AWS Key Management Service (KMS) makes it easy for you to create and manage keys and control the use of encryption across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs. FEATURES AWS Key Management Service (KMS) gives you centralized control over the encryption keys used to protect your data. AWS KMS is integrated with AWS services making it easy to encrypt data you store in these services and control access to the keys that decrypt it. AWS KMS is integrated with AWS CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when. AWS KMS also enables developers to easily add encryption functionality to their application code either directly through encrypt and decrypt service APIs or through its integration with the AWS Encryption SDK. Centralized Key Management AWS Key Management Service provides you with centralized control of your encryption keys. Customer master keys (CMKs) are used to control access to data encryption keys that encrypt and decrypt your data. You can create new master keys whenever you wish, and easily manage who has access to them and which services they can be used with. You can also import keys from your own key management infrastructure into AWS KMS or use keys stored in your AWS CloudHSM cluster and manage them from AWS KMS. You can manage your master keys and audit usage from the AWS Management Console or by using the AWS SDK or AWS Command Line Interface (CLI). The keys in AWS KMS, whether created within KMS, your CloudHSM cluster, or imported by you, are stored in highly durable storage in an encrypted format so that they can be used when needed. You can choose to have AWS KMS automatically rotate master keys created within KMS once per year without the need to re-encrypt data that has already been encrypted with your master key. You don’t need to keep track of older versions of your master keys as KMS keeps them available to decrypt previously encrypted data. AWS Service Integration AWS KMS is seamlessly integrated with most AWS services. This integration means that you can easily use KMS master keys to control the encryption of the data you store within these services. When deciding to encrypt data in a service, you can chose to use an AWS managed master key that is created in KMS for you automatically by that service. You can track the usage of the key but it is managed by the service on your behalf. If you need direct control over the lifecycle of a master key or wish to allow other accounts to use it, you can create and manage your own master keys that can be used on your behalf by AWS services. These customer managed master keys give you full control over the access permissions that determine who can use the key and under which conditions. Audit Capabilities If you have AWS CloudTrail enabled for your AWS account, each request you make to AWS KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled AWS CloudTrail. The information recorded includes details of the user, time, date, API action and, when relevant, the key used. Scalability, Durability, and High Availability AWS KMS is a fully managed service. As your use of encryption grows KMS automatically scales to meet your needs. AWS KMS enables you to manage thousands of master keys in your account and to use them whenever you want. AWS KMS defines default limits for number of keys and request rates, but you can request increased limits if necessary. The master keys you create in AWS KMS or ones that are created on your behalf by other AWS services cannot be exported from the serviced. Therefore KMS takes responsibility for their durability. To help ensure that your keys and your data is highly available, KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability. If you import keys into KMS, you maintain a secure copy of the master keys so that you can re-import them if they are not available when you need to use them. If you use the custom key store feature in KMS to create your master keys in an AWS CloudHSM cluster, encrypted copies of your keys are automatically backed up and you have full control over the recovery process. AWS KMS is designed to be a highly available service with a regional API endpoint. As most AWS services rely on AWS KMS for encryption and decryption, it is architected to provide a level of availability that supports the rest of AWS and is backed by the AWS KMS Service Level Agreement. Secure AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext keys from the service. The service uses FIPS 140-2 validated hardware security modules (HSMs) to protect the confidentiality and integrity of your keys regardless of whether you request KMS to create keys on your behalf, create them in an AWS CloudHSM cluster, or import them into the service. Your plaintext keys are never written to disk and only ever used in volatile memory of the HSMs for the time needed to perform your requested cryptographic operation. Keys created by KMS are never transmitted outside of the AWS region in which they were created and can only be used in the region in which they were created. Updates to the KMS HSM firmware is controlled by multi-party access control that is audited and reviewed by an independent group within Amazon as well as a NIST-certified lab in compliance with FIPS 140-2. Custom Key Store AWS KMS provides the option for you to create your own key store using HSMs that you control. Each custom key store is backed by an AWS CloudHSM cluster. When you create a KMS customer master key (CMK) in a custom key store, KMS generates and stores non-extractable key material for the CMK in an AWS CloudHSM cluster that you own and manage. When you use a CMK in a custom key store, the cryptographic operations under that key are performed in your CloudHSM cluster. Master keys that are stored in a custom key store rather than the default KMS key store are managed in the same way as any other master key in KMS and can be used by any AWS service that supports customer managed CMKs. The use of a custom key store involves the additional cost of the CloudHSM cluster and makes you responsible for the availability of the key material in that cluster. Key Storage Each customer master key (CMK) that you create in AWS Key Management Service (KMS), regardless of whether you use it with KMS-generated key material or key material imported by you, costs $1/month until you delete it. For a CMK with key material generated by KMS, if you opt-in to have the CMK automatically rotated each year, each newly rotated version will raise the cost of the CMK by $1/month. KMS retains and manages each previous version of the CMK to ensure you can decrypt older data. You are not charged for the following:

