‘Data breach notification’ enforcement is on the way...

June 2012 by Marc Jacob

The European Commission has taken further steps towards the regulation of personal data protection. The effort has been going on for many years but, last summer, the Commission put forward a data protection regulation that places the responsibility on any service, public or private, that carries personal data from A to B. In simple words, if data moves, it must be encrypted as a means of protection, and whoever carries this data is responsible for ensuring that protection. Before that, service providers were quick to put the responsibility on end-users to protect their own data. Furthermore, if there is a data breach, the "provider" (which could be a service provider, but also any private organisation that moves data across its own networks) has to notify a central body about the breach: this body is a national institution designated in each country, referred to as the Data Protection Authority. In early 2012, the regulation went further by stating that this notification must be made within 24 hours of the breach...!

Of course, it is now the duty of each country to enforce this law, and that will take some time, because service providers and large corporations will want to negotiate extra time to implement the necessary protection measures (potentially every network link must be protected by network encryption). Public surveys are also putting pressure on for better transparency (meaning public disclosure of breaches); see a June 2012 survey as an example => http://www.disuk.com/news/2012/06/consumers-frustrated-by-data-breach-notification-process/

In addition, the recent conference of all EU member states on Data Protection, in May 2012, strengthened the emphasis on "accountability" for whoever and whatever processes data.

So there is no doubt that this new regulation will reach public institutions (at least all public services, including healthcare) in the coming months. The law is there. The problem is that, with the current crisis and budget constraints, the prioritization of projects may get in the way. So it is not a matter of IF but only a matter of WHEN.

If you wish to follow the current state of data protection regulation in your own country, use http://ec.europa.eu/dataprotectionofficer/dpl_transposition_en.htm as an entry point.

In Luxembourg, the law is already enforceable, as stated in http://www.cnpd.public.lu/fr/declarer/notification_violation_securite/index.html

In the UK, the law has been under way for some time (see http://www.zdnet.co.uk/news/security-management/2010/04/27/data-breach-notification-law-coming-says-watchdog-40088780/). The bank HSBC knows this very well because, in 2009, it was fined 3 million pounds for failings in its security measures => http://www.fsa.gov.uk/pages/Library/Communication/PR/2009/099.shtml

In France, the current privacy law was amended by a decree of 24 August 2011, so implementation should now be starting => http://www.cnil.fr/en-savoir-plus/textes-fondateurs/loi78-17/ ; the issue was covered by the specialized press at the time => http://www.solucominsight.fr/2011/08/notification-des-atteintes-a-la-securite-des-donnees-etape-1-les-operateurs-telecoms/

SECURING THE CLOUD, INSIDE OUT...

According to recent Gartner research (report #G00227599, dated 9 March 2012), bankers have explained "why the cloud won't work for me"...!
The #1 issue expressed is that Financial Services Institutions (FSIs) have to deal today with regulatory constraints that are often "inconsistently regulated, audited and enforced". And the primary concern of these FSIs is about the data: where is it, and can they rely on its integrity? The FSIs reckon that data security and encryption is a HUGE challenge. As a consequence, FSIs are reluctant to deploy cloud services, as this step would only exacerbate the challenges of securing their data and its integrity.

Certes' vCEP solution takes Certes encryption directly inside the physical servers, inside their VMware stack, in order to protect the VMs (virtual machines). So, with vCEP, customers can encrypt from a VM to a remote (or central) site protected by a physical CEP encryptor. Or they can encrypt from VM to VM, inside the virtualized data center, or between virtualized data centers. With vCEP, which is a software virtualized version of the CEP code, customers can "embark" encryption attached to their VMs to protect them. Besides, if an IT device is capable of running a VMware stack, then there is a good chance that the customer can also load vCEP onto that device and obtain an embedded encryptor with it.

Why encrypt access to VM servers? Well, some customers (especially those hosting their applications at a Managed Service Provider or hosting company) may not be fully comfortable with the idea that hundreds of organisations, and potentially thousands of staff unknown to them, would be able to see their data in the clear as long as they have access inside the data center. Global Payments, a payment card processor, recently experienced a theft of data on some 1.5 million cards, due to "potential unauthorized access to servers containing personal information" => http://www.networkworld.com/news/2012/061312-global-payment-data-breach-260123.html?hpg1=bn

This vCEP solution has been endorsed by VMware, which recently listed it on its Solution Exchange web site => https://solutionexchange.vmware.com/store/products/7772 ; this VMware link can be useful when you talk to VMware customers or resellers.

According to Infonetics, and despite the many challenges that clouds surely raise, the forecast for Cloud and CPE Managed Security services is poised to hit $18 billion by 2016... Thanks to Certes' vCEP, which embeds AES-256 encryption alongside virtual machines (VMs), you won't miss this fast-moving train!

VOIP ENCRYPTION
In recent weeks, we have seen an increasing number of requests to encrypt VoIP traffic. Some organisations may have suddenly realised that encrypting data is not good enough if the phone conversations within the organisation can be intercepted! I guess that stories such as the one that hit the FBI and Scotland Yard recently (read it at http://www.foxnews.com/scitech/2012/02/03/hackers-claim-to-have-intercepted-call-between-fbi-scotland-yard/ ) are making the point.
Why is this good for the Certes solution? Because, unlike data traffic, which is often point-to-point (and hence can be adequately secured with conventional tunnel-based IPsec VPNs), voice generally requires a mesh topology, and often multicast as well. VPN tunnels are not well suited to this sort of traffic, because they were not designed (some 15 years ago) for it! Instead, Certes' tunnel-less group encryption offers the perfect fit.

“SELECTIVE ENCRYPTION” FOR DUMMIES

There are many ways to do network encryption and there are many encryptors available on the market today. As you know, Certes encryptors not only encrypt but also authenticate every frame (at all layers, including layer 2). But we have more differentiating features, and "selective encryption" is one of them. What is it about? Certes encryptors not only encrypt at wire speed and at any layer, but they are also capable of applying exception rules based on L2, L3 or even L4 header information. And this is done regardless of the layer at which encryption is applied (L2/L3/L4). And, because the Certes software is exactly the same on all encryptors, the features are identical at all speeds, from, say, 3 Mbps to 10 Gbps.
Let's explain why it is important. Network control protocols such as LACP and STP, or routing protocols like OSPF, RIP or BGP, are vital to network operation and present a serious obstacle if they are not handled correctly in an existing network design. So, if an L2 encryptor does not recognise that a frame carries such a protocol rather than data, it will encrypt it blindly. As a result, the network will also be blind, because it won't receive this vital information. The same problem is typical of public MPLS networks too, where L3 encryption (such as an IPsec VPN) hides the L3/L4 header information (addresses, ports, QoS markings) that the MPLS network generally needs, for NAT, QoS and so on, to forward traffic optimally.

So, for example, Certes encryptors can not only encrypt at L2 but, if needed (and per VLAN, for example), can bypass vital network control protocols based on any L2/L3/L4 header field, such as Ethertype, MAC address and/or IP protocol. This is very important for operating L2 encryption, with selectors, over public or private L2 networks such as Metro Ethernet (which is becoming popular because of its lower cost) or VPLS (the L2 VPN service over MPLS). To operate L2 encryption beyond simple point-to-point links (which make the two sides of the link behave as if they belong to the same LAN), selectors are truly important, and you can now understand why. And, as of today, there are no other L2 encryptors on the market that can truly recognise and select BGP, RIPv2 or OSPF frames in order to decide whether to encrypt them or not: they generally treat these frames as "L2 multicast" with no differentiation whatsoever. Certes encryptors can "see" them all, even down to TCP or UDP ports, and apply decisions based on selective encryption policies, all configurable through our simple TrustNet Manager (TNM) software.
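To make the idea of a selector concrete, here is an added illustration in Python of a first-match selective-encryption policy over parsed L2/L3/L4 header fields. It is not Certes code and does not describe how the CEP or TrustNet Manager implement their policies. The protocol identifiers it matches on (LACP Ethertype 0x8809, the STP bridge group address 01:80:c2:00:00:00 with LLC SAP 0x42, OSPF as IP protocol 89, RIP on UDP port 520, BGP on TCP port 179) are the standard assignments; the rule names are hypothetical and the sample frames are constructed inline (synthetic, with no checksums).

```python
"""Selective-encryption policy model: decide, per Ethernet frame, whether to
pass network control traffic in the clear ("bypass") or encrypt it, by matching
L2/L3/L4 header fields.  Added illustration only; not Certes code."""
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_LACP = 0x8809   # IEEE 802.3 "Slow Protocols" (LACP)
STP_MAC = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
LLC_SAP_STP = 0x42
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_OSPF = 6, 17, 89


def parse_frame(frame: bytes) -> dict:
    """Extract the header fields a selector can match on.  Fields of layers
    that are absent or truncated are simply left out of the dict."""
    f = {"dst": frame[0:6], "src": frame[6:12]}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    if ethertype == ETHERTYPE_VLAN:           # single 802.1Q tag
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        f["vlan"] = tci & 0x0FFF
        off += 4
    f["ethertype"] = ethertype
    if ethertype < 0x0600:                    # 802.3 length field: LLC header follows
        f["llc_dsap"] = frame[off]
        return f
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= off + 20:
        ihl = (frame[off] & 0x0F) * 4
        f["ip_proto"] = frame[off + 9]
        l4 = off + ihl
        if f["ip_proto"] in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= l4 + 4:
            f["sport"], f["dport"] = struct.unpack_from("!HH", frame, l4)
    return f


def _ports(f):
    return (f.get("sport"), f.get("dport"))


# First-match policy table: (hypothetical rule name, predicate, action).
POLICY = [
    ("lacp-bypass", lambda f: f["ethertype"] == ETHERTYPE_LACP, "bypass"),
    ("stp-bypass", lambda f: f["dst"] == STP_MAC and f.get("llc_dsap") == LLC_SAP_STP, "bypass"),
    ("ospf-bypass", lambda f: f.get("ip_proto") == IPPROTO_OSPF, "bypass"),
    ("rip-bypass", lambda f: f.get("ip_proto") == IPPROTO_UDP and 520 in _ports(f), "bypass"),
    ("bgp-bypass", lambda f: f.get("ip_proto") == IPPROTO_TCP and 179 in _ports(f), "bypass"),
    ("vlan100-encrypt", lambda f: f.get("vlan") == 100, "encrypt"),
]
DEFAULT_ACTION = "encrypt"   # fail closed: anything not explicitly bypassed is encrypted


def classify(frame: bytes) -> tuple:
    """Return (rule name, action) for a frame under the first-match policy."""
    fields = parse_frame(frame)
    for name, matches, action in POLICY:
        if matches(fields):
            return name, action
    return "default", DEFAULT_ACTION


# --- constructed sample frames (synthetic; checksums not computed) ----------
def eth(dst, src, ethertype, payload, vlan=None):
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return hdr + struct.pack("!H", ethertype) + payload


def ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


SAMPLES = {
    "lacp": eth(bytes.fromhex("0180c2000002"), bytes(6), ETHERTYPE_LACP, b"\x01\x01" + bytes(108)),
    "stp":  eth(STP_MAC, bytes(6), 38, b"\x42\x42\x03" + bytes(35)),   # 802.3 length 38, LLC SAP 0x42
    "ospf": eth(bytes.fromhex("01005e000005"), bytes(6), ETHERTYPE_IPV4, ipv4(IPPROTO_OSPF, bytes(24))),
    "rip":  eth(bytes.fromhex("01005e000009"), bytes(6), ETHERTYPE_IPV4,
                ipv4(IPPROTO_UDP, struct.pack("!HHHH", 520, 520, 32, 0) + bytes(24))),
    "bgp":  eth(bytes(6), bytes(6), ETHERTYPE_IPV4,
                ipv4(IPPROTO_TCP, struct.pack("!HH", 40001, 179) + bytes(16))),
    "user": eth(bytes(6), bytes(6), ETHERTYPE_IPV4,
                ipv4(IPPROTO_TCP, struct.pack("!HH", 50000, 443) + bytes(16)), vlan=100),
    "other": eth(bytes(6), bytes(6), ETHERTYPE_IPV4,
                 ipv4(IPPROTO_UDP, struct.pack("!HH", 5060, 5060) + bytes(16)), vlan=200),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(f"{label:6s} -> {classify(frame)}")
```

Two design points matter in practice. The policy is fail-closed: anything that does not match a bypass rule is encrypted, so a new protocol the operator forgot about is hidden rather than leaked. Conversely, every bypass rule is traffic the encryptor deliberately leaves in the clear and unauthenticated, so the bypassed routing and control protocols should carry their own authentication (for example OSPF and BGP neighbour authentication) and the bypass list should be kept as short as the network design allows.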

CERTES GAVE BIRTH TO “BABY” CEP

Last month, we announced the availability of a new encryptor in the low-end range: the CEP5. It is about half the size of a CEP10, and is ideally suited to remote offices, personal VIP encryption, ATM machines, and so on. For more information, please look at http://www.certesnetworks.com/products/cep5.html
This announcement was echoed in the specialized press, for example:
http://www.idevnews.com/stories/5246/Certes-Networks-Ships-Encryption-Appliance-for-Networks-Clouds

And, if you wish to get some of these new small devices (list priced below $1000 in the US), why not take advantage of the CEP5 promotion that runs until the end of June 2012? With this promotion, you sell the CEP5 at $600 to an end user (US price, with equivalent pricing in each local country and currency), and buy it from Certes, or your distributor, at this same promotion price minus your normal business discount.

CERTES IS “COOL”....

Certes Networks was named a "Cool Vendor" by Gartner in May 2012 => http://www.certesnetworks.com/news/2012_gartner.html
This is a great endorsement from the leading analyst firm, showing that our vCEP solution has struck the right chord!

TREND MICRO “LIKES” vCEP
The announcement of vCEP has also been "tweeted" by Trend Micro staff, and posted on their blog at http://cloudsecurity.trendmicro.com/data-in-motion-the-other-side-of-the-cloud-encryption-coin/
Hey, Twitter is not just good for politicians' girlfriends... :-)
By the way, you can also find Certes Networks on Facebook... => http://www.facebook.com/#!/pages/Certes-Networks/114423158592841 (and don't forget to click "Like" before leaving the page)

JIM DOHERTY ON THE INTERNET

Jim Doherty, our Chief Marketing Officer, was interviewed by TMC during a Cloud Computing event in the US. The interview has been posted on the Internet at http://www.tmcnet.com/tmc/videos/videoiframe.aspx?vid=6561&width=450&height=270

CERTES NETWORKS ON YOUTUBE

If you like the video format, why not look at Certes on YouTube? There you will find several videos posted by the company and by international resellers too => http://www.youtube.com/ then search for "Certes Networks"

That’s all for now... until next news.

