Date: Thursday, 25 June 2020
Date: Thursday, 18 June 2020
Date: Friday May 8 2020
I had an earworm this morning, Ian Dury and the Blockheads' 1979 hit “Reasons to be Cheerful, Part 3.” By coincidence it reached number 3 in the UK charts back then. It might be a somewhat tenuous link but it did get me thinking about nShield customers and why they might have reasons to be cheerful!
In the enterprise domain many of our customers want to develop highly scalable applications using modern tools and techniques. Web services are one such area: given the proliferation of the internet, web servers, client servers and associated infrastructure are now ubiquitous. For those unfamiliar with the terminology, web services are essentially a set of rules and technologies that enable two or more components (usually servers or appliances) on the web to talk to each other. These components talk to each other using a simple language or protocol called HTTP or HTTPS, where the S denotes secure. Many web pages are now delivered by default by Google, Microsoft et al., using HTTPS. Want to see HTTP/HTTPS commands for yourself? Just go to your internet browser, open the top right pull-down menu, select developer tools, select the network tab and there you go: a stream of HTTP/HTTPS commands is visible, handling calls to the site hosting the web service. Every click you make on a browser initiates this traffic.
In addition to web services, another useful concept has been embraced by the IT community. These are called REST or REST APIs where REST stands for REpresentational State Transfer. In brief, REST enforces good behaviour when appliances, network servers, clients and other entities (collectively called resources) interact. Importantly REST uses HTTPS to communicate. State transfer relates to the servers, appliances or resources. It means that the HTTPS payload going from one server to another doesn’t need to have pre-existing knowledge of its destination. The payload contains all the information it needs to be sent to any relevant resource. This is handy because if one resource is busy, the payload can be redirected elsewhere.
So returning to the main topic…reasons to be cheerful. nCipher has launched the latest version of its Web Services Option Pack (WSOP), a plug-in for use with nShield hardware security modules (HSMs) and Security World Software. Customers who want to deploy an HSM in a web services environment should consider the following cheerful reasons to adopt WSOP:
Reason 1: Typically, HSM deployments require proprietary software to be installed on the application server to allow them to communicate with the HSM. The software footprint requirement doesn’t lend itself particularly well to dynamic and highly scalable environments where customers don’t want application servers to be reliant on proprietary code, drivers etc. By embracing web services and REST, WSOP negates the need for an application server software footprint. With WSOP, any number or type of application servers can communicate seamlessly with the HSM using simple HTTP commands.
Reason 2: I mentioned earlier that the HTTP payload doesn’t need to have pre-existing knowledge of its destination. This is useful when it comes to managing a pool of HSMs and distributing the workload evenly. Customers may want to make use of their own off-the-shelf load balancing appliances. These are designed to consume HTTP traffic and are therefore ideal for managing the workload on a pool of back end resources. With WSOP in conjunction with nShield HSMs you can now do that.
Reason 3: Application servers generally communicate with HSMs using APIs such as PKCS#11, MSCAPI and Java JCE. Typically, you require crypto expertise to develop/integrate with these APIs. Customers ideally want something more intuitive, a solution that doesn’t require expert API programming knowledge. By adopting WSOP with your nShield HSM deployment you can generate keys and carry out simple crypto operations such as sign, verify, encrypt and decrypt using the universal HTTP protocol. Its simple, straightforward syntax means you won’t need to tie up your crypto experts learning how to program securely with complex APIs.
So back to Ian Dury’s song, Reasons to be Cheerful, Part 3. We’ve found three good reasons to consider deploying nCipher’s Web Services Option Pack in conjunction with an nShield HSM infrastructure!
Download the datasheet to learn more about the nShield Web Services Option Pack and visit our dedicated cloud security landing page here. You can also follow nCipher on Twitter, LinkedIn, and Facebook.
Containerization is the architectural model of choice in forward-thinking cloud and enterprise deployments for those seeking the benefits containers offer in terms of scaling, flexibility and orchestration. Using small, well-defined, isolated functional blocks of code, containers are the virtualized antithesis of the traditional large monolithic software application of yesteryear, but they lend themselves well to the new dynamic, scalable world of today.
