources needed to break the key grow exponentially with its size.

Attackers also try to break a target through cryptanalysis, that is, by finding some weakness in the algorithm, its mode of operation or its implementation that can be exploited with less effort than brute force.

Recently, security agencies (such as the FBI) have criticized technology companies that offer end-to-end encryption, claiming that it prevents law enforcement from accessing data and communications even with a warrant.

The US Department of Justice has publicized the need for “responsible encryption”. That is, it can be released by technology companies under a court order.

Next steps

Key management is one of the biggest challenges in any strategy for using encryption software. The keys that decrypt the ciphertext have to be stored somewhere in the environment, and attackers usually have a good idea of where to look.

A common shortcut, when an application needs to access encrypted data, is to place the keys in the database itself, for example in stored procedures or configuration tables next to the data they protect. Anyone who can read the database can then read the keys, and the protection is inadequate.

The next step in improving the use of cryptography is an information security plan that defines more reliable key storage structures, since key storage is one of the weakest links in corporate cryptography.

Security policies and methods should follow best practices in order to reduce the chances that cryptographic keys are stolen or misused, which would nullify the protection the encryption software provides.

Now you know a little more about encryption software. Always keep up to date, subscribe to our newsletter and stay on top of Eval news and technologies. Keep following our content on the blog and also on our Linkedin profile.
