Search
Close this search box.
Facebook Instagram Linkedin

Tag: key management

Categories
Data Protection

Cryptographic Key Management in the cloud, meet DPoD

Many organizations face difficulties in implementing an effective cryptographic key management system. This is due in part to the complexity of the process and the tools needed to implement and maintain a secure system. This is when HSM in the cloud makes the difference.

To reduce complexity in Cryptographic Key Management, companies implementHardware Security Modules (HSM) solutions that can be deployed on-premises or in the cloud.

HSM in the cloud overcomes the challenge of Cryptographic Key Management

HSM in the cloud basically consists of a secure hardware device that is being managed by a cloud provider.

The cloud provides access to cryptographic keys for the business applications that need them, without exposing the keys to the security risks associated with the Internet.

Companies are increasingly interested in using the cloud for their business because of the advantages it offers, such as flexibility, scalability, and cost-effectiveness.

By allowing keys to be managed outside the corporate network, the cloud simplifies the process and makes it more secure.

This means that keys no longer have to be stored in a single location and can be accessed from anywhere in the world, 24 hours a day.

Managing cryptographic keys using HSM in the cloud also offers more flexibility in terms of scalability.

Keys can be created and managed dynamically to meet business needs, without the need for a large up-front investment.

HSM in the cloud also allows keys to be easily shared across different departments and geographies, which simplifies collaboration and makes it easy for teams to work together.

Finally, cryptographic key management using HSM in the cloud offers greater control and traceability. Keys can be tracked and monitored to ensure they are being used according to company policies.

Are Cloud Cryptographic Key Management as secure as on-premise HSMs?

When it comes to security, people tend to think that “local is always better”. However, this is not always true, especially when it comes to cryptographic key management.

In fact, many organizations are discovering that using cloud HSMs can offer more security than on-premise security modules.

This is because cloud HSMs are generally more secure than on-premise HSM. After all, they are running in a secure environment being managed by highly experienced security teams.

In addition, Cryptographic Key Management using cloud HSMs generally have more security features than on-premises security modules, which means they are less likely to be compromised.

However, it is important to note that cloud HSMs are still susceptible to attacks.

Therefore, organizations should take steps to secure their security modules, as well as look for providers that offer robust security features.

Thales Data Protection on Demand (DPoD): not just security, data protection on demand

Thales Data Protection on Demand is a cloud-based platform that provides a wide range of Cryptographic Key Management services using and HSM in the cloud through a simple online marketplace.

With Data Protection on Demand (DPoD), security is simpler, more cost-effective, and easier to manage because there is no hardware to buy, deploy, and maintain.

Thales Data Protection on Demand is just a click away. Just click and deploy the protection your company needs, provision services, add security policies, and get usage reports in minutes.

Achieve data security quickly and efficiently

With Data Protection on Demand, you have access to a wide range of security services simply by clicking and deploying what you need to protect dozens of applications and use cases.

It’s as simple as that.

Zero upfront capital investment and pay-as-you-go pricing

There is no hardware or software to buy, support, and upgrade, so you have no capital expenditure.

Plus, with unique pay-as-you-grow pricing, you have the flexibility to purchase services to meet your changing business needs.

 

 

Protect data anywhere and meet compliance mandates

With DPoD, you can protect sensitive data in any environment, cloud, hybrid or on-premises, to manage your security policies and meet regulatory and compliance requirements. Protect the data you create, store, and analyze.

Enable your applications with cryptography: Blockchain, Cloud, and Internet of Things.

Centralize management of Cryptographic Keys across all clouds

Data Protection on Demand is cloud-independent, so whether you use Salesforce.com, Amazon Web Services, Google, IBM, and Microsoft Azure, or a combination of cloud and on-premises solutions, you are always in control of your encryption key management.

Easily integrate with your cloud, hybrid, and IT services

Data Protection on Demand comes with pre-configured APIs that make it easy to integrate Luna Cloud HSM and cryptographic key management services to protect your applications and data.

With seamless key migration between Luna Cloud HSM services and Luna HSM on-premises appliances, Thales helps customers ensure that their data and the keys to that data are secure.

This holds true regardless of where your information resides. In addition, the company supports third-party HSM integration, common SDK and API support, and high-availability group access for local Luna devices and DPoD services.

Infinite scalability and elasticity

Scale up or down the cryptographic key management and HSM services as your requirements change. You can easily extend cloud and hybrid HSM and key management capabilities and encryption features without limitations.

Focus on your business

Not in the management of security hardware and software. Find out how the Eval and Thales partnership can help your company.

Use Data Protection on Demand and you won’t need to purchase, provision, configure, and maintain hardware and software for your HSM and cryptographic key management needs.

All physical hardware, software, and infrastructure are managed by the existing official partnership between Eval and Thales, including an SLA, so you can focus on your business.

We deploy and manage cryptographic key management module services and hardware security, on-demand and in the cloud.

  • Focus on services, not hardware;
  • Implants in minutes, not days;
  • Buy only what you need and reduce costs;
  • Protect data anywhere;
  • Real-time reporting and visibility;
  • It integrates easily with existing applications, infrastructure, and IT services.

Data Protection on Demand (DPoD) has expanded its service capabilities to include partner-led security services, expanding the value of Thales Luna HSMs’ extensive range of integrations across the entire security ecosystem.

With on-demand data protection, Eval and Thales can offer encryption and key management services quickly and easily.

Eval Professional Services has a team of specialized professionals with the best practices in the market

Benefit from our years of experience and expertise in information security and compliance with the General Data Protection Act (LGPD).

We will be your partner for realizing digitization projects in compliance with security and data protection regulations.

We share our expertise across all business flows in healthcare organizations to help you minimize risk, maximize performance, and ensure the data protection your patients and partners expect.

About Eval

With a track record of leadership and innovation dating back to 2004, Eval not only keeps up with technological trends, but we are also in an incessant quest to bring news by offering solutions and services that make a difference to people’s lives.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Categories
Data Protection

Cryptographic Key Management: Learn How to Protect Yourself

Hardware Security Module (HSM) basically consists of a physical device that provides extra security for sensitive data. This type of device is used to take care of cryptographic key management for critical functions such as encryption, decryption and authentication for the use of applications, identities and databases.