• Creation and storage of AWS managed CMKs, which are automatically created on your behalf when you first attempt to encrypt a resource in a supported AWS service.
• CMKs that are scheduled for deletion. If you cancel the deletion during the waiting period, the CMK will incur charges as though it was never scheduled for deletion.
• Data keys, which are created by GenerateDataKey and GenerateDataKeyWithoutPlaintext API requests. You are charged for these API requests per the usage pricing discussed below whether you make these API requests directly or they are made on your behalf by an integrated AWS service. You are not charged an ongoing monthly fee for the data keys themselves as they are neither stored nor managed by KMS.

Custom Key Store You have the option of using a CloudHSM cluster to generate and store your AWS KMS keys. The use of a custom key store does not affect the KMS charges for storing and using a CMK. However, a custom key store does require you to maintain a CloudHSM cluster that contains at least two HSMs. More HSMs can be added for improved availability and performance. The standard CloudHSM charges apply. Free Tier AWS Key Management Service provides a free tier of 20,000 requests/month calculated across all regions that KMS is available. BENEFITS: Fully managed You control access to your encrypted data by defining permissions to use keys while AWS KMS enforces your permissions and handles the durability and physical security of your keys. Centralized key management AWS KMS presents a single control point to manage keys and define policies consistently across integrated AWS services and your own applications. You can easily create, import, rotate, delete, and manage permissions on keys from the AWS Management Console or by using the AWS SDK or CLI. Manage encryption for AWS services AWS KMS is integrated with AWS services to simplify using your keys to encrypt data across your AWS workloads. You choose the level of access control that you need, including the ability to share encrypted resources between accounts and services. KMS logs all use of keys to AWS CloudTrail to give you an independent view of who accessed your encrypted data, including AWS services using them on your behalf. Encrypt data in your applications AWS KMS is integrated with the AWS Encryption SDK to enable you to used KMS-protected data encryption keys to encrypt locally within your applications. Using simple APIs you can also build encryption and key management into your own applications wherever they run. Built-in auditing AWS KMS is integrated with AWS CloudTrail to record all API requests, including key management actions and usage of your keys. Logging API requests helps you manage risk, meet compliance requirements and conduct forensic analysis. Low cost There is no commitment and no upfront charges to use AWS KMS. You only pay US $1/month to store any key that you create. AWS managed keys that are created on your behalf by AWS services are free to store. You are charged per-request when you use or manage your keys beyond the free tier. Secure AWS KMS uses FIPS 140-2 validated hardware security modules (HSMs) to generate and protect keys. Your keys are only used inside these devices and can never leave them unencrypted. KMS keys are never shared outside the AWS region in which they were created. Compliance The security and quality controls in AWS KMS have been certified under multiple compliance schemes to simplify your own compliance obligations. AWS KMS provides the option to store your keys in single-tenant HSMs in AWS CloudHSM instances that you control.

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message oriented middleware, and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. Get started with SQS in minutes using the AWS console, Command Line Interface or SDK of your choice, and three simple commands. SQS offers two types of message queues. Standard queues offer maximum throughput, best-effort ordering, and at-least-once delivery. SQS FIFO queues are designed to guarantee that messages are processed exactly once, in the exact order that they are sent. FEATURES: Queue types Amazon SQS offers two queue types for different application requirements: Standard Queues Unlimited Throughput: Standard queues support a nearly unlimited number of transactions per second (TPS) per API action. At-Least-Once Delivery: A message is delivered at least once, but occasionally more than one copy of a message is delivered. Best-Effort Ordering: Occasionally, messages might be delivered in an order different from which they were sent. You can use standard message queues in many scenarios, as long as your application can process messages that arrive more than once and out of order, for example:

• Decouple live user requests from intensive background work: Let users upload media while resizing or encoding it.
• Allocate tasks to multiple worker nodes: Process a high number of credit card validation requests.
• Batch messages for future processing: Schedule multiple entries to be added to a database.