However, many organizations and their developers, while keen to embrace the bright new world of containerization, have yet to actually cut their teeth in developing and deploying containers. For some of these developers the barrier may be how to port legacy applications – particularly those tightly integrated with a hardware security module (HSM), a tamper-resistant hardware product designed to create and use cryptographic keys in a robust secure environment. In these deployments the developers appreciate the role of the HSM in securely handling cryptographic transactions in their legacy application but are unsure how to go about porting that into a containerized world. It feels like a technically challenging pain that they could do without!
Another barrier may be for developers working with containerized applications who appreciate the benefits of implementing security cryptographic operations in hardware but are unfamiliar with the complexities of high assurance HSM integration. For them the problem is how do they go about integrating their containerized application with an HSM? How can they design it to flex and scale as their dynamic containerized apps are spun up and torn down? Additionally, let’s not forget the time constraints. Can this be done in a timely fashion without spending months noodling around trying to figure it out?
The nShield Container Option Pack (nCOP) was introduced in January 2020 by nCipher to help to break down these adoption barriers. It provides a proven, scalable, dynamic, on-premises or cloud-ready architecture delivered by a set of scripts which delivers a robust, seamless integration of nShield HSMs with containerized apps.
Are you a developer working on a new containerized project, where small well defined applications or micro services are in play? Perhaps you are in the IoT space, smart metering, technology, healthcare or financial sector? If so, consider using the nShield Container Option Pack in conjunction with nShield HSMs. It will get you up and running quickly using FIPS 140-2 and Common Criteria certified HSMs while providing unlimited dynamic support for your containerized applications.
Download the datasheet to learn more about the nShield Container Option Pack and visit nCipher’s dedicated cloud security landing page here. You can also follow nCipher on Twitter, LinkedIn, and Facebook.
Many of us take planes, trains and automobiles. We don’t have to be hydraulic specialists, railroad engineers or car mechanics to use these modes of transportation. But it doesn’t hurt to know how to navigate an airport and read a train schedule or understand the rules of the road.
Of course, today our journeys aren’t always in the physical world. When we want to go somewhere or do something, we often do it online.
Understanding how to navigate and stay safe in the virtual world is critical. In the physical world, we protect ourselves with safety methods, for example, by buckling our seatbelts and standardizing airbags. In the digital world, we need to safeguard our data, devices and privacy from vulnerabilities.
You don’t need me to tell you the importance of cybersecurity. Data breaches, ransomware and other online security events are in the news almost daily. That is why encryption is one of the strongest and most effective ways to protect critical data.
But encryption is a fairly new concept to many individuals and organizations. We wanted to understand just how much Americans understand about encryption. So, we fielded a survey of 1,000 U.S. adults to find out. Here’s a snapshot of what we discovered.
Most Americans correctly identified the definition of encryption
More than 72% of the survey group was able to select the right definition of encryption.
The right definition is that encryption “means making data unreadable to anyone other than those holding the encryption key.”
However, the rest of the group either selected one of the two wrong answers or said they had no idea what the correct answer was.
Even more said that encryption – in general and related to cloud – is important
Additionally, more than 87% of the survey group said that encryption is important. And more than half said they understand that their private data is safe in the cloud if it is encrypted.
That is encouraging, especially given the expanding threat landscape. As more applications and endpoints go online, cybersecurity becomes an even greater challenge.
Just look at where things are going. Gartner expects the public cloud services market to grow to $266.4 billion by the end of this year. Forrester thinks the public cloud market will grow to $411 billion by 2022, and 451 Research says nearly 14 billion IoT devices could be online by 2024.
But many appeared uncertain about who can and should encrypt what and how it works
Only a little more than half the survey group (53.3%) understand that individual consumers can encrypt their own personal data. Nearly a third (32%) said they didn’t know if consumers can do so. And 14.7% incorrectly answered that individuals cannot encrypt their own personal data.
That suggests that businesses and government must work to educate consumers about encryption. The upside is that some already are doing that. For example, nCipher, an Entrust Datacard company, has sponsored this survey, and we regularly write and speak about encryption. In addition, the U.S. Federal Trade Commission advises members of the public to use encryption to keep their personal information secure.