Companies can use an HSM to protect trade secrets with significant value. This ensures that only authorized individuals can access the device and use the key stored on it.

Responsible for performing cryptographic operations and Cryptographic Key Management

HSM solutions are designed to meet stringent government and regulatory standards and often have strong access controls and role-based privilege models.

Designed specifically for fast cryptographic operations and resistant to logical and physical tampering, adopting an HSM is the most secure way to perform cryptographic key management. However, its use is not so practical and requires additional software.

The use of HSM should be standard practice for any highly regulated organization, thus preventing these companies from losing business from customers such as the government, financial and healthcare systems, which require strong protection controls for all data considered sensitive in their operations.

It is also important for companies that adopt, as part of their strategies, the care not to take risks due to lack of necessary protection, these being able to tarnish the image of the organization.

Best practices and uses of the HSM

The use of HSMs can provide improved cryptographic throughput and result in a more secure and efficient architecture for your business.

HSM becomes a vital component in a security architecture, which not only minimizes business risks but also achieves top performance in cryptographic operations.

Some of the best practices and use cases for HSMs used by leading security practitioners are as follows:

Storage of certificate authority keys

The security of certificate authority (CA) keys is most critical in a Public Key Infrastructure (PKI). If a CA key is compromised, the security of the entire infrastructure is at risk.

CA keys are primarily stored in dedicated HSMs to provide protection against tampering and disclosure against unauthorized entities. This can be done even for internal CAs.

Storage and management of application keys

Cryptography, considered essential in many businesses, is also helped by the powerful performance of HSMs, doing an incredible job of minimizing performance impact of using asymmetric cryptography (public key cryptography) as they are optimized for the encryption algorithms.

A prime example of this is database encryption, where high latency per transaction cannot be tolerated. But don’t forget to encrypt only what is necessary, so your solution won’t spend time on non-sensitive information.

Encryption operations

Encryption operations are sometimes time consuming and can slow down applications. HSMs have dedicated and powerful cryptographic processors that can simultaneously perform thousands of cryptographic operations.

They can be effectively used by offloading cryptographic operations from application servers.

Full audit trails, logging and user authorization

HSMs should keep the record of cryptographic operations such as key management, encryption, decryption, digital signature and hashing according to the date and time the operation was performed. The process of recording events involves the authenticity and protection of the time source.

Modification of the date and time settings interface requires strong authentication by a smart card or at least two people to sanction or authorize this task.

Destruction of keys in case of attacks

HSMs follow strict safety requirements. The most important content for an HSM is the keys. In the event of a physical or logical attack, they reset or erase all your keys so they don’t fall into the wrong hands.

The HSM should “reset” itself, deleting all sensitive data if it detects any undue tampering. This prevents an attacker who has gained access to the device from gaining access to the protected keys.

The full lifecycle of keys

NIST, the National Institute of Standards and Technology, a non-regulatory agency of the US Department of Commerce, defines the encryption key lifecycle as 4 main stages of operation: pre-operational, operational, post-operational and deletion, and requires that, among other things, an operational encryption period be defined for each key. For more details, click here and see from page 84 to page 110.

Therefore, a cryptographic period is the “time interval during which a specific key is authorized for use”.

In addition, the cryptographic period is determined by combining the estimated time during which encryption will be applied to the data, including the period of use and the period in which it will be decrypted for use.

Long-term encryption

But after all, since an organization may reasonably want to encrypt and decrypt the same data for years on end, other factors may come into play when considering the cryptographic period:

You can for example limit it to:

  • Amount of information protected by a given key;
  • Amount of exposure if a single key is compromised;
  • Time available for physical, procedural and logical access attempts;
  • Period within which information may be compromised by inadvertent disclosure.

This can be boiled down to a few key questions:

  • For how long will the data be used?
  • How is the data being used?
  • How much data is there?
  • What is the sensitivity of the data?
  • How much damage will be caused if data is exposed or keys lost?

So the general rule is: as the sensitivity of the protected data increases, the lifetime of an encryption key decreases.

Given this, we see that your encryption key may have a shorter active life than an authorized user’s access to the data. This means that you will need to archive deactivated keys and use them only for decryption.

Once the data has been decrypted by the old key, it will be encrypted by the new key and over time the old key will no longer be used to encrypt/decrypt data and can be deleted.

Life cycle management of cryptographic keys using HSM

It has often been said that the most difficult part of cryptography is key management. This is because the discipline of cryptography is a mature science where most of the major issues have been addressed.

On the other hand, key management is considered recent, subject to individual design and preference rather than objective facts.

An excellent example of this is the extremely diverse approaches HSM manufacturers have taken to implementing their key management, which eventually led to the development of another product line, Ciphertrust. It has several features of HSMs and others that are unique, such as anonymization and authorization for example.

However, there have been many cases where HSM manufacturers have allowed some insecure practices to go unnoticed, resulting in vulnerabilities that have compromised the lifecycle of cryptographic keys.

Therefore, when looking for an HSM to manage full lifecycle, secure and general purpose, it is essential to inspect those that have excellent customer references, long deployment life and quality certifications.

HSM in a nutshell

To summarize, an HSM is typically a server with different levels of security protection or simply “protection” that prevents breaches or loss. We can summarize it like this:

  • Tamper-evident: addition of tamper-evident coatings or seals on bolts or latches on all removable lids or doors.
  • Tamper resistant: adding “tamper detection/response circuitry” that erases all sensitive data.
  • Tamper proof: complete module hardening with tamper evident/resistant screws and locks, together with the highest sensitivity “tamper detection/response circuit” that erases all sensitive data

With many organizations moving some or all of their operations to the cloud, the need to move their security to this architecture has also emerged.

The good news is that many of the leading HSM manufacturers have developed solutions to install traditional HSMs in cloud environments.

Therefore, the same levels of “protection” will apply as we have a traditional HSM in a cloud environment.

Learn more about the use of HSM in cryptographic key management in our blog and find out how to apply encryption technology effectively in your business by contacting Eval’s experts.

