Posts Tagged ‘encryption’

Zserver Protects Data in the Cloud

Friday, June 18th, 2010

A ComputerWorld article titled Cloud Security in the Real World: 4 Examples cites Zecurion’s Zserver as a cloud-based storage encryption solution.

Examining the issue of data encryption in the cloud, the article states “Several providers of cloud-based backup storage install appliances at the customer site to accommodate encryption, but Flushing was not interested in that setup.”

It also explains “At Flushing Bank in New York, CIO Allen Brewer turned to the cloud for data backup after getting fed up with on-site tape backup. Using Zserver from Zecurion, Flushing is now sending files over the Internet to be stored for backup.”

Read the white paper Protecting Data in the Cloud to learn more about encrypting and protecting data in the cloud with Zecurion’s Zserver.

Penn State Server Compromised by Botnet

Wednesday, June 9th, 2010

Penn State University has sent out data breach notification letters to nearly 16,000 individuals to let them know that a computer in its Outreach Market Research and Data office was found to be actively communicating with a malicious botnet and that personal information including Social Security numbers may have been compromised.

Penn State has not used SSNs as a student identifier for 5 years; however, an archived copy of a legacy database apparently still existed on the compromised server.

A Penn State spokesperson explained that “We have, of course, standard defenses: site-licensed antivirus, unit firewalls, patching, vulnerability scanning, web application scanning, intrusion detection and blocking of confirmed hostile sites or frequently probed ports. When a machine is compromised, it must be re-installed from known ‘good’ media before it’s allowed back on the network, since it’s not possible to truly clean a machine that’s been fully compromised.”

All of those are excellent security controls and fit nicely with established security best practices. However, the data itself should be encrypted so that if and when an attacker figures out how to circumvent those defenses the data itself will still be impervious to unauthorized access.

How Many Stolen Laptops Does It Take?

Thursday, May 27th, 2010

You may or may not realize this, but one of the primary advantages of notebook and netbook computers is their portability. Being able to compute from hotel lobbies, corner coffee shops, and the random McDonald’s certainly has its advantages, but I’ll let you in on a little secret–thieves like the small size, light weight, and portability of laptops too.

Just in the past couple of weeks there have been two incidents of laptops from medical centers being lost or stolen. One from the Oconee Physician Practices contained name, date of birth, gender, height and weight, blood pressure and some other medical data connected with the EKG from more than 600 patients. Another laptop from Loma Linda University Medical Center had patients’ names, medical record numbers, diagnoses, surgery dates, and the type of procedure for more than 500 patients.

How many laptops have to be lost or stolen before IT administrators and executive management realize that data has to be proactively encrypted and protected? The investment in the right tools to do the job–like Zecurion Zserver Suite–is significantly less than the cost–financially and to the company’s reputation–from being responsible for compromising the sensitive and confidential data of customers or employees.

Zecurion Announces Zserver Suite 6.0

Wednesday, March 31st, 2010

Zecurion this week launched Zserver Suite 6.0–the latest version of its leading data encryption software. The new Zserver Suite has a number of updates, including new reporting capabilities, but the two biggest changes introduced in the new Zserver are EKMS and cloud data encryption.

EKMS–or Enterprise Key Management Server–automates and simplifies the arduous task of key management for encrypted data. Alexey Raevsky, CEO of Zecurion and developer of Zecurion’s patented AME (adaptive multithreaded encryption) technology, describes EKMS like this. “Keys stored by EKMS can be automatically uploaded to Zserver-protected servers, and when required, a Zserver-managed server can be configured to automatically open encrypted disks after the requested keys are obtained from EKMS.”

The second major change relates to encrypting data in the cloud. Many organizations are exploring how to take advantage of the operational and financial benefits of storing data in the cloud; however, that data still needs to be protected. Using Zserver Suite 6.0, Zecurion customers can automatically encrypt entire dedicated servers in the cloud, or encrypt data on a file-by-file basis prior to transferring it to the cloud.
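The file-by-file pattern described above, shown as an added example that is not Zecurion’s code and does not use the Zserver API: each file is sealed on the client with an authenticated cipher (AES-256-GCM) before it leaves the site, and the key is looked up by id from a key manager. The `keyFromKMS` function, the key id `backup-key-2010` and the key bytes are constructed stand-ins for a real key server such as EKMS; the file name is bound as associated data so a ciphertext copied to a different name fails to decrypt, and the nonce is stored in front of the ciphertext so the provider holds nothing that helps it read the file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// demoKeys is a constructed stand-in for the key store; a real deployment
// would fetch keys from a key-management server over an authenticated channel.
var demoKeys = map[string][]byte{
	"backup-key-2010": []byte("0123456789abcdef0123456789abcdef"), // 32 bytes = AES-256
}

// keyFromKMS (hypothetical) returns the key registered under keyID.
func keyFromKMS(keyID string) ([]byte, error) {
	key, ok := demoKeys[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", keyID)
	}
	return key, nil
}

// newAEAD builds an AES-GCM instance for the key held under keyID.
func newAEAD(keyID string) (cipher.AEAD, error) {
	key, err := keyFromKMS(keyID)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile seals plaintext before upload. Output layout: nonce || ciphertext+tag.
// fileName is authenticated (not encrypted) so a renamed blob is rejected on open.
func EncryptFile(keyID, fileName string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(fileName)), nil
}

// DecryptFile reverses EncryptFile; any tampering or wrong fileName returns an error.
func DecryptFile(keyID, fileName string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(keyID)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(fileName))
}

func main() {
	// Constructed sample content standing in for a backup file.
	plain := []byte("constructed sample: employee roster with SSNs")
	blob, err := EncryptFile("backup-key-2010", "payroll.bak", plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploadable blob: %d bytes (nonce + ciphertext + tag)\n", len(blob))
	back, err := DecryptFile("backup-key-2010", "payroll.bak", blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored: %s\n", back)
}
```

Only the blob is sent to the provider; the key never leaves the key manager and the client, which is what makes a breach of the storage provider a server breach rather than a data breach.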

Check out the press release for more details about Zserver Suite 6.0, and feel free to contact Zecurion if you have any questions or need any more information.

Protecting Data in the Cloud

Monday, March 1st, 2010

Everything seems to be about the “cloud” these days. The term “cloud” is really nothing more than a word for describing the Internet. Rather than building a data center and hosting servers internally, server capacity and data storage space can be bought or leased from third-party data centers on the Internet–or “in the cloud”.

Cloud computing provides an array of benefits for companies of all sizes, but it also introduces some new and unique challenges when it comes to data protection. Trusting your data to be stored in the cloud requires extra diligence to ensure it is protected and that any applicable compliance requirements are met.

Protecting Data in the Cloud discusses the benefits of data storage in the cloud, as well as some of the caveats and concerns to be aware of. It also talks about the need to protect your data in the cloud and some solutions to help you.

State Laws Encourage Backup Encryption

Sunday, January 24th, 2010

I heard a rumor recently that Iron Mountain, a leading provider of offsite storage for backup data, was implementing a new policy that all customer data must be encrypted.

It makes sense. Unencrypted backup media seems to be an increasingly common source of data breaches. Chase Bank lost data on an unencrypted backup tape. Information Vaulting Services lost a backup tape from the state of Arkansas containing unencrypted personal information on over 800,000 individuals. A third-party storage vendor lost an unencrypted backup tape from Bank of New York Mellon with sensitive information from 4.5 million customers. The list goes on, and on, and on…and on.

While the organization entrusted with the data–Chase Bank, the state of Arkansas, or Bank of New York Mellon in the cases cited above–ultimately must pay the price for the data breach, both in terms of the broken trust with customers and damaged reputation, as well as any fines, penalties, and the cost of notifying and protecting customers, the fact is that these losses also reflect poorly on the third-party organizations responsible for securely storing the backup media.

Organizations like Iron Mountain that provide offsite storage have no way of knowing what data is contained on the media they store for their customers, nor whether or not that data is encrypted or protected in any way. A tape is a tape is a tape, and they are all handled and treated the same. Granted, a company that exists to provide secure offsite storage for backup data should not lose its customers’ backup media, but it shouldn’t bear any additional responsibility for personal or sensitive information being compromised as a result.

It turns out that the rumor I heard was incorrect. I spoke with Iron Mountain and I was told that it does not require customers to encrypt backup data–although it does believe it’s a good idea and highly recommends that customers consider doing so.

Apparently, the rumor stems, at least in part, from laws enacted in Nevada and Massachusetts. Those state laws require that personal information that could lead to identity theft be protected–even on backup media. Iron Mountain may not require it, but Nevada and Massachusetts do require that organizations in those states, or that conduct business in those states or retain personal information about citizens of those states, encrypt information on backup media.

Suffice it to say, it’s just a good idea. Data at rest should be encrypted whether it is stored on servers on your internal network, or on backup media stored offsite with a third party.

A Safe Isn’t Safe When it Comes to Protecting Data

Tuesday, January 19th, 2010

It sounds like a good idea to provide some extra security for your backup data by storing the media in a locked safe. It is certainly better than storing the media in an unlocked drawer or on a shelf somewhere. But, if a thief simply takes the whole safe, as happened to Goodwill of Greater Grand Rapids in Michigan, the data is not really protected any more.

While it seems fair to assume that the thief expected to find money inside, the safe actually contained names, addresses, dates of birth, and Social Security numbers from thousands of Goodwill workers. Since the thief took the whole safe, it also seems fair to assume he or she had a plan for how to open it and extract its contents.

After that, it gets a little more difficult to speculate. According to Jill Wallace, VP of Community Relations for Goodwill, the official stance seems to be based on an assumption that the thief is simply too dumb to know what a backup tape is or how to find out what is stored on it. “Basically it would be impossible for an individual to even know what to do with that data or even how to open it up.”

I’ve worked with backup tapes. While they may not be your standard audio cassette tapes, it is obvious that they are tapes. Contrary to Wallace’s sentiment that the data must be safe because the thief would be too clueless to use it, I think it’s reasonable to believe that the thief *would* know that it’s a data tape, and–especially after the disappointment of realizing there is no money in the safe–the thief would do everything possible to determine what *is* on the tapes and try to make lemonade from lemons by capitalizing on the data they contain.

According to the article from the Grand Rapids News Channel 3 Web site, “Goodwill of Greater Grand Rapids thought that personal data would be more secure if those tapes were not in a corporate office, but inside one of its stores. The organization has decided not to do that anymore.”

I think Goodwill missed the point and learned the wrong lesson. The location of the safe is not the problem–thieves are just as likely to break into the Goodwill corporate office and take the safe. The issue is that the data stored on the backup tapes–or any other media you might store your backup data on–should be encrypted so that the data is protected even if the storage container is breached.

Protecting Your Fourth Amendment Rights in the Cloud

Monday, January 18th, 2010

It should not come as a surprise to learn that technology and digital data are evolving faster than the law can adapt. From copyright to privacy law, issues arise on a regular basis where existing laws and legal precedence simply don’t make sense in the context of electronic media and Internet communications.

The Fourth Amendment of the Constitution of the United States protects citizens against unreasonable search and seizure of property. Storing data in the cloud creates some gray area when applying those Fourth Amendment rights, though. If a law enforcement agency has a probable justification to investigate the cloud storage provider and seize the servers they own, how does that impact your Fourth Amendment right not to have *your* data on those servers seized?

A recent article on CNet explores the question of whether or not your Fourth Amendment rights are protected in the cloud. The article focuses on discussing a paper featured in the June 2009 edition of the Minnesota Law Review titled “Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing.” In the paper, University of Minnesota Law School student David A. Couillard provides a detailed and insightful analysis of the issues faced when applying the Fourth Amendment on the Internet.

In the paper, Couillard notes:

Hypothetically, if a briefcase is locked with a combination lock, the government could attempt to guess the combination until the briefcase unlocked; but because the briefcase is opaque, there is still a reasonable expectation of privacy in the unlocked container. In the context of virtual containers in the cloud…encryption is not simply a virtual lock and key; it is virtual opacity.

Basically, the fact that your data is stored in an encrypted state–even when stored on servers belonging to a third-party–implies an expectation of privacy.

Ultimately, Couillard suggests a legal framework that applies Fourth Amendment rights by treating data stored with third-party providers the same as personal possessions kept in a storage unit, or valuables stored in a bank safe deposit box:

[T]he service provider has a copy of the keys to a user’s cloud “storage unit,” much like a landlord or storage locker owner has keys to a tenant’s space, a bank has the keys to a safe deposit box, and a postal carrier has the keys to a mailbox. Yet that does not give law enforcement the authority to use those third parties as a means to enter a private space.

The same rationale should apply to the cloud. In some circumstances, such as search engine queries, the third party is clearly an interested party to the communication. But when content data, passwords, or URLs are maintained by a service provider in a relationship more akin to that of landlord-tenant, such as private Google accounts, any such data that the provider is not directly interested in should not be understood to be open to search via consent or a waiver of Fourth Amendment protection.

This paper is simply a proposal from a law student, and doesn’t represent any existing legal framework or precedent. However, the arguments seem sound. In the absence of an established legal precedent that makes sense, ensuring your data is stored in an encrypted state can serve as a reasonable expectation of privacy and help to ensure your Fourth Amendment rights even in the cloud.

A Server Breach Does Not Have to be a Data Breach

Monday, January 11th, 2010

Stop and think about your bank for a minute. Do they pile the money up in the middle of the lobby? Why not?–There are locks on the doors.

No. The bank does have locks on the doors…and an alarm system…and armed security guards…and video surveillance…and yet, they still keep the money locked in a vault–just.in.case. Even if intruders manage to break through or bypass all of the other security measures, the money will still not be compromised because it is in a locked vault.

Organizations need to treat sensitive data the same way banks treat money. The security controls in place–firewalls, intrusion detection, antimalware, etc.–are great, and necessary, but sensitive information like Social Security numbers, account numbers, etc. needs to be encrypted for that extra measure of protection to ensure it cannot be breached even if malicious intruders manage to circumvent the other security controls.

The school district in Eugene, OR had security in place on its server, but attackers were able to bypass it. That server contained information on 13,000 current and former employees including names, addresses, dates of birth, Social Security numbers, tax identification numbers and direct-deposit bank account information. If the school district had encrypted the data on the server using a tool like Zecurion ZServer Storage, the sensitive information could have been protected even though attackers breached the server.

So Much Data, So Easy to Lose

Wednesday, December 30th, 2009

USB thumb drives are very convenient. It was only about ten years ago that 3.5″ floppy disks that could only hold 1.44 megabytes of data were the norm. It was revolutionary when Iomega introduced the Zip disk that could hold 100 megabytes in the same amount of space. A lot changes in a decade.

Now there are flash drives the size of your thumb that can hold 128 gigabytes of information. That is the equivalent of more than 90,000 3.5″ floppy disks and it fits nicely in your pocket, or attached to a key chain. The same features that make them useful and convenient, though, also make them easy to lose or steal and make them a significant risk to data security.

In Canada recently a USB thumb drive containing personal information such as name, address, phone number, date of birth, health card number, doctor’s name and other health information for over 83,000 patients was lost. Companies and organizations need to realize the risk posed by storing gigabytes of sensitive, unencrypted data on a device the size of your thumb.

Policies should be defined and enforced to provide guidance regarding what data is allowed to be stored on portable media like USB thumb drives. Zecurion’s Zlock can provide the tools necessary to enforce that policy–providing controls to restrict access to external devices, including printers. For data that is allowed to be stored on USB flash drives, Zlock can create a shadow copy providing an audit trail detailing the data that was transferred.

Additionally, organizations should use secure USB flash drives like Ironkey or SafeStick, and/or protect the data using tools like Microsoft’s BitLocker-to-Go encryption to ensure that any data contained on the drive is protected even if the device is lost or stolen.