Welcome!

News Feed Item

i-Sprint’s Insights on ‘How to Avoid Heartbleed or Similar SSL Related Vulnerabilities’

i-Sprint Innovations (“i-Sprint”), a leading Identity, Credential and Access Management Solutions provider across Asia Pacific, provides insights on the latest disclosure of Heartbleed, an OpenSSL encryption bug, and how to avoid it and other similar SSL related vulnerabilities.

The emergence of the Heartbleed bug is yet another reminder of the security threats we continue to face. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names, passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and impersonate them.

This bug has resided in production software for more than two years and is described as "catastrophic" by leading security experts. The immediate solution is to identify affected systems, apply the fix and update the SSL certificates. Users also need to be informed to change their passwords and track misuse of the exposed information.

Even if the bug is patched today, there is no guarantee that a similar type of bug will not resurface or stay hidden in software undiscovered. Such vulnerability with similar impact could arise in the future from another SSL library or application product.

It also leads to the question of whether Secure Socket Layer (SSL) is sufficient to protect data confidentiality and the integrity of online transactions. How can enterprises manage the risk of data leakages in future through web services and convince their customers that their data is safe from eavesdroppers? Would it have been possible to have done something to mitigate the risk of such an event?

To prevent exposure of sensitive data even if SSL encryption is broken, enterprises need a strong data protection solution such as End-to-End Encryption (E2EE) to protect passwords and sensitive transaction of data. E2EE ensures that sensitive data stays encrypted even within the memory of vulnerable web or application servers. It offers protection to the Heartbleed type of bug as well as prevents insiders such as software developers or DBAs from leaking sensitive data accidentally or deliberately. In fact, both Monetary Authority of Singapore (MAS) and Hong Kong Monetary Authority (HKMA) have mandated financial institutions to adopt E2EE for protection of passwords as well as critical transaction data in the e-banking sites.

Like many financial institutions, organizations should adopt the same best practices to encrypt and send encrypted passwords and sensitive data over a communication channel in addition to the SSL protection. This can be done by using an encryption library and key data for data encryption at the point of entry (user desktop/smartphone) before submission to the server side. This data remains encrypted all the way to the web server and even the application server. The data may be decrypted at the application server, however in the case of passwords, they remain encrypted and are verified inside a Hardware Security Module (HSM). HSMs are cryptographic devices using tamper resistant hardware built to meet the FIPS standards. Thus, the passwords are encrypted from the point of entry to the point of comparison. Apart from mitigating against Heartbleed type of vulnerabilities, this ensures that nobody in the intranet has access to the password in clear during transit and storage, as well as protecting against internal fraud.

In summary, effective data protection requires a combination of layered security solutions and the right processes. Instead of relying only on SSL protection, organizations should look into implementing E2EE solutions at the application layer to protect their confidential information against the next web server vulnerability.

For questions on Heartbleed or how to be protected against it, please visit www.i-sprint.com or contact i-Sprint at [email protected].

i-Sprint’s Solutions

i-Sprint has its own unique brand of security products, intellectual properties and patents that are designed to exceed global financial services regulatory requirements. In order to capitalize the fast growing Identity, Credential and Access Management (ICAM) market, i-Sprint proactively delivers innovative product features via our product offerings in Identity Protection, Cloud Protection, Mobile Protection and Data Protection.

i-Sprint’s world leading security solutions include a proven and secure E2EE Authentication and Data Protection for convenient (Single Sign-On) and secure access to internet banking applications. i-Sprint’s solutions meets Internet Banking Security Guidelines from regulatory agencies in multiple countries; overcoming the security challenges of most internet and mobile banking solutions. i-Sprint delivers bank-grade versatile strong authentication (biometrics, multi-factor authentication and more) and token management platform to secure multiple application delivery environments (web, mobile and cloud) based on a common security platform.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
With more than 30 Kubernetes solutions in the marketplace, it's tempting to think Kubernetes and the vendor ecosystem has solved the problem of operationalizing containers at scale or of automatically managing the elasticity of the underlying infrastructure that these solutions need to be truly scalable. Far from it. There are at least six major pain points that companies experience when they try to deploy and run Kubernetes in their complex environments. In this presentation, the speaker will d...
While DevOps most critically and famously fosters collaboration, communication, and integration through cultural change, culture is more of an output than an input. In order to actively drive cultural evolution, organizations must make substantial organizational and process changes, and adopt new technologies, to encourage a DevOps culture. Moderated by Andi Mann, panelists discussed how to balance these three pillars of DevOps, where to focus attention (and resources), where organizations might...
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
When building large, cloud-based applications that operate at a high scale, it's important to maintain a high availability and resilience to failures. In order to do that, you must be tolerant of failures, even in light of failures in other areas of your application. "Fly two mistakes high" is an old adage in the radio control airplane hobby. It means, fly high enough so that if you make a mistake, you can continue flying with room to still make mistakes. In his session at 18th Cloud Expo, Le...
Machine learning has taken residence at our cities' cores and now we can finally have "smart cities." Cities are a collection of buildings made to provide the structure and safety necessary for people to function, create and survive. Buildings are a pool of ever-changing performance data from large automated systems such as heating and cooling to the people that live and work within them. Through machine learning, buildings can optimize performance, reduce costs, and improve occupant comfort by ...
As Cybric's Chief Technology Officer, Mike D. Kail is responsible for the strategic vision and technical direction of the platform. Prior to founding Cybric, Mike was Yahoo's CIO and SVP of Infrastructure, where he led the IT and Data Center functions for the company. He has more than 24 years of IT Operations experience with a focus on highly-scalable architectures.
CI/CD is conceptually straightforward, yet often technically intricate to implement since it requires time and opportunities to develop intimate understanding on not only DevOps processes and operations, but likely product integrations with multiple platforms. This session intends to bridge the gap by offering an intense learning experience while witnessing the processes and operations to build from zero to a simple, yet functional CI/CD pipeline integrated with Jenkins, Github, Docker and Azure...
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Dhiraj Sehgal works in Delphix's product and solution organization. His focus has been DevOps, DataOps, private cloud and datacenters customers, technologies and products. He has wealth of experience in cloud focused and virtualized technologies ranging from compute, networking to storage. He has spoken at Cloud Expo for last 3 years now in New York and Santa Clara.
Enterprises are striving to become digital businesses for differentiated innovation and customer-centricity. Traditionally, they focused on digitizing processes and paper workflow. To be a disruptor and compete against new players, they need to gain insight into business data and innovate at scale. Cloud and cognitive technologies can help them leverage hidden data in SAP/ERP systems to fuel their businesses to accelerate digital transformation success.
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple cloud provider environments. Yet, despite this portability promise, developers may include configuration and application definitions that constrain or even eliminate application portability. In this session we'll describe best practices for "configuration as code" in a Kubernetes environment. We will demonstrate how a properly constructed containerized app can be deployed to both Amazon and Azure ...
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.