the cypherwire - encryption doesn't have to be cryptic


Upload: echoworx

Post on 15-Apr-2017


Page 1: The CypherWire - Encryption doesn't have to be cryptic

© 2015 Echoworx. All Rights Reserved.

Adaptive Encryption for Evolving Risk & Compliance

The Cypher Wire: Encryption doesn’t have to be cryptic.

Encryption is Easy...

Your Workforce, Putting Data at Risk

Reliance on Data Residency

The message is loud and the message is clear. Comply with evolving regulatory mandates

Why then do you seem to be bombarded by high-profile data leak stories?

Survey findings, employees playing fast and loose with corporate data

Borders are porous. Data is not solely held. Effective data security is applied in layers.

www.echoworx.com

FALL | 2015

Page 2: The CypherWire - Encryption doesn't have to be cryptic


WELCOME TO THE CYPHER WIRE

It is an interesting time to work in cybersecurity and a particularly exciting time for the Echoworx team. Over the summer, we have been quietly transforming our business to better serve our clients and the extended community of IT and security professionals that work to protect the privacy of the data within their organizations and that of their clients.

One of the most noticeable changes is the launch of a brand new look and feel for our website. Not only a showcase for OneWorld, the market’s first smart message encryption platform; our new site has been designed from the ground up to be a valuable source for information on the latest in security trends, privacy regulation and encryption technology. In short, it has been designed with you in mind.

But we don’t plan to stop here.

The Echoworx team is eager to reach beyond our website to share with you the latest insights in data security and message encryption.

RYAN TOLLOFSON, VP MARKETING

Echoworx brings simplicity and scalability to encryption while assuring its integrity. OneWorld, our flagship solution, is the first smart message encryption platform that makes secure messaging easy and cost effective – designed to adapt to any environment and all forms of encryption. Our passionate encryption experts transform chaos into order for world leading enterprises and OEM providers who understand the requirement for secure communication is of the utmost importance. Visit us at www.echoworx.com

COVER PHOTO

By Jordi Bernabeu Farrús

Licensed under CC BY 2.0


Therefore, it is my pleasure to welcome you to the first edition of our new digital magazine: The Cypher Wire. Jam packed with original articles and data rich infographics, I am confident you will find our magazine an informative and easy read.

The Cypher Wire will be published digitally on a quarterly basis and our inaugural edition has been produced with one goal in mind – to demystify encryption.

Starting with Kai Cheung, Echoworx VP of Architecture, making the case that while encryption is easy it’s the human element that is the most confounding. With over 54% of workplace Millennials accessing confidential data from their personal devices, that is a sobering thought. Robby Gulri then highlights how deploying smarter and more adaptive encryption solutions can reduce this risk and help organizations stay compliant; while Greg Aligiannis, our resident security guru, looks at the important and trending topic of data residency.

Thank you for taking the time to read The Cypher Wire.

I encourage you to comment and share anything you find of value within these pages. Welcome to the conversation!


Page 3: The CypherWire - Encryption doesn't have to be cryptic

MORE EXPOSED THAN EVER BEFORE

An ever-growing landscape of costly data breaches and increasing security threats are constant reminders of our need to improve the protection of corporate and personal information. They also remind us to pay closer attention to the litany of evolving compliance and regulatory requirements.

The nature of personal information and data has changed. Beyond names, email addresses and phone numbers, individuals regularly disclose their birth dates, interests, and a range of relationships. Public pressure to respect and protect this information has led both local and federal governments to transform data regulations and hammer down enforcement. In short, protect private, sensitive information or pay the price.

Adaptive Encryption for Evolving Risk & Compliance

ROBBY GULRI, CHANNEL MANAGER


THINK SMARTER. DON’T ASSUME

Look closely at the type of encryption that cloud-based service providers are using. Are they utilizing the right encryption strength? Do the encryption methods adapt to user requirements, both sender and recipient?

