Encryption Requirements For Banks & Financial Services

As we know, the financial industry is among the most regulated in the world. There are strong data security requirements for the banking and financial industries because of the sensitive and private data they handle. While GLBA/FFIEC are specific to these industries, compliance regulations such as PCI DSS, SOX, and state privacy laws can also apply. One thing they all have in common, though, is that encryption, along with proper key management, can mean the difference between a public breach notification and a safe harbor.

The Gramm-Leach-Bliley Act (GLBA) specifically requires that institutions doing business in the US establish appropriate standards for protecting the security and confidentiality of customers’ nonpublic personal information (NPI). The objectives are to:

  • Ensure the security and confidentiality of customer records and information
  • Protect against any anticipated threats or hazards to the security or integrity of such records
  • Protect against unauthorized access to information that could result in substantial harm or inconvenience to any customer

“Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.”

Under FFIEC guidance and GLBA, banks and financial institutions should encrypt:

  • Any sensitive information an individual gives you to get a financial product or service (such as name, address, income, Social Security number, or other information on an application)
  • Any information you get about an individual from a transaction involving your financial products or services (for example, the fact that an individual is your customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases)
  • Any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report)

Encryption Key Management

Encryption – A specific requirement is that encryption and decryption operations must be carried out locally, not by a remote service, because both keys and data must remain under the control of the data owner if any privacy is to be achieved (ENISA 2014). To achieve this in practice, firms are likely to consider increasing their use of pseudonymization (in practice: encryption) techniques (Slaughter and May 2016).

Encryption is only as secure as your encryption keys.

Active Cypher Solution:

Instead of believing that everything behind the corporate firewall is safe, the Active Cypher data loss prevention security model assumes breach and verifies each request as though it originates from an uncontrolled network, regardless of where the request originates or what resource it accesses, following the Zero Trust principle of “never trust, always verify.”

The Active Cypher solutions are crypto-agile in data protection: data is encrypted with AES-256 symmetric keys by default, or with one of the many other symmetric-key algorithms.

Active Cypher protects the symmetric keys with an asymmetric Key-Encryption-Key (KEK): a PKI-based distribution and protection mechanism tied to X.509 RSA-2048 certificates and a permissioned device network topology.

All key creation, wrapping, distribution, and session lifetime are automated and run within the customer's Azure tenant. Attribute-Based Access Control is tied to key usage: identity and authorization are verified repeatedly and dynamically, based on device, user identity, and the Microsoft Graph Security API, in an information exchange that does not depend on input from the user or from an external application.

This secures both the storage of and access to decryption keys: the symmetric keys are themselves encrypted with AES-256 and wrapped under RSA-2048 via X.509 machine-certificate exchange, and can only be “unwrapped” on a specific device, for a specific user identity, once the Attribute-Based Access Control policy engine has returned an acceptable threat determination.
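The key-wrapping scheme described in the paragraphs above (a per-item AES-256 data key protected by an RSA-2048 key-encryption key), and the earlier point that keys must stay under the data owner's control, can be shown concretely with envelope encryption. The following is an added illustration written for this page using only the Go standard library; it is not Active Cypher's code and does not model the X.509 certificate exchange, the Azure tenant, or the ABAC policy engine. The device/user binding is approximated by feeding a constructed context string into AES-GCM as additional authenticated data, so an envelope sealed for one device/user context cannot be opened under another; the `oaepLabel`, `Seal`, `Open` and the sample context are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is the record stored or transmitted with protected data. The data
// encryption key (DEK) never appears in it unwrapped.
type Envelope struct {
	WrappedDEK []byte // 256-bit AES key encrypted with the RSA KEK (OAEP, SHA-256)
	Nonce      []byte // AES-GCM nonce, fresh for every DEK
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// oaepLabel binds the wrapped blob to its purpose: an OAEP ciphertext made
// under a different label will not unwrap. Constructed for this example.
var oaepLabel = []byte("dek-wrap-v1")

// Seal generates a fresh DEK, encrypts plaintext under AES-256-GCM with the
// caller's context bytes as additional authenticated data, then wraps the DEK
// with the recipient's RSA-2048 public key (the KEK).
func Seal(kek *rsa.PublicKey, plaintext, context []byte) (*Envelope, error) {
	dek := make([]byte, 32) // 32 bytes = AES-256
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, context)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	zero(dek) // the plaintext DEK is not needed once it is wrapped
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open unwraps the DEK with the KEK private key and decrypts. Any change to the
// ciphertext, nonce, wrapped key, or context makes it fail rather than return
// corrupted data.
func Open(kek *rsa.PrivateKey, env *Envelope, context []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, kek, env.WrappedDEK, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	defer zero(dek)
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, context)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// zero overwrites key material that is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	// In a deployment the KEK lives in the tenant's certificate store or HSM;
	// it is generated here only so the demo runs stand-alone.
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	context := []byte("tenant=contoso;device=LAPTOP-01;user=alice") // constructed sample context
	env, err := Seal(&kek.PublicKey, []byte("acct 1234: balance 99.00"), context)
	if err != nil {
		panic(err)
	}
	pt, err := Open(kek, env, context)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	// Same envelope presented from a different device context: the GCM tag fails.
	_, err = Open(kek, env, []byte("tenant=contoso;device=OTHER;user=alice"))
	fmt.Println("wrong context:", err)
}
```

The design point is that the KEK private key is the only long-lived secret and never leaves the owner's side; every protected item carries its own wrapped DEK, so rotating the KEK means re-wrapping 256-byte blobs rather than re-encrypting data, and a lost wrapped DEK exposes nothing without the private key.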

All key access and management are governed within your Azure Tenant. No third party has access to your keys, not Microsoft, not even us. During deployment, Active Cypher creates a secured Private Cloud for each client. Once the installation completes, we have no other access or connection to the client’s cloud. The owner of the Azure subscription is the only entity to hold the keys.