RESEARCH AND REPORTS

Vormetric Resource Center

By Derek E. Brink, CISSP, Vice President and Research Fellow, IT Security and IT GRC

This report will provide you with explanations and actionable information that will help you secure your most crucial asset, your data.

The use of SaaS applications such as salesforce.com, ServiceNow, Workday, Box, and others has become the standard for the way many organizations conduct business, resulting in corporate data being sent northbound to the cloud.

While native and third-party encryption options including bring your own key (BYOK) are now being offered for many cloud services, challenges remain, including operationalizing the management of the encryption key lifecycle and the compliance requirements of some industry regulations to store keys separately from the encrypted data.

The 451 Take

Managed infrastructure providers can and do help supply their customers with encryption tools if asked. That is not special. What makes this worthy of note is that the offering is in the ‘as a service’ model. The service itself is based on a partnership and reseller agreement with established security vendor Vormetric (Thales Group), and uses the Vormetric Data Security Manager (DSM) integrated into the Peak 10 user console. It is agent-based, multitenant (at the DSM appliance) and runs on Peak 10 equipment as a virtual appliance. It is file-level encryption (as opposed to whole disk), and features include policy-based controls, auditable records, key management and other standard features for encryption software.

According to the legend of Willie Sutton, the oft-misquoted bandit robbed banks because ‘that’s where the money is’. Thus it’s no surprise that the U.S. financial industry is among those that are most heavily targeted by cyber attacks, and like the broader global economy, has been subject to numerous and well-publicized data threats.

Hardly a week goes by without news of another damaging data breach incident - according to the Privacy Rights Clearinghouse, the number of records breached in 2015 was more than twice that of 2014 – despite the fact that collectively, we are spending billions each year on various forms of cybersecurity and venture capitalists are spending princely sums on startups touting the latest and greatest new security offerings.

The past few years have subjected the U.S. economy to a seemingly endless chain of well-publicized data breaches that have elevated concerns about protecting sensitive data beyond the technical realm and into the mainstream public consciousness, and left few Americans confident that U.S. organizations are doing enough to ensure the safety of their digitally stored personal information.

The past few years have subjected the U.S. economy to a seemingly endless chain of well-publicized data breaches that have left few Americans confident that U.S. organizations are doing enough to ensure the safety of their digitally stored personal information. The Cybersecurity National Action Plan (CNAP) recently outlined by President Barack Obama acknowledges some of the current weaknesses in our national digital infrastructure and contains several proposals to help reduce our overall vulnerability to cyber threats, including $3bn in new funding, the creation of a federal CISO role, plans to recruit new cybersecurity talent and increased information sharing with the private sector. Regardless of the timing, appropriateness and ultimate effectiveness of the proposals outlined in CNAP, the plan highlights the growing awareness that as a nation, we need to do more to help increase our overall preparedness to meet the security threats presented by a new world order filled with cyber-criminals, nation-states, hacktivists and cyberterrorists.

The ‘triumvirate’ of cloud, big-data and the Internet of Things (IoT) can each offer substantial benefits via their ability to generate, collect and use data in novel ways that can both help improve decision making and allow for more agile and adaptive business models.

Unfortunately, as we have seen with historical patterns of IT evolution, security considerations typically take a back seat to establishing a market presence, and only get their due either as a way to remove barriers to adoption or plug holes after the damage is done. Not surprisingly, then, we have observed a fairly strong positive correlation over time between the maturity of a specific computing model or resource, and the ability to secure that resource - and cloud, big-data and IoT have followed a similar pattern.

Analyst Report by Adrian Lane, CTO, Securosis

This research paper lays out a series of recommended security controls for Hadoop, along with the rationale for each. The analysis is based upon conversations with dozens of data scientists, developers, IT staff, project managers, and security folks from companies of all sizes; as well as decades of security experience the Securosis team brings. These recommendations reflect threats and regulatory requirements IT must address, along with a survey of available technologies which practitioners are successfully deploying to meet these challenges.

