Welcome to the Thales Key Management digital media news centre.
As companies look to protect their customer data and other sensitive information, encryption is being deployed more widely. Yet if an encryption key is lost then that data cannot be recovered. Avoiding this problem demands formalized processes and robust technologies for key management making the protection, management and secure use of cryptographic keys a fundamental component of modern IT security.
This Thales media center provides information on international industry issues and trends relating to the general topic of key management. There's also a Q & A page here which aims to answer some of the frequently asked questions on the subject. Key management affects organizations across all sectors and this site includes information on global best practices, regulation, technology, deployment scenarios and key management strategy.
Thales leads in the provision of information and communication systems security solutions for government, defence, critical infrastructure, enterprise and the finance industry. Thales’s comprehensive portfolio of security products and services protects electronic information – safeguarding transactions, IT operations and information transfers within highly sensitive and regulated environments.
How many organizations currently transfer sensitive data to the cloud? Who should be responsible for looking after that data? Are organizations capable of protecting their data once it has been transferred to the cloud? And how do organizations apply encryption to protect data in the cloud?
These are just some of the questions that our brand new study – Encryption in the Cloud – answers.
Last Thursday news broke that a hacker group leaked around 450,000 account passwords stolen from Yahoo! Voices, a subsection of the Yahoo! site where users submit their own content. In this case it appears that the passwords were stored in their original plaintext and not even hashed. The stolen data is now publicly available for anyone to download and use to attack other cloud services.
Cyber criminals frequently attack social media sites which have large user databases and are perceived to have weaker security, a topic I discussed at length here. Web users often use the same password for multiple sites, so the compromise of a password on one social network can give criminals access to higher value services elsewhere. While this is another high profile attack where the hacker chose to publish details of their exploits, we can assume there may be just as many covert breaches where the motives of the attacker require them to keep details of their attack secret.
This latest Yahoo! breach hammers home how websites need to use strong password hashes and, better still, application-level encryption to protect usernames, passwords and other sensitive data. At the same time, web users must remain vigilant with their online identities and refrain from using the same password for multiple sites, or risk their identities being compromised.
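As an added illustration of the "strong password hash" point (example code, not from Thales or any of the sites mentioned), the following stores only a salted, iterated PBKDF2-HMAC-SHA256 verifier for each user, so a leaked table like the Yahoo! Voices dump would contain no reusable plaintext. The record format and the 600,000-iteration work factor are assumptions for this example; pick the iteration count to cost roughly 100 ms on your own servers.

```python
import hashlib
import hmac
import os

# Constructed record format for this example (not a standard):
#   pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; tune to ~100 ms per check on the server


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a salted PBKDF2 verifier; the password itself is never written anywhere."""
    salt = os.urandom(16)  # per-user random salt: identical passwords give different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the stored salt and iteration count, compare in constant time."""
    try:
        algorithm, iterations, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed or plaintext record: fail closed rather than guess
    if algorithm != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)  # avoids timing leaks on mismatch position


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record predates the current work factor, so it should be upgraded at next login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True
```

Because the verifier depends on a fresh random salt, two users with the same password get different records, and a stolen table cannot be checked against a precomputed list without repeating the full derivation per user.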
The importance of managing cryptographic keys continues to grow, driven by the increase in regulatory demand for encryption, cloud computing and public data exposures. This series explores the latest approaches to pragmatic key management, what they mean for enterprise deployment and how to select a strategy that suits an organization’s particular project requirements.
Since the European Commission outlined its overhaul of EU data protection laws in June (see earlier post here), debate has continued about the scope and impact of the reforms, especially in reference to cloud computing.
The draft document is not due out until November but there has been considerable speculation on the details of the Directive, particularly over whether it will shift liability to the cloud provider in the event of a data breach.
As the final in a series of posts on key management in the Cloud, following are the remaining three possible strategies that organisations could look to adopt when thinking about how to secure their information in the Cloud.
The Just In Time Strategy is where keys and sensitive materials are stored on premise, only being released into the Cloud for a short time when needed. Quite a few companies are starting to offer such solutions with a large on-premise management system and a small software plugin for the Cloud applications which can fetch and use keys when needed. This is a promising model but it’s early days: watch out for highly proprietary systems, vendor lock-in and the need to modify applications directly to take advantage of the solution. And remember - the keys have still been exposed to the Cloud, no matter how briefly.
Having outlined yesterday the need to take an information-centric approach to key management in the cloud, today I would like to share the first half of a series of six strategies that could help organisations take this approach.
The first strategy I would like to outline is the Trust Everyone Strategy, where existing applications, keys and management tasks are fork-lifted from the datacentre into the service provider. No special steps are taken to address the control challenges introduced by the Cloud. However, as we all know, no matter what else you outsource you can’t outsource your responsibility, so this strategy is not really an option. I’m all for SLAs bridging the gap between business desires and technical reality, but wholesale handover of sensitive operations is probably a bridge too far.
As outlined in my last post, crypto and key management clearly have a lot to offer the Cloud, but in a bid to get ahead, important details sometimes get overlooked. To ensure that cryptography and key management are deployed to best use in the Cloud, we need to take a step back and remember why these solutions exist and why we use them the way we already do. What drove people to choose one approach over another? Why have best practices and standards of due care developed in the way they have? In key management, as in all matters of security, we need to return to the why before we can decide on the what and the how.
There is a lot of talk in certain circles at the moment about key management in distributed on-demand computing environments (aka ‘the Cloud’), but much of this seems too deeply product- or technology-oriented.
All this ‘solution-first’ talk approaches the problem in the wrong way. We need to return to our roots, look at why key management has become important and revalidate the use of cryptography to solve Cloud security issues.
There is no doubt that cryptography and key management are vital tools in the Cloud information security battle and companies with long experience in crypto and key management have much to offer this immature space. But we must re-examine the way we employ these tools in this new context and make sure that the technology is solving the problems, not defining them.
RSA have finally broken their silence over the extent of the SecurID breach and the implications are not good.
When I last wrote about this breach, RSA were understandably coy about the details and were looking into the size of their exposure. As time went on without further comment, the only logical conclusion had to be that the breach was big. Really big.
So, Sony got hacked. Again. According to LulzSec, the collective who hacked internal Sony networks and websites, they compromised over 1 million accounts, including admin details and passwords, along with 75,000 "music codes" and 3.5 million "music coupons".
What caught my attention in the LulzSec statement was the following:
“What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it.”