We are available to answer your questions and help you define the best ways to protect your organization against data leakage and theft.

About Eval

A Eval está há mais de 18 anos desenvolvendo projetos nos segmentos financeiro, saúde, educação e indústria. Desde 2004, oferecemos soluções de Autenticação, Assinatura Eletrônica e Digital e Proteção de Dados. Atualmente, estamos presentes nos principais bancos brasileiros, instituições de saúde, escolas e universidades, além de diferentes indústrias. 

Com valor reconhecido pelo mercado, as soluções e serviços da Eval atendem aos mais altos padrões regulatórios das organizações públicas e privadas, tais como o SBIS, ITI, PCI DSS, e a Lei Geral de Proteção de Dados (LGPD). Na prática, promovemos a segurança da informação e o compliance, o aumento da eficiência operacional das empresas, além da redução de custos. 

Inove agora, lidere sempre: conheça as soluções e serviços da Eval e leve sua empresa para o próximo nível. 

Eval, segurança é valor. 

Categories
Data Protection

Encryption and Cryptography: 10 posts you need to read

The concepts behind the emergence of cryptography are quite simple. However, knowing how to take advantage of the benefits of this technology and avoiding pitfalls in the management of your business are other issues.

Cryptography is an evolution and an alternative to techniques and methods against cyber attacks and data theft. It continues to evolve alongside technological advances. After all, new solutions are emerging and more companies are turning to encryption to guarantee privacy and protection.

Not so long ago, the industry defined cryptography as the method by which a plain text, or any other type of data, is converted from a readable format into an encoded version that can only be decoded by another entity that has access to a decryption key.

This definition has expanded and changed in recent years, as companies like Eval have entered the market with products that offer advances in encryption and practical solutions.

Thus, the innovation went beyond the main objectives of encryption. Since it currently has several benefits. These include, for example: reducing costs, increasing productivity and strategic management for different types of companies, regardless of size or segment.

Eval’s blog articles present a series of concepts and practices that readers can use at various stages of the acquisition, deployment and management cycle. That way, we can help them make the most of the benefits of encryption.

Implement digital signatures, adopt a document management-centric approach or invest in policies. There is information here that will certainly help your company in its quest for effective data protection.

Data protection as a priority

Before we even start our list, it’s important to highlight the consequences of a lack of investment in security and privacy. That’s why we’re going to show you the problems caused by a lack of data protection in your organization.

In this article, as well as understanding the importance of data protection through our list of publications, you can get an idea of the risks we are currently experiencing.

The fact is that data protection has become a concern for institutions such as the International Monetary Fund (IMF), the government itself and other organizations that have information security as a priority.

Now, let’s get to our list!

The basis for understanding the importance of cryptography

Basically, we’ll divide our list into two parts. The first of these serves to provide a foundation and teach good practices related to encryption and cryptographic key management.

1. About cryptography and key management

In the article Data encryption and key management, we covered aspects relevant to information security related to encryption.

The aim was to present the basics of cryptographic technology, cryptographic services and, finally, cryptographic key management.

We also show the importance of correctly managing cryptographic keys for programming cryptographic services.

2. Why manage cryptographic keys?

After all, why should you manage cryptographic keys? In this article, we show you that management means protecting against loss, theft, corruption and unauthorized access.

Therefore, data protection is not just about adopting encryption in business processes, management and sharing. After all, you need to efficiently manage all the elements related to the use of technology.

3. What if the encryption keys are still lost?

For those who haven’t been convinced of the importance of managing cryptographic keys, or haven’t understood the problem of mismanagement, the article The truth no one ever told you about key loss shows the consequences.

4. The search for the best way to protect data

So far, you’ve seen the concepts, the benefits of adopting cryptography in business and the impacts of managing cryptographic keys.

In the article ” Is native encryption the best way to protect data?”, we showed that Enterprise Key Management (EKM) solutions in companies have become essential to comply with existing market regulations.

This type of solution also provides access to other important data protection benefits for any organization.
5. Important facts about cryptography

To close the first part of our list, we have the article What you didn’t know about encryption software. He clarifies doubts and shows important points about this subject, which companies and professionals are often unaware of.

Therefore, we conclude this stage by pointing out issues that cannot be ignored in a technology adoption process.

Encryption in practice

There’s no point in theory without practice, is there?

These success stories demonstrate that the use of cryptography is one of the main ways to guarantee information security and data protection.

So let’s begin the second stage of our list of articles on encryption.

6. Where encryption applies

In the article Places where you use cryptography and don’t even know it, we show everyday situations where technology is applied and often we don’t even know it.

An interesting piece of content that shows how technology is successfully applied, guaranteeing privacy and data protection.

7. The famous relationship between cryptography and the financial market

Cryptography has become well known through its applicability in the financial market.

That’s why it’s only fair that our first success story is featured in the article How does crypto benefit the financial market?

8. Encryption goes through our credit card

One of the most critical points when it comes to data theft is the misuse of credit cards and other forms of payment that are part of our daily lives.

By the end of the article Encryption for financial records and payment data, the reader will understand why this technology has become so vital for our financial transactions and personal information.

9. Yes, encryption is also in communication

This is yet another case that shows that technology is in our daily lives and we don’t even realize it.

In the article Encryption for communication applications: learn more, the reader will realize that privacy and data protection go through our main channels of conversation.

The main messaging apps have already adopted this technology as their main data security tool.

10. Our information is kept confidential through the use of encryption

To conclude our list of articles, the content Secrecy and origin verification using asymmetric cryptography shows the case of applying this technique to find out where a message came from.

Despite being conceptual, the article makes an analogy with a real situation: the importance of the confidentiality of the information we share on a daily basis.

What did you think of our list? Did it help you understand the concepts and importance of encryption in your professional and personal life? Keep following our blog to find out more about E-VAL’s technology and news.

About Eval

A Eval está há mais de 18 anos desenvolvendo projetos nos segmentos financeiro, saúde, educação e indústria. Desde 2004, oferecemos soluções de Autenticação, Assinatura Eletrônica e Digital e Proteção de Dados. Atualmente, estamos presentes nos principais bancos brasileiros, instituições de saúde, escolas e universidades, além de diferentes indústrias.  

