NEC Server Software Enables Advanced and Secure Login to Websites in Compliance with FIDO2

NEC Corporation announced today the availability of its enhanced NC7000-3A server software, which will enable simple, secure and swift authentication of users for access to websites and mobile applications through biometric authentication.

In addition, NEC is also releasing SDK-based voice authentication that accurately identifies users by extracting the unique characteristics of their voices when they speak predetermined phrases. The FIDO2(1)-compliant server software and updated SDKs are scheduled to be available in July and August 2019 respectively.

NC7000-3A integrates with business/service provider user profiles and manages authentication activities for web services. This software is a FIDO-certified product that enables users to be authenticated without sending biometric information or any other personal information outside of a terminal, thereby reducing the risk of compromising biometric identities and passwords.

Following this update, NC7000-3A server software is now certified with the FIDO2 standards established by the FIDO Alliance(2), which promotes international standards for “password-less” online user verification.

Existing NC7000-3A server software is certified with FIDO UAF, which allows users to log in with biometric authentication when using mobile applications, such as online banking. This latest update also supports FIDO2, which enables users of PCs and smartphones to use biometric authentication when logging in to websites as well. FIDO2 capability enables login using external authentication devices, such as security keys, through USB/NFC/Bluetooth communication standards.

In addition, SDKs that support a variety of authentication options, including fingerprint, face and voice recognition, are available for Android OS and iOS, enabling customers to freely select and combine multimodal authentication.

This server software and SDK will improve the convenience of logging in and prevent spoofing, which will contribute to the security of web services that require identity authentication. Specifically, it will enable password-less authentication for e-commerce, digital banking, and web services provided by municipalities and government agencies.

Under NEC’s “Mid-term Management Plan 2020,” the company is actively promoting services in new fields that leverage network strengths. Through this software, NEC is flexibly leveraging its networks to accelerate the provision of NEC Smart Connectivity(3), which links data generated by people and industry to create new social value.

“The NC7000 series is at the core of the NEC Smart Connectivity program and has a solid record of installations for financial institutions and telecommunications carriers,” said Takashi Sato, General Manager, Digital Services Solution Division, NEC Corporation. “This enhancement strengthens the role of Bio-IDiom(4), NEC’s portfolio of biometric solutions, in the provision of highly secure and convenient user certification, which supports the realization of a society where people, goods and services are reliably linked.”

Andrew Shikiar, executive director and chief marketing officer, FIDO Alliance, added: “NEC’s consistent efforts as a FIDO Alliance sponsor member help to promote the evolution and globalization of simpler, stronger FIDO Authentication. We are pleased to see NEC introduce its FIDO2 Certified server today as part of the strong and continuously growing ecosystem aimed to reduce the world’s reliance on passwords.”

“I am very pleased to see NEC obtain FIDO2 certification and to reinforce its standing as a member of the FIDO Alliance, whose goal is to supplant reliance on passwords,” said Koichi Moriyama, a Member of the FIDO Alliance Executive Council, Chairman of the Japan Working Group, Senior Director of Product Innovation, Product Department, NTT DOCOMO, INC. “As one of Japan’s leading ICT companies, we look forward to working together to accelerate efforts to create a world without passwords through deployment of FIDO certified products.”

References:
(1) https://fidoalliance.org/fido2/
(2) https://www.fidoalliance.org
(3) This is a collective term for network services that leverage NEC’s expertise and track record in network technologies and related solutions. We will utilize 5G and LPWA to create new data distribution that connects previously untapped data in various fields, such as social infrastructures, manufacturing, and retail, and delivers it to the people and goods they need.
(4) “Bio-IDiom” is NEC’s portfolio of biometric identification solutions, including face, iris, fingerprint, palm print, finger vein, voice, and ear acoustic solutions.
https://www.nec.com/en/global/solutions/biometrics/index.html

WinMagic now offers SecureDoc full drive encryption service for Linux users

Canadian data security solutions provider WinMagic is now delivering its SecureDoc encryption service for Linux users.