When asked why people and companies encrypt data, however, fewer than half of our survey group answered correctly. Slightly more than 47% rightly said that individuals and organizations use encryption to keep data secure until it’s unencrypted. Even fewer were able to correctly identify cryptographic keys when provided with a series of answers. Just 45.9% correctly identified cryptographic keys as a series of codes needed to unlock encryption.
Nonetheless, most understand the case for using encryption to protect their finances
More than half of the survey group indicated that they understand that encryption can be used to secure online banking (55.7%) and financial information (52.6%). Forty-six percent said it can be used to secure mobile payments. And more than 42% said it can safeguard mobile wallets. That is encouraging, since financial gain is the most common driver of data breaches. The 2019 Verizon Data Breach Investigations Report said 71% of breaches are financially motivated.
That explains why financial institutions encourage their customers to use encryption. This Bank of America FAQ page is one example of that. It talks about how encryption works to secure online banking, financial information and mobile payments.
Consumers apparently want their financial services companies to use encryption, too. More than half (54.9%) of the survey group said they place the highest trust in the financial services sector to encrypt their data. The health care industry (38.7%), the technology vertical (36.1%) and the public sector (30%) ranked next on the “most trusted to encrypt your data” list.
Still, plenty of confusion exists, and many people would like more certainty
However, there appears to be a fair share of confusion as to which applications encryption can secure. There are lots of them, including blockchain, cloud, digital payments, and IoT.
Nearly 40% of Americans misunderstand what encryption is. Survey results suggest this group either thinks encryption means you have to enter a password before you can unlock data or that it occurs when you’ve installed an antivirus system on your computer.
Yet, as more breaches occur and more connected endpoints join the fray, more people are becoming aware of the need to use encryption to secure their data and devices. And they’re wanting more certainty related to encryption and cybersecurity.
A proof point of the need for greater certainty is the fact that 74.3% of survey participants said they would feel very or somewhat safe that their private information was secure if they knew it was given a formal seal of encryption, while 47.9% said they would trust a company that used a formal seal of encryption.
Such certification could be in our collective future. And proven encryption solutions exist today.
People and organizations wanting to protect their enterprise infrastructure, network communications and sensitive data against threats should get onboard with encryption today.
nCipher’s nShield XC hardware security modules (HSMs) have received Common Criteria EAL4+ certification. This certification confirms that nShield HSMs meet the requirements of the European Union’s electronic Identification, Authentication and Trust Services (eIDAS) regulation.
With this Common Criteria certification, service providers who issue digital certificates, time stamps, or digital signatures can use nShield HSMs as a part of eIDAS compliant solutions.
In addition to their eIDAS and Common Criteria certifications, nCipher nShield HSMs are certified to FIPS 140-2 Level 2 and Level 3, a standard defined by the US National Institute of Standards and Technology (NIST) and the most widely adopted security benchmark for cryptographic solutions in government and commercial enterprises.
Earlier this year, nCipher also announced its nShield HSMs had enabled Red Hat, a leading provider of open source solutions, to achieve Common Criteria validation for its Red Hat Certificate System. To obtain its Common Criteria certification, Red Hat was required to protect critical root CA keys with FIPS 140-2 Level 3 certified hardware. A long-standing nCipher partner, Red Hat used the nShield HSM to meet this requirement and provide a root of trust.
To learn more about the Common Criteria EAL 4+ certification, please see the official press release. For a comprehensive overview of how nCipher helps organizations meet legal and compliance standards, check out nCipher’s dedicated landing page and stay tuned for an upcoming blog post.
Autonomous vehicles. Cloud computing. Connected medicine. Data breaches.
These inventions, use cases and challenges have been key tech topics for several years now. And all of the above are poised to undergo significant change in the year ahead.
These likely changes are driven by a combination of recent learnings, technological advancements and better organization. And that’s mostly – but not all – good.
So, what can we expect in these important areas in 2020? Here are my predictions.
The road ahead for autonomous cars becomes longer and more limited
If you think vehicles that drive themselves sound like science fiction, you’re not alone. Many of us still think that autonomous cars sound pretty far out. And, in a sense, they are.