FIFO Queues High Throughput: By default, FIFO queues support up to 300 messages per second (300 send, receive, or delete operations per second). When you batch 10 messages per operation (maximum), FIFO queues can support up to 3,000 messages per second. Exactly-Once Processing: A message is delivered once and remains available until a consumer processes and deletes it. Duplicates aren't introduced into the queue. First-In-First-Out Delivery: The order in which messages are sent and received is strictly preserved (i.e. First-In-First-Out). FIFO queues are designed to enhance messaging between applications when the order of operations and events is critical, or where duplicates can't be tolerated, for example:

• Ensure that user-entered commands are executed in the right order.
• Display the correct product price by sending price modifications in the right order.
• Prevent a student from enrolling in a course before registering for an account.

Functionality

• Unlimited queues and messages: Create unlimited Amazon SQS queues with an unlimited number of message in any region
• Payload Size: Message payloads can contain up to 256KB of text in any format. Each 64KB ‘chunk’ of payload is billed as 1 request. For example, a single API call with a 256KB payload will be billed as four requests. To send messages larger than 256KB, you can use the Amazon SQS Extended Client Library for Java, which uses Amazon S3 to store the message payload. A reference to the message payload is sent using SQS.
• Batches: Send, receive, or delete messages in batches of up to 10 messages or 256KB. Batches cost the same amount as single messages, meaning SQS can be even more cost effective for customers that use batching.
• Long polling: Reduce extraneous polling to minimize cost while receiving new messages as quickly as possible. When your queue is empty, long-poll requests wait up to 20 seconds for the next message to arrive. Long poll requests cost the same amount as regular requests.
• Retain messages in queues for up to 14 days.
• Send and read messages simultaneously.
• Message locking: When a message is received, it becomes “locked” while being processed. This keeps other computers from processing the message simultaneously. If the message processing fails, the lock will expire and the message will be available again.
• Queue sharing: Securely share Amazon SQS queues anonymously or with specific AWS accounts. Queue sharing can also be restricted by IP address and time-of-day.
• Server-side encryption (SSE): Protect the contents of messages in Amazon SQS queues using keys managed in the AWS Key Management Service (AWS KMS). SSE encrypts messages as soon as Amazon SQS receives them. The messages are stored in encrypted form and Amazon SQS decrypts messages only when they are sent to an authorized consumer.
• Dead Letter Queues (DLQ): Handle messages that have not been successfully processed by a consumer with Dead Letter Queues. When the maximum receive count is exceeded for a message it will be moved to the DLQ associated with the original queue. Set up separate consumer processes for DLQs which can help analyze and understand why messages are getting stuck. DLQs must be of the same type as the source queue (standard or FIFO).

Using Amazon SQS with other AWS infrastructure web services Amazon SQS message queuing can be used with other AWS Services such as Redshift, DynamoDB, RDS, EC2, ECS, Lambda, and S3, to make distributed applications more scalable and reliable. Below are some common design patterns:

• Work Queues: Decouple components of a distributed application that may not all process the same amount of work simultaneously.
• Buffer and Batch Operations: Add scalability and reliability to your architecture, and smooth out temporary volume spikes without losing messages or increasing latency.
• Request Offloading: Move slow operations off of interactive request paths by enqueing the request.
• Fanout: Combine SQS with Simple Notification Service (SNS) to send identical copies of a message to multiple queues in parallel.
• Priority: Use separate queues to provide prioritization of work.
• Scalability: Because message queues decouple your processes, it’s easy to scale up the send or receive rate of messages - simply add another process.
• Resiliency: When part of your system fails, it doesn’t need to take the entire system down. Message queues decouple components of your system, so if a process that is reading messages from the queue fails, messages can still be added to the queue to be processed when the system recovers.

