Tuesday, September 26, 2017

Tag: Vormetric

Vormetric data encryption will be available as a service to the public sector on the Government’s new G-Cloud 8 Framework; delivers a high assurance and agile key management platform for HMG

LONDON, England – 31 January 2017 – Thales, a leader in critical information systems, cybersecurity and data security, announces that its specialist cryptographic services provider Trustis has been awarded a place on G-Cloud 8, the UK Government’s cloud services procurement framework.

Trustis is making Vormetric data... Source: RealWire

Vormetric Data Security Platform expansion includes patented, non-disruptive encryption deployment and advanced Docker encryption

December 8, 2016 – Thales, a leader in critical information systems, cybersecurity and data security, today announced the release of new capabilities for its leading Vormetric Data Security Platform.

These advances extend data-at-rest security capabilities with deeply integrated Docker encryption and access controls, the ability to encrypt and re-key data without having to take applications offline, FIPS certified remote administration and management of data security policies and protections, and the ability to accelerate the deployment of tokenization, static data masking and application encryption.

Announced today by Thales:

  • General availability of Vormetric Transparent Encryption Live Data Transformation Extension: A patented solution that enables organisations to deploy and maintain encryption with minimal downtime.

    Enables initial encryption and rekeying of previously encrypted data while in use.

    Available previously as a pilot – now generally available.
  • Vormetric Transparent Encryption Docker Extension: Extends Vormetric Transparent Encryption’s OS-level policy-based encryption, data access controls and data access logging capabilities to internal Docker container users, processes and resource sets.

    Deploys and protects without the need to alter containers or applications.

    Enables compliance and best practices for encryption, control of data access, and data access auditing for container accessible information.

    Find additional information here: https://www.vormetric.com/products/containers.
  • FIPS 140-2 level 3 certified remote data security management and policy control for Vormetric Data Security Manager V6100 appliance.

    This innovation enables organisations with the most stringent compliance and best practice requirements to easily manage the full Thales line of Vormetric data security platform solutions without physical visits to data centers.
  • Batch Data Transformation: Eases initial encryption or tokenization of sensitive database columns in environments that are protected with Vormetric Application Encryption or Vormetric Tokenization.

    Also supports Static Data Masking requirements.

"IT system downtime is costly for any business, even when it is planned," said Bob Tarzey of UK-based Quocirca. "The financial consequences of IT disruptions arise from lost sales and productivity; in addition, consequent reputational damage can have a longer term knock-on effect," he added. "Downtime need not be caused by system outage, it can be due to data processing, which includes encryption.

The idea behind Vormetric's Live Data Transformation is to solve this problem, even for large databases with high transaction volumes.

Any organisation which needs to ensure both constant data security and availability should take a look at such technology."

Compliance requirements and best practices increasingly call for organisations to encrypt and control access to sensitive data, while also logging and auditing information about sensitive data access.

The company’s recent 2016 Vormetric Data Threat Report revealed that perceived “complexity” is the number-one reason that enterprises do not adopt data security tools and techniques that support these capabilities more widely.

These advanced data security controls directly address this problem by enabling enterprises to confidently support their digital transformation more easily and simply, and in more environments, than ever before.

“Thales continues to innovate by providing advanced data security solutions and services that deliver trust wherever information is created, shared, or stored,” said Vice President of Product Management for Thales e-Security, Derek Tumulak. “No other organisation offers the depth and breadth of integrated data security solutions, or enables enterprises to confidently accelerate their organisation’s digital transformation, like Thales.”

Availability: All new offerings are planned to be available in Q1 2017

About Thales e-Security
Thales e-Security + Vormetric have combined to form the leading global data protection and digital trust management company.

Together, we enable companies to compete confidently and quickly by securing data at-rest, in-motion, and in-use to effectively deliver secure and compliant solutions with the highest levels of management, speed and trust across physical, virtual, and cloud environments.