Com valor reconhecido pelo mercado, as soluções e serviços da Eval atendem aos mais altos padrões regulatórios das organizações públicas e privadas, tais como o SBIS, ITI, e a LGPD. Na prática, promovemos a segurança da informação e o compliance, o aumento da eficiência operacional das empresas, além da redução de custos.  

Inove agora, lidere sempre: conheça as soluções e serviços da Eval e leve sua empresa para o próximo nível.  

Eval, segurança é valor. 

Categories
Data Protection

Why is encryption key management important?

Companies are moving more and more sensitive data over the internet and are heavily migrating their infrastructure to the cloud, in different types of service models. As this happens, the need to use and manage encryption keys grows.

Faced with this reality, security professionals actively protect this data with tried and tested techniques, which are used at different stages of an organization’s productivity cycle, always with the aim of guaranteeing privacy.

However, the guarantee of data protection and availability may not be possible through the use of encryption alone.

Even if there is advanced technology against data breaches, without encryption key management, the risk of information being leaked or stolen will still be high.

Why is managing cryptographic keys important?

Management means protecting cryptographic keys against loss, theft, corruption and unauthorized access. Its objectives include:

  • ensure that the keys are kept safe;
  • change the keys regularly;
  • control how and to whom keys are assigned;
  • decide on the granularity of the keys.

In practice, encryption key management means assessing whether a key should be used for all backup tapes or whether, on the other hand, each one should receive its own, for example.

It is therefore necessary to ensure that the cryptographic key – and anything related to it – is properly controlled and protected. So you can’t not think about management.

If everything isn’t properly protected and managed, it’s like having a state-of-the-art lock on your front door but leaving the key under the mat.

To make the importance of cryptographic key management clearer, we only need to remember the four objectives of cryptography: confidentiality, integrity, authentication and non-repudiation. So we see that with it we can protect personal information and confidential corporate data.

In fact, it makes no sense to use technology that guarantees data security without efficient management.

Managing encryption keys is a challenge, but it’s not impossible

In fact, managing cryptographic keys is not as simple as calling a locksmith. You can’t write the keys on a piece of paper either. You need to provide access to as few people as possible and ensure that it is restricted.

Successful crypto management in the corporate world requires good practices on several fronts.

First, you must choose the right encryption algorithm and key size to have confidence in your security.

It must then ensure that the implementation of the corporate encryption strategy complies with the standards established for this algorithm. This means being approved by a recognized certification authority – in the case of Brazil, those approved by the ITI, within ICP-Brasil.

Finally, it must guarantee efficient encryption key management, combined with security policies and processes that can ensure productive use of the technology.

To have greater confidence in your encryption key management strategy, the first questions to ask are the following:

Many management services retain private keys at the service layer, so your data can be accessible to the administrators of this activity. This is great for availability, but not for confidentiality.

So, as with any technology, the efficiency of encryption depends completely on its implementation. If it is not done correctly or if the components used are not properly protected, it is at risk, as is the data.

From policy creation to cryptographic key management

A common approach to protecting company data through encryption key management is to take stock, understand the threats and create a security policy.

Companies need to know which devices and applications are trusted and how policy can be applied between them and in the cloud. It all starts with knowing what you have.

Most organizations don’t know how many keys they have, where they use encryption and which applications and devices are really trustworthy. This undeniably characterizes a total lack of management of encryption keys, data and its structure.

Undoubtedly, the most important part of an encryption system is its key management, especially when the organization needs to encrypt a large amount of data. This makes the infrastructure more complex and challenging.

Standardizing the process is fundamental

The standardization of products is fundamental. After all, even properly implemented encryption means little if an attacker gets into someone’s machine or if an employee is dishonest.

In some cases, for example, encryption can enable an attacker and render the entire security investment useless, causing damage that goes far beyond financial losses. So standardization is vital to creating useful policies and processes, reducing the possibility of loopholes that can result in cyber attacks and data theft.

Encryption really does create more business opportunities for different types of companies, not just by mitigating concerns such as cyber attacks, but by creating an organized, efficient and strategic data access cycle.

Finally, in times of digital transformation and so many technological and market disruptions, adopting encryption key management is vital for companies seeking sustainable growth.

Now you know a little more about cryptographic key management, keep up to date with this subject via our LinkedIn page.

About EVAL

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and the General Data Protection Law (LGPD). In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Categories
Data Protection

Cryptography and Key Management – Important Concepts

The use of encryption and key management, as well as cryptographic services are vital for protecting data at rest or media, a reality for companies and users of services such as cloud storage, messaging and many others.

However, those responsible for these services are presented with many options for cryptographic mechanisms and consequently there are many choices to be made.

Inappropriate choices can result in little or no gain, creating a false sense of security. Cryptography, key management and cryptographic services - Life cycle

For example: encrypt a database and keep the cryptographic key in a file on the server.

In this article we intend to address some aspects relevant to information security that are related to cryptographic keys. With this we will show the importance of their correct management for the programming of cryptographic services.

To facilitate understanding, we will divide the article into three parts. Starting with the basics of cryptography, key management and cryptographic services.

Basic concepts of data encryption

Cryptography is a set of principles used to guarantee the security of information.

To do this, it uses techniques to transform one piece of information (cipher) into another (cryptogram) that is readable only by those who know the secret (secret key).

By keeping this secret safe, we prevent unauthorized persons from gaining access to the original information (decrypt).

Secrecy

The security of cryptographic services is based on the secrecy of the cryptographic key, which allows encryption and decryption, and not on the method of transforming the information, i.e. the algorithm used, which must be public.

Symmetric and asymmetric keys

In cryptography and key management there are two basic types of algorithms: symmetric and asymmetric. The former use a single key to encrypt and decrypt the data, while the latter adopt a pair of keys, one for encryption and the other for decryption.

The diagram below shows the use of a symmetric key to encrypt a message. We can see that the key used by John is the same one adopted by Alice.

