Read Time: 3 minutes

Crypto-shredding is the technique to discard the encryption keys for the encrypted data without zeroizing/deleting the encrypted data, hence making the data undecipherable.

Over the past many years, the topic of data protection has been hitting the headlines. The unstoppable movement of data from various sources is susceptible to various risks and threats that had impacted millions of users in a short time. In the present technological era, data encryption has become the de-facto standard within the various industries; however, the management of encrypted data has become an uphill task for the stakeholders.

While discussing the management of encrypted data, there are two types of encrypted data to be looked into: Active encrypted data & Passive encrypted data.

With the active encrypted data, the data is used by various crypto-systems and being handled appropriately within the security ecosystem, whereas, with the passive encrypted data, the data is not used actively and is ready to be destructed.

Challenges in data destruction

Data destruction is a challenging task while exercising it as an individual’s right for erasure, specifically in reference to data protection regulations such as GDPR. While exercising the right to erasure, the organization has to look up all the references of concerned data within their databases, logs, backups, etc., find the relevant data and delete it from their systems; however, this is not a straightforward task and contains pros & cons of its own.

Next comes the solution to this problem, i.e., crypto-shredding.

Crypto-shredding: Solution to data destruction

As we know, in the crypto-shredding, the encryption is key is discarded/destroyed, and since the key is destroyed, the data that is encrypted by the key automatically becomes unusable as it can’t decrypt it without the key; however, we need to make sure there are no other copies of the key which could be used by bad actors to decrypt the data as the data is still available and lies in an encrypted fashion.

Also, there could be another possibility of breaking the encryption algorithm that can be safely discarded as if the algorithm would have been breakable. It would be considered and marked as vulnerable by the relevant authorities, and any organization would not be using it in the first place itself to encrypt the data.

Considering the above pointers, we can safely assume that the crypto-shredding is equivalent to deleting/zeroizing the data itself.

Crypto-shredding tackles the problem of searching/indexing the specific data reference across the entire infrastructure in a different way by focusing only on one crucial aspect, i.e., management of encryption keys. For example, when the new data is created and is supposed to be stored/backed up/replicated. Before performing any action on this, the data would be encrypted first and then processed further for any action. When the data is supposed to be deleted, rather than searching the data references in your infrastructure, it simply deletes the encryption keys to make the data undecipherable.

Till now, we have understood the strengths of crypto-shredding. Let’s look at the weaknesses as well:

  1. If the encryption applied to the data is not strong enough, the data breach could still occur, and in this case, the process of crypto-shredding won’t be useful.
  2. Since the crypto-shredding deletes the keys only, the encrypted data still exists, and that would require the management of storage in your environment.
  3. As the whole concept of crypto-shredding revolves around the key deletion, the organizations must have an efficient key management system that involves secure key deletion.

Conclusion

Currently, there are no standards in place for crypto-shredding as such. However, certain compliance standards require something called “the right to be forgotten” where the customer has the right to ask that all their personal data be completely deleted without undue delay. Crypto-shredding is an efficient technique to manage the passive encrypted data, but with its own limitations. Many organizations still do not use crypto-shredding as it’s not prescribed by authorities such as NIST, GDPR, etc. Instead of crypto-shredding, customers can take a look at NIST Special Publication 800-88 revision 1, which is a NIST document discussing the sanitization of data. 

Resources

NIST.SP.800-88r1

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

Read time: 9 minutes, 30 seconds

In this discussion whiteboard, let us understand what is PKI? What are several components involved in Public Key Infrastructure (PKI)? What are the important skill set required for a candidate to become PKI admin? Are there any specific trainings to undergo for becoming PKI admin? We will discuss these points at high level in this blog article. Let’s get into the topic:

There is a day-by-day increase in the demand for cybersecurity services with the rising penetration of various mobile and wireless devices. The enhancement in mobile and internet infrastructure and advancements in the technology across the globe are propelling the adoption of smart devices across enterprises and consumers. At the same time, enterprises are rapidly embracing cloud platforms and other networking technologies. Because of these advancements, companies are becoming more vulnerable to various cyber-attacks.

In 2017, cyber-attacks on mobile devices increased by over 40% with an average of over 1.2 million attacks per month. Hence, cyber security modules such as cryptography, Data Loss Prevention became more and more critical for the end-users and organizations dealing with sensitive data. The global cybersecurity market is set to grow from its market value of more than $120 billion in 2019 to over $300 billion by 2024. The cybersecurity market is propelled by the increasing need among enterprises to minimize security risks.

All these factors combined contributed to the growth in demand for cybersecurity especially key technologies like PKI – Public Key Infrastructure. With the increase in demand for PKI there is a high requirement in the cyber market for job roles such as PKI admin. In this article we will be focusing on the important skills and trainings that one has to undergo to become PKI admin. Before jumping into the main topic, let us first understand the basics of what is PKI?

What is Public Key Infrastructure – PKI?

The Public Key Infrastructure (PKI) is the set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and public-keys. PKI or Public Key Infrastructure is cyber security technology framework which protects the client – server communications. Certificates are used for authenticating the communication between client and server. PKI also uses X.509 certificates and Public keys for providing end-to-end encryption. In this way, both server and client can ensure trust on each other and check the authenticity for proving the integrity of the transaction. With the increase in digital transformation across the globe, it is highly critical to use Public Key Infrastructure for ensuring safe and secure transactions. PKI has vast use cases across several sectors and industries including Medical and Finance.

Explore the complete information about Public Key Infrastructure here:

What are important components in Public Key Infrastructure?

There are three key components: Digital Certificates, Certificate Authority, and Registration Authority. PKI can protect the environment using the three critical components. These components play a crucial role in protecting and securing digital communications, electronic transactions.

  • Digital Certificates:

    Most critical component in Public Key Infrastructure (PKI) is Digital certificates. These certificates are used to validate and identify the connections between server and client. This way, the connections formed are very secure and trusted. Certificates can be created individually depending on the scale of operations. If the requirement is for a large firm, PKI digital certificates can be purchased from trusted third party issuers.

  • Certificate Authority:

    Certificate Authority (CA) provides authentication and safeguards trust for the certificates used by the users. Whether it might be individual computer systems or servers, Certificate Authority ensures digital identities of the users is authenticated. Digital certificates issued through certificate authorities are trusted by devices.

  • Registration Authority:

    Registration Authority (RA) is an approved component by Certificate Authority for issuing certificates for authenticated users based requests. RA certificate requests ranges from individual digital certificate to sign email messages to companies planning to setup their own private certificate authority. RA sends all the approved requests to CA for certificate processing.

What are the responsibilities of PKI administrator?

As a PKI admin you will be reporting mostly either to a CIO or a CISO depending on the organization’s hierarchy. Important responsibilities as PKI admin would be to administer the Certificate Authorities (CA) and Hardware Security Modules (HSMs) of the company’s Public Key Infrastructure (PKI) and Key Management. Also, you will be responsible in handling large scale enterprise and commercial/publicly trusted PKI services. Additionally, you are expected to perform and understand the below requirements:

  • Administer Windows 2008 R2 and Windows Server 2012
  • Active directory services
  • Hardware Security Modules
  • Certificate lifecycle management – Installation, Renewal, Revoke
  • Certificate Enrolment Web Services

These are the core expectations from any firm handling Public Key Infrastructure would have from a PKI admin. Along with these responsibilities, it you would need to manage the Service Level Agreement (SLA) timelines and enhance the efficiency of the process. Currently, there are automated solutions to handle most of the features of PKI. Hence, it is important to have an automation bend of mind to understand, handle and enforce those solutions in the company.

