How to secure your business from cybercrime: Latest trends in Cryptography

The cost of cybercrime can hit $10.5 trillion by 2025, predicts the 'Cybersecurity Almanac 2022' report by Cybersecurity Ventures. Another report from IBM indicates the average data breach cost increased by 2.6%, from USD 4.24 million in 2021 to USD 4.35 million in 2022.

Cybercrimes have increased following the COVID-19 pandemic. The global health crisis brought about significant changes in people's lives and work, with a substantial shift toward remote work, online communication, and increased reliance on digital platforms. This created new opportunities for cybercriminals to exploit vulnerabilities and target individuals, businesses, and organizations.

In such a context, implementing, enforcing, complying, and maintaining robust security arrangements becomes critical.

At the core of this digital world security, cryptography helps to establish the digital trust needed across the online world. Some promising technologies are fast being adopted by organizations to shield themselves against cybercrime and be more compliant, as below: 

1) Hardware Security Module (HSM) / HSM as a Service

2) Key Management System (KMS) / KMS as a Service

3) Tokenization.

1. HSM / HSM as a Service

Hardware Security Modules (HSM) are like bank lockers, fortified tamper-resistant hardware device that safeguards and manages your sensitive data like cryptographic keys, digital signatures, and certificates.

HSM adheres to FIPS 140-2 standard that acts as a benchmark for cryptographic hardware. HSMs are extremely difficult to hack and have highly regulated access. Various organizations deploy multiple HSMs to enhance and bolster their security stance.

Prime reasons to use HSM:

• Store and protect all your cryptographic keys throughout their lifecycle
• Generate the most cryptographically strong keys for your Public Key Infrastructure (PKI)
• Protect the security of your keys through “zeroization” – that is, they’re built to erase or destroy all stored cryptographic data to prevent compromise
• Ensure compliance with data security regulations and simplify audit processes
• Offload cryptographic processing from the application server
• Secure the keys for your development, testing, and production environment.

HSM use cases

Entrust’s 2022 Global Encryption Trends Study shows that HSM usage has been steadily increasing over the last ten years, from 26% in fiscal year 2013 to 49% in 2022.

Some common HSM use cases include:

• Generate, manage, and validate credit/debit card PIN
• Validate credit/debit card credentials during payment transaction processing
• Generate credentials (secure access keys) for cards and mobile applications
• Generate EMV certificates for chip-based cards
• Point-to-point encryption (P2PE) key management and secure data decryption
• Share keys securely with third parties to facilitate secure communications
• Public cloud encryption
• Database encryption
• Big data encryption
• PKI or credential management
• Key management root of trust
• IoT root of trust
• Document signing.

Primarily deployed on-premises, legacy HSMs require complex deployment, frequent maintenance, and upgrades. The overall cost of maintaining such a setup turns out to be an overhead for various businesses, but with HSM as a Service, one can still deploy the service with a much-reduced CAPEX.

HSM as a Service can be deployed on-prem (as dedicated hardware) or purely on cloud-managed service backed by the highest level of security. Cloud HSM comes with FIPS 140-2 level 3 compliance and a PCI HSM certificate. With no hardware to deploy and software to manage, the service is 100% remotely managed.

Examples of HSM (as a service on the cloud)

• Google Cloud HSM
• AWS CloudHSM
• Azure Dedicated HSM.

How to use HSM

Entrust’s 2022 Global Encryption Trends Study suggests that 44% of respondents own and operate HSMs on-premises for cloud-based applications, and 38% of respondents rent/use HSMs from a public cloud provider for the same purpose. In the next 12 months*, respondents predict a significant increase in the ownership and operation of HSMs on-premises and the integration with a Cloud Access Security Broker to manage keys and cryptographic operations.

*Data collection started in December 2021 and was completed in January 2022.