Cryptography, key management and cryptographic services - Symmetric and asymmetric keys.
Figure 2 – Symmetric key algorithm

The next diagram shows the use of an asymmetric key. The key used by Alice to encrypt is the public key of John, who uses his private key to decrypt.

Cryptography, key management and cryptographic services - Asymmetric key algorithm
Figure 3 – Asymmetric key algorithm

An interesting point about this type of algorithm is that after encrypting with the public key, only the private key can decrypt.

Examples of uses for these algorithms include a database that uses the AES algorithm (symmetric key) to encrypt certain information in the database and the digital signing of documents using the RSA algorithm (asymmetric key).

We would also like to point out that the secret in these two types of algorithms lies in protecting the symmetric key and the private key (in the case of asymmetric keys).

Finally, another aspect is that these algorithms are complementary and serve as the basis for programming cryptographic services.

Cryptographic summary and digital signature

In relation to cryptography and key management, a cryptographic digest is a value that represents information. It is generated using an algorithm, such as SHA256, to analyze the data bit-by-bit and creates a value that cannot be falsified in practice.

Cryptography, key management and cryptographic services - Cryptographic summary
Figure 4 – Cryptographic summary

However, the cryptographic digest cannot be used on its own, because although it cannot be falsified, it can be replaced.

So, to be used in practice, the cryptographic summary is encrypted with the private key (asymmetric), generating a digital signature.

This way, everyone who has the public key can generate the cryptographic summary and compare it with the one in the digital signature.

You can then check whether the data is valid. Fundamental actions in cryptography and key management.

Cryptography, key management and cryptographic services - Digital signature
Figure 5 – Digital signature

Let’s take SHA256 with RSA for example. It uses the SHA256 summarization algorithm and the RSA encryption algorithm to generate the digital signature. However, this is still not enough, as we have no way of identifying who a given public key belongs to.

This requires a new element: the digital certificate.

A digital certificate basically consists of textual information that identifies an entity (person, company or server), a public key and a purpose of use. It has a digital signature.

It is important to note that the digital certificate must be signed by a trusted third party (digital certification authority).

Thus, we introduced the concept of a relationship of trust. According to him, if we trust entity A and it trusts entity B, then we also trust B.

Cryptography and key management and cryptographic services - Trust relationship
Figure 6 – Relationship of trust

This concludes the basic concepts of cryptography. In the next part, we’ll talk about the cryptographic services that can be created from them.

Cryptographic services

As part of the cryptography and key management lifecycle, basic cryptographic mechanisms such as symmetric encryption and cryptographic digest are used to support confidentiality, integrity, authorization and irretrievability or non-repudiation services.

Thus, one cryptographic mechanism can be used to support several services. It is also important that cryptographic services should be used together to guarantee security.

Below we will briefly describe the basic cryptographic services:

Confidentiality

This service provides data confidentiality through encryption and key management. It also ensures that the information cannot be viewed by third parties and that only authorized persons have access to it. Fundamental to cryptography and key management.

Examples include encrypting files, file systems and databases with symmetric keys. We also have information encrypted with the certificate’s public key, so only those who have the corresponding private key can open the information.

Integrity

The integrity service must ensure that a given piece of information is not modified in an unauthorized way after it has been created, during transmission or storage.

Whether the change is accidental or intentional, the insertion, removal or replacement of data must be detected. Cryptographic mechanisms such as cryptographic digest, also known as hash, and digital signature provide the support for this service.

Authentication

The authentication service verifies the identity of a user or system requesting authorization to access information.

The digital signature is a cryptographic mechanism generally used to support this service, as the identification of the user has already been validated before the digital certificate is issued, either by a trusted ICP-Brasil Certificate Authority or another that the organization trusts, such as an Internal Certificate Authority.

At ICP-Brasil Certifying Authorities, it is in the process of issuing the digital certificate that the person needs to attend a face-to-face validation, with original documents proving the applicant’s identity.

 
Irretractability

The non-retractability service provides the means to guarantee that whoever created the information cannot deny its authenticity.

In this sense, it is linked to the digital signature, in which the owner of the private key cannot deny that he has held it for a particular purpose.

This concludes the description of cryptographic services. In the next section, we will present the main factors to be considered in key management – cryptography and key management.

Authorization

Additionally, after authentication, it is possible to use the information of the authenticated user in the system to define the authorization of the information. The authorization service provides approval or permission for the execution of an activity.

As an example, the authorization service can be employed to define the permissions to use a cryptographic key that would consequently allow access to a certain piece of information.

Cryptographic key management

Cryptographic keys are the foundation of cryptography and key management, and the security of encrypted data lies in them. Breaches can lead to compromised keys and, consequently, the leakage of sensitive information.

The increased use of encryption for data protection, mainly due to government regulations, means that companies have to deal with multiple encryption solutions.

Because of the diversity of vendors, organizations also need to define various procedures for managing cryptographic keys, and these are not always adequate.

Cryptographic key management consists of storing, protecting, organizing and ensuring the proper use of cryptographic keys, managing their lifecycle and maintaining backup copies in a secure and consistent manner.

When managing keys, we must take a few points into account, which we will describe below:

Secure storage of keys

The keys should be stored securely, i.e. encrypted and with access control.

Encryption should preferably be carried out using keys (KEK) protected on cryptographic hardware.

Identification of keys

It must be possible to identify a key, its type, its purpose, who is authorized to use it and the period of use.

User authentication and authorization

The use of cryptographic keys should only be allowed after the user has been identified.

Therefore, for proper key management, the system must provide authentication and authorization mechanisms or allow integration with existing systems, such as Microsoft’s Active Directory.

Life cycle of cryptographic keys

The lifecycle of cryptographic keys must be controlled so that they are used properly during their validity period – in other words, only authorized people or systems can use them during a predefined time and with secure mechanisms so that they are not compromised.

We will describe the life cycle of the keys, according to NIST recommendation.