By deploying our leading solutions and services, targeted attacks are thwarted and sensitive data risk exposure is reduced with the least business disruption and at the lowest life cycle cost.

Thales e-Security and Vormetric are part of Thales Group. www.thales-esecurity.com

About Thales
Thales is a global technology leader for the Aerospace, Transport, Defence and Security markets. With 62,000 employees in 56 countries, Thales reported sales of €14 billion in 2015. With over 22,000 engineers and researchers, Thales has a unique capability to design and deploy equipment, systems and services to meet the most complex security requirements.
Its exceptional international footprint allows it to work closely with its customers all over the world.

Positioned as a value-added systems integrator, equipment supplier and service provider, Thales is one of Europe’s leading players in the security market.

The Group’s security teams work with government agencies, local authorities and enterprise customers to develop and deploy integrated, resilient solutions to protect citizens, sensitive data and critical infrastructure.

Thales offers world-class cryptographic capabilities and is a global leader in cybersecurity solutions for defence, government, critical infrastructure providers, telecom companies, industry and the financial services sector. With a value proposition addressing the entire data security chain, Thales offers a comprehensive range of services and solutions ranging from security consulting, data protection, digital trust management and design, development, integration, certification and security maintenance of cybersecured systems, to cyberthreat management, intrusion detection and security supervision through cybersecurity Operation Centres in France, the United Kingdom, The Netherlands and soon in Hong Kong.

Contact:
Dorothée Bonneil
Thales Media Relations – Security
+33 (0)1 57 77 90 89
dorothee.bonneil@thalesgroup.com

Liz Harris
Thales e-Security Media Relations
+44 (0)1223 723612
liz.harris@thales-esecurity.com

Vormetric Live Data Transformation solution recognised for innovation, functionality and originality

LONDON, England, November 25, 2016 – Thales, a leader in critical information systems, cybersecurity and data protection, has announced that its Vormetric Live Data Transformation was named Security Innovation of the Year in the Computing Security Excellence Awards, following a ceremony in London. Judged by an independent panel, the awards celebrate the achievements of the IT industry's best security companies, solutions, products and personalities.

This category was highly competitive, with the judges looking for products and services that can demonstrate something truly new and innovative. With cyber threats and compliance requirements increasing in tandem, it is important that encryption can be deployed and managed with minimal impact on business processes and user experience. However, when very large data sets are involved, initial encryption deployments can reduce data availability and require lengthy maintenance windows.

Compounding matters further, maintaining data security compliance often requires routine encryption key rotation even after initial deployments have been successfully completed. When large data sets have been encrypted, significant processing time and long periods of planned downtime may be required to support the rekeying of data.

These realities have often forced security and IT teams to make tough trade-offs, fundamentally having to choose between security and availability. “The use of encryption is critical to securing data at rest, but trying to encrypt very large databases or millions of files can span hours and even days, which can be a non-starter for applications that can’t afford long maintenance windows,” said Louise Bulman, Vice President of U.K. and Ireland Sales for Thales. “Our Vormetric Live Data Transformation is a real game-changer.

For the first time, the operational impact of protecting data is effectively zero – organisations can be confident that their data, wherever it resides, is secured, without worrying about the disruption traditionally associated with encryption.

As such, we are very proud to have been recognised in this category at the Computing Security Excellence Awards.” With Vormetric Live Data Transformation from Thales, encryption is delivered with minimal disruption, effort, and cost.

The solution’s transparent approach enables security organisations to implement encryption without changing application, networking, or storage architectures. Launched earlier this year, the product offers patented capabilities that deliver breakthroughs in resiliency and efficiency, while also highlighting Thales’ drive to continue offering organizations the most innovative, easy to deploy and operate data security solutions available.

“With this solution, businesses can ensure data protection while continuing to operate without interruption – no matter how many files are involved or how large their databases are,” continued Bulman. “Our Vormetric Live Data Transformation product offers significant improvements in security and data availability, while reducing the operational costs typically associated with encryption. We thank the judges for recognising our ongoing commitment to data encryption and protection.”

