*By Marco Zanini

Corporations are increasingly aware of the damage caused by information leakage or theft and are very concerned about protecting their information. Two main factors have contributed to this growing attention to the subject: the explosion of data stored in digital systems and the increase in available options for using this data in electronic transactions.

Databases are the most significant repositories of information relevant to a business, such as credit card data, competitive or confidential information, and intellectual property. Within this scenario, encryption is known to be the most efficient strategy for protecting stored data. However, encryption is of no use if the security keys used in these processes are generated, used or even stored in an insecure manner. This is the biggest failure committed by corporate managers today, whether through lack of knowledge or through neglect of the risks involved.

This month, more than 40 apps with more than 100 million installs were found to leak information. These apps had private keys of an important market player hard-coded in them. Thus, thousands of data items from their internal networks and their users are at risk and susceptible to cyber attacks. Keys hard-coded in mobile app source code, for example, could have been a big issue, especially if the associated identity and access management (IAM) role had wide scope and permissions. The possibilities for misuse are endless, as attacks can be chained together and the attacker can gain more access to the entire infrastructure, even the code base and configurations. Many instances are misconfigured and accessible from the Internet, which makes many data breaches possible worldwide.

Thus, operations involving security keys must occur in a highly secure environment, that is, in a Hardware Security Module (HSM). Server equipment is designed for general use and does not provide the necessary protection. Furthermore, cryptographic operations demand a great deal of processing power and can consume precious computational resources competing with business rules, if performed on application servers.

The use of an HSM guarantees security through the separation between encrypted data and security keys. It provides dual custody of keys, segregation of roles, audit trails, performance and compliance with security regulations across all industry segments. Its management, availability and performance characteristics provide the lowest cost of ownership on the market. In addition, HSM cryptography APIs are increasingly used by the market. Because they are simple and easy to use, they connect to other company applications and integrate easily with Microsoft SQL Server.

These cryptography APIs make more and more high-level functions available to developers, saving time and resources, and they are already part of organizations' daily lives. If your company wants to avoid data leakage and information theft, these are important tips, which can prevent a lot of financial and reputational damage to the business. Key protection must be done in an HSM.

*Marco Zanini is an expert engineer in digital identity security and CEO of DINAMO Networks.  

Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies