Posts Tagged ‘data protection’

Zlock Rewrites the Rules

Monday, May 10th, 2010

ChannelWeb’s Edward Moltzen took a detailed look at Zecurion’s Zlock and praised the product in his article titled Zecurion’s Zlock Rewrites the Rules.

Moltzen begins by explaining the issue faced by organizations: “Even well-meaning and well-trained employees can put data at risk on a network, and even heightened network firewalls can’t keep all data from walking out the door. Having data on a network means it could become available for download onto DVDs, floppy drives or thumb drives. Sensitive data could even be errantly left on a printer’s hard drive or cache–allowing anyone with the know-how to steal it.”

The conclusion Moltzen arrives at after seeing Zlock in action: “That’s why we think the approach taken by emerging security vendor Zecurion makes so much sense. Zecurion’s Zlock application provides a straightforward approach to securing and managing a network’s potential open doors and breaches, and it’s an approach that it makes too much sense to ignore.”

Moltzen adds: “We think Zecurion could be on the way to becoming one of the stronger players in the data security space, and the company is a strong alternative for VARs to consider when looking at solutions for small or midsize businesses or workgroups.”

Read the complete article for more from ChannelWeb. To learn more about Zlock, click here.

Stolen Hard Drive Puts Data from 5,418 Patients at Risk

Friday, April 30th, 2010

On April 1st a hard drive was stolen from the mammography suite of The Medical Center at Bowling Green. The missing drive contained information on 5,418 patients who had undergone bone density testing between 1997 and 2009–including names, addresses, birth dates, physician names, medical records, and possibly Social Security numbers.

Of course the data was not encrypted or protected on the drive itself, placing it at risk of exposure to anyone who happens to examine the contents of the drive. The medical center managed the investigation internally for 17 days before notifying authorities and turning the case over as a criminal incident. At that point, it also began to notify the affected patients.

Looking at the positive side of the incident: “Since the theft occurred, hospital officials have taken steps to strengthen the security of patient information and that includes linking to a secure network eliminating the need for computer hard drives, such as the one that was stolen.”

Yet again, a case of reacting after the fact. Installing a sprinkler system AFTER the building burns down offers little consolation for the lost building–yet so many companies and IT administrators seem to be willing to gamble with the personal information they are entrusted with–and frequently lose.

A small investment in proactively encrypting data to prevent unauthorized access would have protected the data and saved the Medical Center from the bad publicity and damaged reputation. “Fixing” the problem after the fact is almost always a more costly proposition than doing right in the first place.

Zecurion Announces Zserver Suite 6.0

Wednesday, March 31st, 2010

Zecurion this week launched Zserver Suite 6.0–the latest version of its leading data encryption software. The new Zserver Suite has a number of updates, including new reporting capabilities, but the two biggest changes introduced in the new Zserver are EKMS and cloud data encryption.

EKMS–or Enterprise Key Management Server–automates and simplifies the arduous task of key management for encrypted data. Alexey Raevsky, CEO of Zecurion and developer of Zecurion’s patented AME (adaptive multithreaded encryption) technology, describes EKMS like this: “Keys stored by EKMS can be automatically uploaded to Zserver-protected servers, and when required, a Zserver-managed server can be configured to automatically open encrypted disks after the requested keys are obtained from EKMS.”

The second major change relates to encrypting data in the cloud. Many organizations are exploring how to take advantage of the operational and financial benefits of storing data in the cloud; however, that data still needs to be protected. Using Zserver Suite 6.0, Zecurion customers can automatically encrypt entire dedicated servers in the cloud, or encrypt data on a file-by-file basis prior to transferring it to the cloud.

Check out the press release for more details about Zserver Suite 6.0, and feel free to contact Zecurion if you have any questions or need any more information.

Protecting Sensitive Information from Inside Threats

Tuesday, March 16th, 2010

I had the privilege of joining host Tom D’Auria for the weekly IMI-TechTalk radio show once again this week. The show airs weekly on KFNX AM 1100 out of Phoenix, AZ at 3pm local time. Because Arizona doesn’t play Daylight Savings with the rest of the country, though, that means that half the year it’s on Mountain time and the other half it’s on Pacific time–so for now the show airs at 6pm Eastern / 5pm Central. If you are not in the Phoenix listening area, you can also listen to the show streamed live via the Web.

The topic of discussion this week was Protecting Sensitive Information from Inside Threats. Tom and I talked about the prevailing perception that information security is an ‘us vs. them’ or ‘inside vs. outside’ battle, while the reality is that internal employees pose a much larger threat than malware or malicious attacks from outside. The default security model relies on simple file and folder permissions to determine access rights for sensitive information, but offers no safeguards or protections regarding what the authorized user does with the data once it’s accessed.