Skillset requirement for PKI Admin

PKI administrator requires quite a good amount of skillsets to handle the day to day activities. This would have been the realization after going through the responsibilities mentioned above. The desired skills for a PKI admin would be as follows:

  • PKI hands on experience in handling Certificate Authority Administration, Certificate Enrollment Web Service & Policy Web Service, Active Directory Certificate Services (ADCS) monitoring.
  • Data-in-motion and Data-at-rest Encryption.
  • Understanding of PKI architecture.
  • System Administration of Windows Server 2012/R2 or 2016 and Windows 10, Unix, or Linux, and/or database skillset.
  • Expertise in Public Key Infrastructure (PKI) machine identity technologies such as SSH, SSL, TLS.
  • Disaster Recovery process and Business Continuity procedures.
  • Experience in managing Key Management Systems (KMS).

It is always important and good to have coding skills while handling such critical infrastructure as PKI. Some of the development technologies that a PKI admin should know are Java, PowerShell scripting, Command line tools, HTML, XML, JavaScript.

Knowledge requirement

As PKI administrator you might not be expected to having a complete hands-on experience on the following criteria but you need to have a fair understanding on the concepts of cryptography solutions such as:

  • Symmetric/asymmetric cryptography
  • Secure hash functions
  • Digital signatures
  • SSL Certificates

Experience

PKI administrator is a critical position in any company’s cyber security landscape. So, in majority of the cases companies expect the person handling the role of PKI admin to be hands-on experienced on the key responsibilities and skillsets mentioned above in this article. It is expected from you to have a solid experience in PKI, SSL/TLS, and SQL. Other than the direct experience, if you are an IT administrator with cyber security knowledge and skills then there would be higher chances on cracking the opportunity. Just keep in mind that there are no entry level positions for Public Key Infrastructure (PKI) administrator. You would require specialization. Immediately undergo trainings provided by Encryption Consulting or any other reputed certified providers.

Understand the security best practices followed by major firms across industries. Along with the above mentioned responsibilities and skill sets, it would be a major bonus point if you understand what a PKI health check is and how to perform the health checks on a regular basis.

Why should firms worry about PKI Health?

Public Key Infrastructure is not a one-time setup and forget activity. Regular health monitoring is as important as the initial implementation of your PKI as it plays a crucial and deciding role in the firm’s cyber security. PKI Health monitoring and checking activity will ensure that steady state of operations is achieved. Majority of the certificate policies states that an audit has to be performed on a regular basis for safeguarding the compliance of the Certificate Authorities (CAs). It is highly advisable to perform a complete check once a year at least.

Public Key Infrastructure health checks involve multiple steps and factors. Out of all these, some of the important processes that are included in a standard PKI health checks are:

  • Patch management and backup
  • Certificate checks: Issuing and revoking of certificates
  • Auditing of the Certificate Authority

PKI health check benefits

  • Performing regular PKI health checks will ensure a strong overall cyber security posture of the organization.
  • Operational effectiveness will be monitored on a regular basis by performing PKI health checking activity regularly.
  • Compliance with the regulatory standards and frameworks will be ensured as there is periodic check on certificate health.
  • Threat vectors of data loss will be reduced considerably with a reduction in risk.
  • High availability of critical processes will ensure smooth running of the business.

Encryption Consulting’s PKI training complete package

Encryption Consulting LLC (EC) is offering a complete all-round package on training for Public Key Infrastructure (PKI). This PKI course can be taken by candidate who is at any level – be it a beginner, intermediate level or advanced level. PKI course is recommended for anyone using or managing certificates, designing or deploying a PKI enterprise solution, or evaluating & selecting a commercial PKI Technology Solution.

Planning a Public Key Infrastructure (PKI) can have a significant skill ceiling, as an organization’s authentication, encryption, and digital signing can depend on how the PKI is built. An organization needs a robust and secure PKI infrastructure to ensure security and privacy and meet regulations and compliance. Creating and managing a PKI requires ample knowledge about it, which Encryption Consulting brings along with the experience needed for organizations to have a custom solution for their needs.

In our three days, PKI Training delivered online, In-person focusing on Microsoft Active Directory Certificate Service (ADCS) Training, customers will learn how to deploy or design PKI solutions in the enterprise.

You will learn how to build a PKI on Windows Server 2019, focusing on areas such as integration with HSM, Two-tier PKI, Cloud PKI, and more.

There is a strong emphasis on: PKI Governance, PKI Design best practices, Certificate Lifecycle Management process and PKI operations and hands-on skills lab.

For more details on PKI training by Encryption Consulting (EC), please click here:

Free Downloads

Datasheet of Public Key Infrastructure

We have years of experience in consulting, designing, implementing & migrating PKI solutions for enterprises across the country.

Download
Implementing & migrating PKI solutions for enterprises

About the Author

Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

Read Time: 7 min

IT world across the globe has been dominated by the news of global data breaches and cloud data leaks. From the accidental sensitive data disclosure to stolen card data across the board, it appears that the trend will continue and nobody is sure how safe their data is especially in the cloud. 

Due to this, we saw a continuous uptrend in the usage of encryption technology in every organization’s IT department because it provides a safety layer to the company’s critical data and makes it unusable for anyone who doesn’t have the associated key be it internal or external bad actor.

Based on the industry experience, we can simply say that the security provided by any crypto entity doesn’t depend much on the cipher mechanism used in the entity but surely depends upon the security of the associated keys. You can use any cipher with good key length but that doesn’t guarantee the protection unless keys are secured. When it comes to managing a single security key manually, it is relatively easy, however, if the number of security keys in use is huge, the task of managing those keys becomes cumbersome. Thus, the need arises for automated key management services for data encryption.

Now, the key management service for any crypto system can be considered as managing the complete lifecycle of keys including generation, storage, activation, distribution, rotation, expiration, revocation, and destruction.

We can classify the key management systems under three broad categories:

      • Software-based KMS

        Software-based KMS can be considered as standalone software installed in a physical or virtual environment. From a cost perspective, software-based KMS solutions are cheaper and easy to install as compared to hardware-based KMS solutions.

      • Hardware-based KMS

        Hardware-based KMS can be considered as a specialized, tamper-proof hardware appliance built for cryptographic operations or key management and known as Hardware Security Module i.e., HSM. HSM can be integrated with Software-based KMS or KMS software can be embedded into the HSM as well.

      • Cloud-based KMS

        Cloud-based KMS can be considered as a service offering from cloud service providers. All three biggest CSPs (AWS, Azure, and GCP) provide KMS as a managed service with a pay-as-you-go model which means that the customer doesn’t have to manage the underlying software/hardware. Also, other services within the CSPs environment are seamlessly integrated with their KMS services.

      Now, since we have discussed the types of KMS in general, deciding which cloud-based KMS vendor is best for you is the next obvious question. 

      Choosing among three CSPs (Amazon Web Services, Microsoft Azure, or Google Cloud Platform) is heavily debated by users. The transition towards uploading data on the public cloud is becoming the standard for organizations. The two main factors for protecting data are to protect the data from unauthorized access and to meet compliance regulations. Cloud Security must be the main priority of everyone in the organization. In the next section, we will summarize our comparison among three biggies of the cloud computing world: 

      1. Amazon Web Services (AWS) Key Management System (KMS)
      2. Microsoft Azure Key Vault
      3. Google Cloud Platform (GCP) Key Management System (KMS)

      AWS Key Management Service (KMS)

      AWS KMS is a managed service that is used to create and manage encryption keys. The two types of encryption keys in AWS KMS are Customer Master Keys (CMKs) and Data keys. CMKs can be used to encrypt and decrypt up to 4-kilobytes of data whereas data Keys are generated, encrypted, and decrypted by CMKs. The CMKs can never leave the AWS KMS and keys created by the AWS KMS service are never sent outside of the AWS region in which they were created and can only be used in the region in which they were created. The CMKs could be customer-managed or AWS-managed. CMKs are used to encrypt/decrypt the data keys whereas data keys are used to encrypt/decrypt the actual customer data. AWS KMS does not store, manage or track data keys.