Cloud-based key management service helps businesses to retain control of critical assets

Plantation, FL – 12 August 2016 – Thales, leader in critical information systems, cyber security and data protection, announces support for AWS Key Management Service (KMS) with enhanced security and control through bring your own key (BYOK) with hardware key protection. With Thales hardware security modules (HSMs) and key management on premises, organizations can take control of the lifecycle of the keys they use in the cloud, and revoke or retire those keys as necessary.

This gives organizations flexibility in deploying applications in the cloud while retaining control of critical business operations in-house. Jon Geater, Chief Technology Officer at Thales e-Security says: “As organizations focus on moving their more sensitive data and applications to the cloud, sound encryption key management has become a more important consideration.

The ability to manage cryptographic keys in-house and release them to cloud providers only on a ‘need to use basis’ is becoming an increasingly powerful tool and one that Thales has the proven experience and expertise to deliver. Moreover, local control over the generation and storage of keys can help organizations meet the security and compliance requirements needed in order to run their most sensitive workloads in the cloud.”

Find out more about AWS Key Management Service here https://aws.amazon.com/blogs/aws/new-bring-your-own-keys-with-aws-key-management-service/

For industry insight and views on the latest key management trends check out our blog www.thales-esecurity.com/blogs

Follow Thales e-Security on Twitter @Thalesesecurity, LinkedIn, Facebook and YouTube

About Thales

Thales solutions secure the four key domains considered vital to modern societies: government, cities, critical infrastructure and cyberspace. Drawing on its strong cryptographic capabilities, Thales is one of the world leaders in cybersecurity products and solutions for critical state and military infrastructures, satellite networks and industrial and financial companies. With a presence throughout the entire security chain, Thales offers a comprehensive range of services and solutions ranging from data protection and trust management, security consulting, intrusion detection and architecture design to system certification, development and through-life management of products and services, and security supervision with Security Operation Centres in France, the United Kingdom and The Netherlands.

Press contacts

Thales, Media Relations Security
Dorothée Bonneil
+33 (0)6 84 79 65 86
dorothee.bonneil@thalesgroup.com

Thales, Media Relations e-Security
Liz Harris
+44 (0)7973 903648
liz.harris@thales-esecurity.com

Salesforce.com is stepping up its efforts to woo security-conscious businesses by adding "bring your own key" encryption to its Salesforce Shield cloud services. Introduced a year ago, Shield offers encryption, auditing, and event-monitoring functions to help companies build cloud apps that meet compliance or governance requirements.

Encryption is based on keys generated by Salesforce using a combination of an organization-specific "tenant secret" and a Salesforce-maintained master one. Originally, secrets and keys in Shield were generated and managed through Salesforce's built-in key-management infrastructure, accessed through a point-and-click interface.

"That satisfied the needs of the vast majority of customers," said Brian Goldfarb, Salesforce's senior vice president for App Cloud marketing. "But in regulated industries, there are some who want more."

Targeting organizations in such tightly controlled industries -- healthcare and life sciences, for example -- BYOK encryption gives users the option of generating and supplying their own tenant secret to create encryption keys in Shield.

They can then manage those tenant secrets independently of Salesforce through their existing hardware security module (HSM) infrastructure, through open-source crypto libraries such as OpenSSL, or through third-party services such as AWS Key Management Service.
Salesforce has also partnered with key-brokering companies including Vormetric and Skyhigh as another administration option.

"This is pretty darn important," said John Kindervag, a vice president with Forrester. "Without the ability to control your own key materials, how can you be sure you and only you are controlling access rights and your own data?"

It will benefit any company that uses data that's "somewhat sensitive and could get them in trouble if it leaks," Kindervag said. The feature could also help alleviate data-sovereignty concerns by making it easier to encrypt data and control the encryption, he added.

"Eventually, everyone will come to their senses and realize that the real solution for sovereignty is encryption, not building data centers in various countries," Kindervag said.