PRICING:

• Pay only for what you use
• No minimum fee

Amazon SQS Free Tier You can get started with Amazon SQS for free. All customers can make 1 million Amazon SQS requests for free each month. Some applications might be able to operate within this Free Tier limit. How are Amazon SQS requests priced? The first 1 million monthly requests are free. After that, the pricing is as follows for all regions: Price per 1 Million Requests after Free Tier (Monthly)

• Standard Queue $0.40 ($0.00000040 per request)
• FIFO Queue $0.50 ($0.00000050 per request)

How are Amazon SQS charges metered? API Actions. Every Amazon SQS action counts as a request. FIFO Requests. API actions for sending, receiving, deleting, and changing visibility of messages from FIFO queues are charged at FIFO rates.  All other API requests are charged at standard rates. Contents of Requests. A single request can have from 1 to 10 messages, up to a maximum total payload of 256 KB. Size of Payloads. Each 64 KB chunk of a payload is billed as 1 request (for example, an API action with a 256 KB payload is billed as 4 requests). Interaction with Amazon S3. When using the Amazon SQS Extended Client Library to send payloads using Amazon S3, you incur Amazon S3 charges for any Amazon S3 storage you use to send message payloads.
Interaction with AWS KMS. When using the AWS Key Management Service to manage keys for SQS server-side encryption, you incur charges for calls from Amazon SQS to AWS KMS. BENEFITS: Eliminate Administrative Overhead AWS manages all ongoing operations and underlying infrastructure needed to provide a highly available and scalable message queuing service. With SQS, there is no upfront cost, no need to acquire, install, and configure messaging software, and no time-consuming build-out and maintenance of supporting infrastructure. SQS queues are dynamically created and scale automatically so you can build and grow applications quickly and efficiently. Reliably Deliver Messages Use Amazon SQS to transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be available. SQS lets you decouple application components so that they run and fail independently, increasing the overall fault tolerance of the system. Multiple copies of every message are stored redundantly across multiple availability zones so that they are available whenever needed. Keep Sensitive Data Secure You can use Amazon SQS to exchange sensitive data between applications using server-side encryption (SSE) to encrypt each message body. Amazon SQS SSE integration with AWS Key Management Service (KMS) allows you to centrally manage the keys that protect SQS messages along with keys that protect your other AWS resources. AWS KMS logs every use of your encryption keys to AWS CloudTrail to help meet your regulatory and compliance needs. Scale Elastically and Cost-Effectively Amazon SQS leverages the AWS cloud to dynamically scale based on demand. SQS scales elastically with your application so you don’t have to worry about capacity planning and pre-provisioning. There is no limit to the number of messages per queue, and standard queues provide nearly unlimited throughput. Costs are based on usage which provides significant cost saving versus the “always-on” model of self-managed messaging middleware.

The ARIA SDS platform is a radically different approach to comprehensive network and data security as it employs capabilities normally only found in carrier-class or military-grade architectures. When deployed on available optional hardware offerings it provides the high-availability and fast failover and service-level assurance features demanded in a carrier-class infrastructure. It also uses military communication techniques to protect from penetration and administrative eavesdropping from set-up through operation. Yet, even with this added layer of functionality, the deployment and overall platform management is simple as it is handled through advanced zero-touch provisioning techniques. How It Works The ARIA Software-Defined Security (SDS) platform can secure and encrypt containers and/or VMs as they spawn on-premise, private data centers or public cloud instances. The ARIA software automatically applies the organization’s appropriate contextually aware security policies. Additionally, the ARIA Orchestrator automatically discovers the SDSi and manages the application of the appropriate type and level of security services upon deployment. The central execution, across an entire organization, using a single pane of glass, ensures the desired access controls, micro-segmentation, encryption service types and levels, and other service techniques are correctly applied – no matter where the applications are running – whether it’s on premises, in the public cloud, or anywhere in between. Benefits: Achieve SecDevOps Balance the InfoSec requirement to maintain the consistent application of security policies and data protection with the desire of application developers for more agile and flexible DevOps practices. With ARIA, developers can simply select and connect to their applications for complete encryption. Gain a Cost-effective, End-to-End Security Solution The ARIA software defined security solution works with any enterprise infrastructure, is easy to deploy, and costs up to ten times less than other server host-based encryption solutions. Organizations that run critical security functions on the Myricom ARC Series SIA (versus the server processor) can expect cost savings in the need for fewer server upgrades and lower power consumption, while also achieving increased application performance. Secure Data at Rest, in Motion and in Use It’s not good enough to protect stored data. You must also have a solution for when it moves across the network, when it is accessed and used. ARIA applies the appropriate encryption policies by application, device, or data type – under any use and at any time. Improve Application and Server Performance Advanced security functions like encryption, micro-segmentation, or tokenization are CPU-intensive and, if run through local servers, may cause an unacceptable delay in application performance. The ARIA platform runs seamlessly with the Myricom ARC Series SIA, making it the ideal choice for server off-load. In addition the SIA serves as a zone of trust for keys, making them impenetrable to breaches.