      AWS KMS cannot use the data key to encrypt/decrypt data for you. Users have to use and manage data keys on their own. By default, AWS KMS uses FIPS 140-2 validated hardware security modules (HSM) and supported FIPS 140-2 validated endpoints ensuring confidentiality and integrity of your keys.

      Microsoft Azure Key Vault

      Microsoft Azure Key Vault is used to store secrets like tokens, passwords, certificates, and API keys. Azure Key Vault can also be used as a key management solution. Key Vault can encrypt keys and secrets in hardware security modules (HSMS). Key Vault supports RSA and Elliptic Curve keys only. Microsoft will not see your keys, but processes the keys in FIPS 140-2 Level 2 validated HSMs.

      GCP Key Management Service

      Google Cloud Key Management Service (KMS) is an encryption key management offering from Google Cloud that is used to implement cryptographic functions for enterprises. Google Cloud KMS uses AES 256-bit key to protect the data and can also be used to manage the keys encrypting other types of sensitive data such as API tokens, user credentials, etc. Google provides Google Cloud KMS service via REST APIs so that users can create, list, update and destroy the keys that help in managing a large number of keys specifically for enterprises that span across the globe. It also provides AES keys in a five-level hierarchy with a 24-hour delay in key deletion action.

      The below table provides a summarized view of comparison among AWS KMS, Azure Key Vault, and Google Cloud KMS Services categorized on the features of the service:

      # Feature AWS KMS Azure Key Vault Google Cloud KMS
      1 Key Storage Appliance (Software + Hardware) Appliance* (Software) Appliance (Software + Hardware)
      2 FIPS 140-2 Level Level 2 Level 2 Level 1
      3 Key Types Symmetric and Asymmetric Asymmetric Symmetric and Asymmetric
      4 BYOK (Bring Your Own Key) AES 256-bit wrapped by RSA 2048-bit RSA wrapped by AES and RSA-OAEP AES 256-bit wrapped by RSA 3072-bit
      5 Symmetric Key Length 256-bit AES None 256-bit AES
      6 Asymmetric Key Length 2048-bit, 3072-bit, 4096-bit RSA 2048-bit, 3072-bit, 4096-bit RSA 2048-bit, 3072-bit, 4096-bit RSA
      7 Encryption Modes AES-GCM, RSA-OAEP AES-GCM, RSA-OAEP RSA PKCS#1v1.5, RSA-OAEP
      8 Plain-text size limit 4KB 0.25KB 64KB
      9 Signature Modes
      • RSA-PSS
      • RSA PKCS#1v1.5
      • ECDSA with P-256
      • ECDSA with P-384
      • ECDSA with P-512
      • ECDSA with SECP-256k1
      • RSA-PSS
      • RSA PKCS#1v1.5
      • ECDSA with P-256
      • ECDSA with P-384
      • ECDSA with P-512
      • ECDSA with SECP-256k1
      • RSA-PSS
      • RSA PKCS#1v1.5
      • ECDSA with P-256
      • ECDSA with P-384
      10 Key Capabilities
      • AWS Managed Service
      • Encryption/Decryption
      • Sign/Verify
      • Auditing
      • REST APIs
      • Support Customer Managed Keys
      • Support tokens, passwords, certificates, API keys, and other secrets
      • Encryption/Decryption
      • Sign/Verify
      • Key Vault logging
      • REST APIs
      • Support Customer Managed Keys
      • Encryption/Decryption
      • Sign/Verify
      • Auditing
      • REST APIs

      *Azure Key vault integration with Azure’s Managed HSM is in public preview and might be available sometime in future.

      Conclusion

      The continuous uptrend in encryption technology prompts the requirement of managing more and more keys that force enterprises to use automated key management systems to manage the high numbers of keys with efficiency. Considering the high demand for key management systems, the three biggest CSPs (Cloud Service Provider) are in cut-throat competition to add more and more features to their KMS services in their environment; however, it often becomes confusing with the limited documentation. Encryption Consulting helps customers get familiarized with the latest & advanced security features, tools, documentation and assists them in harnessing the true value for their organization while deploying them within their environment, keeping the organization’s business objective intact.

      Free Downloads

      Datasheet of Encryption Consulting Services

      Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

      Download
      Encryption Services

      About the Author

      Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

      Read time: 10 minutes, 30 seconds

      In this discussion whiteboard, let us understand what is an e-signature? What is digital signature? What is meant by electronic signature? Are both the signatures similar or different? Which signature is more secure and what are various use cases for digital signature as well as electronic signatures? How is code signing relevant to digital signature? What is Encryption Consulting’s CodeSign Secure and how is it relevant to your organization? Let’s get into the topic to understand responses to these questions:

      If you are new to the concept of e-signatures then there are high chances of getting confused between “Digital signature” and “Electronic signature”. Quite often you would encounter people use both digital signature and electronic signature terms interchangeably which is not completely true as there are some key significant differences between these two types of e-signatures. The major difference is security – digital signatures are mainly used to secure documentation and provide authorization as they are authorized by Certificate Authorities (CAs) where as electronic signatures only provide the intent of the signer. Let us first understand what is a digital signature and electronic signature.

      What is a Digital Signature?

      Digital signature is a type of electronic signature as the both are meant to be used of document signing except that digital signatures are more secure and authentic. In digital signature, the signer of the document is mandated to have a Public Key Infrastructure (PKI) based digital certificate authorized by certificate authority linked to the document. This provides authenticity to the document as it is authorized by trusted certificate authorities. Let us understand in a simple way about digital signature by taking paper based documents as example. There are usually two concerns when you involve in documentation process, one is the authenticity of the person signing the contract and other is whether the document integrity is protected without any tampering. To overcome these concerns we have notaries in place for providing authorization and safeguarding integrity of the document.

      Similar to the notary in physical contracts we have certificate authorities (CAs) authorizing digital signatures with PKI based digital certificates. In digital signatures, a unique fingerprint is formed between the digital document and the PKI based digital certificate which is leveraged to achieve the authenticity of the document and its source, assurance of tamper proof document.

      Currently there are two major document processing platforms which provide digital signature service with strong PKI based digital certificates:

      • Adobe Signature

        There are two types of signatures provided by Adobe – Certified and Approval signatures. Certificate signature is used for authentication purpose where a blue ribbon is displayed in the top of the document indicating the actual author of the document and issuer of PKI based digital certificate. Approval signature on the other hand captures the physical signature of the issuer or author and other significant details.

      • Microsoft Word Signature

        Microsoft supports two types of signatures one is visible signature and other is invisible signature. In visible signature, there is a signature field provided for signing similar to physical signature. Invisible signature is more secure as it cannot be accessed or tampered by unauthorized users. Invisible signature is commonly used for document authentication and enhanced security.

      What is electronic signature?

      An electronic signature is not as secure and complex as digital signature as there are no PKI based certificates involved. Electronic signature is mainly used to identify the intent of the document issuer or author and it can be in any form such as electronic symbol or process. Electronic signature can be captured in as simple way as check box as its primary purpose is to capture the intention to sign contract or document. These signatures are also legally binding. In instances where the document is required to be signed by two parties for binding legally to execute certain duties and do not require high level of security and authorization electronic signatures are used instead of digital signatures.

      Key differences between digital signature and electronic signature

      Let us understand the key differences between the two signatures by comparing the crucial parameters in a tabular form.

      ParameterDigital SignatureElectronic Signature
      PurposeMain purpose is to secure the document or contract through PKI based digital certificatePurpose of electronic signature is to verify the document or contract
      AuthorizationYes. Digital signatures can be validated and verified by certificate authorities providing PKI certificatesNo. Usually it is not possible to authorize electronic signatures
      SecurityComprises of better security features due to digital certificate based authorizationComprises of less number of security features compared to digital signature
      Types of SignsIn general two types are available. One by Adobe and other by MicrosoftMain types of electronic signatures are verbal, scanned physical signatures, e-ticks
      VerificationYes. Digital signatures can be verifiedNo. Electronic signatures cannot be verified
      FocusPrimary focus is to secure the document or contractPrimary focus is to show intention of signing a document or contract
      BenefitsPreferred majorly more than electronic signature due to high level of securityEasy to use compared to digital signature but less secure

      As per the above comparison it is clearly evident that digital signature takes upper hand compared to electronic signatures. However, while considering the legally binding objective both the signatures will serve the purpose. Digital signatures are now highly preferred due to their enhanced security through PKI based certificates which will provide the much required authorization and integrity of the document.

