
Bringing Encryption to Healthcare, Penta Security Systems Partners with Eventi Telematici

MyDiamo, Penta Security Systems’ high performing column-level encryption solution, will be bundled together with Eventi Telematici’s software solutions to enhance the security of healthcare products and services across the globe.


Penta Security Systems Inc., a leader in web, IoT, and data security solutions and services, has established a strategic partnership with Eventi Telematici, an Italian software solutions provider that provides cancer data analysis products and services to medical organizations across the globe. This partnership will combine MyDiamo’s column-level database encryption capabilities with Eventi Telematici’s existing line of cloud and on-premise solutions. In the wake of recent hacking incidents that affected major health organizations in various parts of Europe, there is a crucial lesson to be learned about safeguarding sensitive medical data. Because healthcare institutions hold databases storing medical records of millions of patients, a database encryption solution is necessary to protect this confidential data at all times.

Furthermore, regulatory laws now require corporations and organizations to strengthen data protection as is the case with the EU’s General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act (PDPA). Addressing these requirements, Penta Security Systems offers database encryption solutions that work in various types of environments. With a large majority of organizations utilizing open source database management systems (DBMS), MyDiamo has been specifically designed to serve as a safe and reliable DBMS encryption solution for open source database environments.

This partnership will provide Eventi Telematici with the opportunity to bundle MyDiamo with its solutions to be sold to clients. The advantages to MyDiamo are many; as one of the few encryption solutions for open source DBMS such as MySQL, MariaDB, and PostgreSQL, MyDiamo offers column-level encryption, which allows end users to selectively encrypt columns in databases. It provides access control and separate encryption keys for each encrypted column. This partial encryption capability known as granular encryption enables user-specific control on encrypted column values rather than encrypting entire databases.

What this means for end users is a major performance advantage since encryption and decryption by column is possible, speeding up information retrieval. MyDiamo offers an efficient encryption solution with a seamless installation process without service interruption. “Healthcare institutions in particular should implement an encryption solution to ensure the confidentiality of sensitive patient data and to keep in line with existing regulations, especially when, with MyDiamo, there is no need to encrypt entire databases. For this reason, we anticipate other IT solution providers that handle private data to look into bundling their services with high quality encryption solutions,” said DS Kim, Chief Strategy Officer at Penta Security Systems.

This year Penta Security Systems celebrates two decades of IT expertise and will continue to serve the security needs of a global clientele with web application firewall, encryption, and single sign-on solutions.

 


Cited by Gartner in 2016 Hype Cycle for Data Security

Listed as sample vendors for FPE and Database Encryption, Penta Security receives attention for its developments

Seoul, Korea: Penta Security Systems Inc., a leading Web and Data security provider in the Asian-Pacific region, announced that it has been listed as a sample vendor for two technologies, Format Preserving Encryption (FPE) and Database Encryption, in the Gartner 2016 Hype Cycle for Data Security.[1] Each year, Gartner, Inc. publishes visual representations of maturity and adoption of various technologies and applications. It cites vendors that are relevant to business development in the particular field. Within the last year, numerous corporations and entities worldwide have had their data breached. This further highlights the need for data security and encryption technologies.

Database Encryption

In 2016’s Hype Cycle for Data Security, Penta Security was cited as a sample vendor for Database Encryption. Database Encryption is in the early stages of mainstream in terms of maturity. Penta Security’s Head of Planning, Duk Soo Kim stated, “After research and development over the course of many years, we’re pleased to see the technology becoming increasingly prevalent in the market. As the industry continues to develop and mature, we will most certainly be keeping up with the latest in database encryption technology.”

FPE (Format Preserving Encryption)

Additionally, Penta Security was listed under Format Preserving Encryption as a sample vendor. Still largely a new field, FPE allows for encrypted data to maintain its structure with minimal modifications. While previously less utilized, its adoption has become more widespread due to NIST (National Institute of Standards and Technology) establishing secure FPE implementation standards. Regarding this listing in the Hype Cycle, Kim remarked, “Technology and security are constantly changing and being challenged. Therefore, being named as a sample vendor for a technology like FPE confirms that we are implementing technologies taken on by early adapters, not just traditionally utilized.”

Penta Security is a leading vendor for data security solutions, including its encryption solution, D’Amo. By using FPE technology, D’Amo allows encryption to be applied to sensitive data fields without modifying the schema in the database environment. As businesses’ data becomes increasingly complex in their mission-critical applications (such as ERP, CRM, HRM), continued attention to data security practices is crucial.

Disclaimer:

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About Penta Security:

With over 19 years of IT security expertise, Penta Security Systems Inc. (CEO/Founder Seokwoo Lee) is recognized by Frost & Sullivan as 2016’s Asian Cyber Security Vendor of the Year. For more information on Penta Security and its encryption technology, please visit www.pentasecurity.com. For partnership inquiries, please email info@pentasecurity.com.


[1] Gartner, Hype Cycle for Data Security, 2016 by Brian Lowans, July 13, 2016: https://www.gartner.com/doc/3371735/hype-cycle-data-security-


Column-Level Encryption: What to Consider

There’s no single, magical, ultimate solution to keeping your information safe – if there were, the multitude of companies that have already invested millions of dollars into protecting their applications, systems, and networks would be much richer. The last couple of years have been difficult for companies and organizations that have suffered data breaches right and left. The reality is that no matter who you are or how well your company is doing, several measures of protection need to be taken to lessen the possibility of a database attack. One of those measures is column-level encryption.

I’m sure you’ve heard about encryption before – whether it is in the context of securing your database, or in the context of some thrilling movie where a code needs to be decrypted in order for the hero to make his way into a secret vault somewhere – but encryption, while a simple concept, has many variations to it as well.  Column-level encryption is one of them.

First things first, what is column-level encryption?

Assuming you understand the basics of encryption (if you don’t, not to worry – here’s a great Encryption 101 guide), let’s think about a basic database structure. A typical database will have columns and rows of data. Now, file-level encryption is a database encryption method where individual files are encrypted as a whole. There are benefits to this method as there is one master key for encryption. However, with column-level encryption, you can encrypt just individual columns – this also means that each column can have its own unique encryption key within the database.

The benefits?

Flexibility

Because you’re not encrypting the entire file, when choosing what data to encrypt, column-level encryption does allow for more flexibility. After all, why encrypt something that doesn’t need to be encrypted?

Additionally, column-level encryption is possible even when the database is active (some types of encryption are only possible when data is “at rest”, which means when it’s not being used, not when data is “in transit” or “in use”, which refers to active data). This means functionality is maintained, which is significant when you’re encrypting data that’s constantly being accessed or updated.

Speed

Column-level encryption allows for efficiency because there’s less encrypted data. Overall, you’ll have better system performance because encryption for the whole file isn’t necessary. While it might not seem like a big deal, this becomes a huge benefit when managing a significantly large database. Trying to encrypt a whole file can be overwhelming – for both you and the system.

For example, perhaps you’re in marketing and have a database of customer contacts. One of your fields might be the customer’s favorite color. Another might be their preferred method of contact. These aren’t fields that need to be encrypted, and encrypting them could slow down performance.

However, it’s important to mention here that faster performance isn’t always the case. If all individual columns are encrypted (with their own unique keys) within the whole file, that’s when database performance decreases. Even the act of indexing or searching for the contents within the database can take longer than necessary.

Security

I’ve already mentioned that different columns have unique keys, which means that this can give an added layer of security to your database. Just one key will not give access to the entire file. Decreasing the likelihood that data in your columns will be lost, column-level encryption also allows for delegation of keys to authorized users.
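To make the per-column-key idea concrete, here is an added example (not code from MyDiamo or from the original post) using an in-memory SQLite table of the marketing contacts described above. The table, column names, demo master key, and the HMAC-based stand-in cipher are assumptions chosen so it runs with only the Python standard library; a real deployment would use an authenticated cipher such as AES-GCM and keep keys in a key manager.

```python
import hashlib
import hmac
import os
import sqlite3

MASTER_KEY = bytes(range(32))           # constructed demo key; real ones live in a KMS/HSM
ENCRYPTED_COLUMNS = ("email", "phone")  # favorite_color and preferred_contact stay plaintext


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def column_key(table: str, column: str, master: bytes = MASTER_KEY) -> bytes:
    """Derive an independent key for one column, so keys can be delegated per column."""
    return _prf(master, f"column-key:{table}.{column}".encode())


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode. Use AES-GCM in real deployments.
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: str) -> bytes:
    nonce = os.urandom(16)
    body = _xor_stream(_prf(key, b"enc"), nonce, plaintext.encode())
    return nonce + body + _prf(_prf(key, b"mac"), nonce + body)  # encrypt-then-MAC


def decrypt(key: bytes, blob: bytes) -> str:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + body)):
        raise ValueError("wrong column key or tampered ciphertext")
    return _xor_stream(_prf(key, b"enc"), nonce, body).decode()


def build_demo_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, favorite_color TEXT,"
               " preferred_contact TEXT, email BLOB, phone BLOB)")
    rows = [(1, "blue", "email", "ana@example.test", "+1-555-0100"),   # constructed data
            (2, "green", "phone", "raj@example.test", "+1-555-0101")]
    for rid, color, contact, email, phone in rows:
        db.execute("INSERT INTO customers VALUES (?, ?, ?, ?, ?)",
                   (rid, color, contact,
                    encrypt(column_key("customers", "email"), email),
                    encrypt(column_key("customers", "phone"), phone)))
    return db


def read_column(db: sqlite3.Connection, column: str, key: bytes) -> list:
    """Decrypt one encrypted column using only the key the caller was given."""
    if column not in ENCRYPTED_COLUMNS:   # allow-list also keeps the f-string safe
        raise ValueError(f"{column} is not an encrypted column")
    rows = db.execute(f"SELECT {column} FROM customers ORDER BY id")
    return [decrypt(key, blob) for (blob,) in rows]


if __name__ == "__main__":
    db = build_demo_db()
    email_key = column_key("customers", "email")
    print(read_column(db, "email", email_key))
    # Plaintext columns are still filterable in plain SQL:
    print(db.execute("SELECT id FROM customers WHERE favorite_color = 'blue'").fetchall())
    try:
        read_column(db, "phone", email_key)   # the email key does not open the phone column
    except ValueError as exc:
        print("phone column:", exc)
```

A user who holds only the email key can read that one column; the phone column stays closed to them, and the unencrypted fields remain ordinary, indexable SQL data.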

With its benefits, column-level encryption has been gaining in interest. But as we always say, it’s the user’s job to research and analyze each method before applying the solution, whatever the consequences may be. Hopefully this gives you a bit of an introduction into this encryption method. Think about what kinds of services may be right for you. What are some of your ideas?


For more information on MyDiamo, Penta Security’s security solution for open source DB (which utilizes column-level encryption), check out www.mydiamo.com

To find out more about Penta Security’s encryption solutions, head to the D’Amo Overview page, or contact us at info[at]pentasecurity[dot]com


Security in IoT

Since its first introduction 15 years ago, the Internet of Things (IoT) has now become one of the hottest topics. These days, thousands of new IoT products are launched into the market each year. Although the first IoT product was only a modified Coca Cola machine, IoT is now a part of our everyday lives. Now, we feel that this is a great change. Information security is often a neglected topic, but with IoT, it’s begun to turn heads.

Stories have already been published showing that security measures are needed for IoT products, as IoT hacks are on the rise. With smart car hacks, baby monitor hacks, and children’s toy hacks running rampant, we have to ask about security. Technically speaking, not all IoT products need security. Children’s bracelets that only sense a child’s mood through body temperature do not need as many security measures as bracelets that track a child’s location. Security is often a concern only when the data is judged to be valuable if compromised.

How Is Security Different for IoT Businesses?

Currently, there are three major types of security that businesses regularly use:

Physical Security

Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damages. Examples of physical security include CCTV surveillance, security guards, access control protocols, etc.

Information Security

The second type of security is information security. Information security is a set of business processes that protects information regardless of how the information is formatted or whether it is being processed, in transit or stored. The most common methods of information security are: encryption, malware detection, and digital signatures.


Convergence Security

The third and newest type of security is convergence security. Although the quickest growing, convergence security is a new security concept. Its meaning is just what its name suggests—a convergence or combination of physical and information security. With convergence security, the security systems of a company are joined together with the company’s IT solutions. This allows the company’s physical security to play an integral role to IT. Perhaps it may become the ultimate solution to IoT security.

Many people mistakenly believe that convergence security is difficult to develop. However, it is just the action of incorporating information security technology into existing industry systems. Convergence security is just the act of customizing physical and information security to an industry’s protocol. It does not require a whole new concept of security algorithms. For example, if a manufacturing factory is transitioning into a smart factory, where all the equipment is automated, security is needed to ensure that hackers do not interfere with manufacturing schedules and output. The factory can then work with an information security firm to make sure previous physical security measures are updated with the newly implemented information security scheme, thereby maintaining their existing security measures while updating protocols to meet industry convergence security standards.

Top Five Industries of IoT Security Development

The development of IoT can be categorized into five different industries. Just as industries vary with the type of data or functions that they process, their actual security regulations also vary. For example, the automotive industry’s security regulations are much stricter than those of consumer electronics. Also, the extent to which security solutions have actually developed depends on the extent to which that industry has developed, because as the demand for a product or service skyrockets, so does the demand for its security. For these reasons, five industries have been identified as focal points in the demand for IoT security development.

1. Automotive

Probably the most pressing IoT security issue is smart car technology. Duk Soo Kim, the CTO of Penta Security Systems, said that “Security technology has been used to protect the assets of businesses and people, while smart car security protects those people’s lives.” It is clear that hacking smart cars or transportation system/traffic information systems can directly lead to serious physical damage and/or casualties. The US Department of Transportation has already taken key steps toward requiring security technology to be installed in every smart car in the U.S. by proposing regulations for standard Vehicle-to-Vehicle (V2V) technology. Smart car security solutions such as AutoCrypt, CycurLIB, ArgusIDPS and Aerolink are already available in the market.

2. Consumer Electronics

Consumer electronics are the most common of IoT products. From major tech conferences, such as CES and the Internet of Things World Forum, to television commercials, you can see that IoT is quickly becoming a part of our everyday lives. Although we have seen a surge in consumer electronics hacks in the past couple of years, the focus of smart consumer electronics remains “connectivity,” with little focus on security development. For example, home appliance manufacturers call a new refrigerator a “family hub” since items are more connected, but home appliance companies often don’t highlight how the data being collected is protected. Much to our surprise, reports of refrigerators containing spam began circulating in 2014, raising awareness of the dangers of what is called a thingbot.

3. Smart Office

Smart offices, also known as smart buildings or smart businesses, are a rising trend in companies. With the rising concern that smart offices are an easy target for hackers, it is imperative to develop smart office security, as hackers can affect a business’ productivity when they access a building’s communications system. Security for standard buildings has been incorporated in the past. However, smart offices now involve managing and restricting access that includes physical, remote, network, and device level factors.

4. Smart Factory

A smart factory is a factory with a fully integrated automation solution in its facility. In smart factories, industrial control systems (ICS), which are computer based systems, are installed to monitor and control industrial processes such as power, oil, gas pipelines, water distribution and wastewater collection systems.

The most used type of ICS is Supervisory Control And Data Acquisition (SCADA), which allows factory workers to simplify their operational duties by only needing to use electronic communications instead of local documents. Despite its convenience, SCADA is not completely secure, as was proven during the huge malware attack on European SCADA systems in June 2014. A malware called Stuxnet was uploaded to European SCADA control systems and sabotaged major confidential projects as well as industrial control system software.

5. Smart Grid

A Smart Grid is when Information and Communications Technology (ICT) is incorporated with the existing electric grids so that the information about producing and consuming electricity is exchanged in real time. According to the U.S. Congressional Research Service, attacks on the U.S. power grid are continuing to increase. As countries’ economies, governments and securities rely on electricity, there is a need to build strong convergence security around smart grids’ industrial control systems.

These five categories vary in terms of their services and information processed, but it is imperative that any company that deals with people’s safety (both physically and digitally) invest in security. For products that are integrated with IoT, physical or information security alone is no longer safe enough. As the demand for IoT products and services increases, these companies need to commit to creating convergence security systems that completely secure customers’ products and private information.


This blog post was originally featured on cloudbric.com. Visit their blog for more insight, news, and accessible information on web threats and trends. If you would like to learn more about Cloudbric’s logic-based WAF service, please contact info@cloudbric.com.

DB Encryption 101: How to Implement

Recently, as information security needs have increased rapidly, various security techniques and strategies have drawn attention. Encryption is one approach that’s attracted the most attention. Penta Security was Korea’s first to develop a DB encryption product so we often get these types of questions:

I think a lot of these questions come out of fear or confusion about encryption. The reality is that these questions might be an issue if you’re not implementing encryption properly – but when you follow the correct procedures, then a lot of your concerns will dissipate.

For any implementation of database encryption, the pre-evaluation process is crucial. After all, there are hundreds of solutions out there, but which one do you pick? Especially if you’re implementing encryption for a corporate environment, you need to be detailed to get the most bang for your buck.

Applying a DB encryption solution should follow this process:

  • Product Selection
  • Policymaking
  • Impact analysis
  • Application
  • Testing
  • Query optimization

Product Selection for DB Encryption Solutions

Choosing the appropriate product or solution can be crucial. There are a variety of domestic or international encryption products, but the important part is to research the capabilities of the solution to ensure that it’s able to match the compliance laws.

Think of it this way – You walk into a store, ask for a pair of black shoes, the clerk hands you a box that has the label “COLOR: Black”, you give them money and walk out with the box. Realistic? Of course not. Not every pair of black shoes is going to match your environment. Maybe you’re going to play a sport, or maybe you’re attending a black-tie wedding. Just like that, not all DB encryption methods are compatible with any given DB environment. It’s important to consider which server and DB management environment you choose to use.

Policy-making for DB Security

The next step is establishing a structure for encryption/decryption privileges and access control authority for users once the product has been implemented. Which users will be able to view the data? Which can perform the functions? Specify separate roles between administrators as well – either the server administrator or the database manager should be the sole person in charge of managing the encryption solution.

Having clearly outlined authority roles isn’t just important in the corporate world, it matters also for safe data management.

Analyzing DB Environment Impact

So what’s the impact on the DB system once encryption has been implemented? You need to take into consideration the type of data, which data needs encryption, and in which format it should be organized. Once that is evaluated, the next step is to assess the impact on the business system servers that will require encrypted query requests. If the necessary queries to be sent from the business system servers to the DB server are researched in advance, this process doesn’t have to be complicated. But if not, query optimization could be long and arduous.

Fully understanding which requests are going to originate from the systems’ applications will likely require cooperation from a business systems developer.  Even with the cooperation of a systems developer, it may not always be possible to analyze complex business system expressions. In that case, you may need to analyze the queries travelling to and from the business servers and DB server and discover their nature by using an induction formula. Induction formula analysis tools are included in many encryption solutions, and separate stand-alone products exist as well. Purchasing an encryption solution already equipped with the tools to collect and analyze these expressions will assist in this step.
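An added example (not part of any Penta Security tool) of the kind of query analysis described above: it sorts captured queries by how they touch the columns you plan to encrypt. The column names, the sample query log, and the regex heuristics are assumptions; a production tool would use a real SQL parser.

```python
import re
from collections import Counter

ENCRYPTED_COLUMNS = {"ssn", "email"}   # assumed: columns selected for encryption

# Constructed sample of queries captured between the business server and the DB server.
QUERY_LOG = [
    "SELECT name, favorite_color FROM patients WHERE id = 7",
    "SELECT name, email FROM patients WHERE id = 7",
    "UPDATE patients SET email = 'a@example.test' WHERE id = 7",
    "SELECT id FROM patients WHERE ssn = '123-45-6789'",
    "SELECT id FROM patients WHERE email LIKE '%@example.test' ORDER BY name",
    "SELECT name FROM patients ORDER BY ssn",
    "SELECT id FROM notes WHERE body = 'email me'",
]


def _tail(keyword: str, query: str) -> str:
    """Return the text following the first occurrence of keyword, or ''."""
    match = re.search(keyword + r"(.*)", query, re.I | re.S)
    return match.group(1) if match else ""


def classify(query: str, encrypted=ENCRYPTED_COLUMNS) -> str:
    # Replace string literals first so a value like 'email me' is not taken for a column.
    q = re.sub(r"'(?:[^']|'')*'", "?", query)
    names = [rf"\b{re.escape(c)}\b" for c in sorted(encrypted)
             if re.search(rf"\b{re.escape(c)}\b", q, re.I)]
    if not names:
        return "unaffected"
    where = _tail(r"\bWHERE\b", q)
    sort = _tail(r"\b(?:ORDER|GROUP)\s+BY\b", q)
    range_ops = r"\s*(?:<(?!>)|>|(?:NOT\s+)?LIKE\b|BETWEEN\b)"
    equal_ops = r"\s*(?:=|<>|!=|(?:NOT\s+)?IN\b)"
    # Randomized ciphertext has no usable order or prefix: these queries need redesign.
    if any(re.search(n, sort, re.I) or re.search(n + range_ops, where, re.I)
           for n in names):
        return "range-or-sort"
    # Exact-match lookups can no longer rely on a plain index over the column.
    if any(re.search(n + equal_ops, where, re.I) for n in names):
        return "equality"
    # Column is only selected or written: encrypt on write, decrypt on read.
    return "read-write"


def impact_report(log=QUERY_LOG) -> Counter:
    """Count how many captured queries fall into each impact category."""
    return Counter(classify(q) for q in log)


if __name__ == "__main__":
    for query in QUERY_LOG:
        print(f"{classify(query):14} {query}")
    print(dict(impact_report()))
```

The "equality" and "range-or-sort" buckets are the queries to bring to the business systems developer before encryption is switched on, since they are the ones query optimization will have to address.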

Application to Pre-existing Data

Most encryption solutions come equipped with tools for encrypting pre-existing data on the DB server. These solutions let stored data become encrypted.

Testing and Optimization of DB Encryption

By utilizing the queries which access saved data within your database, you can test the potential results. This checks whether the data has been properly encrypted and whether that data will be decrypted properly if it’s needed during a search request. As you test, you can alter the query slightly to access the information – this can cause slight to moderate processing degradation, but it’s possible to reduce the effect of degradation through query optimization.

Automatic query optimization tools exist which analyze the interaction between the DB server and business system application. These tools can detect which queries are needed, and by automatically identifying where changes are necessary, they simplify the optimization process and largely avoid performance degradation.

Monitoring

After the solution implementation is completed, you can monitor whether the encryption and decryption process is operating correctly, the interaction between the business system and DB server is running smoothly, and whether access policies are working properly. If the service experiences degradation, then it might be necessary to implement query optimization again.


There we go – safely store your personal data

Using the process mentioned above takes into consideration the necessary elements of a DB server environment. Following this process is the most comprehensive way to make sure that your personal data will be safely stored.


Disclaimer: Parts of this blog post were published on this website in 2013. The original posts have been combined and added onto this blog post in March 2016.