
Understanding Key Management Policy – Part 2

In the first part of this two-part series on Key Management, we saw how an increasing number of organizations are encrypting their sensitive data to mitigate cybersecurity risks. As covered earlier, with cybercriminals getting more sophisticated, merely encrypting data is not sufficient.

With data encryption, the risk is transferred from the data to the encryption keys: whoever holds the key can read the data. To ensure optimal data protection, organizations should therefore make sure that their encryption keys are efficiently managed and safeguarded at each stage of their lifecycle.

In this part, we will cover the various benefits of centralizing your key management and guide you on how to adopt key management for your organization.

Centralized Key Management

When it comes to securely storing the encryption keys, three pertinent questions should be addressed:

1. Where are the keys stored – in third-party applications, in the cloud (private, public or hybrid?), in a heterogeneous environment that supports multiple databases?

2. Are the keys protected with strong access management mechanisms that prevent unauthorised access?

3. Is your approach to key security compliant with the statutory mandates of the regulatory bodies?

As more and more data gets encrypted, the dependence on encryption keys increases and safeguarding all the keys (throughout their entire lifecycle) becomes challenging. The task becomes more daunting in an environment where organizations use diverse vendor systems that generate their own keys.

Further, as encryption keys undergo a lot of changes throughout their lifecycle – like creation, key versioning, distribution, rotation, storage, archival, backup, and ultimately destruction, managing the keys at each juncture of their lifecycle becomes critical.

This is where centralized key management comes in handy. With the inherent ability to store and manage all the encryption keys centrally in a secure and efficient manner, organizations can uniformly view, control, and administer the encryption keys for all their sensitive data – whether it resides in the cloud, in storage, in databases, or virtually anywhere else.

Leading Key Management Solutions (KMSs) can manage keys across heterogeneous encryption platforms because they support the Key Management Interoperability Protocol (KMIP) standard as well as vendors' proprietary interfaces, which makes a disparate set of encryption keys easier to manage.

Apart from secure storage and management, another important aspect of centralized key management is key governance. Storing and managing the keys is not enough on its own; ensuring strict access management is equally important. Centralized key management enables proper key governance even as data and people move from department to department within the organization.

Requisites for Effective Centralized Key Management

Now that we understand why organizations should adopt centralized key management to ensure optimal data protection, let’s look at the three important requisites for centralized key management to work smoothly:

1. Key Management Server

At the heart of any good Key Management Solution is a FIPS 140-2 Level 3-validated, tamper-resistant and tamper-responsive hardware server (or a server backed by a Hardware Security Module, HSM) that creates, stores, retrieves, rotates, archives and deletes the encryption keys. Note that Level 3 validation does not make a device "tamper-proof": it means that a physical intrusion is detected and answered by zeroizing the keys, and that operators must authenticate individually before using the device.

This server also communicates with all other applications (both internal and external) over the Key Management Interoperability Protocol (KMIP), which runs over a TLS-protected connection, typically with client-certificate authentication, so that key requests and key material are encrypted in transit.
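As an added illustration of what "KMIP support" means on the wire (this is example code written for this page, not Gemalto's code and not any KMIP library's code): KMIP messages are TTLV-encoded, and the encoder/decoder below builds the Create request a client would send to have a 256-bit AES key generated on the key server, then parses it back. Tag, type and enumeration values are taken from the KMIP 1.x specification; the tuple representation (name, type, value) is this example's own convention.

```python
import struct

# KMIP item types (the TTLV "Type" byte) used here; values from the KMIP 1.x specification
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07

# Tag values from the KMIP 1.x tag table, limited to what a Create request needs
TAG = {
    "RequestMessage": 0x420078, "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
    "BatchItem": 0x42000F, "Operation": 0x42005C,
    "RequestPayload": 0x420079, "ObjectType": 0x420057,
    "TemplateAttribute": 0x420091, "Attribute": 0x420008,
    "AttributeName": 0x42000A, "AttributeValue": 0x42000B,
}
NAME = {v: k for k, v in TAG.items()}

OP_CREATE, OBJ_SYMMETRIC_KEY, ALG_AES = 1, 2, 3   # KMIP enumeration values
USAGE_ENCRYPT, USAGE_DECRYPT = 0x04, 0x08          # Cryptographic Usage Mask bits


def _ttlv(tag, typ, payload, length=None):
    """Tag (3 bytes) | Type (1) | Length (4, big-endian) | Value padded to a multiple of 8."""
    length = len(payload) if length is None else length
    padded = payload + b"\x00" * (-len(payload) % 8)
    return tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", length) + padded


def encode(item):
    """item is (name, type, value); a Structure's value is a list of child items."""
    name, typ, value = item
    tag = TAG[name]
    if typ == STRUCTURE:
        return _ttlv(tag, typ, b"".join(encode(child) for child in value))
    if typ == INTEGER:        # 4-byte value, length field 4, value padded to 8
        return _ttlv(tag, typ, struct.pack(">i", value), 4)
    if typ == ENUMERATION:
        return _ttlv(tag, typ, struct.pack(">I", value), 4)
    if typ == TEXT_STRING:
        return _ttlv(tag, typ, value.encode("utf-8"))
    raise ValueError(f"unsupported TTLV type {typ:#x}")


def decode(buf, pos=0):
    """Decode one item starting at pos; returns (item, position after padding).
    Every length field is checked against the buffer, so a truncated or lying
    message raises instead of being read past its end."""
    if len(buf) - pos < 8:
        raise ValueError("truncated TTLV header")
    tag = int.from_bytes(buf[pos:pos + 3], "big")
    typ = buf[pos + 3]
    length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
    start, end = pos + 8, pos + 8 + length
    padded_end = end + (-length % 8)
    if padded_end > len(buf):
        raise ValueError("TTLV length exceeds buffer")
    raw = buf[start:end]
    name = NAME.get(tag, f"Unknown:{tag:#08x}")
    if typ == STRUCTURE:
        value, p = [], start
        while p < end:
            child, p = decode(buf, p)
            value.append(child)
        if p != end:
            raise ValueError("structure children overrun the structure length")
    elif typ in (INTEGER, ENUMERATION):
        if length != 4:
            raise ValueError("Integer/Enumeration value must be 4 bytes")
        value = struct.unpack(">i" if typ == INTEGER else ">I", raw)[0]
    elif typ == TEXT_STRING:
        value = raw.decode("utf-8")
    else:
        raise ValueError(f"unsupported TTLV type {typ:#x}")
    return (name, typ, value), padded_end


def create_symmetric_key_request(algorithm=ALG_AES, length=256, major=1, minor=2):
    """KMIP Create request for a symmetric key: the key is generated on the
    server and its material never has to cross the wire in clear."""
    def attr(aname, atype, avalue):
        return ("Attribute", STRUCTURE, [("AttributeName", TEXT_STRING, aname),
                                         ("AttributeValue", atype, avalue)])
    return ("RequestMessage", STRUCTURE, [
        ("RequestHeader", STRUCTURE, [
            ("ProtocolVersion", STRUCTURE, [("ProtocolVersionMajor", INTEGER, major),
                                            ("ProtocolVersionMinor", INTEGER, minor)]),
            ("BatchCount", INTEGER, 1)]),
        ("BatchItem", STRUCTURE, [
            ("Operation", ENUMERATION, OP_CREATE),
            ("RequestPayload", STRUCTURE, [
                ("ObjectType", ENUMERATION, OBJ_SYMMETRIC_KEY),
                ("TemplateAttribute", STRUCTURE, [
                    attr("Cryptographic Algorithm", ENUMERATION, algorithm),
                    attr("Cryptographic Length", INTEGER, length),
                    attr("Cryptographic Usage Mask", INTEGER, USAGE_ENCRYPT | USAGE_DECRYPT)])])])])
```

In a real deployment the bytes returned by encode() are written to a TLS connection to the key server (KMIP requires TLS, and client-certificate authentication is the usual configuration) and the server's response is parsed with decode(). The decoder validates every length field against the buffer before slicing, which is the check you want in front of any parser that faces a network peer.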

Below are three important points that organizations should consider while selecting a key management server:

(1) Adherence to Regulatory Compliances

The server must comply with federal security requirements (FIPS 140-2 Level 3 and above) that mandate zeroization of all stored keys and other critical security parameters upon detection of a physical tamper attempt.

(2) Role Management

The server should have built-in role management features that enforce separation of duties between user roles (no single role should be able both to administer the server and to use or destroy keys), with handy tools to quickly assign and revoke roles. As more and more data gets encrypted and the dependence on encryption keys grows, role management becomes a crucial feature for any organization.

(3) Interoperability

The server should interoperate cleanly with other business applications by exposing its functions through APIs, web services and encryption connectors, not only through its administrative user interface.

As a best practice, organizations should:

(a) Store all encryption keys (and not just the Root of Trust Master Key) in the hardware server.

(b) Ensure that the autorotation and versioning of keys take place as per a pre-defined schedule without any downtime during the key rotation process, and

(c) Ensure that IP address allow-listing of clients is enforced inside the secure hardware server itself, rather than only in a firewall in front of it.
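To make the lifecycle and rotation requirements above concrete, here is an added example (not code from SafeNet KeySecure or any other product) of a versioned key ring: every ciphertext carries the number of the key version that produced it, so rotation creates a new version for encryption while older versions remain decrypt-only until they are explicitly destroyed, which is what "rotation and versioning without downtime" requires. The state names follow NIST SP 800-57; the HMAC-SHA256 counter-mode construction is a stand-in for a real AEAD such as AES-GCM so that the example runs with the Python standard library, and the key material held in memory here would live inside the HSM in a real deployment.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Key states: a subset of the NIST SP 800-57 key lifecycle
ACTIVE, DEACTIVATED, DESTROYED = "active", "deactivated", "destroyed"


@dataclass
class KeyVersion:
    version: int
    material: bytes       # in a real deployment this never leaves the HSM
    created_at: int       # unix time of creation
    state: str = ACTIVE


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256: a demonstration PRF so the
    example needs only the standard library. Use AES-GCM in production."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class KeyRing:
    """One logical key with numbered versions. Encryption always uses the single
    ACTIVE version; decryption uses the version named in the ciphertext header,
    so rotating never interrupts readers of data encrypted earlier."""

    def __init__(self, name, rotation_period):
        self.name = name
        self.rotation_period = rotation_period   # seconds between scheduled rotations
        self.versions = {}

    def current(self):
        active = [v for v in self.versions.values() if v.state == ACTIVE]
        return active[0] if active else None

    def rotate(self, now):
        """Create version n+1 and demote the previous ACTIVE version to
        DEACTIVATED (decrypt-only). Existing ciphertexts stay readable."""
        for old in self.versions.values():
            if old.state == ACTIVE:
                old.state = DEACTIVATED
        new = max(self.versions, default=0) + 1
        self.versions[new] = KeyVersion(new, os.urandom(32), now)
        return new

    def rotate_if_due(self, now):
        """Scheduled auto-rotation: rotate once the active version is older than the period."""
        cur = self.current()
        if cur is None or now - cur.created_at >= self.rotation_period:
            return self.rotate(now)
        return cur.version

    def destroy(self, version):
        """Final state. Refuses to destroy the ACTIVE version: rotate first."""
        kv = self.versions[version]
        if kv.state == ACTIVE:
            raise ValueError("rotate before destroying the active version")
        kv.material = b""
        kv.state = DESTROYED

    def encrypt(self, plaintext):
        kv = self.current()
        if kv is None:
            raise RuntimeError("no active key version")
        nonce = os.urandom(16)
        header = struct.pack(">I", kv.version)           # version travels with the ciphertext
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(kv.material, nonce, len(plaintext))))
        tag = hmac.new(kv.material, header + nonce + ct, hashlib.sha256).digest()
        return header + nonce + ct + tag

    def decrypt(self, blob):
        version = struct.unpack(">I", blob[:4])[0]
        kv = self.versions.get(version)
        if kv is None or kv.state == DESTROYED:
            raise KeyError(f"key version {version} is not available for decryption")
        nonce, ct, tag = blob[4:20], blob[20:-32], blob[-32:]
        expected = hmac.new(kv.material, blob[:4] + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext authentication failed")
        return bytes(c ^ k for c, k in zip(ct, _keystream(kv.material, nonce, len(ct))))
```

The point to take from the example is the ordering: a version is deactivated (decrypt-only) by rotation and destroyed only afterwards, and only once everything encrypted under it has been re-encrypted or has reached the end of its retention period. Destroying the active version, or destroying a deactivated one while data still depends on it, is what turns key management into data loss.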

2. Key Management Policies

As seen in our previous post, a key management policy (KMP) is a pre-defined set of rules that cover the goals, responsibilities, and overall requirements for securing and managing an organization’s encryption keys.

While a key management server can centrally manage all the encryption keys and enforce set policies, it cannot create a KMP on its own. The onus of chalking out a comprehensive KMP lies with the organization’s Cybersecurity & IT Heads, like the Chief Information Security Officer (CISO), Chief Risk Officer (CRO), etc. who are responsible for ensuring the adoption of KMPs for data protection. ‘Unambiguity’ is one of the most important pillars of a good KMP that makes sure that there are no misinterpretations whatsoever while accessing the encryption keys. For example, a KMP can unequivocally state that the employees of one business unit or department cannot access the encryption keys of another unit, or that access to the keys can be granted only through the corporate LAN.

3. Key Management Processes

Key management processes are the concrete procedures (inputs, activities, and outputs) that turn the KMP into day-to-day practice, and they are pivotal to centralized key management.

These processes help users in using their organization’s KMP and can be automated or implemented manually. For example, depending on the sensitivity of the data to be accessed, the Key Management Process may instruct users to either connect through a VPN or through the corporate LAN.
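The role-management, allow-listing and policy rules described in this section can be enforced as code rather than left to interpretation. Here is an added example (the network ranges, role names and rules are constructed for illustration and are not taken from any product or from the post) of a deny-by-default evaluator that applies the KMP rules given above: requests must originate from the key server's IP allow-list, keys are scoped to the owning business unit, each operation requires a role, high-sensitivity keys are reachable from the corporate LAN only (not from the VPN pool), and destruction requires a second custodian who is neither the requester nor the key's creator.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Network zones (constructed ranges for this example)
CORPORATE_LAN = [ipaddress.ip_network("10.10.0.0/16")]
VPN_POOL = [ipaddress.ip_network("10.200.0.0/16")]
ALLOWED_SOURCES = CORPORATE_LAN + VPN_POOL     # the key server's own IP allow-list

# Role management: which roles may invoke which key operation
ROLE_FOR_OPERATION = {
    "use": {"application", "key-custodian"},   # encrypt / decrypt with the key
    "rotate": {"key-custodian"},
    "destroy": {"key-custodian"},
}


@dataclass
class Principal:
    user: str
    unit: str
    roles: set


@dataclass
class KeyRecord:
    key_id: str
    owner_unit: str
    sensitivity: str      # "standard" or "high"
    created_by: str       # needed for separation of duties on destruction


@dataclass
class Request:
    principal: Principal
    operation: str
    key: KeyRecord
    source_ip: str
    approver: Optional[Principal] = None   # second custodian, required for destroy


def _within(ip, networks):
    return any(ip in net for net in networks)


def evaluate(req):
    """Apply the policy rules in order; returns (allowed, reason). Deny by default."""
    ip = ipaddress.ip_address(req.source_ip)
    if not _within(ip, ALLOWED_SOURCES):
        return False, "source address is not on the key server allow-list"
    if req.principal.unit != req.key.owner_unit:
        return False, "keys are scoped to their owning business unit"
    if not req.principal.roles & ROLE_FOR_OPERATION.get(req.operation, set()):
        return False, f"role does not permit '{req.operation}'"
    if req.key.sensitivity == "high" and not _within(ip, CORPORATE_LAN):
        return False, "high-sensitivity keys may only be used from the corporate LAN"
    if req.operation == "destroy":
        a = req.approver
        if (a is None or "key-custodian" not in a.roles or a.unit != req.key.owner_unit
                or a.user in (req.principal.user, req.key.created_by)):
            return False, "destroy needs a second custodian who is neither the requester nor the key's creator"
    return True, "allowed"
```

Each denial carries its reason so that the decision can be logged and audited, which is the other half of governance: a policy that cannot be shown to have been applied is hard to defend to a regulator.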

Gemalto's SafeNet KeySecure

As the global leader in enterprise key management, Gemalto's SafeNet KeySecure is widely adopted by organizations across the globe to centrally manage their encryption keys.

Available as a hardware appliance or virtual security appliance, SafeNet KeySecure is a plug-and-play, secure centralized key management platform that can be quickly deployed in physical, virtualized infrastructure and public cloud environments.

Holistically supporting data encryption and key management for a diverse set of databases like Oracle, IBM DB2, Microsoft SQL Server, MongoDB, etc., SafeNet KeySecure also supports the generation, storage and export of keys in a Bring-Your-Own-Key (BYOK) arrangement with cloud providers like Microsoft Azure, Amazon Web Services, etc.

Below is a quick snapshot of the diverse integrations ecosystem that Gemalto’s SafeNet KeySecure supports:

For organizations that have already invested in HSM devices, Gemalto offers a cost-friendly Virtual Key Management Solution – SafeNet Virtual KeySecure that centralizes all cryptographic processing and provides scalable key management at remote facilities or cloud infrastructures such as VMware or AWS Marketplace.

To Sum It Up

With rising incidents of cyber attacks and data breaches, neither front line defense mechanisms suffice, nor does mere data encryption. To safeguard sensitive data, organizations should not only secure their encryption keys from unauthorized access, but also efficiently manage them centrally through a state-of-the-art, highly scalable key management solution. Learn more about Enterprise Key Management and how it can help your organization efficiently manage your encryption keys.


Understanding Key Management Policy – Part 1

With rising incidents of data breaches, organisations across the globe are realising that merely implementing perimeter defense systems no longer suffices to thwart cyber attacks.

While front line defense mechanisms like firewalls, anti-theft, anti-spyware, etc. definitely act as a strong deterrent against cyber attacks, they offer no protection once an attacker has bypassed them, for instance by exploiting a vulnerability in the perimeter itself.

Alarmed by a spike in data breaches, many regulations like the Payment Card Industry Data Security Standard (PCI DSS), UIDAI’s Aadhaar circulars, RBI’s Gopal Krishna Committee Report and the upcoming Personal Data Protection Bill in India now urge organisations to encrypt their customers’ personal data.

This has resulted in an increasing number of organisations adopting data encryption as their last line of defense in the eventuality of a cyber attack. Unfortunately, with cybercriminals getting smarter and more sophisticated with every passing day, merely encrypting data is no longer the proverbial silver bullet to prevent data breaches.

In this two-part blog series, we will deep dive into the concept of (encryption) key management and cover the pivotal role a well-defined Key Management Policy (KMP) plays in data protection.

Let’s first begin with the basics!

Types of Encryption (Crypto) Keys

Crypto keys can be broadly categorised in two types – ‘symmetric keys’ and ‘asymmetric keys’.

In symmetric key encryption, the cryptographic algorithm uses a single (i.e. same) key for both encryption and decryption. Contrastingly, in asymmetric key encryption, the algorithm uses two different (but related) keys for encryption and decryption. These keys are known as ‘public keys’ and ‘private keys’.

For encryption, the public key is used to encrypt data and the private key to decrypt it (for digital signatures the roles are reversed: the private key signs and the public key verifies). Since any data encrypted with the public key cannot be decrypted without the corresponding private key, ensuring optimal security of the private keys is crucial for foolproof data protection.

Key Management

Since crypto keys pass through multiple phases during their lifetime – like generation, registration, distribution, rotation, archival, backup, revocation and destruction, securely managing these keys at each phase is very important.

Effective key management means protecting the crypto keys from loss, corruption and unauthorised access.

Challenges to Key Management

As more and more organisations generate thousands of crypto keys today for a diverse and disparate set of encryption-dependent systems spread across multiple businesses and geographical locations, key management becomes a big challenge.

To ensure that crypto keys do not fall in the wrong hands, a common practice followed by many organisations is to store these keys separately in FIPS-certified Hardware Security Modules (HSMs) that are in-built with stringent access controls and robust audit trail mechanisms.

However, with organisations using a diverse set of HSM devices like Payment HSMs for processing financial transactions, General Purpose HSMs for common cryptographic operations, etc., key management woes intensify. Further, merely storing the keys separately in HSM devices is not sufficient, as apart from secure storage, efficient management of the crypto keys at every phase of their lifecycle is very important.

Some of the other key management challenges that organisations face include using the correct methodologies to update system certificates and keys before they expire, and dealing with proprietary interfaces when keeping track of cryptographic updates on legacy systems.

Hence, cybersecurity experts recommend that organisations centralise the management of their crypto keys, consolidate their disparate HSM systems and chalk out a comprehensive KMP that provides clear guidelines for effective key management.

Key Management Policy (KMP)

While most organisations have comprehensive Information Security and Cybersecurity policies, very few have a documented Key Management Policy.

A well-defined KMP firmly establishes a set of rules that cover the goals, responsibilities, and overall requirements for securing and managing crypto keys at an organisational level.

Designed to cohesively cover each stage of a key’s lifecycle, a robust KMP should protect the key’s:

1. Confidentiality
2. Integrity
3. Availability, and
4. Source Authentication.

The KMP should also cover all the cryptographic mechanisms and protocols that can be utilised by the organisation’s key management system.

Last, but not least, a good KMP should remain consistent and must align with the organisation’s other macro-level policies. For example, if an organisation’s information security policy mandates that electronically transmitted information should be securely stored for a period of 7-10 years, the KMP should be able to easily align to such a mandate.

To Sum It Up

Data encryption is no longer sufficient to prevent data breaches and merely storing the crypto keys separately no longer guarantees foolproof protection against sophisticated cyber attacks.

The need of the hour is to safeguard the keys at each phase of their lifecycle, manage them centrally and implement a robust KMP to ensure optimal data protection.

In the next part, we will discuss how organisations can leverage Key Management Interoperability Protocol (KMIP) to manage their encryption keys and how Gemalto’s Key Management Platform can help to streamline their key management centrally.

In the meantime, familiarize yourself with our Key Management Platform, and learn how security teams can uniformly view, control, and administer cryptographic policies and keys for all their sensitive data—whether it resides in the cloud, in storage, in databases, or virtually anywhere else.


The Future of Cybersecurity – A 2019 Outlook

From the record-breaking number of data breaches to the implementation of the General Data Protection Regulation (GDPR), 2018 will certainly go down as a memorable year for the cybersecurity industry. And there have been plenty of learnings for both the industry and organisations, too.

Despite having two years to prepare for its inception, some companies were still not ready when GDPR hit and have faced the consequences this year. According to the law firm EMW, the Information Commissioner's Office received over 6,000 complaints in around six weeks between 25th May and 3rd July – a 160% increase over the same period in 2017. When GDPR came into force, there were questions raised about its true power to hold companies to account – with the regulation allowing fines of up to €20 million (about £16.5 million at the time) or 4% of worldwide annual turnover, whichever is higher. The latter half of this year has shown those concerns were unfounded, with big companies, including Uber as recently as this week, being fined for losing customer data. What 2018 has shown is that the authorities have the power and they're prepared to use it.

In fact, the role of GDPR was to give more power back to the end user about who ultimately has their data, but it was also ensuring companies start taking the protection of the data they hold more seriously. Unfortunately, while the issue around protecting data has grown more prominent, the methods to achieving this are still misguided. Put simply, businesses are still not doing the basics when it comes to data protection. This means protecting the data at its core through encryption, key management and controlling access. In our latest Breach Level Index results for the first half of 2018, only 1% of data lost, stolen or compromised was protected through encryption. The use of encryption renders the data useless to any unauthorised person, effectively protecting it from being misused. Another reason to implement this is it is actually part of the regulation and will help businesses avoid fines as well. With such a large percentage still unprotected, businesses are clearly not learning their lessons.

So, moving on from last year, what might the next 12 months bring the security industry? Based on the way the industry is moving, 2019 is set to be an exciting year as AI gains more prominence and quantum computing and crypto-agility start to make themselves known.

2019 Predictions
1. Quantum Computing Puts Pressure on Crypto-Agility

Next year will see the emergence of the future of security – crypto-agility. As computing power increases, so does the threat to current security protocols. But one notable example here is encryption, the static algorithms of which could be broken by the increased power. Crypto-agility will enable businesses to employ flexible algorithms that can be changed, without significantly changing the system infrastructure, should the original encryption fail. It means businesses can protect their data from future threats including quantum computing, which is still years away, without having to tear up their systems each year as computing power grows.

2. Hackers will launch the most sophisticated cyber-attack ever using AI in 2019

Up until now, the use of AI has been limited, but as the computing power grows, so too do the capabilities of AI itself. In turn this means that next year will see the first AI-orchestrated attack take down a FTSE100 company. Creating a new breed of AI powered malware, hackers will infect an organisations system using the malware and sit undetected gathering information about users’ behaviours, and organisations systems. Adapting to its surroundings, the malware will unleash a series of bespoke attacks targeted to take down a company from the inside out. The sophistication of this attack will be like none seen before, and organisations must prepare themselves by embracing the technology itself as a method of hitting back and fight fire with fire.

3. Growing importance of digital transformation will see the rise of Cloud Migration Security Specialists in 2019

As organisations embrace digital transformation, the process of migrating to the cloud has never been under more scrutiny; from business leaders looking to minimise any downtime and gain positive impact on the bottom line, to hackers looking to breach systems and wreak havoc. As such, 2019 will see the rise of a new role for the channel – the Cloud Migration Security Specialist. As companies move across, there is an assumption that they’re automatically protected as they transition workloads to the cloud. The channel has a role to play in educating companies that this isn’t necessarily the case and they’ll need help protecting themselves from threats. It’s these new roles that’ll ensure the channel continues to thrive.

4. A Boardroom Issue That Needs to Yield Results

With 2018 fast disappearing, the next year is going to be another big one no matter what happens, as companies still struggle to get to terms with regulations like GDPR. With growing anticipation around the impact of technologies like quantum and AI, it’s important that companies don’t forget that the basics are just as vital, if not more, to focus on. So, while 2018 has been the year where cybersecurity finally became a boardroom issue, 2019 needs to be the year where its importance filters down throughout the entire company. For an issue like cybersecurity, the company attitude towards it needs to be led from the top down, so everyone buys into it. If that happens, could next year see no breaches take place? Extremely unlikely. But maybe it could be the year the industry starts to turn the tide against the hacking community.


The Cost of a Data Breach

How much does a data breach cost? So far, $242.7 million and counting if your company happens to be Equifax. That is how much the company has spent since its data breach that exposed sensitive personal and financial information for nearly 148 million consumers, according to its latest SEC filing. All because it left consumer information unencrypted and in the clear, which was highlighted in testimony before the U.S. Senate Commerce Committee last year (watch the video below).

To put the size and scope of Equifax’s remediation efforts in comparison, in just seven months Equifax has spent nearly what Target spent ($252 million) in two years after its 2013 data breach. Equifax will likely continue to spend millions for the next several quarters on the cleanup.

For many years analysts and security professionals have tried to estimate what a data breach can cost a company. From the expense of having to upgrade IT infrastructure and security to paying legal fees and government fines – there are a lot of costs that are both tangible and intangible. In addition, there are the impacts to a company's stock price and the erosion of customer trust ("Will they come back?"). For management teams it can also have a very real impact professionally. For example, the chairman and CEO of Target resigned months after the data breach, and the CEO of Equifax resigned within weeks of its data breach.

Many studies have been done to calculate the cost of a data breach, including the annual Ponemon Institute’s Cost of a Data Breach report which calculates the cost down to the data record. According to the latest Ponemon annual report, the average cost of a data breach is currently $3.62 million globally, which comes to $141 a record. In the U.S., the cost is almost double that at $7.35 million. But do these research reports actually gauge what a data breach will cost a company? At the end of the day, equating data breach damages to a “per record” cost makes data breaches just an actuarial exercise of acceptable risk.

And this kind of goes with the prevailing sentiment that data breaches don't cost companies that much. The thinking goes like this. For the breached company, the stock price will take a hit, customers will be enraged and money will be spent notifying customers and upgrading security. But, eventually the company recovers and it's back to normal. After all, so the thinking goes, what is a couple million dollars in IT upgrades and fines to a company that is worth $50 billion.

This type of thinking must change because we are at a tipping point on the implications of data breaches. The costs have become more real to companies and the boards who run them. CEOs and other members of the management team are now losing their jobs because data breaches now have more potential to be more life-threatening, if not killers, for companies. Take for example the TalkTalk data breach, which caused the company to lose more than 100,000 customers, and the fact that Yahoo! had to lower its purchase price by $350 million in its acquisition by Verizon. The last and most important factor is that governments are now taking notice and doing something about it. The European Union’s General Data Protection Regulation (GDPR) is a prime example of this, and countries around the world are looking at it as the model for their own regulations.

If costs and risks of data breaches are increasing (and they are), companies need a radical shift in their approach to data security if they are going to be more successful in defending the sensitive data they collect and store. With organizations extending their business to being cloud- and mobile-first, their attack surface and likelihood of accidental data exposure continue to grow. These trends all point to a consistent theme – security needs to be attached to the data itself and to the users accessing the data. Only then can companies maintain control of their data in the cloud, manage user access to cloud apps, and keep the data secure when it falls into the hands of adversaries. By implementing a three step approach – encrypting all sensitive data at rest and in motion, securely managing and storing all of your encryption keys, and managing and controlling user access – companies can effectively prepare for a breach. It's being done by many companies today and is also a requirement for transitioning from a strategy optimized for breach prevention to a "Secure the Breach" strategy.


Why Data Encryption and Tokenization Need to be on Your Company’s Agenda

As children we all enjoyed those puzzles where words had their letters scrambled and we had to figure out the secret to make the words or sentences legible. This simple example of a cipher is deployed in vastly more complex forms across many of the services we use every day, working to protect sensitive information. In recent years the financial services industry has added a complementary control called tokenization. Rather than encrypting the real value, tokenization replaces it with a surrogate value, or token (for payments often a single-use one), that is stored and transmitted across networks in its place, while the mapping back to the real value is kept in a separately protected token vault. The benefit is that if the communication or the token is intercepted, your real details are not compromised.

According to our Breach Level Index there were 1,765 breaches in 2017. And these breaches are getting faster and larger in scope, over two billion records were lost last year. The fallout for companies is significant so it is in their interests to do whatever they can to protect their customer’s data.

Of course, encryption is a very complicated field of research, and one shouldn’t expect board level executives to understand how the cryptographic algorithms work. But they must understand just how vitally important it is that data is secure, whether at rest or in motion.

Those working on encryption face a challenge to ensure that access to applications, databases and files is unimpeded by the need to encrypt and decrypt data. There is a performance issue here, and so companies need to evaluate and test while deciding what data should be encrypted, and when, how and where.

The worrying thing is that despite the clear need for such work, there is a distinct lack of cyber security professionals worldwide—and especially in encryption. Indeed, you’ll often see job postings for security positions where experience of encryption isn’t even mentioned.

As the statistics show, this is having a huge effect on companies. In 2017, less than 3% of data breaches involved encrypted data. If we accept that companies are going to get hacked it is imperative that any data that is stolen is rendered useless through encryption.

Encryption would have mitigated the damage to brand image, reputation, company financial losses, government fines and falls in stock prices as well as damage to their executives image and reputation. It is also a major disincentive to criminals as the effort needed to crack the algorithms makes it entirely unprofitable while there are so many other available targets.

So if the problem is so clear, and the solution so obvious, why are companies delaying investing in encrypting data?

Well, many executives I speak to daily in Latin America tell me that the security of their Big Data is handled by their cloud service provider. And if there was a leak, it would be the supplier’s responsibility.

This completely overlooks that customers, authorities, investors and the wider public do not care about this distinction. They will all associate any breach with the company, never a supplier of services. So, while ultimately liability may fall at the feet of the cloud service provider, the immediate and potentially catastrophic impact will be felt by the breached company.

It is therefore crucial that companies start taking serious responsibility for the data of their customers. Whether internal staff or cloud provider, conversations need to be had about how data is encrypted. This includes:

• Checking that the cryptographic algorithms used are standardised and approved by recognised bodies (such as NIST), and that the implementations are validated (for example under FIPS 140-2), rather than proprietary or home-grown
• Checking to ensure that your cryptographic keys are stored in an environment fully segregated from where you store your encrypted information (whether held by third parties or in your own systems, files, or databases).

PwC suggests that one of the biggest concerns CEOs fear is a cyber-attack. Given the severity of the threat, we must recognize that we are all responsible for promoting data security. And that means adopting best practices for data protection, deploying encryption, and optimizing management of cryptographic keys.


Breached Records More Than Doubled in H1 2018, Reveals Breach Level Index

Break Down of the 2018 Breach Level Index Stats:

• 18,525,816 records compromised every day
• 771,909 records compromised every hour
• 12,865 records compromised every minute
• 214 records compromised every second

Data breaches had a field day in 2018. According to the Breach Level Index, a database compiled by Gemalto to track publicly reported data breaches disclosed in news media reports, 2018 is one of the only years where more than two billion records were compromised in publicly disclosed data breaches. The only other year to do so was 2013 due to the exposure of all three billion Yahoo users' accounts.

Gemalto has analyzed the Breach Level Index during the first half of 2018 and the findings are truly staggering. In just six months, the system tracked more than 3.3 billion breached data files. This figure represents a 72 percent increase over the first half of 2017.

The Breach Level Index didn’t contain as many reported incidents in the first half of 2018 as it did over the same period last year with 944 reported security events during the reporting period compared to 1,162 breaches reported in the first half of 2017.

Break Down of the 2018 Breach Level Index Stats:

• Identity theft yet again the top data breach type: Identity theft was responsible for nearly four billion records compromised in the first half of the year, which represents growth of more than a thousand percent compared to the previous year. During the same time frame, the number of incidents involving identity theft decreased by a quarter.

• Malicious outsiders and accidental loss the most prevalent sources of data breach: Events involving malicious outsiders accounted for 56 percent of all data breaches, and accidental loss for 34 percent.

• Social media weathered the greatest number of compromised records: Facebook wasn’t the only social giant that suffered a data breach in the first half of 2018. Twitter also experienced a security incident where a software glitch potentially exposed the login credentials of its 330 million users. In total, data breaches compromised 2.5 billion records stored by social media giants.

• Incidents in healthcare and financial services declined: The number of compromised files and data breaches decreased for both healthcare and financial services. These declines at least in part reflected the introduction of new national regulations that help regulate health data and financial transactions.

• North America led the way in publicly disclosed data breaches: This region represented more than 97 percent of data records compromised in the first half of 2018. In total, there were 559 events in the region, a number which represented 59 percent of all data breaches globally in the first half of 2018.

New Data Privacy Regulations Take Effect:

In the wake of new data protection regulations, reporting of security incidents is on the rise. Following the passage of the Australian Privacy Amendment (Notifiable Data Breaches) Act, the Office of the Australian Information Commissioner (OAIC) received 305 data breach notifications by the end of the second quarter of 2018. This number is nearly triple the amount of the number submitted to the OAIC for the entire 2016-2017 fiscal year. Such growth in data breach reporting will likely continue through the rest of 2018 and beyond under GDPR and New York’s Cybersecurity Requirements for Financial Services Companies.


Cloud Security: How to Secure Your Sensitive Data in the Cloud

In today’s always-connected world, an increasing number of organisations are moving their data to the cloud for operational efficiency, cost management, agility, scalability, etc.

As more data is produced, processed, and stored in the cloud – a prime target for cybercriminals who are always lurking around to lay their hands on organisations’ sensitive data – protecting the sensitive data that resides on the cloud becomes imperative.

Data Encryption Is Not Enough

While data encryption definitely acts as a strong deterrent, merely encrypting the data is not enough in today's perilous times where cyber attacks are getting more sophisticated with every passing day. Since the data physically resides with the CSP, it is out of the direct control of the organisations that own the data.

In a scenario like this where organisations encrypt their cloud data, storing the encryption keys securely and separately from the encrypted data is of paramount importance.

Enter BYOK

To ensure optimal protection of their data in the cloud, an increasing number of organisations are adopting a Bring Your Own Key (BYOK) approach that enables them to securely create and manage their own encryption keys, separate from the CSP’s where their sensitive data is being hosted.

However, as more encryption keys are created for an increasing number of cloud environments like Microsoft Azure, Amazon Web Services (AWS), Salesforce, etc., efficiently managing the encryption keys of individual cloud applications and securing access to them becomes very important. This is why many organisations use External Key Management (EKM) solutions to manage all their encryption keys cohesively and securely, with no route for unauthorised access.

Take the example of Office 365, Microsoft’s on-demand cloud application that is widely used by organisations across the globe to support employee mobility by facilitating anytime, anywhere access to Microsoft’s email application – MS Outlook and business utility applications like MS Word, Excel, PowerPoint, etc.

Gemalto’s BYOK solutions (SafeNet ProtectApp and SafeNet KeySecure) for Office 365 not only ensure that organisations have complete control over their encrypted cloud data, but also seamlessly facilitate efficient management of the encryption keys of other cloud applications like Azure, AWS, Google Cloud and Salesforce.

Below is a quick snapshot of how SafeNet ProtectApp and SafeNet KeySecure seamlessly work with Azure BYOK:

1. SafeNet ProtectApp and KeySecure are used to generate an RSA key pair of the required key size using the FIPS 140-2 validated RNG of KeySecure.

2. A Self-SignedCertificateUtility.jar (which is a Java-based application) then interacts with KeySecure using a TLS-protected NAE service to fetch the Key Pair and create a Self-signed Certificate.

3. The Key Pair and Self-signed Certificate are stored securely in a PFX or P12 container that encrypts the contents using a Password-based Encryption (PBE) Key.

4. The PFX file (an encrypted container protected by a PBE key) is then uploaded to Azure Key Vault using the Azure REST API.

5. The transmission of the PFX file to the Azure Key Vault is protected using security mechanisms implemented by Azure on their Web API (TLS / SSL, etc.).

6. Since the PFX files will be located on the same system on which the SelfSignedCertificateUtility.jar utility will be executed, industry-best security practices like ensuring pre-boot approval, enabling two-factor authentication (2FA), etc. should be followed.

7. Once the keys are loaded into Azure Key Vault, all encryption operations happen on the Azure platform itself. From this point the private key's protection depends on Key Vault rather than on KeySecure, so the PFX file and its password should be deleted from the staging system as soon as the import has been verified.
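Steps 1 to 4 of the flow above, as an added example in Python (not the SelfSignedCertificateUtility.jar the post describes and not Microsoft's code) using the third-party `cryptography` package. It generates the RSA key pair and self-signed certificate, packs them into a password-protected PKCS#12 (PFX) container, checks that only the right password opens it, and builds the JSON body that Azure Key Vault's "Import Certificate" REST operation expects (base64-encoded PFX plus its password). Two departures from the post's flow are labelled in the code: the key pair is generated in software rather than inside KeySecure's FIPS-validated RNG, and no upload is performed, so the example has no network dependency.

```python
import base64
import datetime
import secrets

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12


def generate_key_and_cert(common_name="byok-kek", key_size=2048, days=365):
    """Steps 1-2: RSA key pair plus a self-signed certificate for it.
    Departure from the post: the key is generated by the software CSPRNG here,
    not inside KeySecure's FIPS 140-2 validated RNG."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)  # naive UTC
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)          # self-signed: subject == issuer
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=days))
            .sign(key, hashes.SHA256()))
    return key, cert


def random_password():
    """PFX password from a CSPRNG; this password is all that protects the private
    key between export and import, so it must never be a human-chosen one."""
    return secrets.token_urlsafe(32).encode("utf-8")


def build_pfx(key, cert, password):
    """Step 3: PKCS#12 (PFX/P12) container whose contents are encrypted under a
    key derived from the password (password-based encryption)."""
    return pkcs12.serialize_key_and_certificates(
        b"byok-kek", key, cert, None, serialization.BestAvailableEncryption(password))


def open_pfx(pfx, password):
    """True only if the password unlocks the container and it holds key + certificate."""
    try:
        key, cert, _chain = pkcs12.load_key_and_certificates(pfx, password)
    except ValueError:          # wrong password or corrupted container
        return False
    return key is not None and cert is not None


def import_request_body(pfx, password):
    """Step 4: body for Key Vault's Import Certificate operation,
    POST https://{vault}.vault.azure.net/certificates/{name}/import?api-version=7.4
    (not executed here). The PFX rides base64-encoded inside the TLS-protected
    request together with its password, which is why step 5 matters."""
    return {"value": base64.b64encode(pfx).decode("ascii"),
            "pwd": password.decode("utf-8")}
```

Because the PFX contains the private key, treat the file and its password as a single secret: keep the password out of shell history and logs, send the request body only over TLS, and delete both from the staging host once Key Vault confirms the import.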