The new BYOK feature is in pilot testing, with general availability planned for later this year.
It will be included at no extra charge with the Salesforce Shield platform-encryption module.

Security, the future, and the security of the future were some of the key issues that have drawn the attention of Computing readers over the last seven days, with these subjects making up a significant proportion of this week's most popular articles.

A full week after Apple revealed its iPhone 6, the Cupertino firm remained a popular subject for our readers, although this time it was for more negative reasons, including disgruntled iTunes users complaining about the unwanted appearance of a certain aging Irish band in their music libraries.

Naturally, given the imminence of the big Scottish independence referendum, Scottish IT issues were also on the agenda too...

10. 75 per cent of mobile apps will fail security tests in 2015 - Gartner

Analysts love gazing into their crystal balls to see what the future holds, and they love telling everyone about their predictions even more. But first they have to get our attention. That may be why analysts at Gartner decided to combine two key topics of interest for IT professionals - mobile and security - coming to the amazing conclusion that the ever increasing rise of the former means bad things for the latter.

More than three quarters of mobile applications will fail basic security tests next year, the analysts say, putting the enterprise at risk from hackers and other ne'er-do-wells.

"Enterprises that embrace mobile computing and BYOD strategies are vulnerable to security breaches, unless they adopt methods and technologies for mobile application security testing and risk assurance," said Dionisio Zumerle, principal research analyst at Gartner, who argued that most enterprises are "inexperienced in mobile application security".

9. Chinese hackers breached US military contractors

It's understandable that the fact the United States government has found itself victim of cyber attacks may come as a welcome source of schadenfreude to lesser mortals in charge of IT security, while at the same time being something of a worry.

On the one hand, it demonstrates that everyone, however big their budget, is vulnerable to hackers, lessening the pressure on the humble CISO; but on the other, if the US authorities can't tell if their systems have been hacked, what chance do the rest of us have? Well, not a lot it seems.

A Senate report found that US military contractor networks had been infiltrated by Chinese hackers on at least 20 occasions between June 2012 and May 2013. But at least the attacks have been stopped, right?

"Do I have confidence that the Chinese are stopping? No," said Carl Levin, Democratic Senator of Michigan and chairman of the Senate Armed Services Committee behind the report. Oh, right, well then ... that's bad.

8. Western security concerns are 'noise on the periphery' says Huawei exec, as firm looks to impress CIOs

With Western governments and organisations wary of cyber espionage by computer hackers from China, Chinese telecommunications firm Huawei often finds itself forced to answer questions about the exact nature of its relationship with the government of its country of origin.

Speaking at an event at The Savoy Hotel in central London, the snappily-named and -titled Dr Leroy G. Blimegger Jr, senior vice president of Huawei Global Technical Services and global president of Assurance & Managed Services, spoke of plans Huawei has to increase its engagement with CIOs.

Computing asked Blimegger how Huawei intends to reach out to CIOs who will be aware that many western governments are wary about the firm's alleged association with the Chinese government.

"Yes, there's always news floating around the edges and yes we always have to expend some energy to take care of that," said Blimegger, adding "But the reality is our business is the fastest growing business in Huawei and when we talk to CIOs they're not interested in that, they understand a lot of that is just noise on the periphery."

7. Backbytes: Apple offers one-click U2 removal after Bono backlash

While computer security issues are obviously very important, there are worse things. The horror of unsuspecting members of the public being forced to listen to music they didn't even buy is obviously right up there with corruption and tax-dodging when it comes to corporate scandals.

Initially, when U2 appeared at the event where Apple revealed the iPhone 6 and iPhone 6 plus, nobody thought much of it. But apathy soon turned to anger when shortly afterwards it was discovered that every single person who has an iTunes account had been given the "gift" of a brand new U2 album, automatically downloaded without the user even being asked.

The outcry saw Apple quickly react and produce a one click tool that allowed those annoyed by their unwanted present (everybody) to remove it from iTunes.

