nCipher Security achieves Common Criteria EAL4+ certification

nCipher’s nShield XC hardware security modules (HSMs) have received Common Criteria EAL4+ certification. This certification confirms that nShield HSMs meet the requirements of the European Union’s electronic Identification, Authentication and Trust Services (eIDAS) regulation.

With this Common Criteria certification, service providers who issue digital certificates, time stamps, or digital signatures can use nShield HSMs as a part of eIDAS compliant solutions.

In addition to their eIDAS and Common Criteria certifications, nCipher nShield HSMs are certified to FIPS 140-2 Level 2 and Level 3, a standard defined by the US National Institute of Standards and Technology (NIST) and the most widely adopted security benchmark for cryptographic solutions in government and commercial enterprises.

Earlier this year, nCipher also announced its nShield HSMs had enabled Red Hat, a leading provider of open source solutions, to achieve Common Criteria validation for its Red Hat Certificate System. To obtain its Common Criteria certification, Red Hat was required to protect critical root CA keys with FIPS 140-2 Level 3 certified hardware. A long-standing nCipher partner, Red Hat used the nShield HSM to meet this requirement and provide a root of trust.

To learn more about the Common Criteria EAL4+ certification, please see the official press release. For a comprehensive overview of how nCipher helps organizations meet legal and compliance standards, check out nCipher’s dedicated landing page and stay tuned for an upcoming blog post.

2020 Predictions: What’s next for the cloud, connected cars and medicine, and cybersecurity

Peter Galvin | Chief Strategy Officer

Autonomous vehicles. Cloud computing. Connected medicine. Data breaches.

These inventions, use cases and challenges have been key tech topics for several years now. And all of the above are poised to undergo significant change in the year ahead.

These likely changes are driven by a combination of recent learnings, technological advancements and better organization. And that’s mostly – but not all – good.

So, what can we expect in these important areas in 2020? Here are my predictions.

The road ahead for autonomous cars becomes longer and more limited

If you think vehicles that drive themselves sound like science fiction, you’re not alone. Many of us still think that autonomous cars sound pretty far out. And, in a sense, they are.

As we all know, autonomous vehicles exist in the real world today. However, that doesn’t mean we’ll see them out in force on Main Street any time soon. Instead, the majority of autonomous vehicles successfully coming to market will have a narrow scope and reach.

Figuring out how to safely put autonomous vehicles on the road is a huge challenge. So, it’s understandable that such efforts might hit a few bumps in the road. But autonomous vehicles have faced much bigger problems than anticipated, including a fatal collision.

As a result, autonomous vehicles are much further out than initially predicted. Because of that, we’ll see a shift in how they’re used. They’ll be limited to certain routes, at certain speeds and used only for set distances. Much like a ski shuttle, they’ll be on a very specific track and tasked only with a small set of responsibilities.

The Boomerang effect drives greater multi-cloud, multi-deployment adoption

IDC estimates worldwide public cloud spending of $229 billion this year and nearly $500 billion in 2023. And a Gartner survey indicates 81% of public cloud users work with two or more providers. But the firm advises enterprises against jumping straight from on-premises to multicloud. Nuances between platforms make it difficult to build services in more than one, it says, so businesses should go slow to give in-house staff time to climb the learning curve.

I expect to see greater multicloud adoption in the year ahead, despite challenges. But I also believe 2020 will bring a greater focus on technologies that cater to on-premises and private cloud environments in addition to public ones. We can credit that to the boomerang effect.

Just a couple years ago many organizations were planning to go 100% public cloud. And, in some cases, these businesses moved a number of their applications to the cloud. During that process, many discovered that the public cloud didn’t always meet all of their needs. Security issues, having to rewrite applications and other challenges brought about this realization. As a result, certain apps boomeranged back to on-premises deployments.

Nowadays, organizations are increasingly embracing multi-cloud, multi-deployment environments. They’re deploying applications because they offer the best technology, and because they’re secure – regardless of whether they’re on-premises or in the cloud.

It’s my opinion that we will continue to see a rise in business applications that mimic cloud environments – even if they technically don’t fall under the public cloud umbrella. Organizations will build infrastructure and architect in a way that allows them to stretch and expand applications, and turn on and turn off workloads. These environments will look strikingly similar to the public cloud but will be built on-premises or in a private cloud.

Connected medicine makes more house calls

A few years ago, WIRED published an article titled “Healthcare 2020: The e-Doctor Will See You Now.” It noted the likely decrease of paper-based processes in the medical profession. It said patients would take greater control of their health care over time. And it noted that wearables would monitor the health of patients, wherever they might be.