      What is Code Signing?

      Code signing is the process of applying a digital signature to any software program that is intended for release and distribution to another party or user, with two key objectives. One is to prove the authenticity and ownership of the software. The second is to prove the integrity of the software i.e. prove that the software has not been tampered with, for example by the insertion of any malicious code. Code signing applies to any type of software: executables, archives, drivers, firmware, libraries, packages, patches, and updates. An introduction to code signing has been provided in earlier articles on this blog. In this article, we look at some of the business benefits of signing code.

      Code signing is a process to validate the authenticity of software and it is one type of digital signature based on PKI. Code signing is a process to confirm the authenticity and originality of digital information such as a piece of software code. It assures users that this digital information is valid and establishes the legitimacy of the author. Code signing also ensures that this piece of digital information has not changed or been revoked after it was validly signed. Code Signing plays an important role as it can enable identification of a legitimate software versus malware or rogue code. Digitally signed code ensures that the software running on computers and devices is trusted and unmodified.

      Software powers your organization and reflects the true value of your business. Protecting the software with a robust code signing process is vital without limiting access to the code, assuring this digital information is not malicious code and establishing the legitimacy of the author.

      Encryption consulting’s (EC) CodeSign Secure platform

      Encryption consulting (EC) CodeSign secure platform provides you with the facility to sign your software code and programs digitally. Hardware security modules (HSMs) store all the private keys used for code signing and other digital signatures of your organization. Organizations leveraging CodeSign Secure platform by EC can enjoy the following benefits:

      • Easy integration with leading Hardware Security Module (HSM) vendors
      • Authorized users only access to the platform
      • Key management service to avoid any unsafe storage of keys
      • Enhanced performance by eliminating any bottlenecks caused

      Why to use EC’s CodeSign Secure platform?

      There are several benefits of using Encryption consulting’s CodeSign Secure for performing your code sign operations. CodeSign Secure helps customers stay ahead of the curve by providing a secure Code Signing solution with tamper proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys.

      Client-side hashing ensures build performance and avoids unnecessary movement of files to provide a greater level of security.

      Client-side hashing ensures build performance and avoids unnecessary movement of files to provide a greater level of security.

      Client-side hashing ensures build performance and avoids unnecessary movement of files to provide a greater level of security. Seamless authentication is provided to code signing clients via CodeSign Secure platform to make use of state-of-the-art security features including client-side hashing, multi-factor authentication, device authentication, and as well as multi-tier approvers workflows, and more. Support for InfoSec policies to improve adoption of the solution and enable different business teams to have their own workflow for Code Signing. CodeSign Secure is embedded with a state-of-the-art client-side hash signing mechanism resulting in less data travelling over the network, making it a highly efficient Code Signing system for the complex cryptographic operations occurring in the HSM.

      Explore more about our CodeSign Secure platform features and benefits in the below link:

      CodeSigning Solution

      Use cases covered as part of Encryption Consulting’s CodeSign Secure platform

      There are multiple use cases that can be implemented using CodeSign Secure platform by Encryption Consulting. Majority of the use cases can be relevant to digital signature concept discuss above. CodeSign Secure platform will cater to all round requirements of your organization. Let us look into some of the major use cases covered under Encryption Consulting’s CodeSign Secure:

      • Code Signing:

        Sign code from any platform, including Apple, Microsoft, Linux, and much more.

      • Document Signing:

        Digitally sign documents using keys that are secured in your HSMs.

      • Docker Image Signing:

        Digital fingerprinting to docker images while storing keys in HSMs.

      • Firmware Code Signing:

        Sign any type of firmware binaries to authenticate the manufacturer to avoid firmware code tampering.

      Organizations with sensitive data, patented code/programs can benefit from CodeSign Secure platform. Online distribution of the software is becoming de-facto today considering the speed to market, reduced costs, scale, and efficiency advantages over traditional software distribution channels such as retail stores or software CDs shipped to customers.

      Code signing is a must for online distribution. For example, third party software publishing platforms increasingly require applications (both desktop as well as mobile) to be signed before agreeing to publish them. Even if you are able to reach a large number of users, without code signing, the warnings shown during download and install of unsigned software are often enough to discourage the user from proceeding with the download and install.

      Encryption Consulting will provide strongly secured keys in FIPS certified encrypted storage systems (HSMs) during the code signing operation. Faster code signing process can be achieved through CodeSign secure as the signing occurs locally in the build machine. Reporting and auditing features for full visibility on all private key access and usage to InfoSec and compliance teams.

      Get more information on CodeSign Secure in the datasheet link provided below:

      Code-Signing-Datasheet.pdf

      Which signature to use for your organization?

      This solely depends on the purpose and intent of using the signature for your organization. You might need to perform a clear assessment or approach expert consultants like us – Encryption consulting to understand which certificate will suit your purpose better.

      Encryption Consulting’s Managed PKI

      Encryption Consulting LLC (EC) will completely offload the Public Key Infrastructure environment, which means EC will take care of building the PKI infrastructure to lead and manage the PKI environment (on-premises, PKI in the cloud, cloud-based hybrid PKI infrastructure) of your organization.

      Encryption Consulting will deploy and support your PKI using a fully developed and tested set of procedures and audited processes. Admin rights to your Active Directory will not be required and control over your PKI and its associated business processes will always remain with you. Furthermore, for security reasons the CA keys will be held in FIPS140-2 Level 3 HSMs hosted either in in your secure datacentre or in our Encryption Consulting datacentre in Dallas, Texas.

      Conclusion

      Encryption Consulting’s PKI-as-a-Service, or managed PKI, allows you to get all the benefits of a well-run PKI without the operational complexity and cost of operating the software and hardware required to run the show. Your teams still maintain the control they need over day-to-day operations while offloading back-end tasks to a trusted team of PKI experts.

      Free Downloads

      Datasheet of Public Key Infrastructure

      We have years of experience in consulting, designing, implementing & migrating PKI solutions for enterprises across the country.

      Download
      Implementing & migrating PKI solutions for enterprises

      About the Author

      Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

      Read Time: 10 min

      Let’s define NIST Cyber Security Framework in brief. 

      The NIST Cyber Security Framework known as NIST CSF is a cybersecurity assessment-type framework developed by the NIST (National Institute of Standards and Technology). The core purpose of the NIST CSF is to protect the nation’s critical infrastructure using a set of cybersecurity best practices and recommendations. It’s a voluntary, risk-based, and outcome-oriented cybersecurity framework to help your organization to categorize its security activities around five key functions 1) Identify 2) Protect, 3) Detect, 4) Respond, and 5) Recover.

       Let’s look at each function briefly:

      Identify – The Identify function assist you to evolve an overall cybersecurity risk management approach to systems, people, assets, data, and capabilities in the organization. It helps you to identify the critical assets, overall business environment, governance model, and supply chain. 

      Protect – The protect function helps you to set up defensive controls based on the inputs from identify function such as critical assets, risk tolerance/acceptance levels. It also emphasizes the importance of access control & identity management, protecting data, and training & awareness to users. 

      Detect – The detection functions help you to detect anomalies, malicious activities, and other events effectively by continuous security monitoring and with the help of other detection processes & procedures. 

      Respond – To complete the detection function, respond helps you to take the right action immediately through incident response planning, mitigation actions for events, accurate analysis, communication to the designated stakeholders, and continuous improvement with each event.

      Recover – Recover function assists you to get back to the pre-attack condition with the help of recovery planning, continuous improvement, and communication to the designated stakeholders.

