Voltage Security http://www.voltage.com Wed, 04 Mar 2015 17:52:55 +0000 en-US hourly 1 Data-centric Encryption Definitely Protects against Data Attacks http://www.voltage.com/blog/breach/data-centric-encryption-definitely-protects-data-attacks/ http://www.voltage.com/blog/breach/data-centric-encryption-definitely-protects-data-attacks/#comments Mon, 23 Feb 2015 22:15:04 +0000 http://www.voltage.com/?p=6632 […]

The post Data-centric Encryption Definitely Protects against Data Attacks appeared first on Voltage Security.

In the aftermath of last week’s data breach at healthcare provider Anthem there have been inaccurate and misleading claims around the ability of strong encryption to protect data against attacks such as this.

In order to understand these issues around strong encryption, we need to first understand Internet protocols. The Internet protocol suite that’s sometimes known as “TCP/IP” defines the communication protocols used in most of today’s computer networks. One notable feature of TCP/IP is how it abstracts the functionality of a network into four layers that we think of as comprising a “stack,” in which information only gets passed between adjacent layers of the stack. A similar conceptual model of an “encryption stack” can help understand both the capabilities and limitations of different approaches to encryption.

The TCP/IP stack as defined in RFC 1122 and RFC 1123 comprises four layers: Application, Transport, IP and Network Access, as shown in Figure 1. As the arrows in Figure 1 suggest, information is only passed between adjacent layers of the TCP/IP stack. So a process running at the Transport layer can pass information to a process running one layer away at the IP layer but not to one running two layers away at the Network Access layer.


Figure 1. Conceptual model of the TCP/IP protocol stack.

Similarly, it can be useful to think of encryption as taking place either relative to or at different levels in the TCP/IP stack, possibly creating a notional “encryption stack” that closely parallels the TCP/IP stack.

The analogy to an “encryption stack” can be made as follows: TLS encryption, for example, operates between the Application layer and the Transport layer. IPsec operates at the IP layer. Link encryptors encrypt at the Network Access layer. Full-disk encryption operates below the Network Access layer.

There are good reasons to encrypt at different places in the TCP/IP stack, but when you encrypt at a particular location, the encryption only protects against threats that target layers at or below where the encryption takes place. For example, if you protect data with full-disk encryption, it protects the data while it’s on the encrypted disks, but when the data leaves the disks when it gets passed up the stack to a process running at the Network Access layer, that particular form of encryption no longer protects it.

Or if you’re using TLS to encrypt data between the Transport and Application layers, the TLS encryption will protect against attacks that target the Transport layer, the IP layer and the Network Access layer, but it won’t protect against attacks that target processes running at the Application layer. Once data that’s encrypted using TLS gets passed up the stack to the Application layer, the TLS encryption is no longer protecting it.

And if you encrypt at the application layer, then the encryption will protect against attacks that target any layer of the TCP/IP stack at all.

So if Anthem was doing encryption at the Network Access layer, it’s certainly reasonable to assume that the hackers that penetrated their network would have easily been able to bypass this encryption. And in this case, it’s true that strong encryption would not have thwarted the hackers.

But if Anthem had been encrypting at the Application layer, then it’s reasonable to assume that the hackers would only have managed to extract cipher text. If this is the case, then the encryption would definitely have been able to thwart them.

This is why data-centric encryption at the Application layer is a more comprehensive solution to data protection: this approach protects against attacks that target any level of the TCP/IP stack, with hackers getting nothing more than cipher text from any of the networks that they manage to penetrate.

Newer data-centric encryption approaches like format-preserving encryption (FPE), and methods like secure stateless tokenization (SST), can protect data in such a way that decryption back to a live and vulnerable form isn’t necessary for most applications. Data-centric security removes the value from data that hackers might get through data breaches because it protects data at rest, in transit and in use. So when an attack happens, the attackers get nothing of value. In fact, Aetna and other organizations can use the data in its secure form for all existing business processes.

This is a key difference from the encryption most journalists are writing about. Format-preserving encryption provides a new model for data security which has been adopted by payment processors, financial organizations, retailers, enterprises, and data aggregators today. NIST understands the value format-preserving encryption offers to data breach mitigation, as demonstrated by its inclusion in NIST Special Publication 800-38G: Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption (draft).

What defenses did Anthem actually have in place? Right now, that doesn’t seem to be well known, but it will almost certainly be widely discussed over the next few weeks. And it certainly seems likely that a blanket statement that strong encryption would not have prevented hackers from exploiting Anthem will turn out to be false, or at least false in any meaningful way.

Luther Martin
Chief Security Architect, Voltage Security


HP Gets Serious About End-to-End Data Protection http://www.voltage.com/blog/releases/hp-gets-serious-end-end-data-protection/ http://www.voltage.com/blog/releases/hp-gets-serious-end-end-data-protection/#comments Fri, 20 Feb 2015 18:43:54 +0000 http://www.voltage.com/?p=6623 […]

The post HP Gets Serious About End-to-End Data Protection appeared first on Voltage Security.

This blog was originally posted on Friday February 19th by Albert Biketi at HP Atalla. 

When HP announced our definitive agreement to buy Voltage Security last week, we said that enterprises are facing a new paradigm in enterprise security that requires organizations to protect not just their systems, but the data itself. What our customers need is a data-centric solution that protects sensitive information from the moment it’s created throughout its entire lifecycle. That means protecting data wherever it moves – from emails to databases and attachments, in applications, in big data and analytic tools, through payment systems, mobile devices, on premise and in the cloud, in use, at rest, and in motion – for practically any data, anywhere.

We are genuinely excited about extending the capabilities of every product in the Voltage portfolio and can’t wait to give them the global scale and reach that HP brings, with our technologies and access to thousands of partners around the world. Security and protection of unstructured data throughout its entire lifecycle is critical for enterprises everywhere, and HP’s vision and execution in information governance and e-discovery is industry-leading. In the SecureMail and SecureMail Mobile product families, Voltage has a uniquely scalable and simple-to-manage approach to this problem that brings better security without traditional cost and complexity.

We are fully committed to the Voltage portfolio and are excited to enhance these product families with other powerful HP technologies, as we make them widely available and supported globally.

For additional information about the announcement, please check out the HP Next blog.

The transaction is expected to close in the first half of HP’s fiscal 2015, subject to customary closing conditions.

Read more here about HP’s vision of end-to-end data protection.

Albert Biketi
VP and General Manager, HP Atalla


Five Reasons to Use Data-Centric Security to Secure Your Hadoop Deployment http://www.voltage.com/blog/big-data-2/five-reasons-use-data-centric-security-secure-hadoop-deployment-2/ http://www.voltage.com/blog/big-data-2/five-reasons-use-data-centric-security-secure-hadoop-deployment-2/#comments Tue, 17 Feb 2015 23:16:47 +0000 http://www.voltage.com/?p=6610 […]

The post Five Reasons to Use Data-Centric Security to Secure Your Hadoop Deployment appeared first on Voltage Security.

Apache Hadoop is designed to enable very rapid time-to-insight, decision support, and operational efficiencies. But Hadoop poses many security and regulatory compliance challenges, including automatic replication of data across multiple nodes, multiple types of data concentrated in the Hadoop “Data Lake,” and access by many different users with varying analytic needs. With more companies adopting Hadoop, it is changing the cyberattack landscape. Traditional IT security controls like firewalls and intrusion prevention systems establish a security perimeter that’s designed to keep hackers out. But these technologies cannot fully protect an organization from data breaches and data leakage. This is where a data-centric security model is paramount.

Data-centric security:

1. Protects sensitive data. Analytics consume increasingly large volumes of sensitive data. Customer profiles and personally identifiable information, corporate intellectual property, payments/transactions data, protected health information and more – all of it is streaming into Hadoop and promises to deliver profound new insights and real-time decision-making. The best analytics include sensitive data.

2. Enables analytics on protected data. Data-centric security de-identifies the data at field and sub-field level. It’s format-preserving so an email looks like an email, a credit card number looks like a credit card number, and so on–preserving characteristics of the original data, including numbers, symbols, letters and numeric relationships such as date and salary ranges, and maintaining referential integrity across distributed data sets so joined data tables continue to operate properly. Up to 90% of your analytics can be performed on protected data, with no decryption required – so no performance impact.

3. Protects data in motion, at rest and in use. Traditional infrastructure security methods remain problematic, leaving security gaps throughout the data ecosystem. Today’s mega-breaches exploit those gaps. The solution: replace the data–with encrypted and tokenized values that preserve the format, behavior and meaning of the data for secure analytics. Data-centric security protects data pervasively throughout your ecosystem. It’s not just in Hadoop and other Big Data systems but across the multi-platform enterprise. Protection travels with the data.

4. Neutralizes the value of data to cyber attackers. Cyber thieves today are increasingly sophisticated, and always looking for which systems to attack. Hadoop is literally changing the attack landscape, because it simplifies their search by concentrating the data in massive clusters. But de-identified data in Hadoop is protected data, and even in the event of a data breach, yields nothing of value to the thieves, avoiding the penalties and costs such an event would otherwise have triggered.

5. Delivers regulatory compliance and risk reduction. These are board-level issues and can slow or halt the Hadoop implementation that lacks a strong and proven data security strategy from the outset. Data-centric security delivers the safe harbor protection needed in the event of data breach, along with the ongoing assurance of compliance with data privacy regulations.
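To make item 2 above (and the first post’s point that only protection applied to the data itself survives a compromise above the network layers) concrete, here is an added example that is not Voltage’s FPE or SST code: a keyed, deterministic, format-preserving tokenization of a card-number and e-mail field, followed by the same join run on plaintext and on protected data. The HMAC-based construction, DEMO_KEY and the sample records are constructed for this illustration; FF1 from SP 800-38G is a different, reversible construction.

```python
import hashlib
import hmac
import string

# Constructed demo key; a real deployment obtains keys from a key manager.
DEMO_KEY = b"constructed-demo-key-do-not-use"

# A character is replaced only by a member of its own class, so a digit stays
# a digit and a letter stays a letter; punctuation such as @ . - stays put.
CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase)


def _keystream(key: bytes, value: str, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, keyed on the whole value: the same input
    under the same key always yields the same bytes, which is what keeps
    joins working on protected data (deterministic tokenization)."""
    out = b""
    counter = 0
    while len(out) < n:
        msg = value.encode("utf-8") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def tokenize(value: str, key: bytes, keep_tail: int = 0) -> str:
    """Return a format-preserving token for value.

    keep_tail leaves the last keep_tail characters in the clear (for example
    the last four card digits used by returns/warranty lookups).
    Caveat: byte % len(alphabet) is slightly biased and the mapping is one-way;
    this is an illustration of the data shape, not a standardised FPE mode.
    """
    cut = max(0, len(value) - keep_tail)
    body, tail = value[:cut], value[cut:]
    stream = _keystream(key, value, len(body))
    out = []
    for ch, b in zip(body, stream):
        for alphabet in CLASSES:
            if ch in alphabet:
                out.append(alphabet[b % len(alphabet)])
                break
        else:
            out.append(ch)  # separator characters keep their position
    return "".join(out) + tail


def protect_field(records: list, field: str, key: bytes, keep_tail: int = 0) -> list:
    """De-identify one field in every record at the source, before it lands
    in Hadoop; all other fields are left unchanged."""
    return [{**r, field: tokenize(r[field], key, keep_tail)} for r in records]


def join_on(left: list, right: list, field: str) -> list:
    """Equi-join two record lists on field (a hash join, as an analytics
    engine would do it)."""
    index = {}
    for r in right:
        index.setdefault(r[field], []).append(r)
    return [(l, r) for l in left for r in index.get(l[field], [])]


# Constructed sample data standing in for two tables landing in the data lake.
CUSTOMERS = [
    {"card": "4111111111111111", "email": "alice@example.com", "zip": "94043"},
    {"card": "5500000000000004", "email": "bob@example.org", "zip": "10001"},
]
TRANSACTIONS = [
    {"card": "4111111111111111", "amount": 19.99},
    {"card": "4111111111111111", "amount": 42.00},
    {"card": "5500000000000004", "amount": 7.50},
    {"card": "340000000000009", "amount": 3.25},  # no matching customer
]


def demo(key: bytes = DEMO_KEY) -> dict:
    """Protect the card field in both tables, then run the same join on the
    plaintext and on the protected data; the row counts must agree, and a
    breach of the protected tables yields only tokens."""
    protected_customers = protect_field(CUSTOMERS, "card", key, keep_tail=4)
    protected_tx = protect_field(TRANSACTIONS, "card", key, keep_tail=4)
    return {
        "plaintext_join_rows": len(join_on(CUSTOMERS, TRANSACTIONS, "card")),
        "protected_join_rows": len(join_on(protected_customers, protected_tx, "card")),
        "protected_cards": [c["card"] for c in protected_customers],
        "protected_emails": [tokenize(c["email"], key) for c in CUSTOMERS],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```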

Voltage Security® is the global leader in data-centric security for Hadoop. Voltage SecureData™ encryption/tokenization protection can be applied at the source before data gets into Hadoop, or can be invoked during an ETL transfer to a landing zone, or from the Hadoop process transferring the data into HDFS. For more information on Voltage SecureData for Hadoop, please go to www.voltage.com/hadoop.


HP to Acquire Voltage Security to Expand Data Encryption Security Solutions for Cloud and Big Data http://www.voltage.com/blog/releases/hp-acquire-voltage-security-expand-data-encryption-security-solutions-cloud-big-data/ http://www.voltage.com/blog/releases/hp-acquire-voltage-security-expand-data-encryption-security-solutions-cloud-big-data/#comments Mon, 09 Feb 2015 22:00:10 +0000 http://www.voltage.com/?p=6587 […]

The post HP to Acquire Voltage Security to Expand Data Encryption Security Solutions for Cloud and Big Data appeared first on Voltage Security.

Voltage Security® today announced that it has signed a definitive agreement to be acquired by HP. Voltage’s proven data-centric encryption and tokenization technology will complement HP’s security portfolio, helping customers protect their most sensitive information whether it lives in the cloud, across mobile platforms, in big data environments, or within legacy computer systems for critical regulatory compliance.

HP is a trusted security partner across many industries, including financial services, healthcare, retail and the public sector. Voltage’s powerful data-centric protection solutions will join HP Atalla, HP’s information security and encryption business, expanding HP’s offerings in data classification, payments security, encryption, tokenization and enterprise key management.

HP has the scale and resources to support Voltage customers, helping them take a more proactive defense against adversaries and protect their data from the moment it’s created throughout its entire life cycle. With Voltage, HP will offer customers unparalleled data protection capabilities built to close the gaps that exist in traditional encryption and tokenization approaches.

Voltage’s data-centric strategy aligns with HP’s focus on end-to-end protection of the data itself, helping enterprises neutralize the impact of a breach and proactively combat new security threats. This is particularly important for enterprises that interact with financial payments systems, manage workloads in the cloud, or whose sensitive data flows into Hadoop for analytics – making them attractive targets for cyber-attackers.

Voltage’s highly innovative security solutions are an ideal match for supporting and expanding the HP Atalla portfolio. The addition of Voltage technology will continue HP’s leadership as a highly trusted security platform across industries, protecting the most sensitive information of modern organizations as they transition to cloud and big data ecosystems.

The transaction is expected to close in the first half of HP’s fiscal 2015, subject to customary closing conditions. For additional information, read more at HP Next.


Voltage Security – Welcome 2015! http://www.voltage.com/blog/payments/voltage-security-welcome-2015/ http://www.voltage.com/blog/payments/voltage-security-welcome-2015/#comments Fri, 30 Jan 2015 20:56:20 +0000 http://www.voltage.com/?p=6560 […]

The post Voltage Security – Welcome 2015! appeared first on Voltage Security.

It’s a brand new year and there’s no better time to reignite our focus and make 2015 the most successful and secure year for businesses to date. At Voltage Security®, we’re excited to be a certified Technology Partner with HP and the HP NonStop community, and a critical player in helping our customers ensure their sensitive data is more secure than ever before.

Over the course of the past year, in particular, cyber criminals have proved adept at thwarting existing IT defenses and exploiting weak links, especially targeting the payments ecosystem. Merchants, enterprises, e-commerce businesses and service providers face severe, ongoing challenges securing payment card data from the point of capture at the card reader or the browser through the transaction lifecycle. Businesses are also under pressure to achieve scope and cost-reduction goals in meeting compliance mandates such as the Payment Card Industry Data Security Standard (PCI DSS), while applying resources to adopting EMV and new digital wallet technologies at the same time.

While data security is a critical concern for all consumer-facing businesses, retailers are a prime example of how an industry is taking proactive measures to combat data breaches by planning to make these technology investments within the next 12 months:
• 32% of retailers plan to adopt P2P encryption in 2015,
• 27% say they will adopt tokenization of the card transaction within a year, and
• 48% plan to adopt EMV in 2015

These three technologies combine together to effectively close security gaps in the payments ecosystem that have been so heavily exploited by attackers–and so damaging to businesses and consumers alike.

Click here to download the full 2015 Store Systems Study

At Voltage Security, one of our top priorities in 2015 is helping retailers and other consumer-transacting businesses to neutralize data breaches. What’s needed to protect against adaptive, persistent cyber threats is a data-centric approach that protects data on its way up to the trusted host and also removes live data from back-end systems. Point-to-point encryption (P2PE) from the instant the card data is read, also called end-to-end encryption, encrypts all the payment card data before it even gets to the POS, and has become part of the PCI recommendations, echoed by Visa. If the POS is breached, the data will be useless to the attacker. Tokenization can eliminate live data from post-authorization retail processes like warranty and returns yet enable the retail business to still operate as before – even at scale. Data-centric encryption and tokenization together form a very strong defense. With data-centric security, you put security with the data itself, like the credit card number, the track data, or even the EMV or personal data in loyalty systems.

Voltage Security offers data-centric solutions, including Voltage Format-Preserving Encryption™ (FPE™), and Voltage Secure Stateless Tokenization™ (SST™) for native tokenization on the HP NonStop OS. With EMV to make it much harder to counterfeit physical cards from stolen data, and with P2PE and Tokenization to protect the card data in the retail flow, merchants and enterprises can turn the tables on data breaches in a major way. With the significant reduction in the cost of PCI compliance, there’s a strong ROI to justify it–in addition to avoiding the cost and complications of fines, remediation, and brand damage.

The proven reliability and virtually unlimited scalability of HP NonStop, with Voltage data-centric security, will provide compelling business value for retailers and card-accepting enterprises that must secure sensitive customer credit card and personal data.

If retailers follow through on their Store Systems investment plans, then our hope is that 2015 will truly be the year that retailers in the U.S. will close the security gap that’s currently vulnerable to malware data breaches (and insider attacks too). Discover how Voltage data-centric security running on the HP NonStop platform can help you neutralize data breaches – learn more at: www.voltage.com/breach


Voltage SecureStorage Complements HDP for Compliance and Data Protection http://www.voltage.com/blog/security/voltage-securestorage-complements-hdp-compliance-data-protection/ http://www.voltage.com/blog/security/voltage-securestorage-complements-hdp-compliance-data-protection/#comments Thu, 29 Jan 2015 20:07:24 +0000 http://www.voltage.com/?p=6548 […]

The post Voltage SecureStorage Complements HDP for Compliance and Data Protection appeared first on Voltage Security.

This blog was originally posted on Friday January 23rd as a guest blog of Hortonworks, hosted by Vinod Nair. Voltage Security is a Hortonworks Certified Technology Partner.

The demand for Hadoop is accelerating, as enterprises move from proof of concept to full production implementations. With the move to modern data architecture, data security and compliance have become a growing concern.

Securing data in Hadoop is a hot topic and the Hadoop community is investing and providing value-added capabilities in security and governance. A great example of this is the leading position Hortonworks takes with the authentication, authorization, audit and data protection capabilities delivered by Apache Ranger and Apache Knox.

Now Voltage Security®, the global leader in data-centric security for Hadoop, and a certified Technology Partner with Hortonworks, has announced Voltage SecureStorage™ for volume-level encryption in Hadoop. Voltage SecureStorage™ is available as a stand-alone option on a subscription licensing basis, for those looking for “data-at-rest” encryption. Voltage SecureStorage protects against loss of storage media–through human error or physical theft of the hard drive–and offers an initial security response to meet compliance requirements for data protection in Hadoop.

A significant value-added feature, Voltage Stateless Key Management™, is also included in the standalone subscription offer of Voltage SecureStorage. Voltage Stateless Key Management technology provides keys automatically, enabling granular, role-based access to data, and mapping to existing enterprise policies for data access. It eliminates another requirement of traditional security solutions, the key management database and key storage. Voltage Stateless Key Management saves on server costs and administration overhead by doing away with issues such as key roll-over, back-up, recovery and audit, and delivers high performance and scalability well-matched with Hadoop speeds.

For those customers electing to use basic level, data-at-rest protection now, Voltage SecureStorage provides this coverage economically while giving them the ability to grow their capacity and expand their protection in the future.

For those taking a longer view of the journey toward the data lake, Voltage provides the key management behind volume encryption, but this also enables expansion to other use cases for securing Hadoop data as well as other platforms, making Voltage SecureStorage the first step toward full data-centric security for Hadoop in the enterprise. Voltage delivers data-centric security with the Voltage SecureData Suite for Hadoop, which provides field-level data security in all modes of operation, for data-at-rest, in motion, and in use, and can be extended beyond Hadoop to other platforms and databases. The Voltage SecureData Suite for Hadoop includes both Voltage Stateless Key Management and Voltage SecureStorage.

Voltage offers subscription pricing options to support and align with customer purchasing preferences and different customer needs in procurement, from pilot phase to enterprise-wide deployments. Many customers begin by purchasing Hadoop on a departmental basis and they are looking for pricing options such as this new subscription pricing from Voltage. Subscription pricing includes all necessary infrastructure components, for a single, per node price. Subscription pricing can make it easier to configure, and easier to purchase, by reducing the up-front outlay. This pricing also aligns with the Hortonworks Data Platform (HDP) from a pricing perspective so the customer can make a TCO-based decision for the entire stack.

Voltage SecureStorage provides data-at-rest encryption integrated with Voltage Stateless Key Management, as a standalone option for $500/node/year. (Volume discounts are available upon request. Per node subscription pricing includes standard Voltage support.) Go to voltage.com/hadoop for more information and to purchase Voltage SecureStorage.

Carole Murphy

Director, Product Marketing, Voltage SecureData


Top 5 Tips for Data-centric Business Security http://www.voltage.com/blog/security/top-5-tips-data-centric-business-security/ http://www.voltage.com/blog/security/top-5-tips-data-centric-business-security/#comments Thu, 22 Jan 2015 22:00:18 +0000 http://www.voltage.com/?p=6534 […]

The post Top 5 Tips for Data-centric Business Security appeared first on Voltage Security.

Data security is one of the hottest tech topics of 2015. Cyber criminals continue their malicious ways with sensitive consumer data, and businesses continue to become more and more dependent on using sensitive data. It’s more important than ever to understand how to keep sensitive data safe and secure within corporate systems, and as it flows beyond the enterprise digital boundaries.

Here are five tips for keeping your business data secure the data-centric way:

1. Make it a Mission

A focus on data security should start at the top. Terence Spies, CTO at Voltage Security, offers this tip: “Get senior management buy-in to data protection as a core business value.”

We recommend getting this crucial buy-in from the start. Security and IT need to work together as a team to build security into the core infrastructure as early as possible. Take the time to revisit your corporate values and ensure that data security is part of the overall corporate focus and mission.

2. Get Organized

To protect your company’s data, you need first to know where it is. Sensitive data, such as private employee, customer and/or patient information is probably lurking throughout your company’s applications. Build and maintain an accurate map of sensitive data repositories and create operational policies for the organization to follow. Stay organized by following proven development techniques.

As John Weald, VP of Engineering at Voltage Security points out, “When deploying, start with one application that either receives sensitive data or stores sensitive data.” Continue from that point to assess and secure adjacent applications that deal with sensitive data.

3. Use Proven Data Protection Methods

Always use standards-based and proven data-centric techniques to protect your sensitive data. For instance, when it comes to sensitive data included within emails, Michael Osterman, founder of Osterman Research Inc., says, “Sending sensitive or confidential information through email without encryption is tantamount to posting private information on a bulletin board. Encrypting email, whether manual or policy-based, is a critical best practice and should be implemented for all users in every organization.”

For end-to-end protection of sensitive emails and attachments use Voltage SecureMail™ with Voltage Identity-Based Encryption™ (IBE). IBE solves the traditional key management, operations and scalability challenges.

4. Educate Your Team

There are some basic best practices that all employees who handle sensitive data should be aware of. Informing them of regular anti-virus and firewall updates, and of data de-identification strategies such as tokenization and encryption, can help address accidental data breaches down the line.

It’s important to make time to discuss security with employees. According to Balaji Ganesan, the Senior Director of Enterprise Security Strategy at Hortonworks, “It’s like taming the elephant. Don’t run away from the security discussion.”

Make data security education a vital part of every new employee’s training to ensure consistency across the company.

5. As Needed Only

The more often you access sensitive data, the greater the possibility that the data will be leaked or unintentionally left unprotected. John Weald offers our fifth and last tip: “Protect sensitive data when it is created but only access sensitive data when absolutely necessary.”

It’s an unfortunate reality that cyber criminals are out there looking for ways to take advantage of your sensitive data. It’s up to all of us to take the steps necessary to keep sensitive data safe and secure. Voltage Security can help.

What are your biggest concerns about data security? What other tips would you add to this list? Share your tips with us in the comments below.


Cryptography for Mere Mortals #14 http://www.voltage.com/blog/crypto/cryptography-mere-mortals-14/ http://www.voltage.com/blog/crypto/cryptography-mere-mortals-14/#comments Fri, 16 Jan 2015 22:57:43 +0000 http://www.voltage.com/?p=6520 […]

The post Cryptography for Mere Mortals #14 appeared first on Voltage Security.

A bit more than twenty years ago, at a software vendor long since vanished from the planet, a colleague suggested to our VP of Engineering that we should get an Internet connection. His response, enshrined in the memories of all who heard it: “Who will we talk to?”

OK, so he clearly wasn’t a visionary (which we knew too well already). And admittedly, nobody at the time was predicting the Internet’s full impact, or at least, how quickly it would come about. But here we are, two decades later, living on the Web—using it for shopping, reference, research, and more.

In fact, few people that I know would make a major purchase (or, often, even a minor one) without first researching it online. Being able to read real-world product opinions and reviews—crowd-sourced research, if you will—is but one aspect of the disintermediation that is one of the Internet’s big benefits. Today we can make much more informed decisions about which TV, car, or pair of jeans to buy, without having to just believe a salesperson’s claims, or hope that Consumer Reports covered the segment.

So it’s surprising and sad that when buying security products, people who would never believe a sales rep’s spiel when making a personal purchase will blindly accept vendor claims for much larger business purchases. Part of this is because it’s more difficult with enterprise software in general, and particularly with security—the market is relatively specialized, and companies are often particularly reluctant to discuss their usage of and experience with security products—but queries on mailing lists are vanishingly few, and responses even scarcer. When you add in the fact that the higher mathematics involved in things like encryption are well beyond the capabilities of most of us Mere Mortals, the challenge of making an informed decision becomes even more intractable.

The good news is that for the mathematical aspects of security, there’s another way to gain some assurance that the mathematics part, at least, is legitimate: third-party security proofs. I discussed proofs in Cryptography for Mere Mortals #5, but with a somewhat different focus.

There are security products on the market right now that make wild claims—“unbreakable security” is a favorite—without providing anything resembling security proofs. Others provide “proofs” created by the authors of the algorithm, or other parties associated with the company, and thus are not really “third-party”.

Andy Tanenbaum famously wrote, “The nice thing about standards is that you have so many to choose from”, which many take as an indictment of the whole concept of standards. This misses the points of both standards and Mr. Tanenbaum’s comment: because standards have been vetted by a group of experts, a product that adheres to a standard instantly gains imprimatur. And standards are related to proofs, because proofs are typically involved in creating security-related standards.

Voltage Security, Inc. has solicited third-party security proofs of its innovations, and has been involved with standards at various levels, since its inception in 2002. Voltage products are based on NIST, ANSI, IEEE, and other standardized algorithms (AES, KDFs, et al.), and third-party security proofs are available for Voltage Identity-Based Encryption (IEEE standard 1363.3), Voltage Format-Preserving Encryption (NIST draft standard 800-38G), and Voltage Secure Stateless Tokenization (ANSI X9 standards work proceeding). Voltage staffers sit on standards committees and Voltage methods are peer-reviewed and vetted by independent experts, available to our customers for their own independent analysis.

Other vendors hide behind obscurity, using proprietary algorithms that are kept secret. The risk for enterprises using such products is not only that the algorithms may not be inherently secure, but—even more insidious—that the method of implementation may add insecurity.

For example, cryptographic operations must be sufficiently isolated from application code that a malicious user cannot force a memory dump or hack the application code to obtain information to bypass security. This may not be possible if the operation takes place in the same address space as the application.

The only way to truly ensure security in such cases is to isolate the operations in another address space—on the same system, if address space isolation is secure on that platform, or on another server entirely. And many solutions use this approach: the popularity of Web services to perform encryption and tokenization operations is an example. By performing the encryption and tokenization on a separate server, the sensitive data exists only in that other server’s memory.

Yet, as with proofs and standards, some vendors choose the insecure approach. The obvious appeal is that by removing the interprocess call overhead and complexity, products run faster and with less overhead. With any security solution, performance is important, but trading security for performance is the wrong choice—and when such a product is breached, there can be no safe harbor for the company that employed it. It is thus critical to understand both the security and performance aspects of potential solutions, and where a question of trading off security for performance arises, the answer should always be “No”.
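The separate-address-space design described above, as an added example that is neither Voltage’s code nor any product’s implementation: a hypothetical tokenization service runs in a forked child process and creates its vault only after the fork, while the application talks to it over a pipe, so a dump of the application’s memory contains tokens and PANs in flight but never the vault. It assumes a platform with the `fork` start method (Linux or macOS) and 13–19 digit PANs; the token format (same length, last four digits kept) is a constructed convention, not Voltage’s.

```python
import secrets
from multiprocessing import get_context

def _service_loop(conn):
    """Tokenization service: runs only inside the service process. The vault is
    created here, after the fork, so the application never holds it (hypothetical)."""
    pan_to_token, token_to_pan = {}, {}
    while True:
        op, value = conn.recv()
        if op == "tokenize":
            token = pan_to_token.get(value)
            if token is None:
                # Keep length and last four digits so the token fits PAN-shaped
                # fields; retry until it is unused and differs from the PAN.
                while True:
                    body = "".join(secrets.choice("0123456789") for _ in value[:-4])
                    token = body + value[-4:]
                    if token != value and token not in token_to_pan:
                        break
                pan_to_token[value], token_to_pan[token] = token, value
            conn.send(token)
        elif op == "detokenize":
            conn.send(token_to_pan.get(value))  # None for an unknown token
        else:  # "stop"
            conn.close()
            return

class TokenClient:
    """Application side: holds one pipe end, never the vault or its contents."""
    def __init__(self):
        ctx = get_context("fork")  # fork before any secret exists in this process
        self._conn, child_conn = ctx.Pipe()
        self._proc = ctx.Process(target=_service_loop, args=(child_conn,), daemon=True)
        self._proc.start()
        child_conn.close()  # only the service process keeps its pipe end

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("expected a 13-19 digit PAN")
        self._conn.send(("tokenize", pan))
        return self._conn.recv()

    def detokenize(self, token):
        self._conn.send(("detokenize", token))
        return self._conn.recv()

    def close(self):
        self._conn.send(("stop", None))
        self._proc.join()
```

A production deployment would exec a separate binary or call a separate server rather than forking, because a forked child starts with a copy of whatever the parent already held in memory.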

When building its solutions, Voltage Security, Inc. considers both issues: we design in high security and also test performance for every release, and optimization is an active area for enhancement. The result is that Voltage products offer excellent performance with proven security, as demonstrated by our numerous enterprise customers.


Insights From EY’s 2014 Global Information Security Survey http://www.voltage.com/blog/risk/insights-eys-2014-global-information-security-survey/ Thu, 11 Dec 2014 23:45:20 +0000

The post Insights From EY’s 2014 Global Information Security Survey appeared first on Voltage Security.

“Anticipating cyber attack is the only way to be ahead of cyber criminals.” EY sends this message to all in their Global Information Security Survey 2014. The security survey, published in October, had 1,825 respondents from 60 countries worldwide in 25 different industry sectors. The report covered the foundations of cyber security and the elements that need the most attention in today’s cyber world. By focusing on being prepared for cyber attacks, businesses will be able to transform from an easy target to an impenetrable force. For organizations left unprepared and unprotected, cyber threats will continue to multiply.

The survey found that for many organizations, the biggest setback for cyber security is a lack of skill. The need for cyber security specialists is ever increasing as the threat becomes more prevalent. Five percent of responding organizations have a team with dedicated analysts and external advisors that evaluates their exposure to threat actors. That means that about ninety-five percent of organizations are left without the skill and knowledge to protect them from cyber threats.

Rather than making improvements in adapting to the cyber security world, the data shows that companies are moving backwards. In 2014, over 16 percent of companies admitted that they do not have a data breach detection program. This percentage has increased since the year 2013, when 12 percent of respondents reported not having a data breach protection program. This year only 13 percent of organizations say that their Information Security function fully meets their business’ needs, which is down four percent from the previous year.

According to the survey, upwards of 45 percent of respondents said that their companies “still have a lot to improve” when it comes to cyber security. Over 50 percent of organizations say that it is highly unlikely that their organization would be able to detect a sophisticated attack. This means that often cyber threats are overlooked and when not overlooked, the response is often too late. Increasing understanding and awareness within organizations can help close the door to cyber attacks.

What should organizations do now? The report recommends that companies continue to focus on the foundations of cyber security and make cyber security more aligned with key business processes. An important step that companies can take today is to protect sensitive customer and patient data, such as PII and PHI, from malicious hackers. Retailers and consumer-facing businesses can neutralize the threat of data breaches by protecting credit card and PAN data throughout the payment stream with enhanced encryption and tokenization. Voltage makes encryption and tokenization of sensitive data simple and effective through cryptographic innovations. Learn more at www.voltage.com.

For all you need to know about breach protection go to www.voltage.com/breach. For information on securing data in Hadoop, go to www.voltage.com/Hadoop.


What You Need to Know About The California Data Breach Report http://www.voltage.com/blog/payments/need-know-california-data-breach-report/ Thu, 04 Dec 2014 19:40:15 +0000

The post What You Need to Know About The California Data Breach Report appeared first on Voltage Security.

With the recent release of the California Data Breach Report from the office of Attorney General Kamala D. Harris, the state of California is left reeling over the increase in data breach victims. In the year 2013, reported data breaches rose 28% over the prior year. The number of Californians affected by such data breaches increased by over 600%. The increase was due in large part to the breach of the major retailer Target. The Target breach involved the payment card data of 7.5 million Californians and 41 million individuals in total. Harris made a call to action by stating, “Data breaches are a serious threat to Californians’ privacy, finances, and even their personal security. As California continues to lead the way in technological innovation, we must also continue to ensure that consumers and business are protected from cybercriminals and others who seek to profit from data breaches.”

Most of the data breaches that were reported to the Attorney General’s office were from the retail industry. The report states that the retail industry reported 26% of the total breaches, followed by finance and insurance with 20%, and health care with 15%. More than half of the breaches that took place in 2013 were caused by computer intrusions. Eighty-four percent of the retail industry breaches were the result of malware and hacking.

As the numbers continue to rise, the report recommends that California retailers and financial institutions should:

  • Move promptly to update their point-of-sale terminals so that they are chip-enabled, and install the software needed to operate this technology.
  • Implement appropriate encryption solutions to devalue payment card data, including encrypting the data from the point of capture until completion of transaction authorization.
  • Implement appropriate tokenization solutions to devalue payment card data, including in online and mobile transactions.
  • Work together to protect debit cardholders in retailer breaches of unencrypted payment card data.

For retailers, financial institutions and any other consumer-facing business that processes and stores sensitive consumer data such as credit card numbers, personal account numbers (PAN), personal identification information (PII), or personal health information (PHI), a solution such as Voltage SecureData™ can be easily implemented to protect sensitive data at rest, in use, and in transit. It utilizes Voltage Format-Preserving Encryption™, Voltage Secure Stateless Tokenization™, and Voltage Stateless Key Management to protect sensitive data. Voltage SecureData Enterprise is the only comprehensive data protection framework that secures data as it is captured, processed, and stored across devices, operating systems, and databases. It supports compliance regulations such as PCI DSS 3.0 and the Health Insurance Portability and Accountability Act (HIPAA).

For complete point-to-point encryption of retail payment transactions, Voltage offers Voltage SecureData Payments™ which can be implemented with mobile and point of sale devices and existing, legacy payment processing systems.

Cardholder data is then protected or tokenized where it is stored, transmitted, or used. Voltage SecureData Payments renders sensitive information useless to unauthorized users and is a proven solution used by leading payment processors, retailers and financial institutions.

For card-not-present environments, such as e-commerce, Voltage offers Voltage SecureData Web™ providing protection from the browser through the payment processing stream. Voltage SecureData Web features the innovative Voltage Page-Integrated Encryption™ (PIE) technology.

This report sheds light on the threat that data breaches pose to California consumers and businesses. Since data breaches are continuing to increase it is crucial that consumers and businesses also increase their security and level of knowledge on cyber security. In the words of Attorney General Harris, “More needs to be done to fight the scourge of online data theft.”

For more information on Voltage solutions for breach protection, please go to www.voltage.com/breach.

