Privacera announced a technology partnership with StreamSets. This new integration ensures joint customers data is secured whether accessing it for data processing, or migrating it from on-premises data repositories to the cloud.

When moving to the cloud or preparing for ETL (extract, transform, and load) processing, data is often sourced from a myriad of applications and systems. These systems are often managed and operated by different employees across the organization who all require varying degrees of access to different datasets based on their roles, responsibilities, or analytical needs.

When data teams access data to build data integration pipelines, sensitive data within those disparate systems and files must be encrypted to protect it throughout all stages of the ETL process to prevent misuse by unauthorized users and to avoid privacy or compliance violations.

Privacera provides StreamSets users powerful column-level encryption to ensure sensitive data, such as personally identifiable information (PII), Payment Card Information (PCI), or Protected Health Information (PHI), is secured end-to-end throughout the ETL process. Whether data is at rest or in flight, Privacera enables customers to safeguard against unauthorized use and ensure compliance with stringent privacy regulations like CCPA, GDPR, LGPD, HIPAA, and more.

The combination of Privacera and StreamSets enables our customers to accelerate digital transformation by providing a centralized solution for data integration and governance across the open cloud no matter where data resides, said Vincent Goveas, Director of Product Management at Privacera.

Privacera Encryption Gateway (PEG) is a robust, scalable API gateway that extends Apache Rangers Key Management Services (KMS) and policy engine to offer precise policy-based encryption and decryption schemes for fine-grained, column-level data protection. StreamSets users can define how to encrypt sensitive data using various schemes, enabling them to encrypt whole elements or selected parts of a field. PEG automatically finds the scheme mappings and encrypts either entire elements in bulk, or encrypts all the relevant content from sensitive fields, as specified in the schemes.

As companies aim to deliver continuous data, StreamSets and Privacera keep pace with our joint customers needs by providing a seamless, centralized data integration and governance solution that secures data across multi- or hybrid-cloud architectures, said Mary Berg, VP of Worldwide Business Development at StreamSets.

The StreamSets DataOps platform is the multi-cloud DataOps platform for modern data integration, helping enterprises to manage data drift, frequent and unexpected changes to upstream data that break pipelines and damage data integrity.

With Privaceras integrated encryption and decryption capabilities, more data is made accessible to a greater number of StreamSets data engineers without risking exposure of sensitive elements. This accelerates secure, efficient data analysis and provides safe democratization of data across various business units, so enterprises can save time and resources when performing data analytics.

See the original post:
Privacera partners with StreamSets to strengthen data security for ETL processing in the cloud - Help Net Security

Dublin-based Evervault, a developer-focused security startup which sells encryption via API and is backed by a raft of big name investors including the likes of Sequoia, Kleiner Perkins and Index Ventures, is coming out of closed beta today announcing open access to its encryption engine.

The startup says some 3,000 developers are on its waitlist to kick the tyres of its encryption engine, which it calls E3.

Among dozens of companies in its closed preview are drone delivery firm Manna, fintech startup Okra and health tech company Vital. Evervault says its targeting its tools at developers at companies with a core business need to collect and process four types of data: identity & contact data; financial & transaction data; health & medical data; and intellectual property.

The first suite of products it offers on E3 are called Relay and Cages; the former providing a new way for developers to encrypt and decrypt data as it passes in and out of apps; the latter offering a secure method using trusted execution environments running on AWS to process encrypted data by isolating the code that processes plaintext data from the rest of the developer stack.

Evervault is the first company to get a product deployed on Amazon Web Services Nitro Enclaves, per founder Shane Curran.

Nitro Enclaves are basically environments where you can run code and prove that the code thats running in the data itself is the code that youre meant to be running, he tells TechCrunch.We were the first production deployment of a product on AWS Nitro Enclaves so in terms of the people actually taking that approach were the only ones.

It shouldnt be news to anyone to say that data breaches continue to be a serious problem online. And unfortunately its sloppy security practices by app makers or even a total lack of attention to securing user data thats frequently to blame when plaintext data leaks or is improperly accessed.

