White Papers
The following papers and articles are available to provide information about concepts, technologies and issues related to data-protection.
-
A StrongAuth, Inc. white-paper
This white-paper presents an architecture for building the next generation of web-applications. This architecture allows you to leverage emerging technologies such as cloud-computing, cloud-storage and enterprise key-management (EKM) to derive benefits such as lower costs, faster time-to-market and immense scalability with smaller investments – while proving compliance to PCI-DSS, HIPAA/HITECH and similar data-security regulations. We call this Regulatory Compliant Cloud Computing, or RC3.
-
A StrongAuth, Inc. white-paper
The Payment Card Industry (PCI) Security Standards Council recently released the Data Security Standard (DSS) version 1.2 on October 01, 2008. StrongAuth, Inc. analyzes the Encryption and Key Management requirements from the DSS and presents what covered entities must do in this white-paper.
-
Published in the ABA SciTech Lawyer, Volume 5 Issue 1, Summer 2008
Selected as one of The Best Articles Published by the ABA
In 2003, California passed Senate Bill 1386, requiring companies to report breaches of computerized systems resulting in access to sensitive information about a California resident. With the subsequent passage of similar laws in nearly 40 other U.S. states, it is now evident that our computer infrastructure is far more porous than we previously imagined.
-
Published in the NIST IDTrust 2008 conference, March 2008
Since the dawn of computing, operating systems and applications have used many schemes to identify and authenticate entities accessing resources within computers. While the technologies and schemes have varied, there appears to have been little attempt to classify them based on their ability to resist attacks from unauthorized entities. With the proliferation of identity management technologies in the market today, it is becoming increasingly difficult to assess and compare them with each other. As the threat level continues to rise on the internet, and regulations governing information technology continue to grow, risk managers need more objective mechanisms to assign risk to their systems so they may apply appropriate mitigating controls. This paper attempts to describe a classification scheme that will permit the comparison of seemingly different identification and authentication (I&A) technologies on the basis of their vulnerability to attacks. With a better understanding of related authentication technologies, companies can determine the appropriate technology to use for mitigating authentication risks.
-
Published in the ISSA Journal, February 2007
Most security professionals are familiar with symmetric key-based cryptography when presented with terms such as Data Encryption Standard (DES), Triple DES (3DES) and the Advanced Encryption Standard (AES). Some are also familiar with Public Key Infrastructure (PKI) as an enterprise-level solution for managing the life-cycle of digital certificates used with asymmetric-key cryptography. However, the term Symmetric Key Management System (SKMS) – which refers to the discipline of securely generating, escrowing, managing, providing access to, and destroying symmetric encryption keys – will almost always draw blank stares.
-
Published in the ISSA Journal, September 2005
Contrary to what you might have heard, or read in the Information Technology (IT) press, companies have built Public Key Infrastructures (PKI) successfully, and use them daily to solve day-to-day business problems. What is little known, however, is the magic potion these companies used to make their PKIs successful. This paper will attempt to demystify some of that magic and provide you guidance that can help you navigate the pitfalls as you deploy your PKI.
-
Published in the ISSA Journal, May 2003
Businesses need to address SB 1386 compliance effectively by implementing this four-part solution. This document presents an overview of what companies need to address when putting their SB 1386 compliance infrastructure together.
-
For those interested in understanding some simple mechanics of how digital certificates work, why they are necessary and how they can protect you, a good introductory paper can be found at this link.