If data is lost due to theft, negligence or accident, great damage can be done. It can ruin businesses and reputations. The most vulnerable points of attack are our devices, e.g. computers, smartphones, laptops, etc., which are operated by people – and people are fallible. Anti-virus protection and a firewall are not enough to protect data. Data is the life-blood of every organization and for more than 10 years, we have been innovating and leading the way in the field of data protection. To date, more than 2,100 customers from every industry and of all sizes, are benefiting from EgoSecure Data Protection. We do more than just blindly protecting your data. Firstly, our unique solution determines the data protection situation of your network. It then gives you accurate information, specific to your network, with guidance on how to protect yourself via our 20+ protection modules. This process can even be automated. We call this a simply beautiful solution; making complicated things simple is what makes us so very attractive to our customers.

Gemalto’s TSH enables seamless and secure over-the-air deployment of the digital keys to any type of phone that supports the solution. With the key safely downloaded to a secure element via Gemalto’s TSH, drivers can lock/unlock their cars by simply placing the smartphone against the door handle. The engine can also be turned on with the phone in the charging tray of the dashboard and pressing the start button. Capable of operating even if the phone battery is drained, the need to carry a conventional key is eliminated. As an integral part of the ‘Mercedes me connect’ program, the digital vehicle key will connect seamlessly with services that meet the demands of modern mobility and digital lifestyles. Source: Gemalto

AgileScan is a cryptographic security management solution that quickly, easily, and automatically generates an inventory of certificates, keys and cryptographic mechanisms found in software and systems across the enterprise. It pro-actively hunts for hidden risks and vulnerabilities. AgileScan accelerates cryptographic compliance and post-quantum readiness for Enterprises, Governments, and Technology Providers. Features: Certificates | Analysis AgileScan inventories and analyses certificates embedded within applications, infrastructure, servers and network to:

• Prevent downtime of an infrastructure by detecting expiring certificates

 

• Prevent data breach by detecting in-secure or fraudulent certificates

 

• Prevent compliance breach by detecting non-compliant certificate

 

Keys | Analysis AgileScan inventories and analyses cryptographic keys embedded within applications, infrastructure, servers and network to:

• Prevent data breach by detecting insecure or weak private keys

 

• Prevent key disclosure by detecting insecure key storage

 

• Prevent compliance breach by detecting use of noncompliant private keys

 

Cryptographic | Analysis AgileScan inventories and analyses cryptographic mechanisms present within applications, infrastructure, servers and network to:

• Prevent data breach by detecting vulnerable cryptographic libraries

 

• Prevent compliance breach by detecting non-compliant algorithms (e.g. SHA1)

 

• Support quantum-safe transition by detecting quantum vulnerable algorithms

 

Key benefits: Deliver Unique Information AgileScan delivers unique information about certificates, keys and cryptography present within a digital infrastructure or embedded within applications. Enhance Cyber Resilience AgileScan detects hidden certificates, keys and cryptographic vulnerabilities that leave companies at risk and that can be exploited by attackers. Prevent Infrastructure Downtime AgileScan detects embedded certificates that are expiring and that can lead to unanticipated downtime of sensitive infrastructure or services. Verify Compliance with Standards AgileScan automates compliance controls required by industry specific regulations and continuously verifies usage of state-of-the-art mechanisms. Prepare for Quantum Transition AgileScan enables organizations to prepare their transition to new cryptographic standards (e.g. Post-Quantum) by mapping presence of cryptography Leverage Leading-Edge Detection AgileScan has unique capabilities to detect certificates, keys and cryptography within byte code independently from coding language and without source code. Integrate Infrastructure AgileScan integrates with different enterprise systems including Continuous Integration (CI), SIEM and any other system via API and webservices. Ensure Minimal Operational Impact AgileScan uses a lightweight scanning approach to minimize impact on operations and ensure seamless deployment through standard automation tools.