6. Phones 4U pledges to refund Apple iPhone 6 buyers after it goes under

In other Apple related news, those iPhone cultists ... we mean enthusiasts ... who rushed out to pre-order an iPhone 6 from Phones4U may find themselves disappointed. Why? Because after they handed over at least £500 to the high street retailer, Phones4U called in the administrators and is no longer able to guarantee that it'll be able to fulfil iPhone 6 pre-orders ... or give those who rushed to be one of the first to own an iPhone 6 their money back.

The company has pledged to refund customers "in full" for any iPhone 6 orders that have not yet been dispatched, although that decision may be affected by the administrators.

"Any orders that have not already been dispatched will be cancelled and any payments refunded to customers," said spokesman Robert White. To put this into perspective the collapse of Phones4U also puts 5,500 jobs at risk.

5. eBay hacked, criticised for slow response

While traditional brick and mortar might be struggling, at least buying things from the online giants is completely safe, right? Well, apparently not.

It seems online auction site eBay fell victim to cyber attacks this week, which may have seen cyber criminals make off with the personal details of millions of users. An eBay customer alerted the auction site to the attack on Wednesday, but the firm only addressed the compromise more than 12 hours later.

"It is unfortunate that eBay has once again found itself under fire for failing to respond adequately to a data breach incident," said Paul Ayers, vice president EMEA at Vormetric commenting on the issue. "To make matters worse, this latest report comes just a little too soon after attacks on its database and daughter site, Stubhub, which exposed user credentials."

4. Google Gmail users told to change passwords after five million accounts were compromised

Well, if you haven't used an online retailer recently, then you're safe from being the victim of computer hackers, right? Wrong again. Google has become the latest company to suffer an embarrassing security breach when Russian hackers released the user name and passwords of five million Gmail users.

The breach is serious because the Gmail password might unlock access to a range of Google features, including Google's Drive cloud service and even the mobile payment system, Google Wallet. Gmail users have been advised to change their passwords in order to stop hackers compromising other services.

3. The transition from Spine to Spine 2 - a success story or yet another NHS IT failure?

When it comes to happy pairings, government-run bodies and IT projects are up there with Henry VIII and Anne Boleyn. The NHS's huge NPfIT programme was described by MPs as the "worst and most expensive contracting fiasco in the history of the public sector". One of the few projects to emerge from the debacle with any credibility was Spine, version 2 of which was launched earlier this year.

Jon Payne, an engineer at software provider InterSystems who has been directly involved with the Spine 2 integration, says along with providing greater speed and flexibility, Spine 2 will also make it much easier for clinicians to access Summary Care Records.

"The best thing about Spine 2 is that it's the gateway to making things easier and more accessible to the broader NHS community and will enable tangible benefits to be delivered in a cost-effective and timely way," he said.

And according to Stuart McCaul, managing director of EMEA at Basho, the Spine 2 project "proves that the NHS can take on a large complex project". "The NHS has vertically integrated this project instead of outsourcing it - it's an amazing success," he added. Unusual.

2. Ellison steps aside as Oracle CEO

When one of the most prominent figures in the IT industry steps down it's big news, so the announcement that Oracle CEO Larry Ellison - who's led the firm since the 1970s - has decided to leave his position is likely to send shockwaves through the industry. But is he really going? Ellison will stay on at Oracle as executive chairman and CTO, while the CEO role will be split between Safra Catz and Mark Hurd.

"I'm going to continue doing what I've been doing over the last several years. They're going to continue what they've been doing over the last several years," Ellison said, suggesting very strongly that real change is not on the agenda.

"There will actually be no changes," echoed Catz. "No changes whatsoever." So that's clear then, but why are they doing it?

"In almost all cases, these co-CEO configurations are a jerry-rigged solution to a political problem," Jeffrey Sonnenfeld, a professor at Yale School of Management, told Reuters, suggesting that the object is merely to remove the aging Ellison from the shop window.

