Categories
Data Protection

Key Management with Cryptography, how to protect data?

In recent years, suppliers in the data storage market have started to pay more attention to the use of the Key Management Interoperability Protocol (KMIP) in their solutions for integration with encryption key managers.

There are two main reasons for this. The first is the need to comply with data protection regulations.

The second is the benefits that Enterprise Key Management (EKM) solutions bring to companies.

Find out what these benefits are in this article.

Application of good practices in information security

The definition of what is adequate or sufficient to meet regulatory demands about protecting data varies greatly between companies.

Many solutions offer internal support for key management with encryption. Depending on the context, this may be enough.

However, adopting this model could compromise data security. After all, the encryption key responsible for protecting the data is embedded in the storage solution itself.

In addition, it is common to find scenarios with different storage solution providers, each implementing its own key management model.

This can lead to human error and compromise data availability in the event of an unsuccessful encryption operation.

The use of an external key management solution provides adequate segregation of roles. It also offers a standardized model for all encryption processes.

In addition, these solutions usually offer international certifications for the implementation of encryption algorithms. This prevents, for example, the use of algorithms or key sizes that are considered weak.

The OWASP website has a very interesting cryptography guide, which recommends against using the MD5, SHA-0 and SHA-1 hash algorithms and the DES symmetric encryption algorithm.

In addition, key management solutions with encryption can be coupled with equipment designed to provide protection with a high level of security.

Examples are Hardware Security Modules (HSMs) and Enterprise Key Management (EKM). Protection is thus centralized for all the organization’s data storage systems.

Efficient Key Management with Cryptography

Typically, solutions that offer encryption capabilities don’t worry about the lifecycle of a key. They ignore, for example, validity, activation, deactivation, exchange that preserves processes already encrypted, and destruction.

Using the same encryption key for a long time is inappropriate. After all, this compromises security in the event of a data leak.

A management solution not only covers the requirements of the entire key lifecycle, it also presents these features in a user-friendly interface, from a centralized console.

It even defines access profiles based on integration with a Lightweight Directory Access Protocol (LDAP) database.

Flexibility of Implementation and Key Management with Cryptography

The decision to keep applications on your own infrastructure or migrate to an external data center depends on several factors.

If the key management solution with encryption is coupled with the storage system, the decision to keep it in-house or migrate to the cloud must take this into account.

 

Ability to generate audit reports during key management with encryption

Audit reports must offer highly trustworthy information about access to keys. They should detail who accessed a key, the time of the event and the success or failure of the operation.

In addition, alert mechanisms can notify staff if problems arise with the key management equipment or other devices that communicate with the manager.

One of the main benefits of an external key management solution is its ability to enhance audit reports.

Trying to prove to an external compliance auditor that the keys are safe, secure and have strong access controls would be much more difficult with native storage, especially if there is more than one solution. This will also require all systems to be audited individually.

Segregation of profiles

External key management systems can define permissions for the administrators and users who will use the keys.

A common example of this is using LDAP or Active Directory (AD) user attributes to allow an administrator to create a key but not to use it to encrypt or decrypt.

Normally, the systems’ own cryptography does not have this level of granularity in the administrative functions. As a result, the storage administrator is also responsible for the key.
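The key lifecycle, the audit record (who, when, success or failure) and the separation between creating a key and using it can be seen together in a small policy model. This is an added example, not Eval's or any product's code; the group names, the 90-day validity period and the simplified four-state lifecycle are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class State(Enum):
    PRE_ACTIVE = "pre-active"
    ACTIVE = "active"
    DEACTIVATED = "deactivated"
    DESTROYED = "destroyed"


# Uses permitted per lifecycle state. A deactivated key may still decrypt,
# so data encrypted before a key exchange stays readable.
USE_BY_STATE = {State.PRE_ACTIVE: set(), State.ACTIVE: {"encrypt", "decrypt"},
                State.DEACTIVATED: {"decrypt"}, State.DESTROYED: set()}
# Lifecycle operations: required current state -> resulting state.
TRANSITIONS = {"activate": (State.PRE_ACTIVE, State.ACTIVE),
               "deactivate": (State.ACTIVE, State.DEACTIVATED),
               "destroy": (State.DEACTIVATED, State.DESTROYED)}
# Hypothetical directory groups (e.g. LDAP/AD membership) and their rights:
# administrators manage keys but cannot use them, applications only use them.
RIGHTS_BY_GROUP = {"key-admins": {"create", "activate", "deactivate", "destroy"},
                   "app-users": {"encrypt", "decrypt"}}
VALIDITY = timedelta(days=90)  # assumed validity period for new keys


@dataclass
class ManagedKey:
    state: State
    not_after: datetime


@dataclass
class KeyManager:
    keys: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def request(self, user, groups, op, key_id, now):
        """Decide one request and audit it, whether it succeeds or fails."""
        ok, reason = self._decide(groups, op, key_id, now)
        self.audit.append({"time": now.isoformat(), "user": user, "operation": op,
                           "key": key_id, "success": ok, "reason": reason})
        return ok

    def _decide(self, groups, op, key_id, now):
        rights = set()
        for group in groups:
            rights |= RIGHTS_BY_GROUP.get(group, set())
        if op not in rights:
            return False, "operation not permitted for this profile"
        if op == "create":
            if key_id in self.keys:
                return False, "key already exists"
            self.keys[key_id] = ManagedKey(State.PRE_ACTIVE, now + VALIDITY)
            return True, "created"
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key"
        if op in TRANSITIONS:
            required, result = TRANSITIONS[op]
            if key.state is not required:
                return False, f"key is {key.state.value}"
            key.state = result
            return True, f"key is now {result.value}"
        if op not in USE_BY_STATE[key.state]:
            return False, f"key is {key.state.value}"
        if op == "encrypt" and now > key.not_after:
            return False, "validity period expired"
        return True, "allowed"


def demo():
    """Constructed scenario: one key from creation to destruction."""
    km, admin, app = KeyManager(), ["key-admins"], ["app-users"]
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    results = [
        km.request("alice", admin, "create", "k1", t0),
        km.request("alice", admin, "activate", "k1", t0),
        km.request("alice", admin, "encrypt", "k1", t0),  # creator cannot use
        km.request("billing", app, "encrypt", "k1", t0),
        km.request("billing", app, "encrypt", "k1", t0 + 91 * day),  # expired
        km.request("alice", admin, "deactivate", "k1", t0 + 91 * day),
        km.request("billing", app, "decrypt", "k1", t0 + 92 * day),  # old data
        km.request("alice", admin, "destroy", "k1", t0 + 400 * day),
        km.request("billing", app, "decrypt", "k1", t0 + 401 * day),
    ]
    return results, km.audit
```

Denied requests are written to the audit list as well, which is what lets a report show failed attempts and not only successful use.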

Variety of systems where sensitive data can be stored

From CRMs, file systems and virtual machines to structured or unstructured databases, any of these systems may hold information that needs encryption to avoid exposure in the event of a security breach.

Encrypted key management, with the ability to integrate with open protocols, provides the necessary resources to meet the needs of a wide range of environments.

There are at least four perspectives that can be addressed regarding the location of the data to be protected: file system, operating system, database and memory.

The effort to implement encryption increases in this order, and so does the complexity, given the variety of environments and systems in the end-to-end flow of the data to be protected.

As you may have realized, native encryption is not necessarily the best way to protect data.

About Eval

Eval has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With recognized value by the market, Eval’s solutions and services meet the highest regulatory standards for public and private organizations, such as SBIS, ITI, PCI DSS, and the General Law of Data Protection (LGPD). In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


Is Proper Key Management Really a Challenge?

Data protection leads companies to implement various encryption solutions. In this sense, one aspect that cannot be overlooked is the need for proper key management.

This is mainly due to the widespread use of encryption as a result of governance and compliance requirements. This shows that we have made progress in terms of data protection, but exposes the major challenge of key management.

After all, it’s common to manage keys in Excel spreadsheets, which can bring a great risk to organizations, since losing control or even losing cryptographic keys can cause the company to lose its data.

Key Challenges of Proper Key Management

Management is vital for the effective use of encryption. The loss or corruption of keys can lead to loss of access to systems and render them completely unusable.

Proper key management is a challenge that increases with the size and complexity of your environment. The larger your user base, the more difficult it will be to manage efficiently.

Some of the biggest challenges involve:

User training and acceptance

Users don’t like change. Although user acceptance is not really part of the key management process, a lack of it can be a major impediment to the success of a project.

Therefore, it is necessary to map the impact of adopting and using cryptography in your production cycle and the difficulties in recovering or resetting keys or passwords.

Listen to user feedback and develop appropriate training to address their specific concerns or difficulties. Develop system benchmarks to check performance before and after the product is implemented.

In other words, manage user expectations.

System administration, key maintenance and recovery

These problems can have a major impact on the organization and should be addressed with the supplier before the product is purchased. On an enterprise scale, manual key management simply isn’t feasible.

Ideally, management should integrate with the existing infrastructure, while providing easy administration, delivery and recovery of secure keys.

Recovery is a fundamental process, especially in situations such as an employee leaving the organization without a proper return or when a key is damaged and can no longer be used. It should also be a simple but very safe process.

In proper key management, the generation procedure should be restricted to one person. In practice, we have, for example, a product process that allows a recovery key to be split into several parts.

From there, the individual parts of the recovery key can be distributed to different security agents. Owners must be present when it is used. This process is simple, but secure, because it requires several parties to recreate the key.
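A split in which every part must be present can be built so that each part on its own is random data. The sketch below is an added example, not the product process mentioned above: it uses an XOR split that needs all parts, and a SHA-256 check value (an assumption of this example, as is the label constant) so that a wrong or missing part is rejected instead of silently producing a different key.

```python
import hashlib
import hmac
import secrets

CHECK_LABEL = b"recovery-key-check-v1"  # hypothetical domain-separation label


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _check_value(key):
    # Safe to store beside the parts only because the key is random and
    # long (e.g. 256 bits); never do this for a password-derived key.
    return hashlib.sha256(CHECK_LABEL + key).hexdigest()


def split_key(key, parts):
    """Split `key` into `parts` shares; every share is needed to rebuild it."""
    if parts < 2:
        raise ValueError("a split needs at least two holders")
    # All shares but the last are fresh random bytes of the key's length.
    shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    # The last share is the key XORed with all the random shares.
    last = key
    for share in shares:
        last = _xor(last, share)
    return shares + [last], _check_value(key)


def recover_key(shares, check):
    """Combine all shares and refuse the result if it fails the check."""
    if not shares or len({len(s) for s in shares}) != 1:
        raise ValueError("shares are missing or differ in length")
    key = bytes(len(shares[0]))
    for share in shares:
        key = _xor(key, share)
    if not hmac.compare_digest(_check_value(key), check):
        raise ValueError("shares do not reproduce the recovery key")
    return key
```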

What’s more, forgotten passwords can have an additional impact on the support team. The process must therefore not only be simple, but also flexible. Remote and off-network employees need to be considered as well as internal ones. In this case, remote key recovery is an indispensable feature.

Best practices for proper key management

When dealing with key management problems, who can organizations turn to for help?

The specifics of proper key management are largely dealt with by cryptographic software, where standards and best practices are well established.

In addition, bodies such as the National Institute of Standards and Technology (NIST) and the Brazilian Public Key Infrastructure (ICP-Brasil) develop standards for government agencies that can be applied in any business community. This is usually a good starting point when discussing encryption products with your suppliers.

In the meantime, here are some industry best practices to get you started:

  • The usability and scalability of proper corporate key management should be the main focus of product analysis. The ability to leverage existing assets must play an important role in decision-making. Integration with an authentication environment will reduce costs and eliminate the need for redundant systems;

  • Two-factor authentication is a necessary security measure for financial organizations. Due to the increased processing power and capabilities of today’s computers, the strength of passwords alone is no longer enough.

Control and training

Management means protecting encryption keys from loss, corruption and unauthorized access. Therefore, at the end of the procedures and techniques applied to the management process, it is necessary to guarantee:

  • That the keys are kept securely;

  • That they undergo regular change procedures;

  • That management includes who the keys are assigned to.

Once the existing keys have been controlled, the policies and processes for provisioning, monitoring, auditing and termination need to be rigorously applied. For this reason, the use of automated tools can greatly ease the burden of responsibility.

Finally, information security professionals, infrastructure professionals, database professionals, developers and other professionals who need to use encryption keys should be trained, as a lack of awareness of the risks of protection failures is one of the main factors in problems.

If there is no control over access, there will be no security.


Data Loss Prevention: What You Need to Know

Data loss prevention is defined as the strategy used to guarantee information security so that digital and corporate users don’t send confidential or critical information outside a corporate network or even a home network.

The term also defines software that helps a network administrator control what data end users can transfer.

With the recent approval of the General Personal Data Protection Law (LGPD), the Brazilian legislation that determines how the data of Brazilian citizens can be collected and processed, concern about the issue of data loss prevention will be even more prominent.

In this post, we’ve compiled the main information you need to clear up your doubts on the subject and take the next steps in protecting your company’s data.

Preventing data loss will have an impact on purchasing decisions

In the midst of the Digital Transformation era, where data and information have come to play a fundamental role in the purchasing process, preventing data loss has become a priority in protecting customers and the image of companies.

In this way, all it takes is a virtual attack or a security breach to result in data theft. This directly affects the credibility of the organization affected and the purchasing decisions of its customers.

Data loss prevention doesn’t just apply to large companies; it’s strategic for any business, whatever its size or segment of activity. Being subject to cyber-attacks, hijackings and data theft has completely changed organizations’ view of information security. That’s why data protection has become part of any company’s business model.

Investment in Technology is Fundamental

Software products developed for data protection use business rules and policies to classify and protect confidential and critical information. They aim to prevent unauthorized end users from accidentally or otherwise sharing data that could pose a risk to the organization.

In practice, for example, if an employee tried to forward a business email outside the corporate domain or upload a file considered strategic to a cloud storage service such as Dropbox, Drive and so on, they would be denied permission.
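The email rule in that scenario, written out as an added example (not a DLP product's code): a message is denied only when it both leaves the corporate domain and contains data that validates as sensitive. The corporate domain `example.com` and the choice of payment card and CPF numbers as the confidential data classes are assumptions of this sketch.

```python
import re

CORPORATE_DOMAIN = "example.com"  # assumed corporate mail domain

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")         # 13-19 digits
CPF_RE = re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b")  # 11 digits


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def cpf_valid(digits):
    """Verify both CPF check digits (weighted sums modulo 11)."""
    if len(digits) != 11 or digits == digits[0] * 11:
        return False  # repeated-digit strings pass the arithmetic
    for n in (9, 10):
        total = sum(int(digits[i]) * (n + 1 - i) for i in range(n))
        if (total * 10) % 11 % 10 != int(digits[n]):
            return False
    return True


def classify(text):
    """Return masked findings so the DLP log does not repeat the data."""
    findings = []
    for kind, pattern, valid in (("card", CARD_RE, luhn_valid),
                                 ("cpf", CPF_RE, cpf_valid)):
        for match in pattern.finditer(text):
            digits = re.sub(r"\D", "", match.group())
            if valid(digits):  # checksum cuts false positives from IDs
                findings.append((kind, "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def is_external(address):
    domain = address.rsplit("@", 1)[-1].lower()
    return not (domain == CORPORATE_DOMAIN
                or domain.endswith("." + CORPORATE_DOMAIN))


def check_outbound(recipients, body):
    """Deny only when sensitive content is leaving the corporate domain."""
    external = sorted(r for r in recipients if is_external(r))
    findings = classify(body)
    action = "deny" if external and findings else "allow"
    return {"action": action, "external": external, "findings": findings}


# Constructed messages; the numbers are well-known test values, not real data.
LEAK = "Customer card 4111 1111 1111 1111, CPF 529.982.247-25, please process."
NOISE = "Ticket 4111 1111 1111 1112 and reference 123.456.789-00 are closed."
```

Validating the checksums before flagging keeps ticket and order numbers from triggering the rule, which matters because a DLP filter that blocks too often gets switched off.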

The adoption of data protection is happening as a result of insider threats and stricter privacy laws. As well as being able to monitor and control activities, data protection tools can use filters to control the flow of information on the corporate network and protect data that is still in motion.

Data protection is a shared responsibility

Data loss can happen for different reasons. Some companies may be more concerned about vulnerabilities and external attacks, while others worry mainly about human error.

To give you an idea, data loss can occur during a standard IT procedure such as a migration. It can also happen after attacks by ransomware or other malware. What’s more, these threats can be triggered by a simple email.

The impact of data loss can also vary according to the segment or size of the organization. In addition to impacting internal information, losing data puts a company’s legal position at risk in the face of compliance laws.

However, the burden and the challenge cannot be left to managers and IT teams alone. After all, the responsibility for preventing data loss needs to be shared by everyone.

In many cases, it is the employees themselves who accidentally send information that is considered sensitive. In addition, sometimes they also perform an operation that opens the door to a virtual attack.

Therefore, more than just implementing a data loss prevention program, we need to raise awareness. And to do this, the team responsible for information security needs to provide training for executives and end users on the benefits of data protection for the company, its own employees and customers.

The challenge of data protection

Common unintentional causes of data loss include hardware malfunctions, corrupted software, human error and natural disasters.

Data can also be lost during migrations and during power outages or incorrect system shutdowns. This shows us just how big a challenge data loss prevention has become.

 
Hardware malfunction

This is the most common cause of data loss in companies. All it takes is for a hard disk to crash due to overheating, mechanical problems or simply time.

Preventive hard disk maintenance helps to avoid data loss. It also enables IT teams to replace the unit in situations of risk.

Corrupted software

Another common problem in the data loss prevention challenge is corrupted software. This situation can occur when systems are switched off incorrectly. Such shutdowns can usually be attributed to power outages or human error. That’s why it’s essential that the infrastructure team is prepared for incidents and ensures that systems are shut down properly.

Natural disasters

Natural disasters are related to all the items described above: they can cause both hardware damage and system corruption. A disaster recovery plan and frequent backups are the best strategies to avoid this type of data loss.

In addition to these examples, computer viruses and virtual attacks are potential factors for data loss. And they also cause great damage to organizations and their customers.

The direct impact on the business

As you can see, in addition to the challenge, preventing data loss can be an expensive process, requiring the purchase of software and hardware solutions, as well as backup and data protection services.

However, although the costs of these services can be high, the investment in complete data loss prevention is usually worth it in the medium and long term. Especially when compared to the impacts of a lack of protection.

In the event of major data loss, business continuity and processes are severely affected. Company time and financial resources often have to be diverted to resolving incidents and recovering lost information, so that other business functions can be restored.

Next steps

With the convergence of businesses towards the digital economy, worrying about information security and preventing data loss has become essential.

Not only will companies’ participation in this period of digital transformation be compromised, but any kind of initiative aimed at future growth will be difficult to achieve if financial and credibility losses hit companies.


Data Leaks – 6 Simple Steps to Avoid Them

Data leaks have been highlighted on the main websites and in the news recently. For example, we saw a major scandal involving Facebook. What struck us most about this leak was how vulnerable we are. In addition, we have seen how damaging this type of situation can be in our lives and also for companies, even those with security policies.

Unfortunately we will always have this risk, but with a few simple actions we can reduce the chances of this happening. In addition, it is possible to minimize the impact on customers when this type of incident occurs.

Awareness is the first step to reducing data leaks

First, let’s talk about awareness. After all, many companies still treat data security with restraint. This type of behavior is common when associated with the need for specialized investments. This is a strategic mistake.

Reality shows that investing in information security is essential, especially at a time when customers are increasingly connected and carrying out financial transactions online.

Before any action or investment is made, awareness is the first step to guaranteeing the security of corporate and customer data.

Therefore, it should be understood that a data leak is an incident that exposes confidential or protected information in an unauthorized way. Such incidents cause financial and image damage to companies and individuals.

In addition, data theft can involve personal information, personal identification, trade secrets or intellectual property. The most common types of information in a data leak are the following:

  • Credit card numbers;
  • Personal identifiers such as CPF and ID;
  • Corporate information;
  • Customer lists;
  • Manufacturing processes;
  • Software source code.

Cyber attacks are usually associated with advanced threats aimed at industrial espionage, business interruption and data theft.

How to avoid data breaches and theft

There is no security product or control that can prevent data breaches. This statement may seem strange to those of us who work in technology. After all, what is the point of the various hardware and software assets specific to the security area?

The best ways to prevent data breaches involve good practices and well-known security basics, for example:

  • Continuous vulnerability and penetration testing;
  • Application of protections, which includes security processes and policies;
  • Use of strong passwords;
  • Use of secure key storage hardware;
  • Use of hardware for key management and data protection;
  • Consistent application of software patches for all systems.

Although these steps help prevent intrusions, information security experts such as EVAL encourage the use of data encryption, digital certificates and authentication as part of the set of best practices.

Learn about the other 5 steps to prevent data leaks

The increase in the use of cloud applications and data storage has led to growing concern about data leakage and theft.

For this reason, the steps we are going to describe consider cloud computing as the main IT infrastructure adopted by companies to host their products, services and tools that are part of the production process.

1. Develop a data leak response plan

It may seem strange to recommend a response plan before building security policies and processes, but it will make sense. In fact, there is no right order in which to draw up the documents, not least because the construction will be done by several hands and they are all independent.

A data breach response plan consists of a set of actions designed to reduce the impact of unauthorized access to data and to mitigate the damage caused if a breach occurs.

Within the development process, there are stages which, when well defined, will serve as the basis for drawing up your security policies and processes. To give you an idea, the development of this plan brings us approaches like:

  • Business impact analysis;
  • Disaster recovery methods;
  • Identification of your organization’s confidential and critical data;
  • Defining actions for protection based on the severity of the impact of an attack;
  • Risk assessment of your IT environment and identification of vulnerable areas;
  • Analysis of current legislation on data breaches;
  • And other critical points.

We’ve mentioned a few points, but a data breach response plan addresses other areas that also serve as the basis for building security policies.

As we are considering a cloud environment, the strategy to be built into the data breach response plan must involve the cloud infrastructure provider.

It is also worth noting that many of the resources available in the cloud already have their own characteristics that help in the construction and execution of plans.

 
2. Have an information security policy that covers data protection

A security policy is generally considered a “living document”, which means that it is never finished, but is continually updated as technology requirements and company strategies change.

A company’s security policy should include a description of how the company protects its assets and data.

This document also provides a definition of how security procedures will be executed and the methods for evaluating the effectiveness of the policy and how the necessary corrections will be made.

It is worth remembering that part of the security policies is the adoption of a term of responsibility signed by employees so that they are committed to information security and the non-leakage of data.

Like the data breach response plan, the security policy is also a broad document with several points, but which have not been described in this article.

3. Make sure you have trained staff

So, as you may know, training is a crucial point in preventing data leaks. Employee training addresses safety on several levels:

  • It teaches employees about situations that could lead to data leaks, such as social engineering tactics;
  • It ensures that data is encrypted as actions are carried out in accordance with security policies and plans;
  • It ensures that the processes involved are as dynamic and automatic as possible in order to achieve compliance with legislation;
  • It ensures that employees are aware of the importance of information security, reducing the risk of attacks.

4. Adopt effective data protection tools

In a cloud architecture adopted by companies, the existence and use of tools that help guarantee information security is mandatory. In addition to hardware and software assets, the following resources must be in place:

  • Tools for monitoring and controlling access to information;
  • Tools to protect data in motion (SSL/TLS channel);
  • Tools to protect data at rest (in databases and files);
  • Tools to protect data in memory;
  • Data loss prevention tools (DLP).

In short, the approaches adopted by these tools are useful and mandatory when the aim is to block the exit of confidential information. They are key to reducing the risk of data leakage when managed through cloud infrastructure services.

5. Test your plan and policies, addressing all areas considered to be at risk

Just as the other sections described are important, the value of carrying out checks, as well as validating security policies and plans, makes this last step one of the most critical.

As a result, the company must carry out in-depth audits to ensure that all procedures work efficiently and without room for error. For many, however, the testing stage is likely to be one of the most challenging parts. So the information security area must always seek to prevent data leaks.

On the other hand, it is very difficult to implement all the procedures described, mainly because the company’s operations are running at full steam.

If not planned correctly, testing can have a major impact on the organization’s routine. However, this validation is fundamental to protecting the company from data leaks and cannot be neglected.

Finally, the steps described in the article will certainly help your company prevent security incidents. Despite their apparent complexity, it is entirely possible to adopt them and succeed in preventing data leaks.