Drawbacks of HSM

Every service has its own pros and cons, and HSM is no exception. Some drawbacks are:

• Complex to deploy and manage.
• Maintaining HSM is costly, especially for organizations that need to deploy multiple HSMs due to scalability needs or geographical reasons.
• HSMs can cause latency issues due to the cryptographic operation involved, impacting application performance.

However, there are trade-offs with each service, and it is a matter of requirement and assessment to decide what solution suits the best.

If managing and maintaining an HSM seems challenging, then why not go for a cloud-based, fully managed Key Management Service (KMS)? Cloud KMS provides you with full control over the encryption keys and is often backed by an HSM for enhanced security and higher compliance need.

2. Key Management Service

In the banking landscape, whether it is credit/debit card information, login credentials, encryption keys, or any sensitive data, it must be stored securely. Data encryption is the solution. Encrypting data using “encryption keys” would solve the purpose, but how to ensure the security of “encryption keys”?

A key management System (KMS) is one such solution. KMS helps store the keys securely (backed up by an HSM, if needed) and provides a centralized way to manage encryption keys.

KMS use cases

A Key management system (KMS) is a tool used for generating and managing keys and ensuring their security. This system enables users to manage key life cycles:

• Generation
• Distribution
• Usage
• Storage
• Rotation
• Backup/recovery
• Revocation
• Destruction

The key management system (KMS) also maintains audit logs to keep track of the keys for security and compliance purposes.

A KMS is generally backed up by a Hardware Security Module (HSM) so that the keys managed by KMS are securely generated and protected.

In a heterogeneous environment, KMS should seamlessly integrate and communicate with external key stores, HSMs, etc., to effectively manage the key lifecycle for the systems/applications that use the keys.

According to the Ponemon Institute and Entrust ‘Global encryption report 2022’ study, 59% of respondents rate 'key management' as very painful, which suggests respondents view managing keys as a very challenging activity. No clear ownership and lack of skilled personnel are the primary reasons why key management is painful.

With increasing digital exposure, expanding businesses, and hybrid cloud adoption, the number of keys and certificates across applications increases – making it necessary to have a centralized view for better control and management.

A KMS system provides an interface for a streamlined key lifecycle governance per the specified compliance standards like PCI DSS, FIPS, and HIPAA. It enables monitoring and control of all the keys and certificates in a secure central location, preventing unauthorized access. One can create and enforce security policies and track the validity of keys and certificates.

Examples of KMS (as a service on the cloud)

• AWS Key Management Service (AWS KMS)
• Google Cloud Key management
• Azure Key Vault

Drawbacks of Cloud KMS

• Cloud KMS may not necessarily support all the required compliance requirements. It needs to be selected as per the compliance need of the organization. KMS complies with FIPS 140-2 Level 1. But to comply with FIPS 140-2 Level 3, it should be backed with HSM.
• It introduces latency issues due to cryptographic operations.
• Vendor lock-in: By using Cloud KMS, you are completely dependent on the cloud service provider.
• Cryptographic keys are only useful as far as they are in safe hands. Encrypting data with unsecured keys always leaves room for data hacks.
  
  

However, the pros outweigh the cons. The key is to engage a robust KMS for a solid encryption strategy, securing the organization's sensitive data.

3. Tokenization

Tokenization is a method to convert PANs (Primary Account Numbers), PHI (Protected Health Information), PII (Personally Identifiable Information), and other sensitive data elements to a non-sensitive output referred to as a ‘token.’ The output ‘token’ is of the same length and format as the original data element.

*Example data, not actual tokenized value 

Traditional encryption solutions enlarge the data, requiring increased storage and significant database and program schema changes. Tokens use the same data formats, require no additional storage, and can pass validation checks.

As per the 2021 PANscan data analysis report, a year-on-year comparative analysis of users storing unencrypted data is below:

In the banking industry, the Payment Card Industry Data Security Standard (PCI DSS) requirements usually command or recommend that credit card information, which is sensitive by nature, is tokenized or encrypted when stored in databases. Storing unencrypted card data violates the PCI DSS requirement and makes it easier for hackers to steal data.