1. Warning over government IT systems should Scotland vote for independence

Perhaps it was inevitable in the week leading up to the Scottish independence referendum that a story focusing on that country was Computing's most popular article over the last seven days.

With the No campaign eventually securing a victory by 55 per cent to 45 per cent, the issue has been consigned to the history books, at least for now, but that doesn't mean the IT industry wasn't thinking of what might have been. An independent Scotland would have involved removing a number of IT contracts from the authority of Westminster. Indeed it was possible the entirety of Scottish IT infrastructure could be completely shaken up, at an estimated cost of £1bn.

"We're planning for both scenarios. We've got a big presence up in Scotland. We've got to plan either way," said Andy Isherwood, HP's managing director for the UK and Ireland.

The biggest challenge would perhaps have been in the Department for Work and Pensions (DWP), which is midway through a major project intended to deliver Universal Credit (UC), one of the coalition government's biggest IT projects. Given the ongoing problems surrounding UC IT, it's probably better for everyone concerned that independence didn't throw yet another spanner in the works.

EBay has become the victim of a cross-site scripting attack, which sent some of its users to a malicious website designed to steal their credentials.

An eBay customer alerted the auction site to the attack on Wednesday, but the BBC claims that the firm only addressed the compromise after it called to check on the issue more than 12 hours later. This incident follows an eBay database breach in May and a scam affecting its StubHub website in July.

Paul Ayers, vice president EMEA at Vormetric, said: "It is unfortunate that eBay has once again found itself under fire for failing to respond adequately to a data breach incident. To make matters worse, this latest report comes just a little too soon after attacks on its database and daughter site, Stubhub, which exposed user credentials."

"Data is becoming an increasingly valuable currency, and hackers are becoming sneakier in their quest to steal it. For businesses, this has greatly increased the risk of reputational damage and called for a step change in current data security policies, particularly as consumers are rapidly losing patience with those who cannot safeguard their private information. For eBay, this hat-trick of security incidents will surely do the company no favours in terms of restoring and maintaining consumer confidence.

"In this day and age, businesses of all sizes need adequate security intelligence mechanisms in place to monitor all activity across their networks, so that they can spot any suspicious activity and stop hackers in their tracks. As has been shown, hackers will find one way or another to get access to data. As a result, encryption of sensitive data, regardless of where it resides, is the only way to ensure that it remains illegible and essentially useless if, or when, it falls into the hands of cybercriminals. Had appropriate lessons been learned from the previous breaches, this might have played out differently.
As it stands, this incident serves as yet another example of why a different approach to data security – one that is proactive rather than reactive – is so urgently required."

