StratoKey is a security gateway designed to Protect, Analyze, Monitor and Defend your applications. Sitting between you and your cloud, SaaS and Web apps, StratoKey automatically acts to defeat threats without fatiguing administrators.
StratoKey provides the infrastructure to ensure the most stringent Data Residency mandates are met.
What is Data Residency?
Data Residency requirements generally state that sensitive data must not be stored on remote servers outside the country or state of residency. This can be problematic for users of cloud services, and more generally of web applications, because remote hosting is inherent in practically every external cloud or web application. StratoKey provides a solution to help organizations meet stringent Data Residency requirements.
StratoKey Data Residency Compliance
Encryption: Data-level encryption is performed seamlessly by StratoKey. This encryption ensures that your data is protected before it ever reaches remote applications or cloud infrastructure. When data is encrypted with strong encryption, many data residency concerns fall away: it is not uncommon for Data Residency laws or standards to include an exception permitting encrypted data to be stored on non-resident servers. Whether such an exception applies depends on the wording of the mandate and on the encryption keys remaining with the organization rather than with the remote provider, so confirm the specific requirement rather than assuming it.
Encrypting Data at Rest in Cloud Databases
Database-as-a-service offerings that encrypt data at rest typically do so transparently, with the provider holding the keys, so the database still returns plaintext to any query that passes its access controls; others protect data in transit with SSL/TLS but do not encrypt data at rest at all. StratoKey provides this crucial, separately keyed layer of encryption for data at rest. Relevant data passing through the StratoKey encryption gateway is encrypted prior to reaching any remote application or database. When using StratoKey, the only data that resides unencrypted in a "data at rest" state is data you deem non-confidential.
Cloud Encryption Solution
StratoKey provides a complete cloud encryption solution for organizations looking to utilize or move services and applications into the cloud. StratoKey uses industry-standard ciphers, the Advanced Encryption Standard (AES) and Twofish, together with Format Preserving Encryption to secure data in the cloud.
Flexible Encryption Model
StratoKey provides flexibility in configuring how information will be encrypted in your cloud or SaaS application. This flexible approach allows organizations to select and match encryption strength to data confidentiality. This model allows for a mixed encryption strategy which has significant benefits in terms of preserving application functionality whilst utilizing strong encryption where appropriate. For detailed information on how StratoKey works please see How StratoKey Works.
Encryption Strategies Utilized by StratoKey
High-strength Encryption: StratoKey supports multiple high-strength encryption algorithms such as AES with a choice of 128-bit or 256-bit keys. The AES implementation in StratoKey is provided by a FIPS 140-2 validated module. Twofish is also supported in StratoKey as an alternative to AES.
Format Preserving Encryption (FPE): Format Preserving Encryption is an encryption mechanism that preserves the format of information as it is encrypted: a 16-digit number encrypts to another 16-digit number. Generally speaking FPE is a lower-strength encryption when compared to standard AES, for two reasons worth understanding before relying on it. The ciphertext must fit the same format as the plaintext, so a small field (a four-digit value, say) has only a few thousand possible ciphertexts and can be tabulated by anyone who can push chosen values through the application and read what is stored. And because the same plaintext always produces the same ciphertext, equality between encrypted values is visible to anyone who can read the database. That determinism is also precisely what keeps the data searchable, which is why FPE is a crucial mechanism for encrypting data without losing application functionality. StratoKey has at least four different FPE implementations for administrators to choose from. These options include BPS and CSPEM, which conform with the proposed NIST standard (the draft of NIST SP 800-38G).
Secure Socket Layer (SSL): StratoKey communicates with users over SSL/TLS. This provides a secure channel for users sending sensitive data to StratoKey to be encrypted (or decrypted), and protects that channel against man-in-the-middle attacks provided the client validates the gateway's certificate; a client configured to accept any certificate gets no such protection.
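To make the FPE trade-off concrete, here is an added illustration. It is not StratoKey's FPE implementation and not a NIST-standard construction: a ten-round Feistel network over decimal strings with HMAC-SHA256 as the round function, with the key, the round count and the sample inputs all assumed for the example. It demonstrates the three properties discussed above: the ciphertext keeps the plaintext's length and alphabet, encryption is deterministic (so equality search works, and equality leaks), and a small-width field can be tabulated by an attacker who can submit chosen values and read the stored result, with no access to the key.

```python
import hashlib
import hmac
from typing import Callable, Dict

RADIX = 10   # decimal strings only
ROUNDS = 10  # assumed round count for the illustration; must be even for fpe_decrypt below

# Assumed key for the illustration only.
EXAMPLE_KEY = b"example-fpe-key-not-for-production"


def _round_function(key: bytes, round_index: int, half: str, modulus: int) -> int:
    """Feistel round function: HMAC-SHA256 over (round number, one half), reduced mod 10**m."""
    msg = bytes([round_index]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def _split_widths(digits: str):
    if len(digits) < 2 or any(ch not in "0123456789" for ch in digits):
        raise ValueError("input must be an ASCII decimal string of at least two digits")
    u = len(digits) // 2
    return u, len(digits) - u


def fpe_encrypt(key: bytes, digits: str) -> str:
    """Deterministic and format-preserving: output has the same length and alphabet as input."""
    u, v = _split_widths(digits)
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # width of the half being replaced in this round
        y = _round_function(key, i, b, RADIX ** m)
        c = (int(a) + y) % RADIX ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, digits: str) -> str:
    """Runs the rounds backwards; with an even ROUNDS the halves end in (u, v) order again."""
    u, v = _split_widths(digits)
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _round_function(key, i, a, RADIX ** m)
        c = (int(b) - y) % RADIX ** m
        a, b = str(c).zfill(m), a
    return a + b


def build_dictionary(encrypt_oracle: Callable[[str], str], width: int) -> Dict[str, str]:
    """Small-domain attack. The oracle models an attacker submitting chosen values through
    the application and reading what lands in the database. A width-digit field has only
    10**width plaintexts, so the whole mapping is tabulated without ever seeing the key,
    and any stored ciphertext of that width is then a dictionary lookup."""
    return {encrypt_oracle(str(p).zfill(width)): str(p).zfill(width)
            for p in range(RADIX ** width)}


if __name__ == "__main__":
    ct = fpe_encrypt(EXAMPLE_KEY, "4111111111111111")  # constructed sample value
    print(ct, fpe_decrypt(EXAMPLE_KEY, ct))
```

The `build_dictionary` step is the practical reading of "lower strength": for a two-digit field it takes 100 oracle calls, and no amount of key length changes that, because the ciphertext space is the plaintext space. Wider fields and a tweak (a per-record value mixed into the round function, as the NIST modes do) raise the cost; they do not remove the determinism that makes the field searchable.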
Securing Data at Rest
When considering overall application protection, serious thought must go towards data at rest. Many applications make use of database encryption to secure the database. The unfortunate Achilles' heel of database encryption is not what one would expect: it protects against theft of the physical database (disks, volumes, backups), and it is rare for a physical database to be stolen.
Data Breaches in Action.
When data breaches occur, the usual theft target is the data stored within the database, not the physical database. Data breaches generally stem from weak or stolen user credentials, insecure web applications, server misconfigurations and other vulnerabilities. These vulnerabilities can open the door for unfettered queries against a database. The database generally cannot distinguish between a legitimate query from the web application and an illegitimate query issued as a result of a security breach. The database is therefore none the wiser and serves rogue queries and requests with freshly decrypted data. StratoKey, however, offers distinct protection against these types of attack.
Layering Encryption to Secure Data at Rest
Whilst a database may provide data content to a rogue SQL query, StratoKey will still offer critical protection as the contents of the database will be encrypted. The database content can only be decrypted by passing back through the StratoKey gateway. The database itself has no mechanism to decrypt data encrypted by StratoKey. Essentially there are multiple layers of encryption in play: the database's own encryption (if configured) and StratoKey's separate encryption mechanism. This layering adds a significant level of security as more than one system must be compromised to obtain unencrypted data. The corollary is that the gateway and the keys it holds become the most valuable target in the deployment and must be protected and monitored accordingly; an attacker who can route requests through the gateway, or who obtains its keys, is not stopped by this layer.
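The following added example (not StratoKey's code) shows the layering argument end to end: a small gateway encrypts a sensitive column before the SQL reaches an in-memory SQLite database, a "rogue" direct query then returns only ciphertext, and the value is recoverable only by going back through the gateway. The field cipher is a stand-in built from HMAC-SHA256 (random per-value nonce, HMAC-derived keystream, HMAC tag over nonce and ciphertext) so the example runs on the Python standard library alone; a real gateway would use an AEAD such as AES-GCM from a vetted library. The table schema, the sensitive-column policy, the per-run random master key and the sample record are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import sqlite3


class FieldCipher:
    """Stand-in for the gateway's field cipher (encrypt-then-MAC from HMAC-SHA256).
    Not StratoKey's cipher; a production gateway would use AES-GCM or similar."""

    def __init__(self, master_key: bytes):
        self._enc_key = hmac.new(master_key, b"encrypt", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"authenticate", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks, counter = [], 0
        while 32 * len(blocks) < length:
            blocks.append(hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"),
                                   hashlib.sha256).digest())
            counter += 1
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: str) -> str:
        nonce = os.urandom(16)  # fresh per value: equal plaintexts give different ciphertexts
        data = plaintext.encode("utf-8")
        body = bytes(p ^ k for p, k in zip(data, self._keystream(nonce, len(data))))
        tag = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        return base64.b64encode(nonce + body + tag).decode("ascii")

    def decrypt(self, token: str) -> str:
        raw = base64.b64decode(token)
        nonce, body, tag = raw[:16], raw[16:-32], raw[-32:]
        expected = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("field ciphertext failed authentication")
        return bytes(c ^ k for c, k in zip(body, self._keystream(nonce, len(body)))).decode("utf-8")


class Gateway:
    """Sits between the application and the database. The sensitive-column policy
    is this example's own assumption, not a StratoKey configuration."""

    SENSITIVE_COLUMNS = {"ssn"}

    def __init__(self, conn: sqlite3.Connection, master_key: bytes):
        self.conn = conn
        self.cipher = FieldCipher(master_key)  # the key stays with the gateway, never the DB
        conn.execute("CREATE TABLE IF NOT EXISTS customers (name TEXT, ssn TEXT)")

    def insert_customer(self, name: str, ssn: str) -> None:
        row = {"name": name, "ssn": ssn}
        # Sensitive columns are encrypted here, before the SQL ever reaches the database.
        stored = {col: (self.cipher.encrypt(val) if col in self.SENSITIVE_COLUMNS else val)
                  for col, val in row.items()}
        self.conn.execute("INSERT INTO customers (name, ssn) VALUES (?, ?)",
                          (stored["name"], stored["ssn"]))

    def get_customer(self, name: str) -> dict:
        row = self.conn.execute("SELECT name, ssn FROM customers WHERE name = ?", (name,)).fetchone()
        return {"name": row[0], "ssn": self.cipher.decrypt(row[1])}


def rogue_query(conn: sqlite3.Connection) -> list:
    """What an attacker with direct SQL access (stolen credentials, injection) receives."""
    return conn.execute("SELECT name, ssn FROM customers").fetchall()


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    gateway = Gateway(conn, os.urandom(32))
    gateway.insert_customer("Ada", "123-45-6789")  # constructed sample record
    stored_name, stored_ssn = rogue_query(conn)[0]
    return {"stored_name": stored_name, "stored_ssn": stored_ssn,
            "via_gateway": gateway.get_customer("Ada")["ssn"]}


def tamper_is_detected() -> bool:
    """Flipping one stored ciphertext byte must be rejected, not decrypted to garbage."""
    cipher = FieldCipher(os.urandom(32))
    raw = bytearray(base64.b64decode(cipher.encrypt("123-45-6789")))
    raw[16] ^= 0x01  # first byte of the ciphertext body
    try:
        cipher.decrypt(base64.b64encode(bytes(raw)).decode("ascii"))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(demo())
```

Two things to notice: the non-sensitive `name` column is stored in the clear by policy, so the rogue query still learns it, and the `ssn` column uses a random nonce per value, so it cannot be searched for equality at the database (that is exactly the functionality FPE trades security for). The authentication tag matters as well: without it, an attacker with write access to the database could flip bits in stored ciphertexts and have the gateway hand back modified plaintext.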
Some Data-in-Transit coverage
Because StratoKey acts as a Security Gateway, there are some flow-on benefits for data in transit. When data travels from your web or cloud application to your users, content that is configured as "sensitive" will be encrypted by StratoKey. What this means is that from the point of your remote application to StratoKey, the sensitive content will be encrypted. If StratoKey is deployed behind your corporate firewall, this may well provide sufficient data-in-transit coverage for sensitive data stored in cloud and web applications. Note that only fields configured as sensitive are protected in this way; everything else on the connection, including session cookies and non-sensitive fields, travels in the clear unless the link is also encrypted. For complete coverage, connect StratoKey to your remote application over SSL/TLS so that the whole channel is encrypted.
Data Breach Prevention
StratoKey is a powerful front-line defender against data breaches. StratoKey encrypts your confidential data before it ever reaches the cloud. StratoKey does not stop at merely encrypting your data. A complete security interface is provided to monitor, notify and act in the event of nefarious activity. This crucial management interface is very important in identifying threats and taking preventative action to thwart attacks. StratoKey peers into usage, and monitors the security of your overall web application.
What is a Data Breach?
A data breach involves the release of secure/confidential data, whether intentional or otherwise. A recent study by the Ponemon Institute attributed 76% of data breaches to weak user access credentials (username/password).
StratoKey Strategies to Thwart Data Breaches
Encryption: StratoKey encrypts all sensitive data before it ever reaches remote web or cloud applications. By encrypting data, if the end application is ever compromised, the data revealed is encrypted and therefore of no use to the attacker, provided the keys held by the gateway are not exposed as well.
Strong user authentication: User authentication is typically the weak point of web and cloud applications. The issue with user authentication is the trade-off between strong security and ease of use (passwords one can remember). Most business application users have opted for ease of use, and hence weaker user credentials have been allowed to thrive in the name of productivity. StratoKey counters weak user credentials by layering its own user credential management with "machine keying". Machine keying is the term we use for understanding a user's individual digital footprint. This helps administrators take control of user access security and also provides an automated backstop in the event that a user's account is compromised.
Intelligent threat identification: StratoKey profiles web and cloud application users on an individual level. Using an array of techniques to understand users and their patterns provides a powerful data-driven engine for identifying threats. All user logging happens in the background and requires no user interaction or interference in user workflow. Understanding users is key to identifying threats and thwarting them without delay.
Active Countermeasures: When things go wrong, as they inevitably do from time to time, StratoKey is there on the front foot, taking action. StratoKey is pre-configured (and customizable) to act in a determined manner to counter, monitor and notify of inbound threats. The active countermeasures engine is key to acting against threats without delay. Active countermeasures are more than an application radar: they are the defensive actions StratoKey implements immediately, ranging from locking a single user account through to expelling all users and closing application access. The severity of the response is entirely configurable and customizable.
Real-time Threat Interface: Whilst StratoKey works in an automated manner, we also provide a Real-time Threat Interface. This interface is a cutting edge user interface that provides administrators with a direct management and monitoring interface. Administrators can monitor threats in real-time and also activate countermeasures and moderated responses to user events. The Real-time Threat Interface provides key insights into the activities in one's web or cloud applications.