@CloudExpo | PCI-DSS Encryption Requirements

Significant money is at stake and in need of protection in the Payment Card Industry (PCI). The global payment card industry covers several sectors: banks and financial institutions (acquirers), issuers, processors, service providers, merchants carrying out transactions online and via point of sale terminals in bricks and mortar stores, large and small.

The PCI Security Organization's Data Security Standard (DSS) applies to your business if you store, process or transmit cardholder data (CHD). The PCI supply chain is not an isolated entity: it needs to protect itself well beyond its own perimeter fences, because business entities also need to protect the billions of people who every day key in their Personal Identification Numbers (PINs) and other personal data as they trade or carry out transactions in store or over the Internet, from fixed and mobile devices, using payment cards. Increasingly, commerce takes place via mobile devices over wireless networks, with the card itself rarely being physically present at the store.

As credit and debit cards are used more and more, checks are disappearing in many economies. In a mobile, electronic, global world, the payment card industry continues to grow. In May 2014, for example, 47.1 billion was spent in the United Kingdom on cards of all types (credit and debit), a 7.5% annual growth in spending over May 2013, at a time when the country's economy is a long way from recovery.

It's not surprising, therefore, that the payment card industry attracts people of malicious intent.

In this reality, if your business occupies any of the nodes in the payment card supply chain, you must comply with the 12 core requirements of PCI-DSS to keep perpetrators of payment card fraud at bay. You will need to ensure you have the same levels of protection, and thus of PCI-DSS compliance, in the cloud and in your data centers. In addition, you must make sure that all third-party service providers you use are fully PCI-compliant.

Several of the 12 PCI-DSS requirements are relevant for cloud security. However, on this occasion, we'll single out those sections of requirement number 3 which relate specifically to the protection of stored cardholder data. As you'll see below, you can comply with these requirements by using Porticor's data encryption and cloud key management system.

PCI-DSS Encryption: Requirement 3

Requirement 3.4, for example, states that you must make sure that Primary Account Numbers (PANs) are unreadable, wherever they are stored. Our solution ensures your compliance here thanks to strong hashing (SHA-2) and AES-256 encryption, augmented by robust encryption key management.

You must not tie decryption keys to user accounts, regardless of whether you encrypt at the disk, file or column level of the database, nor must you allow access to the cryptographic key by native operating systems. Your compliance is assured on both points with Porticor's key management algorithm, which by default splits the key. This keeps it independent of the OS, as well as of administrators and service providers in your supply chain. In other words, access is limited to very few custodians, who must always act together rather than any one on their own, which ensures your compliance with requirements 3.5.1 and 3.5.2.
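As an added illustration in Go (not Porticor's code: the XOR split is a hypothetical stand-in for their split-key algorithm, and the HMAC key and the test PAN are constructed), here is how column-level PAN protection can satisfy 3.4 while no single custodian, OS or provider ever holds the whole key for 3.5.1 and 3.5.2:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// KeyShare is one custodian's half of the 256-bit data-encrypting key (DEK).
// The XOR split is a hypothetical illustration, not Porticor's algorithm.
type KeyShare [32]byte

func xor(x, y []byte) []byte {
	out := make([]byte, len(x))
	for i := range x {
		out[i] = x[i] ^ y[i]
	}
	return out
}

// SplitKey draws a fresh AES-256 key and returns it as two shares. Either share
// alone is uniformly random, so no single custodian, OS or service provider
// ever holds a usable DEK (requirements 3.5.1 and 3.5.2).
func SplitKey() (a, b KeyShare, err error) {
	var key KeyShare
	if _, err = rand.Read(key[:]); err == nil {
		_, err = rand.Read(a[:])
	}
	copy(b[:], xor(key[:], a[:]))
	return
}

// Combine rebuilds the DEK; it only works with both custodians acting together.
func Combine(a, b KeyShare) []byte { return xor(a[:], b[:]) }

// NewPANCipher binds a DEK to AES-256-GCM, the cipher used for PAN storage.
func NewPANCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN renders the PAN unreadable (requirement 3.4); the stored value is
// nonce || ciphertext || tag.
func EncryptPAN(aead cipher.AEAD, pan string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN reverses EncryptPAN. A wrong or partial key fails the GCM tag
// check rather than yielding plausible digits, so a lone share is useless.
func DecryptPAN(aead cipher.AEAD, stored []byte) (string, error) {
	n := aead.NonceSize()
	if len(stored) < n {
		return "", errors.New("stored value too short")
	}
	pt, err := aead.Open(nil, stored[:n], stored[n:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// PANFingerprint is a keyed SHA-256 (HMAC) over the whole PAN for matching
// records without keeping the PAN. An unkeyed hash of the small PAN space can
// be enumerated offline, so the HMAC key needs the same custody as the DEK.
func PANFingerprint(hashKey []byte, pan string) []byte {
	mac := hmac.New(sha256.New, hashKey)
	mac.Write([]byte(pan))
	return mac.Sum(nil)
}
```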


SyncDog Announces Partnership with SafeLogic, Integrating CryptoComply to SyncDog Sentinel Product for Compliant …

Reston, VA (PRWEB) September 08, 2014

SyncDog, Inc., an industry-leading provider of enterprise mobility solutions, today announced a technology partnership with SafeLogic, a provider of innovative encryption products for applications in servers, workstations, appliances, and mobile devices. SyncDog, known for its SentinelSecure mobile security solutions, will feature SafeLogic's CryptoComply module at MobileCON, part of the Super Mobility Week expo in Las Vegas, September 9th-11th.

SyncDog's flagship product SentinelSecure provides mobile app containerization, active mobile server monitoring, mobile device provisioning and administration with end-to-end transaction monitoring. SyncDog has licensed SafeLogic's CryptoComply module for deployment on iOS and Android platforms, to provide FIPS 140-2 validated encryption in SyncDog's SentinelSecure container product. SyncDog will be taking orders for SyncDog SentinelSecure featuring CryptoComply at MobileCON in Las Vegas, with full integration for the combined product offering slated for October 1, 2014.

"FIPS 140 was established as a benchmark for encryption over 20 years ago, and it is now demanded by enterprise customers worldwide in addition to the government and military," said SafeLogic CEO Ray Potter. "The SyncDog partnership now provides wider distribution of a defense-grade secure mobile container to public and private industry, as well as local, state and federal government. We are proud to be a piece of the SentinelSecure solution."

"We are excited to be able to offer encryption that has been certified to the FIPS 140 standard," said SyncDog President and CEO Jonas Gyllensvaan. "We look forward to discussing this new development and other client work with our SentinelSecure product line at MobileCON in Las Vegas."

Gyllensvaan and Potter will be available to the media in the SyncDog booth (#7711) at MobileCON from 1:00-2:00 PM Pacific Time on Tuesday, September 9. A media advisory has been issued and can be accessed here for this editorial interview opportunity.

About SyncDog, Inc.

A mobile workforce fueled by BYOD is fast replacing traditional computing as the most complex work platform for IT professionals to manage. IT shops are now forced to support platforms running outside of their standard networks, creating a nearly insurmountable dilemma for maintaining service quality and security.

SyncDog, Inc. offsets this burden with a comprehensive solution that manages pro-active mobile device monitoring, mobile device security, mobile application containerization, and compliance reporting. Our flagship product SyncDog Enterprise Mobility Platform solves the mobility service and security dilemma that keeps IT staff in the dark about service disruptions and security issues caused by malicious and careless users. With SyncDog Enterprise Mobility, IT administrators have the enterprise visibility to be proactive with application delivery and security, giving them the freedom to focus on driving revenue to the organization.

The mobile workforce is the new enterprise norm and disruptions to mobile service delivery and system-wide security can be devastating to both revenue and reputation. SyncDog Enterprise Mobility is a powerful combination of low overhead and predictive intelligence for all of today's mobile platforms. Your network supports every transaction crossing it and SyncDog helps you understand it. More info: http://www.syncdog.com.


The intricacies of Bring Your Own Encryption (BYOE)

2014 has been the year of Bring Your Own Encryption

This year's steady drumbeat of major data breaches, Snowden disclosures, and other cyber-attacks is causing all sorts of businesses to look well beyond compliance requirements to what it will take to protect themselves and their customers from additional risks. As such, Bring-Your-Own-Encryption (BYOE) looks like a very strong trend: cloud providers want an increasing amount of flexibility around implementing encryption and, at the very least, want the ability to enable their customers to maintain control of their own encryption keys.

The main drivers for BYOE

Before we look at the challenges and opportunities that BYOE affords cloud hosting providers, it is important to understand the main drivers for the heightened level of security (and reduced risk) that go with BYOE. These are: compliance with standards, risk of breaches, protection of intellectual property (IP), and, lastly, contractual requirements. In the first instance, any organisation that has compliance requirements such as PCI DSS will need to fully meet those requirements and ensure a segregation of roles by user type, or provide for what are called 'compensating controls' if allowed. Secondly, increasing reports of cyber-attacks, along with governments around the globe introducing harsher penalties for loss of personal information, add further weight to the arguments for the encryption of cloud data.


Organisations with critical information, the loss of which could fundamentally damage their business (typically aerospace, defence, financial or manufacturing), need the strongest data assurance solutions available. But these solutions must not impede their ability to take advantage of the scalability and flexibility that the cloud model brings. For cloud providers whose customers are in one of the areas mentioned above, it is not unusual to be required to encrypt data to the same standards as that customer applies to their own data. Indeed, this stipulation is frequently passed through as a contractual requirement for doing business.

How it works

To understand how BYOE works, there are two typical implementation scenarios to consider from an end user perspective. The first is for the end user to manage their encryption keys within the cloud environment; the second is managing encryption keys away from the cloud provider's premises, in the end user's own data centre or other environment.

In both cases, the cloud provider does not usually manage the keys or set the encryption and access policies, which means there is less possibility that a compromise of the cloud provider's architecture or physical infrastructure by a third party could compromise data. That said, a compromise of a cloud provider's account might be leveraged to access the key and policy management environment, and then used to get access to data.



Super-secure quantum-based data encryption for everyone

With a new device set to make unbreakable, quantum-based cryptographic security available for everyone for the very first time, ordinary people will be able to use cryptographic systems that until recently only existed as experiments in the most advanced physics laboratories.

Using technology developed at the Los Alamos National Laboratory (LANL) and incorporating the quantum mechanics of random photon polarization, the new device generates random numbers and creates cryptographic keys so fast and so securely that the technology is said to revolutionize high-speed cryptography and offer a completely new commercial platform for real-time encryption at high data rates.

This claimed breakthrough is made possible by taking advantage of the various spin states of photons. In line with quantum wave theory, a photon exists in all spin states at once. However, if a photon is passed through a polarizing filter that rejects given spin states, the photon can be made to exhibit just one of four possible states of spin: vertical, horizontal, left, or right.

In this way, random filters may be applied to photons, which in turn represent ones or zeroes of binary data, depending on the state of spin selected and the binary notation attributed to it.

However, in accordance with Heisenberg's Uncertainty Principle, once the photon is polarized we cannot then accurately measure it again, unless we apply a filter to it at the end of its journey just like the one it went through at the start to measure its spin state. This means that only the receiver, who knows the filter sequence required to decode the incoming photon stream, can then read off the encoded data.

More importantly, anyone attempting to intercept the resulting data stream cannot eavesdrop on the transmission because any attempted observation of a quantum system also alters it, and the quantum state changes resulting from attempted unauthorized reading would be immediately detected.
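The filter-and-detect scheme described above, as an added classical simulation in Go (not LANL's or Whitewood's code; the two-filter-basis toy model, the receiver's random filter choice with later public comparison of filter choices, and the roughly 25% disturbance figure are this example's own assumptions): an interceptor must guess a filter to read each photon and forwards the disturbed state, and the sender and receiver spot the disturbance in the positions where their filters matched.

```go
package main

import (
	"math/rand"
)

// Basis selects the polarizing filter: Rectilinear passes vertical/horizontal,
// Diagonal passes left/right. A photon carries one bit in one basis.
type Basis uint8

const (
	Rectilinear Basis = iota
	Diagonal
)

// Photon is the polarization state in flight, modelled classically as the
// basis it was prepared in and the bit encoded in that basis (toy model
// added for illustration, not LANL's or Whitewood's design).
type Photon struct {
	Basis Basis
	Bit   uint8
}

// Measure applies a filter. With the matching filter the bit is read exactly;
// with the other filter the outcome is random and the photon is left in the
// new state, so the originally encoded bit is destroyed.
func Measure(p *Photon, filter Basis, rng *rand.Rand) uint8 {
	if p.Basis != filter {
		p.Basis = filter
		p.Bit = uint8(rng.Intn(2))
	}
	return p.Bit
}

// Result summarises one exchange: positions where sender and receiver used the
// same filter (the sifted key) and how many of those bits disagree.
type Result struct {
	Sifted, Errors int
}

// ErrorRate is the fraction of sifted bits that disagree. Without interception
// it is zero; an interceptor guesses the wrong filter half the time and then
// randomises the bit half of that time, so it rises to about 25%.
func (r Result) ErrorRate() float64 {
	if r.Sifted == 0 {
		return 0
	}
	return float64(r.Errors) / float64(r.Sifted)
}

// Exchange sends n photons with random bits and filters (seeded so runs are
// reproducible). The receiver picks its own random filters; afterwards both
// sides compare filter choices (not bits), keep the matching positions, and
// check a sample of those bits for the disturbance an eavesdropper leaves.
func Exchange(n int, eavesdrop bool, seed int64) Result {
	rng := rand.New(rand.NewSource(seed))
	var r Result
	for i := 0; i < n; i++ {
		sentBasis := Basis(rng.Intn(2))
		sentBit := uint8(rng.Intn(2))
		p := Photon{Basis: sentBasis, Bit: sentBit}
		if eavesdrop {
			// The interceptor has to choose a filter to read the photon and
			// can only forward whatever state the measurement leaves behind.
			Measure(&p, Basis(rng.Intn(2)), rng)
		}
		recvBasis := Basis(rng.Intn(2))
		got := Measure(&p, recvBasis, rng)
		if recvBasis == sentBasis {
			r.Sifted++
			if got != sentBit {
				r.Errors++
			}
		}
	}
	return r
}
```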

LANL has partnered with Whitewood Encryption Systems to market this device which, when released, may well effectively render any other conventional random number generation system obsolete. Current systems, based on mathematical formulas that can be broken by a computer with sufficient speed and power, will not be able to compete with a system that is built on a truly random source that cannot be second-guessed.

"Quantum systems represent the best hope for truly secure data encryption because they store or transmit information in ways that are unbreakable by conventional cryptographic methods," said Duncan McBranch, Chief Technology Officer at LANL. "This licensing agreement with Whitewood Encryption Systems, Inc. is historic in that it takes our groundbreaking technical work that was developed over two decades into commercial encryption applications."

Purported to be simple and small enough to be made into a USB key drive or similarly-sized unit, the LANL device is also claimed to be exceptionally inexpensive to manufacture, meaning that quantum-based random photon polarization encryption could be made available to anyone. Personal data transmission security would then become cheap, pervasive, and ubiquitous.

But more than this, if this device is successfully brought to market and implemented on a worldwide scale, quantum key distribution technology could one day guarantee truly secure commerce, banking, communications, and data transfer on an unprecedented scale.


Porticor and nScaled Partner to Deliver Secure and Compliant Business Continuity and Disaster …

Porticor Adds Software-Defined Encryption Key Management to nScaled's Leading IT BCDR Platform for Complete Protection of Replicated Data in the Cloud

CAMPBELL, Calif., and SAN FRANCISCO -- Porticor and nScaled today announced the industry's first joint solution integrating software-defined homomorphic encryption key management to protect customers' cloud information and applications replicated for IT Business Continuity and Disaster Recovery (BCDR).

Porticor is a leading cloud data security company delivering the only cloud-based key management and data encryption solution that infuses trust into the cloud and keeps cloud data confidential. nScaled is a provider of automated, integrated IT Business Continuity and Disaster Recovery (BCDR) solutions.

nScaled's Disaster Recovery as a Service (DRaaS) platform replicates data, servers, operating systems and applications to protect and deliver critical IT services to users in case of a man-made or natural disaster, equipment failure or data loss. nScaled's DRaaS hybrid cloud solution ensures that replicas are up to date at all times, including both the data and the virtual machine images of the code that runs the applications. Forrester Research, Inc., named nScaled a Leader in The Forrester Wave: Disaster-Recovery-As-A-Service Providers, Q1 2014.

Porticor adds key management and encryption to nScaled's solution. Integrated into nScaled's physical and virtual appliance, Porticor encrypts the data store of each application backed up by nScaled's solution seamlessly and transparently. Porticor is also implemented on nScaled's cloud, ensuring that any data replicated to the nScaled cloud is also encrypted. The result is a multifaceted, data-at-rest and in-transmission encryption solution that protects information at the customer's data center and in the cloud.

"We are in the insurance business, so clients share personal and account information about their employees with us," said Aatash Patel, IT Director at Covala Group, a leading enroller and administrator of voluntary, supplemental individual disability benefits for large employers. "With nScaled in place serving our disaster recovery needs, we needed a private cloud data encryption solution that was high performing and compatible with our VMware environment. Porticor has been our answer to protect clients' confidential information, and help us meet their compliance requirements. We spun up Porticor with nScaled in our cloud without any technical training, and support has been very helpful at both companies. I am very happy with what both vendors are doing together so far."

For a white paper on the partnership and joint solution now available, see http://www.porticor.com/porticor-nscaled-secure-dr/.

"Business continuity and disaster recovery have been one of the most successful services offered through the cloud model, and nScaled delivers the industry's leading automated and integrated solution," said Mark Jameson, VP of Worldwide Sales and Product Strategy at nScaled. "Together with Porticor we are providing the most secure and reliable Disaster Recovery as a Service (DRaaS) to protect customers' data and applications."

"Cloud providers, including providers delivering DRaaS, offer a shared responsibility model for the security and protection of customer applications and data," said Gilad Parann-Nissany, Porticor founder and CEO. "Now that we have teamed with nScaled, customers can be assured that their applications and information will be available and safe from loss due to disasters and cloud data security threats."

Cloud data encryption provides an effective layer of protection against new cloud security challenges, including internal cloud data center threats, information protection in a shared environment, and compliance requirements which mandate that information be secured both on premises and in the cloud. The challenge created is not in encrypting the data, but in managing the encryption keys. To provide secure cloud management of encryption keys for outsourced data center services to the nScaled cloud, Porticor uses a highly sophisticated and patented approach: split-key encryption and homomorphic key management.


Open-Xchange announces OX Guard email encryption tool

OPEN-XCHANGE, the German web-based productivity service provider, has announced an encryption product called OX Guard.

OX Guard is described as a "fully integrated email security tool". It requires no technical knowledge to set up and works with one click.

Messages are sent with PGP encryption using RSA public/private key pairing designed to keep all data away from prying eyes.

"We are not trying to re-invent the encryption wheel," said Rafael Laguna, CEO of Open-Xchange. "Instead, what OX Guard delivers is a secure and usable solution for everyone, helping service providers to rebuild the trust that privacy issues have destroyed.

"Everyone has the right to protect their data and we are upholding that right by making encryption user-friendly."

The "baked in" web-based offering includes email retraction and timeout, secondary passwording and encrypted file sharing with storage and multi-server scalability.

If a non-user receives an OX Guard message, they receive a clear text message with instructions on how to access and decrypt the message.

Email and files are protected with symmetric AES keys and then the encrypted data is encrypted further with RSA public/private keys. Files are stored on Open-Xchange servers, but the organisation has no way of decrypting the data.

This level of encryption also appears in the main Open-Xchange suite which we profiled in an interview with Mr Laguna earlier this year. Last weekend protesters lobbied GCHQ over its surveillance schemes and those of its American counterpart, the US National Security Agency (NSA).


Microsoft TechNet: Encryption

Traditionally, ciphers have used information contained in secret decoding keys to code and decode messages. The process of coding plaintext to create ciphertext is called encryption and the process of decoding ciphertext to produce the plaintext is called decryption. Modern systems of electronic cryptography use digital keys (bit strings) and mathematical algorithms (encryption algorithms) to encrypt and decrypt information.

There are two types of encryption: symmetric key encryption and public (asymmetric) key encryption. Symmetric key and public key encryption are used, often in conjunction, to provide a variety of security functions for network and information security.

Encryption algorithms that use the same key for encrypting and for decrypting information are called symmetric-key algorithms. The symmetric key is also called a secret key because it must be kept as a shared secret between the sender and receiver of information; otherwise, the confidentiality of the encrypted information is compromised. Figure 14.1 shows basic symmetric key encryption and decryption.

Figure 14.1 Encryption and Decryption with a Symmetric Key

Symmetric key encryption is much faster than public key encryption, often by 100 to 1,000 times. Because public key encryption places a much heavier computational load on computer processors than symmetric key encryption, symmetric key technology is generally used to provide secrecy for the bulk encryption and decryption of information.

Symmetric keys are commonly used by security protocols as session keys for confidential online communications. For example, the Transport Layer Security (TLS) and Internet Protocol security (IPSec) protocols use symmetric session keys with standard encryption algorithms to encrypt and decrypt confidential communications between parties. Different session keys are used for each confidential communication session and session keys are sometimes renewed at specified intervals.

Symmetric keys also are commonly used by technologies that provide bulk encryption of persistent data, such as e-mail messages and document files. For example, Secure/Multipurpose Internet Mail Extensions (S/MIME) uses symmetric keys to encrypt messages for confidential mail, and Encrypting File System (EFS) uses symmetric keys to encrypt files for confidentiality.

Cryptography-based security technologies use a variety of symmetric key encryption algorithms to provide confidentiality. For more information about the specific encryption algorithms that are used by security technologies, see the applicable documentation for each technology. For more information about how the various symmetric key algorithms differ, see the cryptography literature that is referenced under "Additional Resources" at the end of this chapter.

Encryption algorithms that use different keys for encrypting and decrypting information are most often called public-key algorithms but are sometimes also called asymmetric key algorithms. Public key encryption requires the use of both a private key (a key that is known only to its owner) and a public key (a key that is available to and known to other entities on the network). A user's public key, for example, can be published in the directory so that it is accessible to other people in the organization. The two keys are different but complementary in function. Information that is encrypted with the public key can be decrypted only with the corresponding private key of the set. Figure 14.2 shows basic encryption and decryption with asymmetric keys.

Figure 14.2 Encryption and Decryption with Asymmetric Keys


Open-Xchange launches in-browser encryption to combine security with ease of use [Q&A]

Data security used to be primarily about physically controlling where information was stored. But over the last few years the move towards greater use of mobile devices and increasing reliance on email for business communication has made securing information much more of a challenge.

The solution many organizations have turned to is encryption, particularly for emails, but is this the answer? Cloud collaboration specialist Open-Xchange is launching OX Guard, a fully integrated email security and encryption add-on to its OX App Suite.

OX Guard works inside the browser, with no need for special plugins or prior knowledge of encryption. Users of the OX environment will automatically receive decrypted emails, while external addresses can read encrypted content via a secure link.

We spoke to Open-Xchange CEO Rafael Laguna to find out about the role encryption has to play in ensuring security and privacy.

BN: How can encryption be used as part of a broader security strategy?

RL: Encryption adds another layer of security and complexity. Encrypted data at rest is pretty safe from prying eyes when stolen -- someone with malicious intent may be able to get to it, but it will make no sense, so it is worthless. Unfortunately the same applies when the legit consumer of the data wants to access them; some additional secure process to make it consumable again needs to be run, adding another cumbersome step.

BN: Doesn't encryption just add an extra layer of complexity, making information harder to access and meaning people won't use it?

RL: Yes, indeed. This is why encryption hasn't been widely adopted in the mainstream. Encryption only gets user acceptance when it is easy to use. So encrypt as much as you can but keep the usability high.

BN: How can you overcome the problem of exchanging information with third parties who aren't using the same encryption system?