The life cycle of a key starts with generation and ends with destruction, passing through one or more of the states described below:

  • Generation: when the key is created and not yet ready for use;
  • Pre-activation: the key has been generated, but is not yet ready for use because it is waiting for the period of use or the issue of a certificate;
  • Activated: the key is available for use;
  • Suspended: use of the key is temporarily suspended. In this state, it can no longer perform ciphering or signing operations, but can be used for data recovery or verification of signatures previously performed.
  • Inactivated: the key can no longer be used for encryption or digital signature, but is kept for processing encrypted or signed data prior to inactivation.
  • Compromised: indicates that the key has had its security affected and can no longer be used in cryptographic operations (encryption and key management). In some cases, as in symmetric keys, it can be used to recover the encrypted data for later encryption with another key.
  • Destroyed: this status indicates that a key is no longer needed. The destruction of the key is the final stage and can be achieved due to the end of the key’s usage cycle or the compromise of its security.

Backing up cryptographic keys

The main function of backups is to guarantee the recovery of keys and, consequently, encrypted data in the event of loss or failure.

Just like keys, which must be stored securely during use, backup copies also need to be protected.

They can be stored in encrypted files or cryptographic hardware suitable for this purpose, which should be kept in secure locations.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and the General Data Protection Law (LGPD). In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level. Eval, safety is value.

Categories
Data Protection

Key Management with Cryptography, how to protect data?

In recent years, suppliers in the data storage market have started to pay more attention to the use of the Key Management Interoperability Protocol (KMIP) in their solutions for integration with encryption key managers.

There are two main reasons for this. The need to comply with data protection regulations is an important reason.

There are also the benefits of Enterprise Key Management (EKM) solutions for companies.

Find out what these benefits are in this article.

Application of good practices in information security

The definition of what is adequate or sufficient to meet regulatory demands about protecting data varies greatly between companies.

Many solutions offer internal support for key management with encryption. Depending on the context, this may be enough.

However, adopting this model could compromise data security. After all, we must consider that the encryption key responsible for protecting them is embedded in the storage solution itself.

In addition, it is common to find scenarios with different storage solution providers, where each one programs their key management models with encryption.

This can lead to human error and compromise data availability in the event of an unsuccessful encryption operation.

The use of an external key management solution provides adequate segregation of roles. It also offers a standardized model for all encryption processes.

In addition, these solutions usually offer international certifications for the implementation of encryption algorithms. This prevents, for example, the use of algorithms or key sizes that are considered weak.

On the Owasp website you can find a very interesting cryptography guide, in which it is not recommended to use the MD-5, SHA-0, SHA-1 hash algorithms and the DES symmetric encryption algorithm.

In addition, key management solutions with encryption can be coupled with equipment designed to provide protection with a high level of security.

For example, Hardware Secure Modules(HSMs) and Enterprise Key Management(EKM). Protection is thus centralized for all the organization’s data storage systems.

Efficient Key Management with Cryptography

Typically, solutions that offer encryption capabilities don’t worry about the lifecycle of a key. Thus, they ignore, for example, validity, activation, deactivation, exchange with preservation of already encrypted processes and destruction.

Using the same encryption key for a long time is inappropriate. After all, this compromises security in the event of a data leak.

A management solution not only provides the necessary requirements for the entire key lifecycle. After all, it also presents these features in a user-friendly interface, from a centralized console.

It even defines access profiles based on integration with a Lightweight Directory Access Protocol (LDAP) database.

Flexibility of Implementation and Key Management with Cryptography

The decision to keep applications on your own infrastructure or migrate to an external data center depends on several factors.

If the key management solution with encryption is coupled with the storage system, the decision to keep it in-house or migrate to the cloud must take this into account.

 

Ability to generate audit reports during key management with encryption

For these cases, it is necessary to offer information with a high level of trust and access to keys. In this way, you should detail who accessed it, the time of the event and the success or failure of the operation.

In addition, alert mechanisms can notify staff if problems arise with the key management equipment or other devices that communicate with the manager.

One of the main benefits of an external key management solution is its ability to enhance audit reports.

Trying to prove to an external compliance auditor that the keys are safe, secure and have strong access controls would be much more difficult with native storage, especially if there is more than one solution. This will also require all systems to be audited individually.

Segregation of profiles

External key management systems can define permissions for the administrators and users who will use the keys.

A common example of this is the ability to allow an administrator to create a key, but not be able to use it to encrypt or decrypt using LDAP or Active Directory (AD) user attributes.

Normally, the systems’ own cryptography does not have this level of granularity in the administrative functions. As a result, the storage administrator is also responsible for the key.

Variety of systems where sensitive data can be stored

From CRMs, File Systems, Virtual Machines, structured or unstructured databases, there is a possibility that there is information that needs encryption to avoid exposure in the event of a security breach.

Encrypted key management, with the ability to integrate with open protocols, provides the necessary resources to meet the needs of a wide range of environments.

There are at least four perspectives that can be addressed regarding the location of the data to be protected: file system, operating system, database and memory.

The effort to implement encryption increases in this order and exceeds the complexity, considering the variety of environments and systems in the end-to-end flow of the data to be protected.

As you may have realized, native encryption is not necessarily the best way to protect data. If you still have questions about this, leave them in the comments. We’ll be happy to answer your questions.

Sobre a Eval 

Eval has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With recognized value by the market, Eval’s solutions and services meet the highest regulatory standards for public and private organizations, such as SBIS, ITI, PCI DSS, and the General Law of Data Protection (LGPD). In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Categories
Data Protection

Is Proper Key Management Really a Challenge?

Data protection leads companies to implement various encryption solutions. In this sense, one aspect that cannot be overlooked is the need for proper key management.

This is mainly due to the widespread use of encryption as a result of governance and compliance requirements. This shows that we have made progress in terms of data protection, but exposes the major challenge of key management.

After all, it’s common to manage keys in Excel spreadsheets, which can bring a great risk to organizations, since losing control or even losing cryptographic keys can cause the company to lose its data.

Key Challenges of Proper Key Management

Management is vital for the effective use of encryption. The loss or corruption of keys can lead to loss of access to systems and render them completely unusable.

Proper key management is a challenge that increases with the size and complexity of your environment. The larger your user base, the more difficult it will be to manage efficiently.

Some of the biggest challenges involve:

User training and acceptance

Users don’t like change. Although not really part of the key management process, failure to accept them can be a major impediment to the success of a project.