ENFORCE OR TAKE THE HIT

The message is loud and the message is clear. Comply with evolving regulatory mandates or you will get punished severely. Global regulatory agencies are enforcing protection of data security like never before. Today we find entire agencies, such as the Occupational Safety and Health Administration (OSHA) in the US, being chiefly funded via collected fines and penalties. In light of these enforcement efforts, even companies with established data security compliance programs are re-evaluating their activities and security methods; this includes their existing encryption methods.

Updated security assessments are strongly recommended in order to mitigate your organizational risk and ensure the privacy of data. Trust takes years to build and only seconds to break. Help your clients understand what data you collect, why you collect it, what you do with it, and what your policy is for keeping it private.

GO PUBLIC WITH PRIVACY

When you hear the term privacy policy, top of mind you see an image of a long, legally formatted text file typically used by e-commerce vendors somewhere on their websites. However, a privacy policy, written with the intent to assure users they can trust you with their information, can actually be a business strategy. Once created, privacy policies should be shared in all publicly accessed areas within your corporation and a regular review of data protection best practices should be encouraged by your data officer.

Often leakage of sensitive data occurs due to human error not malintent. Ensure all levels of employees understand your privacy policies and are trained in data protection best practices, methods, and processes.

INCLUDE A DIAGRAM OF DATA FLOW IN YOUR PRIVACY POLICY:

• Where is data going once it leaves the network?

• Is it being stored offsite?

• Is it traveling over email?

• Is it processed by a third-party service provider?

• Are there cloud-based services being used to manage or maintain the data?

THINKING SMARTER

Given the evolving nature of local and federal data security regulations, your approach to communicating and sharing sensitive data must also evolve. All too often, I hear people loosely throw around the term email encryption. They assume sensitive information contained in emails they send and receive is both secure and encrypted, but frequently this is not the case. Your approach to securing email communication must continuously meet industry-wide regulations.

Organizations need to look closely at the type of encryption that cloud-based service providers are using. Find out if they are utilizing the right encryption strength! Do the encryption methods adapt to user requirements, both the sender and recipient?

The list of compliance and regulatory requirements driven by data breaches and security threats is not getting any shorter. Evolving risk & compliance requires adaptive encryption solutions.

Trust takes years to build and only seconds to break.


Page 4: The CypherWire - Encryption doesn't have to be cryptic


Playing fast and loose with corporate data

Only 50% of companies are implementing employee training schemes. Employee training is the most effective way of combatting user negligence resulting in data loss.

Choosing the right encryption solution for your organization is crucial.

Implementing a smart, adaptive encryption solution prevents data loss and the associated financial and reputational damage.

Page 5: The CypherWire - Encryption doesn't have to be cryptic

Encryption is Easy...

THE MATH OF ENCRYPTION

Modern encryption is based on mathematical problems that are assumed hard to solve, such as prime factorisation, quadratic residuosity, and discrete logarithms. It would take fundamental advances in higher mathematics to weaken them.

Today, well-designed Open Source libraries like Bouncy Castle and OpenSSL make encryption routines freely available to software writers. These libraries make encryption easy for them to implement.

So why then, if encryption is easy, do you seem to be bombarded by news stories containing high-profile data leaks?

THE CHINK IN THE ARMOUR, HUMANS

Encryption libraries are written by people. People make mistakes. The Heartbleed vulnerability discovered in April 2014 is a perfect example.

Security vulnerabilities in software applications are hard to avoid. Furthermore, malicious techniques such as SQL injection, buffer overflow/underflow, and cross-site scripting are all commonly used by hackers to steal your data, despite underlying encryption.

KAI CHEUNG, VP ARCHITECTURE ENCRYPTION SOLUTIONS


Firewalls, network intrusion detection systems, and project deadlines create a false sense of security and lure software writers into simply not encrypting at all.

LAPSES LEAVE NETWORKS EXPOSED

It takes a lot of technical resources to keep your server operating systems up to date. Even when they are, zero-day vulnerabilities, malware, spyware and viruses are often found. Additionally, you have anti-virus and anti-spam systems which also require constant updates.