Click here to listen to the recorded MP3 of the show: Protecting Sensitive Information from Inside Threats.

A Look Back at the 2010 RSA Security Conference

Thursday, March 11th, 2010

The 2010 RSA Security Conference was a great opportunity for us to meet potential new customers and partners and share Zecurion products and Zecurion’s vision for protecting data with information security professionals from around the world.

At times it was a little frustrating to be solicited by so many other vendors–selling employee recruiting services, public relations services, or working to get us to commit to attend other events and trade shows. Vendors of other events and trade shows in particular should be sensitive to the fact that we paid a fair amount of money to represent Zecurion with a booth at the RSA Security Conference, and that we did that so we could market Zecurion to decision makers, potential customers, and information security professionals in general–not to make it easier for solicitors to find us and steal our time.

Thankfully, those encounters were not the majority. We enjoyed meeting with and interacting with all of you who stopped by our booth. We appreciated the opportunity to share what Zecurion does, and we look forward to working with many of the people we met in San Francisco.

Throughout the week, I wandered the exhibition floor checking out the hundreds of booths. It occurred to me that there are really only a handful of security problems for organizations to deal with–maybe ten. Yet, there were probably a thousand companies represented at the RSA Security Conference, all pitching their own unique approach or potential solution to one of those ten issues. Some of the products and services are innovative and have tremendous potential, while many of them will fail to truly meet the needs they’re intended for, or live up to the hype in the marketing brochures.

We appreciate that you, too, may have had a similar thought as you perused the rows and rows of exhibitor booths. We appreciate that the RSA Security Conference is a vast treasure of information about products and services, but that it can also be overwhelming and that it may be hard for you to separate the hype from the real solutions and make intelligent choices for securing and protecting data.

We hope you had a chance to stop by the Zecurion booth and give us a chance to answer your questions about protecting your data and securing your organization against insider threats. If you did not stop by to see us, or if you were not even at the RSA Security Conference, or even if you did stop and visit us but you still have questions, please feel free to contact us for more information. We are passionate about helping our customers solve data security challenges and we look forward to working with you.

2010 RSA Security Conference

Monday, March 1st, 2010

The RSA Security Conference is considered by many to be the one, premier, must-attend information security event of the year. Over the next few days hundreds of security vendors and thousands of information security professionals will descend on San Francisco’s Moscone Convention Center for a total immersion in all things information security.

Many security vendors choose to take advantage of the RSA Security Conference as a platform for major new announcements and product launches. There are hours upon hours of seminars, keynote speeches, training sessions, and other opportunities to gather information. There are also virtually endless opportunities for information security professionals to share ideas and opinions with one another and network with other information security professionals from around the world.

Zecurion is one of the vendors supporting the 2010 RSA Security Conference. Stop by Booth #2651 in the vendor exhibition hall Tuesday, March 2 through Thursday, March 4 to meet the Zecurion team, and learn more about how Zecurion can help protect your data and guard against insider threats.

We look forward to seeing you there.

Protecting Data in the Cloud

Monday, March 1st, 2010

Everything seems to be about the “cloud” these days. The term “cloud” is really nothing more than a word for describing the Internet. Rather than building a data center and hosting servers internally, server capacity and data storage space can be bought or leased from third-party data centers on the Internet–or “in the cloud”.

Cloud computing provides an array of benefits for companies of all sizes, but it also introduces some new and unique challenges when it comes to data protection. Trusting your data to be stored in the cloud requires extra diligence to ensure it is protected and that any applicable compliance requirements are met.

Protecting Data in the Cloud discusses the benefits of data storage in the cloud, as well as some of the caveats and concerns to be aware of. It also talks about the need to protect your data in the cloud and some solutions to help you.

A Safe Isn’t Safe When it Comes to Protecting Data

Tuesday, January 19th, 2010

It sounds like a good idea to provide some extra security for your backup data by storing the media in a locked safe. It is certainly better than storing the media in an unlocked drawer or on a shelf somewhere. But, if a thief simply takes the whole safe, as happened to Goodwill of Greater Grand Rapids in Michigan, the data is not really protected any more.

While it seems fair to assume that the thief expected to find money inside, the safe actually contained names, addresses, dates of birth, and Social Security numbers from thousands of Goodwill workers. Since the thief took the whole safe, it also seems fair to assume he or she had a plan for how to open it and extract its contents.

After that, it gets a little more difficult to speculate. According to Jill Wallace, VP of Community Relations for Goodwill, the official stance seems to be based on an assumption that the thief is simply too dumb to know what a backup tape is or how to find out what is stored on it. “Basically it would be impossible for an individual to even know what to do with that data or even how to open it up.”