Evervaults fix for this unfortunate feature of the app ecosystem is to make it super simple for developers to bake in encryption via an API taking the strain of tasks like managing encryption keys. (Integrate Evervault in 5 minutes by changing a DNS record and including our SDK, is the developer-enticing pitch on its website.)

At the high level what were doing is were really focusing on getting companies from [a position of] not approaching security and privacy from any perspective at all up and running with encryption so that they can actually, at the very least, start to implement the controls, says Curran.

One of the biggest problems that companies have these days is they basically collect data and the data sort of gets sprawled across both their implementation and their test sets as well. The benefit of encryption is that you know exactly when data was accessed and how it was accessed. So it just gives people a platform to see whats happening with the data and start implementing those controls themselves.

With C-suite executives paying increasing mind to the need to properly secure data thanks to years of horrific data breach scandals (andbreach dj vu), and also because of updated data protection laws like Europes General Data Protection Regulation (GDPR) which has beefed up penalties for lax security and data misuse a growing number of startups are now pitching services that promise to deliver data privacy, touting tools they claim will protect data while still enabling developers to extract useful intel.

Evervaults website also deploys the term data privacy which it tells us it defines to mean that no unauthorized party has access to plaintext user/customer data; users/customers and authorized developers have full control over who has access to data (including when and for what purpose); and, plaintext data breaches are ended. (So encrypted data could, in theory, still leak but the point is the information would remain protected as a result of still being robustly encrypted.)

Among a number of techniques being commercialized by startups in this space is homomorphic encryption a process that allows for analysis of encrypted data without the need to decrypt the data.

Evervaults first offering doesnt go that far although its encryption manifesto notes that its keeping a close eye on the technique. And Curran confirms it is likely to incorporate the approach in time. But he says its first focus has been to get E3 up and running with an offering that can help a broad swathe of developers.

Fully homomorphic [encryption] is great. The biggest challenge if youre targeting software developers who are building normal services its very hard to build general purpose applications on top of it. So we take another approach which is basically using trusted execution environments. And we worked with the Amazon Web Services team on being their first production deployment of their new product called Nitro Enclaves, he tells TechCrunch.

The bigger focus for us is less about the underlying technology itself and its more about taking what the best security practices are for companies that are already investing heavily in this and just making them accessible to average developers who dont even know how encryption works, Curran continues. Thats where we get the biggest nuance of Evervault versus some of these others privacy and security companies we build for developers who dont normally think about security when theyre building things and try to build a great experience around that so its really just about bridging the gap between the start of art and bringing it to average developers.

Over time fully homomorphic encryption is probably a no-brainer for us but both in terms of performance and flexibility for your average developer to get up and running it didnt really make sense for us to build on it in its current form. But its something were looking into. Were really looking at whats coming out of academia and if we can fit it in there. But in the meantime its all this trusted execution environment, he adds.

Curran suggests Evervaults main competitor at this point is open-source encryption libraries so basically developers opting to do the encryption piece themselves. Hence its zeroing in on the service aspect of its offering; taking on encryption management tasks so developers dont have to, while also reducing their security risk by ensuring they dont have to touch data in the clear.

When were looking at those sort of developers whore already starting to think about doing it themselves the biggest differentiator with Evervault is, firstly the speed of integration, but more importantly its the management of encrypted data itself, Curran suggests. With Evervault we manage the keys but we dont store any data and our customers store encrypted data but they dont store keys. So it means that even if they want to encrypt something with Evervault they never have all the data themselves in plaintext whereas with open-source encryption theyll have to have it at some point before they do the encryption. So thats really the base competitor that we see.

Obviously there are some other projects out there like Tim Berners-Lees Solid project and so on. But its not clear that theres anybody else taking the developer-experience focused approach to encryption specifically. Obviously theres a bunch of API security companies but encryption through an API is something we havent really come across in the past with customers, he adds.

While Evervaults current approach sees app makers data hosted in dedicated trusted execution environments running on AWS, the information still exists there as plaintext for now. But as encryption continues to evolve its possible to envisage a future where apps arent just encrypted by default (Evervaults stated mission is to encrypt the web) but where user data, once ingested and encrypted, never needs to be decrypted as all processing can be carried out on ciphertext.