451 Research Report

On October 19, 2015, Thales e-Security acquired Vormetric. 451 Research released this report on October 20, 2015, to share their analysis on the opportunities and competitiveness of the new combined company. The report also covers both companies’ profiles, core products and competition.

The 451 Take

It is becoming increasingly common for technology vendors – particularly those whose software or hardware represents a specialized, valuable component of an enterprise infrastructure environment – to view cloud service providers as an important market and channel. This is especially true as hybrid cloud models continue to blur lines between public and private, internal and hosted infrastructure resources. Most service providers, outside the small set of hyperscale public clouds, view their role as being more closely tied to service delivery than infrastructure operations. Security and compliance are at the top of that list, and are strong objectives for managed services. 451 Research’s Voice of the Enterprise cloud computing study rates security and compliance as the two most significant barriers to the adoption of cloud. The opportunity for security technology vendors in the managed hosting market is strong – likewise, the opportunity for service providers in developing managed offerings around these specific facets of infrastructure operations. The success of Vormetric’s cloud partner program is a useful indicator of this.

Read this paper to learn why Frost and Sullivan honored Vormetric with this prestigious award.

By Dave Shackleford, IANS Faculty Member and SANS analyst

This report is a survey and offers analysis on creating an enterprise-wide encryption strategy and explores the growing “encrypt everything” philosophy.

By Garrett Bekker, Senior Security Analyst

This research report analyzes Vormetric’s recent entry into the cloud encryption gateway market, tokenization, and explores Vormetric’s platform strategy. It includes a Strength, Weakness, Opportunity, and Threats (SWOT) analysis and competitive comparisons.

By Securosis analysts and industry experts, Rich Mogull, CEO and Adrian Lane, CTO.

This paper cuts through the confusion to help you pick the best encryption and tokenization options for your projects. The focus is on encrypting in the data center: applications, servers, databases, and storage. It also covers cloud computing (IaaS: Infrastructure as a Service).

High-profile cyber attacks spur stronger security and risk management

The results of SC Magazine's seventh annual survey, "Guarding against a data breach," suggest that a negative impact to a company’s reputation compels companies to improve their security against a data breach. Of course, regulatory mandates are a very close second. That's what the majority of nearly 1,000 respondents in the U.S. and U.K. had to say when queried about the primary reasons they are bolstering the protection of their electronic corporate data. The fear of negative publicity and compliance is driving a fair amount of the efforts in security, and so is executive board and customer demand. It seems the highly publicized data breach at Target in December and resignation of both CEO and CIO has resulted in a massive restructuring of its leadership and information security and compliance division. This article, which originally appeared in the April issue of SC Magazine, discusses trends in IT security investments and supply chain vulnerabilities. What is clear from the survey: The C-suite is getting the message. Highly concerned by the increase and severity of attacks, executive management are strongly engaged in security programs and engaging security leaders to have a larger voice in the boardroom. And in some cases there is a clear business benefit as many organizations increase security investment to provide a broader differentiated message to their customers.

By Phil Lee, Partner, Field Fisher

Updated for 2014, this document examines the global legal obligations to encrypt personal data – including both national and industry drivers. National focuses include the EU (the United Kingdom, France, Germany and Spain), the USA, Asia (Singapore, South Korea, Japan and Taiwan) and Australia. The industry focus is most strongly around financial services compliance requirements requiring encryption, particular obligations placed on the payments services industry, and the obligation to implement access controls and threat pattern recognition capabilities.

The 2014 Vormetric Insider Threat Report - European Edition represents the result of analysis of interviews with 537 IT and Security managers in major European enterprises around the question of insider threats. Insider threats have expanded from the traditional insiders to privileged users of systems and the compromise of internal accounts by the latest malware attacks. This infographic captures the key findings of the report, focusing on critical results around organizations' insecurities, concerns and technology investments, as well as comparisons against their US counterparts' responses.

183 completed telephone interviews with IT and Security managers in Australian enterprises. Organizations feel highly vulnerable due to the constantly changing nature of the insider threat landscape. Insider threats today have shifted to include both traditional insiders with access to critical data as part of their work, privileged users and the compromise of both groups' credentials by sophisticated malware and Advanced Persistent Threats (APTs). Focused on enterprises, the report details concerns, the status of protection today, and organizations' plans to offset these threats. Details report the responses of European organizations as well as comparisons against their US counterparts.

