You’ve built a thriving business, earned a powerful brand in the marketplace, and deliver goods and services around the globe with world-class speed and efficiency. As a Global 2000 leader, you naturally have the best interests of your employees and your customers at heart, have painstakingly earned their trust, and would never willfully do anything to put them at risk. You’re confident that you provide a secure and trusted online presence, employ rigorous information security safeguards, and do everything necessary to protect the valuable data in your charge. You’ve invested heavily in people, processes, and technology, and truly believe that you’re doing all the right things. Don’t look now, but you might be deluding yourself.
Since industry-specific data security and privacy regulations now apply to most sectors of the economy in the United States, you probably find yourself falling under one or more of the following regulatory categories:
You take your compliance obligations seriously and devote great amounts of time and energy to ensure that your business meets all applicable legal and regulatory requirements. Despite best efforts and intentions, disturbing questions still gnaw at you. You ask yourself, “Does compliance standing alone truly make things sufficiently secure and keep sensitive data away from theft or exploitation?” Then you wonder, “How much more should I be doing?” Well, what if I told you that by focusing on compliance you’re really only doing the minimum necessary to keep the government regulators off your back and that compliance bears but a slim relationship to true data security?
You passed an audit—hooray! But don’t pop the champagne corks quite yet. Just because you, or your auditors, certify that your business has met narrowly defined, industry-specific information systems management requirements for the applicable reporting period doesn’t necessarily mean that all of your enterprise data or internal systems are safe from attack by outsiders or misuse by insiders. How can this be? Don’t government regulations exist to ensure our safety? If only it were this simple. In reality, it all comes down to the ways in which rules are made, namely through legislation and through regulations.
Legislative processes in a democracy are messy, slow, and fraught with political compromise, often resulting in watered-down laws designed to obtain just enough votes to pass the chamber. Even good, noncontroversial bills are routinely held up, delayed, or filibustered for months—or entire congressional sessions—by legislators seeking publicity or near-term political gain. Lawmakers frequently trade their support for one bill in exchange for another legislator’s vote on a different matter in an age-old congressional process known as “logrolling.” Finally, obscure or unpopular legislative “riders” with slim prospects of passing on their own merits are frequently attached to popular or “must pass” bills covering completely different legal subjects, leading to the passage of convoluted Frankenlaws consisting of multiple unrelated parts.
Regulatory processes are no better. Under authority granted to them by Congress in broad, general terms, the responsible agency typically conducts a months-long study, promulgates new proposed regulations based on the study findings, and then opens an often-lengthy public comment period. After reviewing the initial comments, the agency then revises the regulations, waits again for public comments, and then ultimately publishes the final version of the requirements in the Federal Register—regulations which take effect at a future date, often the following January 1 or July 1. Businesses need time to absorb and adapt to these new regulations, and then a year later, an audit tells them whether or not they have successfully interpreted the changes.
Wow! All through this extended time period, technology steadily advances and human ingenuity methodically progresses, including the actions of threat actors on a worldwide stage. New data security and privacy perils steadily emerge, while existing dangers morph or retreat across the ever-changing threatscape. Legislation and regulation are also highly mutable over time, as they are subject to shifting political trade winds. As a result, they can change course or even reverse themselves as presidential administrations come and go. Ultimately, legislation and regulations often significantly lag behind, and poorly reflect, the actual threats they are intended to address.
To truly protect your critical data and server infrastructure, you must look beyond parochial compliance requirements and take a broader view of your overall information security practices, specifically in relation to protecting information assets against trust-based attacks. First, conduct a full and complete inventory of all encryption keys and digital certificates, plus all authentication keys used within the enterprise. Use the strongest mainstream cryptography possible to secure these digital assets and then enforce robust security policies across your enterprise without exception. Understand trust relationships between users, keys, and the systems and servers they properly access. Replace weak signing algorithms and short key lengths, use trustworthy certificate authorities, and shorten key and certificate validity periods to one year. Monitor authentication and encryption usage patterns and alert when anomalies are detected. Finally, ensure that you have the ability to rotate all keys and certificates if a security breach is ever detected or suspected.
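The inventory and hygiene checks just described (weak signing algorithms, short key lengths, validity periods longer than one year) can be applied mechanically to every certificate you export from an inventory. The Go program below is an added example, not Venafi's code or tooling; the thresholds of 2048-bit RSA and 366 days are assumptions, and the function names AuditCertificate and AuditPEM are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Thresholds are this example's assumptions; the article only names the rules.
const minRSABits, maxValidity = 2048, 366 * 24 * time.Hour

// AuditCertificate applies the three hygiene rules to one certificate; an empty result means it passes.
func AuditCertificate(c *x509.Certificate) []string {
	var findings []string
	switch c.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "weak signature algorithm: "+c.SignatureAlgorithm.String())
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		findings = append(findings, fmt.Sprintf("short RSA key: %d bits", pub.N.BitLen()))
	}
	if d := c.NotAfter.Sub(c.NotBefore); d > maxValidity {
		findings = append(findings, fmt.Sprintf("validity %.0f days exceeds one year", d.Hours()/24))
	}
	return findings
}

// AuditPEM decodes one PEM CERTIFICATE block, as exported from an inventory, and audits it.
func AuditPEM(pemBytes []byte) ([]string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("input is not a PEM CERTIFICATE")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return AuditCertificate(c), nil
}

func main() {
	// Constructed sample: self-signed, SHA-256, 2048-bit RSA, but valid for three years.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "inventory-sample.example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(3 * 365 * 24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	fmt.Println(AuditPEM(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})))
}
```

Run over a directory of exported PEM files, the findings list is the worklist for the replace-and-rotate step the article calls for.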
No CEO or CISO wants to tell stakeholders that he or she is doing just the minimum required by compliance requirements—and not everything possible—to protect the enterprise and its customers against trust attacks.
If you strive to achieve strong security practices for their own sake, you will invariably find yourself exceeding the compliance requirements of the applicable laws and regulations in your industry. If you strive primarily for compliance, however, you will likely fall short of minimum practices necessary to achieve true data security and leave yourself vulnerable to trust-based attacks on the keys and certificates that enable enterprises to secure critical information systems.
Learn how Venafi can help protect your encryption and authentication assets against trust-based attacks to achieve both industry compliance and strong data security practices across the enterprise.