      NIST Cyber Security Framework Overview: Core, Tiers, and Profile

      The NIST CSF consists of three sections:

      The core section represents cybersecurity practices, technical, operational, process security controls, and outcomes that support the five risk management functions such as Identify, Protect, Detect, Respond, and Recover.

      The tiers section emphasizes the organization’s processes of managing risks while remaining aligned with NIST CSF.

      The profiles characterize how effectively an organization’s cybersecurity program is managing its risk. It also expresses the state of an organization’s “as is” and ‘’to be’’ cybersecurity postures.


      NIST Cyber Security Framework and AWS Cloud

      Earlier AWS team published a guide on how to implement the NIST CSF in an AWS cloud environment. AWS recommends using NIST CSF as a mechanism to have baseline security in place that can improve the cloud security objectives of an organization. NIST CSF contains a comprehensive controls catalogue derived from the ISO/IEC 27001 (1), NIST SP 800-53 (2), COBIT (3), ANSI/ISA-62443 (4), and the Top 20 Critical Security Controls (CSC) (5).

      There is a listing on the AWS portal that specifies the alignment of NIST CSF to various AWS services that are known as “AWS Services and Customer Responsibility matrix for Alignment to the CSF” (6). This is a comprehensive list that customers can use to align their needs with the CSF in the AWS cloud for their security requirements. Also, this enables the customer to design their baseline security requirements to meet their security goals.

      AWS Cloud Adoption Framework

      Before setting up a baseline, it is important for a customer to have a clear understanding of their business use cases and the customer-owned responsibilities for “security in the AWS cloud”. The customer should review the “AWS Cloud Adoption Framework” (7) to evaluate the governance model that will be required while implementing the NIST CSF into the AWS cloud services. The AWS CAF (Cloud Adoption Framework) lists pointers known as “CAF Perspectives” to identify gaps in security skills, capabilities, and cybersecurity processes.

      NIST CSF Functions and Responsibilities (Customer-owned & AWS-owned)

      AWS team has come up with the concept of NIST CSF Functions categories & sub-categories into 108-outcome based security activities. Every function depicts the Customer-owned and AWS-owned responsibilities that mean security of the cloud owned by AWS and security in the cloud owned by the Customer. Business owners/stakeholders can use the AWS link of “AWS Services and Customer Responsibility matrix for Alignment to the CSF” to tailor their needs as per the organization’s tiers and profile level in the CSF.

      The below figure represents the CSF core functions (Identify, Protect, Detect, Respond, and Recover) with categories defined and those that have been converted to 108-outcome based security activities (8) by AWS.

      Till now we have discussed the NIST CSF alignment with the AWS Cloud Services and how the customer can use CAF (Cloud Adoption Framework) to evaluate the skill gap, capability, and cybersecurity processes using the CAF Perspectives.    

      Let’s discuss how appropriate AWS services can be leveraged to set up effective Security Architecture using NIST Cyber Security Framework.

      The table below provides a summarized view of AWS Cloud Services categorized into the NIST CSF Core Functions based on the nature of the service:

      #IdentifyProtectDetectRespondRecover
      1OrganizationsShieldGuardDutyCloudWatchOpsWorks
      2Security HubCertificate ManagerMacieLambdaCloudFormation
      3ConfigKMSInspectorDetectiveS3 Glacier
      4Trusted AdvisorNetwork FirewallSecurity HubCloudTrailSnapshot
      5Systems ManagerWAF Systems ManagerArchive
      6Control TowerFirewall Manager Step FunctionsCloudEndure Disaster Recovery
      7 CloudHSM   
      8 IAM   
      9 Direct Connect   
      10VPC    
      11 Single-Sign-On   

      Conclusion:

      Having the AWS Cloud Services aligned with the NIST CSF enables the customer to improve their cloud security posture with appropriate risk management and industry-compliant cloud services. Encryption Consulting, a leading cyber-security firm, offers various AWS and NIST related cybersecurity consulting Services catering to its customers a risk and security control maturity assessment based on the outlined standards. Encryption Consulting helps customers to get them familiarized with NIST CSF and AWS security tools & documentation and assist them in conducting a meaningful and quantifiable cybersecurity assessment while keeping the organization’s business goals intact.

      Resources:
      1. ISO/IEC 27001:2013, Information Technology – Security techniques – Information Security management systems – Requirements. ISO. Retrieved February 18, 2021, from: https://www.iso.org/standard/54534.html
      2. NIST Special Publication (SP) 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations. National Institute for Standards and Technology. Retrieved February 18, 2021, from: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
      3. Control Objectives for Information and Related Technology (COBIT), an ISACA Framework. Information Systems Audit and Control Association (ISACA). Retrieved February 18, 2021 from: https://www.isaca.org/resources/cobit
      4. ANSI/ISA-62443-2-4-2018 / IEC 62443-2-4:2015+AMD1:2017 CSV, Security for industrial automation and control systems. International Society of Automation (ISACA).
      5. The 20 CIS Controls & Resources. Center for Internet Security (CIS). Retrieved February 18, 2021, from: https://www.cisecurity.org/controls/cis-controls-list/
      6. AWS Services and Customer Responsibility Matrix for Alignment to the CSF can be downloaded from here: https://aws.amazon.com/compliance/nist/
      7. An overview of the AWS Cloud Adoption Framework (CAF), Ver. 2. Amazon Web Services, Inc.
      8. An overview of AWS capabilities that can be leveraged with NIST CSF: https://d1.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf

      Free Downloads

      Datasheet of Encryption Consulting Services

      Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

      Download
      Encryption Services

      About the Author

      Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

      Read time: 7 minutes

      Let’s define Code signing in brief.

      Code signing is a method of putting a digital signature on a file, document, software, or executable to test its authenticity and genuineness in regards to the functionality and features that it provides. This also ensures that the software entity (file, document, software, or executable) is not tampered with while in transit.

      Code signing can be implemented in two ways: Client-side signing & Server-side signing.

      Both mentioned Code signing methods that were popular until the SolarWinds’ attack came into the limelight and post that Client-side signing became the talk of the town as this doesn’t require to upload/move the signing files, hence preventing the attacks where malicious code is also getting signed as part of the original file/entity signing.

      Time to understand the hashing function first:

      The hashing algorithm is the cryptographic function that generates a fixed-length output that is called digest or hash value from a given input that may be of arbitrary size. The hash function has a property to generate a unique and one-way/non-reversible output which means we can’t get to the original input value by doing a reverse hash operation.

      Let’s look at a hashing algorithm example with a simple hash function:

      In the example above, a cryptographic hash function SHA-256 is shown that converts the arbitrary data into a fixed-size 256-bit hash value.

      Now, let’s understand the Server-side Code signing in detail.

      The following steps are performed while signing the code or any executable in a Server-side signing fashion:

      1. A unique key pair is generated and based on this key pair a CSR (Certificate Signing Request) is generated by a requester/developer.
      2. The CSR is sent to CA (certificate authority) with a code signing template.
      3. CA issues the certificate post validation and returns the code signing certificate with the public key to the requester.
      4. The code/executable to be signed is uploaded to the Code signing server by the requester.
      5. Once the code/executable is uploaded, the hash value of the code/executable is calculated with the help of any cryptographic hash function and since this hash value is computed on the server-side, hence the name Server-side hashing.
      6. The computed hash value is signed by the corresponding private key issued to the requester results in the digital signature.
      7. The digital signature, code signing certificate, and hash function information are now combined into a signature block and placed into the software, which is sent to the receiver/consumer.
      8. When the code/executable is received, the consumer’s computer first checks the authenticity of the code signing certificate.
      9. Once the authenticity is confirmed, the digest is then decrypted with the public key of the created key pair.
      10. The hash function is used on the code/executable to calculate the digest.
      11. The resulting digest is compared to the digest sent by the requester. If the digests match, then the software is safe to install.

