IT-Security

IT-Security

In order to protect confidentiality, integrity and availability of information, the following aspects must be taken into account:

  • Authentication and access control
  • Encryption
  • Firewalls and IDS/IPS
  • Security policies and training
  • Patching and regular updates
  • Disaster recovery and business continuity planning
  • Physical security

We support you in designing suitable security measures and in selecting and integrating the optimal solution.

Post Quantum Cryptography (PQC)

Classic cryptographic algorithms could become insecure once quantum computers become available. To be prepared, post-quantum algorithms have been developed and standardised by NIST.

Threat model: Harvest & Decrypt attack

The attack consists of two phases:

  • Phase 1: Collect large amounts of encrypted data that are relevant for a long-term attack.
  • Phase 2: Decrypt the collected data as soon as the technology, i.e. the development of quantum computers on a large scale, is sufficiently advanced.

Currently recommended measures:

  • Crypto Agility: Preparation for the flexible replacement of crypto algorithms, including PQC.
  • Crypto Inventory: Inventory and prioritisation of use cases in terms of protection requirements, encryption methods used and network environments.

We analyse needs and business requirements and coordinate workshops with decision-makers. Using agile methods and tools such as Jira and Confluence, we document results to optimally prepare companies for PQC.

Selected IT-Security Projects

 Set-up and ISO Certification of a Secure Email System

By default, emails are not designed for confidential communication. In order to achieve that, a genuine end-to-end encryption without access by the platform operator is required as well as ensuring the identity of all communication partners.

Steps taken:

  1. Analysis of IT security policies and creation of project documentation (ISMS, instructions, training documents).
  2. Conducting awareness training and reviewing the security requirements.
  3. Analysis of requirements for ISO 27001 certification based BSI Grundschutz.
  4. Identification and elimination of gaps.
  5. Creation of missing security concepts.
  6. Modelling of the information network.
  7. Answering the self-assessment and coordinating interviews .
  8. Accompanying official audits as a security architect.

In addition to a holistic view of all security aspects, ISO certification as "certified security" offers marketing and competitive advantages.

 Selection of Vendor for Secrets Management System

Numerous user credentials (database passwords, SSH keys, certificates, etc.) are hardcoded in source code, configuration files and documentation systems, even for production environments (on-premise or in the cloud). These are accessible to all users of the internal network, provided they have access to source code repositories or the cloud infrastructure. This poses a significant security risk that should be reduced by a centralised secrets management system.

Our contribution:

  • Support and evaluation of an RfP for product selection.
  • Design and implementation of a PoC.
  • Checking the implementation of the security requirements.
  • Supporting the customer in product selection.
  • Creation of project documentation, e.g
    • Architecture design
    • Business case
    • Vendor risk management process documentation

A holistic Secrets Management System reduces both risks for the company and effort on the developer side.

 Exception Management for Data Loss Prevention

Data Loss Prevention (DLP) protects against data loss through unauthorised copies or unintentional forwarding of emails. With business justification, employees can apply for exceptions so that their work is not impaired.

Our contribution:

  • Recording and categorisation of all DLP exceptions.
  • Analysis and removal of irrelevant exceptions in coordination with the customer.
  • Documentation of permitted exceptions in collaboration with business units and divisional CISOs.
  • Permission to copy important data to USB sticks in the absence of alternatives.
  • Extension of positive lists for web uploads in the event of regulatory requirements.

Data Loss Prevention prevention in the company has been strengthened without risking critical outages for the company.

„The whole is more than the sum of its parts.”

Aristotle

Further IT-Security Services

 HSM Administration

We configure and administer Hardware Security Modules (HSM) for PKI infrastructures in case you want to keep your key management on-prem.

  • Configuration and administration of network HSMs including role concept.
  • Creation of HSM-protected key material for PKI infrastructures.
  • Connection of PKI software to HSMs.
  • Experience with both nCipher and SafeNet Luna (Thales) HSMs.

 Crypto Consulting

As security architects, we support software teams integrating IT security throughout the entire development process - from design to go-live.

  • Analysing complex IT architectures and evaluating them from the perspective of a security architect.
  • Support and advice for development teams on application security issues.
  • Expertise in the field of applied cryptography: TLS, key and certificate management, authentication, identity and access management.
  • Creation of blueprints and best practices as a reference for development teams.
  • Support in the selection of vendor products: Evaluation of software products at architecture level in the field of applied cryptography.