As we all know, autonomous vehicles exist in the real world today. However, that doesn’t mean we’ll see them out in force on Main Street any time soon. Instead, the majority of autonomous vehicles successfully coming to market will have a narrow scope and reach.
Figuring out how to safely put autonomous vehicles on the road is a huge challenge. So, it’s understandable that such efforts might hit a few bumps in the road. But autonomous vehicles have faced much bigger problems than anticipated, including a fatal collision.
As a result, autonomous vehicles are much further out than initially predicted. Because of that, we’ll see a shift in how they’re used. They’ll be limited to certain routes, at certain speeds and used only for set distances. Much like a ski shuttle, they’ll be on a very specific track and tasked only with a small set of responsibilities.
The Boomerang effect drives greater multi-cloud, multi-deployment adoption
IDC estimates worldwide public cloud spending of $229 billion this year and nearly $500 billion in 2023. And a Gartner survey indicates 81% of public cloud users work with two or more providers. But the firm advises enterprises against jumping straight from on-premises to multicloud. Nuances between platforms make it difficult to build services in more than one, it says, so businesses should go slow to give in-house staff time to climb the learning curve.
I expect to see greater multicloud adoption in the year ahead, despite challenges. But I also believe 2020 will bring a greater focus on technologies that cater to on-premises and private cloud environments in addition to public ones. We can credit that to the boomerang effect.
Just a couple years ago many organizations were planning to go 100% public cloud. And, in some cases, these businesses moved a number of their applications to the cloud. During that process, many discovered that the public cloud didn’t always meet all of their needs. Security issues, having to rewrite applications and other challenges brought about this realization. As a result, certain apps boomeranged back to on-premises deployments.
Nowadays, organizations are increasingly embracing multi-cloud, multi-deployment environments. They’re deploying applications because they offer the best technology, and because they’re secure – regardless of whether they’re on-premises or in the cloud.
It’s my opinion that we will continue to see a rise in business applications that mimic cloud environments – even if they technically don’t fall under the public cloud umbrella. Organizations will build infrastructure and architect in a way that allows them to stretch and expand applications, and turn on and turn off workloads. These environments will look strikingly similar to the public cloud but will be built on-premises or in a private cloud.
Connected medicine makes more house calls
A few years ago, WIRED published an article titled “Healthcare 2020: The e-Doctor Will See You Now.” It noted the likely decrease of paper-based processes in the medical profession. It said patients would take greater control of their health care over time. And it noted that wearables would monitor the health of patients, wherever they might be.
These trends have already emerged to some extent. Look for them to become even more prevalent in the year ahead.
In 2020, we’ll see large medical devices, like breathing machines, that have traditionally been available only in medical facilities, make their way into homes. These devices will be smaller, internet-connected and available for at-home use because they are network-attached. Being able to access these machines at home will save both the medical industry and consumers time and money. They also hold the potential to improve health and save lives.
Data breaches continue to be a major challenge
More connected devices and migration of personal data to connected systems also increase risk. That’s why 2020 will see just as many – if not more – data breaches than 2019’s tally.
Criminals have come to realize that data breaches are a potential cash cow. Consequently, we’ve gone from the lone hacker to organized criminal conglomerates seeking out personally identifiable information (PII).
Medical data, which provides a valuable treasure trove of information, is particularly attractive to bad actors. Reports indicate full medical records can bring up to $1,000 on the dark web. That’s far more than just credit card information or social security numbers alone. Unauthorized parties can get to medical records by hacking wearable and implanted devices to forge a path to a health system with patients’ electronic health records.
There are several other factors adding to the tenuousness of the overall cybersecurity challenge. They include human error and businesses struggling to find the balance between “just enough” and “too much” security.
Organizations need security and privacy controls, but not so many that they drive away consumers. Finding that sweet spot is a challenge. Those organizations that err on the side of too little security will find themselves in the data breach crosshairs in the year ahead.
2020 will be one for the history books.
On Jan. 1, the California Consumer Privacy Act (CCPA) will take effect.
