The Increase of Data and Compliance Regulations – How Can Businesses Best Keep Pace?

Data flow is evolving from the ground up – quite literally – with Big Data, the Cloud and IoT changing the way we store, process and share information. But with the rapid growth of data – expected to reach 44ZB by 2020 according to IDC – comes an exponentially larger surface area for hacks, attacks, loss and theft.

As we are dealing with more and more data, penalty-enforced data privacy and security regulations are quickly emerging at local, national and multi-national levels of government. These regulations, designed to ensure that businesses are putting protections in place to safeguard client data, regardless of where it resides, have created increased accountability to defend against external and internal threats.  At the same time, these regulations present a complex and fragmented minefield for businesses to navigate.

What are some of these regulations?

Newer regulations, like EU GDPR and the EU-U.S. Privacy Shield (the replacement for the EU-U.S. Safe Harbor agreement) on a multi-national level, and the California Breach Notification Law and New York Financial Sector Cybersecurity Regulation at the state level, for example, include greater protections, notification guidelines and/or penalties for non-compliance.  Then there are existing yet evolving regulations, like PCI DSS 3.2 for companies handling card data and HIPAA in the healthcare sector, that relevant businesses need to appropriately address as well.  Adding to that, changes in the administration with the recent elections could add more complexity and requirements when it comes to protecting data.

What does this all mean?

Data privacy is more and more being considered a fundamental human right.   With stricter requirements for protection and increased monitoring and enforcement, businesses must be prepared.

To defend data against cyberattacks, the threats from within, and the vulnerabilities of Cloud services, as well as to protect your business from the fines that result from non-compliance to regulations, you should enforce encryption.  Encryption not only turns information or data into an unbreakable, unreadable code should someone unauthorized try to access it, but it is also often the only technology referenced in these evolving and escalating regulations as a reasonable and appropriate security measure.  Encryption is the last line of defense when a breach occurs, regardless of whatever action caused it, invader or accident.  And centralized encryption management, which ensures keys are controlled from one point, helps a company enforce both regulatory and governance requirements.   To learn more about encryption solutions, click here.

Why I Choose to Let our Employees work from Home

I once worked for a company who didn’t believe in Technical Support employees working from home, despite having all the technology in place to allow that to happen. Their reasoning? Technical Support employees couldn’t be effective if they were not in the office. I’ve always thought that thinking was flawed, and my experiences with the work from home policy that WinMagic has in place reinforces that belief.

 

BitLocker: Compliant or Practical? – Mixed Messages from Microsoft

On one hand, Microsoft says that BitLocker with pre-boot authentication (TPM + PIN) is the recommended best practice (See Here).  On the other, Microsoft admits that BitLocker with their pre-boot authentication “inconveniences users and increases IT management costs.” A mixed message for any IT pro responsible for keeping devices compliant and secure.

Read on to discover the compliance shortfalls of BitLocker and how to address them.

Is Microsoft claiming Pre-Boot Authentication for FDE is not necessary?

Is Microsoft really claiming pre-boot authentication (PBA) for Full Disk Encryption (FDE) is not necessary? One could certainly get that impression from recent articles (HERE and HERE) posted by the organization.  The first article on “Types of attacks for volume encryption keys” lists a few known historical attacks that “could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution”, and the second makes statements like “For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented.

WinMagic | Announcing our newly enhanced Customer Portal

Announcing our newly enhanced Customer Portal

Back in November of last year, I was part of a conference call with a European customer who needed some high level reassurance from us. As part of that request, they mentioned that our customer portal could not help them properly manage support tickets. Thus, I hijacked the call and started a GoToMeeting session from my desktop.  I gave them the opportunity to walk me through exactly what they found problematic about our customer portal. For the next 20 minutes they did a masterful job of highlighting what areas of the customer portal simply weren’t working for them.  And If put myself in their shoes, I could see that they were not only right, but it was likely that other customers felt this way and had never said anything to us.

With this knowledge, I did something radical, which was to hold many meetings over the next two months where I would bring a proof of concept to the table, and have the customer critique it. This helped us to get to where we are today. Which is, to announce the release of Phase One of our enhanced customer portal.

Tech Support With Headset IT

How Can I Help You?

