Archive for November, 2018

Will SMS OTP authentication methods be compliant with the upcoming PSD2 regulation?

Tuesday, November 27th, 2018

As the actual PSD2 implementation deadline (September 2019) approaches, the financial industry is preparing to replace its authentication methods with PSD2-compliant ones.

In this context, SMS OTP solutions, one of the most widely used ways to authenticate customers today, are being challenged over their compliance with PSD2.

The European Banking Authority published an “opinion paper” in June 2018, bringing several elements all intended to clarify that question. Those have led to the conclusion that SMS is not an appropriate method to deliver an OTP and that the complete SMS OTP approach should be replaced by more secure authentication methods such as biometric authentication.

Several press articles, especially in France, reflect this viewpoint.

In parallel, professional organizations such as ECSG* are in discussions with the European Authorities, seeking relevant ways to make PSD2 effective.

We at Gemalto have been among the first to explain the SMS security weaknesses as a mechanism to deliver OTPs, and the risk of non-compliance with PSD2 and its RTS (Regulatory Technical Standards). We were first to develop and promote alternative authentication solutions that will satisfy these needs, such as mobile authentications and biometric methods.

Considering today’s wide usage of SMS OTPs, it is understandable that the banking sector expresses the wish to have more time to complete the migration from SMS OTP to other methods.

Gemalto is committed to helping its customers organize and optimize the move from today’s to future technologies, and to providing consumers with secure and convenient authentication tools that fully comply with the new European regulation.

Download our white papers about PSD2 at https://www.gemalto.com/financial/ebanking/psd2.

*ECSG: The European Cards Stakeholders Group is made up of PSPs, vendors, payment schemes, merchants and processors, and works on the harmonization of card-based operations in the Single Euro Payments Area (SEPA).

View the original article at Gemalto.com.

Declared Data Breaches Remain Steady Quarter-on-Quarter

Tuesday, November 27th, 2018

According to Gemalto’s Customer Loyalty research conducted by Vanson Bourne, 66% of consumers say they would be unlikely to do business with an organization that experienced a breach where their financial and sensitive information was stolen! This is a very scary statistic and one that will most certainly keep every C-level executive awake at night.

Around the world, there’s been heightened awareness of privacy, where citizens expect organizations and businesses to protect their personal information. They also expect regulators to ensure this by implementing regulations to prevent, detect and remedy any data privacy violations. Australia is no different, which is why the Office of the Australian Information Commissioner (OAIC) implemented the Notifiable Data Breaches (NDB) scheme on 22nd February 2018.

Since then, in 7 months (to the end of September), 550 data breaches have been declared: an average of 80 data breaches every month. According to the OAIC’s Quarterly NDB Statistics Report, the number of data breaches has remained the same over the last two quarters – 242 (March-June) vs 245 (July-September).

Of the 245 declared data breaches in July-September,

  • 57% were caused by malicious or criminal attacks and 37% attributed to human error
  • Contact information (85%) made up most of the stolen/lost personal information declared followed by financial details (45%) and identity information (35%)
  • The top five industries reporting data breaches were health service providers (18%), finance including superannuation (14%), legal, account & management services (14%), education (7%) and personal services (5%)
  • Compromised credentials (81% of total) were the main result of malicious or criminal attacks via Phishing (50%), unknown methods (19%) and brute-force attacks (12%)

According to Australian Information Commissioner and Privacy Commissioner Angelene Falk, “Everyone who handles personal information in their work needs to understand how data breaches can occur so we can work together to prevent them. Organizations and agencies need the right cyber security in place, but they also need to make sure work policies and processes support staff to protect personal information every day.”

The steady number of data breaches declared in the last 2 quarters shows that this problem isn’t going away any time soon. The good news is that there are some things that organisations can do to prevent data breaches and comply with the NDB:

  1. Identify a complete and accurate picture of where sensitive personal data resides
  2. Minimise the number of locations housing sensitive data where possible
  3. Protect data by leveraging encryption and encryption key management to establish data confidentiality and integrity
  4. Control access to sensitive data, e.g. by using multi-factor authentication and policy controls to establish strong dynamic credentials

How prepared is your organization to comply with the NDB? Take this simple online assessment tool and find out.

For additional insight on NDB and how organizations can comply with it check out these resources.

View the original report at Gemalto.com.

Multi-gigabit solutions – why you should choose Ruckus Networks

Tuesday, November 27th, 2018

In this blog post, we’ll be taking a closer look at the Ruckus Networks multi-gigabit solutions portfolio. As we noted earlier in our series, next-generation wireless access points (APs) are playing a major role in driving the demand for multi-gigabit connectivity. We offer both 802.11ac (Wi-Fi 5) and 802.11ax (Wi-Fi 6) APs with multi-gigabit ports. The R720 802.11ac Wave 2 (Wi-Fi 5) AP includes one 2.5 GbE port, plus another 1 GbE port. For ultra-high density wireless deployments, the R730 802.11ax (Wi-Fi 6) AP includes a port supporting 2.5 or 5 GbE, plus an additional 1 GbE port.

We also offer two switch families with multi-gigabit ports. The top-of-the-line ICX 7650 Z-Series features 24x 1/2.5/5/10G Multigigabit Ethernet ports, with the 24 GbE ports supporting 802.3bt (ready) PoE. These provide 90 watts of power per port to drive 802.11ax APs, high-end cameras, LED lighting and HDTV displays. The ICX 7650 Z-Series also features 2X 100 gigabit uplink ports, which are upgradable from 40 gigabits to 100 gigabits with a simple CLI command for top performance.

Meanwhile, the Ruckus ICX 7150 Z-Series delivers multi-gigabit connectivity in an entry-level switch. It features 16 2.5 GbE ports and provides up to 90 watts PoE. It offers up to eight 10 GbE uplink ports, which can be easily upgraded from 1 to 10 gigabits with a software license. Both switches offer redundant hot-swappable power supplies and fans and are stackable with other switches in the same family. Like all Ruckus network solutions, both our APs and switches leverage innovative technologies such as Campus Fabric, Advanced Stacking, BeamFlex, unified management for wireless switching, IoT and LTE.

Offering industry-leading performance, scalability, simplified management and lower total cost of ownership (TCO), Ruckus leads the way with the best multi-gigabit solutions. For example, the ICX 7650 Z-Series delivers top performance for 802.11ax APs – and is future-proofed for the next generation of Wi-Fi (7-10 years). The ICX 7150 Z-Series provides great value for the money, with the performance that organizations need for 802.11ac and 802.11ax for at least the next three to five years.

Interested in learning more about our multi-gigabit portfolio? Contact our team now.

Read the original post by Rick Freedman at The Ruckus Room.

Multi-Gigabit Use Cases

Friday, November 9th, 2018

These days, most access switches and end-user devices have 1 GbE ports, which are plentiful, highly competitive and affordable. Though currently a minority, the number of access points with 2.5 Gigabit Ethernet ports to support 802.11ac access points (APs) is increasing. Indeed, there is a range of devices – both on the market and those anticipated to launch – that support Ethernet switches with 2.5 GbE ports.

Unsurprisingly, switches with 2.5 GbE ports cost more than those with 1 GbE ports. Ruckus offers 2.5 GbE switches at a modest premium, although many other vendors sell 2.5 GbE, 5 GbE and 10 GbE ports that are more expensive and generally overkill for 802.11ac (Wi-Fi 5). Many 802.11ax (Wi-Fi 6) APs hitting the market will feature 5 GbE ports, although there are still few other devices expected to support 5 GbE.

When to use multi-gigabit connectivity

10 GbE Ethernet – which was part of the original 802.3bz standard – is primarily used for servers, storage and other devices in the data center. There are very few end-user devices that support 10GbE. However, more and more devices, such as laptops, point of sale units and video cameras are losing their tethers and moving to wireless connectivity. This increases the data load on wireless networks and drives the primary use case for 2.5 GbE and 5 GbE, as well as a new generation of access points. Multi-gigabit connectivity should be considered as organizations move to 802.11ac (Wi-Fi 5) and 802.11ax (Wi-Fi 6) and start implementing the next generation of Wi-Fi networks.

There are additional features to consider that go hand-in-hand with multigigabit connections, such as Power over Ethernet requirements (PoE) and future growth expectations. Indeed, it is important to understand the PoE power requirements for a new generation of access points equipped with multi-gigabit ports. Early APs routinely operated on PoE, consuming just 15 watts of power at the switch. However, more powerful radios consume more power. Even so, most APs today can still be powered by PoE or PoE+, the latter of which feeds 30 watts to the AP. However, while the latest 802.11ac (Wi-Fi 5) APs can operate on 30 watts of power, many need just a little more to achieve top performance – to drive all the radios and provide power to the USB port.

The newest generation of 802.11ax (Wi-Fi 6) APs is likely to require even more power than their predecessors. While 802.11ax (Wi-Fi 6) APs will operate on PoE+ power, they will demand more power to drive 8×8 radios and achieve peak performance. A new standard known as 802.3bt is expected to address the PoE requirements for 802.11ax (Wi-Fi 6) APs, as well as for devices such as LED lighting, pan-tilt-zoom (PTZ) cameras and HDTVs. 802.3bt – which incorporates both 60 watts and 90 watts of power per port – was ratified by the IEEE in September 2018. Organizations planning to deploy new switches with multi-gigabit connectivity should make sure they deliver sufficient PoE to support newer APs.

It should also be noted that there are detailed specifications for connections running at more than one gigabit per second over standard twisted-pair copper cabling. It is therefore important to understand the requirements and how they match existing cabling. The IEEE modified the 802.3bz standard in 2016 to add 2.5 gigabits and five gigabit Ethernet over twisted pair wiring. This was done specifically to support connecting new generations of Wi-Fi over copper without having to move to fiber optics.

The type of cabling that is required – both for one gigabit and 2.5 gigabit – can run over Cat 5e cabling for up to 100 meters. However, five gigabits per second requires Cat 6 cabling to run up to 100 meters and 10 gigabits per second requires Cat 6a. A significant number of buildings still only have Cat 5e cabling, in which case supporting faster speeds would require re-cabling a property. In practical terms, this means organizations should check the type of cabling currently installed in their buildings when considering an upgrade to multi-gigabit. If new cabling is required, organizations should be sure to calculate the upgrade costs and determine if moving to multi-gigabit is worth the expense.

Organizations should also be sure to understand the life-cycle of their infrastructure. More specifically, Wi-Fi standards, equipment, and gigabit usage are growing so rapidly that companies and organizations are refreshing their Wi-Fi access points approximately every three years. However, the switch lifecycle averages closer to five to seven years for commercial enterprises – and up to seven to ten years for the education market. So, organizations should ensure that new switch purchases will support current Wi-Fi networks and at least one more refresh cycle, if not more. During this period, they will see more users, more devices per users and a greater demand for throughput generated by streaming audio and video. Put simply, future-proofing switching is essential to protecting any network infrastructure investment.

View the original blog post by Rick Freedman at The Ruckus Room.

Cloud Security: How to Secure Your Sensitive Data in the Cloud

Friday, November 9th, 2018

In today’s always-connected world, an increasing number of organisations are moving their data to the cloud for operational efficiency, cost management, agility, scalability, etc.

As more data is produced, processed, and stored in the cloud – a prime target for cybercriminals who are always lurking around to lay their hands on organisations’ sensitive data – protecting the sensitive data that resides on the cloud becomes imperative.

While most Cloud Service Providers (CSPs) have already deployed strong front line defence systems like firewalls, anti-virus, anti-malware, cloud-security intrusion detection, etc. to thwart malicious attacks, sophisticated hackers are breaching them with surprising ease today. And once a hacker gains an inside entry by breaching the CSP’s perimeter defences, there is hardly anything that can be done to stop him from accessing an organisation’s sensitive data. Which is why more and more organisations are encrypting their cloud data today as a critical last line of defence against cyber attacks.

Data Encryption Is Not Enough

While data encryption definitely acts as a strong deterrence, merely encrypting the data is not enough in today’s perilous times where cyber attacks are getting more sophisticated with every passing day. Since the data physically resides with the CSP, it is out of the direct control of the organisations that own the data.

In a scenario like this where organisations encrypt their cloud data, storing the encryption keys securely and separately from the encrypted data is of paramount importance.

Enter BYOK

To ensure optimal protection of their data in the cloud, an increasing number of organisations are adopting a Bring Your Own Key (BYOK) approach that enables them to securely create and manage their own encryption keys, separate from the CSP’s where their sensitive data is being hosted.

However, as more encryption keys are created for an increasing number of cloud environments like Microsoft Azure, Amazon Web Services (AWS), Salesforce, etc., efficiently managing the encryption keys of individual cloud applications and securing access to them becomes very important. This is why many organisations use External Key Management (EKM) solutions to manage all their encryption keys cohesively and keep them free from unauthorised access.

Take the example of Office 365, Microsoft’s on-demand cloud application that is widely used by organisations across the globe to support employee mobility by facilitating anytime, anywhere access to Microsoft’s email application – MS Outlook and business utility applications like MS Word, Excel, PowerPoint, etc.

Gemalto’s BYOK solutions (SafeNet ProtectApp and SafeNet KeySecure) for Office 365 not only ensure that organisations have complete control over their encrypted cloud data but also seamlessly facilitate efficient management of the encryption keys of other cloud applications like Azure, AWS, Google Cloud and Salesforce.

Below is a quick snapshot of how SafeNet ProtectApp and SafeNet KeySecure seamlessly work with Azure BYOK:

To elaborate, below is the step-by-step process of how this works:

  1. SafeNet ProtectApp and KeySecure are used to generate an RSA Key Pair of the required Key size using the FIPS 140-2 certified RNG of KeySecure.
  2. A Self-SignedCertificateUtility.jar (which is a Java-based application) then interacts with KeySecure using a TLS-protected NAE service to fetch the Key Pair and create a Self-signed Certificate.
  3. The Key Pair and Self-signed Certificate are stored securely in a PFX or P12 container that encrypts the contents using a Password-based Encryption (PBE) Key.
  4. The PFX file (which is an encrypted container using a PBE Key) is then uploaded to Azure Key Vault using the Azure Web API / REST.
  5. The transmission of the PFX file to the Azure Key Vault is protected using security mechanisms implemented by Azure on their Web API (TLS / SSL, etc.).
  6. Since the PFX files will be located on the same system on which the SelfSignedCertificateUtility.jar utility will be executed, industry-best security practices like ensuring pre-boot approval, enabling two-factor authentication (2FA), etc. should be followed.
  7. Once the Keys are loaded on Azure Key Vault, all encryption operations happen on the Azure platform itself.
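
The container handling in steps 1-3 and 6 can be checked before anything is uploaded. The following is an added example, not Gemalto's utility or code from the original article: local OpenSSL key generation stands in for KeySecure's RNG and the Java certificate utility, and the function names, file names, subject and passphrase are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Added illustration (not Gemalto's tooling): OpenSSL stands in for KeySecure
# key generation and the certificate utility described in steps 1-3.
set -eu

# Steps 1-3: RSA key pair, self-signed certificate, password-encrypted PFX.
build_pfx() (            # usage: build_pfx <dir> <password>
  dir=$1
  umask 077              # key material readable by the owner only
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/key.pem" 2>/dev/null
  openssl req -new -x509 -key "$dir/key.pem" -sha256 -days 365 \
    -subj "/CN=byok-example.invalid" -out "$dir/cert.pem"   # constructed subject
  # Pass the password via the environment rather than argv, and force AES-256
  # PBE plus a SHA-256 MAC instead of relying on version-dependent defaults.
  PFX_PASS=$2 openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
    -passout env:PFX_PASS -out "$dir/byok.pfx"
  rm -f "$dir/key.pem"   # step 6: leave no plaintext private key on disk
)

# Exit status 0 only if the container's MAC verifies with this password.
pfx_opens_with() {       # usage: pfx_opens_with <pfx> <password>
  PFX_PASS=$2 openssl pkcs12 -in "$1" -passin env:PFX_PASS -noout >/dev/null 2>&1
}

# Exit status 0 only if the bags use AES-256 and no legacy PBE scheme.
pfx_uses_strong_pbe() {  # usage: pfx_uses_strong_pbe <pfx> <password>
  info=$(PFX_PASS=$2 openssl pkcs12 -in "$1" -passin env:PFX_PASS \
           -info -noout 2>&1) || return 1
  printf '%s\n' "$info" | grep -q 'AES-256-CBC' || return 1
  ! printf '%s\n' "$info" | grep -Eq 'RC2|3DES|pbeWithSHA1'
}

# Exit status 0 only if the private key in the PFX belongs to its certificate.
pfx_key_matches_cert() { # usage: pfx_key_matches_cert <pfx> <password>
  cert_pub=$(PFX_PASS=$2 openssl pkcs12 -in "$1" -passin env:PFX_PASS \
               -nokeys -clcerts 2>/dev/null | openssl x509 -noout -pubkey)
  key_pub=$(PFX_PASS=$2 openssl pkcs12 -in "$1" -passin env:PFX_PASS \
              -nocerts -nodes 2>/dev/null | openssl pkey -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='constructed-example-passphrase'   # constructed sample value
build_pfx "$WORK" "$PASS"
pfx_opens_with "$WORK/byok.pfx" "$PASS" &&
  pfx_uses_strong_pbe "$WORK/byok.pfx" "$PASS" &&
  pfx_key_matches_cert "$WORK/byok.pfx" "$PASS" &&
  echo "byok.pfx passed pre-upload checks"
```

The upload in steps 4 and 5 is outside this sketch; the checks are meant to run on the system from step 6 immediately before the PFX leaves it.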

Continue to find out what to consider when choosing a Key Management solution, as well as how Gemalto can support organisations to make their BYOK journey easier.

To Sum It Up

As technology evolves, so do cybercriminals, and merely encrypting data no longer guarantees foolproof data protection today. While encrypting their sensitive cloud data, organisations must bear in mind that securing and managing the encryption keys is as important as the encryption itself.

To prevent unauthorized access and ensure that the encryption keys don’t fall into the wrong hands, cybersecurity experts unanimously recommend the use of Hardware Security Module (HSM) devices to securely store the encryption keys.

Since encryption keys pass through multiple phases during their lifetime – like generation, storage, distribution, backup, rotation and destruction – efficiently managing these keys at each and every stage of their lifecycle becomes important. A secure and centralized key management solution is critical.

Gemalto’s SafeNet KeySecure offers organisations a robust centralized platform that seamlessly manages all encryption keys. Below are some key benefits that make SafeNet KeySecure a preferred choice for organisations across the globe:

  1. Heterogeneous key management – helps in seamlessly managing multiple encryption keys at each stage of their lifecycle.
  2. Logging and auditing – helps in storing audit trails that can be analyzed by using any leading SIEM tools.
  3. Centralized management console – helps in assigning administrator roles according to the scope of their responsibilities.
  4. High Interoperability – supports a broad ecosystem of respected technology partners using the OASIS KMIP standard.
  5. Reduces the overall cost of data security by offering automated operations.

Learn more about how Gemalto’s suite of cloud security solutions can help your organisation fully secure your data in the cloud.

View the original article at Gemalto.com.

Take a number, we’ll be right with you: Wi-Fi connections and capacity

Wednesday, November 7th, 2018

Wi-Fi connects the world, one device at a time. Literally. One. Device. At. A. Time. Wi-Fi is a half-duplex technology. This means only one device gets to transmit. All other devices sharing that channel have to wait their turn to make Wi-Fi connections. Yet we talk about high capacity and how many devices an AP can support. What does that mean if the answer is always one?

When more than one device is connected to an AP, they must share the air. All other things being equal, the devices and the AP (it counts as a device too!) will take turns transmitting. You could easily have 10, 50, 100, or more devices connected to an AP. But each still has to wait for its turn to talk.

If you want to sound like a Wi-Fi pro, you’ll need to understand a few things about capacity: how many Wi-Fi connections an AP can keep track of, how many devices are trying to talk simultaneously, and how fast each can talk.

You might have 100 devices connected to an AP, but if only 10 need to transmit at a given time, you don’t have to wait long for your turn. The other 90 devices stay connected and hang out until they have something to say.

Now, imagine you’ve got 500 devices connected and 250 want to talk simultaneously. That’s like being stuck in line at the restroom during a concert and there are 249 people ahead of you. Yikes.

If all of the devices are fast, your turn will come much more quickly: think of your 802.11ac smartphone versus Grandma’s old 802.11g laptop. No matter what you do, the phone will be capable of going faster than the laptop. But that doesn’t mean they will get the same performance on all APs.

Ruckus helps you wring every last bit of speed out of any device with innovations like BeamFlex+, transient client management, auto RF cell sizing, airtime decongestion, and much more. When you’ve got a network with lots of Wi-Fi devices (why, hello, IoT), any extra performance boosts can make a big difference.

Read the original report at The Ruckus Room.