SecureDoc is an enterprise-grade managed full drive encryption solution. The new capability is intended to help enterprises manage encryption of Linux-based devices.

Enterprises rely on Linux-based tools like dm-crypt, cryptsetup, and Linux Unified Key Setup (LUKS) for encryption of devices. WinMagic’s SecureDoc for Linux can additionally provide encryption management solutions and help enterprises manage and unify encryption efforts across the organization.

Using SecureDoc full disk encryption, enterprises can manage Linux-based devices independently, reset passwords, lock down the devices, and efficiently control them.

“SecureDoc takes Linux encryption management to the next level, permitting online conversion which allows admins and users to log-in and work on the machine while encryption occurs, and removes the need to clear the disk and re-install the operating system before commencing encryption – saving enterprises valuable time and money,” explained Garry McCracken, vice president technology, CISSP at WinMagic, in a blog post.

SecureDoc also seeks to meet the compliance requirements for devices based on Linux and Windows. It offers a single console to see if all devices in the organization are encrypted and compliant with their encryption policy.

The devices report the encryption status of all their disks to the central console at a specified time interval. If a device goes missing, the IT team has proof of its encryption state for the auditors.

Additionally, WinMagic’s SecureDoc enables pre-boot network-based authentication for protection of data on drives during boot-up.

“Interestingly, the development of this full disk encryption for Linux laptops/desktops came after our launch of our cloud solution for Linux servers two years ago,” said Thi Nguyen-Huu, CEO of WinMagic.

“Originally an endpoint vendor, we traditionally ported our products to the cloud, but this time it is different. To our knowledge, the enterprise-class software-based encryption solution for Linux on top of dm-crypt is unique in the industry.”

ZNetLive rolls out Acronis Backup Cloud to provide businesses with constant data availability in changing threat landscape

ZNetLive, India’s leading web hosting and cloud services provider, today announced an expansion of its product portfolio to include Acronis Backup Cloud. The new service delivers reliable hybrid cloud backup to businesses of all sizes, enabling them to completely and efficiently protect critical data in any environment.

With ransomware attacks growing in frequency and complexity, business data is continuously at risk. Security experts and the FBI agree that with more cybercriminals trying to earn easy money, ransomware attacks will continue to be more frequent, especially among corporate and small business environments.

Backups are widely considered the ultimate defense.

“For any business, data is imminent for its survival. Data security is utmost as no successful business can afford a minute of downtime. With organizations tasked to protect increasingly heterogeneous and complex environments spanning across physical, virtual and cloud systems, choosing the right data protection mechanism becomes a herculean task.

Thus, we have rolled out the Acronis Backup Cloud solution – the most effective cloud backup that ensures business continuity by addressing all backup and recovery challenges of the enterprises across different infrastructures,” said Munesh Jadoun, Founder & CEO, ZNetLive.

Acronis Backup Cloud provides the most secure solution to fight the growing threat of ransomware. In addition to storing data in the cloud and out of the reach of hackers, the service includes Acronis Active Protection, a built-in anti-ransomware solution that:

  • Leverages advanced machine learning and artificial intelligence-based technology to monitor systems in real time to actively detect an attack.
  • Stops suspicious computer activities immediately to prevent unauthorized encryption, modification or alteration of files, applications, and systems.
  • Notifies users of potential threats and automatically restores any files affected in an attack.

The real-time protection from Acronis Active Protection helps businesses avoid costly downtime, which otherwise would be required to recover from a ransomware attack.

“ZNetLive knows that modern IT pros need effective solutions that effectively address modern IT challenges,” said Lian Wee Loo, Acronis Senior Director of Cloud Business in APAC and Japan. “In the face of growing threats like ransomware, we’re proud to partner with a company that is equally committed to protecting their customers’ data. We look forward to a great relationship with ZNetLive.”

For more information, visit https://www.znetlive.com/acronis-backup-cloud/.

For this rollout, ZNetLive has partnered with KMI Business Technologies, the primary distributor for Acronis on-premise and cloud backup solutions in India.