      Let’s understand the Client-side signing in detail.

      The following steps are performed while signing the code or any executable in a Client-side signing fashion:

      1. A unique key pair is generated and based on this key pair a CSR (Certificate Signing Request) is generated by a requester/developer.
      2. The CSR is sent to CA (certificate authority) with a code signing template.
      3. CA issues the certificate post validation and returns the code signing certificate with the public key to the requester.
      4. The hash value of the code/executable is calculated with the help of any cryptographic hash function at the client end itself. Since this hash value is computed at the client-side, hence the name Client-side hashing.
      5. The hash value only i.e., digest of the code/executable to be signed is uploaded to the Code signing server by the requester.
      6. The computed hash value is signed by the corresponding private key issued to the requester results in the digital signature.
      7. The digital signature and hash function information is sent back to the client.
      8. The digital signature, code signing certificate, and hash function information are now combined into a signature block and placed into the software at the requester/developer end.
      9. When the code/executable is received at the consumer end, the consumer’s computer first checks the authenticity of the code signing certificate.
      10. Once the authenticity is confirmed, the digest is then decrypted with the public key of the created key pair.
      11. The hash function is used on the code/executable to calculate the digest.
      12. The resulting digest is compared to the digest sent by the requester. If the digests match, then the software is safe to install.

      Conclusion

      Code signing has become a quintessential requirement for software developers and the reason is code signing ensures trust among users to install the software without worrying about anything. Although both the Code-signing methods are used in the industry to date, however, SolarWinds’ attack changed the code signing landscape in the industry a lot. Now, the client-side signing is a preferred choice considering the fact that it provides a significant advantage in terms of remote digital signature generation, reducing the overall bandwidth requirement due to only hash value upload, and avoiding the attacks of malicious code signed due to no code file movement within the environment.

      Resources: www.encryptionconsulting.com/education-center/what-is-code-signing/

      Free Downloads

      Datasheet of Code Signing Solution

      Code signing is a process to confirm the authenticity and originality of digital information such as a piece of software code.

      Download
      secure and flexible code signing solution

      About the Author

      Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

      Read Time: 7 min

      In today’s world, protecting your data is the most critical job at hand for any security expert. Once the data is protected with the help of some data protection tool and passphrases or passwords, then the next challenge is how to protect the passphrases or passwords or secrets itself. That’s when you need a software or hardware tool which can help you manage the secrets effectively and efficiently. AWS Secrets Manager is one such tool that can manage, retrieve, and rotate the passwords, database credentials, API keys, and other secrets throughout their lifecycle. It provides the central credential management with security at its best, resulting in avoidance of hard coding of credentials in the code.

      Today, we will discuss the AWS Secrets Manager and its role in credential management facilitating some of the critical security use cases.

      Characteristics of AWS Secrets Manager

      AWS Secrets Manager provides various characteristics with respect to credentials management, such as:

      1. Integration with AWS KMS: AWS Secrets Manager is fully integrated with AWS KMS service and encrypts secrets as data-at-rest encryption with the Customer managed KMS keys. While retrieving the secrets, it decrypts the secrets using the same CMK KMS keys used earlier for encryption and transmits the secrets to your local environment securely.
      2. Secret Rotation: AWS Secrets Manager enables you to meet security and compliance requirements as per your organization’s goal. It provides you the secret rotation functionality on-demand or on a scheduled basis through the AWS management console, AWS SDK, or AWS CLI.
      3. Integrating with AWS Database services: AWS Secrets Manager supports native AWS database services such as Amazon RDS, Amazon DocumentDB, and Amazon Redshift. It also provides you the capability to rotate other types of secrets such as API Keys, OAuth tokens, and other credentials with the help of customized lambda functions.
      4. Contains multiple versions of secrets: AWS Secrets Manager can contain multiple versions of secrets with the help of staging labels attached with the version while rotating the secrets. Each secrets’ version contains a copy of the encrypted secret value.
      5. Manage access with fine-grained policies:  AWS Secrets Manager provides you flexible access management using IAM policies and resource-based policies. For e.g., you can retrieve secrets from your custom application running on EC2 to connect to a specific database instance (on-prem or cloud).
      6. Secure and audit secrets centrally: AWS Secrets Manager is fully integrated with AWS CloudTrail service for logging and audit purposes. For e.g., AWS CloudTrail will show the API calls related to creating the secret, retrieving the secret, deleting the secret, etc.

      We have discussed some of the characteristics of the Secrets Manager. Now, below are the key points to be kept in mind while working with Secrets Manager:

      1. You can manage secrets for databases, resources in On-prem & AWS cloud, SaaS applications, third-party API keys, and SSH keys, etc.
      2. AWS Secrets Manager provides compliance with all the major industry standards such as HIPAAPCI-DSS, ISO, FedRAMP, SOC, etc.
      3. Secrets Manager doesn’t store the secrets in plaintext in persistent storage.
      4. Since the Secrets Manager provides the secrets over the secure channel, it doesn’t allow any request from any host in an unsecure fashion.
      5. Secrets Manager supports the AWS tags feature, so you can implement tag-based access control on secrets managed by the secrets manager.
      6. To keep the traffic secured and without passing through the open internet, you can configure a private endpoint within your VPC to allow communication between your VPC and Secrets Manager.
      7. Secrets Manager doesn’t delete the secrets immediately; rather, it schedules the deletion for a minimum period of 7 days. Within those 7 days, you may recover the secrets depending upon your requirements and post the scheduled period; the secrets are deleted permanently. However, through the AWS CLI, you may delete any secrets on an immediate basis.
      8. The AWS Secrets Manager offers a cost-effective pricing model where it charges $0.40 per secret per month or $0.05 per 10K API calls.

      Use cases for AWS Secrets Manager

      1.  Secrets Manager avoids the need for hard-coding the credentials or sensitive information in your application code. It serves the purpose of having an API call to the secrets manager to retrieve the secret programmatically. Having this mechanism in place restricts anyone from compromising sensitive information or credentials as secret information doesn’t exist in the plaintext in the code.
      2. Secrets Manager provides centralized credential management, which reduces the operational burden resulting in the active rotation of credentials at regular intervals to improve the security posture of the organization.

      Resources: https://aws.amazon.com/secrets-manager/pricing/

      Conclusion:

      Secret management plays a critical role in data protection for any organization in any environment (On-prem or Cloud). AWS Secrets Manager provides a rich feature set when it comes to secret management solutions. It supports a wide variety of secrets such as database credentials, credentials for On-prem resources, SaaS application credentials, API keys, and SSH keys, etc. In today’s security world, there are a number of secret management solutions available; however, considering the fact that AWS Secrets Manager works seamlessly in the AWS environment, it also provides great compatibility with other environments (On-prem) as well.

      Free Downloads

      Datasheet of Encryption Consulting Services

      Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

      Download
      Encryption Services

      About the Author

      Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

      Read time: 15 minutes

      Often the way personal data is handled and managed is not the way it is supposed to be, especially regarding its security. There are some grave concerns about how various forms of sensitive personal data, such as financial, health, etc., are secured fundamentally. Without having the appropriate security measures and processes in place, bad actors or cybercriminals would have access to vast amounts of sensitive personal data leading to complete chaos in data management. To handle this critical and massive amount of data, we need to understand the thin line between data security and data privacy often used interchangeably.

      Today, we will discuss differentiating factor between data security & data privacy and the various factors such as encryption, tokenization, & masking affecting both of them.

      Data Security Vs. Data Privacy

      The actual difference between data privacy and data security belongs to the fact that which data is protected and how it’s protected. Data Security is about protecting data from malicious threats and bad actors, whereas data privacy is about using data responsibly.

