Category Archives: Encryption
Facebook Messenger Will Now Have End-To-End Encryption By Default – Lowyat.NET
Meta has just announced their biggest set of improvements to Messenger since it was first launched in 2011. Firstly, both Messenger and Facebook will now have end-to-end encryption (E2EE) by default for private chats and calls, which means no third party can pry into your private communication, not even Meta itself. The importance of end-to-end encryption cannot be overstated, especially after the Sunbird-powered Nothing Chats botched their encryption.
Once updated to the latest version, users on Messenger will be asked to set up a PIN in case they need to recover messages on a new device later. The global rollout will take months to complete as the app has over a billion users, but Meta has yet to announce when the update will begin and how long it will take for it to be fully operational.
According to Meta, E2EE has been in the app since 2016, but only as part of the Secret Conversations function. Company CEO Mark Zuckerberg noted the platform has been working on making this feature a regular function since 2019. Furthermore, as it moves forward with updating security, Meta said it also plans to rebuild Messenger features from the ground up.
In addition to a set of privacy and safety features, Messenger will also improve the image quality of photos and videos, as Meta is currently testing HD media sharing with a small test group before releasing it in the coming months. Additionally, the app will also be receiving other tools that are seemingly inspired by WhatsApp, namely the ability to edit already sent messages (for up to 15 minutes after sending), voice message playback outside the chat or app, read receipts control, and disappearing messages after 24 hours, something made available to all chats as end-to-end encryption has become the default.
(Source: Meta, Engadget)
Data breaches expose 2.6 billion personal records and highlights the need for end-to-end encryption – Tech Guide
More than 2.6 billion personal records have been compromised in data breaches in the last two years, and it's only getting worse, but it does emphasise the need for end-to-end encryption in the cloud.
Apple published an independent study by Massachusetts Institute of Technology (MIT) professor Stuart Madnick which showed data breaches have tripled in the last 10 years.
In the last two years alone, more than 2.6 billion personal records have been exposed.
The way companies are addressing these threats is by employing end-to-end encryption.
More than 80 per cent of breaches in 2023 involved data stored in the cloud with attacks targeting cloud infrastructure doubling from 2021 to 2022.
Last year Apple launched Advanced Data Protection for iCloud, which uses end-to-end encryption and offers Apple's highest level of cloud data security with the ability to further protect your important data even in the case of a data breach.
iCloud can provide protection for 14 sensitive data categories using end-to-end encryption for things like passwords in iCloud Keychain, health data and even protecting your notes and photos.
"Bad actors continue to pour enormous amounts of time and resources into finding more creative and effective ways to steal consumer data, and we won't rest in our efforts to stop them," said Craig Federighi, Apple's senior vice president of Software Engineering.
"As threats to consumer data grow, we'll keep finding ways to fight back on behalf of our users by adding even more powerful protections."
The report shows a dramatic rise in data breaches since companies started digitising users' personal information and hackers are using more sophisticated methods to get around security that previously held them back.
Cyber criminals steal credentials or information that allows them to target employees or systems within the organisation.
And even when customers do the right thing to secure their sensitive data, the risk is still there from hackers if their information is stored in a readable form by the organisation they trusted with that information.
Recent examples of global data breaches included 23andMe, a genetic testing company, which potentially exposed 300TB of user data in October 2023.
Global clothing brand Forever 21 was hacked in early 2023 and exposed personal and health insurance information of more than half a million current and former employees.
MGM Resorts, the global hospitality and entertainment company, was the victim of a ransomware attack in September 2023 which resulted in operational outages across its properties in the US, China and Japan.
In Australia there were two major data breaches, one against Latitude Financial and the other targeting health insurance provider Medibank. Together these impacted more than 23 million people.
The Australian Cyber Security Centre says reports of cyber crime have increased by 23 per cent in the 2023 fiscal year alone.
Apple developed Lockdown Mode for anyone being targeted with extreme threats like mercenary spyware because of who they are or what they do.
Apple also has Advanced Data Protection for iCloud which can protect against these growing threats and keep most user data in iCloud protected even in the event of a data breach.
The number of ransomware attacks in the first three quarters of 2023 has increased by almost 70 per cent compared to the same period in 2022.
And Australia is in the top four countries being targeted for ransomware alongside the US, the UK and Canada.
Apple: Just a Reminder That You Can Encrypt Your iCloud Data – PCMag
People may have forgotten, but Apple would like to remind the public that end-to-end encryption is available for their iCloud data to keep it protected from today's cyber threats.
A year ago, the company began enabling end-to-end encryption for iCloud through a feature called Advanced Data Protection, which can prevent Apple itself from accessing most of the iCloud data stored in a user's account. Instead, only the person's enrolled devices, which hold the encryption key, can view the data.
This end-to-end encryption can thwart cybercriminals from obtaining a user's data through a breach, should it ever occur. The issue is that Apple first rolled out Advanced Data Protection through a beta software program before a mainstream iOS and macOS release. Hence, not all consumers may be aware of it.
On Wednesday, Apple held a briefing with journalists to reiterate the importance of bringing end-to-end encryption to iCloud storage. A company representative noted that many Apple users, including those who own iPhones on iOS 16.2 or later, now meet the minimum system requirements to activate the feature.
Apple is also highlighting the encryption when hacker-led breaches and ransomware attacks continue to scoop up massive amounts of user data each year, exposing victims to identity theft and other malicious schemes. Today, the company is publishing a study from MIT Professor Stuart Madnick that finds the number of data breaches has tripled over the past decade.
The findings underscore that strong protections against data breaches in the cloud, like end-to-end encryption, have only grown more essential, Apple says.
Advanced Data Protection won't stop hackers from breaking into third-party platforms and stealing user data; the feature will only secure the user's iCloud data. Still, Apple says that more companies are adopting end-to-end encryption in their own systems, which could help protect the entire IT ecosystem.
Apple created a support document that outlines how to turn on Advanced Data Protection. One notable requirement is that the user needs to ensure that all their Apple devices, including the Apple Watch and Apple TV, are running compatible software versions to enable the feature.
Advanced Data Protection also comes with some trade-offs. The support document notes: "With Advanced Data Protection enabled, Apple doesn't have the encryption keys needed to help you recover your end-to-end encrypted data. If you ever lose access to your account, you'll need to use one of your account recovery methods (your device passcode or password, your recovery contact, or recovery key) to recover your iCloud data."
By default, Apple's iCloud will already use end-to-end encryption for 14 categories of user data. However, the Advanced Data Protection can increase the number of categories to 23, including for photos, iCloud Drive, iCloud Backup, along with notes and reminders. Only iCloud Mail, Contacts, and Calendar are exempt from the end-to-end encryption since all three are designed to work with legacy systems that don't require such encryption.
Meta Makes End-To-End Encryption Default On Messenger – ABP Live
Meta is implementing default end-to-end encryption (E2EE) for personal messages and calls on Messenger and Facebook starting December 7. Alongside this, the social networking giant is introducing a range of new features that aim to empower the user to have greater control over their messaging experience. End-to-end encrypted conversations come with additional nifty features, including the ability to edit messages, sending media files in higher quality and disappearing messages.
The added security layer of end-to-end encryption ensures that the content of users' messages and calls with friends and family remains protected from the point they leave their device to when they reach the recipient's device. This also means that no one, including Facebook parent Meta, can access the content unless the user opts to report a message to the company.
It should be noted that earlier in 2016, Facebook Messenger gave the option to users to turn on end-to-end encryption, but now, it is changing private chats and calls across Messenger to be end-to-end encrypted by default.
"This has taken years to deliver because we've taken our time to get this right. Our engineers, cryptographers, designers, policy experts and product managers have worked tirelessly to rebuild Messenger features from the ground up. We've introduced new privacy, safety and control features along the way like delivery controls that let people choose who can message them, as well as app lock, alongside existing safety features like report, block and message requests. We worked closely with outside experts, academics, advocates and governments to identify risks and build mitigations to ensure that privacy and safety go hand-in-hand," Loredana Crisan, Head of Messenger, said in a statement.
The company noted it is committed to safeguarding messages and privacy, while making the announcement.
Disappearing messages on Messenger now last for 24 hours after being sent. Meta is also improving the interface to make it easier to tell when disappearing messages are turned on. This will help people be confident that their messages stay secure and won't stick around forever. Disappearing messages on Messenger are only available for end-to-end encrypted conversations, but users can still report disappearing messages if they receive something inappropriate, and Meta will notify them if it detects that someone screenshots a disappearing message.
Users can now edit messages that may have been sent too soon, or that they would simply like to change, within a 15-minute window after sending them. Users can still report abuse in an edited message and Meta will be able to see the previous versions of the edited message.
Announcing Fortanix Key Insight A Solution to Discover and … – Dark Reading
PRESS RELEASE
SANTA CLARA, Calif., Nov. 27, 2023 - Fortanix Inc., a leader in data security and pioneer of Confidential Computing, today announced Key Insight, a new industry-first capability in the Fortanix Data Security Manager™ (DSM) platform designed to help enterprises discover, assess, and remediate risk and compliance gaps across hybrid multicloud environments. At AWS re:Invent 2023, Fortanix will showcase the capabilities of Key Insight at booth #118.
Data breaches lead to massive monetary losses, hefty penalties and severe brand damage. While traditional firewall and cloud security defenses shield the perimeter, the data itself remains vulnerable. Encryption is the final line of defense, but enterprises lack robust control over encryption keys, leading to significant risk.
Enterprises need to fortify security beyond just its perimeter layers and are driving the paradigm shift towards a rigorous, data-centric security model with complete visibility and control over its encryption assets.
According to a Gartner report, "It is critical to understand if access to data and encryption keys by the CSP, by internal staff, or if the data residency locations across CSP platforms will create business impacts due to security or compliance risks."
Fortanix Key Insight is the first and only solution to provide consolidated insights and control of all cryptographic keys to protect critical data services. Security, cloud and developer teams can collaborate to assess risk posture and remediate compliance gaps consistent with policies, regulatory mandates, or industry standards (e.g., NIST, GDPR, PCI, etc.).
Key Insight expands the power of Fortanix DSM, a unified data security platform for enterprise key management, data tokenization, secrets management, and more.
"Key Insight provides a unique combination of discovery, assessment and remediation of encryption keys and cloud data services in one Enterprise Key Posture Management (EKPM) solution, helping enterprises prevent data breaches and failed regulatory audits," said Anand Kashyap, co-founder and CEO at Fortanix. "Key Insight is aligned with our value statement 'Look. Know. Further.', by allowing companies to look across siloed encryption environments, know their data security risk posture, and go further with complete control of their data, including remediation."
Fortanix Key Insight offers several innovations to enhance data security:
Discover all encryption assets and provide a detailed mapping between encryption keys and data services in an intuitive and easy-to-understand dashboard
Assess data security risk posture through visual heatmaps that quickly pinpoint risks, gaps and priorities against established policies, regulations and industry standards
Remediate gaps in policy and compliance to eliminate risk to achieve crypto agility at scale, with robust reporting to demonstrate continuous improvements over time
"As the global leader in AI-based advanced imaging for healthcare applications, Rapid AI is fully committed to security, compliance, processes and technologies to protect its platform and sensitive patient data, especially in the cloud," said Amit Phadnis, CTO of Rapid AI. "In this endeavor, awareness and proper management and remediation, where necessary, of encryption keys is of prime importance. Any tool that helps ease our encryption keys posture management would be desirable for our security and compliance teams."
"Organizations can ill afford data breaches and non compliance of globally proliferating privacy regulations," said Craig Gledhill, CEO of ACA Pacific. "Data encryption is crucial for protecting data, but equally crucial is the ability to pinpoint blind spots and remediate risks and compliance gaps. It is in this regard that the introduction of Fortanix Key Insight can be of great help to our customers in their quest for multicloud data security and compliance."
This latest addition to Fortanix DSM adds another industry first to the platform's robust list of capabilities, which include enterprise key management, data masking/tokenization, secrets management, code signing, and confidential AI and confidential data search.
Proton Drive arrives for macOS with full end-to-end encrypted cloud storage – 9to5Mac
Proton has released a number of updates and new privacy-focused solutions this year, including family plans, its end-to-end Proton Pass password manager, and more. Now, the company has launched a native Mac app for its Proton Drive secure cloud storage.
Proton CEO Andy Yen shared all the details in a blog post:
Cloud storage is a critical piece of our mission to build an internet that protects your privacy and secures your data. It's where you keep your most sensitive files, from personal photos to identity documents. Unfortunately, the leading cloud storage providers today can scan your data and don't use end-to-end encryption by default.
That's why we're pleased to announce that Proton Drive's encrypted cloud storage is now available on all major platforms with the launch of our macOS app. In addition to Proton Drive apps for iPhone, Android, Windows, and web, we now offer Mac users a privacy-first alternative to Big Tech.
Andy highlights that with Apple, end-to-end encryption isn't on by default for iCloud Drive (you have to enable Advanced Data Protection for that).
Along with Proton Drive using end-to-end encryption for all your data across all devices, it also does the same for all of your metadata, like file names and date modification details.
Proton Drive for macOS is secured with cryptographic signatures to guarantee file authenticity and prevent data tampering. Plus, like Proton's other services, Proton Drive for macOS will be open source and is being independently reviewed.
Proton offers 1 GB of free encrypted storage with other plans going from $3.50/month (when paying for two years) or $3.99/month (when paying for one year). The Proton Family plans included 3 TB of storage starting from $19.99/month (when paying for two years).
You can download the new free Proton Drive for Mac (and other platforms) directly from Proton.
Fortanix debuts Key Insight to manage enterprise encryption keys – VentureBeat
Fortanix, the seven-year-old Santa Clara, California-based startup focused on enterprise key management and data security for companies that use software, is upgrading its Fortanix Data Security Manager (DSM) platform for securing cloud, on-premises, and hybrid digital data with a powerful new tool.
The tool, Key Insight, was unveiled this week at Amazon Web Services' (AWS) annual re:Invent 2023 conference in Las Vegas. Fortanix describes it as "the first and only solution to provide consolidated insights and control of all cryptographic keys to protect critical data services."
In other words, Key Insight is like a tracking system for all your organization's digital encryption keys, and a very intelligent one.
Cryptographic keys serve all sorts of purposes in computer security, and encryption keys in particular are designed to allow information to be encrypted, or turned from its original state into a special secret code, so that only trusted and properly permissioned users can decrypt, translate, and access it.
When you encrypt the information on your Mac computer or PC, it is encryption keys that allow you to access it and change it later. Organizations of all sizes rely on encryption keys to keep their sensitive data safe and relegated to only authorized users.
Encryption keys are a good practice for any software and data-dependent organization to follow. But they are not foolproof. Hacks at Microsoft, GoTo, CircleCI, and laptop maker MSI in recent years have shown that encryption keys can fall into the wrong hands if those entrusted with them are not careful or don't have the right protective infrastructure. Key Insight, along with the larger Fortanix DSM, aims to provide just that to organizations, specifically those who store information in the cloud (and these days, who doesn't?).
Not only does the new Fortanix Key Insight tool maintain awareness of all the cryptographic keys your employees and trusted users and applications rely upon, but it also provides an easy-to-use dashboard showing which keys are mapped to which services and users. And it does so in a glanceable, information-rich format.
Some of the information Fortanix Key Insight provides to enterprise customers includes the total number of keys, the number of accounts using them, the regions in which they are being used, and the services they are linked to, as well as the encryption status of said services. It also shows the key source, or where they originated/were issued from, and if they were used recently and by how many different accounts.
"Key Insight provides a unique combination of discovery, assessment and remediation of encryption keys and cloud data services in one Enterprise Key Posture Management (EKPM) solution, helping enterprises prevent data breaches and failed regulatory audits," said Anand Kashyap, co-founder and CEO at Fortanix.
Based on the information displayed in Fortanix Key Insight, organizations can see which encryption keys and attached services/applications and users show evidence of increased risk, anomalous behavior, and/or deviation from the company's policies and industry-specific regulatory requirements. Using this information, Fortanix's enterprise customers can have IT security team members deactivate certain keys or conduct investigations to close the security holes and reduce risks of improper access to information.
Fortanix Key Insight can further be used by organizations to help ensure they are complying with relevant industry data storage and security regulations and best practices (e.g., NIST, GDPR, PCI, etc.), according to Fortanix.
Fortanix is providing live demos of Key Insight and other capabilities to interested parties and potential customers at its re:Invent booth number 118 during the week.
AWS re:Invent 2023 is a fitting venue for Fortanix to debut the new feature given that Fortanix DSM and other Fortanix products are already available for enterprises to use, for hourly fees, through the AWS Marketplace.
The company started in 2016 and has raised a total of $122 million from big-time investors including Intel Capital, Goldman Sachs, In-Q-Tel, and others. It also partners with AWS cloud rivals Google and Microsoft.
NYPD Moves Towards Encrypting Radio Transmissions After Years … – Techdirt
from the our-security-trumps-your-security dept
New York City residents will, once again, be asked to foot the bill for NYPD efforts that solely benefit the nation's largest police department. It's not enough that they've been asked to spend hundreds of millions of dollars every year to bail out officers hit with civil rights lawsuits. It's not enough that they've been asked to foot the bill for the NYPD's repeated refusal to comply with public records laws.
Now, they're being asked to pay for even more opacity, this time taking the form of full encryption of police/dispatch radio transmissions.
The NYPD is set to fully encrypt its radio broadcasts by the end of next year as part of a nearly $400 million planned system upgrade, setting off alarm among local politicians and press advocates.
[...]
The NYPD's massive network of radio communications is expected to go dark by the end of 2024 as the department switches from an analog to a digital network, according to Chief of Information Technology Robert Beltran.
This will effectively cut one form of public oversight out of the loop. Journalists and others keeping an eye on police activity will no longer be able to perform this public service. Instead, the NYPD will spend $400 million in public funds to ensure only cops know what cops are up to.
A decade ago, the NYPD was actually encouraging people to keep their smartphones updated to ensure they could avail themselves of device and communication encryption offerings. Not long after that, the tune changed, led by Police Commissioner Bill Bratton and Manhattan DA Cyrus Vance.
Bill Bratton, following the lead of then-FBI Director James Comey, said device encryption did a terrible disservice to the public by making it more difficult for police to obtain data and communications from seized phones. Bratton also claimed the move towards default device encryption (as well as end-to-end encryption for communications) was nothing more than mercenary behavior by device manufacturers that served nothing more than their bottom line.
Cyrus Vance engaged in his own brand of encryption demonization, claiming (without supporting facts) the NYPD was sitting on dozens of uncrackable devices, insinuating that all the phones he tossed on the press conference table were loaded with evidence crucial to ongoing investigations and prosecutions. "Warrant-proof" was the term deployed by DA Vance, a term frequently deployed by consecutive FBI directors as they complained about the public being allowed to secure their devices and communications.
But encryption is apparently ok if it's the PD using it. That's the takeaway from this planned deployment, which NYPD officials claim is crucial to ensuring officer safety. That it helps prevent the public from keeping an eye on cops is just an added bonus, one that is deliberately ignored when police officials discuss the encryption rollout. According to the NYPD, the fact that the NYPD communicates anything at all through social media accounts and press releases is far more than the public deserves.
Beltran said the switch was necessary to protect cops and the personal details of crime victims, arguing during the hearing that the police department can be trusted to get important information out to the public in a timely manner.
"The department provides information to reporters many times a day every day. We also have hundreds of digital media officers assigned to precincts that are also updating information on social media in real time," he said.
Yes, the city's journalists and citizens should be thrilled to be blessed by fully vetted PR releases, rather than being allowed to draw their own conclusions from radio transmissions and activity witnessed at crime scenes, ones they're able to locate thanks to previously unencrypted transmissions.
Somewhat ironically, one of the most notable victims of this shift to encryption is the controversial crime-reporting app, Citizen. This app and its developers have courted controversy in the past by encouraging users to act as ambulance chasers and rush to crime scenes to provide other users with footage and speculation. The company that courted voyeurs and vigilantes is now a bit nonplussed that this shift to encryption will render its product mostly useless.
"We have spent six years building up this network and saving a tremendous amount of lives and this threatens all of this progress," said Andrew Frame, CEO of Citizen, adding that many New Yorkers rely on the app to stay safe.
I can believe the six years building up this network. The claim that Citizen has saved lots of lives is completely ridiculous. The app was never about improving public safety. It was always about filling crime scenes with rubberneckers and encouraging people's worst impulses.
That's not to say the NYPD has completely cut the public out of the loop. It claims it might let a few chosen partners (journalists, Citizen) engage in virtual ride-alongs via limited feed access, but it won't make that decision until long after the heat has died down.
The NYPD hasn't ruled out allowing the press or companies like Citizen to tune in, said Beltran, while noting that such a plan, which could include granting delayed access to the feeds, is under a departmental review that won't be completed until after the entire network is encrypted.
In other words, the NYPD will go dark first. Then it will engage in the much longer process of determining who's allowed to listen in, a process that I imagine will involve months or years of discussion, followed by months or years of inaction NYPD officials will claim is actually implementation.
The NYPD is going dark, something it claims is necessary to keep it safe and secure. But it's not willing to extend the same courtesy to the people it serves. And it certainly won't be bothered by the extra layer of opacity it provides. The taxpayers lose. Again. And they're expected to pay for this privilege.
Four considerations when selecting as-a-Service Hardware Security Module solutions to secure your encryptio… – Security Boulevard
Keeping up with the latest security challenges can feel like you are running a race that has endless hurdles. From rapid advancements in technology rendering old hardware obsolete to increasingly stringent requirements and regulations, the time and costs can quickly become enormous.
Many of these challenges are related to the migration of compute, storage, and backup services to cloud services. Picture this: you have moved your databases to the cloud. But are you in control of your encryption keys? Do you know who has a copy or could access a copy?
Today's solutions offer your organization a choice of how to most effectively secure your encryption keys. You can select a solution that allows your organization to secure your keys in an on-premise HSM or one that allows your organization to protect your keys via a secure connection to a cloud-based HSM with an HSM-as-a-Service (HSMaaS) offering such as Entrust's nShield-as-a-Service solution.
Entrust recently partnered with TechValidate to conduct a survey to understand how companies view and are implementing HSMaaS solutions.
From On-Premise to the Cloud
For years, the best practice was to use an HSM deployed on-premise. Concerns about security of software-based key storage, separation of keys, and sovereignty requirements made it the only viable option. Over time, as-a-service HSM offerings appeared in the market offering lower costs and a level of security comparable to on-premise HSMs, with more flexibility and quicker implementation.
The Survey Says
Today's organizations are looking to save time and money. The survey showed that 57% of organizations said a key reason for considering subscribing to an HSMaaS offering is to reduce IT management costs. Further, 69% of respondents said that their organizations would realize reduced spend on physical infrastructure. The next closest benefit noted was improved efficiency with 46% of the respondents selecting that benefit.
The focus on saving time and reducing expenses has also been a significant driver of cloud adoption. With the rise of cloud service providers, as-a-service-HSM offerings evolved even further. Leading cloud service providers offer their own unique approach to securing your encryption keys. While these offerings provide convenience and cost-effective solutions, they do not always meet internal security requirements set by some organizations, adding further to the complexity involved when deciding how to store your encryption keys.
In addition to saving time and money, HSMaaS solutions like Entrust nShield-as-a-Service provide the same level of support for a wide range of applications. This is something that was also reflected in the survey results. Respondents indicated that once onboarded, they would leverage an HSMaaS solution for a variety of functions.
The top functions ranked were public key infrastructure (PKI), which was mentioned by 60% of respondents, followed by key management, which was selected by 57% of respondents. Data encryption/decryption and digital signatures were also mentioned by nearly half of the respondents (49%). These results reinforce the similarities in functionality between on-premise HSM and HSMaaS offerings.
Important Cloud Key Management Considerations
Saving time and money are necessary criteria when considering implementing an HSMaaS solution. However, they are not the only considerations you should have when deciding what as-a-service HSM offering to use when storing your encryption keys. It is important to also consider:
Conclusion
When evaluating these considerations and HSMaaS solutions, partnering with a company that understands your holistic security and encryption needs will simplify this process. While cost is always a driving factor, ensuring you are in control of your keys is the most important. Where your keys are stored for key sovereignty requirements, the available integrations, and the key management capabilities all need to be carefully reviewed. The right keys need to be stored in the right places, using a solution that will protect your business and significantly enhance your organization's security.
To learn more about HSM-as-a-Service and how Entrust can help you save capital expenditures, maintain control of your critical keys, and strengthen the security of your data, visit the Entrust website.
The post Four considerations when selecting as-a-Service Hardware Security Module solutions to secure your encryption keys appeared first on Entrust Blog.
*** This is a Security Bloggers Network syndicated blog from Entrust Blog authored by Andrew Tweedie. Read the original post at: https://www.entrust.com/blog/2023/11/four-considerations-when-selecting-as-a-service-hardware-security-module-solutions-to-secure-your-encryption-keys/
See original here:
Four considerations when selecting as-a-Service Hardware Security Module solutions to secure your encryptio... - Security Boulevard
Will Quantum Computing change the way we use encryption? – BetaNews
Today, encryption is a cornerstone of our cybersecurity practices. It protects everything from cell phones and SMS messages to financial transactions and intellectual property.
However, a new challenge in the complex landscape of encryption has recently emerged, thanks to the advancement of quantum computing. What challenges lie ahead? Here is the breakdown:
Quantum Computing (QC), invented in the 1970s by David Deutsch, has made significant steps forward in the following decades and has become a viable technology capable of solving complex computational problems. Based on the laws of quantum mechanics, QC is not bound to the restrictions of classical computers, where everything resolves to a 1 or 0. Instead, QC uses "multidimensional computational spaces" to answer nearly impossible questions. It sounds like sci-fi, but it applies to our current computing environment.
Quantum Computing presents a unique challenge to all cybersecurity efforts because it has the potential to break some of the encryption standards commonly used today.
Organizations use symmetric or asymmetric keys to encrypt their data at rest or in motion. Symmetric cryptography, like the Advanced Encryption Standard (AES), utilizes a single key to encrypt and decrypt data. In contrast, asymmetric cryptography (RSA) uses a public and private key to encrypt and decrypt data. The two types of cryptography differ in the security they provide based on their bit count (AES typically uses 128 or 256 bits, and RSA keys typically use 1024-2048 bits) and the password strength the key creator uses.
Due to QC's threat to circumvent almost any encryption, in 2022, NIST introduced several new encryption key algorithms to address the inherent risks posed by QC. Because of the increased complexity of the algorithms used to generate the keys, they are considered QC-resistant (QCR). The new encryption keys mitigate the potential impact of Grover's Algorithm, which can break AES-128 encryption in seconds today, and Shor's Algorithm, which will eventually be able to break RSA encryption as QC technology advances.
In short, suitable algorithms and encryption standards could protect us from the future of QC hackers. But deploying them is a different matter.
Today's lack of widespread QC availability makes QCR encryption a non-existent priority for most organizations because no perceived threat would require immediate action. Many companies' IT and cybersecurity teams are already pushed to the maximum and tend to focus their efforts (and budgets) on decreasing current attack surfaces and clearing out the never-ending stream of alarms.
But that's no reason to delay action. Complacency yields breaches, especially in cybersecurity. If encryption is not updated to match tomorrow's threats, what's to stop malicious actors from decrypting all of the non-QCR data in the future? IBM estimates a 1-in-7 chance that current encryption keys will be breakable by QC as early as 2026, and that chance skyrockets to 1-in-2 in 2031. If today's data encryption isn't made QCR shortly, companies could see their information harvested or held ransom, damaging an organization's reputation and ability to operate.
The best time to upgrade your encryption is before hackers can break it with these new tools -- an ounce of prevention is worth a pound of cure, as the saying goes. Part of this prevention is identifying where all essential data resides, how users or systems access it, and the encryption used to protect it. For organizations anticipating the addition of new data sources or applications to their enterprise, part of the planning and encryption selection criteria should include support for QCR encryption. In addition, companies that develop enterprise applications in-house should also update their DevSecOps pipeline to include the integration of QCR encryption to prevent potential issues and rework in the future.
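As an added example (not from the original article), here is a sketch of the encryption inventory check described above, written so it could run as a pipeline gate. The asset names, algorithm labels, and the 128-bit post-quantum floor are constructed assumptions; the model is that Shor's algorithm breaks RSA/ECC-style public-key schemes at any key size, while Grover's algorithm halves the effective strength of symmetric keys.

```python
import re

# Assumed model for this example: Shor's algorithm breaks these public-key
# families at any key size; Grover's algorithm halves symmetric key strength.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH"}
SYMMETRIC = {"AES"}
PQC_FAMILIES = ("ML-KEM", "ML-DSA", "SLH-DSA")  # NIST post-quantum standards
MIN_POST_QUANTUM_BITS = 128  # assumed policy floor, not from the article

# Constructed inventory: (asset, algorithm label as recorded in config or cert)
INVENTORY = [
    ("billing-db at rest", "AES-128-GCM"),
    ("backup archive", "AES-256-GCM"),
    ("api gateway TLS cert", "RSA-2048"),
    ("code signing key", "ECDSA-P256"),
    ("pilot key exchange", "ML-KEM-768"),
    ("legacy tape vault", "3DES-168"),
]

def classify(label):
    """Return a migration verdict for one algorithm label."""
    name = label.upper()
    if name.startswith(PQC_FAMILIES):
        return "quantum-resistant"
    m = re.match(r"([A-Z]+)-P?(\d+)", name)
    if not m:
        return "review-manually"  # unrecognised label: never pass silently
    family, bits = m.group(1), int(m.group(2))
    if family in SHOR_BROKEN:
        return "migrate-to-pqc"  # larger keys do not help against Shor
    if family in SYMMETRIC:
        effective = bits // 2  # Grover: quadratic speed-up on key search
        return "ok" if effective >= MIN_POST_QUANTUM_BITS else "increase-key-size"
    return "review-manually"

def audit(inventory):
    """Map each asset to its verdict."""
    return {asset: classify(label) for asset, label in inventory}

def failing_assets(inventory):
    """Assets that should fail the pipeline gate."""
    passing = {"ok", "quantum-resistant"}
    return sorted(a for a, v in audit(inventory).items() if v not in passing)

if __name__ == "__main__":
    for asset, verdict in audit(INVENTORY).items():
        print(f"{asset:24} {verdict}")
    raise SystemExit(1 if failing_assets(INVENTORY) else 0)
```

Run as a script, it exits non-zero while any asset still needs migration, a larger key, or manual review, so unrecognised algorithm labels block the build instead of passing unnoticed.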
Jerry Derrick is Vice President of Engineering at Camelot Secure. He leads the company's engineering division and is responsible for the design, development, and sustainment of the Camelot Secure360 platform. Jerry's responsibilities also include the management of the product roadmap, research and development activities, and ensuring the overall security of the platform and customer data. A cybersecurity engineering veteran of over 20 years, Jerry understands and focuses on the importance of fusing people, processes, and technology to ensure Camelot Secure360 enables organizations to know their environments are secure against the latest threats. Before joining Camelot Secure, he worked at top military and government cybersecurity organizations to develop and deploy tools and capabilities to facilitate the more efficient and effective analysis of cybersecurity data.
See original here:
Will Quantum Computing change the way we use encryption? - BetaNews