SSAE16 vs. SSAE18: What’s The Difference?

There’s a new SOC audit standard in town – and you need to know what it is and means if you’re to make an informed decision about your hosting company.

For years, SSAE16 has been the go-to standard for data centers and secure vendors.

It consists of three primary segments. SOC1 is tied to financial reporting – we won’t discuss that here, as it’s not really relevant to what we’re focused on. SOC2, meanwhile, is all about a business’s reporting as it pertains to information processing, system confidentiality, data integrity, and cybersecurity. Lastly, SOC3 covers the security controls in place with the aforementioned.

Though it’s not a certification as some hosts might have you believe, it’s still as good an auditing tool as there ever was to demonstrate that a vendor is serious about protecting client data. Recently, however, there’s been a new kid on the block. A new set of auditing guidelines has started making the rounds – and you should most definitely be aware of them.

SSAE16 vs. SSAE18 

Introduced in May 2017 and designed to replace its predecessor, SSAE18 differs in a few key areas from SSAE16:

  • It mandates that a service organization such as a cloud or colocation provider must disclose and identify all subservice organizations that operate in tandem with it. For example, if an IaaS provider works with a vendor that offers DDoS mitigation, it must disclose that relationship and include a description of what it relies on from the subservice vendor.
  • It requires service organizations to provide auditors with risk assessments highlighting their key internal risks, and demonstrating that there are controls in place to mitigate those risks.
  • It requires service organizations to constantly vet subservice organizations, and requires that they implement tools and systems to monitor the security controls at any subservice organizations they work with. The auditor must report the controls implemented to perform this monitoring, which can include:
    • Site visits
    • Security tests at the subservice organization
    • Monitoring of external communications
    • Review of the subservice organization’s SOC reports
    • Regular review of output reports
  • It expands reporting to include compliance with certain laws and regulations, contractual arrangements, and outsourced services.

“The changes made to the standard this time around will require companies to take more control and ownership of their own internal controls around the identification and classification of risk and appropriate management of third party vendor relationships,” reads a blog post on the SSAE16 website. “These changes, while not overly burdensome, will help close the loop on key areas that industry professionals noted gaps in many service organization’s reports.”

In short, SSAE18 is designed to provide clients with more visibility into the operations of their vendors, and to make vendors better manage their business partners. Mind you, it’s not essential – a vendor that has undergone an SSAE16 audit is not necessarily less secure than one that was audited under SSAE18. Eventually, however, SSAE18 will replace SSAE16 – and before that happens, it’s important that you understand what that means.

About Guest Author: 

Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.

Protecting Privacy and Personal Data Key to Digital Economy in Africa, says Internet Society

Internet Society and African Union Commission launch guidelines on Personal Data Protection

Today at the Africa Internet Summit (www.InternetSummit.africa) in Dakar, Senegal, the Internet Society and the African Union Commission unveiled a new set of Guidelines that highlight how privacy protection and the responsible use of personal data are critical factors in building greater trust online and in advancing the digital economy in Africa.

The Personal Data Protection Guidelines for Africa launched today were jointly developed by the Internet Society — a global non-profit organization that promotes the open development, evolution and use of the Internet — and the African Union Commission to facilitate the implementation of the AU’s Convention on Cyber Security and Data Protection (known as the Malabo Convention), adopted in 2014.

The Guidelines recommend a range of actions for governments, policy makers, citizens and other stakeholders to take at the regional, national, organizational and individual level. Among the key recommendations for governments is that they should respect and protect individuals’ rights to privacy online and offline.

“Recent global events have shown us that the lack of appropriate protection for personal data can have a profound impact not just on individuals but also on society at large, to the point of endangering democratic systems,” said Dawit Bekele, African Regional Bureau Director for the Internet Society. “These Guidelines explain how people can take a more active role in the protection of their own data as well as the role that other stakeholders, including governments and legislators, have in ensuring the proper use of data.”

