MyDiamo Expands Open Source Database Encryption Offerings to Include PostgreSQL

PostgreSQL will join existing supported platforms of MySQL, MariaDB and Percona as open source database adoption continues to grow. Alongside the expansion, Penta Security Systems Inc. has begun this year to offer NGOs free unlimited usage of the solution.

Leading data encryption vendor Penta Security Systems Inc. announced on September 19 at Singapore International Cyber Week (SICW) that the open source database encryption solution MyDiamo will now expand its offerings to include PostgreSQL. MyDiamo, the first ever open source database encryption solution, addresses the need to secure open source database management systems at minimal cost. The solution offers free licenses for those looking to encrypt databases for small or medium enterprises, and a commercial, minimal-cost license for enterprises seeking enhanced features. Earlier in 2017, it was announced that Penta Security would make the solution with full enhanced functions available to non-profit organizations free of charge, an initiative to encourage all organizations to empower themselves through proper security.

Since the advent of Web 2.0 and the rise in costs for security solutions, Penta Security has seen a dramatic increase in various audiences like individual clients, security administrators for enterprises, as well as non-profit organizations utilizing open source options to apply security to databases housing sensitive information. According to DB Engines, this has resulted in nearly half the market utilizing open source management systems, rather than commercial systems.

Commercial database options for enterprises typically involve vendor lock-in, which is why a compatible open source DBMS like PostgreSQL has recently soared in popularity. However, security is an often neglected area and with the rising adoption of open source databases, MyDiamo meets an urgent need to ensure data security remains at the enterprise level, no matter where data is located. With PostgreSQL’s 10th major release planned for this quarter, MyDiamo’s expanded offerings bring timely support as a security solution.

Regarding the new expansion, Chief Technology Officer of Penta Security Systems, Daniel ES Kim remarked,

“Open source database technologies have steadily matured, and these days, people are able to develop useful applications that benefit their community using tools available on the web. However, data leakage incidents have plagued even enterprises and not many are equipped to implement encryption. With PostgreSQL as part of MyDiamo’s supported DBMS offerings we’re hoping that through easing access to encryption solutions, prioritizing security becomes achievable for more people and organizations.”

PostgreSQL users will be able to enjoy MyDiamo’s comprehensive and accessible encryption solution, with the most up-to-date encryption algorithms, access control, and auditing functions. Differentiating itself from other encryption solutions or services, MyDiamo requires no code modifications because encryption operates at the engine-level within the database, making it an optimal solution even for those with minimal knowledge of IT-systems. The solution also utilizes Transparent Column Encryption, ensuring less than 4% system performance change before and after encryption with no application program or query modification.

With both noncommercial and commercial licenses, MyDiamo’s encryption solution supports MySQL, MariaDB, and Percona as well as the new offering of PostgreSQL.

Penta Security’s team will be unveiling MyDiamo for PostgreSQL along with market leading encryption solution D’Amo, in booth #R13 at this year’s GovWare during SICW. To find out more about MyDiamo, visit www.mydiamo.com.

About Penta Security
Penta Security Systems Inc. is a leader in web, IoT, and data security solutions and services. With 20 years of IT security expertise in powering secured connections, Penta Security is the top cyber security vendor in Asia, as recognized by Frost & Sullivan, and APAC market share leader in the WAF industry. Driving innovations across encryption, authentication, and signature-free firewall detection technology, Penta Security’s whole-system approach to security enables resilience in an era of hyper web integration and connectivity. For more information on Penta Security, visit www.pentasecurity.com. For partnership inquiries, email info@pentasecurity.com.

3 Web Security Services for Startup CEOs

Startup CEOs should secure their business

In 2013, Target, a massive retailer in the US, suffered a major web hacking incident that stole thousands of customers’ credit card information. After the event, Target was negatively affected as news leaked and company shares dropped by 1.5% the following year. These kinds of web attacks prove that nobody is completely safe from web hacking.

Now, we know that web security is not a hot topic that drives a conversation every day. However, as a startup CEO, it is imperative to have a basic knowledge of what web security options are available, so that you can do your best to protect your clients’ private information. Here are 3 options to help you better protect your company’s sensitive data.

Web Application Firewall (WAF)

Web Application Firewalls help monitor the incoming and outgoing HTTP/HTTPS traffic of your website. You can think of a WAF as the security scanner we see at the airport. People with the right credentials will get through the gates, but any visitor with malicious intent will be barred from entering your network. WAFs use specialized rules or patterns to identify whether a web visitor or traffic is dangerous. A WAF can be the essential first line of defense for any website owner, protecting the website at the network perimeter.

Malware Scanners

Having a WAF is a great way to protect your website. However, it won’t help your business much if you are already infected. Therefore, it is also helpful to have a malware scanner search for malicious programs already residing on your servers.

Infected sites can be a major turn off for customers, especially if they can infect the customers’ computers. This is a double edged sword because not only can you affect your customers, but once Google gets wind of this you can also be SEO blacklisted. Google can detect websites that have been infected by malware and warn customers away. So having a protected and clean website is not only good for the customer but also for business. Using a malware scanner for your internal network can help keep your website safe. For optimal security, one should always maintain a routine scan on servers. Better to be safe than sorry.

Database Encryption

Encryption is the process of transforming the data in a database into undecipherable data. An encryption program uses a series of complex algorithms and possesses a master key to turn the data back into its original form. Your database is where all the data of your business, such as specific customer banking information, is stored. It is one of the core elements of any online business; therefore, malicious hackers are always looking for a way to get their hands on it.

One of the world’s most popular database management systems, MySQL, is open source, so it can be highly vulnerable to attacks. Many CMS frameworks like Drupal, Joomla, and WordPress use MySQL as their default database. It is critical that you take every precaution to protect yourself from any would-be attackers. One way to do this is to use database encryption software. This can bring a third layer of protection in case any savvy web hackers get into your internal system.

The recent increase in the number of startups has made these businesses attractive targets for hackers to exploit. Customers entrust their information to businesses, and businesses should feel obligated to keep that information safe from hackers with malicious intent. One can’t be too careful when it comes to security. Get more in tune with your website and its security by installing these 3 great security solutions!

Web Vulnerabilities 101: What’s SQL Injection?

If you’re familiar with the digital or cyber world at all, you have probably seen the terms “SQL” or “SQL injection” thrown around. SQL is, simply put, a database language. In fact, SQL stands for Structured Query Language, and it was designed to operate database systems like the aptly named MySQL, Microsoft SQL Server, SQLite, or Oracle. SQL injection is an attack in which SQL statements that were never meant to be there are supplied as input. This changes what the code does from what it was originally meant to do.

My name is Hold Please and I make a phone call to my credit card company to complain about my bill this month. When asked by an automated customer service system about what my name is, I say “Hold Please.”

The customer service rep holds…

This is SQL Injection, in a nutshell.

[Image: SQL injection comic strip by xkcd]

The injection could affect any website or web application that uses an SQL-based database (like MySQL or Oracle). Thus, the vulnerability is one of the most prevalent types of web application vulnerabilities. In fact, in 2013, SQL injections were ranked the #1 threat of the year by OWASP (Open Web Application Security Project).

SQL Injection consequences?

The above examples could be humorous. So perhaps your response is, “Well, it’s not really hurting anyone.” But let’s add on more to the story.

Instead of answering “Hold Please,” when the customer service representative asks for my name I say, “Hold Please, and throw away any record of my credit card bills.” If the customer service rep did exactly what I asked, they just lost out on my payment.

  • SQL could be used to delete important information. It could affect how a web application could function
  • Data could be altered, and could cause repudiation issues. It could even alter a balance on an account. This could compromise your company’s integrity.
  • SQL Injection can be used to get past authentication or even impersonate users and administrators

To take it one step further, let’s say I have a huge grudge against this company. So when asked my name I say, “Hold Please, and throw away any record of my credit card bills. Also, go ahead and throw out the rest of the company’s customer accounts.”

  • Hence, worst case scenario: SQL Injection could be used to wipe out entire databases

As you can see, while you might say that SQL injection is a rather simple concept, it can bring with it an unending variety of dangerous consequences. Important information could be lost, data could be released, website defacement could occur, and your whole system could slow down or even cease to exist because of this injection.

Prevention of SQLi

Then how do you prevent it? SQL Injection is a common vulnerability and very widespread. But that does come with a silver lining: there are various ways to prevent the vulnerability and ensuing attacks. Here are just a few to get you started.

  • Update regularly: vulnerabilities are being found each and every day. It’s essential to have updates regularly patched.
  • Use parameterized queries: This means that your variables aren’t spliced into query strings that would accept arbitrary SQL input; instead, set parameters of given types are required. Parameterized queries require the developer to define all the code up front, so the database can distinguish between code and data. For example, let’s say that I need to input a username into a field. Without parameterized queries, I could input any kind of SQL code into the field, and perhaps have the database erased, but if the parameter were set to ‘@username’ then whatever I put in would be handled only as a username, without any kind of code.

Instead of saying “Hold Please” into the automated system, the system now requires that I input my 16-digit credit card number and then press #. This means the parameters are set to a certain number of digits and then the pound key only.
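The difference between splicing a username into the query text and binding it as a parameter, shown as an added example that is not part of the original post. It uses Python's built-in sqlite3 module; the `accounts` table, its rows and the function names are constructed for illustration, and `:username` is sqlite3's named-parameter form of the ‘@username’ parameter mentioned above.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, balance INTEGER)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 120), ("bob", 75), ("o'brien", 40)],
    )
    db.commit()
    return db


def lookup_concatenated(db, username):
    """Vulnerable form: the input becomes part of the SQL text itself."""
    query = (
        "SELECT username, balance FROM accounts "
        "WHERE username = '" + username + "' ORDER BY username"
    )
    return db.execute(query).fetchall()


def lookup_parameterized(db, username):
    """Hardened form: the SQL text is fixed; the input is bound as data only."""
    query = (
        "SELECT username, balance FROM accounts "
        "WHERE username = :username ORDER BY username"
    )
    return db.execute(query, {"username": username}).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input: a quote closes the string literal, the rest runs as SQL.
    hostile = "nobody' OR '1'='1"
    print("concatenated :", lookup_concatenated(db, hostile))   # every row comes back
    print("parameterized:", lookup_parameterized(db, hostile))  # no such username
    # A legitimate name containing a quote breaks the concatenated query ...
    try:
        lookup_concatenated(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print("concatenated fails on o'brien:", exc)
    # ... while the bound parameter handles it as ordinary data.
    print("parameterized:", lookup_parameterized(db, "o'brien"))
```

The same input that rewrites the concatenated query is just an unknown username to the parameterized one, and names that legitimately contain a quote stop causing errors.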

  • Web Application Firewall: This is by far one of the best things you can do in order to protect your applications. Coming in many forms (appliance, software, cloud-based), a WAF can help to filter and find malicious data. The one thing you should concentrate on, however, is what kind of method the WAF uses to detect the vulnerabilities. For example, while many companies use a pattern-based WAF that can have many false positives, Penta Security’s WAF, WAPPLES, uses a logic based engine rather than looking for a pattern. This logic-analysis engine will use 26 different search parameters to accurately analyze traffic, resulting in very low false positives.

Conclusion?

SQL injections are common, but that doesn’t mean that you shouldn’t take any precautions against it. Overall, it’s a simple concept but with an unending variety of dangerous consequences. Important information could be lost, data could be released, website defacement could occur, and your whole system could slow down because of this injection. If you run a business on a website or hold a valuable amount of data, SQL injection could spell disaster.

Make sure to protect yourself from potential loss by investing your time in these solutions to further the benefits in your future!

Security Solution Goes Global

A Korean solution provider is now the talk of the town after bringing its security solution to 60 countries through its new ‘Dual Licensing’ security solution sales strategy.

Data encryption and web security provider Penta Security Systems Inc. (CEO/Founder Seokwoo Lee, www.pentasecurity.com) announced that MyDiamo, Penta Security’s encryption solution for MySQL and MariaDB, has successfully entered into 60 countries with its dual license (free for personal use but not for commercial use) policy since its release in March last year.

Most Korean IT security companies export to other countries with a sole distributor or an overseas branch office. Penta Security broke this established business model and tried a new sales strategy to reach its customers. Now, the security solution MyDiamo has entered 60 countries, including the United States, China, Russia, Germany, Sweden, Norway, Denmark, and many more in just a little over one year.

MyDiamo has been sold to the countries in which Penta Security has not expanded its sales network, and the number of countries that have adopted the encryption solution is the largest among all Penta Security’s products. It also has reached the largest number of countries for Korea’s formidable domestic IT security industry. In all, more than 3,600 total licenses have been downloaded.

MyDiamo, the security solution

MyDiamo is an encryption solution for MySQL and MariaDB, which are the most popular databases with the top market shares. MariaDB is a database developed by Michael Monty Widenius, the founder of MySQL. The number of MariaDB users has rapidly increased due to its improved performance over other open-source DB environments.

MyDiamo secures these popular databases with technology from Penta Security’s data encryption platform D’Amo. MyDiamo provides one-way encryption, index-column partial encryption and column-level encryption using trusted international standard encryption algorithms, such as AES. It complies with PCI-DSS and provides masking features for credit card numbers.

Duksoo Kim, CTO of Penta Security, stated “We could not remain in the small domestic market, so we had to go global. However, it was not easy to export IT security products because there were differences in distribution channels and cultures.” He continued, “Last year, the dual licensing policy we chose instead of existing sales policy has brought us this wonderful and unexpected outcome.” He added, “We are not settling for this, however, and we are preparing various strategies, including cloud computing and on-demand services, to enter the global market.”