These trends have already emerged to some extent. Look for them to become even more prevalent in the year ahead.

In 2020, we’ll see large medical devices, like breathing machines, that have traditionally been available only in medical facilities, make their way into homes. These devices will be smaller, internet-connected and available for at-home use because they are network-attached. Being able to access these machines at home will save both the medical industry and consumers time and money. They also hold the potential to improve health and save lives.

Data breaches continue to be a major challenge

More connected devices and migration of personal data to connected systems also increase risk. That’s why 2020 will see just as many data breaches as 2019, if not more.

Criminals have come to realize that data breaches are a potential cash cow. Consequently, we’ve gone from the lone hacker to organized criminal conglomerates seeking out personally identifiable information (PII).

Medical data, which provides a valuable treasure trove of information, is particularly attractive to bad actors. Reports indicate full medical records can bring up to $1,000 on the dark web. That’s far more than just credit card information or social security numbers alone. Unauthorized parties can get to medical records by hacking wearable and implanted devices to forge a path to a health system with patients’ electronic health records.

There are several other factors adding to the tenuousness of the overall cybersecurity challenge. They include human error and businesses struggling to find the balance between “just enough” and “too much” security.

Organizations need security and privacy controls, but not so many that they drive away consumers. Finding that sweet spot is a challenge. Those organizations that err on the side of too little security will find themselves in the data breach crosshairs in the year ahead.

Visit nCipher’s website to learn more about our security solutions. You can also follow the company on Twitter, LinkedIn, and Facebook.

The clock is ticking on California’s Consumer Privacy Protection Act

Cindy Provin | SVP Entrust Datacard and General Manager, nCipher Security

2020 will be one for the history books.

On Jan. 1, the California Consumer Privacy Act (CCPA) will take effect.

Some are calling this law California’s version of the European Union’s General Data Protection Regulation (GDPR). But, while it comes in the wake of GDPR, CCPA itself is considered a ground-breaking development. CCPA is the nation’s first statewide data privacy law. And it could very well set the direction for the rest of the United States.

Consumers Need to Take Action for CCPA to Work

CCPA was enacted in light of high-profile events involving the exposure and misuse of consumer data. That included hacks and the Facebook-Cambridge Analytica scandal. In the latter case, the research firm used consumers’ Facebook profile data to target voters in the 2016 U.S. election.

These disturbing events prompted citizens and politicians to call for laws giving people greater control of their personal data. And California’s elected officials delivered.

Under CCPA, California residents can demand that companies disclose what data those organizations have collected about them. They can request that companies delete their personal data and expect them to do so. And they can forbid companies from sharing their personal data with third parties.

The onus is on consumers to act, but businesses need to be ready to respond.

Businesses must be prepared to field data requests

Businesses that fail to comply stand to face significant CCPA fines.

Each intentional violation is punishable with a $7,500 fine. Non-intentional violations cost $2,500 each. And civil damages cost $750 per affected user.

CCPA as it now stands applies to organizations that have annual gross revenues of $25 million or more, interact with data on more than 50,000 California consumers each year, and/or make more than half of their revenue selling consumer data. Out-of-state businesses that sell to California residents or display a website in the Golden State are covered by the CCPA, too.

If that includes your business, act fast, but don’t panic. The good news is there’s a six-month grace period before CCPA enforcement kicks in.

Americans say encryption is the best way to protect personal data

In an effort to better understand consumer views about cybersecurity and privacy on the eve of the CCPA’s debut, we did a survey. It involved gathering feedback from 1,025 Americans.

Nearly a quarter (23%) of our survey group told us that encryption is the best form of security an organization can use to protect personal data. Almost 19% said they don’t know what is the most effective way for organizations to protect consumer information. Firewall was the third most popular response to our question about the best form of security an organization can use to protect personal data; it got 17% of the vote.

Meanwhile, 11% of Americans said a unique password. About the same share said antivirus solutions are the best method. And slightly less than 7% said nothing can protect personal data.

Passwords are also helpful, but related behaviors and opinions are mixed

Good digital hygiene has been the topic of an array of media reports in recent years. Password creation and change are often key themes of these cybersecurity and personal data privacy conversations. But expert opinions on these subjects vary. And actual consumer behavior related to password creation and change frequency is mixed.

Including the current year, or personal information such as birthdates and names, in passwords is not ideal. It makes it easier for bad actors to guess your password. Yet many of us do that anyway. It helps us recall the array of passwords we need to remember.

