Townsend Security Data Privacy Blog

Notable Data Security Breaches of 2014

Posted by Michelle Larson on Jan 8, 2015 10:40:00 AM

Make 2015 your year for increased data security with Encryption & Key Management

During the 2014 holiday season, the Sony data breach made the headlines even though the numbers affected weren’t in the millions like their 102 million PlayStation Network records that were breached back in 2011. This time, beyond all the damage done to their systems, Sony Pictures Entertainment became one of the most publicly blackmailed corporate breaches to date. The group that took over their company network had a list of demands that went along with the financial data and legal information being leaked on to file-sharing sites and sent directly to rival Hollywood studios.   

While the end results of the Sony breach may take time to be fully realized, there were a number of other large scale data breaches this year. Some of these you may be familiar with, more may yet be reported, and others might surprise you: 

  • eBay - online retailer
    The breach is thought to have affected the majority of the 145 million global members when a database containing customer names, encrypted passwords, email addresses, physical address, phone numbers, and dates of birth was compromised.
  • JPMorgan Chase
    76 million people were affected by the loss of PII including names, addresses, phone numbers, and email addresses.
  • Google
    5 million people had their account information compromised with the theft of usernames and passwords.
  • Home Depot
    In a large nationwide malware attack, 56 million card records were stolen through point-of-sale systems. In a second attack in Atlanta, 20,000 employees personal information was stolen and used to open fraudulent credit cards by 3 human resource employees.

Those are some pretty significant numbers, and most likely everyone that reads this blog has been affected in some way by at least one of these events, or by one of the 600+ breaches reported so far this year. What we all need to remember is that cyber crime isn’t limited to “Black Hat” hackers that only go after the big piles of data. Sometimes it is a disgruntled employee that destroys or releases sensitive data. Sometimes it is an unintentional employee error, or loss of an employee’s laptop/thumbdrive that thieves go after. Often it is the smaller company or mid-sized Enterprise that hasn’t yet implemented security steps, like encryption and authentication, to protect their sensitive information. For example, the unintentional loss of data on unencrypted backup tapes would be considered a reportable data breach event.

A new study from researchers at Gartner indicates that it is markedly less expensive for companies to invest in new security and encryption technologies than it is for them to respond to a data breach. According to the analyst firm, businesses pay roughly $6 per year per user for encryption tools, or $16 per user per year for intrusion prevention software licenses, versus paying out an average of $90 per user to address problems after a breach has occurred.

Five steps you can take to make sure this doesn’t happen to you:

  1. Have a defense-in-depth strategy that meets your level of risk tolerance.

  2. Make sure you know where all of your sensitive data is stored, and who has access to it.

  3. Use standardized encryption algorithms to make that data unreadable.

  4. Use an encryption key management solution to protect keys away from the data.

  5. Use two-factor authentication whenever possible, because passwords are no longer enough.

To help open up the conversation around your conference table, download this eBook on “Turning a Blind Eye to Data Security” and find out more about the tools & resources to begin discussions about data security in your company!

Turning a Blind Eye to Data Security eBook

Topics: Data Security, Encryption, Encryption Key Management, Data Breach, Video

Traditional Encryption Key Retrieval vs. On-Board Encryption?

Posted by Michelle Larson on Dec 23, 2013 10:20:00 AM

Supporting two models for encrypting data = Alliance Key Manager

Traditional encryption key retrieval with local encryption is when you retrieve the encryption key from the hardware security module (HSM) key server and use it with your own local encryption library to encrypt or decrypt data. The encryption key is transmitted securely from the key manager to your application, your application uses the key as long as it needs to, and then destroys that key.

On-board encryption is where you can send the data to the server, along with the name of the encryption key, and ask the server to encrypt or decrypt the data. In this case you never retrieve the encryption key, you actually send the data to the HSM device encrypted or decrypted, the encryption takes place on board actually within the hardware security module (the key manager itself), and you get the results sent back securely to your application.

When would you typically choose to do on-board encryption rather than retrieve the encryption key and then do encryption locally?

  • Vulnerable client applications - you would want to use onboard encryption when you have more risk in an exposed environment (web application or ATM or kiosk), that way the encryption key (which is the secret you're trying to protect) remains within the HSM and never leaves it.
  • Amount of data to be encrypted is small - Small chunks of data, such as credit card numbers, Social Security numbers, e-mail addresses, etc., are prime examples of things you can use onboard encryption for effectively.
  • If you don’t have encryption library - if you're working with an embedded system and you have a small amount of resources on your application side.

When should you not use onboard encryption for applications?

  • When you have large amounts of data it is best to retrieve an encryption key and perform the encryption locally.

How does Townsend Security’s encryption key manager, Alliance Key Manager, implement on-board encryption?

  • Your application will launch and create a secure encrypted TLS connection to Alliance Key Manager. There is an authentication mechanism that requires you to have a proper certificate and private key.
  • When that connection is open and authenticated, you send the data that you want encrypted and the name of the encryption key to be used to the key manager HSM.
  • Once the encryption is complete and the key manager sends data back to your application over the same secure channel, the connection can then be torn down.

Once a developer has decided to use onboard encryption with Alliance Key Manager what do they need?

There are three mechanisms that we deploy to make it a straightforward and simple process for developers use on-board encryption or key retrieval.

  • First we provide some software libraries, dynamic link libraries, in Windows or .NET assemblies or LINUX of shared libraries that can be used out of the box to perform these kind of tasks. These software libraries are on our AKM supplemental CD image and are free to use.
  • We also provide actual sample source code, that can be used as a starting point for an on-board encryption or traditional encryption key retrieval project.
  • We also provide purpose built applications that are ready to use out of the box to implement onboard encryption (typically by a configuration option when our software is installed).

For more information this brief video will talk about traditional encryption key retrieval versus onboard encryption services on the Alliance Key Manager device:

  • When you want to use, or avoid using, onboard encryption
  • Practical guidelines on how Alliance Key Manager implements the encryption service
  • How your applications will actually use either key retrieval or onboard encryption
  • Some performance and connection issues, and then
  • We'll point you to some resources that might be helpful as you do your project

Topics: Alliance Key Manager, Encryption, On-Board Encryption, Encryption Key Management, Video