Two key principles of the Guidelines urge all AU Member States to: recognize privacy as a foundation for trust in the digital environment and prioritize the sustainable and responsible use of personal data in the digital economy.

In addition, there are recommendations for citizens who are concerned about their data and privacy including:

  • Use the Internet and other sources to inform themselves about the risks and benefits of the digital economy or their online activities. This includes being aware of agreements they make when they sign up for “free” services or use social media platforms that may profit off their data.
  • Understand and exercise their rights, and act when needed. There is a corresponding role for governments to empower individuals to do so by ensuring citizens know how to exercise their rights under privacy and personal data protection laws.
  • Develop their capabilities to protect their interests online. Supervisory authorities and governments should take steps to ensure that service providers and product vendors are transparent about their business models and product capabilities, so consumers can make informed choices about the privacy implications of products and services.

“The Malabo Convention is the first step towards developing national legislative frameworks for cybersecurity and data protection in Africa. The guidelines launched today provide a path forward for the member states that have signed the convention, and hopefully encourage more countries to join,” says Moctar Yedaly, Head of Information Society Division, African Union Commission.

For more information, visit: www.InternetSociety.org

Secura Partners with HyTrust to Offer Robust Virtual Machine Level Data Encryption as a Service

Secura is delighted to announce a partnership with workload security specialist HyTrust, to offer HyTrust DataControl virtual machine level encryption to customers as a service, on flexible, monthly terms.

Fully managed by Secura, HyTrust DataControl can be delivered as either a stand-alone solution or as part of Secura’s comprehensive Web Protect online security suite.

Many data encryption technologies will only encrypt on a platform level, or premium license editions of software would need to be purchased to access encryption, making them expensive options to implement, with lengthy minimum contract terms.

DataControl allows encryption at rest to be applied on a per virtual machine basis, so only those specific parts of a platform that hold sensitive or regulated data need to be encrypted, making it incredibly cost-effective for businesses to implement and protect their data.

DataControl also works with very little of the performance impact that is traditionally associated with data encryption. It offloads AES encryption operations to the AES-NI extensions integrated into the Intel Xeon CPUs in Secura’s hypervisor hosts, minimising the overhead of encryption operations on platform performance.

Secura CEO, Oliver Beaton, commented, “With the introduction of GDPR legislation looming, encryption of sensitive data is a very sensible security measure to introduce and has become a priority for many of our customers, who are looking to safeguard their business data. Our managed DataControl solution makes it simple for companies of any size to access data encryption in a cost-effective way that does not require significant upfront investment or long-term commitment.”

Secura CTO, Dan Nichols, commented, “We’re delighted to have partnered with HyTrust to offer DataControl encryption to our customers. It’s an incredibly effective, flexible technology that delivers robust, PCI compliant data encryption with a granularity that makes it tremendously accessible.”

HyTrust, Director, Cloud Service Provider Business, EMEA, Stuart Simmons, commented, “We are proud to welcome Secura into our Trusted Cloud Partner Program. The combination of Secura’s highly skilled team and the HyTrust DataControl product means customers can have a high degree of confidence in Secura’s secure cloud services. With the increase in data breaches and numerous compliance and regulatory frameworks customers can adopt Secura’s secure cloud services with confidence.”

For more details visit https://secura.cloud/

Google ramps up G Suite security console

Google recently announced a new security feature, OAuth apps whitelisting, for its G Suite customers.

The feature puts more visibility and power in the hands of customers, allowing them to define how their data is used by third-party apps.

Google added the feature to its G Suite security controls in an effort to improve data access permissions and protect user data from phishing attacks.

A few months back, Gmail users were hit by a phishing scam built around an email that claimed to be an invitation to Google Docs. In reality, it was an attempt to prompt users to grant a third-party app permission to use their personal data.

With the new feature, Google aims to prevent such phishing attacks in the future by raising the level of security around users’ data.

G Suite admins can whitelist apps and let users decide whether to give a third-party app permission to access organization data. This keeps users from being tricked into accidentally granting permission to apps.