Security technology used to be seen as a business burden like tax, but the perception of it has shifted to such an extent that budgeting for proper protection against cyber threats is now viewed as a business enabler. That's according to Alan Kessler, CEO of data security and encryption solution provider Vormetric, who made the comments in an interview with Computing. Kessler argued that one of the main reasons behind the shift in perception is the uptake of enterprise cloud computing. "It's largely motivated by organisations that are embracing new models of computing, in particular what's happening with cloud computing," he said, going on to suggest security solutions were seen as something organisations were "forced" to invest in. "Security technology has traditionally been viewed as a tax; nobody wants to pay the tax, they're paying the tax because someone or something is forcing them to do it." However, Kessler told Computing that through the use of the correct security technology, organisations are able to reap benefits from deploying cloud-based software. "But with cloud computing, for the first time, the economics are such that you can save so much money and gain flexibility and advantage by moving to the cloud that security is no longer a tax, it's an enabler," he said. "It can help make something positive happen by employing the right technology – like encryption – that you can bring with you to the cloud and help you advance the business or organisation forward," Kessler added. Encryption is a key word for Vormetric, with the firm offering customers the opportunity to "bring their own encryption" (BYOE), allowing them to take advantage of the benefits of cloud services, but use a product to encrypt sensitive data stored within it, thus reducing the probability of potential data loss should the cloud provider's servers be breached.
Kessler told Computing that BYOE has therefore been popular with existing customers who want to take advantage of the flexibility offered by cloud, while ensuring that data remains secure. "Often they may have traditionally started with us with protected information in their four walls, they may have had compliance mandates to protect data in their networks," he said. "Now they want to move their data into the cloud and they want to use technology they trust with a single management point of control for that information," Kessler continued. "They can bring their own encryption, use the same management tools to control the data in someone else's cloud infrastructure as well as on their own premise." When Computing asked if cloud providers such as Google, Amazon and Apple – the latter recently involved in a breach which saw celebrities' private photos exposed – could be doing more to provide security, Kessler responded: "Certainly there's always more that your third-party vendor can do." However, he also suggested that perhaps it is more important for cloud providers to properly inform their users about what they do – and don't do – when it comes to storing and protecting the data of businesses or individuals. "I think for the big cloud providers, being clear about what they do and don't do is in itself a service. Because some individuals may presume certain levels of protection by moving information to a cloud provider," he said. "Yet having an appreciation of what they do and what they'll contractually obligate they do is something that should be understood," he concluded. Earlier this year, Vormetric research suggested fewer than one in 10 IT decision makers feel that their organisation is safe from "insider threats", with "privileged users" such as system or network administrators felt to be the biggest threat to the enterprise.
Fewer than one in 10 IT decision-makers feel that their organisation is safe from "insider threats", those who steal or leak information for personal gain, with "privileged users" such as system or network administrators felt to be the biggest threat....
Large enterprises are not doing enough to detect and address insider threats, a survey of more than 700 IT security decision-makers has revealed. Less than a third of respondents said they block privileged user access to data to mitigate insider attacks, according to the 2013 insider threat study by security firm Vormetric and the Enterprise Strategy Group. This means 73% of organisations polled are failing to block privileged user access to sensitive data, which is a proven method of reducing the insider threat to data security. However, two-thirds use perimeter-focused network intrusion detection and prevention tools for this purpose, although the tools are designed to protect from external threats, not internal. More than half said they use network traffic monitoring to identify and prevent data breaches. “While IT decision-makers are concerned about insider threats and data breaches, they tend to rely on perimeter and network security tools, rather than securing the data at its source,” said Jon Oltsik, senior principal analyst at Enterprise Strategy Group. “This research highlights that large organisations need to switch to data-centric security strategy to prevent and detect insider threats,” he said. The study showed that more forward-looking and sophisticated organisations are using technology approaches that are proven protections against malicious insiders and malware attacks that compromise insider credentials. But these were in the minority, with only 40% monitoring privileged user activities, 48% reviewing sensitive data access only monthly, and 76% unable to detect unauthorised data access in real time. However, the study shows attitudes are changing, with 45% saying that Edward Snowden’s revelations about US internet surveillance have caused them to be more aware of insider threats.
Some 53% said they are increasing their security budgets to offset the problem in the next year, with 78% either using or planning to use data encryption and 70% using or planning to use data access controls. “It is clear that organisations of all kinds are concerned with securing access to sensitive data,” said Alan Kessler, CEO of Vormetric. “While many of the respondents are using more of the right security technologies and tools to help reduce their attack surface, a much larger group is falling short in taking the additional step to protect from insider threats and thwart attacks that steal insider credentials,” he said.
New data from a Vormetric study shows that many organizations do not restrict the actions that a privileged user can take on a network. One of the biggest data breaches of all time was carried out not by a malicious external actor, but by IT contractor Edward Snowden, who was able to take privileged information from the National Security Agency (NSA).