In this context, tokenization helps reduce PCI scope as card information is not stored in its original format but rather as tokens that are useless for hackers. Any breach of a tokenized environment will not compromise the original sensitive data.

How tokenization works

Below is the step-by-step process during the payment:

1.  A credit card is presented at a POS machine or entered at an e-commerce platform.
2.  The POS machine (or e-commerce site) passes the Primary Account Numbers (PAN) to the credit card tokenization system.
3.  The tokenization system generates a token mapped to the PAN or retrieves the associated token (if it has already been created) and records the correlation in the data vault.
4.  The tokenization system returns the token to the POS terminal (or e-commerce site) and is used to represent the customer’s credit card in the system.
5.  If the business is using a payment processor’s tokenization solution, the token is sent to the payment processor that can de-tokenize and view the original credit card number and process the payment.
6.  If the organization is using a third-party tokenization solution, the token is sent to the third party, who then de-tokenizes it and sends it to the payment processor for credit card processing.

There is no key or algorithm that can be used to derive the original data for a token. Instead, tokenization uses a token vault database, which stores the relationship between the sensitive value and the token. The real data in the vault is then secured, often via encryption.

Examples of tokenization

Cloud services like AWS Comprehend and AWS Macie allow users to identify PII and other sensitive data, and provide flexibility to take the required action for protection (like tokenization, encryption, etc.) or utilize the data for further analysis (legal briefs, financial statements. etc.).

Another example is Google DLP (Data Loss prevention service), which helps scan, classify, and protect sensitive data by masking or tokenizing.

Limitations of tokenization

In the case of tokenization, there are a few points to highlight:

• In high-volume operations, if the tokenization algorithm is not applied properly, then it may lead to a token collision. Token collision is caused when tokenization solutions assign the same token to two separate pieces of data.
• Tokenization may not be effective for unstructured text data, such as social media posts or product reviews.
• Tokenization alone can’t ensure security; protecting and safeguarding tokenized data is equally crucial. Tokenization requires the storage of both tokens and their corresponding sensitive information in secure databases. With the increasing volume of data, it becomes difficult to manage the token database.
• Integration with third-party systems supporting tokenization can also be challenging.

Reserve Bank of India (RBI), India's central bank and regulatory body responsible for regulating the Indian banking system, directed authorized card payment networks to enable and offer card tokenization services by 30th Sep 2022. Since then, the tokenization facility has been available across all the payment platforms in India. Users still have the option to skip tokenization — in this case, their card details are not stored, and they must manually enter card details during each payment transaction.

Tokenization can replace data of all credit and debit cards used online, at point-of-sales, and in-app transactions, with unique tokens. This layer of security is expected to enhance the digital payment experience of users.

The rise of quantum computing

Can a quantum computer crack the current cryptographic defense?

Quantum computing has come a long way from being a mere theoretical concept to working models with tremendous computing capabilities. There's an ongoing discussion that the computing power offered by a quantum computer poses a threat to current cryptography algorithms.

Well, with the current quantum computers – this seems highly unlikely. Scientists are working on what is called Post Quantum Cryptography (PQC). It is aimed not just at developing new standards that can secure against the unforeseen quantum threat but also at providing a pathway for implementation of PQC standards supporting the current digital setup.

End note

We have touched on just a few topics under the cryptography domain, there is still much more to be explored. Cloud service providers extend options and flexibility to search, select, and implement suitable data security/encryption services with a click of a button.

With data being the new gold and ever-evolving digital threats, it becomes necessary to adapt, implement and upgrade to stringent security protocols. Agility is the key, and being agile with data security advancement is the need of the hour.

Do you want to implement and strengthen your security needs but are not sure how?

Nagarro can help identify vulnerabilities and suggest appropriate measures to counter digital threats. Let’s connect!