Some are calling this law California’s version of the European Union’s General Data Protection Regulation (GDPR). But, while it comes in the wake of GDPR, CCPA itself is considered a ground-breaking development. CCPA is the nation’s first statewide data privacy law. And it could very well set the direction for the rest of the United States.
Consumers Need to Take Action for CCPA to Work
CCPA was enacted in light of high-profile events involving the exposure and misuse of consumer data. That included hacks and the Facebook-Cambridge Analytica scandal. In the latter case, the research firm used consumers’ Facebook profile data to target voters in the 2016 U.S. election.
These disturbing events prompted citizens and politicians to call for laws giving people greater control of their personal data. And California’s elected officials delivered.
Under CCPA, California residents can demand that companies disclose what data those organizations have collected about them. They can request that companies delete their personal data and expect them to do so. And they can forbid companies from sharing their personal data with third parties.
The onus is on consumers to act, but businesses need to be ready to respond.
Businesses must be prepared to field data requests
Businesses that fail to comply stand to face significant CCPA fines. Each intentional violation is punishable with a $7,500 fine. Non-intentional violations cost $2,500 each. And there’s a civil damages cost of $750 per affected user.
CCPA as it now stands applies to organizations that have annual gross revenues of $25 million or more, interact with data on more than 50,000 California consumers each year, and/or make more than half of their revenue selling consumer data. Out-of-state businesses that sell to California residents or display a website in the Golden State are covered by the CCPA, too.
If that includes your business, act fast, but don’t panic. The good news is there’s a six-month grace period before CCPA enforcement kicks in.
Americans say encryption is the best way to protect personal data
In an effort to better understand consumer views about cybersecurity and privacy on the eve of the CCPA’s debut, we did a survey. It involved gathering feedback from 1,025 Americans.
Nearly a quarter (23%) of our survey group told us that encryption is the best form of security an organization can use to protect personal data. Almost 19% said they don’t know what is the most effective way for organizations to protect consumer information. Firewall was the third most popular response to our question about the best form of security an organization can use to protect personal data; it got 17% of the vote.
Meanwhile, 11% of Americans said a unique password. About the same share said antivirus solutions are the best method. And slightly less than 7% said nothing can protect personal data.
Passwords are also helpful, but related behaviors and opinions are mixed
Good digital hygiene has been the topic of an array of media reports in recent years. Password creation and change are often key themes of these cybersecurity and personal data privacy conversations. But expert opinions on these subjects vary. And actual consumer behavior related to password creation and change frequency is mixed.
Including the current year, or personal information such as birthdates and names, in passwords is not ideal. It makes it easier for bad actors to guess your password. Yet many of us do that anyway. It helps us recall the array of passwords we need to remember.
We asked survey participants if they have ever included the current year (2019) when setting up a new password. About 69% said no. But a quarter said yes, and the rest said sometimes.
As for password change frequency, 28% of Americans said they update their passwords a couple of times annually. Less than a quarter (24%) said they do it once a month or more. About a fifth (19%) update their passwords every other month. Eleven percent do it less than once a year. And 10% admitted that they don’t update their passwords at all.
But one thing is certain – the CCPA will drive change in the year ahead
Many people consider the new year as a unique opportunity for improvement. So, we also asked Americans about their password- and personal data security-related plans for next year.
The vast majority – 72% – said they will update passwords and practice better personal security habits in the year ahead. Only 15% said they do not plan to improve on these fronts. And just 13% said they don’t think they’ll update passwords or practice better security in 2020.
Also, 47% admitted they currently don’t know or are not aware of their online privacy rights. But many Americans clearly care about data privacy. Thirty-one percent told us they have stopped using online services from companies including Amazon, Apple, Facebook, Google, Instagram and LinkedIn as a result of their personal data concerns.
Very soon, consumers in California will have a lot more power over their personal data. Media and privacy advocacy groups are likely to help educate the public about those rights. So, a broader share of Californians, and other Americans, will become more informed on this issue.
That gives businesses another incentive to employ cyber and personal data security solutions. Organizations that invest in advanced credentialing, encryption, public key infrastructure, and tokenization will be much better positioned to comply with the CCPA, meet customer expectations, and protect their reputations and revenues in 2020 and beyond.
