Gemalto Safenet Solution for Data Compliance
Overview:
Data Compliance Solutions
Regulatory mandates are nothing new, but in most organizations, the pressure, cost, and effort required to sustain data compliance are reaching unprecedented levels.
Organizations too often embark on compliance projects that patch holes in the system, only to have to restart the process all over when the next audit or mandate comes along. A new approach is needed in order to cost-efficiently and effectively meet compliance obligations.
Find your path to data compliance
Whether you're facing an audit or a new data security regulation, your organization can leverage Gemalto's suite of SafeNet Identity and Data Protection solutions to become compliant today and stay compliant in the future.
Explore the many regulations we help organizations address and learn about our approach to compliance:
Financial Data Compliance Regulations
- Basel Compliance: Gemalto's SafeNet Identity and Data Protection solutions help banking organizations comply with Basel II regulations, intended to protect against financial and operational risks faced by the banking industry.
- GLBA Compliance: The Gramm-Leach-Bliley Act, also known as the U.S. Financial Modernization Act, regulates the protection of consumer personal information held by financial institutions. SafeNet solutions help organizations ensure the security and confidentiality of customer records.
- J-SOX Compliance: J-SOX compliance introduces rules for the control of financial reporting to protect investors by improving the reliability of corporate disclosures. Gemalto helps organizations take a comprehensive data security approach to address J-SOX thoroughly.
- NCUA Compliance: The National Credit Union Administration (NCUA) mandates that credit unions design and implement an information security program to control identified risks. With SafeNet solutions, credit unions can control access to and encryption of member information as required by the NCUA.
- PA-DSS Compliance: A subset of PCI-DSS, the Payment Application Data Security Standard (PA-DSS) ensures that applications securely store, process, or transmit sensitive cardholder data – making SafeNet hardware security module and database encryption platforms ideal for achieving compliance.
- PCI-DSS 3.0 Compliance: SafeNet Identity and Data Protection solutions provide organizations with the means to secure cardholder information at rest, in use, and in motion – often the most daunting Payment Card Industry Data Security Standard (PCI-DSS) compliance requirements.
- SOX Compliance: The Sarbanes-Oxley Act (SOX) forms a structure for corporate information governance, and Gemalto helps U.S. companies avoid the criminal litigation and penalties faced when in non-compliance.
Healthcare Data Compliance Regulations
- EPCS Compliance: Electronic Prescriptions for Controlled Substances, or EPCS, is a regulation issued by the US Drug Enforcement Administration (DEA) requiring medical practitioners to digitally sign e-prescriptions using two-factor authentication – like that offered by Gemalto – when prescribing medical narcotics.
- HIPAA/HITECH Compliance: HIPAA/HITECH regulations require that healthcare organizations take precautions to adequately protect electronic health records from cyber threats as well as unauthorized use or disclosure. Organizations utilize Gemalto's suite of SafeNet Identity and Data Protection solutions to seamlessly protect their sensitive information and achieve compliance.
Government Data Security Regulations
- CJIS Compliance: Criminal Justice Information Services (CJIS) Security Policy outlines the security precautions that must be taken to protect sensitive information like fingerprints and criminal backgrounds gathered by local, state, and federal criminal justice and law enforcement agencies.
- eIDAS Regulation: A very important part of the European Regulation on electronic identification and trust services for electronic transactions (eIDAS) is to regulate electronic signatures and ensure safe transactions online. By providing qualified electronic signatures, Trust Service Providers give both signatory and recipient a higher level of convenience and security.
- EU's GDPR: The General Data Protection Regulation (GDPR) harmonizes data protection regulations throughout the EU and establishes data breach notification requirements and fines. Our solutions enable organizations to deploy appropriate security controls to adhere to GDPR and avoid severe penalties.
- PIPEDA Compliance: SafeNet solutions are ideally suited for addressing Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), which establishes laws that regulate the collection, use, and disclosure of personal information by private sector organizations.
- State Breach Notification Laws: Modeled after California's S.B. 1386, many U.S. state laws mandate that individuals be notified when their unencrypted personal information is put at risk by a data breach. With SafeNet encryption solutions, organizations can avoid the costly penalties and the loss of customer trust that follow a breach.
Retail Data Compliance Regulations
- PCI-DSS 3.0 Compliance: SafeNet Identity and Data Protection solutions provide organizations with the means to secure cardholder information at rest, in use, and in motion – often the most daunting Payment Card Industry Data Security Standard (PCI-DSS) compliance requirements.
- PA-DSS Compliance: A subset of PCI-DSS, the Payment Application Data Security Standard (PA-DSS) ensures that applications securely store, process, or transmit sensitive cardholder data – making SafeNet hardware security module and database encryption platforms ideal for achieving compliance.
EU Compliance: General Data Protection Regulation (GDPR)
EU Compliance Evolves
The General Data Protection Regulation (GDPR), proposed by the European Commission, will strengthen and unify data protection for individuals within the European Union (EU), whilst addressing the export of personal data outside the EU.
The announcement of an agreement to finalize GDPR was made in December 2015 and following a vote by the EU parliament, the compliance deadline for GDPR was set for May 2018. The GDPR requirements as well as the amount of internal collaboration that will be needed to address them means organizations need to plan for compliance now.
The primary objective of the GDPR is to give citizens back control of their personal data. Once GDPR takes effect it will harmonize previous and other data protection regulations throughout the EU.
GDPR Compliance Requirements
This EU compliance regulation will have a far reaching impact for organizations throughout the world.
With the demise of Safe Harbor, U.S. companies that export and handle the personal data of European citizens will also need to comply with the new requirements put forth or be subject to the same consequences.
If your organization suffers a data breach, under the new EU compliance standard, the following may apply depending on the severity of the breach:
- Your organization must notify the local data protection authority and potentially the owners of the breached records
- Your organization could be fined up to 4% of global turnover or €20 million
However, GDPR does provide exceptions based on whether appropriate security controls are deployed within the organization. For example, a breached organization that has rendered the data unintelligible, through encryption, to any person not authorized to access it is not required to notify the affected record owners.
The chances of being fined are also reduced if the organization can demonstrate that a “Secure Breach” has taken place.
To address the GDPR compliance requirements, organizations may need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments, including the following:
- Servers, including via file, application, database, and full disk virtual machine encryption.
- Storage, including through network-attached storage and storage area network encryption.
- Media, through disk encryption.
- Networks, for example through high-speed network encryption.
In addition, strong key management is required not only to protect the encrypted data but also to support the deletion of files and compliance with a user’s right to be forgotten: destroying the key that protects a record renders that record unreadable.
Organizations will also need a way to verify the legitimacy of user identities and transactions, and to prove compliance. It is critical that the security controls in place be demonstrable and auditable.
Gemalto offers the only complete data protection portfolio that works together to provide persistent protection and management of sensitive data, which can be mapped to the GDPR framework.
CJIS Compliance Solutions
Criminal Justice Information Services (CJIS) Security Policy
A joint program of the FBI, State Identification Bureaus, and CJIS Systems Agency, the Criminal Justice Information Services (CJIS) Security Policy outlines the security precautions that must be taken to protect sensitive information like fingerprints and criminal backgrounds gathered by local, state, and federal criminal justice and law enforcement agencies.
The CJIS Security Policy contains specific requirements for wireless networking, remote access, encryption, certification of cryptographic modules, and minimum key lengths.
Criminal justice and law enforcement agencies should become familiar with the requirements set by the CJIS policy prior to procurement and deployment of affected systems.
Gemalto delivers remote access, multi-factor authentication, and encryption capabilities that ensure security of data throughout an organization, whether data is at rest, in transit, or in use.
Gemalto's SafeNet Products for CJIS Compliance:
Multi-Factor Authentication
Multi-factor authentication serves a vital function within any organization – securing access to corporate networks, protecting the identities of users, and ensuring that a user is who he claims to be. Our authentication-as-a-service, authentication management, and wide variety of authentication form factors enable organizations to establish and easily administer reliable access control policies, all while following strong authentication best practices.
Data-in-Motion Encryption
SafeNet High Speed Encryptors deliver certified Layer 2 network encryption, ensuring the most secure data-in-motion protection, maximum performance, near-zero overhead with “set and forget” management, and lowest total cost of ownership. CJIS-SP requires that data be encrypted when it is transmitted outside a secure facility, even within the same agency. SafeNet High Speed Encryptors can help provide control to protect the full life cycle of CJI in transit.
Data at Rest Encryption Products
In addition to SafeNet High Speed Encryptors, a broad range of SafeNet data encryption solutions enables organizations to move past silo-constrained encryption, to deploy encryption centrally and uniformly in a scalable manner that spans the enterprise, and to effectively control their CJI security policies. These solutions deliver unmatched coverage – securing databases, applications, personally identifiable information (PII), and storage in the physical and virtual data center and the cloud.
eIDAS Regulation
What is eIDAS?
eIDAS is the European Regulation on electronic identification and trust services for electronic transactions. The Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (referred to as eIDAS - electronic IDentification and Authentication Services) was published as Regulation (EU) No 910/2014 on 28 August 2014. Most of its provisions took effect on July 1, 2016, and the Regulation repeals the existing eSignatures Directive.
Because it is a regulation and not merely a directive (as its predecessor, the eSignatures Directive, was), eIDAS is not open to interpretation and applies directly as European Union law. eIDAS was developed to ensure that electronic transactions with businesses or public services can be conducted safely online, allowing both the signatory and the recipient a higher level of convenience and security.
What is regulated?
eIDAS mandates two primary codes of practice:
- Interoperability of government-issued ID: this section of eIDAS mandates that EU Member States mutually recognize each other’s electronic identification (eID) systems when accessing online services. This cross-border recognition makes an eID from any EU Member State interoperable with all other Member States. Although this is a mandate for the public sector, the private sector will follow suit if it indeed proves to make business transactions easier, faster and cheaper and truly opens up business opportunities across borders.
- Single Digital Market: While the eSignatures Directive guaranteed the admissibility of electronic signatures, eIDAS goes a step further by defining and providing requirements for Trust Services to ensure the security of electronic transactions. With eIDAS, Electronic Trust Services (eTS), including electronic signatures, electronic seals, time stamps, electronic registered delivery services and website authentication, will work across borders and will have the same legal status as paper-based processes. The goal is to increase confidence in the safety and reliability of digital transactions, which will lead to growing adoption and usage.
eIDAS and Electronic Signature
eIDAS recognizes electronic signatures as legally binding and identifies different levels of electronic signature.
- Electronic Signatures—are basic signatures in electronic form. With eIDAS, eSignatures are recognized legally and can’t be denied legal acceptance because they are digital.
- Advanced Electronic Signatures (AdES)—require a higher level of security typically met with certificate-based digital IDs. AdES must be uniquely linked to the signatory, can authenticate the signer and the document, and enable the verification of the integrity of the signed agreement.
- Qualified Electronic Signatures (QES)—also must be uniquely linked to the signatory, but are further required to be based on qualified certificates. Qualified certificates can only be issued by a certificate authority (CA) accredited and supervised by authorities designated by EU Member States. Qualified certificates must also be stored on a qualified signature creation device (QSCD), such as a USB token, smart card or a cloud-based hardware security module (HSM). In order to provide qualified eSignature services, a trust service provider must be granted qualified status.
How to Prove Digital Signature Compliance with eIDAS
Common Criteria is an international set of guidelines and specifications for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments. Common Criteria (CC) certification is a pre-requisite for qualified digital signatures under the eIDAS Regulation.
- Gemalto’s IDPrime MD 840 and IDPrime MD 3840 smart cards are both CC EAL5+ / PP Java Card certified for the Java platform and CC EAL5+ / PP QSCD certified for the combination of Java platform plus PKI applet. The CC EAL5+ / PP QSCD certification is based on the Protection Profiles EN 419211 part 1 to 6, as mandated by eIDAS Regulation.
SOX Compliance Solutions
Sarbanes-Oxley Act
The Sarbanes-Oxley Act (SOX) regulates financial reporting and auditing of publicly traded companies. The law establishes strict requirements for reporting, disclosure, and internal controls, and defines penalties for non-compliance.
The SOX Act forms a structure for corporate governance, establishing higher levels of fiscal accountability for U.S. businesses. Company officers could face criminal litigation and penalties if found in non-compliance.
SafeNet Solutions for SOX Compliance
Gemalto offers authentication, encryption, and cryptographic key management solutions companies can leverage to address SOX compliance requirements and avoid the costly penalties.
Network Encryption
SafeNet’s field-level encryption capabilities secure critical data from internal and external threats. By implementing this solution, organizations significantly enhance internal controls, gain more sophisticated visibility into how and when sensitive data is accessed, and mitigate the threat of internal fraud.
Hardware Security Modules
SafeNet hardware security modules (HSMs) provide reliable protection for transactions, identities, and applications by securing cryptographic keys and provisioning encryption, decryption, authentication, and digital signing services.
Multi-Factor Authentication
SafeNet offers sophisticated controls over what financial data can be accessed, and by whom. Products offer detailed logging capabilities so that organizations can both understand and report how sensitive financial data is used and managed.
PCI DSS Compliance Solutions
For today’s security teams, addressing Payment Card Industry Data Security Standard (PCI DSS) compliance requirements can represent a massive effort—and the work’s never done. Industry-leading businesses around the world rely on Gemalto to effectively and efficiently address these requirements.
The Challenge: PCI DSS Continues to Change
Since Visa first rolled out its Cardholder Information Security Program (CISP) in 2001, organizations that manage cardholder data have been given detailed guidelines for securing their infrastructure and ultimately the payment data they manage.
While the PCI DSS requirements aren’t new, organizations’ technological environments and the threats that have to be combatted have changed dramatically in recent years. Further, the industry's guidelines continue to evolve, with the most recent release of PCI DSS, version 3.2, taking effect in July 2018.
While the PCI DSS features rules on everything from changing employee passwords regularly to deploying firewalls, many rules focus on the security of cardholder data and the systems used to manage it.
Encryption, Key Management and Strong Authentication for PCI Compliance
Gemalto can help address many of the critical challenges of meeting these PCI DSS requirements.
Our SafeNet solutions help organizations take a comprehensive, data-centric approach to security that not only helps address near-term compliance objectives but ensures the security of sensitive assets in the long term.
Specific PCI DSS compliance requirements we can help you address:
PCI DSS Goal: Build and Maintain a Secure Network
To establish secure networks, it is critical to institute strong, granular controls around such aspects as administrative access, server functions, virtual machines, and so on.
How Gemalto can help:
- SafeNet encryption solutions from Gemalto enable multi-tenancy and separation of duties to ensure that only authorized users can access secure data.
- SafeNet HSMs enable partitioning that establishes effective isolation of critical cryptographic keys.
- SafeNet ProtectV can encrypt virtual machines, and establish persistent controls against such threats as unauthorized copying, administrator abuse, and more.
- SafeNet High Speed Encryptors (HSE) encrypt all data that traverses an open network, enabling teams to address critical network vulnerabilities.
Requirements addressed:
- 2.2.1
- 2.2.3
- 2.3
- 2.6
PCI DSS Goal: Protect Cardholder Data
Encryption represents a vital requirement for safeguarding cardholder data. To address PCI DSS requirements, organizations need to leverage encryption of cardholder data in storage and transit.
How Gemalto can help:
- Gemalto offers a portfolio of solutions that offer capabilities for encrypting unstructured files, columns in databases, virtual machines, applications, and more, so organizations can granularly protect PCI DSS-regulated records and files.
- Gemalto also offers a tokenization solution that addresses PCI DSS requirements by converting the PAN (primary account number) to a token in the same format, which means associated applications can continue to operate seamlessly.
- Encrypted data is only as secure as the keys used to encrypt it. SafeNet KeySecure offers the strong, certified controls that address many requirements for key creation, administration, and retirement.
- SafeNet High Speed Encryptors deliver the Layer 2 network encryption capabilities that are essential in addressing requirements for safeguarding sensitive cardholder data transmitted over open networks.
Requirements addressed:
- 3
- 3.4
- 3.5.1
- 3.5.2
- 3.5.3
- 3.5.4
- 3.6
- 4.1
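To make the format-preserving tokenization point concrete, here is an added example (not Gemalto's or SafeNet's code) of a vault that replaces a PAN with a random, Luhn-valid, 16-digit token that keeps the last four digits, and that hands the PAN back only to an authorised role. The in-memory vault, the keyed index and the role names are assumptions for the demonstration.

```python
"""Format-preserving, vault-based tokenization (added example, not
Gemalto/SafeNet code). A PAN is replaced by a random 16-digit token that
is Luhn-valid and keeps the last four digits, so applications that
validate, store or display card numbers keep working while only the
vault, behind an authorization check, can map a token back to the PAN."""
import hmac
import secrets
from hashlib import sha256


def luhn_sum(number: str) -> int:
    """Luhn sum over all digits; a number is valid when it is 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_sum(number) % 10 == 0


class TokenVault:
    """In-memory stand-in for a tokenization vault. A real vault keeps the
    mapping in a hardened, access-controlled store; the index key here is
    generated in-process for the demonstration."""

    DETOKENIZE_ROLES = {"settlement", "chargeback"}   # constructed policy

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan: str) -> str:
        # Keyed hash so the reverse index never contains the PAN itself.
        return hmac.new(self._index_key, pan.encode(), sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if len(pan) != 16 or not luhn_valid(pan):
            raise ValueError("expected a 16-digit Luhn-valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:      # same PAN always yields the same token
            return self._token_by_index[idx]
        last4 = pan[-4:]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(11))
            # Digit 12 (index 11) sits at an undoubled Luhn position, so it
            # can absorb whatever value makes the whole token Luhn-valid.
            fill = (10 - luhn_sum(body + "0" + last4) % 10) % 10
            token = body + str(fill) + last4
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only authorised roles may recover a PAN; everyone else is refused."""
        if role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]
```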
PCI DSS Goal: Maintain a Vulnerability Management Program
An essential part of addressing this goal is the development and maintenance of secure systems and applications. To achieve this, organizations need to incorporate information security throughout the software development lifecycle.
How Gemalto can help:
Digital signatures are essential to establishing the validity of applications. SafeNet HSMs provide maximum security for signing material, storing this sensitive information in robust, tamper-resistant appliances and helping ensure the authenticity and integrity of code files.
Requirements addressed:
- 6
- 6.3
PCI DSS Goal: Implement Strong Access Control Measures
To achieve and sustain compliance, it is essential to establish strong controls around who can access sensitive resources, and under what circumstances.
How Gemalto can help:
- Gemalto's SafeNet authentication solutions offer comprehensive capabilities for managing user access. With these solutions, organizations can ensure individuals are assigned unique credentials, establish operational role segregation, log and report on user access, and automatically apply policies.
- With Gemalto's SafeNet encryption solutions, organizations can establish granular controls over who can access cardholder data. For example, by encrypting at the application level with SafeNet ProtectApp, your security teams can ensure that unauthorized users, even those with administrative permissions for an underlying server, cannot access sensitive data in the application.
- SafeNet KeySecure provides centralized key management throughout the data lifecycle. Once the encryption keys are destroyed, the data cannot be accessed in clear text.
Requirements addressed:
- 7
- 7.1.2
- 8.1.1
- 8.1.2
- 8.1.3-8
- 8.2
- 8.2.1
- 8.2.3
- 8.2.4
- 8.2.5
- 8.2.6
- 8.3
- 8.7
- 9
- 9.8.2
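The statement above that destroyed keys leave data inaccessible in clear text, and the GDPR section's point that key management underpins the right to be forgotten, both describe crypto-shredding. The following added example (not Gemalto or SafeNet code) shows it with a per-subject data key wrapped under a master key; the in-memory key store is an assumption, and the cipher is a standard-library stand-in rather than a production algorithm.

```python
"""Crypto-shredding (added example, not Gemalto/SafeNet code). Each data
subject's records are encrypted under their own data-encryption key (DEK),
and the DEK is stored only wrapped under a master key-encryption key (KEK).
Erasing the wrapped DEK makes every copy of that subject's ciphertext,
backups included, permanently unreadable. The cipher is a standard-library
stand-in (HMAC-SHA256 keystream plus HMAC tag); a real deployment uses
AES-GCM from a vetted library with the KEK held in an HSM."""
from __future__ import annotations
import hmac
import secrets
from hashlib import sha256


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Distinct keys for the keystream and for the authentication tag.
    return (hmac.new(key, b"enc", sha256).digest(),
            hmac.new(key, b"mac", sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; reject tampering or a wrong key."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, sha256).digest()):
        raise ValueError("authentication failed: tampered data or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SubjectKeyStore:
    """Key-manager stand-in: DEKs exist at rest only wrapped under the KEK."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)       # would live inside an HSM
        self._wrapped: dict[str, bytes] = {}

    def create_dek(self, subject_id: str) -> None:
        self._wrapped[subject_id] = seal(self._kek, secrets.token_bytes(32))

    def unwrap_dek(self, subject_id: str) -> bytes:
        if subject_id not in self._wrapped:
            raise KeyError(f"no key for {subject_id!r}: shredded or never created")
        return unseal(self._kek, self._wrapped[subject_id])

    def shred(self, subject_id: str) -> None:
        """Right to be forgotten: destroy the one DEK rather than hunting down
        every ciphertext copy; without it the copies are unrecoverable."""
        self._wrapped.pop(subject_id, None)


def store_record(keys: SubjectKeyStore, subject_id: str, data: bytes) -> bytes:
    return seal(keys.unwrap_dek(subject_id), data)


def read_record(keys: SubjectKeyStore, subject_id: str, blob: bytes) -> bytes:
    return unseal(keys.unwrap_dek(subject_id), blob)
```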
PCI DSS Goal: Regularly Monitor and Test Networks
Effective capabilities for tracking user activities are essential in enabling security teams to prevent and detect compromises, and to minimize their impact should a breach occur.
How Gemalto can help:
- SafeNet KeySecure gives organizations a central repository for all cryptographic activity data, which significantly streamlines auditing and logging efforts. SafeNet KeySecure maintains an extensive set of log files for tracking administrator and user activities. Further, the solution digitally signs log files so that their integrity can be verified.
- By leveraging Gemalto encryption offerings, such as SafeNet ProtectFile, SafeNet ProtectDB, SafeNet ProtectV, and SafeNet ProtectApp, organizations can gain an effective means for auditing and logging access to encrypted cardholder data.
Requirements addressed:
- 10
- 10.2
- 10.2.1-7
- 10.5
- 10.5.1-5
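The signed log files mentioned above rest on a simple idea: each entry is authenticated together with its predecessor, so an edited, removed, reordered or truncated entry is detectable. Here is an added example of that idea (not KeySecure's own log format; the HMAC chaining, the JSON entries and the sample key-management events are assumptions constructed for the demonstration).

```python
"""Tamper-evident audit log (added example; not SafeNet KeySecure's own
log format). Every entry carries an HMAC over its sequence number, its
content and the previous entry's tag, and the newest tag is recorded as a
separate head value. Verification then detects edited, deleted, reordered
or truncated entries. The signing key is assumed to be held outside the
logging host, for example in a key manager or HSM."""
import hmac
import json
from hashlib import sha256

GENESIS_TAG = "0" * 64


def _canonical(event: dict) -> str:
    # Stable serialisation so the same event always MACs the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def _entry_tag(key: bytes, seq: int, prev_tag: str, event: dict) -> str:
    msg = f"{seq}|{prev_tag}|{_canonical(event)}".encode()
    return hmac.new(key, msg, sha256).hexdigest()


def append_entry(log: list, key: bytes, event: dict) -> dict:
    """Append one signed entry chained to the previous one."""
    seq = len(log)
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    entry = {"seq": seq, "event": event, "tag": _entry_tag(key, seq, prev_tag, event)}
    log.append(entry)
    return entry


def head_tag(log: list) -> str:
    """Tag of the newest entry; keep it where the log writer cannot alter it."""
    return log[-1]["tag"] if log else GENESIS_TAG


def verify_log(log: list, key: bytes, expected_head: str) -> tuple:
    """Return (ok, reason); reason names the first problem found."""
    prev_tag = GENESIS_TAG
    for position, entry in enumerate(log):
        if entry.get("seq") != position:
            return False, f"sequence break at position {position}: entry removed or reordered"
        expected = _entry_tag(key, position, prev_tag, entry["event"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, f"entry {position} modified or chain broken"
        prev_tag = entry["tag"]
    if not hmac.compare_digest(prev_tag, expected_head):
        return False, "log truncated: last tag differs from recorded head"
    return True, "ok"


# Constructed sample events in the spirit of key-manager administration.
SAMPLE_EVENTS = [
    {"ts": "2018-05-01T09:00:00Z", "user": "admin1", "action": "key.create", "key": "k-1001"},
    {"ts": "2018-05-01T09:05:12Z", "user": "app-svc", "action": "key.use", "key": "k-1001"},
    {"ts": "2018-05-01T10:30:45Z", "user": "admin2", "action": "key.destroy", "key": "k-0999"},
]


def build_sample_log(key: bytes) -> list:
    log = []
    for event in SAMPLE_EVENTS:
        append_entry(log, key, event)
    return log
```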
Why You’ll Love Our PCI Compliance Solutions:
One of the key challenges merchants, banks, and payment processors face is the implementation of data encryption, key management, and strong authentication to comply with the PCI security requirements—and to do so in an efficient and cost-effective manner.
SafeNet Solutions Help Organizations:
- Reduce the cost and complexity of PCI compliance with the most complete and easy-to-manage data protection solution.
- Protect sensitive data at rest, in use and in transit to meet the most challenging PCI security requirements.
- Implement the industry's only comprehensive end-to-end solution that encrypts and controls access to sensitive data from clients, to databases, to endpoint devices.
- Streamline implementation, ensuring that PCI compliance deadlines are met and fines avoided.
In short, SafeNet data protection solutions address PCI compliance challenges without impacting your ability to leverage the data or deliver on the bottom line.
But don't just take our word for it:
"In developing the Solve DataShield offering, it was vital that we effectively comply with all the relevant PCI P2PE standards, including robust key management policies. Gemalto SafeNet Luna EFT HSMs delivered all the security capabilities that were required, while providing a platform that we could deploy quickly and manage efficiently."
- Nick Stacey
Dir. of Business & Market Operations
The Logic Group
Pricing Notes:
- Pricing and product availability subject to change without notice.