bigstock-Isometric-Cloud-Computing-Conc-243793318-Converted-01

Setting Up Your Own Secure File Server: A Primer

by EncryptionFile Server

Take Your Files with You

Just as the world never stops turning, our operations remain in constant motion. They take us on the road, in the air, and over the sea. We bundle up our technology and bring it with us so we can continue working, and no matter which types of tech we take along, one thing is always needed: our files. A secure file server can make all the difference.

Of course, you could take a thumb drive with your files wherever you go, but everyone knows how risky that is. Misplace the drive and your documents will most likely find a new life in dark places on the Internet where all sorts of bad things can result. Or, at the very least, multiple versions of the documents will be created, leading to version control confusion (i.e., you won’t know which version is the most recently updated and accurate).

The only answer is to have an online file repository where you can access your files, without creating and carrying around multiple copies. But which method is the best to create a secure file server?

Host your own secure file server

Cloud Storage Thunderstorms

The fastest way to give your files the gift of remote access is to upload them to a cloud storage server operated by one company or another. We won’t name cloud storage companies because for many, they are viable options for file storage. However, we will mention some of the potential security risks these cloud storage companies, as a whole, represent.

  • Lack of Crypto-Key Control – In simplistic terms, when files are encrypted, keys are created to encrypt and decrypt the files. If you don’t have the key, you can’t see the file. The problem with some cloud storage providers is they maintain ownership of the encryption keys, which means if the service was hacked, the hackers would have control over the encryption keys to your files.
  • Lack of Any Security Control – When you sign up for a cloud storage provider, they have their own methods of cybersecurity in place. You don’t have a say in what encryption they use, for example, or any other security features. In short, you are trusting their cybersecurity team with all your data.
  • Data Sharing – Sometimes cloud storage providers have shared data (or, at least, metadata) with third parties. When security is a prime concern, the sharing of any data about your data or your organization is potentially very harmful.
  • Shared Server Storage – When you upload files to a cloud storage provider, your files are stored on a section of one of their massive servers. If the file server gets hacked via another customer’s account, once again, the hackers can gain access to your files since they reside on the same server.

Host your own secure file server

Host Your Own Secure File Server

The easiest way to take total control over your file server needs is to set up your own. Though that might sound daunting, it is actually pretty simple. Plus, there are multiple manners of file sharing you can use. Here are a few:

  • NAS (Network Attached Storage) – NAS is one of the easiest ways to build a secure server, but it is reliant on you having the proper type of router. Some routers have USB ports for storage. Plug in a thumb drive, configure a few settings, and you’re the proud owner of a private server!
  • FTP (File Transfer Protocol) – FTP has been around for almost as long as the Internet. While it’s not exactly what you imagine when you think of a cloud server, FTP servers can be used to easily transfer large files. You can even add security measures to FTP. Use SFTP (Secure File Transfer Protocol) and you’ll be using SSH to protect the transmission of your files. Or, use FTPS (File Transfer Protocol Secure) which give you TLS encryption for data transmission.
  • HFS (HTTP File Server) – HFS is another protocol which has been around for some time. It can be set up quickly which is great for inexperienced users yet has tons of customizable options for the more advanced users.

The most important part, after you’ve determined the type of private server you plan to run, is to explore security options. You’ll need to do it all yourself (as compared to a cloud storage provider) but, as previously stated, you’ll have full control over your security. You can make sure your security measures are always up to date, your software properly patched, and access to your files exactly as controlled as you desire.

To learn more how Fognigma, our leading-edge enterprise software solution, can take your protected, online-accessible file storage to the next level, contact us today.

malware to vdi

The Problem with Old Encryption Methods

by CybersecurityEncryptionFognigma

Encryption is Vital

Mission success depends on organizational data and communications staying protected. It behooves organizations, therefore, to shroud their comms and data with encryption. So why don’t they? Why don’t organizations and agencies rush out and implement at least some form of encryption? Why don’t they make encryption a top priority? Well, it’s not as easy as just pressing a button, but perhaps not for the reasons you think. Let’s examine encryption, some of the things that prevent organizations from adopting it, and some of the disasters that can occur without it.

 

Encryption is Nothing New

As soon as the first person had a secret they wanted to tell another, without the whole world knowing, encryption was born. (We’ve covered some of this before in our blog about Dual Encryption. Take a read for some extra background into the history of encryption.) Encryption of one form or another has been used to protect trade secrets, important communications, and military intelligence.

All encryption is based on ciphers — rules of reorganizing the information so its actual meaning is hidden from anyone who doesn’t know the rules. In a simplistic model, the ciphers work with special keys to lock up the data, and the same key (symmetric encryption) or a different key (asymmetric encryption) unlocks the data and allows it to be deciphered.

Since encryption was first born, however, others have been working hard at breaking encryption. And so, encryption methods have grown more and more complex. The current accepted standard of encryption is AES-256 encryption which creates digital keys 256 characters long. Brute force (i.e., guessing all random combinations) a number that size would take a billion times longer than the age of the universe.

So, encryption has been around a long time, which brings the question again: Why aren’t organizations adopting encryption for all their data and communications?

Encryption Costs Time

Encryption doesn’t just happen. A method must be chosen, procedures must be implemented, users must be trained, and then everyone actually needs to use the encryption. All this disruption to the current way of doing things takes time. Lots and lots of time, especially the “everyone actually using it” part.

Encryption adds extra steps to workflow and users are notorious for going around company policy if it slows down their work. A new report from Symphony Communication Services shows 24% report they are “aware of IT security guidelines yet are not following them;” “27% knowingly connect to an unsecure network;” and “25% share confidential information through [unsecure] collaboration platforms.”