We asked survey participants if they have ever included the current year (2019) when setting up a new password. About 69% said no. But a quarter said yes, and the rest said sometimes.

As for password change frequency, 28% of Americans said they update their passwords a couple of times annually. Less than a quarter (24%) said they do it once a month or more. About a fifth (19%) update their passwords every other month. Eleven percent do it less than once a year. And 10% admitted that they don’t update their passwords at all.

But one thing is certain – the CCPA will drive change in the year ahead

Many people consider the new year as a unique opportunity for improvement. So, we also asked Americans about their password- and personal data security-related plans for next year.

The vast majority – 72% – said they will update passwords and practice better personal security habits in the year ahead. Only 15% said they do not plan to improve on these fronts. And just 13% said they don’t think they’ll update passwords or practice better security in 2020.

Also, 47% admitted they currently don’t know or are not aware of their online privacy rights. But many Americans clearly care about data privacy. Thirty-one percent told us they have stopped using online services from companies including Amazon, Apple, Facebook, Google, Instagram and LinkedIn as a result of their personal data concerns.

Very soon, consumers in California will have a lot more power over their personal data. Media and privacy advocacy groups are likely to help educate the public about those rights. So, a broader share of Californians, and other Americans, will become more informed on this issue.

That gives businesses another incentive to employ cyber and personal data security solutions. Organizations that invest in advanced credentialing, encryption, public key infrastructure, and tokenization will be much better positioned to comply with the CCPA, meet customer expectations, and protect their reputations and revenues in 2020 and beyond.

For more information on security solutions, please visit nCipher’s website. You can also follow nCipher on Twitter, LinkedIn, and Facebook.

‘Where in the World is Peter Carlisle’: Around the world in 20 days (special edition)

nCipher: So what is this all about?

PC: In October 2019, we attempted something ambitious. We set out to run three channel partner conferences back-to-back covering our three major world-wide territories. The branding and the core content needed to be the same and the partner experience needed to be consistent. However, we had to leave enough space to allow for a regional flavour at each event.

The venues were:

EMEA: Amsterdam – APAC: Ho Chi Minh City – AMS: New Orleans

We chose venues based on accessibility for international travellers, choice of cultural activities and availability of suitable venues for the various aspects of the event.

Here are some of the headlines in terms of what we had to deliver across 12 days and on three continents:

  • We hosted 400 delegates from 55 countries and needed to help procure 108 visas for travel
  • We needed 1378 hotel nights for our guests who nibbled over 2500 canapés and ate over 3000 meals.
  • There were 35 main stage presentations, 102 workshops and 67 awards and prizes given out.

nCipher: Sounds complicated and a lot of work – why would you do this?

PC: Well, the channel is vital to the success of the nCipher business. You could say it is our life blood. All of our business in EMEA and APAC is done in partnership with the channel and over half of our AMS business is too. nCipher sells into 153 countries world-wide and we need the channel for their local relationships, cultural and local knowledge, export and import skills, regulatory compliance and language abilities. No matter how big I grow my sales team, I can never replicate the amazing network our channel brings to us.

nCipher: But did you have to do them all so close together?

PC: We wanted to do that so that the messaging could be 100% consistent at all three events in terms of company updates, product roadmaps, industry news and so forth.

nCipher: What makes a good channel partner conference?

PC: As someone once said - long after people have forgotten what you said or what you did, they will remember how you made them feel. A good conference needs to create a feeling of positivity that will survive in the delegates’ minds long after they have returned to their day jobs. In order to achieve this we focus on a few key deliverables: education, motivation, information and appreciation.

Getting that balance right means a lot of focus on honing the agenda so that it covers all of those areas. I have attended many events where I felt the balance was wrong and the opportunity to connect with the attendees got lost. A good event needs to flow and move along at a lively pace. No session should outstay its welcome and there needs to be variety to keep the delegates engaged. We move regularly from larger main stage sessions to smaller workshop sessions as that helps to keep energy levels up.

Messaging needs to be clear and any slideware highly visual. We are, after all, dealing with a wide range of nationalities at our events and English is not everyone’s first language. There also need to be plenty of breaks to allow people to digest what they have heard, but also to network, as all of the side conversations that take place at conferences are some of the most valuable parts of the puzzle as people get to know each other and develop real relationships.

nCipher: Seems like there’s a lot of moving parts to think about. What else do you have to consider?