Homomorphic encryption has unsurprisingly been called the holy grail of security and privacy and startups like Duality are busy chasing it. But the reality on the ground, online and in app stores remains a whole lot more rudimentary. So Evervault sees plenty of value in getting on with trying to raise the encryption bar more generally.

Curran also points out that plenty of developers arent actually doing much processing of the data they gather arguing therefore that caging plaintext data inside a trusted execution environment can thus abstract away a large part of the risk related to these sort of data flows anyway. The reality is most developers who are building software these days arent necessarily processing data themselves, he suggests. Theyre actually just sort of collecting it from their users and then sharing it with third-party APIs.

If you look at a startup building something with Stripe the credit card flows through their systems but it always ends up being passed on somewhere else. I think thats generally the direction that most startups are going these days. So you can trust the execution depending on the security of the silicon in an Amazon data center kind of makes the most sense.

On the regulatory side, the data protection story is a little more nuanced than the typical security startup spin.

While Europes GDPR certainly bakes security requirements into law, the flagship data protection regime also provides citizens with a suite of access rights attached to their personal data a key element thats often overlooked in developer-first discussions of data privacy.

Evervault concedes that data access rights havent been front of mind yet, with the teams initial focus being squarely on encryption. But Curran tells us it plans over time to roll out products that will simplify access rights as well.

In the future, Evervault will provide the following functionality: Encrypted data tagging (to, for example, time-lock data usage); programmatic role-based access (to, for example, prevent an employee seeing data in plaintext in a UI); and, programmatic compliance (e.g. data localization), he further notes on that.

See original here:
Evervaults encryption as a service is now open access - TechCrunch

Image:Erick Reyes,Thales

Its hard to discuss digital fitness without examining the fundamentals that make it possible, and there's nothing more fundamental to digital success today than security.

But leaders face a conundrum: they need to deploy digital services quickly in response to changing market conditions and customer demands, in a way that doesnt open the door to cyber criminals.

Erick Reyes has worked with numerous organisations to keep their data safe. As the regional sales manager for Thales, Reyes does this by helping them adopt a new approach to data encryption that ensures their data is secure no matter where it is.

Why do you believe encryption is a fundamental part of an organisation's digital capability?

Encryption is one of the security tools that enables you to innovate with speed. It's like a high-performance car you wouldn't feel comfortable driving it fast safely it unless you knew that there's something you can leverage to stop you.

Organisations that we speak to today face previously unseen challenges brought on by disruptions in their markets and supply chains. Most of the time, these organisations have had to revisit and recalibrate some of their fundamental processes. More and more, to be successful means moving to the cloud, and all of a sudden you no longer have that safety net of a perimeter or a moat around where your crown jewels - your sensitive data - sits.

The way most organisations we speak to see that protection coming is through encryption. Being able to encrypt that data allows them to be more nimble in terms of innovation. But then the question is, how do I apply it without slowing my organisation down?

We've had encryption for decades though, so what's really changed to make it more important now?

Recently, we ran a data threat report that we compiled with 451 Research, which surveyed about 2,600 executives that highlighted an increase in adoption of cloud computing. But thats also introduced significant risks and security challenges. When organisations review what they're responsible for in the cloud shared security model, they find that they're ultimately responsible for the security of their data. But the challenge here is that their data resides outside their organisation's perimeter. So now they need to work out how to best protect this data, whilst ensuring that they maintain the performance needed by their organisation.

So how should an organisation go about embedding encryption into its innovation and development programs?

When we speak to organisations undertaking this security and digital journey, one of the key reasons why there is a lack of maturity with their data security approach is the complexity of managing legacy encryption technologies. Organisations typically employ five to 10 different management solutions. This is historical, as most technologies that they use include basic encryption mechanisms.

So what we're seeing with our discussions is a data security platform approach. Thales has a great tool called the CipherTrust Data Security Platform, which is allows organisations to reduce overhead, because you can manage all your encryption technologies from a single platform.

This ties into their existing infrastructure and in to native API calls. So this enables them to not only speed up, but to tie into the orchestration tools. And the developers are happy because suddenly security comes as they build. So the data security platform approach is fast evolving and provides organisations with a tool to enable their digital transformation with less complexity and without slowing down progress.

