Voltage Security blog (http://www.voltage.com), feed dated Sat, 22 Nov 2014 02:30:56 +0000

Reflections on Strata + Hadoop World: Q&A With Sudeep Venkatesh, Voltage Security VP of Solutions Architecture
Posted Thu, 13 Nov 2014 19:59:10 +0000 at http://www.voltage.com/blog/voltage/reflections-strata-hadoop-world-q-sudeep-venkatesh-voltage-security-vp-solutions-architecture/

Recently, Voltage Security attended the Strata + Hadoop World conference in New York. While there, Voltage’s Sudeep Venkatesh, vice president of solutions architecture, spent the three days talking with other attendees. On his return from Strata + Hadoop World, Sudeep sat down to answer some questions.

Q: What did Hadoop World tell Voltage about the state of security and Big Data?

S. Venkatesh: It was interesting that among the hundreds of vendors represented at Hadoop World, only three provided security solutions. Among the 200+ breakout sessions listed in the Hadoop World schedule, not a single session dealt with security of any kind. This was the complete opposite of what we were hearing from the hundreds of attendees visiting the Voltage booth. Several of these attendees were from the financial services and healthcare verticals. Their data analysis needs require them to have sensitive information such as customer names, addresses, social security numbers, credit card numbers, and dates of birth in Hadoop. These attendees repeatedly said that several Hadoop projects were stalled because of a lack of security.

Q: What common Big Data security issues did you hear?

S. Venkatesh: In industries such as financial services, healthcare, government and telecommunications, this sensitive data includes PII (Personally Identifiable Information), PHI (Protected Health Information), and PCI (Payment Card Industry) data. Potentially exposing this data to a wide audience through a Hadoop deployment is not only bad practice from a security perspective, but also violates several industry and government regulations. This was the biggest security issue that we were hearing at Hadoop World.

Q: What element of data security were attendees the most interested in?

S. Venkatesh: At Hadoop World, attendees were most interested in field level encryption and tokenization technologies. Technologies such as Voltage Format-Preserving Encryption (FPE) and Voltage Secure Stateless Tokenization (SST) can protect sensitive data elements such as customer names, addresses, social security numbers, credit card numbers, dates of birth, etc. and still retain their format. This means that the vast majority of analysis can now happen on de-identified data. We have observed that up to 90% of Hadoop jobs can run on de-identified data, without ever having the need to access the real data.

Q: Why is security for Big Data important now more than ever?

S. Venkatesh: The lifecycle of data in Hadoop is very different to that in RDBMS technologies such as Oracle, SQL Server, and MySQL. With RDBMS technologies, data-centric protection can be “bolted on” at a later date and the sensitive data can be replaced with its encrypted counterpart or with tokens. This is in sharp contrast to HDFS, which is great at storing data but not at editing it. Once sensitive data enters HDFS, it is extremely hard to get rid of it without erasing the entire cluster. Enterprises that plan to store sensitive data in Hadoop should invest in a data-centric encryption or tokenization solution from day one.

For information on Voltage solutions for Big Data and Hadoop please visit http://www.voltage.com/solution/enterprise-security-for-big-data. More information on Strata + Hadoop World 2014 can be found at http://strataconf.com/stratany2014.
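The interview above makes one concrete technical claim: because format-preserving protection keeps a field looking like the original (a 16-digit card number stays 16 digits, an SSN keeps its hyphens), most analysis jobs can run on de-identified data and never touch the real values. The following added example is not Voltage code and is not Format-Preserving Encryption; it stands in for that property with a keyed, deterministic HMAC-based pseudonymization that preserves length and separators but cannot be reversed. The key and the transaction rows are constructed for the demonstration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo key. A real deployment keeps the key in a key manager
# or HSM and never hard-codes it.
DEMO_KEY = b"demo-key-not-for-production"


def protect_digits(value: str, key: bytes, domain: str = "pan", keep_last: int = 0) -> str:
    """Replace the digits of `value` with digits derived from an HMAC, keeping
    every non-digit character (hyphens, spaces) and the overall length.

    This is a keyed, deterministic, one-way stand-in for format-preserving
    protection: the same input under the same key always yields the same
    output, so joins and group-bys keep working on the protected column.
    Unlike real FPE it cannot be reversed, even with the key.
    """
    digits = [c for c in value if c.isdigit()]
    n_replace = max(len(digits) - keep_last, 0)
    if n_replace == 0:
        return value  # nothing to protect (value no longer than keep_last digits)
    # The domain tag keeps a PAN and an SSN with the same digits from mapping
    # to the same output. 10**n_replace is tiny next to 2**256, so the
    # modulo bias is negligible.
    mac = hmac.new(key, f"{domain}:{value}".encode(), hashlib.sha256).digest()
    new_digits = str(int.from_bytes(mac, "big") % 10**n_replace).zfill(n_replace)
    replacement = iter(list(new_digits) + digits[n_replace:])
    return "".join(next(replacement) if c.isdigit() else c for c in value)


# Constructed sample transactions (card number, amount). Not real card numbers.
TRANSACTIONS = [
    ("4111111111111111", 20.00),
    ("4111111111111111", 35.50),
    ("5500000000000004", 12.25),
    ("4111111111111111", 5.00),
    ("5500000000000004", 100.00),
]


def deidentify(rows, key):
    """Protect the card-number column, leaving the last four digits visible."""
    return [(protect_digits(pan, key, "pan", keep_last=4), amount) for pan, amount in rows]


def spend_per_card(rows):
    """A typical analytics job: total spend grouped by card."""
    totals = defaultdict(float)
    for pan, amount in rows:
        totals[pan] += amount
    return dict(totals)


def analysis_matches(rows, key):
    """Running the job on protected data gives the same per-card totals as
    running it on clear data; the job never needs the real numbers."""
    on_clear = spend_per_card(rows)
    on_protected = spend_per_card(deidentify(rows, key))
    expected = {protect_digits(pan, key, "pan", keep_last=4): total
                for pan, total in on_clear.items()}
    return on_protected == expected


if __name__ == "__main__":
    for pan, total in spend_per_card(deidentify(TRANSACTIONS, DEMO_KEY)).items():
        print(pan, total)
    print("SSN:", protect_digits("123-45-6789", DEMO_KEY, "ssn"))
```

The point to take from the example is the split of responsibilities: the job code (`spend_per_card`) is unchanged whether it is fed clear or protected rows, while the key stays with the protection step. Reversibility is what distinguishes encryption from the one-way mapping shown here; with FPE or tokenization the protected value can be turned back into the original by an authorized party, which this example deliberately omits.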

The post Reflections on Strata + Hadoop World: Q&A With Sudeep Venkatesh, Voltage Security VP of Solutions Architecture appeared first on Voltage Security.

The Results Are In – Strata + Hadoop World Survey
Posted Fri, 07 Nov 2014 23:49:50 +0000 at http://www.voltage.com/blog/security/results-strata-hadoop-world-survey/

In October, Voltage Security attended the Strata + Hadoop World Conference in New York. Over the duration of the show, Voltage conducted an anonymous survey querying attendees about their protection of sensitive data, and their current approach to securing data in Hadoop. With over 224 attendees participating, the results are revealing and show that protecting sensitive data in Hadoop is a top-of-mind concern for over 70% of the survey participants.

Below is a quick summary of the survey results:

  • Seventy-five percent of the survey participants said their business currently uses some form of sensitive data such as PCI (Payment Card Industry) data, PII (Personally Identifiable Information) or PHI (Protected Health Information).
  • When it comes to protecting that sensitive data, 51 percent said they are protecting it using encryption and 17 percent are protecting it with tokenization.
  • Nearly 70% of the survey attendees said they are planning big data projects involving sensitive data.
  • When asked what kind of sensitive data they need to secure for their Big Data projects, 35% said they need to secure credit card numbers, 27% need to secure social security numbers, 45% need to secure names and addresses and 29% need to secure date of birth.

As Hadoop adoption continues to accelerate across the enterprise landscape, data security clearly becomes a key consideration. As the survey reveals, well over two-thirds of Hadoop projects will involve some form of sensitive data, from credit cards to customer names and addresses. Data-centric protection, such as that delivered by Voltage SecureData™, secures the data itself through high-performance Voltage Format-Preserving Encryption™ and Voltage Secure Stateless Tokenization™.

More information can be found at www.voltage.com/breach.

The post The Results Are In – Strata + Hadoop World Survey appeared first on Voltage Security.

Voltage Comments on Apple Pay
Posted Thu, 18 Sep 2014 00:06:16 +0000 at http://www.voltage.com/blog/payments/voltage-comments-apple-pay/

With the new Apple Pay announcement, Apple validates the data-centric security model and shines a spotlight on the need for the payment world to move on from vulnerable static credit card numbers and magnetic stripes to protected versions of data such as tokenized or EMV style authenticated payments.

With this data-centric security strategy, as applied to mobile-originated payment transactions, Apple Pay may help reduce the risk of data breaches and credit card theft. However, payment ecosystems will carry a mix of traditional card payments, new restricted-use payment tokens and a variety of wallets, such as Host Card Emulation (HCE) varieties. To avoid any risk from advanced threats, merchants should continue to protect all transaction data across the board, given the likely mix of older at-risk data and less risky, but still potentially valuable, payment tokens in transaction flows. This is already easily achievable with current data-centric security solutions, such as Voltage SecureData.

The retail world today is still in an early adoption phase with regard to new payment methods and mobile wallets. US based retailers in particular still have to contend with EMV upgrades, legacy mag-stripe data, card-not-present e-commerce capture and a variety of advanced threats. Merchants will also need to update their retail infrastructure to accept Apple Pay, and likely many other wallet schemes. Thus for many years, legacy static credit and debit cards, EMV cards and newer schemes like Apple’s will need to co-exist, and advanced threats across all of them need to be mitigated to avoid continued breaches and customer data exposure.

Fortunately, even with exciting innovation like Apple Pay, mixed payment environments and credit card data can be secured end-to-end, from the point of card/wallet read to the secure payment host, with Voltage’s contemporary encryption solutions and advanced tokenization technology. This enables retailers to accept new and old payment approaches, all protected under a unified data-centric protection framework, to thwart advanced threats and protect customer data while ensuring a seamless, yet secured, customer experience.

Contact us here for more information or to talk to one of our data-centric security experts.

The post Voltage Comments on Apple Pay appeared first on Voltage Security.

Securing Hadoop: What are Your Options Webinar by Hortonworks / Voltage
Posted Tue, 09 Sep 2014 21:18:16 +0000 at http://www.voltage.com/blog/voltage/securing-hadoop-options-webinar-hortonworks-voltage/

Thanks to all who joined us on our Hortonworks/Voltage webinar, “Securing Hadoop: What are Your Options?” For those who couldn’t attend, we’re sorry we missed you. We’ve included a link to the webinar recording below, and we hope you can listen in! On the webinar, Hortonworks’ Vinod Nair presented the recently-announced Apache Argus incubator: a central policy administration framework across security requirements for authentication, authorization, auditing and data protection. Sudeep Venkatesh, of Voltage Security, defined data-centric protection technologies that easily integrate with Hive, Sqoop, MapReduce and other Hadoop interfaces.

Questions

A number of questions were asked on the webinar—here are a few:

Q: How far has Hortonworks come in development for Windows?

  • With HDP 2.1, the code lines for Windows and Linux for HDP Stack components have converged. HDP 2.1 is supported on Linux and Windows. The few functional gaps are being addressed in the near term. Details can be found at http://hortonworks.com/hdp/.

Q: Are you going to support OAuth for authorizing a resource in Argus?

  • Support for OAuth as a means of authenticating a user will be made available in a future release of HDP as part of Apache Knox. The authorization framework in Apache Argus covers fine-grained access control for HDFS, HBase and Hive in HDP 2.1.

Q: If data is protected at rest, using a data-centric encryption approach like those offered by Voltage, will that data still be encrypted when it travels through the network?

  • Yes, this is one of the benefits: with Voltage’s format-preserving technologies, sensitive data that is protected remains protected even as it transits the network, and also as it is used (and often can be used in analytics in its protected form).

Listen Now! Link to the recording

Stay Connected:

Hortonworks: http://hortonworks.com/blog/

Voltage: http://www.voltage.com/

The post Securing Hadoop: What are Your Options Webinar by Hortonworks / Voltage appeared first on Voltage Security.

Regarding the Recent Supreme Court Rulings
Posted Wed, 02 Jul 2014 21:28:25 +0000 at http://www.voltage.com/blog/miscellaneous/regarding-recent-supreme-court-rulings/

Recently the Supreme Court issued several rulings that will help stem the tide of lawsuits filed by patent trolls. Please go here to read the rulings.

Likely nervous about this, Protegrity’s law firm issued a press release which was a misleading and incorrect attempt at characterizing our recent settlement with their client.

Please go here to read the original Voltage blog post on the Voltage/Protegrity settlement.

The post Regarding the Recent Supreme Court Rulings appeared first on Voltage Security.

Data Breaches – Lognormal Distribution?
Posted Wed, 11 Jun 2014 20:33:31 +0000 at http://www.voltage.com/blog/breach/data-breaches-lognormal-distribution/

As I have noted before, the size of data breaches seems to closely follow a lognormal distribution. But if you spend a while collecting all that’s available about the breaches from last year and start writing R programs to analyze it, you soon find that this does not seem to be true anymore.

But if you plot the data, a reasonable explanation seems to appear: while lots of the data fits a lognormal model fairly well, there is very little information about very small breaches. This is not really too surprising. When data breaches were not as common as they are now, people might have been more diligent about reporting every breach, even if it exposed a few records. But now, it is probably the case that nobody really cares about the micro-breaches, so they are essentially not reported.

But in any case, here is a graph that summarizes the 2013 breaches that I could easily find information about. The grey bars represent the actual breaches while the blue line shows a lognormal model for the data. The two seem to agree fairly well, except for the very small breaches, where I could not find any such breaches reported, so I would guess that the same model is still fairly accurate today.

[Figure: histogram of 2013 breach sizes (grey bars) with a fitted lognormal model (blue line)]
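The reporting-gap explanation above can be checked numerically. The following added example is not the author's R analysis and uses no real breach data: it draws synthetic breach sizes from a lognormal, removes everything below a constructed reporting floor to mimic unreported micro-breaches, and refits. The fit on the reported subset shows the distortion the post describes (a higher fitted mean, a narrower fitted spread), and the per-decade comparison reproduces the graph's shape in numbers: the model predicts many small breaches in a bin where the reported data have none. The parameters `mu=9.0`, `sigma=2.5` and `floor=1000` are assumptions chosen for the demonstration.

```python
import math
import random
from statistics import mean, stdev


def fit_lognormal(sizes):
    """Maximum-likelihood lognormal fit: the mean and standard deviation of
    the natural logs of the (positive) breach sizes."""
    logs = [math.log(s) for s in sizes if s > 0]
    return mean(logs), stdev(logs)


def simulate_breaches(n, mu, sigma, seed=2013):
    """Constructed breach sizes (records exposed) drawn from a lognormal.
    Synthetic data, not the 2013 breaches behind the graph."""
    rng = random.Random(seed)
    return [max(1, round(rng.lognormvariate(mu, sigma))) for _ in range(n)]


def drop_unreported(sizes, floor):
    """Model the reporting gap: breaches smaller than `floor` records never
    make the news, so they are missing from the collected data."""
    return [s for s in sizes if s >= floor]


def normal_cdf(x, mu, sigma):
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))


def decade_histogram(sizes):
    """Count breaches per order of magnitude: key k holds sizes in
    [10**k, 10**(k+1)). This is the 'grey bars' view of the graph."""
    counts = {}
    for s in sizes:
        k = math.floor(math.log10(s))
        counts[k] = counts.get(k, 0) + 1
    return counts


def expected_per_decade(n, mu, sigma, decades):
    """Expected count per decade bin under lognormal(mu, sigma) for n
    breaches: the 'blue line' the bars are compared against."""
    out = {}
    for k in decades:
        lo, hi = math.log(10.0**k), math.log(10.0 ** (k + 1))
        out[k] = n * (normal_cdf(hi, mu, sigma) - normal_cdf(lo, mu, sigma))
    return out


def reporting_bias(n=2000, mu=9.0, sigma=2.5, floor=1000, seed=2013):
    """Fit the model to all breaches and to the reported subset only. With
    the small breaches missing, the fitted mu rises and sigma shrinks, and
    the model predicts many breaches in the decade just below the floor
    where the reported data show none."""
    everything = simulate_breaches(n, mu, sigma, seed)
    reported = drop_unreported(everything, floor)
    mu_r, sigma_r = fit_lognormal(reported)
    # Decade just below the reporting floor, e.g. [100, 1000) for floor=1000.
    smallest_decade = int(round(math.log10(floor))) - 1
    return {
        "fit_all": fit_lognormal(everything),
        "fit_reported": (mu_r, sigma_r),
        "dropped": len(everything) - len(reported),
        "observed_small": decade_histogram(reported).get(smallest_decade, 0),
        "model_small": expected_per_decade(len(reported), mu_r, sigma_r,
                                           [smallest_decade])[smallest_decade],
    }


if __name__ == "__main__":
    for name, value in reporting_bias().items():
        print(f"{name}: {value}")
```

Two things follow for anyone repeating the exercise on real breach lists: a naive fit to reported data overstates the typical breach size, and the disagreement in the smallest bins is a property of the collection process rather than evidence against the lognormal model itself.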

The post Data Breaches – Lognormal Distribution? appeared first on Voltage Security.

Cryptography for Mere Mortals #12
Posted Tue, 10 Jun 2014 17:34:31 +0000 at http://www.voltage.com/blog/pci/cryptography-mere-mortals-12/

An occasional feature, Cryptography for Mere Mortals attempts to provide clear, accessible answers to questions about cryptography for those who are not cryptographers or mathematicians.

Passwords, part 1

Q: Why does it seem like after every website hack, we’re told both “We don’t believe passwords were compromised” and “You should change all your passwords”?

A: “It’s complicated”—the answer has multiple facets.

First, remember that the word “believe” is in there: the company doesn’t want to say “Your password is absolutely safe”, because, as we’ve learned repeatedly, the facts surrounding a breach tend to evolve. So even if the first indications are that there was essentially no risk—say, the passwords were hashed with a salt and then stored in a database protected with strong encryption, and the breach was that someone stole a laptop containing the encrypted database—it might turn out later that things weren’t as secure as believed (the laptop’s owner finally admits that there “um, might be a Post-It in the bag with the machine that has the database password on it…and oh, yeah, we also discovered that the update to salt the passwords didn’t ‘take’, so they’re just hashed…”).
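The scenario in the parenthesis, a password store that was supposed to be salted but is "just hashed", has a visible symptom: two users with the same password end up with the same stored hash, so one precomputed table or one cracked hash covers all of them. The following added example (not code from the post) shows the unsalted state beside a salted, iterated PBKDF2 store, a constant-time verifier, and the audit check an operator can run against a stored table to confirm the salting actually took effect. The user directory is constructed for the demonstration; PBKDF2-HMAC-SHA256 is the stand-in for whatever password hashing scheme a real system uses.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed user directory for the demonstration; not real credentials.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}


def unsalted_hash(password: str) -> str:
    """The weak state the post describes: a bare hash of the password.
    Identical passwords produce identical hashes, so one precomputed table
    (or one cracked hash) covers every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, iterations: int = 100_000) -> str:
    """Salted, iterated hash via PBKDF2-HMAC-SHA256 with a fresh random salt.
    The stored record carries the scheme, iteration count and salt, so the
    hash can be verified later. Production systems should use the highest
    iteration count their login latency budget allows, or a memory-hard
    algorithm; 100,000 is kept modest so this demo runs quickly."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def hash_directory(users, hash_fn):
    """Store every user's password with the given hashing function."""
    return {user: hash_fn(password) for user, password in users.items()}


def duplicate_hash_groups(stored_hashes) -> int:
    """Defender's sanity check for 'the salting update didn't take': count
    hash values shared by more than one user. With per-user salts this is
    zero; a positive number means identical passwords are visible as
    identical hashes, i.e. the store is effectively unsalted."""
    counts = Counter(stored_hashes.values())
    return sum(1 for n in counts.values() if n > 1)


if __name__ == "__main__":
    print("unsalted duplicate groups:", duplicate_hash_groups(hash_directory(USERS, unsalted_hash)))
    print("salted duplicate groups:  ", duplicate_hash_groups(hash_directory(USERS, salted_hash)))
```

The duplicate-group count is cheap to run against a whole table and needs no passwords, which is why it is a useful post-migration check: a salted store should report zero shared hashes regardless of how many users picked the same password.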

Second, by now the public expects to hear “Reset your password” after a breach, if anything vaguely resembling passwords was involved. Thus the concern is that it would sound unconvincing to say “Oh, no, don’t worry, your passwords are safe, honest, trust us!”—especially when you consider that the biggest post-breach problem the victim is usually worried about is contained in that word “trust”: the stolen data is stolen, gone, nothing they can do about it except figure out how it happened and keep that from happening again; what they need to do is convince their customers that it’s OK to continue doing business with them.

Third, we all know that changing passwords periodically is a good idea anyway and that we don’t do it often enough (except for those sites that force us to, and we grumble when they do so). So when LinkedIn gets breached and everyone is told “Change your passwords”, the folks who don’t use LinkedIn ignore the advice; but then when eBay gets hit, a bunch more will respond. So the net is that more people get around to changing their passwords, which is a public good.

The risk, of course, is “breach fatigue”: that people hear this so often that they stop paying any attention to news about breaches, and never change their passwords!

And of course if Voltage SecureData is used, then the cost of a data breach is minimized—persistently protected data is of no value to an attacker, and in fact does not trigger breach notification requirements in most cases.

The post Cryptography for Mere Mortals #12 appeared first on Voltage Security.

Eight Best Practices for Private Email Communications
Posted Mon, 02 Jun 2014 22:01:57 +0000 at http://www.voltage.com/blog/security/eight-best-practices-private-email-communications-2/

Earlier this month, Voltage Security hosted a webinar entitled “Rethinking Email Security: Eight Tips For Private Email Communications”. The webinar was positively received by all those who attended. Below we share the link to the full webinar recording, and excerpts from the content.

With the ongoing concerns about enterprise privacy, and the pervasiveness of email communications, these eight tips are more timely than ever!

The full webinar recording can be found here.

1. End to End is a Must: Ensure data is protected while at rest and in transit. By shifting focus to protecting the data itself, it will be secured persistently, wherever it goes. Email encryption solutions that rely on two or more different encryption technologies inevitably end up splitting messages at some point in the mail flow, creating security gaps and allowing room for data to be compromised. A single, streamlined solution – based on a single technology for all use cases – ensures that data is protected persistently. In recent months, many organizations have been migrating to an email service in the cloud, where it is critical that sensitive information is encrypted before it enters the cloud, protecting it from access by IT operations and from breaches.

2. Don’t Hinder Compliance: Encryption does not have to break, or require extensive additional infrastructure for, compliance scanning, archiving, and e-discovery. The ability to roll out encryption while still maintaining critical features such as archiving, eDiscovery, DLP, and email hygiene scanning is a must. Your solution should be able to encrypt and decrypt messages based on compliance and mail routing policies, and should offer lightweight tools and plugins to support existing archiving and e-discovery business processes.

3. Stateless Critical for Simplified Operations: Deploy a solution that is stateless, with no certificates or keys to manage, ensuring lower infrastructure and operational costs. Keys can be generated dynamically, on demand when they are needed, eliminating the need to keep and maintain a key store. With a stateless solution, the need for keys or certificates to be backed up and replicated across servers is eliminated, providing infinite scalability. Additionally, disaster recovery should be as simple as taking a one-time backup of the master secret, which can then be used to easily recreate a new key server that can generate keys for past and future messages – with no loss of data.

4. One Encryption Technology – IBE: Deploy a single encryption technology that can work across all use cases and all end points, whether that is a desktop, mobile device, smart phone, tablet, or web browser. Voltage Identity-Based Encryption™ (IBE) can address all of these use cases for both internal and external email communications. Whenever an email is encrypted, always use the same delivery mechanism – email should follow a push delivery model to the recipient’s existing inbox, rather than having to create a separate inbox for the sole purpose of maintaining secure email communication. Needlessly managing multiple encryption technologies and delivery methods only increases complexity and cost across the IT and Help Desk organizations, and frustrates users.

5. Ease of Use for Senders and Recipients: Implement a solution that is easy to use, with the freedom to send ad-hoc secure communication to anyone, without having to worry about doing a key exchange, or whether the recipient has a certificate or shared password. The solution should work across a variety of commonly used endpoints, including mobile devices, email clients, and Web browsers – with little to no impact on how senders and recipients use email.

6. One Infrastructure – Multi-Tenancy Capable: Find a solution that supports multi-tenancy, where each tenant can have its own policies and branding to address the unique requirements and use cases of different lines of business, departments, and geographic regions – all under a single email encryption infrastructure.

7. Flexible Architecture that Enables Business: Find a solution that is flexible in terms of its architecture – one that will not lock your enterprise into a specific deployment model, and that can support on-premises, cloud, and hybrid deployment models. The solution should also be able to address complex mail flows, and integrate with a variety of email infrastructure, business applications, and websites. An ideal solution is one that is able to work today, but also one that will be able to adapt to changing business needs in the future.

8. Proven in Real-World Deployments: Look for a solution that is standards-based and proven in real-world deployments. Traditional encryption technologies such as S/MIME, PGP, Symmetric Key, Webmail, and others have failed because they have poor user experiences and are costly to operate. Find a solution that has proven time and again that it can be deployed enterprise-wide, not just within small pockets of an organization. If your company does business globally, then finding a solution that has successfully scaled across multiple countries – with a single infrastructure – is critical.

9. BONUS: A Look at Heartbleed & IBE: Data-centric encryption helps to protect sensitive information when there is a vulnerability like Heartbleed. Another approach to mitigate the risk of vulnerabilities and breaches is to use a solution that can rotate private keys every N days based on policy, which will significantly limit the attack footprint if a private key is compromised. Only the information that was encrypted during that limited time period will be at risk. With traditional PKI, private key rotation is not an option. Finally, be sure to test for the worst-case scenario. If your master secret is ever compromised, doing a root key rollover should be a routine procedure.

Voltage SecureMail meets and exceeds these eight best practices. For more information on Voltage SecureMail, go here and for a free trial go here.

The post Eight Best Practices for Private Email Communications appeared first on Voltage Security.

The Next Generation of Encryption
Posted Fri, 09 May 2014 14:00:21 +0000 at http://www.voltage.com/blog/crypto/next-generation-encryption/

Mark Bower, VP Product Management & Solutions Architecture, Voltage Security on data-centric security at Infosec Europe 2014 via Bank Info Security & Data Breach Today.

The post The Next Generation of Encryption appeared first on Voltage Security.

Reducing Payment Card breach risks in e-commerce without impacting the consumer interaction
Posted Tue, 22 Apr 2014 16:00:51 +0000 at http://www.voltage.com/blog/miscellaneous/reducing-payment-card-breach-risks-e-commerce-without-impacting-consumer-interaction/

It’s sad to see yet another data breach like this one – especially for online shoppers, as in this case. But the good news is there are ways to reduce the impact. One technique to mitigate this risk is to use end-to-end encryption from the browser to the processing host at the merchant, or to a secure payment acquirer. Techniques like Page-Integrated Encryption, for example, enable this end-to-end model and are already used by the world’s largest e-commerce processors and merchants for card-not-present risk reduction and compliance. With this approach, encryption of cardholder data under a one-time random key can happen in the browser (mobile, desktop, etc.) automatically, protecting data in transit beyond where SSL terminates – so the load balancer, web server, app server and so on never see cardholder data. Only the trusted host can decrypt. This can be implemented very quickly, and isolates sensitive data from upstream higher-risk environments.

When implemented correctly and validated, this approach can both limit the scope of applicable PCI controls and, more importantly, provide another simple, no-nonsense method to mitigate the risk of cardholder data breaches. There are no silver bullets, but with the right technology, the risk as reported can be shifted dramatically in favor of the merchant without disrupting the business and consumer flow – something that EMV, consumer wallets, and other approaches cannot do. Transparency for consumers is critical, and expected in today’s one-click-to-buy competitive e-commerce landscape.

Regards,

Mark Bower

VP Products & Solutions

Voltage Security

The post Reducing Payment Card breach risks in e-commerce without impacting the consumer interaction appeared first on Voltage Security.