Users will get clearer visibility into each app, including the app name, app ID, app type, what data it can access and how many users are currently using it.

“This prevents malicious apps from tricking users into accidentally granting access to their corporate data,” Google explained.

If the feature is enabled by the admins, then the third-party access will be based upon the defined policy.

Google will roll out the feature to the admin console in the coming days and has also prepared a tutorial to help admins understand the process.

Since the beginning of the year, Google has been working to protect customer data by introducing multiple security features such as DLP (Data Loss Prevention), phishing detection and S/MIME encryption.

Amidst increasing cyber-attacks, such security features will ensure better protection for user and organization data.

Peak 10 and StillSecure To Host Webinar On 2013 PCI DSS Compliance Standards on April 24th

Peak 10 Inc., an IT infrastructure and cloud solutions provider, will host a gratis webinar on how to best protect sensitive data in the cloud to meet new Payment Card Industry Data Security Standards (PCI DSS). The online event will be held Wednesday, April 24, 2013 at 11:30 a.m. EDT. The registration for the webinar can be done here.

Experts from Peak 10, a leading cloud solutions provider, and StillSecure®, a managed security services firm, will look at how recent updates to PCI DSS address the challenges of virtualized infrastructure, rogue wireless access detection, mobile payments and other issues.

Topics will include:

  • An overview of PCI compliance requirements
  • PCI compliance responsibilities (of the business and the cloud provider)
  • Compliance challenges posed by new technologies, governance, disaster recovery and other issues
  • February 2013 updates to PCI DSS
  • What to look for in cloud solutions providers and managed security services

About StillSecure
StillSecure designs and delivers managed network security solutions and certified compliance solutions for IT executives facing escalating security threats and evolving compliance requirements, as well as data centers looking to cement long-term customer relationships. For more information, visit stillsecure.com.

About Peak 10 Inc.
Peak 10 provides reliable, tailored cloud computing, data center and other information technology (IT) infrastructure solutions, primarily for mid-market businesses. Peak 10 is SSAE 16 audited and helps companies meet the requirements of various regulatory compliance acts such as Sarbanes-Oxley (SOX), HIPAA/HITECH, PCI DSS and Gramm-Leach-Bliley (GLBA). For more information, visit www.peak10.com.

Hackers Taking Advantage of Lack of Encrypting Knowledge

DAILYHOSTNEWS, October 23, 2011 – Despite encrypting databases, small businesses are leaving customer data open to hackers. Research has shown that even long passwords can be cracked in a few seconds.

Testing by hosting specialist UKFast has revealed that using the industry-standard hashing algorithm MD5 to protect data still allows a seven-character password (of lowercase letters and numbers) to be cracked in 7 seconds. If a more secure hashing algorithm such as SHA 256 were used, it would take up to seven times longer to brute-force the same password.

The tests call into question the security of customer data stored by SMEs, who often do not have the luxury of in-house IT teams or the technical knowledge to properly secure their customer databases.

In his remarks, Neil Lathwood, technical director at UKFast, explained: “Many small companies are trying to protect their customer data on their own or outsourcing their IT and relying on the skills of another company to secure their customer data. What these companies may not be aware of is that some methods of encryption are significantly less secure than others.”

“With the emergence of brute force password cracking using Graphics Processing Units (GPUs) for extra fire power, the need for strong encryption algorithms has become more important than ever. The MD5 algorithm is so weak that no one should be using it as their only encryption method – a normal PC without the extra GPU fire power could even crack the MD5 code.”

Lathwood further explained that “Using an encryption method like SHA256 rather than MD5 would still allow the hacker to decrypt the information but it takes significantly longer. For example, a seven character password (of any digit, letter or symbol) would take 1 hour, 40 minutes to crack when encrypted with MD5 but would take 12 hours, 53 minutes when encrypted with the SHA256 method.”

About UKFast
Founded in 1999 by Lawrence Jones and his wife and business partner Gail, UKFast is now a major player in the UK hosting solutions arena.
Website: http://www.ukfast.co.uk