While all industries face an increasingly dangerous threat landscape, health care organizations are not defining new requirements, implementing new controls, or adapting security processes as quickly as those from other industries. Based upon the findings of this research project, health care organizations:

Remain more concerned with regulatory compliance than sound risk and threat management.

The 451 Take

The move makes plenty of sense for Vormetric. As its enterprise customers move workloads into cloud environments, it is important for the company to focus part of its energy on making it simple for those customers to move licenses to the cloud, or to acquire the same kind of protection from their cloud providers. Demand is increasing for data encryption among existing cloud users because unwanted access to data is in the public spotlight. Vormetric also stands to benefit in the long term from the recurring revenue associated with subscription-based sales of its tools (through service providers). A formal channel program is a valuable tool here. Infrastructure service providers, regardless of technical complexity or in-house expertise, tend to look to their technology vendors for specific and prescriptive direction around how to go to market with a given technology, pricing and support.

Financial services firms enjoy a few advantages over organizations in other industries. Banks and investment firms tend to have larger IT/security budgets and highly experienced security staff members. Large metropolitan banks also have more lucrative salary structures, and so they also have the luxury of recruiting the best and brightest security talent.

In spite of these advantages, financial services firms remain nearly as vulnerable to insider threats—41% of financial firms believe they are extremely vulnerable or vulnerable to insider threats—as compared with 47% of organizations from other industries. Just as with other organizations, they don’t feel secure.

Cybersecurity continues to be a top priority for agency decision makers, as recent news headlines have amply demonstrated. Government system vulnerabilities, if exposed because of relentless cyber assaults, could result in national security breaches and have costly and devastating effects on agency data and other technology assets. Four out of five execs agree that their cybersecurity worries have grown over the past two years. As a result, executives are under pressure to make sure they protect their agencies from these attacks, and thus are more focused than ever before on countering and surmounting these threats.

The 2013 Vormetric Insider Threat report was created with the goal of providing timely, relevant information about issues surrounding Insider Threats and Privileged Users. Based on the detailed survey responses of over 700 IT decision makers, the report found that organizations feel increasingly vulnerable to insider threats, and that there are major gaps between existing security processes and the technologies needed to address them. Results also highlight.

Topics: Insider Threats, APTs, Access Control, Encryption

This study highlights recent changes in how organizations feel about their vulnerability to insider threats and details the technology trends driving changes in the risk from insiders. Compared with even two years ago, organizations are feeling significantly more threatened, with 54% feeling that insider threats are more difficult to protect against than in 2011. Read the full brief for greater details.

Topics: Insider Threats, APTs, Access Control, Encryption

By: Coalfire Systems, Inc.

Created by leading PCI-qualified security assessor and independent IT audit firm Coalfire®, this Solution Guide details how the Vormetric Data Security Platform helps support and manage Payment Card Industry Data Security Standard (PCI DSS) requirements 3, 7, 8, 10 & 11 within VMware environments. This solution mapping and guidance allows Vormetric and VMware customers to maintain confidence in the safe handling of sensitive information while meeting even the most stringent audit requirements.

Topics: PCI DSS compliance, VMware environments, Encryption, Access Control

By Jon Oltsik, Enterprise Strategy Group (ESG)

When it comes to information security, large organizations tend to focus on fire fighting rather than long-term strategy. Unfortunately, this short-sighted approach has its limits. Ultimately a tactical approach to security results in high costs, disparate independent technology controls and increased risk.

An enterprise encryption and key management strategy will require money and resources, but smart CISOs will recognize the business value and sell it to their peers. An enterprise encryption and key management strategy will enable organizations to control and share information while managing risk.

Customer and Partner Success

  • Rackspace Cloud Partners
  • McKesson
  • AWS
  • Google Compute Engine
  • Microsoft
  • IBM
  • CenturyLink
  • QTS
  • Teleperformance Secures
  • Delta Dental