

The Futurex Blog. News, Announcements and Much More.


Key Management Refresher: Beyond the Bare Minimum

by Futurex on November 21st, 2014

For any organization managing encryption keys, the process of creating, maintaining, and improving a key management system can seem like a frustrating or even impossible task. These feelings of frustration often stem from a few prominent mistakes that frequently occur. Beyond simple annoyance with an inefficient system, key management mistakes can have a far more damaging effect: data breaches. Fortunately, these mistakes are easily preventable with some instruction. In our whitepaper, Ten Key Management Mistakes…And How to Avoid Them, we discuss ten actions that can make or break a key management system.

Data security practices are seldom black and white. Rather, they’re more like a scale of bad to best. It’s easy to identify bad practices, but the problem organizations often face is settling for “good” practices instead of striving for “the best.” This problem usually originates from the belief that achieving the goals outlined by auditors in order to meet compliance means that their organization has done all it needs to do to enforce proper data security measures. The truth of the matter is that “checkbox compliance” is not the end goal. It’s the bare minimum.

This is not a problem that can be solved simply by adding more boxes to the checklist. System administrators must learn to think critically about their IT infrastructures. Compliance mandates are by necessity very broad and overreaching, as there is no way to address every minute detail for every organization. It is up to your administrators to apply basic concepts to their specific infrastructure, analyzing the system and determining what additional actions need to be taken to fully protect their environment, instead of simply meeting the requirements and calling it quits.

How can administrators apply these concepts to their key management policies? Let’s think of actions in terms of the bad (things prohibited by auditors), the good (things recommended by auditors), and the best (things that go beyond the recommended approach).

It’s obvious that using “Password” as a password is a bad practice. Using a password such as “Ilikesoccer” significantly improves its strength, but don’t stop there. Consider a truly secure password like “iL2plAs0cEr”. Yes, that password will be hard to remember, but that’s where passphrases can make things easier. Use a passphrase like “I like to play soccer” to help you remember the password.

Most likely, your key management system requires dual control, but this security measure can be enhanced further with the use of dual factor authentication. Usually there are three types of authentication:

  1. Something you know, such as a password
  2. Something you own, such as a smart card
  3. Something you are, such as genetic factors like fingerprints or iris scans

Organizations recognize the importance of employee training, but how much value is placed on it? Instead of simply having a best practices training session once a year, hold engaging meetings on a regular basis, with varied content that isn’t simply repeating the same information over and over again.

Want to know more about key management best practices? Download our whitepaper or contact us today.



Have you registered for the Futurex Portal yet?

by Alex Hopkins on November 17th, 2014

The Futurex Portal is a personalized resource designed to provide our customers and partners with easy access to a large, dynamic collection of information including user guides, technical documentation, and more. We have recently made a number of enhancements to the Portal to better fulfill customer and partner needs, including broader documentation, information on the VirtuCrypt Hardened Enterprise Security Cloud, and an easier-to-use navigation system.

Futurex has a long-standing record of providing our users with support of the highest caliber. Our Portal is intended to continue that tradition, with our vast library of information and assistance available to our customers and partners whenever they need them. Within the Portal, users can effortlessly find specific material related to their Futurex products as well as a simplified Xceptional Support request form, regulatory compliance information, project management functionality for custom development initiatives, and much more.

We invite you to visit the Futurex Portal, register for an account, and explore the personalized material available for you.



Data Security & Fraud Prevention Roundup – November 14th, 2014

by Futurex on November 14th, 2014

Our Data Security & Fraud Prevention Roundup contains links to the best data security and fraud prevention-related articles, blog posts, news releases, interviews, and anything else that we found interesting from around the web over the course of the last two weeks, along with our thoughts on them.

#1: 5 Essentials to Reduce Healthcare Data Breaches by HIT Consultant (November 7, 2014)

Healthcare organizations all over are being affected as data breaches threaten to compromise sensitive patient information. This article offers 5 steps that healthcare companies can take in order to avoid or reduce the likelihood of data breaches.

#2: Network Firewalls as relevant to data security as ever by Warwick Ashford, Computer Weekly (November 11, 2014)

Network firewalls perform an important role in the enterprise IT ecosystem. In this article, Gil Shwed, CEO of Check Point, discusses the various ways in which firewalls can still help your organization combat data security breaches.

#3: Retailers Behind on Fraud Deterring Chip Technology by CBS New York (November 12, 2014)

EMV cards offer up the prevention of data theft for consumers and are becoming more appealing as retailers are being breached. Many of these companies, however, have not yet implemented the technology necessary to use these secure smart cards in their POS systems, but why?

#4: The 4 Factors of Planning a Cloud Deployment by Karen Scarfone, FedTech Magazine (November 12, 2014)

So you’ve decided to move your company’s data to the cloud. Now what? The cloud certainly offers an increased level of convenience and cost-effectiveness, but data migration still requires careful consideration and planning. In this article, Karen Scarfone discusses four aspects of cloud deployment your organization should know about.

If you find something interesting that you’d like to see considered for our next Data Security & Fraud Prevention Roundup, don’t hesitate to let us know. We’re always on the lookout for new and interesting perspectives on data security news, issues, thoughts, and best practices. Send your best links to info@futurex.com, or share them with us on Twitter (@Futurex).



TLS/SSL Encryption and You

by Futurex on November 10th, 2014

Transport Layer Security (TLS) keeps our information safe by providing a way to secure and encrypt data used for important and sensitive tasks. TLS, which is the successor to SSL, can be used to establish an encrypted link between host servers or applications and endpoints. These endpoints can be any electronic devices capable of TLS encryption, but are most commonly devices such as computers, phones, tablets, or Point of Sale terminals. For many of us, TLS and SSL knowledge ends with ensuring the web address includes an ‘s’ at the end of ‘http’ when making an online purchase or logging into a website that contains a lot of personal information. Beyond that application, TLS encryption is capable of protecting all kinds of data.

Those with endpoint devices already supporting TLS encryption may find that their host application is incapable of reading TLS/SSL encrypted data. This means that data must be received as clear data, unencrypted, and is therefore much less secure. This is where the Futurex Kryptos TLS Server comes in. It acts as a kind of translator, encrypting or decrypting data as necessary for the host application. Hardware security module (HSM) solutions, like the Kryptos TLS Server, are capable of data encryption and decryption from a multitude of sources including: online transactions, POS terminals, encrypted e-mails or even just between two data centers. If the data is transmitted through TCP/IP, it is able to be securely processed by the Kryptos TLS Server.

This type of encryption process is sometimes called link encryption, where data is encrypted or decrypted at each end point (such as between a browser and a web server). The Kryptos TLS Server is a relatively easy way to add an extra level of security for processing your client’s sensitive data. This level of security can significantly minimize risk from eavesdroppers or similar attacks on the data you’re looking to protect.

The following infographic details three scenarios:

  1. There is no TLS/SSL encryption at the data creation point, and therefore the host application receives clear data. This leaves the data vulnerable, unencrypted, and not secure.
  2. TLS/SSL encryption is possible, but the host application can’t interpret the incoming data.
  3. Kryptos TLS Servers decrypt incoming TLS/SSL encrypted data, and the data is unencrypted only on a secure local network, usually inside of a data center. The data is re-encrypted before it leaves, and remains protected.