Therefore, it is necessary to map the impact of adopting and using cryptography in your production cycle and the difficulties in recovering or resetting keys or passwords.

Listen to user feedback and develop appropriate training to address their specific concerns or difficulties. Develop system benchmarks to check performance before and after the product is implemented.

In other words, manage user expectations.

System administration, key maintenance and recovery

These problems can have a major impact on the organization and should be addressed with the supplier before they are purchased. On an enterprise scale, manual key management simply isn’t feasible.

Ideally, management should integrate with the existing infrastructure, while providing easy administration, delivery and recovery of secure keys.

Recovery is a fundamental process, especially in situations such as an employee leaving the organization without a proper return or when a key is damaged and can no longer be used. It should also be a simple but very safe process.

In proper key management, the generation procedure should be restricted to one person. In practice, we have, for example, a product process that allows a recovery key to be split into several parts.

From there, the individual parts of the recovery key can be distributed to different security agents. Owners must be present when it is used. This process is simple, but secure, because it requires several parties to recreate the key.

What’s more, forgotten passwords can have an additional impact on the support team. The process must therefore not only be simple, but also flexible. Remote and off-network employees need to be considered as well as internal ones. In this case, remote key recovery is an indispensable feature.

Best practices for proper key management

When dealing with key management problems, who can organizations turn to for help?

The specifics of proper key management are largely dealt with by cryptographic software, where standards and best practices are well established.

In addition, like the National Institute of Standards and Technology (NIST) and the Brazilian Public Key Infrastructure (ICP-Brasil), standards are developed for government agencies that can be applied in any business community. This is usually a good starting point when discussing encryption products with your suppliers.

In the meantime, here are some industry best practices to get you started:

  • The usability and scalability of proper corporate key management should be the main focus of product analysis. The ability to leverage existing assets must play an important role in decision-making. Integration with an authentication environment will reduce costs and eliminate the need for redundant systems;

  • Two-factor authentication is a necessary security measure for financial organizations. Due to the increased processing power and capabilities of today’s computers, the strength of passwords alone is no longer enough.

Control and training

Management means protecting encryption keys from loss, corruption and unauthorized access. Therefore, at the end of the procedures and techniques applied to the management process, it is necessary to guarantee:

  • That the keys are kept securely;

  • That they undergo regular change procedures;

  • That management includes who the keys are assigned to.

Once the existing keys have been controlled, the policies and processes for provisioning, monitoring, auditing and termination need to be rigorously applied. For this reason, the use of automated tools can greatly ease the burden of responsibility.

Finally, information security professionals, infrastructure professionals, database professionals, developers and other professionals who need to use encryption keys should be trained, as a lack of awareness of the risks of protection failures is one of the main factors in problems.

If there is no control over access, there will be no security.

For more tips on proper key management and other more strategic topics for information security and data protection, subscribe to our newsletter and stay up to date!

About Eval

EVAL has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Categories
Data Protection

Loss of Keys and the Truth No One Told You

Today, data theft and regulatory compliance requirements have caused a dramatic increase in the use of encryption keys in companies. This also caused an incidence of key loss due to poor management of these assets.

It is very common, for example, for a single company to use several dozen different encryption tools. Possibly these tools are incompatible, thus resulting in thousands of encryption keys.

How to prevent the loss of keys?

In a perfect world, cryptographic key management has the responsibility for the administration, protection, storage, and backup of encryption keys.

After all, every key must be securely stored, protected, and retrievable. However, reality is different and you should know well how this story ends regarding the loss of keys.

The importance of storing and backing up encryption keys

Key management means protecting the encryption keys from loss and unauthorized access.

Many processes must be used to control and manage keys. This includes changing keys regularly, managing how keys are assigned, and who gets them.

Experience shows us that the loss of keys has a major impact on important business processes in companies. This causes loss of access to systems and data, as well as rendering a system completely useless unless it is formatted and completely reinstalled.

It is worth pointing out that nowadays it is essential for any company to have more than one person responsible for storing and backing up the encryption keys.

In this way, we are directed to several good practices in the market. For example, we have defined the roles of the responsible parties and created an efficient encryption key management policy that is accessible to everyone.

However, there is a big challenge ahead. One of the big known problems is the lack of unified tools to reduce management overhead.

A key management system purchased from one vendor cannot manage another vendor’s keys. This is due to the fact that each implements a management mechanism in its own way.

You are probably remembering some facts related to the lack of efficient storage. Including the cases of lost keys and the impacts to the company.

Lost keys expose data of people and companies

The loss or exposure of encryption keys will never be a good experience. Imagine, for example, a developer accidentally storing keys in a public repository?

Unfortunately this scenario is likely, it can easily happen for any type of encryption keys and in different companies.

Someone might accidentally send the keys in a source code or in any file or data set submission.

Whether in the cloud or in owned data centers, companies need to build a management strategy that prevents the loss of keys and/or undue exposure.

As we have seen, keys must be stored securely and with access limited to those who need them to work. For this reason, some companies use key-loss protection applications.

They serve to check network traffic for data leaks. As well as detecting the accidental or malicious disclosure of confidential or private information.

Not only poor key management can lead to compromised servers. But also if the keys used to encrypt data are lost, the data encrypted with that key will also be lost.

Therefore, there is no substitute for encryption key management.

Common situations that lead to the loss of cryptographic keys

Because it is something of relative complexity for certain company employees, you can imagine that the loss of keys does not happen so often. However, there are very common situations in our routines that lead us to key-loss scenarios:

  • The key holder forgets the password to access the key;
  • The employee responsible for the keys does not remember where he stored the key;
  • The manager has a huge amount of keys to manage;
  • The person responsible for the keys leaves the organization, and whoever stays ends up with a big management problem.

The importance of cryptographic keys is obvious to information security professionals. But the complexity of managing them can be almost as daunting as the encryption algorithms themselves.

It all comes down to how important it is for companies to control the keys

First of all, it is important to see what a digital signature is and how it works.

A digital signature is the equivalent of a written signature. Its purpose can be to verify the authenticity of a document or to verify that the sender is who he claims to be.