Can you give me an example of an organisation that's used encryption to accelerate its digital program?

Sure, we're currently working with a financial institution, where we've gone on the journey to leverage the CipherTrust platform as the foundation of their digital transformation strategy. The question was, how do we help secure their data without slowing down their digital strategy?

The challenges in their environment that we found were around reliability and performance. There were multiple encryption tools, which were negatively impacting the end users, developers and old applications. They had insufficient security controls and the native encryption tools in the databases were inadequate to meet compliance requirements and didn't give them the non-repudiation that they needed.

So when we started talking about designing and deploying a solution, the customer chose the CipherTrust Data Security Platform to secure sensitive data across the enterprise. This allowed them to lower overhead and simplify management, as the platforms console allowed them to apply more granular policies to provide that non-repudiation control they needed.

So how should security professionals go about convincing their colleagues to take this approach?

The conversation typically starts with compliance. When you start there, you're able to look at what their business really wants. This approach can help meet compliance requirements and build trust with customers. So start talking about how this platform approach can actually assist to meet business goals and ensure that security is on that critical path to compliance.

So how do you know when you have the right capabilities in your organisation?

When you start seeing that security is no longer holding you back from the objectives of your digital project you might find that your organisation doesnt have the necessary encryption experts. However you can always ask us we'll be happy to point you to the right direction. Ultimately, when you start seeing digital transformation accelerating or working without security hampering it, then you know you've got the right skill sets in place.

View original post here:
Why encryption is the key to digital fitness, according to Thales - iTnews

Trending

Last week, Apple took a cue from Australia and backflipped on protecting its users privacy.

The worlds most popular phone maker shared plans to begin scanning for child pornography or sexually explicit material in messages sent by users over iMessage or uploaded to iCloud storage.

End-to-end encryption guarantees privacy because only the sender and recipient can read the information. It protects people from overbearing governments, nefarious hackers and companies who want to siphon every piece of data from their customers.

Boiled down, what Apple has proposed is a sophisticated way of seeing whats inside even end-to-end encrypted messages. And if this all sounds familiar, thats because Australia did it first.

Sign up to WebCam, Cam's fortnightly newsletter for FREE.

In 2018, the Morrison government passed world-first anti-encryption legislation that would force companies and individuals to break any protection they gave their users. Some cited the need to combat child sex abuse material as a reason for these powers.

At the time, my colleague Bernard Keane called these powers bureaucrat-designed malware. Early analysis suggests the law is costing us billions.

The critique of Australias law and Apples proposal is the same: even if your digital backdoor is used judiciously, its easy to ratchet it wider and for someone else to stroll on through.

Apple has to take the position of Im Not Like Those Other Tech Companies, Im A Cool Tech Company, billing itself as the anti-Google, anti-Facebook, pro-privacy company.

Famously, Apple rejected pressure from the FBI to unlock a phone belonging to one of the two perpetrators of the 2015 San Bernardino shooting. (Theres a link to Australia in this story: it was a small Australian firm that ended up unlocking the phone in 2016.) Apple argued at the time that it would be a slippery slope.

Critics of Apples decision are applying this same argument today: if Apple scans messages and uploads for child sex abuse material, why not for terrorist material? OK, maybe that argument is fine to you. What about when China tells Apple it has to scan certain political images, or prevent citizens from sending them?

Apple says it wont its policy only allows for child sex abuse material flagged in two countries to set off their systems but given its compromises with authoritarian China in the past, the idea of Apple conceding in some way to the regime isnt out of the question.

Others have taken note of this disregard for encryption too. A similar anti-encryption bill proposed in the US last year appears to have stalled, but a statement from the Five Eyes nations along with Japan and India shows that such powers are on their wanted lists as well.

While the world is catching up, Australia continues to set the pace. As part of the controversial Online Safety Act which comes into effect early 2022, the government has created a set of Basic Online Safety Expectations.

A draft of expectations outlines a requirement for large tech companies to take reasonable steps to develop and implement processes to detect and address material or activity on the service that is or may be unlawful or harmful, even for encrypted platforms. The eSafety Commissioner can fine companies more than $500,000 for failing to meet these expectations.