Date: Wednesday, Oct 24
Time: 11:00 AM EST
nCipher Security’s nShield sales team provided excellent local and remote support during this evaluation period and was invaluable to the process. The excellent depth, breadth and quality of the product documentation gave us confidence that the solution was well thought-out and supported. Robert Fairlie-Cuninghame, QAI technical lead/architect, Memjet
We know the nShield Solo; it’s a foundational component of the system. The system is successful, and it’s been a positive experience working with the nCipher team and its nShield HSM, allowing us to achieve a short time to market and to recover our costs. Gianni Sandrucci, Chief Executive Officer, itAgile
As a global payment solutions and commerce enablement leader, Verifone’s strategy is to develop and deploy “best in class” payment solutions and services that meet or exceed global security standards and help our clients securely accept electronic payments across all channels of commerce. We selected nCipher HSMs to provide robust security, unmatched performance and superior scalability across our payment security platforms, protecting encryption keys from virtually any attack. This helps Verifone to continue reducing merchants’ growing exposure to data breaches and cyber criminals and more aggressively safeguard consumer information… Joe Majka, Chief Security Officer
With our extended experience of relying on nCipher for HSM solutions, when it came to selecting the right component for PassBy[ME] Mobile ID we didn’t need to look at other vendors; nCipher HSMs always deliver the highest level of trust. Dr. Sándor Szöke, Deputy Director of eIDAS Trust Services, Microsec
We have a long history together and we’re extremely comfortable continuing to rely on nCipher solutions for the core of our business. We have used nCipher HSMs for five years and they have always been exceptionally reliable. We’ve layered a lot of code on top of the HSM; it delivers the performance we need and has proven to be a rock-solid foundation. Neal Harris, Security Engineering Manager, Square, Inc
nCipher Security has given us a beautiful solution around which we’ve developed our own software; equipping us with the ability to offer our customers a truly compelling value proposition. We have found nCipher nShield Connect to be far more secure and friendly to use than competing solutions. It perfectly meets our needs. Evgeny Vigovsky, COO and CTO, Saifu
The unit cost and performance of nShield enable us to offer a commodity-priced device that is simple enough for even the most technically-adverse merchant to understand and operate. Trust, integrity and security are the foundations of our company, and nCipher helps us to achieve those goals. Julia Wolkerstorfer, Marketing Manager at A-Trust
Our nCipher HSMs protect our encryption keys, safeguarding customer data from breaches. Just as importantly, it helped make achieving PCI DSS compliance far easier and more cost-effective. With the nCipher HSMs, we can easily protect, manage, and rotate encryption keys, enabling PCI DSS compliance without the need for time-consuming manual controls. Terry Mainiero, Follett Higher Education Group
The move from paper-based to electronic invoicing has proved a great success. There was tight cooperation between our system integrator SETCCE and nCipher and their combined knowledge and experience in this specialist area delivered an ideal solution. The service meets all legislative requirements, provides a better level of service and more flexibility for our subscribers. This gives us an important competitive edge. Bostjan Zaversek, Financial Manager for Si.mobil-Vodafone
Piracy is a problem generally associated with digital content and no less so in the film industry where it is an enormous concern for both studios and distributors who lose billions of dollars each year when films are illegally copied and distributed. The encryption and decryption of content is not a major challenge, however the handling and management of security keys by both the cinema and content owners is. nCipher is an expert in encryption key management and the protection of content and intellectual property, its products offer high levels of assurance and operational efficiency and have enabled Qube to develop an online digital… Rajesh Ramachandran, President and CTO
Modernization of clinical trials is a key initiative for both the pharma industry and global regulatory agencies. In an industry with a 20-year patent cliff – SureClinical’s technology accelerates speed to market and saves companies hundreds of thousands of dollars in shipping costs, maximizing return on investment for new drug therapy investments. The adoption of this technology would be out of the question if it didn’t meet the trust and security requirements mandated by regulatory agencies and the industry. Thales was the only company that was able to provide the assurance and strong cryptographic technology that met both the needs of… Zack Schmidt, President at SureClinical