PC: The nCipher team needs to be visible and accessible to the delegates throughout the event. I believe that our openness and transparency as a leadership team is a key strength and we can really focus on that by networking, running feedback sessions and giving our time to the partners throughout the event.

Finally, and not to be underestimated, is a bit of showbiz glitz. A slick event with high quality audio visuals, great sound and lighting, and professional set design will help to hold the audience in a really effective way. People respond well to the fact that the event team has clearly thought about the delegate experience and made an effort to deliver an enjoyable event. A good conference should not have to be “endured”.

nCipher: So what was on the agenda across the events?

PC: There were plenary sessions on all of the “big picture” topics, company strategy, the Entrust Datacard business, product roadmap, partner program and so forth. Then, we had multiple workshops getting into the details of our use cases and discussing how to engage effectively in the marketplace. Finally, we had a “Tech Expo” area supported by a number of nCipher technology partners, an awards dinner and the chance to participate in some local cultural activities before heading home.

nCipher: How do you ensure that everything works? There is clearly a lot that could go wrong!

PC: Planning and attention to detail are critical. Firstly, I would never host an event at a venue that I have not visited personally along with the core event team. You need to meet the hotel management, walk the floor, check the bedrooms and be comfortable that you really know the venue. Then, it’s about storyboarding the delegate experience and making sure every element is covered. This includes pre-event travel support, understanding special requirements, clear direction and signage throughout the event and the right quality of catering and entertainment.

nCipher: Speaking of catering and entertainment, how did you entertain guests in each location?

PC: We really worked on this aspect to give our partners in each venue a night to remember.

In Amsterdam we took over a 15th century landmark in the city centre for a wonderful candlelit dinner. We also hosted the daytime sessions in a beautiful 17th century domed former church so the historical element of one of Europe’s great cities really came to the fore.

In Ho Chi Minh City we took our partners down the Saigon River to a beautiful outdoor location lit with hundreds of bamboo lanterns for a night of traditional Vietnamese food and entertainment.

New Orleans led us to having the street closed by the police while we walked behind a band and a group of stilt-walkers to the banks of the Mississippi where we boarded a traditional paddle steamer for a dinner cruise with live jazz along with tarot readings on the lower deck. We were also in town over Halloween, which was highly entertaining!

All very much of their place and all highly memorable.

nCipher: There must have been a lot of travel for you and the nCipher team?

PC: My own October agenda involved nine flights covering close to 30,000 miles. I touched down in Qatar, Vietnam, Japan and the US before getting back to the UK. Many of the team had similarly complex journeys to manage but no-one missed a single day!

nCipher: Have you received feedback from the partners?

PC: We are still collecting feedback, but, with over 100 surveys received so far we are scoring 4.9 out of 5 across the board on all aspects of the events, which I’m pretty happy with.

nCipher: Traditionally, we always close these sessions with a question about whether you have been inspired to write a song for your Blues band. Well?

PC: Oh yes! “Halloween on Bourbon Street” has already taken shape and will feature in our rehearsal sessions next month!

If you’d like to learn even more about Peter, please visit his LinkedIn page. If you’d like to learn more about nCipher, please follow the company on Twitter, LinkedIn, and Facebook.

How cloud migration trends translate to HSM in the cloud

Jim DeLorenzo | Solutions Marketing Manager

The public cloud big bang

Since cloud computing was introduced around the turn of the century its use has exploded. Consider a few illuminating data points from two recent reports about cloud computing trends:

  • 91% of enterprises now use public cloud
  • 84% of enterprises have a multi-cloud strategy
  • Further, an estimated 83% of enterprise workloads will run in the cloud by 2020

It’s also notable that between 2018 and 2020 the fastest growing trends or factors driving public cloud adoption are artificial intelligence/machine learning (16% growth) and the Internet of Things (13% growth). Cloud computing has clearly matured beyond merely digitizing traditional ways of doing business and is now foundational to new use cases.

More cloud workloads = more security requirements

With many organizations taking a cloud-first – or even cloud-only – approach for their workloads, the need for stringent security strategies is more critical than ever. Indeed, the biggest challenge for organizations using public cloud is security. Cloud workloads deserve the same levels of security planning and design as is given to on-premises computing and storage.

However, some aspects of the security stack have traditionally functioned best on-premises, including hardware security modules. HSMs are central to an enterprise’s security as they protect critical keys and cryptographic material, but because they have traditionally been housed within the organization’s data center, connecting them with cloud-based applications and services has been challenging. Until now.