This shows us the importance of encryption keys in productive processes, as well as the impact generated by the loss of keys in the routines of companies of different segments or sizes.

The main cost of key loss is risk management. This is because it will mainly focus on making companies the target of sophisticated cyber attacks, leading to losses not only financial but also related to the organization’s image.

One of the most recommended practices for reducing incidents related to cyber attacks is to conduct audits. This is because it helps to identify whether the keys are being used in the right way.

This process consists of auditing public key cryptography to identify vulnerable sources and devices, from tokens to TLS certificates.

Available mitigation strategies from vendors can then be reviewed and applied according to risk-based priorities.

The solution to all problems is…

There is no shortage of guidance on how to manage digital identities and how to identify the best option for your company, it all depends on the current environment and available resources.

While using a stronger management policy may be the safest option, this can also result in significant costs. Companies must focus on continuous improvement. In addition, it can help you manage your risks at a price that is compatible with your reality.

Companies must critically evaluate how they protect their systems. They must also consider the root causes of security incidents in their environments as part of a risk assessment.

It is common, for example, to have several security incidents related to compromised accounts. This is mainly due to the lack of proper management of the encryption keys.

As systems become more secure and companies take effective measures to manage their processes. It is worth remembering that initiatives such as authentication and key management are becoming increasingly important.

It is important to ensure that your company is using the appropriate authentication and authorization processes. This requires the use of cryptographic keys based on risk management.

After all, it is already the first step in reducing the risk of incidents and ensuring the confidentiality of customer and employee data.

At the end of our article, answer the following question: What is your company’s current encryption key management strategy?

Subscribe to our Newsletter and stay up to date with EVAL news and technologies. Keep following our content on the blog and also on our Linkedin profile.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Categories
Data Protection

Chief Data Officers: why are they vital for companies?

With the growing importance of data management, data protection and analytical competence, CEOs are trying a number of different methods to help their companies meet the challenges. This is when Chief Data Officers are making a difference.

A common approach is to add a new position, Chief Data Officer (CDO), capable of addressing data management, integration and utilization challenges.

What is and why did the position of Chief Data Officer?

You have to go back in time to understand where the need for the CDO came from. With the advent of the internet, everyone had information about everything, and information grew exponentially.

Although information offers many benefits, the right infrastructure must be built to capture data. You need to be able to access and extract data, and then convert it into information.

Thus, the Chief Data Officer was born as an attempt to create a bridge between functional leaders who need real-time information and the IT department.

In a perfect world, functional business leaders(Sales Ops, HR, marketing) would be the “owners” of their information. The CDO would investigate platforms and security, and then create an environment to allow each functional user to access the information they needed.

Chief Data Officers are most effective when there is a software system that allows the end user to perform analysis outside the system. The role is then to find the right BI platform.

This way you can transform data into information, with the aim of democratizing ‘data’.

These professionals exploit data analysis to support operational improvements for IT, marketing, risk management, compliance, production and finance, as well as digital revenue generation.

Which companies are CDOs for?

The first companies to adopt the Chief Data Officer were in the B2C segment, because of the huge amount of data they managed.

As a result, this type of role exists mainly in Fortune 1000 companies or in new companies that are more progressive. Larger institutions tend to be able to absorb the extra expense of hiring a CDO.

Considering that the Chief Data Officer is a senior executive responsible for the company’s information strategies, governance, control, policy development and effective exploitation, he or she will have great relevance within contemporary organizations.

In short, the role of the CDO will combine responsibility for information protection and privacy, information governance, data quality and data lifecycle management, along with the exploitation of data assets to create business value.

 

Is there a rivalry between CDO and CIO?

The question is very common, but rivalry should not exist, considering that they carry out different activities.

The Chief Data Officer plays the role of risk management, compliance, policy management and the business role. It thus directs the information and analysis strategy, serving a commercial purpose.

On the other hand, CIOs must manage IT resources and organizations, infrastructure, applications and the people involved in the area.

In essence, the CDO is like a “glue” between the data strategy and the metrics.

Professional in practice: success story

Mark Gambill, CMO of MicroStrategy, says that there is a B2C company in the Midwest of the United States that was struggling with how to manage data in remote locations.

They wanted to ensure that the data was available in remote locations because it gave them more control. However, the organization was faced with some significant problems:

  • Três armazéns diferentes;
  • Grupos usando diferentes ferramentas de automação;
  • Diferentes bancos de dados que abrigavam diferentes dados;
  • Direitos diferentes aos dados.

The Chief Data Officer came in and merged everything to ensure that the system was efficient. They unified the data and created the right rules and governance.

This has resulted in a more controlled environment for managing and sharing critical information such as KPIs. With this system, the CDO ensured that the right people had access to the right data on their own computers, without the need to ask the IT team to obtain the data.

About Eval

A Eval está há mais de 18 anos desenvolvendo projetos nos segmentos financeiro, saúde, educação e indústria. Desde 2004, oferecemos soluções de Autenticação, Assinatura Eletrônica e Digital e Proteção de Dados. Atualmente, estamos presentes nos principais bancos brasileiros, instituições de saúde, escolas e universidades, além de diferentes indústrias. 

Com valor reconhecido pelo mercado, as soluções e serviços da Eval atendem aos mais altos padrões regulatórios das organizações públicas e privadas, tais como o SBIS, ITI, PCI DSS, e a LGPD. Na prática, promovemos a segurança da informação e o compliance, o aumento da eficiência operacional das empresas, além da redução de custos. 

Inove agora, lidere sempre: conheça as soluções e serviços da Eval e leve sua empresa para o próximo nível. 

Eval, segurança é valor. 

Where We Are

Rua Paulistânia, nº 381, 2º andar,
Sumarezinho
São Paulo - SP,
ZIP CODE: 05440-000

Contact

(11) 3670 - 3825
(11) 3865 - 1124
[email protected]

Facebook Instagram Linkedin
logo-tales-azul
keyfactor-logo
logo-valid-certificadora-digital
google-safe-browsing
Privacy Policy

Copyright © 2023, EVAL TECNOLOGIA EM INFORMÁTICA. All rights reserved - CNPJ 05.278.889/0001-97