      Data security is related to securing sensitive and critical data. Data security is primarily focused on deterring unauthorized & illegitimate access to data, via compromises, breaches or leaks, regardless of who the unauthorized party is. Enterprises use IT tools and technology such as firewalls, access control, user authentication & identification, network access control, and internal security measures to prevent such access. This also includes latest security technologies such as encryption, tokenization and masking to further enhance the data protection by making it unreadable—which, in the event of a breach, can block cybercriminals from exposing the massive amount of sensitive data.

      On the other hand, data privacy is concerned with how sensitive personal data is consumed, ingested, transmitted, or processed compliantly with the data owner’s consent. Data privacy is always about informing individuals upfront that which type of data will be collected for what purpose, and with whom it will be shared under specific circumstances. Now, once the organization puts these disclaimers, the user has to agree to the terms of use, allowing the organization to use the data following the compliance standards for the stated purpose.

      Data privacy is more of responsible use of data with specific disclaimers to avoid being misused and less about protecting data itself from bad actors. The use case for data privacy is somewhat different from data security; however, privacy is complemented with the data security measures such as de-identification of personal data (linking of personal data to its original subject), obfuscation and many more.

      It is common to see that data security and data privacy words are used synonymously, although they are very much different in their application. Data security can be implemented on its own, whereas data privacy needs security as a pillar to stand on its own. In simple words, data privacy enables limited access, whereas data security employs various processes or methods to provide that limited access.

      Data Security and Data Privacy vs. Compliance

      Now that we have understood about the data security and data privacy, we need to deep dive further to understand how the various industry regulations help organizations transform their data protection landscape.

      1. PCI DSS

        The Payment Card Industry Data Security Standard (PCI DSS) provides a framework for protecting the payment card information and cardholder data. PCI DSS is fundamentally associated with standards provided for the security controls about the storage, processing, and transmission of payment data, including the personal data such as name, address, etc., This standard applies to merchants, banks, any third parties involved, and any other entity handling cardholder data.

      2. CCPA

        The California Consumer Privacy Act (CCPA) aims for the consumer to retain ownership, power, and security of your personal information if you are a citizen of the state of California by establishing the significant rights to consumers such as:

        1. The right to know what and where personal information is being collected, sold, and disclosed about them
        2. The ability to deny the sale of personal information.
        3. The right to have equal service and price if one decides to exercise their privacy rights.
        4. The right to be able to have personal information deleted
      3. HIPAA

        The Health Insurance Portability and Accountability Act (HIPAA) provides a set of standards to protect the sensitive data of patients across the US. This regulation standard is complex as it includes a vast amount of health care data of US citizens. Companies dealing with Protected Health Information (PHI) must have administrative, physical, and technical security measures to be HIPPA compliant. There are covered entities providing treatment, accepting payments, operating in healthcare, or business associates, including anyone who has patient information and provides support in treatment, payments, or operations. General Security Rules require covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting PHI.

        1. Ensuring confidentiality, integrity, and availability of all PHI covered entities create, receive, maintain or transmit.
        2. Identify and protect against reasonably anticipated threats to the security or integrity of the information.
        3. Protect against reasonably anticipated, impermissible uses or disclosures.
        4. Ensure compliance by covered entities’ workforce.
      4. GDPR

        The General Data Protection Regulation (GDPR) is a digital data privacy standard for EU citizens. GDPR states the general guidelines for personal data, such as whose data should be protected, type of personal data, and how the data should be managed and protected. GDPR applies to all companies, which collect and process EU resident’s data. Non-EU companies would need to appoint a GDPR representative and be held liable for all fines and sanctions.

      5. NYDFS

        The New York Department of Financial Services (NYDFS) cybersecurity regulation is a set of rules applicable to the covered financial institutions. NYDFS applies to all the financial institutions operating under DFS licensure, registration, or charter or DFS regulated. The NYDFS Cybersecurity Regulation states the strict guidelines for cybersecurity rules and detailed cybersecurity plan designed by CISO, implementation of cybersecurity policy, and an ongoing maintenance and reporting system for cybersecurity incidents.

      6. HITECH

        The Health Information Technology for Economic and Clinical Health Act (HITECH) was mandated to embrace the purposeful usage of electronic health records (EHR) technology by U.S.-based healthcare providers and their business associates. HITECH means healthcare providers need to show that they are using certified EHR technology to avoid data breaches of unencrypted electronic health records.

        The HITECH Act also encouraged the stricter enforcement of the Privacy and Security Rules of HIPAA by making security audits of all healthcare providers compulsory. These audits are performed to investigate and determine whether health care providers meet minimum specified standards or not to conclude if they comply with the HIPAA’s Privacy Rule and Security Rule.

      Let’s discuss how Data Security and Data Privacy can be achieved with the help of the following security technologies:

      • Encryption
      • Tokenization
      • Masking
      • Encryption for Data Security and Data Privacy:

        Encryption provides data security for various forms of confidential data such as cardholder data, protected health information (PHI), personal identifiable information (PII), etc., by encrypting/decrypting with a mathematically derived key possessed by an authorized party. Data security becomes critical in the present environment when there are bad actors present everywhere on the internet. Many encryption applications protect personal data during data-at-rest and data-in-transit, however, leaving sensitive data unguarded in plain-text during processing.

        Although encryption became defacto standard for all data-in-transit and data-at-rest use cases, it still alone doesn’t provide the complete data privacy solution for sensitive data throughout its lifetime.

      • Tokenization for Data Security and Data Privacy:

        Tokenization plays an important and vital role while providing Data Security and Data Privacy as it has the capabilities to satisfy the requirements of both. Since the tokenization provides the functionality of pseudonymization, it can be treated as a redundant safeguarding mechanism to protect in the event of a security breach. With this technology’s help, even if the data in the organization’s system is compromised, it’s not much of use for bad actors as pseudonymization desensitizes the data by deidentifying it and making useless for cybercriminals.

        Since the data is desensitized in the organization’s system, the risk associated with data privacy is countered. So, it is clear that with the help of tokenization, our data security gets the needed strength, and on the other hand, data privacy also becomes robust because of the desensitization of personal data.

      • Masking for Data Security and Data Privacy:

        Data masking plays an instrumental role in data privacy by guarding the confidential information such as credit card information, PHI, PII etc., by replacing the actual data with the functional fictious data to be used in scenarios when the actual data is not needed. Gartner describes it as a technology that “can dynamically or statistically protect sensitive data by replacing it with fictitious data that looks realistic to prevent data loss in different use cases.” Data masking uses various mechanisms to alter the data using character or number substitution, character shuffling, or encryption algorithms. So, data masking, also known as data obfuscation or data pseudonymization, helps in handling data privacy issues for personal data to a great extent.

      Conclusion

      Data security and data privacy are two different approaches towards handling confidential personal data for individuals; however, often confused interchangeably. It is evident that data masking and tokenization have a deep focus on providing measures for data privacy, whereas encryption’s core focus is on data security. Considering the facts from all three security technologies, we can say that no single technology can completely secure personal information. All of them must work in conjunction to protect sensitive personal data from theft at different stages of their lifecycle.

      Resources:

      www.gartner.com/en/documents/3153926

      Free Downloads

      Datasheet of Encryption Consulting Services

      Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

      Download
      Encryption Services

      About the Author

      Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

      Read time: 7 min

      Let’s briefly discuss Code signing.

      Code signing is a method of putting a digital signature on a file, document, software, or executable to test its authenticity and genuineness in regards to the functionality and features that it provides. This also ensures that the software entity (file, document, software, or executable) is not tampered with while in transit.
      Code signing has become a quintessential requirement for software developers, The reason is code signing ensures a trust among users for the software, and also provides confidence to users to avoid the warning messages which appear when a user downloads/installs the executable in their environment.

      What is Time Stamping?

      Time stamping is an optional part of the code signing process, which allows software to recognize whether an applied code signing signature is valid–even after a code signing certificate expires. In other words, we can say that time stamping preserves the signature applied to the software.
      Whenever the signed software’s executable is run/executed on any client machine/system, its digital signature is verified by the user’s operating system. Now, suppose the user has time stamped the software. The users’ computer will verify the signature based on the time it was digitally signed, rather than the current time of the system when the software is executed.