So to recap: three years ago, Australians could expect that messages sent to others would stay between them and the recipients. Today, were set to have a system that requires companies to create backdoors in every platform; a flaw just waiting to be abused.

The inside story: how homegrown true patriots sharing conspiracies on a Zoom call sparked police raids across three statesI wrote about how a plot was hatched over Telegram to overthrow the Australian government by a group that had declared themselves as the alternate Australian Federal Police. (Crikey)

Inside Racism HQ: How home-grown neo-Nazis are plotting a white revolutionNines Nick McKenzie and Joel Tozer deliver a blockbuster investigation into Australias most active neo-Nazi group. A must-read for seeing how hate continues to bubble on the fringes of Australian society. (Nine)

Journalist trolled by anti-vaxxers after promoting vaccine despite developing rare side effectDaily Telegraph journalist Georgia Clark suffered a rare side effect from a COVID-19 vaccine. When she restated her faith in vaccines, she was attacked by anti-vaxxers and conservatives from around the world. (SBS)

George Christensen is launching a patriotic news website modelled on the Drudge ReportWith the maverick MP set to retire from Parliament before the next election, a draft website discovered by The New Dailys Josh Butler shows one of the many irons that George Christensen has in the fire. Will it last longer than his abandoned website, newsletter and YouTube show? Time will tell. (The New Daily)

Australian conspiracy theorists and anti-lockdown groups share fake COVID check-in appsAnti-vaxxers have found a clever way to circumvent QR check ins: a fake app that actually sends their details to Russia. What could go wrong? (The Guardian)

Emojipedia, the internets encyclopedia for emojis, just got acquired by phone software company ZedgeI was not aware that the online encyclopedia for emojis was run by a company based in Australia! Its just been sold to phone software company Zedge (Business Insider).

This month marks the tenth anniversary of the death of Zyzz, a young man from Sydneys south west who found fame as a muscle-bound, meme-making online legend.

Zyzz real name Aziz Sergeyevich Shavershian first drew attention by sharing images of his transformation from a gangly teen into a shredded, jacked and tanned young man flexing at music festivals and goading other users on 4Chans fitness message board and the forum BodyBuilding.com. (Bodybuilders have long attracted the internets attention because of the natural magnetism of their extreme physiques.)

What Zyzz did with that attention cemented his status: he posted his way into creating a philosophy.

University of Canberra Professor Glen Fuller, who has written about Zyzz in the past, told me that Shavershian showed a preternatural understanding of memetic culture and an ability to perform as an online character.

Zyzz understood Zyzz wasnt a person or a quality. It was a trajectory, aspiring to transform the self. It resonated with blokes from south-western Sydney who didnt align with the dominant white male identity, he told me.

In a way, he was the proto-influencer and shitposter: before Instagram was even invented, he was posting photos and videos as if he was a celebrity caught by the paparazzi. He coined now-ubiquitous phrases u mirin, u jelly, aesthetic and poses. He performed different sides of himself for different formats: alpha male in his poses, self-aware joker winking at his audience in videos.

His tragic death from a heart attack aged just 22 while on holiday in Thailand cemented his status as a larger-than-life figure who was the patron saint of skinny boys who spent too long online.

A decade on from his death, there are literally dozens of Facebook pages, Instagram profiles and TikTok accounts around the world still actively sharing Zyzz content, ranging from grainy looking footage of his workouts to repurposing his iconic photos as meme templates a testament to the enduring quality of the Zyzz philosophy.

The admin of one such group, @thezyzzlegacy, is a 17-year-old from Italy named Alfonso. Despite being just seven years old when Zyzz died, Alonso says Zyzz inspired him to start bodybuilding at age 14.

When I asked him over WhatsApp why he was so fascinated with a long-dead Australian bodybuilder, Alfonso sent me a 500-word screed that quoted Zyzz liberally and waxed lyrically about his intelligence, self-awareness and dance moves.

Zyzz is not a person, Zyzz is a way of life, he said.

Read more:
WebCam: How Australia paved the way for Apple's encryption backflip - Crikey