Recently, I was on the phone with a customer who asked me this question: “How can we better help you to help us?” That’s a question that I was not used to getting. But it made me think about what customers could do to get better tech support. I ended up taking a day or two for me to really think about it, but I came up with the following which I decided to share with you:

Cloud Physical Virtual VM Servers

Physical Servers to Hyper-Convergence – A Need for Encryption

In the past I have tried to make the case for encrypting physical servers on premise.   The argument for not needing to encrypt them is usually that these servers run for weeks, months or even years without being brought down, and that they are physically protected within a well-fortified data center.  The protection that FDE (Full Drive Encryption) brings only really applies to data at rest and it seldom is at rest on these servers.   I would counter that all drives eventually leave the data center for repair or disposal and having them encrypted protects you from having your old drives with your customer data on them show up on eBay.  An encrypted drive can be quickly and easily crypto-erased if it is still operational, and if not, the data is still not accessible without the encryption key.

Today with virtualization and especially with hyperconvergence infrastructure (HCI) the attack surface has greatly expanded and therefore the need for FDE has greatly increased. But before I make my case, here is some background on HCI:

A hyper-converged system is a pre-configured virtualized server platform that combines compute, storage, networking, and management software in a single appliance.  Hyper-convergence enables customers to simply and rapidly deploy mixed-workload and virtual desktop integrated infrastructure solutions across local or remote locations. i.e. it is a mini Cloud in a box that can be connected to other HCI boxes.

HCI boxes are still physical things kept on premise, and the argument above for protecting them with FDE still applies. However, the argument for not encrypting them doesn’t.   HCI workloads run in Virtual Machines (VM) on top of the hypervisor, not directly on the physical hardware.  It is the VM and its data that needs protecting.   In today’s fast moving environment the VMs come up and go down much more often than physical machines.  In some cases VMs come and go several times a day.   When an admin takes a snapshot of running machine or turns it off, the VM is at rest and a VM at rest is just a big file.   It can be copied onto a USB memory stick or over the network.  In fact one of the advantages of HCI is that workloads (or VMs) can be moved around easily from HCI node (box) to HCI node. Looking forward, HCI vendors are working with the public cloud providers, such as Google, to move workloads seamlessly back and forth between on premise and the public cloud.  So unlike physical servers VMs can move around a lot and often are in a data at rest state.    This is the perfect application of FDE, but not at the physical (hardware) level.  If we encrypt only at the physical level, the only protection we get is for the disposal or loss of the physical drive.  However, the VM, is easy to move around, and is still in plain text if copied even when using physical level FDE.  The answer then is to encrypt the VM itself, preferably with in-guest encryption that is independent of the hypervisor with the key under the control of the enterprise.  This way even if the VM is moved to another HCI box – perhaps in another country or even into a public cloud –  the customer keeps control of the data, because it can decide to provide the key or not to decrypt and unlock the VM.

Advantages of VM encryption for HCI include:

  • Scalability: VM-level Encryption is highly scalable. It is protection that actually resides with your data and scales with each new VM brought up.
  • Security: Physical level Encryption protects against lost or stolen physical drives.   VM-level Encryption protects against lost or stolen physical drives, unauthorized data movement, access, replication, etc.
  • Continuity: With physical level Encryption, workloads are decrypted (unprotected) in-transit – no continuity in security model. VM-level Encryption protects workloads continuously, persistently as they move, clone, snapshot across your infrastructure
  • Portability: Physical level Encryption is reliant on exactly that, your hardware – but what about hybrid IT and workloads in-transit.   VM-level Encryption eliminates lock-in to hardware, hypervisors or cloud providers – it’s completely portable protection
  • Flexibility: VM-level encryption allows you to encrypt sensitive workloads and run them securely alongside your non-sensitive workloads. Different keys and policies can apply to different VMs
  • Governance: VM-level Encryption enables boot-based policies so you can control, who can access your data, where your data resides and how it is protected
  • Termination: VM-level Encryption allows you to securely terminate individual workloads as you’re finished with them – it’s simple

To summarize, in the old world some can rationalize not encrypting their physical servers, because there are compensating physical controls such as locked doors and sturdy walls.   In today’s world with HCI and virtualization, workloads are virtual, dynamic, mobile, scalable and vulnerable.   The solution is to protect them with in-guest encryption with keys under the control of the VM owner.

Read our press release on our recent collaboration with Scale Computing