HSM as a Service – across any cloud

nCipher’s nShield as a Service delivers a cloud-native, subscription-based solution to these challenges. Instead of acquiring and maintaining physical devices, nShield as a Service customers are able to generate, access and protect their cryptographic key material, separately from sensitive data, using dedicated FIPS 140-2 Level 3-certified nShield Connect HSMs. Critically, this solution also provides a secure execution capability that allows developers to run sensitive code within the HSM’s boundaries, whether that’s business logic associated with banking, smart metering, digital signatures or custom encryption processes.

Because nShield as a Service is cloud-agnostic, customers can continue with their multi-cloud strategies with the peace of mind that if they want to move data or workloads from one cloud to another, their encryption keys are not locked into a particular cloud provider’s HSM. nShield as a Service customers own and maintain full control over their keys at all times.

As organizations continue to move beyond proofs of concept with artificial intelligence, machine learning and IoT projects, more and more sensitive data and intellectual property will come into play. Anytime that encryption is required to protect this information, nShield as a Service provides easy, efficient access to cryptography as a service.

For more information about nShield as a Service, please visit nCipher’s dedicated landing page. You can also follow the company on Twitter, LinkedIn, and Facebook.

Personal data privacy is an urgent topic today – and the spotlight on this will only get brighter in 2020

Cindy Provin | SVP Entrust Datacard and General Manager, nCipher Security

It’s October. That means it’s National Cybersecurity Awareness Month, which emphasizes personal accountability and the importance of taking proactive steps to enhance cybersecurity at home and in the workplace. This year’s theme – Own IT. Secure IT. Protect IT. – puts the focus on topics such as citizen privacy, consumer devices and ecommerce security.

To protect their privacy and security, individuals need to understand their rights and recourses. That is a challenge in today’s dynamic technology and regulatory environments.

The good news is that individuals are gaining more control over the ownership of their data. And that will enable people to take a more active role in protecting their privacy.

GDPR set the stage for legislation in the U.S.

The General Data Protection Regulation is the most high-profile development on the personal data front. GDPR, which took effect in May of 2018, gives European Union residents more control of their personal data. Under GDPR, businesses:

  • can only collect data required for the efforts to which people have agreed
  • must explain why they collect the data that they do
  • have to disclose with which other organizations they share users’ personal data
  • are required to alert EU residents within 72 hours of a breach impacting their data
  • need to correct, delete and/or provide lists of their data at their customers’ request

GDPR – and the Equifax breach and the Facebook-Cambridge Analytica scandal – have prompted legislators and regulators elsewhere on the planet to address cybersecurity and personal data privacy, too. The California Consumer Privacy Act was one of the new regulations that emerged as a result.

California’s new consumer privacy act is nearly here

This ground-breaking law takes effect Jan. 1, 2020.

It applies to academic, biometric, employment, geolocation and internet browsing data. It also impacts data indicating what products individuals have looked at or purchased, as well as inferences drawn to create personal profiles indicating preferences.

The CCPA will:

  • give California residents the right to demand that companies disclose what personal data they have collected about them
  • enable Golden State consumers to ask companies to delete their personal data
  • allow individuals there to forbid companies to share personal data with third parties

The CCPA applies to companies that do business in California. That includes companies with more than $25 million in gross revenue, businesses with data on more than 50,000 consumers and firms that make more than half of their revenue selling consumer data. It also covers out-of-state merchants that sell to California residents or display a website in the state.

Some law and privacy experts actually expect CCPA to have the effect of a national law. Their thinking is that this will happen by default because companies will find it easier to apply CCPA nationwide than to create separate systems for compliance.

There’s also a push for a national personal data privacy law

That notion, and the fact that other states might follow suit, greatly concerns companies whose fortunes are tied to personal digital data.

Many technology organizations have lobbied aggressively for the creation of a federal privacy law.

Ernesto Falcon, legislative counsel at the Electronic Frontier Foundation, commented: “It’s clear that the strategy here is to neuter California for something much weaker on the federal level. The companies are afraid of California because it sets the bar for other states.”

How this will all ultimately play out remains to be seen. But at least one report suggests it’s unlikely a federal privacy bill aimed at preempting state law like the CCPA will come before Congress this year. Meanwhile, CCPA appears on track to take effect at the beginning of the new year. And at least one thing is for certain: Cybersecurity and personal data privacy remain in the spotlight well beyond National Cybersecurity Awareness Month and into the year ahead.

Visit our website to learn how nCipher Security can help protect valuable data. You can also follow the company on Twitter, LinkedIn, and Facebook.