Any lapse in maintenance will leave your computer networks exposed, with no warning of trouble until it is too late. Social engineering techniques used by hackers can trick you into revealing crucial system information, and malicious insiders or disgruntled employees can leak data out of spite and retribution. Not to mention, someone can simply physically break in and steal your computers.

WAYS TO COMPROMISE DATA, CONSTANT

Unintended mistakes are continuous. Emails are often sent in error and data drives are forgotten in cafés. These are all potential sources of highly sensitive information. Again, the weakness in data security comes down to humans.

In this day and age, people expect their financial and personal data to be secured.

The liability of breach and potential damage to your reputation is incalculable.

More and more companies are outsourcing their security and encryption, subscribing to software-as-a-service (SaaS) from reputable security providers. These providers typically meet and exceed regulatory requirements, providing up-to-date security and scalable encryption services at a reasonable cost.

These security providers hire technical staff that are highly specialised and well-trained in the areas of computing security. Their services provide policy-based controls that can automatically encrypt and protect data according to your sensitivity and confidentiality classifications. Moreover, their computing networks are constantly scanned and updated against potential and new types of attacks.

For companies not specialised in security, it is simply infeasible to implement the same level of protection in-house. Encryption is easy, security is hard.

To succeed, companies need to minimize the Human factor and build a solution that is comprehensive, automated, and adaptive. Given the industry-wide acceptance of SaaS models, the case for security and encryption SaaS is particularly compelling.

The flaw in the armour, Humans.


Page 6: The CypherWire - Encryption doesn't have to be cryptic

MAKING THE MOVE

As organizations move their operations to the cloud, they face the complexities and increasing pressures of protecting sensitive data belonging to them and their customers. Not to mention taking into account local regulatory requirements which often limit where data can be located in order to keep it out of the hands and eyes of prying government policies such as the broad-reaching US Patriot Act. Organizations eager to meet privacy and regulatory requirements place far too much emphasis on data residency alone.

PROTECTING SENSITIVE INFORMATION

GREG ALIGIANNIS, SENIOR DIRECTOR SECURITY

Protect your customer’s data first and foremost.


Reliance on Data Residency NOT Enough


While it does matter where data is stored, geographic location is not fixed when it comes to the internet.

BORDERS ARE POROUS

Data leaks from one jurisdiction to another on the way to its final destination. Data is also not solely held; all those bits can be infinitely copied. While the original may reside in a sufficiently approved locale, copies of it can easily exist in unexpected locations. It doesn’t necessarily need to be a malicious act which makes a copy of that data.

Your service providers’ backup or disaster recovery strategies may inadvertently create copies in geographically dispersed datacentres for service redundancy and resiliency. What if those datacentres are not in a jurisdiction which meets your data residency requirements?

THE TRUTH OF THE MATTER IS

If your organization is serious about data protection, you cannot solely rely on location and local laws as a means of satisfying your responsibility to your customers to ensure their data is sufficiently protected. Data residency laws alone will not sufficiently solve the problem. They are guidelines and rules. But it isn’t feasible for an organization or their cloud service providers to build datacentres in every country in an attempt to comply with local regulatory requirements either. Even if one could, it would not prevent access to that data from other countries.

EFFECTIVE DATA SECURITY IS APPLIED IN LAYERS.

At a minimum, one must insist that your cloud service providers employ some form of strong encryption in addition to data locale. Organizations serious about protecting their sensitive data and meeting regulatory requirements must ensure that the data remains protected throughout its entire lifecycle.

It is important to consider technologies which render data useless to anyone but its intended recipient from the moment it leaves your organization until the moment it’s consumed. For example, encryption applied during transport as well as storage will protect sensitive information irrespective of where that data ultimately resides. Furthermore, reliable authentication can ensure that only the intended consumer will have the ability to decrypt that data.

Encrypting sensitive data throughout its entire life cycle can relieve the burden for organizations to implement all of the regulatory requirements imposed on data protection from country to country. This significantly simplifies the task of protecting sensitive data.

Encryption provides protection of your customer’s data first and foremost but also facilitates regulatory compliance as a result.