This is very troublesome when incorporating encryption into your organization. For encryption to protect properly, everyone needs to be using it instead of finding ways around it. A report by the Government Business Council showed that of those Defense employees who admit to using their personal devices to conduct agency work, 94% say their devices have not been approved by the agency. Once again, more evidence that users are choosing convenience over security—choosing to save time over protecting the organization. Time, then, is the true cost (and problem) with old encryption methods.

Automated Encryption is the Future

In the future, encryption will be easier for organizations to adopt because it will all be handled behind the scenes. You’ll simply log in to a program (which will handle all the key exchanges and encryption/decryption) and let it run in the background. You will then be able to send encrypted messages as easy as sending a regular chat message—no extra steps needed. You’ll be able to encrypt files that only the specific users you selected will be able to open (even if the user is just yourself). And this encryption will be available on desktop and mobile devices, all working together to ensure your organization’s encryption.

Think that sounds like a pipe dream? Too good to be true? Too far out in the future? What if we told you the future was in the final stage of development and testing, and will be ready for release very soon? It has a name: Conclave. It has a purpose: to make sure you use encryption and protect your organization without all the extra steps. To learn how our automated encryption solutions can help secure your data, users, and organization, please contact us today!

Dual Encryption Methods

Dual Encryption Matters

by Encryption

Why Encryption?

Encryption is, quite simply, a means of ensuring your information remains your (and only your) information. It disrupts the “mind your own business” adage by attempting to make it impossible for others to mind your business. Tracing the trail of encryption (or cryptography, as they were almost synonyms until more recently as encryption has become digital) back through time, some of the very earliest encryption was used to protect military orders. This isn’t surprising, as an effective military must keep its movements secret from the enemy. The Arabs, Greeks, Romans—almost all the cultures of the ancient world, in fact—used encryption in some form, though the Arabs are thought to be the first to document the subject. Military secrets needed to remain secret.

In his history of cryptography and encryption, The Codebreakers, David Kahn describes a 3″ x 2″ tablet from around 1500 B.C. This Mesopotamian tablet described the earliest known formula for making pottery glazes, protected with a cipher to safeguard trade secrets. Information was protected with encryption.

Fast-forward through time. More people in the world meant more secrets. Religions split and collided. Sciences grew, hid, grew more, and blossomed. And during all these changes and growth spurts, information about many topics had to be kept hidden from some group or another.

Today, information is just as valuable as ever and, since there is more of it and it is more accessible, protecting information has become a job in itself. Therefore, we encrypt to protect our organizations, our intellectual property, our families, our country, and, most importantly, our security.

 

But Really, Why Encryption?

We know there is information we need to protect, but is that the only reason we encrypt things? Nope! The tree of encryption bears three other fruits: authentication, integrity, and nonrepudiation.

Authentication refers to proving the sender is who they say they are. This is simple to picture. If you receive an encrypted message from someone and it’s using the encryption you both previously decided on, then you know the person sending you the message is the person you think it is. By using encryption, the sender has provided some proof of their identity or, at least, their authority to send an encrypted message.

Dual Encryption Methods

Integrity provides assurance that the information hasn’t been altered. Again, this is simple to picture: if you take a piece of data, encrypt it, and then decrypt it, you will have the same piece of data. If anything happens to that data, it won’t decrypt properly, and you’ll have a mess of random characters. If you have a mess, you know the integrity of the information has been compromised.

Nonrepudiation is a fun word that means the sender can’t say they didn’t send the information. If only two people have the encryption keys and information is encrypted using those keys (and assuming the receiver didn’t send it to themselves), then the sender is the sender. If the sender says they didn’t send it, the fact that the encryption was used proves they did. That is, the sender is unable to repudiate (or disavow) they sent the information.

 

Dual Encryption Matters

So, your information is protected with encryption, which is great. But what if someone breaks that encryption? One virtual lock picked, and your information is now in peril. Perhaps the easiest way to visualize this is a door with both a door lock and deadbolt. Any attempted intrusion has to bypass both locks before the door can be opened. By using two levels of encryption, information is safeguarded against a single point of failure.

encryption methods to protect devices

Encryption should ensure the amount of time required to defeat the encryption is longer than the amount of time the data is of value and required to be secure. With AES-256 encryption, the current accepted standard, block lengths support 256 bits from which to create a key. Imagine guessing an ATM pin that was 256 characters long and the variations that it could contain. That’s a lot of really long numbers.

To put this in another context, breaking a symmetric 256-bit key by brute force would theoretically take longer than our universe has existed—multiplied by a billion. Now imagine two layers of AES-256 encryption and you can see why dual encryption matters: having to brute force through two layers of such a tough encryption standard borders on statistically impossible.

 

Two Heads are Better than One

Most cryptographic solutions make use of a single software library to provide encryption and decryption of data. A single software library does give you encryption, true, but also comes with the risk that in the event of a zero-day compromise of the library, the entire encryption fails.

To combat this single point of compromise, Fognigma (our enterprise software solution which gives organizations the power to build encrypted, invisible, and anonymized cloud-based networks, thus securing your communications and online activities) offers the ability to add in a completely separate secondary software library to dual layers of encryption. In the event of a zero-day exploit or other compromise of one library, the second library remains uncompromised and your data remains safe.

In addition to the standard versions of these libraries (OpenSSL and wolfSSL), Fognigma also offer a FIPS 140-2 validated version of each library (OpenSSL – Certificate #3284; wolfSSL’s wolfCrypt – Certificate #2425).  By using one or both of these FIPS-certified cryptographic libraries, Fognigma can comply with the most rigorous regulatory requirements.

Dual layers of encryption. Dual software libraries. Fognigma is ready to give you the power to protect everything your organization holds dear. Contact us today to learn more or to schedule a demo.