I’ve worked with backup tapes. While they may not be your standard audio cassette tape, it is obvious that it is a tape. Contrary to Wallace’s sentiment that the data must be safe because the thief would be too clueless to use it, I think it’s reasonable to believe that the thief *would* know that it’s a data tape, and–especially after the disappointment of realizing there is no money in the safe–the thief would do everything possible to determine what *is* on the tapes and try to make lemonade from lemons by capitalizing on the data they contain.

According to the article from the Grand Rapids News Channel 3 Web site, “Goodwill of Greater Grand Rapids thought that personal data would be more secure if those tapes were not in a corporate office, but inside one of its stores. The organization has decided not to do that anymore.”

I think Goodwill missed the point and learned the wrong lesson. The location of the safe is not the problem–thieves are just as likely to break into the Goodwill corporate office and take the safe. The issue is that the data stored on the backup tapes–or any other media you might store your backup data on–should be encrypted so that the data is protected even if the storage container is breached.

Protecting Your Fourth Amendment Rights in the Cloud

Monday, January 18th, 2010

It should not come as a surprise to learn that technology and digital data are evolving faster than the law can adapt. From copyright to privacy law, issues arise on a regular basis where existing laws and legal precedent simply don’t make sense in the context of electronic media and Internet communications.

The Fourth Amendment of the Constitution of the United States protects citizens against unreasonable search and seizure of property. Storing data in the cloud creates some gray area when applying those Fourth Amendment rights, though. If a law enforcement agency has a probable justification to investigate the cloud storage provider and seize the servers they own, how does that impact your Fourth Amendment rights not to have *your* data on those servers seized?

A recent article on CNet explores the question of whether or not your Fourth Amendment rights are protected in the cloud. The article focuses on discussing a paper featured in the June 2009 edition of the Minnesota Law Review titled “Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing.” In the paper, University of Minnesota Law School student David A. Couillard provides a detailed and insightful analysis of the issues faced when applying the Fourth Amendment on the Internet.

In the paper, Couillard notes:

Hypothetically, if a briefcase is locked with a combination lock, the government could attempt to guess the combination until the briefcase unlocked; but because the briefcase is opaque, there is still a reasonable expectation of privacy in the unlocked container. In the context of virtual containers in the cloud…encryption is not simply a virtual lock and key; it is virtual opacity.

Basically, the fact that your data is stored in an encrypted state–even when stored on servers belonging to a third-party–implies an expectation of privacy.

Ultimately, Couillard suggests a legal framework that applies Fourth Amendment rights by treating data stored with third-party providers the same as personal possessions kept in a storage unit, or valuables stored in a bank safe deposit box:

[T]he service provider has a copy of the keys to a user’s cloud “storage unit,” much like a landlord or storage locker owner has keys to a tenant’s space, a bank has the keys to a safe deposit box, and a postal carrier has the keys to a mailbox. Yet that does not give law enforcement the authority to use those third parties as a means to enter a private space.

The same rationale should apply to the cloud. In some circumstances, such as search engine queries, the third party is clearly an interested party to the communication. But when content data, passwords, or URLs are maintained by a service provider in a relationship more akin to that of landlord-tenant, such as private Google accounts, any such data that the provider is not directly interested in should not be understood to be open to search via consent or a waiver of Fourth Amendment protection.

This paper is simply a proposal from a law student, and doesn’t represent any existing legal framework or precedent. However, the arguments seem sound. In the absence of an established legal precedent that makes sense, ensuring your data is stored in an encrypted state can serve as a reasonable expectation of privacy and help to ensure your Fourth Amendment rights even in the cloud.

A Server Breach Does Not Have to be a Data Breach

Monday, January 11th, 2010

Stop and think about your bank for a minute. Do they pile the money up in the middle of the lobby? Why not?–There are locks on the doors.

No. The bank does have locks on the doors…and an alarm system…and armed security guards…and video surveillance…and yet, they still keep the money locked in a vault–just.in.case. Even if intruders manage to break through or bypass all of the other security measures, the money will still not be compromised because it is in a locked vault.

Organizations need to treat sensitive data the same way banks treat money. The security controls in place–firewalls, intrusion detection, antimalware, etc.–are great, and necessary, but sensitive information like Social Security numbers, account numbers, etc. needs to be encrypted for that extra measure of protection to ensure it cannot be breached even if malicious intruders manage to circumvent the other security controls.

The school district in Eugene, OR had security in place on its server, but attackers were able to bypass it. That server contained information on 13,000 current and former employees including names, addresses, dates of birth, Social Security numbers, tax identification numbers and direct-deposit bank account information. If the school district had encrypted the data on the server using a tool like Zecurion ZServer Storage, the sensitive information could have been protected even though attackers breached the server.