November 2020

This month:

  • Cloud KMS offerings from the 'big 3' CSPs
  • Capital One hit with an $80M fine
  • FedRAMP audits made easier
  • PCI-DSS V4.0 is coming

Cloud KMS - Comparing the 'big 3' CSPs
In a recent webinar series, we took a closer look at the KMSs offered by Google, AWS and Azure, investigating how the services differ and what impact that might have on someone wishing to deploy a multi-cloud solution. But what if you don't want to (or can't) use the CSP's KMS? Alternative solutions abound, including cloud HSMs and other third-party cryptography services. In Part 2 of the series we focussed on why you might consider using a KMS alternative in your cloud deployment, how to choose one, and how to adopt it securely. Both of these webinars are available to rewatch on-demand.

On a related subject we asked our CEO Dr. Graham Steel to answer one of your most frequently asked questions: Are my encryption keys in the cloud really secure?

Capital One - Another $80M to pay for the 2019 Breach
The Office of the Comptroller of the Currency has hit Capital One with an $80M fine as a result of last year's cloud data protection failure. Capital One’s internal auditors reportedly “failed to identify numerous control weaknesses and gaps in the cloud operating environment” in the years after the bank began migrating data to the cloud in 2015.

FedRAMP Audits Made Easier
FedRAMP requires you to use FIPS 140-2 validated modules wherever cryptography is needed. This can be difficult to demonstrate to auditors. Fortunately, you no longer have to do this by hand: Cryptosense Analyzer can now detect whether your FIPS-validated module has been used in the right mode. It produces reports that enable you to export issues to developers or vendors for fixes, or submit to an auditor to show you are complying with the requirement.

PCI-DSS v4.0 is coming

The second RFC regarding the update to the PCI-DSS standard ends on Friday 13th November. The word on the street is that requirements on cryptography will be tightened; in particular, you'll have to show you have no self-signed certificates in use, and you'll need to show you have a key inventory. Version 4.0 is due to be released in Q2 2021. To prepare, we have been improving the key inventory capabilities inside Cryptosense Analyzer. If you'd like a pre-release demo, let us know.

That's all for this month. If we missed anything noteworthy, please let us know.

Best,
Graham and the Cryptosense Team