Identity Wars: Episode IX – The rise of Skywalker and cybersecurity

Paul Cleary | Senior Solutions Engineer, Venafi

The final episode of the expansive Star Wars saga sees the Resistance engage in one last, great battle with what has evolved from the First to the Final Order. Ultimately this battle is representative of the larger scale struggle of the series, the Dark Side vs. the Light Side of the Force, but it also lends itself rather well to an analogy for the opposing forces present in the cybersecurity space. Everyone in our industry, from customer support engineers to CISOs, and all the security admins and enterprise architects in between are our Jedi army. The Sith, on the other hand, are represented by all the malicious actors out there hiding in encrypted traffic, selling stolen credentials and machine identities, and using every attack vector they can to get access to critical systems and data.

In the first two episodes of this blog series, my colleague at nCipher, Juan Asenjo, and I discussed some of the phantom menaces that target machine identities and can threaten an organization’s security. We offered insight into tools and best practices that can help protect against those threats. Juan’s most recent post in the series, “Identity Wars: Episode VIII – The Last Jedi,” outlines how a secure root of trust provided by a hardware security module (HSM) like nShield acts as the last line of defense for the security of the enterprise, and how an organization can incorporate that strong root of trust into its code-signing processes. In this final blog of our series, I’ll focus on how organizations, and their Jedi armies, can rise to the challenge of protecting their critical machine identities.

THE CASE OF MISTAKEN IDENTITY

Emperor Palpatine, thought to be long defeated, is revealed to be calling the shots once more. Even more surprising is just what he’s been able to accomplish in that forgotten state, including producing a massive fleet of Star Destroyers that will eventually be used in a final push to take over the galaxy once and for all. All of this was made possible because he’d been using a puppet (Snoke) to do his bidding, gather followers and spread his message.

In the world we live in, a mistaken machine identity, or better put, a compromised machine identity, can be just as dangerous. The difference between Star Wars and the real world is that if a machine identity is compromised and used as an entry point into an enterprise network, or used to legitimately sign a piece of malware, recovering from the damage will take more than 120 minutes and some special effects. In fact, it might even be too late.

The best defense is to be prepared. Be aware. Have visibility into the identities, both human and machine, that are in use in your organization. Ensure that these critical identities are as secure as possible to prevent a compromise from happening in the first place. If a machine identity compromise does happen, have the tools needed to discover and alert you when it does and a plan in place to recover quickly.

NEXT-GENERATION CODE-SIGNING

A code-signing certificate is a type of machine identity – signing a piece of code legitimizes that code and lets the end user know that it’s safe to install and use. It’s been said that, today, ALL companies are software companies. Even if your organization doesn’t publish applications consumed by your customers, there’s an increasingly likely chance that it employs developers writing software. It doesn’t matter whether the software will be packaged and shipped to millions of users, or if it’s only going to be used internally by a few teams in your organization – it must be trusted, and that trust is established using a machine identity. Better still, that identity should originate from, and be secured in, an HSM, which provides greater entropy for the initial private key generation and stronger, more secure hardware storage.

When it comes time to actually utilize that machine identity to sign code, the process to check the code-signing certificate out of secure storage needs to be protected as well. The certificate should only be accessible by specified users or build processes, and it should be available only at the time of signing. Once the code has been signed, there should be a clear audit trail providing details about that process. What code was signed? Which user or bot initiated the build? Did it receive the proper approvals beforehand? It’s much easier to answer these questions if you have the tools in place designed to secure the process.

THE FORCE OF THE ECOSYSTEM

If the Jedi are the security experts protecting us from the evils of the dark side of threat actors, then the ecosystem of integrated tools and technologies is the force that supports the efforts of those experts. You should feel confident that you have the industry leaders behind you, building tools that seamlessly connect and make securing the data and machines of the enterprise a little easier. Together, nCipher and Venafi provide the tools needed to securely generate and store machine identities and orchestrate and secure the process by which those identities are automatically renewed, provisioned, and used.

To learn more, join Juan and me for our webinar, “Beware the dark side, use trusted machines and HSMs to support critical business,” and may the force be with you.

Identity Wars: Episode VIII – The Last Jedi

Juan Asenjo | Director of Product, Solutions and Partner Marketing - nCipher Security

In Episode VIII of Star Wars – The Last Jedi, the First Order uses a device to track the Resistance across hyperspace to execute a surprise attack. Today in the real world, organizations deploy more and more machines including applications and physical devices to conduct critical business operations. Ensuring one can account for the legitimacy of deployed machines is vital. Illegitimate applications and devices can infiltrate organizations and cause severe damage. In this blog, and in an accompanying one by Paul Cleary from our technology partner Venafi, we explore the growing importance of machine credentials to thwart cyber-attacks. Here, I focus on the last line of defense needed to securely produce credentials and sign code. For insight into the hidden threats that forgotten machine identities can pose, check Paul’s blog “Machine Identity Wars, Episode IX – The Rise of Skywalker.”

Machine credentialing

While connected machines outnumber users across most enterprise systems, to date the identities of machines have not been protected with the same rigor that user identities have received, even when many manage critical systems. The good news is that this is changing. Gartner’s 2020 Hype Cycle for identity and access management shows increased market expectation for machine identity management.

It is easy to understand user identities. We are all familiar with usernames, PINs, passwords, and tokens. We use these methods to authenticate ourselves and gain access to applications and systems. Machines are no different. As machines increasingly perform operations autonomously, they also must prove “who” they are before they can connect to other machines. Instead of using the authentication methods users typically employ, they use cryptographic keys and certificates to establish their machine identities. With the number of connected machines continuing to grow, organizations need to adopt automated life cycle management of machine identities.

Code signing

Keys and credentials identify machines and ensure that only legitimate ones, authorized to perform their intended functions, gain access to other machines and systems. However, there are also vital components we cannot overlook: firmware and software. Without firmware and software, machines can’t do what they are supposed to do. Code is regularly updated to keep machines running smoothly. Code updates are part of the application and device lifecycle, often executed automatically in the background with little or no human intervention. While code updates are meant to be part of continuing improvements to enhance performance and address security issues, these updates are increasingly a vector for attacks. Just as the applications and devices themselves need to be authenticated to ensure legitimacy before connecting to other applications and devices in a system, code updates must also be authenticated. Authentication of code updates is necessary to ensure they come from the right source and are not carrying malicious code that can corrupt and spread throughout the system.

Code signing employs certificate-based digital signatures to enable organizations to verify the identity of firmware and software publishers and certify the code has not been tampered with since publication. The technology is analogous to a tamper seal on medication. Just as we would not ingest a drug from an unsealed container, we should never update applications and devices with unverified and possibly altered code. Code signing provides a proven cryptographic process for software publishers and in-house developers to protect end users from cybersecurity dangers. Digital signatures enable end users to verify publisher identities while simultaneously validating that the installation package has not been changed since it was signed. As more software and firmware is regularly updated to support an exponentially increasing number of applications and devices, counterfeit code is on the rise. Hackers are using stolen code-signing certificates to bypass security appliances and infect systems. Protecting these certificates is therefore critical.
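The signing workflow described in the Episode IX post above (the key checked out only by approved users or build processes, with an audit trail answering what was signed, who initiated it and whether it was approved) and the tamper-seal property described in this paragraph, as an added Go example that is not nCipher’s or Venafi’s code. It assumes a software-only Ed25519 key standing in for the HSM-held key, a dual-control rule of two distinct approvers (neither of them the initiator), and a constructed artifact; none of those come from the posts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"time"
)

// Approval is a sign-off recorded before the signing key may be used.
type Approval struct {
	Approver string
	Role     string
}

// AuditRecord captures what was signed, who initiated it, who approved it and when.
type AuditRecord struct {
	ArtifactSHA256 string
	Initiator      string
	Approvers      []string
	SignedAt       time.Time
	Signature      []byte
}

// Signer holds the code-signing private key. In a real deployment the key would be
// generated and held inside an HSM and never exported; here (assumption) a software
// Ed25519 key stands in for it, and only SignRelease is exposed so callers never see it.
type Signer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // distributed to end users for verification
}

// RequiredApprovals implements dual control: one person alone cannot release code.
const RequiredApprovals = 2

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, Pub: pub}, nil
}

// SignRelease signs an artifact only after the approval policy is satisfied and
// returns the audit record that answers the post-hoc questions.
func (s *Signer) SignRelease(artifact []byte, initiator string, approvals []Approval, now time.Time) (AuditRecord, error) {
	distinct := map[string]bool{}
	for _, a := range approvals {
		if a.Approver == initiator {
			return AuditRecord{}, errors.New("initiator may not approve their own release")
		}
		distinct[a.Approver] = true
	}
	if len(distinct) < RequiredApprovals {
		return AuditRecord{}, fmt.Errorf("need %d distinct approvers, got %d", RequiredApprovals, len(distinct))
	}
	digest := sha256.Sum256(artifact)
	sig := ed25519.Sign(s.priv, artifact)
	approvers := make([]string, 0, len(distinct))
	for name := range distinct {
		approvers = append(approvers, name)
	}
	sort.Strings(approvers)
	return AuditRecord{
		ArtifactSHA256: hex.EncodeToString(digest[:]),
		Initiator:      initiator,
		Approvers:      approvers,
		SignedAt:       now,
		Signature:      sig,
	}, nil
}

// VerifyArtifact is the end-user side of the "tamper seal": the installer checks the
// signature with the publisher's public key, so any modified byte is rejected.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(pub, artifact, sig)
}

func main() {
	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed sample firmware image v1.2.3") // constructed input
	approvals := []Approval{{"alice", "release-manager"}, {"bob", "security"}}
	rec, err := signer.SignRelease(artifact, "build-bot", approvals, time.Now().UTC())
	if err != nil {
		panic(err)
	}
	fmt.Printf("signed %s... for %s, approved by %v\n", rec.ArtifactSHA256[:12], rec.Initiator, rec.Approvers)
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01 // flip one bit, as a modified installer would
	fmt.Println("original verifies:", VerifyArtifact(signer.Pub, artifact, rec.Signature))
	fmt.Println("tampered verifies:", VerifyArtifact(signer.Pub, tampered, rec.Signature))
}
```

The approval check runs before the key is touched, which is the property an HSM-backed signing service enforces in policy rather than in application code; the audit record stores the artifact digest rather than the artifact itself so it can be retained long after the build outputs are gone.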

Last line of defense

To protect the underpinning cryptographic keys that secure identity credentials and code signing certificates, a robust root of trust is required. As the deployment of applications and devices continues to grow, enterprises seek tools to orchestrate machine identities and to sign the code that runs within applications and devices. The concept of a root of trust is fundamental: keys stored in software can be susceptible to file and memory scraping. When enterprises orchestrate their SSL/TLS certificates and SSH keys, as well as their code signing, mobile, and IoT certificates, it is critical that these be produced with high entropy random number generators, and that they be given high assurance protection throughout their lifecycle. Separating this function from the rest of the system within strong hardware with dual controls ensures no single individual or entity can subvert established key use policies. Considered to be a best practice among security professionals, this approach significantly enhances security.

Hardware security modules (HSMs) provide Federal Information Processing Standard (FIPS)-compliant certificates and signing keys with maximum entropy, using hardware random number generation. HSMs are specialized, hardened devices designed especially for the purpose of generating and protecting underpinning cryptographic keys.

Using the force

Just as the Jedi were the last line of defense against the First Order, HSMs establish the foundation for securing increasing numbers of machines conducting critical business. nCipher has joined forces with Venafi to help address machine identity and code signing challenges. Read our new solution brief for details. nCipher nShield HSMs, deployed on-premises or as a service, and Venafi Trust Protection Platform enable leading machine identity providers like CAs and machine identity consumers like application delivery controllers, web application firewalls, secrets management applications, and network monitoring and analytics software, to securely orchestrate machine identity and code signing processes.

To learn more, watch our webinar, “Beware the dark side, use trusted machines and HSMs to support critical business.”

LinkedIn Live! Q&A with a PKI expert and top 3 takeaways

Mark Penny | PKI security consultant, nCipher Security

I’ve just participated in a LinkedIn Live session with my colleague Jules Anderson where we discussed a number of PKI related topics, all in the space of 20 minutes! I will recap some of the items we discussed below.

We covered some of the issues we've seen in relation to PKIs as a result of the coronavirus pandemic and some of the effects that the pandemic has had. One thing this has brought home to me is the importance of proper planning when it comes to PKI lifecycle events. What I mean by 'PKI lifecycle events' is regular activities which need to be undertaken to ensure your PKI continues to run smoothly. The specific example we discussed was Root CA CRL renewals.

The pandemic has really underlined the importance of good planning and well documented procedures when it comes to PKI. We had one customer who wanted our assistance with their annual Root CA CRL renewal. For something like this, we'd normally attend in person but due to the pandemic it just wasn't possible. Moreover, the ceremony itself had to be postponed. It was scheduled for April, but because the UK was in ‘lockdown’ it was impossible to access the relevant buildings where the Root CA artefacts were securely stored. Now, because the customer had planned the Root CA CRL renewal well in advance and considerably prior to when the Root CA CRL actually expired, they were able to postpone the ceremony and perform it at a later date without any operational impact to their PKI. When the ceremony was eventually able to run, I don't think I've ever attended a Root CA CRL issuance remotely using collaboration tools before, or ever seen hand sanitiser used as part of such a ceremony!
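The planning point above (a Root CA CRL renewal scheduled well before the CRL’s nextUpdate is reached) as an added Go example that is not nCipher’s code: it parses a CRL, checks it was actually signed by the expected Root CA, and reports how many days remain against a planning lead time. The self-signed root, the 365-day CRL validity and the 90-day lead time are constructed assumptions; in practice the root key would sit in an HSM and the CRL would be fetched from the published distribution point.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CRLStatus is the planning view of a CRL: how long until it stops being valid and
// whether the renewal ceremony should already be on the calendar.
type CRLStatus struct {
	Issuer      string
	NextUpdate  time.Time
	DaysLeft    int
	PlanRenewal bool // inside the planning lead time
	Expired     bool // relying parties will start failing revocation checks
}

// AssessCRL parses a DER-encoded CRL, checks it really was issued by the expected
// Root CA, and compares its nextUpdate against the current time and a lead time.
func AssessCRL(crlDER []byte, root *x509.Certificate, now time.Time, leadTime time.Duration) (CRLStatus, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return CRLStatus{}, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return CRLStatus{}, fmt.Errorf("CRL is not signed by the expected root: %w", err)
	}
	remaining := crl.NextUpdate.Sub(now)
	return CRLStatus{
		Issuer:      crl.Issuer.String(),
		NextUpdate:  crl.NextUpdate,
		DaysLeft:    int(remaining.Hours() / 24),
		PlanRenewal: remaining <= leadTime,
		Expired:     remaining <= 0,
	}, nil
}

// NewConstructedRootAndCRL builds a throwaway self-signed Root CA and an empty CRL
// with the given validity. It is a constructed fixture standing in for the offline
// Root CA key (which in practice would be held in an HSM) and its published CRL.
func NewConstructedRootAndCRL(thisUpdate time.Time, validity time.Duration) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Example Root CA"},
		NotBefore:             thisUpdate.Add(-24 * time.Hour),
		NotAfter:              thisUpdate.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	root, err := x509.ParseCertificate(certDER) // parsed copy carries the generated SubjectKeyId
	if err != nil {
		return nil, nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: thisUpdate,
		NextUpdate: thisUpdate.Add(validity),
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, root, key)
	if err != nil {
		return nil, nil, err
	}
	return root, crlDER, nil
}

func main() {
	issued := time.Date(2020, time.January, 15, 0, 0, 0, 0, time.UTC)
	root, crlDER, err := NewConstructedRootAndCRL(issued, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	// Check with a 90-day planning lead time at two points in the year.
	for _, now := range []time.Time{issued.Add(30 * 24 * time.Hour), issued.Add(300 * 24 * time.Hour)} {
		st, err := AssessCRL(crlDER, root, now, 90*24*time.Hour)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d days left, plan renewal=%v, expired=%v\n", now.Format("2006-01-02"), st.DaysLeft, st.PlanRenewal, st.Expired)
	}
}
```

Running this kind of check on a schedule against the published CRL gives the lead time that made the postponement in the story harmless: the alert fires months before nextUpdate, not the week the ceremony can no longer be held.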

We also talked about why certificates are considered fundamental as part of a good cybersecurity strategy. I think that is due to the pervasiveness of keys and certificates when it comes to IT systems and services. Keys and certificates are used everywhere. We covered examples such as certificates to identify and secure commercial websites via TLS, as well as similar certificates that are used to secure IT administration portals that many IT administrators use as a matter of course during their day-to-day IT management activities. Without such certificates, administrative credentials might be passed over the network 'in the clear'. We also mentioned other use cases such as certificates for digital signing activities, network authentication and other possibilities.

Whether an organisation needs to deploy their own PKI to be able to issue certificates to secure such services is largely down to the following: the number of different use cases for keys and certificates an organisation has; the legal and regulatory requirements that need to be met by those certificates; and whether they possess the level of knowledge to be able to deploy and manage a PKI internally. For some organisations, it may make sense to obtain a managed PKI service. This removes the pressure of managing the PKI themselves away from the organisation and leaves it in the hands of experts to manage it on their behalf. Some organisations, though, do want to retain the relevant skills in-house, and if these don't exist, we have previously worked with customers to ensure that those skills can be learned and maintained. This is via our training courses and also during PKI deployments where we do 'knowledge transfer' with customers. This, along with well documented PKI operational guides, ensures that an organisation’s own employees have the confidence to manage their own PKI.

Finally, we discussed the need to have a good set of requirements for PKI documented if an organisation is considering the usage of keys and certificates to support projects, systems and services. Requirements for keys and certificates should be documented as 'clear, unequivocal statements of intent' and this is really important in ensuring that whatever PKI solution is put in place is capable of meeting those requirements. Requirements should be mapped to design artefacts such that it is clear what aspect of the solution meets the stated requirement. Designs can then be used for deploying internal solutions or can be taken to Managed Service Providers (MSPs) where an organisation may be considering having their keys/certificates managed by a third party. For a good guide to writing requirements, see the NASA Handbook, which I mentioned during the event. Writing requirements and helping with PKI solutions is also something that we can help with at nCipher Security.

We really enjoyed collaborating on our first LinkedIn Live session and are keen to hear from you as to what PKI topics you'd like us to discuss in future. You can contact me via LinkedIn with your thoughts and ideas.

If you missed the live session, why not catch it now here.

Self-contained, ready, and secured - Enhancing Red Hat OpenShift with hardware cryptography

The purpose of this blog is to introduce you to incorporating high assurance cryptographic security with hardware security modules (HSMs) into your Red Hat OpenShift projects. Since this might be new territory for some in the developer community, I’ll take a moment to explain what an HSM is.

An HSM is a specialized hardware device that is designed for the purpose of protecting encryption keys and conducting cryptographic processes such as creating digital signatures. Keys are generated according to strict security standards and based on an internal high-quality entropy source. HSMs are robust, tamper-resistant devices that incorporate innovative security features to ensure the protection of sensitive key material.

The alternative to using an HSM is to store encryption keys in software – which can be risky since skilled attackers can identify critical key material based on its unique, random characteristics. High value keys should be protected to the best achievable standards, since their loss might cause considerable financial and reputational damage – as well as a compliance violation. HSMs provide this protection and many are certified to internationally-recognized standards like FIPS 140-2 and Common Criteria, while also being recognized by security auditors as an effective tool to mitigate cyber risk.

Applications in a containerized architecture are built, deployed and operated with contemporary methods including orchestration and dynamic scalability. These advancements bring challenges when it comes to including integration with HSMs, in a way that is compatible with this type of modern workflow. This is because applications that rely on HSMs historically require installation of special supporting software and libraries, plus manual configuration of both the server and the HSM to enable secure connections to be made between them.

Now, thanks to the integration of nCipher nShield HSMs with OpenShift, it is possible to easily incorporate highly scalable crypto operations into your containerized application architecture.

Before discussing how to integrate nShield HSMs with OpenShift, it may be instructive to consider visually where the HSM fits in the context of the OpenShift platform:

As depicted in the diagram above, the nShield HSM is an external component accessed over the network. It provides highly available and scalable certified crypto offload for protecting valuable key material – so that it is never exposed within the containerized architecture or platform (where it might be observed or captured by systems administrators).

Building Container Images

Implementing cryptographic operations to enhance application security can be complex. Developers benefit from tools which make this task easier, and that provide an approved reference architecture to follow. Therefore, nCipher provides a set of standard scripts that enable supported integration with and connection to certified nShield HSMs in a streamlined and repeatable way. This reduces development times while using a tested process for delivering high assurance application security.

With these scripts, application developers can easily include the necessary nShield libraries for use with their PKCS11 or Java programs inside container images. Alternatively, off-the-shelf container images provided by third parties can be extended to include such libraries to enable their use with nShield HSMs. Typically this would form part of a CI/CD (continuous integration, delivery and deployment) pipeline so as to allow new versions or iterations of applications to be created with the same capabilities integrated.

Another container image is built with the nShield hardserver to enable and manage the connection to one or more nShield HSMs. These standardized images are stored in the normal enterprise container registry, and can be launched into any compatible container runtime.

Running Containerised Applications in OpenShift

One or more application containers are deployed into a pod alongside an instance of the hardserver container. The latter is supplied with details of the nShield HSM(s) to connect to (which can be in private or co-located hosting, or nShield as a service); while the application containers mount the corresponding Security World[1] files from suitable persistent volume storage.

Different applications and/or versions of the same application can share HSMs in the same Security World, making use of the same or their own application keys – which can be permanent or temporary depending on the volume/storage mapping configured.

nShield HSMs can support OpenShift development at any scale and with flexible or dynamic provisioning. Rather than upgrading servers or virtual machines, new application versions are typically deployed alongside, and then instead of, older versions, with traffic distributed using included or external load balancers.

Increased application security

Using the nShield container option pack with Red Hat OpenShift, developers and operations teams can easily integrate their new or existing applications with nShield HSMs in a way that is straightforwardly accessible from contemporary containerized deployments. There is no need to install or configure software and appliances, meaning a much faster “time-to-security.” Instead of leaving potentially valuable application keys vulnerable, they are safely generated and used only within the HSM’s protected and certified boundary.

nShield HSMs are also highly scalable, which makes them a good companion for large or dynamically deployed containerised application architectures and allows developers to increase capacity with confidence. For implementations leveraging the subscription-based nShield-as-a-Service, the maintenance and management of the HSM itself is offloaded from the IT team.

The integration of the nCipher nShield with Red Hat OpenShift enables projects to be implemented with a new level of security that delivers the scale and flexibility needed for today’s enterprise applications.

To learn more about nCipher nShield HSMs and the integration with Red Hat OpenShift, download our solution brief here. If you’d like to learn more about nCipher’s unique Security World key management architecture, click here.

[1] Security World is nShield’s unique key management architecture which establishes a logical security boundary for deploying and operating a group of nShield HSMs. This ensures interoperability across the organization’s HSM estate and affords rapid scalability.

The new normal – have the fundamentals of data security and encryption changed for Australian businesses?

Jiro Shindo | Digital Security Solutions Marketing Director APAC

While I’m sitting working from home (or at least trying to), watching businesses rise/fall and adapt, how do the once predictable trends in data security and encryption evolve and meet the challenges presented by our “new normal”?

For some businesses, their entire workforce is now working remotely, and the traditional focus on protecting both company and customer data, just because regulations state you must do so, is now giving way to an understanding that protecting data is essential to sustaining a successful organisation. To be truly effective, this requires a corporate wide security strategy.

This is certainly reinforced by the findings of the 2020 Australia Encryption Trends Study which examines the use of encryption and the impact of this technology on the security posture of organisations in this region.

It’s worth noting that our survey was conducted between December 2019 and January 2020 and undoubtedly next year’s report will show different results in several areas. For example, I anticipate we’ll see an even greater uptick in:

  • credential-based authentication of remote workers, based on secure digital certificates
  • cloud adoption and the resulting encryption of data stored in cloud environments
  • digital payment schemes, as consumers move away from using cash.

Even before the pandemic took hold, however, organisations were already demonstrating a shift in priorities, as I’ve highlighted below.

Taking control in the cloud

Corporate security used to be focused on the protection of the perimeter and threat detection – both of which are certainly still necessary in today’s business environment. However, we now see a definite change. Organisations now understand that their data is going to be dispersed, not only geographically but across the infrastructure of several different cloud service providers. With more and more online applications, remote online channels and a remote workforce, Australian organisations are seeing a huge drive of business into the cloud.

More than 80% of Australian respondents report transferring sensitive data to the cloud, or planning to do so within the next 12 to 24 months. However, they see the need to take control and make sure that the data is protected to the same level of security in the cloud as it is on premise, hence the rise in adoption of encryption (up 11% since last year) in the cloud.

Are encryption keys more important than your data?

While the majority of customers understand the need for better management of security, they don’t always know what questions to ask or what tools are most suitable to their needs.

One of the critical elements of any encryption strategy is the use of hardware security modules (HSMs) to protect the all-important encryption keys. HSMs provide state-of-the art key protection, access control enforcement, and secure code execution.

HSM adoption is growing, not only in Australia, but worldwide – as is their importance to organisations’ encryption and key management strategies. Among Australian respondents, 42% currently deploy HSMs (a massive increase from 25% in 2017) and 84% are knowledgeable about HSMs. Of those respondents whose organizations currently use HSMs, 83% say that HSMs are important to their key management strategy – the highest rate globally.

Securing new payment schemes

Australia is ahead of the curve when it comes to encrypting payment-related data, with 71% of respondents encrypting payment data compared with the global average of 54%. That’s jumped from 44% just two years ago, driven by new digital payment schemes and mobile payment apps – all of which rely on encryption as part of their underlying framework. To support digital payments, organisations need strong data security as well as cryptography coupled with the secure management of encryption keys. These frameworks can’t exist without such measures so the need for properly managed encryption has never been greater.

According to Jay Schiavo, vice president of products and markets for Entrust Datacard's certificate services, “Organisations that have a good handle on what and how to encrypt payment data are now focused on how to automate it to make it easier and future proof encryption plans. It’s not feasible to keep adding headcount to keep it all under control, and it’s becoming difficult for some companies to even understand what crypto they have operating across the business, what complies with internal and external policies, when it expires, etc. So they’re looking for tools to automate finding, provisioning, managing and rotating keys and certificates so that when the next big change comes they’re prepared for it.” And that’s where HSMs come in, helping automate those processes.

Embracing the challenges

As organisations in Australia have realized how essential encryption and cryptography are to their data security, they have steadily increased their adoption of encryption strategies across traditional use cases such as internet communications and laptop hard drives, as well as newer ones like cloud, container and IoT devices. As they rely on more products and applications that perform encryption, they seek solutions that offer support for emerging algorithms, scalability and separation of duties.

Australian organisations are certainly on the right track. The good news is that, from what we can see from the survey, more organisations see encryption as the go-to solution for protecting their data. We can also see that more of them are doing the most critical aspect of any data protection strategy, which is to properly manage the keys.

Click here for more details on the results from the Australian 2020 Encryption Trends Study or, for a worldwide view, download the 2020 Global Encryption Trends Study.

The new normal – have the fundamentals of data security and encryption changed for Australian businesses?

The new normal – have the fundamentals of data security and encryption changed for Australian businesses?

Jiro Shindo | Digital Security Solutions Marketing Director APAC More About This Author >

While I’m sitting working from home (or at least trying to), watching businesses rise/fall and adapt, how do the once predictable trends in data security and encryption evolve and meet the challenges presented by our “new normal”?

For some businesses, their entire workforce is now working remotely, and the traditional focus on protecting both company and customer data, just because regulations state you must do so, is now giving way to an understanding that protecting data is essential to sustaining a successful organisation. To be truly effective, this requires a corporate wide security strategy.

This is certainly reinforced by the findings of the 2020 Australia Encryption Trends Study which examines the use of encryption and the impact of this technology on the security posture of organisations in this region.

It’s worth noting that our survey was conducted between December 2019 and January 2020 and undoubtedly next year’s report will show different results in several areas. For example, I anticipate we’ll see an even greater uptick in:

  • credential-based authentication of remote workers, based on secure digital certificates
  • cloud adoption and the resulting encryption of data stored in cloud environments
  • digital payment schemes, as consumers move away from using cash.

Even before the pandemic took hold, however, organisations were already demonstrating a shift in priorities, as I’ve highlighted below.

Taking control in the cloud

Corporate security used to be focused on the protection of the perimeter and threat detection – both of which are certainly still necessary in today’s business environment. However, we now see a definite change. Organisations now understand that now their data is going to be dispersed, not only geographically but across the infrastructure of several different cloud service providers. With more and more online applications, remote online channels and a remote workforce, Australian organizations are seeing a huge drive of business into the cloud.

More than 80% of Australian respondents report transferring sensitive data to the cloud, or planning to do so within the next 12 to 24 months. However, they see the need to take control and make sure that the data is protected to the same level of security in the cloud as it is on-premises, hence the rise in adoption of encryption in the cloud (up 11% since last year).

Are encryption keys more important than your data?

While the majority of customers understand the need for better management of security, they don’t always know what questions to ask or what tools are most suitable to their needs.

One of the critical elements of any encryption strategy is the use of hardware security modules (HSMs) to protect the all-important encryption keys. HSMs provide state-of-the art key protection, access control enforcement, and secure code execution.

HSM adoption is growing, not only in Australia, but worldwide – as is their importance to organisations’ encryption and key management strategies. Among Australian respondents, 42% currently deploy HSMs (a massive increase from 25% in 2017) and 84% are knowledgeable about HSMs. Of those respondents whose organizations currently use HSMs, 83% say that HSMs are important to their key management strategy – the highest rate globally.

Securing new payment schemes

Australia is ahead of the curve when it comes to encrypting payment-related data, with 71% of respondents encrypting payment data compared with the global average of 54%. That’s jumped from 44% just two years ago, driven by new digital payment schemes and mobile payment apps – all of which rely on encryption as part of their underlying framework. To support digital payments, organisations need strong data security as well as cryptography coupled with the secure management of encryption keys. These frameworks can’t exist without such measures so the need for properly managed encryption has never been greater.

According to Jay Schiavo, vice president of products and markets for Entrust Datacard's certificate services, “Organisations that have a good handle on what and how to encrypt payment data are now focused on how to automate it to make it easier and future proof encryption plans. It’s not feasible to keep adding headcount to keep it all under control, and it’s becoming difficult for some companies to even understand what crypto they have operating across the business, what complies with internal and external policies, when it expires, etc. So they’re looking for tools to automate finding, provisioning, managing and rotating keys and certificates so that when the next big change comes they’re prepared for it.” And that’s where HSMs come in, helping automate those processes.

Embracing the challenges

As organisations in Australia have realized how essential encryption and cryptography are to their data security, they have steadily increased their adoption of encryption strategies across traditional use cases such as internet communications and laptop hard drives, as well as newer ones like cloud, container and IoT devices. As they rely on more products and applications that perform encryption, they seek solutions that offer support for emerging algorithms, scalability and separation of duties.

Australian organisations are certainly on the right track. The good news is that, from what we can see from the survey, more organisations see encryption as the go-to solution for protecting their data. We can also see that more of them are doing the most critical aspect of any data protection strategy, which is to properly manage the keys.

Click here for more details on the results from the Australian 2020 Encryption Trends Study or, for a worldwide view, download the 2020 Global Encryption Trends Study.

Clocking in from the couch – and how to do it securely!

Olivier Zemerli | Business Development Manager, nCipher

Over the last few years, IT and information security departments have increasingly been faced with a double whammy – the growing severity of data breaches and ever more stringent data security and privacy regulations. COVID-19, and the almost overnight change to remote working, served as the final nail for many organisations whose IT architectures were not set up to handle these new scenarios.

The current adoption of work-from-home policies across industries has created unprecedented opportunities for cybercriminals to exploit security vulnerabilities and trigger a data breach.

As Sandy Shen from Gartner notes, the COVID effect “is a wake-up call for organizations that have placed too much focus on daily operational needs at the expense of investing in digital business and long-term resilience.”

In April 2020 Google revealed that in just one week Gmail saw over 18 million daily malware and phishing emails related to COVID-19. Individuals were (and still are) being sent a huge variety of emails which impersonate authorities, such as the World Health Organization (WHO), in an effort to persuade victims to download software or donate to bogus causes. The numbers are not surprising, however: even before the pandemic hit us, email was already the number one threat vector in cybersecurity.

Together, all these issues have contributed to a rush from organizations to consider data centric solutions rather than perimeter solutions, with an eye firmly on securing sensitive data and services across all channels.

As more email and file sharing applications are hosted in virtual, cloud-based and hybrid platforms, protecting the confidentiality and integrity of enterprise data can be difficult. Data encryption is an obvious solution, but the many point solutions on the market each address just one part of the puzzle. This in turn introduces an increased level of complexity when it comes to managing multiple data security solutions. And what of the increased levels of trust demanded by extremely sensitive data sets, such as those classified as governmental or organisational top secret?

Encryption can be viewed as complex, and the management of encryption keys can be challenging for those organisations without strong security specialists. It’s important to remember that whoever controls the keys controls access to the data.

  1. Start with your data and operations. How you work and how you value your data is most important: the tool should fit you, not the other way round.
  2. Select encryption and key management technologies that offer a smart, centralised approach. Once data’s lost it’s lost, so there is no point building a fortress around your datacentre if your laptops are leaky.
  3. Ensure the tools fit your environment and work across clouds, on-premises and in data centres. Consistency is key – less to learn, less to go wrong, greater business agility.
  4. Implement strong identity technologies: hardware-backed PKI for machines, multi-factor authentication for humans.

nCipher and Galaxkey have partnered together to provide an easy to use, high assurance encryption platform that allows users to encrypt their email and file data, no matter the network they traverse or where they are stored – so you can sleep peacefully at night!

If you’d like to learn more about protecting your sensitive email, files and electronic document signing, why not check out our webinar with Galaxkey.

Click here to register for the live webinar on July 16, or view it on-demand later.

Cloudy with a probability of a breach

Juan Asenjo | Director of Product, Solutions and Partner Marketing - nCipher Security

In the 2009 movie Cloudy with a Chance of Meatballs, food instead of rain begins to fall from the clouds. Today’s hybrid computing environment employs so many applications using cryptography that clouds are saturated with crypto keys, and you don’t want to find that yours are falling from the cloud into the hands of cybercriminals. In this blog, and in an accompanying blog from our strategic technology partner Cryptomathic, we explore the critical need for key management in the hybrid cloud, particularly among banking and financial applications.

Cloud adoption

According to MarketWatch:

Globally, the financial cloud market is expected to grow from USD 16.55 billion in 2018 to USD 46.03 billion by 2023, at a CAGR of 22.7%. Increasing digitalization across the globe and a growing number of financial institutions that demand advanced IT solutions to gain genuine competitive advantage rather than building and maintaining an expensive IT infrastructure are the key driving factors for the growth of the market.

However, financial services, for obvious reasons, is also one of the most heavily regulated industries. Virtually every regulation that covers the protection of personally identifiable information includes the financial services industry as do such widely applied regulations as PCI DSS, the European Union’s eIDAS and PSD2, the Monetary Authority of Singapore’s Guidance, the U.S.’s Gramm-Leach-Bliley Act, and many more around the world.

Consequently, as financial services organizations take advantage of the cloud to better serve their customers, they must keep in mind that loss, theft, or misuse of even a single critical key can have significant impact on their organizations, including the need to issue breach notifications, loss of revenue, falling share prices, and serious reputational damage.

The recently published Ponemon Institute Global Encryption Trends Study offers some insight into this challenge. The study of 6,457 security and IT professionals in multiple industry sectors across 17 countries found that the top use cases for encryption of sensitive data are associated with cloud adoption. Use of encryption with public cloud services grew 21% over the past four years, and encryption for containers – one of the main technologies accelerating cloud adoption – grew 18% in just the past three years. When asked what the main driver for using encryption was, 47% of respondents said it was to comply with external privacy or data security regulations and requirements. As noted above, banks and financial services organizations are more heavily regulated, and therefore demand more robust security to fulfil their auditing and compliance needs.

Key management

The market for encryption is growing, and with more encrypted data we have more encryption keys to manage. As cryptographic keys underpin the security of applications and data on-premises, in the cloud, and in hybrid environments, properly managing their lifecycle is fundamental. Encryption is only effective if you protect your crypto keys, and that is where hardware security modules (HSMs) come into play. HSMs protect critical cryptographic keys in a dedicated, hardened, hardware-based appliance that establishes a root of trust over your keys, your applications, and your data. Cybersecurity professionals consider the use of HSMs to be a best practice. Deployed on-premises or in the cloud, nShield HSMs deliver FIPS 140-2 Level 3 and Common Criteria EAL4+ certified key protection, access control enforcement, and secure code execution. Giving organizations the option to supplement or replace HSMs in their data centers, nShield as a Service enables users to extend cloud-based cryptography and key management across multiple clouds, align crypto-security requirements with organizational cloud strategy, and simplify budgeting for business-critical security while decreasing time spent on maintenance and monitoring.

The way forward

Interestingly, the Ponemon study also found that the top 10 HSM use cases in 2020 include public cloud encryption. Fifty-six percent of organizations surveyed in the study said they would own and operate HSMs on-premises and have them accessed in real time by cloud-hosted applications. When asked if they would lease HSMs hosted in the cloud from a public cloud provider, 42% said they had that on their plan for this year.

Perhaps most relevant to this discussion are the findings related to the importance of key management. The use of HSMs for encryption and key management has grown from 33% in 2013 to 64% today. So, more organizations are using hybrid cloud environments to store and process their data, but at the same time, they must comply with increasingly stringent regulations. Key management and HSMs are “key” to their success.

Your critical keys might not be falling from the clouds, but if not well protected, they can certainly fall into the wrong hands. Cryptomathic and nCipher address the key management challenges experienced by banks and financial institutions with a certified bank-grade key lifecycle management platform. To learn more, check out our on-demand webinar: Key Management for the Hybrid Cloud

How To Avoid Blockchain Pitfalls

Pali Surdhar | Chief Security Officer, nCipher Security

Blockchain has been one of the most-talked-about technologies in recent years. IDC estimates spending on blockchain will rise from $2.9 billion in 2019 to $12.4 billion in 2022.

People see blockchain opportunities everywhere. That long list includes banking, connected cars, food safety, healthcare, identity, insurance, smart contracts and more. The thinking is that anything requiring preservation of the integrity of a record could benefit from blockchain.

Some even call blockchain the new internet -- offering traceability, trust and transparency.

But while blockchain offers a lot of promise, it also presents a variety of risks.

A cautionary tale

Mt. Gox serves as just one example of how blockchain can go horribly wrong.

Users relied on the giant bitcoin exchange to manage their bitcoin transactions. Mt. Gox failed to properly secure its customers' bitcoin, which led to a litany of concerns, including fraud, mismanagement and bitcoin theft.

Bitcoin was easily stolen by bad actors who exploited poor security practices including leaked credentials and transaction malleability, allowing attackers to hijack transactions to their own gain.

Mt. Gox lost a half-billion dollars’ worth of its customers’ virtual currency as a result. The company then filed for bankruptcy protection and suspended operations.

Bitcoin and blockchain represent a new paradigm. People thought they could implement these technologies without having to worry about security. Mt. Gox showed why that thinking is wrong.

A lack of accountability

Traditionally, liability has resided with banks, which are regulated businesses. That way, if something went wrong, you could point your finger at the financial institution. You could call out their weak authentication and demand that they cough up your money.

With blockchain, the model has changed. There is no central regulatory body. You have no recourse, no way to dispute things or get things corrected.

Users have to manage their encryption keys, shifting responsibility from entities like banks to individuals. If you lose your key, you have nowhere to go.

Who is accountable? No one.

That’s part of the challenge -- because with blockchain we’ve turned the model upside down.

A brief word on smart contracts

Speaking of liability, the smart contract also warrants consideration.

Smart contracts are computer programs or protocols running on blockchain. The smart contract says that if A does something to B, then C must happen. You only get your reward if you do things in the correct manner.

But contracts are typically the domain of lawyers, who understand and deal with intent. Managing disputes is not something that we can easily encode into an algorithm. Yet, smart contracts encode that behaviour onto blockchain, and they are written by coders -- not lawyers.

An inability to change

Another challenge with smart contracts and blockchain is that they are really hard to change.

You can’t verify what the contract is doing and that it’s executing as intended. And you can’t alter it if it’s incorrect.

Blockchain’s immutability also conflicts with privacy regulations, like the European Union’s General Data Protection Regulation (GDPR). GDPR and other rules provide individuals with “the right to be forgotten,” but blockchain never forgets.

The fact that blockchain is difficult to edit also makes it attractive to bad actors. Privacy poisoning can easily render an entire blockchain unusable. The attack involves using blockchain to store illegal data or defamatory records, putting the entire network in conflict with local laws.

A new kid on the block

Some of the risk attached to blockchain has to do with its maturity level. It’s important to remember that blockchain is a technology -- it’s not a process or a framework.

Blockchain is simply a ledger that can’t be corrupted. The actual practices of how users do things with and around blockchain, however, are unclear.

It doesn’t have the security development life cycle of security technologies like encryption and key management systems. A security development life cycle includes everything involved in how a solution provider or an implementing organization produces something. That goes from design to implementation, testing and operational maintenance.

Know who holds the keys to the castle

The key life cycle is critical because the one holding the key controls everything.

So, you need to know who is holding and controlling the encryption key.

You need to have a plan for what happens if the key gets lost, too. Again, it’s not that simple on blockchain. It’s up to the blockchain designer to build a backup process for such situations.

Choose use cases with care

Developers and users may be able to avoid “the blockchain graveyard” by selecting use cases wisely. Blockchain works best in situations not bound to the constraints of data or subject to volatile markets. It’s also smart to choose use cases in which the data is not that important from a financial perspective.

One potentially appropriate blockchain use case is a supply chain. Then you can actually have peer review with other people. Blockchain could also be used for airline loyalty points.

These are good use cases because they don’t require tight time constraints. If you want something instantly, blockchain is not going to be your friend. But if my loyalty points don’t appear on my frequent flier account immediately, that doesn’t really bother me.

Be selective about what goes on the chain

Also, think about whether you really want to put certain data on the blockchain. And if you have personally identifiable information (PII), don't put it on a blockchain.

Blockchain does not allow users to easily exercise their right to be forgotten or to correct their data. And PII creates legal risks for the organizations that implement blockchain.

Build an escape hatch

There's a growing appetite for automation. Against this backdrop, having no method of intervention or error correction is a big problem.

If there’s no escape valve for error correction, you're in dangerous territory. So, if you're designing a system, make sure you build in error correction.

It’s not always possible to get ahead of the game with blockchain. But it is important for blockchain designers and users to appreciate these threats on the blockchain landscape.

This article first appeared on Forbes.

Identity Wars Episode I: The Phantom Menace

Paul Cleary | Senior Solutions Engineer, Venafi

In the hit saga Star Wars, the series begins with Episode I: The Phantom Menace which introduces viewers to the two sides of the galaxy and sets the stage for the remaining films in the series. The epic battle between the Republic and the Empire, each with their own plans for the galaxy, plays out on a variety of diverse battlefields, employing both overt and covert tactics. In this first Episode, the phantom threat is a behind-the-scenes power struggle driven by greed and opportunity, and really doesn’t start to make itself known until it’s already too late.

In this blog, and the accompanying blog by Juan Asenjo, from nCipher Security, titled “Identity Wars Episode II: The Clone Wars,” we will take a look at some of the challenges organizations face when orchestrating machine identities within their infrastructure, and how proper tools can be used to mitigate the risks associated with those challenges.

Phantom threats

Today, enterprises across the globe are facing similar threats, which are mostly driven by those same factors—greed and opportunity. Often those threats are phantom in the sense that they are typically hiding just below the surface, pivoting silently throughout an infrastructure, and compromising the security of the organization. When the threat is finally detected, the damage has already been done. Data has been exfiltrated. Usernames and passwords have been stolen. Machine identities have been compromised.

Add to this scenario the fact that the overwhelming majority of organizations have had to dramatically speed up their digital transformation to enable workforces to continue collaborating on projects, accessing shared company resources, and preventing interruptions to business processes, all while working remotely. It's a daunting task that requires thorough planning from the beginning to ensure the security of the organization is just as strong, if not stronger than it was pre-pandemic.

Identities, both human and machine, play an extremely critical role inside an organization because identities establish trust. They identify an entity that is requesting access to something. This could be a systems administrator logging into a web server to perform maintenance, perhaps to manually install a renewed TLS certificate. This could be a service account using SSH to access a server in order to scale an application. This could be a developer initiating a build pipeline that will push an update to production. In all these scenarios, a compromised identity is a phantom menace that will continue to wreak havoc until it's either discovered and remediated, or the damage becomes too great to recover from.

Both the attack vectors and the desired outcomes for these threat actors can vary greatly from incident to incident. Sometimes the goal is to locate and steal an SSH key that might be exposed and unprotected. At minimum, the attacker now has an invisible entry point to delve deeper into the organization looking for larger targets. Other times hackers target build servers looking for unprotected code signing certificates. Once obtained, it's possible to use the code signing certificate to embed malware in code and then sign that code with a legitimate certificate. It's easy to imagine the damage that can do, both to a company's financial situation and public reputation.

By adopting industry-standard hardware and enforcing best-practice security policies, it's possible to mitigate these hidden threats and prevent them from taking hold in the first place.

Hardware security modules provide:

  • Greater entropy for cryptographic keys
  • A FIPS 140-2 secure boundary in which to store cryptographic material, making it far harder to exfiltrate
  • Integrations with products and tooling that automate the delivery of machine identities to the devices, services and applications that are secured by them

A robust machine identity protection strategy provides:

  • Visibility into an organization's machine identities—things like TLS certificates, SSH keys, code signing certificates, etc.—and where those identities are being used
  • Intelligence about those machine identities. Who is requesting them? Do they adhere to the policy set by the InfoSec team?
  • Automation capabilities, gained from native integrations with technology partners, that mitigate accidental human error, provide crypto-agility, and scale as the organization grows
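The visibility and policy-adherence checks the two lists above call for, as an added example that is not part of the original post and not Venafi's or nCipher's code: a small Go audit (standard library only) that walks a PEM export of an organization's TLS certificates and flags the ones that are expiring, carry a weak RSA key or signature algorithm, or rely on the CN alone. The policy thresholds (2048-bit minimum, 30-day renewal window, SAN required), the rule names and the self-signed sample certificates are all assumptions constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// Policy is an assumed InfoSec baseline for TLS machine identities.
type Policy struct {
	MinRSABits  int           // reject RSA keys smaller than this
	RenewWithin time.Duration // flag certificates that expire inside this window
	RequireSAN  bool          // modern clients ignore the CN, so a SAN is required
}
type Finding struct{ Subject, Rule, Detail string } // one policy violation for one certificate

// Audit evaluates one parsed certificate against the policy as of time now.
func Audit(c *x509.Certificate, p Policy, now time.Time) []Finding {
	var out []Finding
	add := func(rule, detail string) { out = append(out, Finding{c.Subject.CommonName, rule, detail}) }
	// A negative remaining lifetime means the certificate has already expired.
	if left := c.NotAfter.Sub(now); left < p.RenewWithin {
		add("expiring", "remaining lifetime "+left.Round(time.Hour).String())
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < p.MinRSABits {
		add("weak-key", fmt.Sprintf("RSA-%d below %d", k.N.BitLen(), p.MinRSABits))
	}
	if a := c.SignatureAlgorithm; a == x509.MD5WithRSA || a == x509.SHA1WithRSA || a == x509.ECDSAWithSHA1 {
		add("weak-signature", a.String())
	}
	if p.RequireSAN && len(c.DNSNames)+len(c.IPAddresses) == 0 {
		add("no-san", "certificate identifies its host by CN only")
	}
	return out
}

// AuditPEM walks every CERTIFICATE block in a PEM inventory export.
func AuditPEM(data []byte, p Policy, now time.Time) ([]Finding, error) {
	var all []Finding
	for blk, rest := pem.Decode(data); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue // skip keys or other material that may sit in the same export
		}
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return all, err
		}
		all = append(all, Audit(c, p, now)...)
	}
	return all, nil
}

func must(err error) { if err != nil { panic(err) } }
// SelfSigned builds a constructed sample certificate so the demo runs offline.
func SelfSigned(cn string, bits, days int, sans []string) []byte {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	must(err)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Duration(days) * 24 * time.Hour), DNSNames: sans}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	policy := Policy{MinRSABits: 2048, RenewWithin: 30 * 24 * time.Hour, RequireSAN: true}
	// Constructed inventory: one compliant identity and one legacy, soon-to-expire one.
	inventory := append(SelfSigned("web.example.test", 2048, 365, []string{"web.example.test"}),
		SelfSigned("legacy.example.test", 1024, 7, nil)...)
	findings, err := AuditPEM(inventory, policy, time.Now())
	must(err)
	for _, f := range findings {
		fmt.Printf("%-22s %-15s %s\n", f.Subject, f.Rule, f.Detail)
	}
}
```

In a real deployment the inventory would come from a discovery scan or a certificate management system rather than a hand-built PEM bundle, and each finding would feed an automated renewal or re-issuance workflow.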

In closing, it's important to reiterate that organizations today are under constant attack from these phantom menaces that hide inside encrypted traffic. These hidden threats increasingly target identities because of the inherent trust they provide. As nice as it would be to wave a forceful hand and say "these aren't the identities you're looking for," it's not quite that simple. Organizations must be aware of these threats and have plans in place to identify potential risks and prevent attacks before they begin.

To learn more about how Venafi and nCipher partner to provide greater security to the organization, while protecting against these phantom menaces, click here to download the solution brief.

To find out more about Machine Identity Protection, visit www.venafi.com.