Joe Sandbox Detect continuously monitors browsers and e-Mail clients for suspicious files. If suspicious files are opened or created, Joe Sandbox Detect uploads them immediately and fully automatically to Joe Sandbox for deep analysis. Once the analysis is finished, Joe Sandbox alerts the security team as well as the end user, and provides detailed information such as the verdict (malicious, suspicious, clean) and IOCs. Key Features: Monitoring of Browsers and e-Mail clients Joe Sandbox Detect monitors most common browsers and e-Mail clients including Internet Explorer, Edge, Chrome, Firefox, Microsoft Outlook and Thunderbird. If any of these programs creates a suspicious file, Joe Sandbox Detect automatically analyzes it with Joe Sandbox. Analysis of suspicious e-Mails and Files Joe Sandbox Detect enables users to analyze suspicious e-Mails and files with the help of Joe Sandbox Desktop, Joe Sandbox Complete, Joe Sandbox Ultimate and Joe Sandbox Cloud. Being specialized in Deep Malware Analysis, Joe Sandbox detects even the most advanced cyber threats. Joe Sandbox Detect has the ability to analyze any type of files. Joe Sandbox Detect also analyzes URLs to detect Phishing attacks or malicious webpages. File and IOC Encryption Any file including Office documents analyzed by Joe Sandbox Detect are fully private and encrypted with AES. Only the user has access to the decryption password. Shared encryption keys can be used to get access to the analyses of several users. Configurable Alerts Detailed alerts about the detection can be configured by Joe Sandbox through Joe Sandbox Detect. Alerts are sent via SYSLOG or e-Mail to one or mo receivers. Easy Deployment Joe Sandbox Detect can be easily deployed in enterprises. It comes with an installer with command line switch to configure the install. Apart from .Net Joe Sandbox Detect does not require any other third party software. Complementary to other security products Joe Sandbox Detect is fully complementary to other security products such as Antivirus, Firewalls and Endpoint Protection. Joe Sandbox Detect does not impact your current existing security settings or products. Zero Performance Impact Joe Sandbox Detect has a zero performenace impact to your end points. All analysis is done in the cloud or on your on-premise instance. With Joe Sandbox Detect you do not fear to have a laggy end point. Simple User Interface Joe Sandbox Detect was designed for the average computer user, and gives them the possibility to analyze e-mails with a single drag and drop action. The bar nicely integrates into the ribbon bar of Microsoft Windows Desktop. The notification screens are simple and easy to understand. Seamless Integration Joe Sandbox Detect integrates with Joe Sandbox Desktop, Joe Sandbox Complete, Joe Sandbox Ultimate and Joe Sandbox Cloud. The integration is done in seconds and offers the possibility to download the detailed analysis results for each analyzed attachment. SOCs, CERTs and CIRTS can fully access the analysis and the detailed reports.

Secure your confidential data with an enterprise-grade security solution that is FIPS 140-2 and Common Criteria EAL2+ certified, and accelerated with the Intel® Advanced Encryption Standard—New Instructions (Intel AES-NI) set. McAfee Complete Data Protection uses drive encryption combined with strong access control via two-factor pre-boot authentication to prevent unauthorized access to confidential data on endpoints, including desktops, virtual desktop infrastructure (VDI) workstations, laptops, Microsoft Windows tablets, USB drives, and more.
Key Features
■    Drive encryption
■    File and removable media protection
■    Management of native encryption

Key Advantages
■    Stop data loss initiated by sophisticated malware that hijacks sensitive and personal information.
■    Secure data when it’s stored on desktops, laptops, tablets, and cloud storage.
■    Manage Apple FileVault and Microsoft BitLocker native encryption on endpoints directly from McAfee ePO software.
■    Communicate with and take control of your endpoints at the hardware level, whether  they are powered off, disabled, or encrypted to halt desk-side visits and endless helpdesk calls due to security incidents, outbreaks, or forgotten encryption passwords.
■    Prove compliance with advanced reporting and auditing capabilities and monitor events and generate detailed reports that show auditors and other stakeholders your compliance with internal and regulatory privacy requirements.

Why Quantum-resistant?

Post-Quantum enables organisations to protect their data against code-breaking quantum computers. We offer a unique, patented quantum-resistant encryption algorithm that can be applied to existing products and networks. It can be deployed as stand-alone encryption, replacing today’s vulnerable crypto-systems, or in conjunction with current standards, to provide compliance in the present as well as future security.

