ISO 27799:2016

Regulation summary

Among the best practices called for in ISO 27799 are:

• Data access controls, including management of privileged access
• Cryptographic control of sensitive data
• Management and protection of encryption keys
• Recording and archiving “all significant events concerning the use and management of user identities and secret authentication information” and protecting those records from “tampering and unauthorised access”.

Compliance summary

Thales can help you meet the standards in ISO 27799:2016 through:

• Sensitive data discovery and classification
• Access controls that let only credentialled users retrieve data
• Encrypting or tokenising data so that if it is stolen, it is meaningless and therefore useless to cybercriminals
• Centrally managing and securely storing encryption keys from across your organisation
• Protected security intelligence logs to identify irregular access patterns and breaches in progress

Data discovery and classification

The first step in protecting sensitive data is finding the data wherever it is in the organisation, classifying it as sensitive and typing it (e.g. PII, financial, IP, HHI, customer-confidential, etc.) so you can apply the most appropriate data protection techniques. It is also important to monitor and assess data regularly to ensure new data isn’t overlooked and your organisation does not fall out of compliance.

Thales’s CipherTrust Data Discovery and Classification efficiently identifies structured as well as unstructured sensitive data on-premises and in the cloud. Supporting both agentless and agent-based deployment models, the solution provides built-in templates that enable rapid identification of regulated data, highlight security risks and help you uncover compliance gaps. A streamlined workflow exposes security blind spots and reduces remediation time. Detailed reporting supports compliance programs and facilitates executive communication.

Strong access management and authentication

Thales Access Management and Authentication solutions provide both the security mechanisms and reporting capabilities organisations need to comply with data security regulations. Our solutions protect sensitive data by enforcing the appropriate access controls when users log into applications that store sensitive data. By supporting a broad range of authentication methods and policy-driven role-based access, our solutions help enterprises mitigate the risk of data breach due to compromised or stolen credentials or through insider credential abuse.

Support for smart single sign on and step-up authentication allows organisations to optimise convenience for end users, ensuring they only need to authenticate when needed. Extensive reporting allows businesses to produce a detailed audit trail of all access and authentication events, so they can prove compliance with a broad range of regulations.

Protection of sensitive data at rest

The CipherTrust Data Security Platform is an integrated suite of data-centric security products and solutions that unify data discovery, protection, control, and access monitoring in one platform.

• Discover: An organisation must be able to discover data wherever it resides and classify it. This data can be in many forms: files, databases and big data, and it can rest across storage on premises, in clouds and across back-ups. Data security and compliance starts with finding exposed sensitive data before hackers and auditors. The CipherTrust Data Security Platform enables organisations to get complete visibility into sensitive data on-premises and in the cloud with efficient data discovery, classification and risk analysis.
• Protect: Once an organisation knows where its sensitive data is, protective measures such as encryption or tokenisation can be applied. For encryption and tokenisation to successfully secure sensitive data, the cryptographic keys themselves must be secured, managed and controlled by the organisation. The CipherTrust Data Security Platform provides comprehensive data security capabilities, including file-level encryption with access controls, application-layer encryption, database encryption, static data masking, vaultless tokenisation with policy-based dynamic data masking and vaulted tokenisation to support a wide range of data protection use cases.
• Control: The organisation needs to control access to its data and centralise key management. Every data security regulation and mandate requires organisations to be able to monitor, detect, control and report on authorised and unauthorised access to data and encryption keys. The CipherTrust Data Security Platform delivers robust enterprise key management across multiple cloud service providers (CSP) and hybrid cloud environments to centrally manage encryption keys and configure security policies so organisations can control and protect sensitive data in the cloud, on-premises and across hybrid environments.
• Monitor: Finally, the enterprise needs to monitor access to sensitive data to identify ongoing or recent attacks from malicious insiders, privileged users, APTs and other cyberthreats. CipherTrust Security Intelligence logs and reports streamline compliance reporting and speed threat detection using leading Security Information and Event Management (SIEM) systems. The solution allows immediate automated escalation and response to unauthorised access attempts and provides all the data needed to build behavioural patterns required to identify suspicious usage by authorised users.

Protection of sensitive data in motion

Thales High Speed Encryptors (HSEs) provide network independent data-in-motion encryption (Layers 2, 3, and 4) ensuring data is secure as it moves from site-to-site, or from on-premises to the cloud and back. Our HSE solutions allow customers to better protect data, video, voice and metadata from eavesdropping, surveillance and overt and covert interception — all at an affordable cost and without performance compromise.

Protection of cryptographic keys

Luna HSMs from Thales provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more. Available in three FIPS 140-2 certified form factors, Luna HSMs support a variety of deployment scenarios.

In addition, Luna HSMs:

• Generate and protect root and certificate authority (CA) keys, providing support for PKIs across a variety of use cases
• Sign your application code so you can ensure that your software remains secure, unaltered and authentic
• Create digital certificates for credentialing and authenticating proprietary electronic devices for IoT applications and other network deployments