Categories
Data Protection

Secure Data with Encryption: Protect Valuable Assets

In a business environment where data security has become a critical pillar, understanding and applying encryption correctly is more than a necessity – it’s a strategic advantage.

This journey is essential, especially for CIOs and information security specialists, when it comes to securing company data with encryption.

This article provides a clear view of how these technologies, especially when combined with Hardware Security Modules (HSMs), can transform data security from a challenge into a competitive differentiator.

With a focus on innovation, we will explore how encryption not only protects valuable data, but also strengthens the company’s position with regard to regulatory compliance and customer trust.

Secure Data with Encryption for Business: The Current Scenario

Globally, in 2023, the data breach scenario presents a complex dynamic. Despite a significant reduction in the number of data records exposed in the United States, the number of data breaches and breached accounts remains alarming, with 31.5 million accounts affected globally by September 2023.

In Brazil, the situation is also worrying. Data from Surfshark reveal that, from January to November 2021, more than 24 million Brazilians had their data exposed on the internet.

The average cost of a data breach in Brazil increased from R$157 to R$175, while the total cost exceeded R$3 million. This increase is attributed in part to the growth of remote work during the pandemic, the use of misconfigured devices and the lack of a specialized IT and LGPD team in most companies.

According to IBM’s 2023 report, the average cost of data breaches in Brazil fell slightly to R$6.20 million, but spending on detecting and resolving breaches increased by 24%.

The health, services and technology sectors are the most affected in terms of costs related to data breaches in Brazil.

Impact of Data Breaches

The implementation of AI and automation has been shown to significantly reduce the costs and time needed to detect and contain data breaches in the country.

In addition, phishing has been the main form of entry for attacks in Brazil, closely followed by compromised credentials. Attacks originating from malicious insiders are notoriously the most costly, reaching an average cost of R$ 7.10 million per incident.

This data emphasizes the urgent need for robust and effective solutions that secure company data with encryption. This is where Hardware Security Module solutions play a crucial role.

With the threat landscape constantly evolving, both globally and in Brazil, companies must be prepared to face and mitigate these risks with advanced technologies and well-planned security strategies.

The Importance of HSM to Keep Data Secure with Encryption

The Hardware Security Module is a fundamental part of the data security architecture, offering a level of protection that goes beyond what software encryption can achieve.

In short, HSMs are dedicated physical devices that manage and protect cryptographic keys, crucial for the security of sensitive data and transactions. They provide a highly secure environment, isolated from the operating systems and networks where the risks of breaches are greatest.

Practical benefits of using HSMs when it comes to keeping data secure with encryption
  • Enhanced Security:

HSMs protect against unauthorized access attempts and manipulation of cryptographic keys. They are designed to be resistant to physical and logical attacks, ensuring that the keys remain secure even in the event of a system breach.

  • Regulatory Compliance:

Many security standards and regulations require the use of HSMs to guarantee the integrity and confidentiality of cryptographic keys. Organizations that handle sensitive data, such as financial and health information, can meet regulatory compliance requirements through encryption more easily using HSMs.

  • Performance and Efficiency:

HSMs are optimized to perform cryptographic operations quickly and efficiently, reducing the impact on system performance. So keeping data secure with encryption is no longer a major challenge for companies.

  • Centralized management:

With HSMs, organizations can centralize key management, simplifying administration and reducing the margin for human error.

  • Versatility and Scalability:

HSMs can be used in a variety of applications, from protecting data at rest to supporting digital signatures and authentication. They are easily scalable to keep up with the growth of the organization.

To maximize the benefits of HSMs, organizations must integrate them into their existing IT infrastructure and data security strategies.

This includes evaluating specific requirements, choosing the appropriate equipment and the right configuration to ensure that security operations are optimized, thus achieving greater efficiency in keeping data secure with encryption.

Thales HSM as a Crucial Resource for Securing Data with Encryption

Thales HSMs, specifically the Luna network hardware security modules, represent an essential tool for advanced data protection.

These devices offer high-assurance security, tamper resistance and networking, with market-leading performance.

Unique capabilities of Thales HSMs:


  1. Advanced Cryptographic Key Protection:
    Thales HSMs protect the entire lifecycle of cryptographic keys within FIPS 140-2 validated boundaries, guaranteeing key security superior to other storage methods.

  2. Market-leading performance:
    Thales’ Luna Network HSMs are faster than other HSMs available, ideal for use cases that demand high performance, such as SSL/TLS key protection and high-volume code signing.

  3. Scalable Security for Virtual and Cloud Environments:
    These devices can be divided into up to 100 cryptographically isolated partitions, acting as multiple independent HSMs, providing enormous scalability and flexibility.

  4. Simplified Administration:
    Thales Crypto Command Center facilitates the management of multiple HSMs, offering on-demand provisioning and efficient monitoring of encryption resources.

  5. De facto Standard for the Cloud:
    Thales HSMs are widely deployed in public cloud environments, adjusting to different cryptographic performance requirements in on-premises, private, public, hybrid or multi-cloud environments.

  6. Extensive Partner Ecosystem:
    Thales has an extensive ecosystem of partners, of which Eval is part, facilitating the integration of its HSMs with a wide range of standard applications.

  7. Support for Emerging Technologies:
    Thales HSMs are able to adapt to evolving threats and emerging technologies such as IoT and Blockchain.

  8. Regulatory Compliance:
    These devices meet compliance and audit requirements in highly regulated sectors, ensuring adherence to standards such as Brazil’s General Data Protection Law (LGPD), GDPR, eIDAS, FIPS 140, Common Criteria, HIPAA, PCI-DSS and others.

Thales HSM is an invaluable resource for companies looking to protect valuable data with encryption. Its advanced technology, superior performance, flexibility and regulatory compliance make it an ideal choice for organizations that need a reliable and effective data security solution.

Eval and Thales Partnership: Experience and Knowledge at the Forefront of Data Protection

The partnership between Eval and Thales represents a powerful combination of expertise and cutting-edge technology in the field of data security.

With Eval’s expertise and Thales’ advanced solutions, companies have access to a complete package for implementing robust data protection strategies.

In practice, the partnership between Eval and Thales results in several benefits for the companies:


  • Proven experience:

Eval brings a successful track record in secure data implementations with cryptography, complementing Thales’ advanced technological solutions.

  • Customized Solutions:

This partnership makes it possible to create customized security solutions that meet the specific needs of each company, guaranteeing the best possible protection.

  • Specialized Support and Training:

The combination of Eval’s technical expertise and Thales’ technology offers comprehensive support, including training and guidance for internal teams, ensuring efficient implementation and management.

  • Access to cutting-edge technology:

Thales, as a leader in HSM solutions, ensures that companies benefit from the latest innovations in data security.

In terms of results, the partnership between Eval and Thales is a significant differentiator for companies seeking not just a data security solution, but an integrated and efficient strategy that combines the best technology with specialized knowledge.

Get in touch and find out more

Interested in deepening your understanding of how encryption and Thales HSMs can transform your data security?

The Eval-Thales partnership is ready to offer customized solutions that perfectly align with your needs.

To find out more about our services and how we can help strengthen your company’s data security, contact us today.

Together, we can create a robust strategy that not only protects your data, but also raises your organization’s confidence and compliance.

About Eval

With a track record of leadership and innovation dating back to 2004, Eval not only keeps up with technological trends but is also constantly seeking to innovate by offering solutions and services that make a difference to people’s lives.

With market recognized value, Eval’s solutions and services meet the highest regulatory standards for public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Written by Arnaldo Miranda, Evaldo. Ai, reviewed by Marcelo Tiziano and designed by Caio.

Categories
Data Protection

Hardware Security Module (HSM): Concept and Use

In today’s digital age, cybersecurity is a growing priority for companies of all sizes and industries. At the center of this fight against growing digital threats, the Hardware Security Module (HSM) stands out as a robust and reliable protection solution.

With the continuous growth of threats, combined with the increasing volume and sensitivity of the data managed by organizations, investment in security becomes more and more crucial.

The HSM, also known as the Hardware Security Module, plays a key role in safeguarding data and cryptographic keys.

This article will discuss the vital role these devices play in the cybersecurity of organizations, as well as provide guidance on how to effectively implement them to ensure comprehensive protection of business operations and customers.

Unraveling the HSM: the guardian of Cryptographic Keys and sensitive data

Basically, a Hardware Security Module is a physical security device designed to protect, manage, and perform cryptographic operations with cryptographic keys.

HSMs are available in various forms, each designed to meet the specific needs of enterprises and their IT infrastructures.

Current and most commonly used formats in the market include:

External Devices

Security modules are stand-alone devices, usually connected to servers or IT systems via a USB or network interface.

They are easy to install and manage and can be used in environments with diverse IT infrastructure.

Server Expansion Cards

These HSMs are installed directly on the servers as an expansion card, connecting to the system bus for faster performance and integration.

They are ideal for high performance and security demanding environments such as data centers and financial institutions.

Cloud Hardware Security Module (Cloud HSM)

These are services managed by cloud providers, allowing enterprises to leverage the security and performance of security modules without the need to purchase and manage physical hardware.

They are an attractive option for companies looking for flexibility, scalability, and cost savings.

Robust protection and optimized performance for your business

In practice, HSMs offer robust protection and optimized performance to ensure the security of cryptographic keys and sensitive data:

  • Robust protection:

Hardware security modules are designed with multiple layers of security to resist both physical and logical attacks. They include features such as tamper-resistant enclosures, tamper detection, and automatic key deletion in case of attempted unauthorized access.

In addition, the devices implement logical security mechanisms, such as encryption of stored keys and role-based access management, ensuring that only authorized persons can access and manage the cryptographic keys.

  • Optimized performance:

HSMs are built with specialized hardware components and optimized to perform cryptographic operations quickly and efficiently.

This is essential for processing large volumes of transactions or secure communications without adversely affecting system performance.

In addition, security modules efficiently manage the encryption load on servers and IT systems, freeing up resources for other tasks and improving overall performance.

  • Scalability and flexibility:

As we have seen, HSMs are available in various forms and configurations, including external devices, expansion cards for servers, and cloud managed services.

This diversity of options allows companies to choose the equipment best suited to their specific needs, ensuring scalability and flexibility as business needs evolve.

In this way, companies ensure that cryptographic keys and sensitive data are protected efficiently and securely, making it an essential solution for the cybersecurity of their business.

HSMs in action: crucial applications to protect your digital assets

Let’s look in detail at how HSMs are applied in crucial situations to ensure the security and integrity of digital assets:

  1. Cryptographic Key Management

Hardware security modules are designed to manage the complete lifecycle of cryptographic keys, including generation, storage, rotation, and their secure destruction.

This ensures that the keys are protected against unauthorized access and malicious manipulation.

  2. Data encryption and secure storage

HSMs offer high-performance encryption to protect data at rest and in transit.

They ensure that data stored on servers, storage devices, and cloud environments is protected with strong cryptographic algorithms and securely managed keys.

  3. Authentication and Access Control

Hardware security modules can be used to authenticate and verify the identity of users, devices, and systems, ensuring that only authorized parties access critical resources.

They also support role-based access management to provide granular control over who can access and manage cryptographic keys and sensitive data.

  4. Digital signature and data integrity

The security modules are essential for the generation and verification of digital signatures, ensuring the authenticity, integrity, and non-repudiation of electronic transactions and communications.

They secure business processes and help meet regulatory requirements, such as signing electronic documents and complying with payment security standards.

  5. Public Key Infrastructure (PKI)

HSMs are widely used in PKI solutions to protect and manage private keys used in issuing and revoking digital certificates.

This ensures the security and reliability of authentication and encryption processes that rely on PKI, such as secure communications and access to critical resources.

  6. Financial transaction protection

Hardware security devices are key to securing financial transactions such as credit card payment processing, bank transfers, and digital currency transactions.

They ensure the security and confidentiality of financial information and help meet business-related compliance standards.

Why Ignoring Cybersecurity Could Be Your Company’s Biggest Mistake

In today’s digital age, protecting sensitive information and data is critical to the success of businesses. Cyber threats are constantly evolving, becoming more sophisticated and damaging every day.

This is where hardware security modules come into the picture, providing advanced and reliable security to protect organizations’ digital assets.

Here are some reasons why companies actually need HSM equipment in their business operations:

Data Protection

With the increasing volume of data generated and stored by companies, the need to protect this data has become even more important.

HSM security appliances provide robust protection for sensitive information and critical data, ensuring that only authorized people can access it.

In practice, security modules offer an additional layer of protection for cryptographic keys and sensitive data. They are built with advanced physical and logical security features, such as tamper-resistant enclosures and tamper detection.

Role-based access management ensures robust protection against physical and cyber attacks.

Cost reduction

While deploying HSMs may require a significant initial investment, the long-term benefits include reduced costs related to data breaches and compliance.

In addition, the improved performance and operational efficiency provided by the devices can lead to even greater efficiency in managing cybersecurity investments.

Compliance with regulations and standards

Companies need to meet various regulations and compliance standards related to data security and privacy.

A clear example is the General Data Protection Law (LGPD), which came into force in Brazil in 2020. The LGPD requires companies to implement appropriate security measures to protect the personal data of their customers and users.

HSMs help companies comply with these regulations and standards, minimizing the risks of data breaches and associated fines.

Brand trust and reputation

Data protection and privacy are growing concerns for consumers and customers.

By investing in hardware security modules, companies demonstrate their commitment to protecting information, strengthening customer trust and loyalty, and thus fostering successful and long-lasting relationships.

Risk Reduction

Data breaches and cyber attacks can have devastating consequences for companies, including financial losses, reputational damage, and disruption of business operations.

By implementing HSMs, companies can significantly reduce the risk of data breaches and minimize the impact of potential cyber attacks.

Competitiveness

Companies that adopt HSMs and other advanced security technologies can stand out in highly competitive markets where data protection and compliance are key success factors.

The implementation of security devices can be a strategic differentiator, providing competitive advantage and attracting new customers and business partners.

Considering these factors, it is clear that companies need HSM equipment in their business operations to ensure efficient and secure protection of their digital assets and customers.

HSM device deployment is a key part of enterprises’ cybersecurity strategy

By effectively incorporating hardware security modules into their cybersecurity architecture, companies can ensure that their valuable information is protected and maintain compliance with the regulations and standards applicable to their business segment.

In this scenario, Eval, a specialist in the information security segment, stands out as a reliable and experienced partner for the implementation and management of HSM solutions.

The official partnership between Eval and Thales, a global leader in cybersecurity solutions, ensures customers have access to cutting-edge technologies and an innovative approach to protecting their digital assets.

Together, these companies offer high-performance, reliable, and scalable solutions tailored to the specific needs of each organization.

Investing in HSMs is a key step for companies toward a comprehensive and effective cybersecurity strategy. Eval and Thales’ expertise is crucial to ensure this evolution of cyber security.

This partnership provides customers with the support they need to protect their data, ensure business continuity, and promote trust between customers and partners.

Take the next step toward securing your digital assets: contact Eval now!

If you are ready to strengthen your company’s cybersecurity and protect your digital assets with an HSM implementation, Eval is the ideal partner to help you on that journey.

With the expertise and partnership with Thales, Eval can offer customized and effective solutions that fit your specific needs.

Don’t put your company’s security off until later. Contact the Eval team today and find out how our HSM solutions can take your data protection to the next level.

Click the button below to schedule a free consultation with our experts and start building your company’s digital fortress.

Contact Eval now!


Categories
Data Protection

Cryptographic Key Security in the Digital Real

The evolution of payment systems and the growing demand for fast, secure and efficient solutions led the Central Bank of Brazil (BCB) to create the Real Digital project, a Central Bank Digital Currency (CBDC).

Learn about the relationship between Real Digital and Hyperledger Besu, the technology behind the pilot project, and the importance of using security devices such as the Hardware Security Module (HSM).

Real Digital and Hyperledger Besu: a strategic integration

To achieve the goals of agility, security and efficiency in the operations of the new currency, the Central Bank has been studying and testing various technologies and solutions, with Hyperledger Besu being one of the options under analysis.

The choice of Hyperledger Besu as a possible platform for Real Digital is strategic, because the solution, based on Ethereum and developed by the Linux Foundation, offers scalability and high performance, and is adaptable to public and private networks.

These characteristics allow for greater flexibility and adaptability to the specific needs of the Brazilian financial system.

The integration between the technologies involves the implementation of a distributed ledger platform (Distributed Ledger Technology, DLT), which allows the registration and tracking of tokenized financial assets such as the Real Digital.

The Benefits of Convergence

Hyperledger Besu supports smart contracts, which enable the automation of processes and transactions in the financial ecosystem, ensuring the security, transparency and efficiency of operations.

In this context, the integration between Real Digital and the Besu Hyperledger can bring several advantages, such as:

  • Interoperability:

The platform facilitates communication between different systems and financial institutions, allowing information exchange and transactions to be carried out more quickly and efficiently.

  • Security:

The blockchain technology used by Hyperledger Besu guarantees the immutability of records and the authenticity of transactions, providing greater security and reliability to Real Digital.

In addition, the Central Bank announced that the network that is to operate the Digital Real will be the same as the SFN, which is considered to have a high level of security.

  • Customization:

Hyperledger Besu, being an open source solution, allows customization and adaptation to the specificities and regulations of the Brazilian financial system, meeting the needs and requirements demanded by the Central Bank.

  • Innovation:

The integration of Real Digital with Hyperledger Besu enables the development and implementation of new digital financial products and services, stimulating innovation and competitiveness in the Brazilian financial market.

Hyperledger Besu: a solid, collaborative foundation for blockchain applications

The name “Besu,” as the technology is also called, is a Japanese word meaning “base” or “foundation,” reflecting the platform’s purpose to be a solid and reliable foundation for building enterprise blockchain applications.

In addition, Besu also suggests the idea of teamwork, as it is a shortened form of “besugo”, which means “snapper” in Japanese – a type of fish usually found in schools.

This connotation of teamwork is key, as the platform is designed to enable collaboration and data sharing between different parts of an enterprise blockchain network.

The Hyperledger Besu technology stands out for its advanced features and modular architecture. Some important features include:


  1. Support for Smart Contracts: Besu is compatible with the Solidity programming language and allows the creation and execution of smart contracts for process and transaction automation in the financial ecosystem.

  2. Privacy and Confidentiality: Hyperledger Besu enables the implementation of private transactions and confidential communication channels between network participants, ensuring the protection of sensitive data and information.

  3. Interoperability: The platform facilitates integration with other networks and systems, promoting communication and information exchange between different financial institutions and allowing transactions to be carried out more quickly and efficiently.

  4. Monitoring and Management: Besu has tools and features that make it easy to monitor and manage the blockchain network, including support for JSON-RPC and GraphQL APIs, as well as graphical interfaces and performance analysis capabilities.

In practice, the Hyperledger Besu technology represents a robust and collaborative solution for building enterprise blockchain applications.

Its modular architecture, support for smart contracts, and concern for privacy and interoperability make this platform a solid and promising option for the implementation of innovative projects, such as Real Digital.

Securing the Digital Real: The Strategic Value of HSM in Protecting Cryptographic Keys

Transaction security is key to Real Digital’s success. The use of PKI (Public Key Infrastructure) in Hyperledger Besu allows certificates issued by a trusted authority to manage node and account identities in the following ways:

  • Node Permission

Only authorized nodes can connect to other nodes on the network, using TLS for communication. An ICP certificate would further enhance the security of the network, as is already the case for the SPB, and using it for authentication would make the network even more reliable.

  • Block Proposal Allowance

Only blocks proposed by authorized validators are accepted within an ICP chain, with a focus on ensuring the security and integrity of the network.

This allows the other validators on the network to verify that the proposer is authorized to create a block, so that only blocks from authorized validators are accepted.

If anyone could propose new blocks, the network would be exposed to attacks such as the inclusion of fraudulent transactions or the modification of previous blocks. Block proposal permission helps prevent these attacks by ensuring that only authorized validators can create new blocks.
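The block proposal permission described above, as an added Go example that is not code from Hyperledger Besu, Eval or the Central Bank's pilot: a self-signed root stands in for the ICP authority, validators hold leaf certificates it issued, and each node checks that a proposed block is signed by a certified validator before accepting it. The certificate names, block layout and P-256 keys are constructed for the example (chosen because Go's standard library supports them); it shows the authorization pattern, not Besu's wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"math/big"
	"time"
)

// Validator holds a node's signing key and its certificate (in production the key stays in an HSM).
type Validator struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// ProposedBlock is a minimal header plus the proposer's proof of authorization.
type ProposedBlock struct {
	Number    uint64
	Payload   []byte
	CertDER   []byte // proposer certificate, expected to chain to the network CA
	Signature []byte // ECDSA (ASN.1) over headerDigest
}

func certTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: isCA,
		IsCA:                  isCA,
	}
}

// Issue creates a key pair and certificate. With ca == nil the result is a
// self-signed root standing in for the ICP authority (constructed here);
// otherwise it is a validator leaf certificate signed by ca.
func Issue(ca *Validator, name string, serial int64) (*Validator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := certTemplate(name, serial, ca == nil)
	parent, signer := tmpl, key
	if ca != nil {
		parent, signer = ca.Cert, ca.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Validator{Key: key, Cert: cert}, err
}

func headerDigest(number uint64, payload []byte) []byte {
	h := sha256.New()
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], number)
	h.Write(n[:])
	h.Write(payload)
	return h.Sum(nil)
}

// Propose signs a block header and attaches the proposer's certificate.
func (v *Validator) Propose(number uint64, payload []byte) (ProposedBlock, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, v.Key, headerDigest(number, payload))
	if err != nil {
		return ProposedBlock{}, err
	}
	return ProposedBlock{Number: number, Payload: payload, CertDER: v.Cert.Raw, Signature: sig}, nil
}

// VerifyProposal is the check every other validator runs before accepting a block:
// the certificate must chain to the network CA and the signature must verify under its key.
func VerifyProposal(roots *x509.CertPool, b ProposedBlock) error {
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return errors.New("proposer not authorized by the network CA: " + err.Error())
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, headerDigest(b.Number, b.Payload), b.Signature) {
		return errors.New("block signature does not match the proposer certificate")
	}
	return nil
}
```

A block from a node certified by any other authority, or signed by a key other than the one in the presented certificate, is rejected by VerifyProposal, which is what keeps unauthorized proposers out of the chain.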

Strengthening the security of cryptographic keys

Alongside the use of digital certificates within an ICP chain, another important question arises: where the cryptographic keys will be securely stored.

In a classic example, imagine that you install a high-security lock on your door to protect your home from possible intruders. However, instead of keeping the key in a safe and secure place, you leave it under the mat in front of the door.

With this approach, the lock becomes useless, since anyone can find the key and easily enter your home.

Even on a cloud platform, the Cloud Security Alliance (CSA) recommendation EKM-04 states that keys should not be stored in the same cloud as the data they protect; they should preferably be kept in an HSM, or in a cloud HSM external to that cloud infrastructure, such as DPoD.

The HSMs or DPoD provide advanced protection against physical and logical attacks, guaranteeing, through the use of encryption algorithms, the integrity and confidentiality of the cryptographic keys involved and, consequently, greater security in financial transactions, as is already the case with the SPB.
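The principle above, keys kept in a module outside the environment that stores the data, as an added Go example that is not code from Eval, Thales or the CSA: an in-process SimulatedHSM stands in for the HSM or DPoD service and exposes only wrap and unwrap operations, gated by a caller allow-list, while the application stores only ciphertext plus a wrapped data key. The module, the caller names and the record layout are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// SimulatedHSM is a constructed stand-in for the HSM or DPoD boundary: the KEK never leaves it.
type SimulatedHSM struct {
	kek     []byte          // 256-bit AES key-encryption key, held only here
	allowed map[string]bool // callers (roles) permitted to unwrap keys
}

func NewSimulatedHSM(allowed map[string]bool) (*SimulatedHSM, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &SimulatedHSM{kek: kek, allowed: allowed}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM; the fresh nonce is prefixed to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; tampering with nonce, ciphertext or aad fails here.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// WrapKey and UnwrapKey are the only operations exposed on the KEK; the aad label
// binds a wrapped blob to its purpose so it cannot be passed off as a data record.
func (h *SimulatedHSM) WrapKey(dek []byte) ([]byte, error) {
	return seal(h.kek, dek, []byte("dek-wrap"))
}

func (h *SimulatedHSM) UnwrapKey(caller string, wrapped []byte) ([]byte, error) {
	if !h.allowed[caller] {
		return nil, errors.New("caller not authorized to use the key")
	}
	return open(h.kek, wrapped, []byte("dek-wrap"))
}

// Record is what the application persists in its database or cloud storage:
// ciphertext plus the wrapped DEK. On its own it decrypts nothing.
type Record struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// Encrypt generates a per-record data-encryption key (DEK), encrypts the
// payload with it, and has the HSM wrap the DEK; only the wrapped form is stored.
func Encrypt(h *SimulatedHSM, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := h.WrapKey(dek)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt asks the HSM to unwrap the DEK on behalf of caller, then decrypts.
func Decrypt(h *SimulatedHSM, caller string, r Record) ([]byte, error) {
	dek, err := h.UnwrapKey(caller, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, nil)
}
```

Someone who copies the storage holding the records, but has no access to the module, obtains only ciphertext and wrapped keys; a module with a different KEK, or an unlisted caller, cannot recover the data.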

Increased efficiency in performing cryptographic operations

HSMs are optimized to perform cryptographic operations efficiently, improving transaction speed and reducing latency in the system, and performance is one of the fundamental requirements in the financial sector.

Compliance with safety regulations and standards

Using HSMs helps to comply with security regulations and standards set by the relevant agencies, such as LGPD and ISO 27001, ensuring legal compliance and enhancing the organization’s reputation.

This point, vital for the Digital Real and for other services involving financial operations, is also emphasized in Central Bank Resolution 4893.

Centralized management and access control of cryptographic keys

HSMs allow centralized management of cryptographic keys, facilitating access control and the implementation of security policies.

Here, the essential point is to ensure that only authorized people can access and use the keys.

Redundancy and recovery of cryptographic keys

HSMs can be configured in clusters, providing redundancy and guaranteeing the availability of cryptographic keys even in case of hardware failures or other incidents.

This ensures continuity of operations and prevents loss of sensitive data.

Integration with the Besu Hyperledger platform

The HSMs are compatible with the Hyperledger Besu platform, making it easy to implement secure and efficient enterprise blockchain solutions for Real Digital.

The integration between the two technologies strengthens Real Digital’s infrastructure and enables the development of new financial services and products.

Indeed, the use of HSMs in the context of Real Digital and Hyperledger Besu can offer significant benefits in terms of security, performance, and compliance, and is an effective and proven solution for protecting cryptographic keys and ensuring the integrity of financial transactions.

The combination of these technologies creates a solid foundation for the evolution of digital payments and the expansion of financial services in Brazil.

Do you know Thales HSM Luna?

The Thales HSM Luna is a high-performance security device designed to protect cryptographic keys and perform cryptographic operations securely and efficiently.

Its robust architecture is built with physical and logical security mechanisms to prevent unauthorized access and extraction of sensitive information.

In addition, HSM Luna offers accelerated transaction processing, compliance with regulations and industry standards, centralized key management, and transaction traceability.

This solution is widely used by companies in various industries seeking to protect their digital assets and ensure the confidentiality, integrity, and authenticity of information.

Want to learn more about HSM and all the features it can offer to protect your information and ensure the security of your transactions? Contact Eval, a specialist in information security solutions.

Our team is ready to help you understand how an HSM can benefit your organization and present the best options available on the market. Click here to contact us!

About Eval

With a track record of leadership and innovation dating back to 2004, Eval not only keeps up with technological trends, but we are also in an incessant quest to bring news by offering solutions and services that make a difference to people’s lives.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Written by Arnaldo Miranda, Evaldo. Ai, reviewed by Marcelo Tiziano and designed by Caio.


Real Digital – The Monetary Innovation of Brazil’s Central Bank

The Real Digital is a digital currency proposal from the Central Bank of Brazil (BCB), which aims to modernize the national financial system and improve the efficiency of the payments market.

In this context, information security and data protection are key aspects to ensure the reliability and acceptance of this new way of conducting financial transactions using digital currency.

In this article, we will explore the context of the Digital Real, its development stages, and the importance of information protection in the process.

The growing importance of central bank digital currencies on the global stage

In Brazil, the BCB has been following the topic for a few years. In August 2020 it organized a working group to conduct studies on the issuance of a digital currency by the institution.


The group had representatives from all areas of the Central Bank and counted on the direct involvement of several departments, especially International Affairs, Financial System Monitoring, and Banking and Payment System Operations.

Preliminary results were presented to the institution’s Board of Directors, which determined the establishment of a regular forum to discuss the topic with the Central Bank’s technical staff.

The discussions conducted in this forum motivated:

  1. The publication of the project guidelines in May 2021;
  2. Holding a series of webinars to discuss the potential applications of the new currency with society;
  3. The Lift Challenge Real Digital, with the goal of developing technological solutions for the implementation of the new currency.

According to the Central Bank project coordinator, Fabio Araújo, the Real in digital format will work as a large-scale Pix, allowing instant large-value wholesale transfers, such as between large companies and financial institutions.

The road to the development and implementation of the Digital Real in Brazil

The first phase of the project involves the development of a test platform that registers assets of various types and natures.

The platform chosen was Hyperledger Besu, which is open source, reducing the cost of technology licenses and royalties.

Hyperledger Besu is compatible with Ethereum technology, the architecture behind the Ether (ETH) cryptocurrency and other decentralized applications.

The technology allows tests in controlled environments while guaranteeing the privacy of transactions, which was among the BCB’s reasons for choosing Hyperledger Besu.

According to the Central Bank, the testing phase will be completed in December 2023 and, in March 2024, if the Hyperledger Besu platform proves able to support the simulated transactions, it will be used to set up the Digital Real.

The goal is to reach Real Digital maturity starting in 2024

The schedule foresees the availability of Real Digital to the population by the end of next year. During the test phase, each participant from the financial sector is to contribute its share of the infrastructure.

In April, the Central Bank will organize a workshop with financial institutions and technology companies to pass on the guidelines. Starting in May, the monetary authority will choose the participants of the pilot project.

With the participants defined, there will be transaction tests with Real Digital in a simulated environment, without real values. The assets to be used in the pilot will be as follows:

  • Deposits from bank reserve accounts, settlement accounts, and the National Treasury’s single account;
  • Bank deposits on demand;
  • Payment accounts of payment institutions;
  • Federal government bonds.

The National Treasury will participate in the testing phase to enable the construction of cheaper and more efficient technology for trading government bonds in the primary and secondary markets.

In the simulated operations, a fictitious investor will buy government bonds through the bank’s application that will connect to the test platform.

In addition, the tests will also include the possibility of settling loans with long-term investment funds without disposing of the entire investment.

Successful implementation of the project can lead to a more inclusive, competitive, and efficient financial system. However, there are still challenges and tests to be carried out to ensure the viability and security of the digital currency.

Eval is tracking Real Digital’s progress

Eval, a reference in technology and innovation, closely follows the progress of Real Digital and foresees a scenario of major changes in the country’s financial sector.

In fact, there is the expectation that the new digital currency will transform the Brazilian financial system, bringing greater efficiency and financial inclusion to the population.

Soon, Real Digital should open doors for the development of new financial services, further expanding the offer of technological solutions in the market.

47 projects were presented, of which 9 were selected to “test” the Real Digital with innovative solutions that can be developed on the platform of the Brazilian currency in digital format.

It is also worth mentioning the opportunities for collaboration with the Central Bank of Brazil and other financial institutions in the development and implementation of the Digital Real.

As with PIX, Eval, with all its knowledge and expertise in technology and innovation, can contribute significantly to the project’s success.

Ensuring the safety and security of financial transactions will be key to the success of the Digital Real

With the increase in digital transactions, the need for effective security measures becomes even more important to prevent fraud and data breaches.

In this context, solutions such as the Hardware Security Module (HSM) or Data Protection on Demand (DPoD), which in short is an HSM in the cloud, play a key role.

HSMs are physical cryptographic devices that provide an additional layer of security to protect cryptographic keys. When integrated with Hyperledger Besu, an HSM can raise the level of Real Digital’s reliability.

By using HSMs in the Real Digital infrastructure, the BCB can ensure that financial transactions are processed with a high level of protection.

This protects both the users and the financial institutions involved, and with it comes greater confidence in the Real Digital.

About Eval

EVAL has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


PayShield 10K: Why migrate?

As companies become increasingly digital, the risk of data breaches and cyber attacks increases. One of the most important steps in protecting yourself is to choose the right payment security solution. That’s where payShield 10K does its part.

payShield 9000 is one of the most popular payment security solutions on the market. However, with the release of payShield 10K, businesses now have a new option to choose from.

But why should companies migrate from payShield 9000 to the new payShield 10K? Continue reading the article until the end and learn about the differences and advantages of migrating.

Meet the new payShield 10K

Thales’ fifth generation payment HSM, payShield 10K provides proven security features in critical environments, including transaction processing, protection of sensitive data, payment credential issuance, mobile card acceptance, and tokenization.

Similar to its predecessor payShield 9000, the new version can be used across the global ecosystem by issuers, service providers, acquirers, processors, and payment networks.

payShield 10K offers several benefits that complement the previous versions, showing Thales’ commitment to the continuous improvement of its products.

In practice, the new version:

  • Simplifies deployment in data centers;
  • It offers high resiliency and availability;
  • It provides the broadest card and mobile application support in a timely manner;
  • Supports performance upgrades without hardware change;
  • Maintains compatibility with all legacy Thales payment HSMs.

Top 10 Reasons to Switch to PayShield 10K

1. Thinner format

The new version of payShield 10K reduces the unit height to 1U, which means that you can stack twice as many units in the rack as with payShield 9000, reducing the cost of investment.

The unit is now longer for easier access to the connectors on the back panel and comes with slide rails to help simplify and speed up the installation process.

The front panel design retains the familiar left and right key mechanisms so you can securely lock the HSM in the rack.

2. Lower energy consumption

Every watt of power that a device requires increases your data center’s power and cooling costs.

The new payShield 10K design leverages the latest energy-efficient components and power management techniques to reduce overall power consumption by 40%, even while operating at twice the cryptographic performance.

This will undoubtedly help reduce your data center’s electricity bill and contribute to your company achieving its “green goals”.

3. Increased resilience and availability

If your company is forced to take an HSM offline for routine configuration tasks or to replace a faulty power supply, it negatively affects the availability of your financial services infrastructure.

Thales, as part of its continuous improvement process, enhances the physical design with payShield 10K, providing two power supplies and hot-swappable fans as standard, improving MTBF and giving a very high expected uptime.

As part of the mission to help keep your payShield 10K running 24/7, the new version of the appliance performs additional background monitoring of HSM system processes and application code.

If problems are detected, they will be fixed automatically without any intervention from the IT team.

4. payShield 10K with faster firmware updates

Loading firmware usually means taking the HSM offline for several minutes. With payShield 10K, the firmware upgrade workflow process has been reduced while maintaining all the necessary security checks for authenticity and code integrity.

Reliability and ease of use have also been improved: if power or connectivity is interrupted, the loading process recovers automatically to minimize the chance of the HSM being left unavailable.

 


5. Clearer visual indicators

The payShield 10K has a simple and neat front panel design that displays a red warning triangle when a tampering event occurs.

When all is well, the left handle on the front panel is illuminated white, but if regular background integrity checks discover a problem, the handle will turn red.

To help identify which HSM in a rack may need emergency or scheduled intervention, operations staff can now quickly direct local staff to the HSM that needs support by illuminating the front and rear maintenance lights using payShield Manager.

In addition, the front light illuminates the unit’s serial number, making it easy to read if necessary. These are just some of the time-saving features introduced in payShield 10K, some inspired by customer feedback.

6. Clear confirmation of key removal

In the routine of IT infrastructure administrators, it is sometimes necessary to move an HSM from a production environment to another, less secure location.

Under various security audit constraints, critical keys, such as active LMKs, must not be present when the unit is at the new location.

The payShield 10K has a dedicated key-removal confirmation light on the back panel to confirm that no keys or sensitive data remain on the unit and that it is safe to decommission.

This improved approach to erasing the key provides confirmation even after the unit is turned off.

7. Even stronger tamper protection

payShield 10K has multiple levels of tamper detection that, when activated, erase keys and confidential data in the event of an attack.

A fully locked cover is also used to increase the complexity for any attacker.

Attempts to access the inside of the internal security module cause the device to be permanently disabled.

8. Broader cryptographic support

To support new payment methods, the new version of the hardware is able to leverage very fast hardware-based ECC processing in addition to the legacy 3DES, AES, and RSA algorithms.

Many of the emerging payment credential issuance use cases use ECC instead of RSA, especially when the payment instrument is a mobile, IoT or connected device.

payShield 10K is ready for enhancement to support a much wider range of cryptographic algorithms and mechanisms as they become formalized as part of the growing range of payment security specifications.

9. Even Higher Performance

Card payments and online digital payments are growing year by year, requiring you to constantly monitor and upgrade your processing bandwidth.

The new version of payShield offers significantly higher RSA and 3DES performance than its predecessors, which can reduce the number of devices compared with the previous version and lower your costs.

This faster cryptographic engine also provides more consistent and predictable performance across all host commands, even in heavy load situations and when TLS-based secure communications are in use.

10. payShield 10K features superior architecture

As the payments world increasingly looks for new deployment models involving a mix of private and public clouds, payShield 10K is specifically designed to offer secure remote management and monitoring, providing a true ‘contactless’ experience.

This provides support for various types of payment service offerings and more capabilities to perform functions securely across a wide range of operating environments.

With its enhanced features, payShield 10K is well suited to handle the ever-changing landscape of payment security.

payShield 10K ensures payment security

With payShield 10K you are assured that your company meets the highest security standards in the financial industry.

The fifth generation of payment HSMs from Thales, Eval’s partner company, offers a suite of proven security features in critical environments, in addition to transaction processing, protection of sensitive data, payment credential issuance, mobile card acceptance, and tokenization.

The payShield 10K solution can be used throughout the global payments ecosystem by issuers, service providers, acquirers, processors, and payment networks, offering a number of benefits.

Eval Professional Services has a team of specialized professionals with the best practices in the market

Benefit from our years of experience and expertise in information security and compliance with the General Data Protection Act (LGPD). We will be your partner for realizing digitization projects in compliance with security and data protection regulations.

We share our expertise across all business flows in healthcare organizations to help you minimize risk, maximize performance, and ensure the data protection your patients and partners expect.



Smart Grid: what IT managers should know

A Smart Grid or intelligent power grid is basically a power network that uses internet technologies to enable two-way communication, coordination and control.

The vision of a Smart Grid starts with the overlay of an increasingly IP-based information network on top of the connecting elements of the existing power grid.

In the longer term, the Smart Grid will include rethinking the architecture of power generation and distribution to make the electricity grid more decentralized, resilient, secure and responsive to consumer demand and the provision of public services.

Architecturally similar to the Internet, the Smart Grid is hierarchical and has clear demarcation points. Energy utilities run the generation and interstate links of the network, equivalent to the backbone of an ISP (internet service provider).

Within a metropolitan area or neighborhood, local utilities run a neighborhood area network (NAN), equivalent to a metropolitan area network (MAN).

The Smart Grid reaches individual homes and businesses through the advanced metering infrastructure, which is like a local ISP’s DSL network – the last mile to the “smart meter”.

Within a building or home, consumers and businesses manage a home network or building automation system, which is the smart grid equivalent of a local area network (LAN).

The smart meter also acts as a network termination point or input router, a demarcation between the utility network and the home network or building automation system.

The interface between your building automation network and the utility supply will be smart. This brings huge opportunities for automation as well as severe management and security challenges.

What should IT managers know about Smart Grid?

The introduction of IP coincides with the convergence of IT and facilities organizations. Companies are adding automation to buildings, and the resulting networks are increasingly managed by the IT department.

The building automation network connected to a Smart Grid is rapidly becoming a network-based application running on a converged LAN, just as voice networks began converging onto data networks a decade ago.

In short, building automation will be an application that you must support on your network in the future. As with voice, this new network application will present unique management, quality of service (QoS) and security issues.

For example, building automation directly affects the physical space in our offices, creating unique management challenges, and systems must be secured against unauthorized access to a building or room.

But even without malicious interference, we need to ensure that future building automation systems and smart grids are as reliable as current systems.

A “smart” light switch should turn on the light instantly and every time, just as a voice over IP (VoIP) phone should provide a dial tone, instantly and every time.

The lesson of VoIP was that mechanical systems are inherently more reliable and it is not simple to achieve the same level of resilience and quality with a computerized system.

The Smart Grid will provide near real-time price updates and statistics on overall energy use

In our example, building automation connected to a Smart Grid will allow you to control the skylight, blinds, lights, vents and even micro power plants such as solar panels, fuel cells and diesel generators.

This can enable adjustment of energy consumption and local generation patterns in response to prices and can also offer organizations the possibility to sell energy back to the grid.

Businesses can also be warned of impending power quality issues (such as power outages, spikes, supply shortages and blackouts) and adjust power usage or distribution to prioritize critical systems or unplug spike-sensitive devices.

Managing and securing this new network will require new skills, new hardware and new software. It will also require new types of firewalls, denial of service protections and security policies.

The Smart Grid will extend to your network, bringing new opportunities and new challenges. To prepare your business for the smart grid, you should start with organizational convergence between IT and facilities, followed by data convergence between IT networks and building automation systems.


Eval and Thales together to ensure the protection of Smart Grids

At a time when energy utilities play an increasingly important role in our everyday lives, smart grid technologies, including those leveraging the Internet of Things (IoT), present new smart grid security challenges that must be addressed.

Implementing a smart grid without adequate security of advanced metering infrastructure can result in grid instability, loss of private information, utility fraud and unauthorized access to energy consumption data.

Without proper security, the benefits of IoT-based energy, such as reliable directional communication between applications and devices, as well as secure information gathering for accurate big data analytics, would not be realized.

Effective security gives equipment manufacturers, consumers and utility providers the confidence to leverage the power of IoT.

Building a reliable and secure smart grid will require robust smart grid security solutions that can be easily deployed at the communication and application layers of the smart grid infrastructure.

Areas where smart grid protection is critical include:

  • Device manufacturing;
  • Secure communications;
  • Internet of Things (IoT) devices and applications;
  • Field firmware updates and provisioning;
  • Device authentication;
  • Secure meter management;
  • Protecting data integrity and privacy.

The importance of security in Smart Grid with PKI and HSMs

Smart Grid security solutions must be able to deploy on a large scale, with minimal effect on applications.

Smart grid protection at the communication layer will require a system to identify connected meters, to verify that these meters are configured correctly, and to validate these meters for grid access.

The recommended solution for this authentication process is an identity-based model, usually a public key infrastructure (PKI).

PKIs are ideal for large-scale security deployments that require a high level of security with minimal impact on performance.

In a PKI environment, it is essential that private keys and certificates are protected with a trusted key management solution that protects against evolving data threats, such as hardware security modules (HSMs).

Thales Hardware Security Modules provide the highest level of security by always storing cryptographic keys in hardware.

Thales HSMs provide a secure encryption foundation as the keys never leave the FIPS-validated, intrusion-resistant and tamper-resistant device.

Since all cryptographic operations take place inside the HSM, strong access controls prevent unauthorized users from accessing confidential cryptographic material.
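As an added example (not the page’s own code, and not any Thales product interface), the following Go program uses only the standard library to show the identity-based authentication model described above: a utility root CA issues each meter a certificate bound to its identity, and the head-end accepts a meter only if the certificate chains to that root, is within its validity period, is restricted to client authentication, and the meter proves possession of its private key over a fresh challenge. Names such as Utility Meter Root CA and METER-0001 are constructed for the example. Keys are generated in software here; the CA key is held only through Go’s crypto.Signer interface, which is the same shape a PKCS#11-backed HSM key presents, so the signing code does not change when the key moves into the module.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// utilityCA is the utility's meter-issuing root. The key is held only as a crypto.Signer:
// an HSM-backed key exposed through a PKCS#11 wrapper satisfies the same interface.
type utilityCA struct {
	cert *x509.Certificate
	key  crypto.Signer
}

func newUtilityCA(name string) (*utilityCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &utilityCA{cert: cert, key: key}, err
}

// issueMeterCert enrolls a meter: its identity goes in the CN and the certificate is restricted to client auth.
func (ca *utilityCA) issueMeterCert(meterID string, pub crypto.PublicKey, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: meterID, Organization: []string{"smart meters"}},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signChallenge is the meter's side of the handshake; the key is only ever used through crypto.Signer.
func signChallenge(key crypto.Signer, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return key.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// authenticateMeter is the head-end check: the certificate must chain to the utility root and be
// valid now for client auth, and the meter must prove possession of the key over a fresh challenge.
func authenticateMeter(roots *x509.CertPool, certDER, challenge, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("meter %q rejected: %w", cert.Subject.CommonName, err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig); err != nil {
		return "", errors.New("proof of possession failed")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, _ := newUtilityCA("Utility Meter Root CA") // constructed names throughout
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	meterKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := ca.issueMeterCert("METER-0001", &meterKey.PublicKey, time.Now().Add(-time.Minute), time.Now().Add(5*365*24*time.Hour))
	challenge := make([]byte, 32) // fresh per session: prevents replay of an old signature
	rand.Read(challenge)
	sig, _ := signChallenge(meterKey, challenge)
	fmt.Println(authenticateMeter(roots, cert.Raw, challenge, sig))
}
```

With a PKCS#11 module, the key field of utilityCA would be the wrapper’s signer object for the CA key inside the HSM and nothing else in the program would change; the verification side rejects a certificate from an unknown CA, an expired certificate, and a signature that does not match the current challenge, which are the three failure modes a meter head-end has to handle.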

In addition, Thales also implements operations that make deploying secure HSMs as easy as possible, and our HSMs are integrated with the Thales Crypto Command Center for fast and easy partitioning, reporting, and monitoring of cryptographic resources.

Learn more about the use of HSM applied to Smart Grid technology from Eval’s experts and learn how to apply encryption capabilities effectively in your smart grid. We are happy to answer your questions and help you define the best ways to make your network smart and reliable.



Digital Means of Payment: 5 Key Benefits of HSM

Customer demand is the main driver for companies in the financial sector to add new payment options. From traditional, well-established operations to mobile and instant payment, the challenge of ensuring the security of digital means of payment and financial transactions is constant. This is when HSM Technology makes the difference.

In addition, the speed of transactions is also changing the way financial transactions are made. Organizations and consumers are looking for low response times, which means that the availability of the payment system must be high and the information always accurate.

This leads us to understand that security is at the heart of the payment ecosystem. To bring the highest levels of security to increasingly complex and ever-changing digital means of payment and financial transactions, operations rely on HSM (Hardware Security Module) technology.

Digital means of payment and financial transactions: new challenges arise and must be addressed

The banking and financial services sector is challenged every day. In addition to managing payment operations and financial transactions, they need to perform identity and access management, cryptographic key management, use blockchains, go to the cloud and maintain compliance.

To contribute to this real-time process, technology, like HSM, is constantly evolving. New challenges appear and must be met.

As payment systems are unique, hardware providers often find themselves conflicted when trying to keep up with market developments.

The need to implement modifications to existing hardware security modules (HSMs) while maintaining compliance has become an ever-present and unavoidable reality for the payments industry, banks and financial services companies.

An HSM applied to digital means of payment and financial transactions is a tamper-resistant hardware device. It is mainly used by the banking and financial sector to provide high levels of protection for customers’ cryptographic keys and PINs.

These keys and PINs are used during the issuance of magnetic stripe and EMV chip cards (and their mobile app equivalents), and in the subsequent processing of credit and debit card payment transactions.

HSMs dedicated to digital means of payment typically provide native cryptographic support for all major card scheme payment applications and undergo rigorous independent hardware certification under global schemes such as FIPS 140-2 and PCI PTS HSM, plus additional regional security requirements.

Some of its common use cases in the payments ecosystem include:

  • PIN generation, management and validation;
  • PIN block translation when switching ATM and POS transactions between networks;
  • Card, user and cryptogram validation during payment transaction processing;
  • Issuance of payment credential for payment cards and mobile applications;
  • Point-to-point encryption (P2PE) key management and secure data decryption;
  • Sharing keys securely with third parties to facilitate secure communications.
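As an added example (not code from the original article, and not a Thales payShield interface), the following Go program models two of the use cases listed above, PIN block formation and PIN block translation, with a software stand-in for the HSM boundary. It builds an ISO 9564 format 0 PIN block, encrypts it under an acquirer zone PIN key, and translates it to the issuer’s zone key, refusing to return anything if the block does not decode cleanly under the supplied PAN. The key labels, the two test keys and the PAN are constructed for the example; real zone keys are 3DES or AES keys that never exist outside the HSM.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

const digits = "0123456789"

// isoFormat0 builds an ISO 9564 format 0 PIN block: PIN field (0, PIN length, PIN digits, F padding) XOR PAN field.
func isoFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 || strings.Trim(pin+pan, digits) != "" {
		return nil, errors.New("PIN must be 4 to 12 digits and PAN at least 13 digits")
	}
	block, _ := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + strings.Repeat("F", 14-len(pin)))
	panField, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1]) // rightmost 12 digits before the check digit
	for i := range block {
		block[i] ^= panField[i]
	}
	return block, nil
}

// decodeFormat0 reverses isoFormat0 with the sanity checks a payment HSM applies before it
// accepts a block: control nibble 0, PIN length 4..12, decimal PIN digits, F padding.
func decodeFormat0(block []byte, pan string) (string, error) {
	if len(block) != 8 || len(pan) < 13 || strings.Trim(pan, digits) != "" {
		return "", errors.New("bad block or PAN")
	}
	panField, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	clear := make([]byte, 8)
	for i := range clear {
		clear[i] = block[i] ^ panField[i]
	}
	h := strings.ToUpper(hex.EncodeToString(clear))
	n := int(clear[0] & 0x0F)
	if h[0] != '0' || n < 4 || n > 12 || strings.Trim(h[2:2+n], digits) != "" || strings.Trim(h[2+n:], "F") != "" {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return h[2 : 2+n], nil
}

// hsm stands in for the tamper-responsive boundary: zone PIN keys (ZPKs) live only here
// and a clear PIN block is never handed back to the host application.
type hsm map[string]cipher.Block

// loadZPK installs a double-length (16-byte) 3DES zone PIN key, expanded to K1 K2 K1, under a label.
func (h hsm) loadZPK(label, keyHex string) error {
	key, err := hex.DecodeString(keyHex)
	if err != nil || len(key) != 16 {
		return errors.New("ZPK must be 32 hex digits")
	}
	blk, err := des.NewTripleDESCipher(append(key, key[:8]...))
	if err != nil {
		return err
	}
	h[label] = blk
	return nil
}

// encryptPIN is the PIN-entry side: form the block and return only its ciphertext under the zone key.
func (h hsm) encryptPIN(label, pin, pan string) ([]byte, error) {
	clear, err := isoFormat0(pin, pan)
	blk, ok := h[label]
	if err != nil || !ok {
		return nil, errors.New("bad PIN/PAN or unknown key label")
	}
	out := make([]byte, 8)
	blk.Encrypt(out, clear)
	return out, nil
}

// translate is the network-switch operation: decrypt under the incoming zone key, validate the
// clear block, re-encrypt under the outgoing zone key. The clear block exists only inside this function.
func (h hsm) translate(fromLabel, toLabel, pan string, enc []byte) ([]byte, error) {
	from, ok1 := h[fromLabel]
	to, ok2 := h[toLabel]
	if !ok1 || !ok2 || len(enc) != 8 {
		return nil, errors.New("unknown key label or bad block length")
	}
	clear := make([]byte, 8)
	from.Decrypt(clear, enc)
	if _, err := decodeFormat0(clear, pan); err != nil {
		return nil, fmt.Errorf("translation refused: %w", err)
	}
	out := make([]byte, 8)
	to.Encrypt(out, clear)
	return out, nil
}

func main() {
	h := hsm{}
	_ = h.loadZPK("ZPK_ACQ", "0123456789ABCDEFFEDCBA9876543210") // constructed test keys, not real ZPKs
	_ = h.loadZPK("ZPK_ISS", "FEDCBA98765432100123456789ABCDEF")
	encAcq, _ := h.encryptPIN("ZPK_ACQ", "1234", "4000001234567899") // constructed PAN
	encIss, err := h.translate("ZPK_ACQ", "ZPK_ISS", "4000001234567899", encAcq)
	fmt.Printf("acquirer zone: %X\nissuer zone: %X\nerror: %v\n", encAcq, encIss, err)
}
```

In a real switch the host application sends the payment HSM only ciphertext and key references; the clear block inside translate corresponds to what exists only within the tamper-responsive boundary. The format check before re-encryption is why the HSM refuses malformed input instead of behaving as a general decrypt-and-re-encrypt service, and it is also why the PAN supplied with the block must match the one used when the block was formed.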

5 Practical benefits of HSM for securing digital means of payment and financial transactions

HSMs are essential for companies that handle data from digital means of payment, such as credit or debit cards, but other companies can also benefit from using HSMs.

There are many benefits to using an HSM to protect your data in digital payment and financial transactions:

1. Offers maximum security

HSMs provide one of the highest levels of security against external threats. They are safe to use and help protect against malicious attacks.

2. Take customer data seriously

Show customers that you take their privacy seriously by making an effort to protect their information, especially digital means of payment.


3. Get HSM as a service

For companies that cannot invest in an HSM but need to be PCI DSS certified, some IT providers offer HSM as a service, which makes this technology more accessible and affordable for some companies.

4. Keep your key in only one place

Unlike a key stored in software, where it could end up virtually anywhere, a key generated in an HSM stays in the HSM, making it easier to track and secure. The key never leaves the device in clear form; at most it can be exported wrapped under another key, and only if the key’s policy allows it.

5. Enjoy tamper-proof protection

Depending on the model, HSMs are tamper-resistant, tamper-evident or tamper-responsive (erasing keys when an intrusion is detected), providing a level of protection that is difficult to achieve with software alone.

HSMs have historically provided the most secure protection for encryption keys

For digital means of payment, hardware security modules (HSMs) mean one important thing: double protection, because they actively protect the keys that secure your data.

These external devices or plug-in hardware modules are primarily purchased and provisioned locally in an enterprise data center.

But as businesses rapidly adopt cloud environments – private, public and hybrid – the HSM approach to key management is no longer straightforward.

Unlike purely software-based solutions, they provide hardware-based protection for critical systems such as public key infrastructures (PKIs), databases and web or application servers.

In this way, HSMs offer maximum security against external physical, chemical and mechanical attacks.

But HSMs can do much more for digital means of payment. The processes of encryption and decryption, issuance of electronic certificates, generation of digital certificates or signatures, and authentication of users and devices can be “outsourced” to HSMs for execution in compliance with maximum security standards and legal provisions.

Thus, HSMs also protect safety-critical processes and effectively prevent the reading and manipulation of confidential keys.

Learn more about the use of HSM applied to payment methods from E-VAL experts and how to apply encryption technology effectively in your business.

We are available to answer your questions and help you define the best ways to protect your organization and your digital means of payment against data leakage and theft.

About Eval

Eval has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With market recognized value, Eval’s solutions and services meet the highest regulatory standards for public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


Hardware Security Module, Choose the Best

Hardware security module (HSM) usage grew at a record rate from 41% in 2018 to 47% in 2019, indicating the need for a hardened, tamper-resistant environment with higher levels of trust, integrity and control for data and applications, said the Ponemon Institute’s 2019 Global Encryption Trends Study report.

Research shows that the use of HSM is no longer limited to traditional use cases such as public key infrastructure (PKI), databases, application and network encryption (TLS/SSL).

Demand for reliable encryption for new digital initiatives drove significant HSM growth in 2018 for code signing (up 13%), big data encryption (up 12%), IoT security (up 10%) and document signing (up 8%).

In addition, 53% of respondents reported using on-premises HSMs to secure access to public cloud applications.

Strengthen your company’s IT security with encryption

The use of encryption is a clear indicator of a strong security posture: companies that deploy encryption are more aware of threats to sensitive and confidential information and make a greater investment in IT security.

The adoption of encryption is also being driven by the need to protect sensitive information from internal and external threats, as well as accidental disclosure due to compliance requirements such as the General Data Protection Act (GDPR).

But data sprawl, concerns about data discovery and policy enforcement, along with a lack of cybersecurity skills make this a challenging environment.

This is when HSM becomes part of your safety and security strategy.

Do you need a hardware security module to protect your information?

A hardware security module (HSM) is a physical device that provides extra security for sensitive data. This type of device is used to provide cryptographic keys for critical functions such as encryption, decryption and authentication for the use of applications, identities and databases.

To give an idea, a company can use a hardware security module to protect trade secrets of significant value by ensuring that only authorized individuals can access the HSM to complete an encryption key transaction; that is, access is controlled properly and, where necessary, with multiple authentication factors, which is a security recommendation adopted today.

In addition, the entire life cycle of the encryption key, from creation through management and storage to revocation, takes place inside the HSM.

Digital signatures can also be managed through an HSM and all access transactions are logged to create an audit trail. In this way, a hardware security module can help companies move sensitive information and processes from paper documentation to a digital format.

Multiple HSMs can be used together to provide public key management without slowing down applications.

But how do you know which hardware security module (HSM) is best for your business needs?

In general, a hardware security module provides cryptographic functionality. There are free downloadable crypto components on the market that do pretty much anything an HSM would do. So why make the investment in an HSM?

Basically, there are three main reasons: increased security, cryptographic performance, and an industry-standardized certification and validation program.


If selected carefully and implemented correctly, an HSM provides a considerable increase in safety and security for businesses. It does this in an operational environment where keys are generated, used and stored on what should be a tamper-resistant hardware device.

It is this ability to securely create, store and use cryptographic keys that is the greatest benefit of HSM.

There are many attributes that vendors emphasize to try to make their product appear superior to others. The following attributes are really desirable from a security perspective:

  • The key generator and secure key storage feature;
  • A tool to assist authentication by verifying digital signatures;
  • A tool for securely encrypting sensitive data for storage in a relatively unsecured location such as a database;
  • A tool to verify the integrity of data stored in a database;
  • A secure key generator for smartcard production.

But companies today are under “relentless pressure” to protect their business-critical information and applications and meet regulatory compliance, and adopting functionality that is considered basic does not make a traditional HSM the best choice.

What makes the Thales Luna HSM solution the best hardware security module option for your company’s needs?

Thales Hardware Security Modules provide the highest level of security by always storing cryptographic keys in hardware.

In addition, they provide a secure encryption foundation, as the keys never leave the FIPS-validated, intrusion-resistant, tamper-proof device.

Since all cryptographic operations take place inside the HSM, strong access controls prevent unauthorized users from accessing confidential cryptographic material.

In addition, Thales also implements operations that make deploying secure HSMs as easy as possible, and its HSMs are integrated with the Thales Crypto Command Center for fast and easy partitioning, reporting, and monitoring of cryptographic resources.

Thales’ HSMs follow strict design requirements and must pass rigorous product verification tests, followed by real-world application testing to verify the security and integrity of each device.

Thales’ HSMs are cloud agnostic and are the HSM of choice for Microsoft, AWS and IBM, providing a hardware security module service that dedicates a single tenant device located in the cloud for the customer’s cryptographic processing and storage needs.

With Thales hardware security modules, you can:

  • Address compliance requirements for blockchain solutions, LGPD and Open Banking, IoT, innovation initiatives such as the Central Bank of Brazil's Pix, and prominent certifications such as PCI DSS; cover digital signatures, DNSSEC, hardware key storage, transactional acceleration, certificate signing, code or document signing, bulk key generation and data encryption;
  • Keep keys generated and always stored in an intrusion-resistant, tamper-proof, FIPS-validated device with the strongest levels of access control;
  • Create partitions with a dedicated Security Officer per partition and segregate by administrator key separation.

Thales Luna HSMs therefore implement best practices in hardware, software, and operations that make deploying HSMs as easy as possible.


Make the best choice of HSM technology

HSMs are built to protect cryptographic keys. Large banks or corporate offices often operate a variety of HSMs simultaneously.

Key management systems control and update these keys according to internal security policies and external standards.

A centralized key management design has the advantage of streamlining key management and providing the best overview for keys in many different systems.

Learn more about Thales HSM

The encryption keys are literally the key to accessing the organization’s data. They protect an organization’s most sensitive information, so the system that generates and stores them must be protected at all costs.

Thales Luna HSM not only provides the best physical security (it is usually located at the heart of a company’s secure data center) but also ensures that stored keys are never breached.

Unless you operate in an environment where a physical data center is not available, adopt an HSM appliance to secure the organization’s encryption keys, leave virtualized services for the rest of your infrastructure, and take comfort in knowing that your encrypted connections and data are always secure.


Instant Financial Transactions: Security with HSM

Instant financial transactions or instant payments, as they are also known, will play a key role in accelerating the economy. One of the reasons that directly impacts the development of trade in general is the lack of agility in transactions.

Despite the technological advances that have taken place to date, we still have a lot to improve.

With the new payment method, baptized by the Central Bank of Brazil as PIX, the main goal of the electronic transfer is to make financial transactions, such as a transfer between accounts, in less than ten seconds, at any time, every day of the week.

However, the immediacy of this new payment method, despite its numerous benefits, raises a question: if instant payments are made in real time, within a short window, are they not also susceptible to fraudulent maneuvers and cyber attacks?

To reduce these risks, the Brazilian central bank has defined fundamental security requirements to ensure the protection of transactions and user data.

And once again, the use of technology will be key for us to adopt instant financial transactions in a safe and efficient way, promoting the transformation of the means of payment.

The big challenge of instant financial transactions

As part of the development of instant payment solutions, banks face increasing complexity in combating fraudulent financial transactions.

The speed of transactions requires fully automated anti-fraud handling, with no manual review options. The challenge is protection while keeping pace with evolving compliance requirements.

According to the Central Bank, through the PIX technical and business specifications, the instant financial transaction ecosystem should be designed and developed considering good security practices.

This will require ensuring the privacy and protection of users’ data.

Based on this context, the following ecosystem security requirements determined by the CB will need to be met:

Encryption and mutual authentication in communication

Each Payment Service Provider (PSP) must connect to the PIX exclusively via the HTTP protocol over TLS encryption (HTTPS).

There must be mutual authentication when establishing the connection, i.e. both the client and the server must present digital certificates to authenticate themselves.
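
The mutual-authentication requirement above, carried through in Go as an added example (not code from the page, from Eval or from the Central Bank): a standard-library program that runs a TLS handshake in memory between two Payment Service Providers and reports which client identity the server actually verified. The host names `psp-server.example` and `psp-client.example`, the self-signed ECDSA certificates and the trust pools are constructed for the demo; a real PSP would load its ICP-Brasil certificate and trust the ICP-Brasil chain instead. The second handshake deliberately switches the server to the weak setting, server-only TLS, to show that it then has no verified identity for the client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// selfSignedCert is a constructed stand-in for an ICP-Brasil certificate so the demo runs offline.
func selfSignedCert(name string, serial int64) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // lets the certificate act as its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// MutualTLSConfigs is the PIX rule as configuration: both sides present a certificate and the server rejects any client whose certificate does not chain to a trusted CA.
func MutualTLSConfigs(server, client tls.Certificate, clientCAs, serverCAs *x509.CertPool) (*tls.Config, *tls.Config) {
	srv := &tls.Config{
		Certificates:           []tls.Certificate{server},
		ClientAuth:             tls.RequireAndVerifyClientCert, // the mutual-authentication switch
		ClientCAs:              clientCAs,
		SessionTicketsDisabled: true, // no post-handshake writes, so the in-memory pipe cannot stall
	}
	cli := &tls.Config{
		Certificates: []tls.Certificate{client},
		RootCAs:      serverCAs,
		ServerName:   "psp-server.example", // must match a DNS name in the server certificate
	}
	return srv, cli
}

// handshakeOverPipe runs one handshake in memory and returns the CommonName of the client certificate the server verified; "" means the server accepted an anonymous client.
func handshakeOverPipe(srvCfg, cliCfg *tls.Config) (string, error) {
	srvEnd, cliEnd := net.Pipe()
	defer func() { srvEnd.Close(); cliEnd.Close() }()
	var cn string
	done := make(chan error, 1)
	go func() {
		srv := tls.Server(srvEnd, srvCfg)
		err := srv.Handshake()
		if peers := srv.ConnectionState().PeerCertificates; err == nil && len(peers) > 0 {
			cn = peers[0].Subject.CommonName
		}
		done <- err
	}()
	if err := tls.Client(cliEnd, cliCfg).Handshake(); err != nil {
		return "", err // closing the pipe ends the server goroutine as well
	}
	if err := <-done; err != nil {
		return "", err
	}
	return cn, nil
}

// DemoMutualTLS contrasts the required setting with the weak one: the client identity seen by a server that demands a certificate, and the empty identity seen by a server-only TLS endpoint.
func DemoMutualTLS() (withClientCert, withoutClientCert string, err error) {
	serverCert, errS := selfSignedCert("psp-server.example", 1)
	clientCert, errC := selfSignedCert("psp-client.example", 2)
	if err = errors.Join(errS, errC); err != nil {
		return "", "", err
	}
	clientCAs, serverCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(clientCert.Leaf)
	serverCAs.AddCert(serverCert.Leaf)
	srvCfg, cliCfg := MutualTLSConfigs(serverCert, clientCert, clientCAs, serverCAs)
	if withClientCert, err = handshakeOverPipe(srvCfg, cliCfg); err != nil {
		return "", "", err
	}
	weakSrv, anonCli := srvCfg.Clone(), cliCfg.Clone()
	weakSrv.ClientAuth = tls.NoClientCert // server-only TLS: the weak setting
	anonCli.Certificates = nil           // the client has nothing to present
	withoutClientCert, err = handshakeOverPipe(weakSrv, anonCli)
	return withClientCert, withoutClientCert, err
}
```

Both handshakes run over `net.Pipe` rather than a listening socket so the example needs no network; the two `tls.Config` values are exactly what a real listener or client would be given.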

Digital signature of messages exchanged during instant payments

All messages transmitted on the PIX must be digitally signed by the sender. The receiver will verify the digital signature of each message to ensure its integrity and non-repudiation.

In addition, signatures must appear in the Business Application Header (BAH) of ISO 20022 messages, and the standard adopted is XMLDSig, using the RSA-SHA256 algorithm for signing.

Use and management of Digital Certificates

For both communication encryption and digital signature, ICP-Brasil certificates in the SPB standard should be used.

The activation of a new certificate for a financial institution that makes use of instant financial transactions will take place by sending a specific file in the File Transfer System (STA).

Once the certificate has been validated by the CB, it will be activated automatically.


Maintenance of security logs

All participants in the PIX ecosystem should maintain security logs to record all messages sent and received, allowing for auditing of the messages passed.

The records should contain time references identifying when the messages were signed. In addition, the certificates used and identification of the algorithms used to verify the signature of messages should also be recorded.
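
The signing and logging rules in the two subsections above, written out as an added Go example (not code from the page, from Eval or from the Central Bank): the sender signs with RSA-SHA256 in PKCS#1 v1.5 form, which is what the XMLDSig `rsa-sha256` identifier denotes, the receiver verifies with the sender's public key, and each side writes the log record the page requires: the time reference of the signature, the certificate used and the algorithm. Assumptions: the signature covers the raw message bytes together with the signing time rather than a canonicalized XMLDSig `SignedInfo` inside the BAH, because XML canonicalization needs a library the standard library lacks; the signer identifier is a public-key fingerprint standing in for the certificate serial; the message fragment and the sender key are constructed here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"time"
)

// RSASHA256 is the XMLDSig identifier for RSA with SHA-256 (RFC 4051), the algorithm the PIX
// rule names; storing it in the log lets an auditor re-run the verification later.
const RSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// SignedMessage stands in for an ISO 20022 message: body, signing time, signer identifier and the
// detached signature that PIX would carry in the Business Application Header.
type SignedMessage struct {
	Body      []byte
	SignedAt  time.Time
	SignerID  string
	Signature []byte
}

// LogEntry is the security-log record: time reference of the signature, certificate used (here a
// public-key fingerprint standing in for the certificate) and the algorithm needed to verify.
type LogEntry struct {
	Direction string // "sent" or "received"
	SignedAt  time.Time
	SignerID  string
	Algorithm string
	Verified  bool
}

// keyID is the constructed certificate identifier: the first 8 bytes of SHA-256 over the SPKI.
func keyID(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:8])
}

// digest binds the body to its signing time so a captured body cannot be re-dated.
func digest(body []byte, at time.Time) []byte {
	h := sha256.New()
	h.Write([]byte(at.UTC().Format(time.RFC3339Nano)))
	h.Write([]byte{0}) // separator between the two fields
	h.Write(body)
	return h.Sum(nil)
}

// Sign is the sender side: RSA-SHA256 (PKCS#1 v1.5) over the digest, plus the sender's log entry.
func Sign(key *rsa.PrivateKey, body []byte, at time.Time) (SignedMessage, LogEntry, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(body, at))
	if err != nil {
		return SignedMessage{}, LogEntry{}, err
	}
	id := keyID(&key.PublicKey)
	msg := SignedMessage{Body: body, SignedAt: at, SignerID: id, Signature: sig}
	return msg, LogEntry{Direction: "sent", SignedAt: at, SignerID: id, Algorithm: RSASHA256, Verified: true}, nil
}

// Verify is the receiver side: the signature is checked against the sender's public key, which
// in PIX comes from the sender's ICP-Brasil certificate, and the outcome is logged either way.
func Verify(senderPub *rsa.PublicKey, msg SignedMessage) (LogEntry, error) {
	entry := LogEntry{Direction: "received", SignedAt: msg.SignedAt, SignerID: msg.SignerID, Algorithm: RSASHA256}
	if msg.SignerID != keyID(senderPub) {
		return entry, errors.New("signer identifier does not match the expected sender")
	}
	err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest(msg.Body, msg.SignedAt), msg.Signature)
	entry.Verified = err == nil
	return entry, err
}

// DemoSignVerify runs a constructed exchange: a message is signed, verified intact, then verified
// again after one bit of the body was flipped in transit.
func DemoSignVerify() (sent, received, tampered LogEntry, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // constructed sender key for the demo
	if err != nil {
		return
	}
	body := []byte(`<Document><CdtTrfTxInf><Amt Ccy="BRL">150.00</Amt></CdtTrfTxInf></Document>`)
	msg, sent, err := Sign(key, body, time.Now())
	if err != nil {
		return
	}
	if received, err = Verify(&key.PublicKey, msg); err != nil {
		return
	}
	forged := msg
	forged.Body = append([]byte(nil), msg.Body...)
	forged.Body[len(forged.Body)/2] ^= 1 // one bit changed in transit
	tampered, _ = Verify(&key.PublicKey, forged) // fails: Verified stays false
	return sent, received, tampered, nil
}
```

The receiver logs the rejected message too: an audit of the PIX exchange needs the failed verifications as much as the successful ones, and the entry still names the signer and algorithm that were claimed.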

While the essence of protecting instant payments lies in data encryption as a solution to protect information relating to PIX transactions, companies can be challenged by the cost and complexity of deploying encryption.

This includes the management of certificates and digital signatures, as well as hardware security modules to protect cryptographic operations.

Indeed, with the worsening threat landscape, combined with aggressive cloud adoption and evolving privacy regulations, new challenges related to encryption, privileged access and financial transactions have emerged for financial institutions seeking to evolve the industry.

In addition, many organizations would like to deploy data security more broadly, but are often cautious due to concerns about requirements, complexity, cost and staffing, particularly with respect to encryption and key management.

HSM technology is designed for safety practices and regulatory requirements

When it comes to instant financial transactions, security is one of the most important issues. Banks and financial institutions can suffer considerable financial losses in the event of fraud.

Reliable and flexible protection solutions integrated with payment systems are needed.

A hardware security module (HSM) is a physical device that provides extra security for sensitive data.

This type of device is used to provision cryptographic keys for critical functions such as encryption, decryption and authentication for the use of applications, identities and databases.

As an example, companies can use an HSM to protect trade secrets with significant value. This ensures that only authorized individuals can access the HSM to complete an encryption key transaction.

In the applied context of instant financial transactions, the HSM is recommended for financial institutions to perform the proper management process (generation, safekeeping, activation and revocation) of their digital certificates used within PIX.

HSM solutions are useful for companies that need to run digital rights management or a public key infrastructure.

These systems can be used to provide high levels of security for products that need it, particularly to ensure regulatory compliance.

The direct benefits of HSM applied to instant financial transactions

There are many benefits to using an HSM: these systems are often designed to meet stringent government and regulatory standards, such as the Central Bank’s PIX.

They usually have strong access controls and role-based privilege models, hardware specifically designed for cryptographic operations and resistance to physical tampering, and flexible API options for access.

Using an HSM is the most secure way to store cryptographic keys and manage their lifecycle. Its applicability is now standard practice for any highly regulated organization employing, for example, cloud services.

Cloud providers that don’t offer such tools and capabilities are likely to lose business from government, financial and healthcare customers, who demand strong protection controls for all key material.

To contribute to the transformation process and assist in the implementation of instant financial transaction systems, Eval has digital signature and certificate solutions such as E-VALCryptoCOMPE, a technology developed to provide high-performance digital signatures, and EVALCryptoSPB, which today handles the digital signature of messages exchanged by the National Financial System. To help with this challenge, your company can count on Eval’s help.

Finally, it is necessary to choose a quality HSM; for this, Eval markets the Luna from Thales, the world leader in HSM.


Cryptographic Key Management: Learn How to Protect Yourself

Hardware Security Module (HSM) basically consists of a physical device that provides extra security for sensitive data. This type of device is used to take care of cryptographic key management for critical functions such as encryption, decryption and authentication for the use of applications, identities and databases.

Companies can use an HSM to protect trade secrets with significant value. This ensures that only authorized individuals can access the device and use the key stored on it.

Responsible for performing cryptographic operations and Cryptographic Key Management

HSM solutions are designed to meet stringent government and regulatory standards and often have strong access controls and role-based privilege models.

Designed specifically for fast cryptographic operations and resistant to logical and physical tampering, adopting an HSM is the most secure way to perform cryptographic key management. However, its use is not so practical and requires additional software.

The use of HSM should be standard practice for any highly regulated organization, thus preventing these companies from losing business from customers such as the government, financial and healthcare systems, which require strong protection controls for all data considered sensitive in their operations.

It is also important for companies to adopt, as part of their strategies, the care not to run risks for lack of the necessary protection, since such risks can tarnish the image of the organization.

Best practices and uses of the HSM

The use of HSMs can provide improved cryptographic throughput and result in a more secure and efficient architecture for your business.

HSM becomes a vital component in a security architecture, which not only minimizes business risks but also achieves top performance in cryptographic operations.

Some of the best practices and use cases for HSMs used by leading security practitioners are as follows:

Storage of certificate authority keys

The security of certificate authority (CA) keys is most critical in a Public Key Infrastructure (PKI). If a CA key is compromised, the security of the entire infrastructure is at risk.

CA keys are primarily stored in dedicated HSMs to provide protection against tampering and disclosure against unauthorized entities. This can be done even for internal CAs.

Storage and management of application keys

Cryptography, considered essential in many businesses, also benefits from the powerful performance of HSMs, which do an excellent job of minimizing the performance impact of asymmetric (public key) cryptography because they are optimized for the encryption algorithms.

A prime example of this is database encryption, where high latency per transaction cannot be tolerated. But don’t forget to encrypt only what is necessary, so your solution won’t spend time on non-sensitive information.

Encryption operations

Encryption operations are sometimes time consuming and can slow down applications. HSMs have dedicated and powerful cryptographic processors that can simultaneously perform thousands of cryptographic operations.

They can be effectively used by offloading cryptographic operations from application servers.

Full audit trails, logging and user authorization

HSMs should keep the record of cryptographic operations such as key management, encryption, decryption, digital signature and hashing according to the date and time the operation was performed. The process of recording events involves the authenticity and protection of the time source.

Modification of the date and time settings interface requires strong authentication by a smart card or at least two people to sanction or authorize this task.

Destruction of keys in case of attacks

HSMs follow strict safety requirements. The most important content of an HSM is its keys. In the event of a physical or logical attack, they reset or erase all their keys so these don’t fall into the wrong hands.

The HSM should “reset” itself, deleting all sensitive data if it detects any undue tampering. This prevents an attacker who has gained access to the device from gaining access to the protected keys.

The full lifecycle of keys

NIST, the National Institute of Standards and Technology, a non-regulatory agency of the US Department of Commerce, defines the encryption key lifecycle as 4 main stages of operation: pre-operational, operational, post-operational and deletion, and requires that, among other things, an operational encryption period be defined for each key. For more details, see pages 84 to 110 of the NIST publication.

Under this definition, a cryptographic period is the “time interval during which a specific key is authorized for use”.

In addition, the cryptographic period is determined by combining the estimated time during which encryption will be applied to the data (the period of use) and the period during which it will be decrypted for use.

Long-term encryption

But after all, since an organization may reasonably want to encrypt and decrypt the same data for years on end, other factors may come into play when considering the cryptographic period:

It can, for example, be limited by:

  • Amount of information protected by a given key;
  • Amount of exposure if a single key is compromised;
  • Time available for physical, procedural and logical access attempts;
  • Period within which information may be compromised by inadvertent disclosure.

This can be boiled down to a few key questions:

  • For how long will the data be used?
  • How is the data being used?
  • How much data is there?
  • What is the sensitivity of the data?
  • How much damage will be caused if data is exposed or keys lost?

So the general rule is: as the sensitivity of the protected data increases, the lifetime of an encryption key decreases.

Given this, we see that your encryption key may have a shorter active life than an authorized user’s access to the data. This means that you will need to archive deactivated keys and use them only for decryption.

Once the data has been decrypted by the old key, it will be encrypted by the new key and over time the old key will no longer be used to encrypt/decrypt data and can be deleted.
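
The lifecycle this section describes, written out as an added Go example (not code from the page, from NIST or from Eval): a small key ring that moves keys through the four stages the page names, refuses to encrypt once a key's cryptoperiod has ended, keeps archived keys for decryption only so old data can be re-encrypted under the new key, and only then lets the old key be destroyed. The ring is a software stand-in for the HSM, the cryptoperiod and the clock are injected so the expiry path can be exercised, and AES-256-GCM is the assumed data cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// KeyState mirrors the four NIST lifecycle stages named above.
type KeyState int

const (
	PreOperational  KeyState = iota // generated, not yet allowed to protect data
	Operational                     // inside its cryptoperiod: may encrypt and decrypt
	PostOperational                 // archived: decrypt only, so old data can be re-encrypted
	Destroyed                       // key material erased
)

type ManagedKey struct {
	State     KeyState
	ExpiresAt time.Time   // end of the cryptoperiod
	aead      cipher.AEAD // nil once destroyed
}

// KeyRing is a constructed in-software stand-in for the key store the page assigns to an HSM.
type KeyRing struct {
	keys   map[string]*ManagedKey
	active string           // id of the one operational key
	period time.Duration    // cryptoperiod applied to every activated key
	now    func() time.Time // injected clock so expiry can be exercised
}

func NewKeyRing(cryptoperiod time.Duration, now func() time.Time) *KeyRing {
	return &KeyRing{keys: map[string]*ManagedKey{}, period: cryptoperiod, now: now}
}

// Generate creates a pre-operational key; it cannot protect data until Activate.
func (r *KeyRing) Generate() (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(raw)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	id := fmt.Sprintf("k%d", len(r.keys)+1) // keys are never removed, so ids stay unique
	r.keys[id] = &ManagedKey{State: PreOperational, aead: aead}
	return id, nil
}

// Activate starts a key's cryptoperiod and archives the key it replaces (decrypt only from then on).
func (r *KeyRing) Activate(id string) error {
	k, ok := r.keys[id]
	if !ok || k.State != PreOperational {
		return fmt.Errorf("key %s is not pre-operational", id)
	}
	if old, ok := r.keys[r.active]; ok {
		old.State = PostOperational
	}
	k.State, k.ExpiresAt, r.active = Operational, r.now().Add(r.period), id
	return nil
}

// Encrypt uses only the active key and refuses once its cryptoperiod has ended.
func (r *KeyRing) Encrypt(plain []byte) (string, []byte, error) {
	k, ok := r.keys[r.active]
	if !ok || k.State != Operational {
		return "", nil, fmt.Errorf("no operational key")
	}
	if !r.now().Before(k.ExpiresAt) {
		return "", nil, fmt.Errorf("cryptoperiod of %s has ended: rotate before encrypting", r.active)
	}
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	return r.active, k.aead.Seal(nonce, nonce, plain, []byte(r.active)), nil // nonce || ciphertext, key id as AAD
}

// Decrypt works with operational and archived keys; a destroyed key recovers nothing.
func (r *KeyRing) Decrypt(id string, ct []byte) ([]byte, error) {
	k, ok := r.keys[id]
	if !ok || (k.State != Operational && k.State != PostOperational) {
		return nil, fmt.Errorf("key %s cannot decrypt in its current state", id)
	}
	if ns := k.aead.NonceSize(); len(ct) >= ns {
		return k.aead.Open(nil, ct[:ns], ct[ns:], []byte(id))
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Destroy erases an archived key; an operational key has to be rotated out first.
func (r *KeyRing) Destroy(id string) error {
	k, ok := r.keys[id]
	if !ok || k.State != PostOperational {
		return fmt.Errorf("key %s is not archived; refusing to destroy", id)
	}
	k.State, k.aead = Destroyed, nil
	return nil
}
```

Re-encryption is `Decrypt` under the archived key followed by `Encrypt`, which always picks the operational key; once no ciphertext still references the old key, `Destroy` wipes it, and the ring refuses to destroy a key that is still operational.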

Life cycle management of cryptographic keys using HSM

It has often been said that the most difficult part of cryptography is key management. This is because the discipline of cryptography is a mature science where most of the major issues have been addressed.

On the other hand, key management is considered recent, subject to individual design and preference rather than objective facts.

An excellent example of this is the extremely diverse approaches HSM manufacturers have taken to implementing their key management, which eventually led to the development of another product line, CipherTrust. It has several features of HSMs and others that are unique, such as anonymization and authorization, for example.

However, there have been many cases where HSM manufacturers have allowed some insecure practices to go unnoticed, resulting in vulnerabilities that have compromised the lifecycle of cryptographic keys.

Therefore, when looking for an HSM to manage full lifecycle, secure and general purpose, it is essential to inspect those that have excellent customer references, long deployment life and quality certifications.

HSM in a nutshell

To summarize, an HSM is typically a server with different levels of security protection or simply “protection” that prevents breaches or loss. We can summarize it like this:

  • Tamper-evident: addition of tamper-evident coatings or seals on bolts or latches on all removable lids or doors.
  • Tamper-resistant: addition of “tamper detection/response circuitry” that erases all sensitive data.
  • Tamper-proof: complete module hardening with tamper-evident/resistant screws and locks, together with the highest-sensitivity “tamper detection/response circuitry” that erases all sensitive data.

With many organizations moving some or all of their operations to the cloud, the need to move their security to this architecture has also emerged.

The good news is that many of the leading HSM manufacturers have developed solutions to install traditional HSMs in cloud environments.

Therefore, the same levels of “protection” apply when we have a traditional HSM in a cloud environment.

Learn more about the use of HSM in cryptographic key management in our blog and find out how to apply encryption technology effectively in your business by contacting Eval’s experts.

We are available to answer your questions and help you define the best ways to protect your organization against data leakage and theft.