The fact that Snowden had access is not a unique problem for the NSA, according to a new study sponsored by security firm Vormetric. "One of the big revelations in the survey is that 73 percent of respondents said they don't block privileged users from access to sensitive data," Vormetric CEO Alan Kessler told eWEEK. The Vormetric-sponsored study was conducted by Enterprise Strategy Group and surveyed 700 IT security decision makers. Fifty-four percent of the survey respondents also indicated that it is now more difficult to protect against an insider threat than it was two years ago. There are several reasons for this, according to Kessler, among them being the growing use of cloud computing and virtualization. Contractors are also a particular challenge. Kessler noted that Snowden was a contractor and he had tremendous access to data. "The fundamental problem is that the folks that have access to manage an internal system have incredible amounts of privileges," Kessler said. He added that system administrators need to have privileged access to be able to manage servers and big data stores. "However, very few organizations realize that they can keep privileged users from seeing data and still allow them to do their job," Kessler said. The growing use of the cloud exacerbates the issue of privileged users. Kessler noted that when an enterprise puts its workloads in the cloud, those same privileged users can also see data and can potentially do damage.

Role-Based Access Control

The idea of role-based access control (RBAC) is one that has existed for decades in IT and still serves a core role in security information.
The new European Union regulation requiring mandatory personal data breach disclosures by telecoms operators and internet service providers (ISPs) comes into force on Sunday 25 August 2013. The new regulation builds out the security breach provisions for telecoms providers and ISPs introduced into EU law in 2009 through the E-Privacy Directive 2009/136/EC. From 25 August, all EU telcos and ISPs will be required to notify national authorities of any theft, loss or unauthorised access to personal customer data, including emails, calling data and IP addresses. Details concerning any incident, including the timing and circumstances of the breach, nature and content of the data involved, and likely consequences of the breach, must be reported. “Controversially, the regulation requires breach notification to national regulators within 24 hours of detection, subject to a "feasibility" request,” said Stewart Room, privacy and information partner at law firm Field Fisher Waterhouse. “In other words, this looks very similar to the approach that the European Commission initially proposed within the draft Data Protection Regulation 2012, which has been almost universally condemned as unworkable, unhelpful and unnecessary. It is hard to detect a substantive logic to this measure and, in more practical terms, it is hard to see why such rapid disclosure is needed,” he said. The new regulation also requires telcos and ISPs reporting breaches to detail measures taken to address the breach within three days.

Regulation highlights importance of data security

This regulation comes into effect ahead of the broader Draft Data Protection Regulation, which will require a similar response from all businesses that handle personal data, not just telcos and ISPs.
Paul Ayers, vice-president for Europe at enterprise data security firm Vormetric, said that while the revised E-Privacy Directive applies only to telecoms and internet service providers, it sets the tone for dealing with data breach incidents for all businesses. “This should act as a warning shot to all organisations processing personal data, as under the forthcoming regulation, they too will shortly have to follow similar rules,” he said. Multinational companies will have to be particularly mindful of the fact that member states will enforce the terms of the regulation differently, and they will have to meet the particular requirements in all member states where they have operations, said Ayers. “The advent of this latest amendment serves as an important reminder of the need to take the security of data seriously,” he said. According to Ayers, the string of data breaches hitting the headlines suggests that it is not a case of if, but when a business will suffer at the hands of hackers or insider threats. “It is only by taking steps to implement policies and technology solutions that are simple and powerful enough to adapt to regional compliance variations – and by ensuring that data is sufficiently obfuscated in the event of a breach – that organisations will be able to shield themselves from the financial and reputational penalties at stake,” he said.

Pitfalls of mandatory data breach notification

Information Commissioner Christopher Graham used his keynote speech at Infosecurity Europe 2012 to sound a warning against the introduction of mandatory data breach notification requirements for all companies. He argued that if mandatory disclosure were introduced, as proposed in new draft EU regulations currently under consideration, the Information Commissioner’s Office (ICO) would be “buried” under a deluge of breach notifications.
Graham said the ICO needs to be “selective to be effective”, and the current system of voluntary breach disclosure works well because companies know they are less likely to be punished if they are open about breaches, rather than trying to cover them up. “They know that they will be dealt with more severely if they attempt to conceal a breach,” he said.