      Below is the work flow for a time stamping process:

      Time Stamping is provided by the Time Stamp Authority (TSA) which uses Public Key Infrastructure (PKI) principles and technology for applying timestamps.

      The following steps are performed to Time Stamp software:

      1. A hashed value is created and sent to the TSA by the requester for the software that needs to be time stamped.
      2. Hash value, authoritative time and other related information such as data and time of the digital signature are combined by the TSA and signed by its private key to create a new hash value.
      3. Next, the new hash and the software’s hash is bundled up and sent to the requester.
      4. A requester’s application then receives the bundle and verifies it. Once the verification is done, the time stamp becomes valid and embedded within the code signature of the software.

      Let’s try to understand this in terms of a real-world scenario.
      Let’s assume that you are the developer, you did the code signing of your software, and the certificate is valid from January 2021 to till January 2022. Now, a user who downloads your software on October 2021 forgets to install it due to his busy schedule. He tries to install the software in February 2022, but he gets an error.
      Let’s understand the same scenario with the only exception that you have time stamped the software in July 2021. Now, when the user tries to install the software in February 2022, he is able to install it and doesn’t get any error at all. This is the effect of Time Stamping!!

      Protocols used in Time Stamping

      The following protocols are used in Time Stamping software:

      RFC 3161

      RFC 3161 is updated and designated as RFC 5035 which additionally allows the use of ESSCertIDv2.

      Microsoft Authenticode

      Microsoft Authenticode can be utilized in various formats such as .cab, .exe, .ocx, and .dll

      Code Sign Time Stamping best practices

      The following best practices can be adapted while Code sign Time Stamping is done:

      1. Always make sure that the time stamping option is enabled in your signing tool, such as Microsoft Signtool. Also, choose a signing tool which supports the time stamping option as it’s an optional feature by default.
      2. Ensure that time stamping is included as part of your software development lifecycle process. This will avoid any unexpected issues occurring due to version mismatches.
      3. Document the complete process for your signing tool while using the time stamping option, as every sign tool has a different workflow for time stamping. Also, distribute this document to every stakeholder involved in the code signing process.
      4. Time stamping allows the client system to verify if the software was signed before or after the revocation of the code signing certificate. So, if you want to revoke the code signing certificate for any reason, such as private key compromise, you may do so. The client system will not have any difficulty while installing the software, as time stamping was done when the code signing certificate was valid.

      Conclusion

      Time stamping appears to be an optional step, whereas it is a vital component of the code signing ecosystem in your organization. Without time stamping, expiration/revocation of code signing certificates would lessen the confidence of customers in the same software product. Timestamps make sure that even if certificates lose their validity or are revoked for some reason, their signatures remain valid, secure and trusted.

      Free Downloads

      Datasheet of Public Key Infrastructure

      We have years of experience in consulting, designing, implementing & migrating PKI solutions for enterprises across the country.

      Download
      Implementing & migrating PKI solutions for enterprises

      About the Author

      Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

      Read time: 5 min

      The present world sees more and more organizations migrating to Cloud Service Providers to get the advantages associated with cloud computing, such as cost saving, security, flexibility, mobility, and sustainability. Out of those, Security is a critical aspect of any Cloud Service model, as it is applicable to any Cloud Service offerings that involve sensitive data.

      Today we will discuss the Microsoft Azure’s Key Vault service in the above context.

      Now, let us understand the actual meaning of vault – it is a treasury, which is used to store your valuable items. When we comprehend this meaning in reference to the Azure Cloud world, it gives the correct impression i.e. a treasury of my keys and secrets. It acts as central storage for all sensitive information that can be stored secretly via encryption and can be retrieved/used based on permissions.
      To elaborate further, the Microsoft Azure Key Vault service focuses on the security of the below subjects:

      1. Secret ManagementThe Azure Key Vault service can be used to securely store and control access of secrets, such as authentication keys, storage account keys, passwords, tokens, API keys, .pfx files, and other secrets.
      2. Key ManagementThe Azure Key Vault service can be used to manage the encryption keys for data encryption.
      3. Certificate ManagementThe Azure Key Vault service enables you to provision, manage, and deploy SSL/TLS certificates seamlessly for use with Azure integrated services.

      Security being the primary driving force of Azure Key Vault’s existence, Microsoft offers the following tiers based on key protection:

      1. Standard TierUses Software vaults for storing and managing cryptographic keys, secrets, certificates and storage account keys. This is compliant with FIPS 140-2 level 2 (vaults).
      2. Premium TierUses a Managed HSM Pool for storing and managing HSM-backed cryptographic keys. This is compliant with FIPS 140-2 level 3 (managed HSM pools).

      Terminology used in Azure Key Vault:

      Secret

      A Secret is a small data blob (up to 10 KB in size) used in the authorization of users/applications with the help of a Key Vault. In a nutshell, Key Vault helps in mitigating the risk associated with the storage of secrets in a non-secure location.

      Keys

      Keys are also used in the authorization of users/applications to perform any operation while invoking the cryptographic functions of the Key Vault. Unlike secrets, Keys doesn’t leave the secure boundaries of the Key Vault.

      Key Vault Owner

      An administrator who creates the Key Vault and authorizes the users/applications for various authentication specific operations.

      Key Owner/Secret Owner/Vault Consumer

      An administrator who owns the Key/Secret for the specific user/application and is responsible for Key/Secret creation in the Key Vault.Kindly note that Key Vault owner and Key/Secret owner roles might be handled by the same administrator, but it’s not necessary.

      Service Principal

      Identity created (user group/application) for use with applications to access Azure resources.

      Application Owner

      An administrator who handles the application configuration, including authentication against the Azure Active Directory in the form of URI using Key Vault.

      Application

      An application authenticates itself from the Key Vault with the help of Keys/Secrets.

      Access Policy

      Statements that grant access to service principal permissions to perform various operations on keys/secrets in Key Vault.

      Ways to access Keys and Secrets in a Key Vault:

      1. To access the keys/secrets, users/applications must have the valid Azure Active Directory token representing the Security Principal with the appropriate permissions of the target Key Vault.
      2. Users/applications can use REST-based APIs or Windows PowerShell to retrieve secrets and Keys (public keys only) from the Key Vault.

      Steps to authenticate an application with the Key Vault:

      1. The application which needs authentication is registered with Azure Active Directory as a Service Principal.
      2. The key Vault Owner/Administrator will then create a Key Vault and then attaches the ACLs (Access Control Lists) to the Vault so that the Application can access it.
      3. The application initiates the connection and authenticates itself against the Azure Active Directory to get the token successfully.
      4. The application then presents this token to the Key Vault to get access.
      5. The Vault validates the token and grants access to the application based on successful token verification.


      At last, let’s discuss some of the benefits of using Azure Key Vault.

      Benefits of using Azure Key Vault:

      1. As the keys saved in vault will be served via URIs, this avoids the risk of accidental exposure and storage of keys in non-secure locations.
      2. By design, even the vendor (Microsoft) can’t extract or see customer keys, hence, its fully protected at the vendor level too.
      3. If your organization needs security compliance while requiring the Key Vault, Azure Key Vault is a good option, as the Key Vault service is FIPS 140-2 Level 2 (Vault) / FIPS 140-2 Level 3 (Managed HSM Pools) compliant.
      4. Key usage details are logged, so the log data can be used for audit purpose in case of any key compromise situation.

      Conclusion

      Azure Key Vault streamlines the secret, key, and certificate management process and enables you to maintain strict control over secrets/keys that access and encrypt your data. This expedites the overall project delivery by having developers create keys quickly for development and testing, and then seamlessly migrate them to production keys.

      Free Downloads

      Datasheet of Encryption Consulting Services

      Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

      Download
      Encryption Services

      About the Author

      Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

      Let's talk