Never-The-Same

Our encryption is known as ‘Never-The-Same’, or NTS. This comes from the fact that the algorithm never generates the same ciphertext twice, even when the plaintext and encryption keys remain constant. Independent security analysis by Royal Holloway, University of London concluded that NTS is secure against chosen-ciphertext attack (CCA). Since our algorithm produces varying outputs, our encryption is considered semantically secure. This means that the ciphertext reveals nothing about the plaintext that can be feasibly extracted by computational means. NTS is based on the McEliece cryptosystem, which relies on injecting random noise into a message. This noise is removed on decryption using error correcting techniques derived from the field of digital and satellite communication. Our co-founder Professor Martin Tomlinson is an expert in this area, having co-invented Tomlinson-Harashima Pre-coding, a data protocol used in many forms of satellite communication. Post-Quantum has resolved the challenge of large key sizes that made the McEliece system impractical for many use cases. Both public key size and ciphertext size are smaller in NTS than in the standard McEliece cryptosystem. The public key size is reduced by 50% or more, and the ciphertext size is reduced by at least 10%.

VPN

The VPN is an essential tool for organisations’ staff, but it provides a route into an organisation’s systems for attackers. The key vulnerabilities are weaknesses in the cryptography securing the connection, and the user login and authentication process. The current VPN standard, the Diffie-Hellman-based Internet Key Exchange Protocol, is vulnerable to attacks by quantum computers. Organisations need to introduce a quantum-resistant process, while maintaining compatibility with existing systems. Post-Quantum’s system enables quantum-safe key exchange, used if both sides of the connection are compatible with it, with the current standard (IKEv2) available if not. Complete replacement of current key exchange systems would not offer the necessary assurance in the encryption system, so introducing an additional quantum-safe key exchange gives greater confidence. Our system aligns with NIST’s approach, recognising hybrid modes in which quantum-resistant algorithms are a component of an overall system that is FIPS compliant. We have developed our system in line with Gartner’s recommendation of crypto-agility (‘Better Safe Than Sorry: Preparing for Crypto-Agility’, Gartner ID: G00323350), to help organisations end dependence on a single protocol. We can ensure a simple transition to the post-quantum era. Post-Quantum can also enhance the login process, with user-friendly biometrics-based identity verification that cryptographically binds the user’s identity to their session.

Anti-theft encryption For a company, the damages associated with the theft or loss of a laptop amount to far more than just the value of the hardware. Losing the information stored on a laptop’s hard disk or the mere communication of that information to a third party can generate all sorts of serious problems: recovery of sensitive information by the competition, damage to brand image, etc., to say nothing of the possible legal and regulatory implications in the event of a breach or an offence. Full-disk encryption The Cryhod full-disk encryption solution shields your company from these risks. Cryhod is a modern encryption software offering full-disk encryption of all your company’s mobile workstations. With Cryhod, data can only be accessed by users who are authorized and duly authenticated at pre-boot. Features: Encryption

• Encryption of entire disks and/or partitions (including system partition)
• Encryption on-the-fly, transparent for users
• Transparent initial encryption of disk/partitions
• Secure initial encryption, with automatic recovery in case of a service interruption (power outage, workstation shutdown, etc.)

Administration

• Pre-boot authentication (before start-up)
• Free choice of authentication mode: password or certificate
• SSO with Windows session opening
• Secure hibernation
• Single-user or multiple-access workstation

User Authentication

• Flexible and easy to deploy
• Simple to operate and supervise (scheduling via GPO)
• Integrated user recovery and troubleshooting
• Compatibility and cooperation with ZoneCentral for «Right-to-Know» management

What is National Public Key Directory (NPKD)? Many countries have implemented Biometric Passports (or e-Passports), allowing their citizens to travel more securely and efficiently. All efforts in standardization of travel documents are done under the umbrella of the International Civil Aviation Organization (ICAO). This makes travellers’ documents easy to recognize, read and validate by the foreign countries people visit. ICAO is in charge and operates a directory of certificates used to issue passports; each of the associated countries has its own certificate. The directory is called the Public Key Directory (PKD). A National Public Key Directory with security and efficiency Each sovereign nation handles the Public Key Directory (PKD) list on its own, as it finds appropriate and secure. The PrimeKey National Public Key Directory (NPKD) addresses the needs of a country to have an efficient, secure and robust system of importing other nations’ certificates from the PKD, as well as exporting its own certificates to the PKD. PrimeKey NPKD makes it easy to manage the imported top-level certificates from other countries – to decide if and how much they trust these certificates – to be able to swiftly revoke a certificate in case of need. PrimeKey NPKD works seamlessly with EJBCA Enterprise or SignServer Enterprise and is used by several nations to issue their citizen passports. In fact, we have built in some of the security features used by EJBCA to the NPKD. As we are committed to open standards, one of them being ICAOs specifications, our PrimeKey NPKD is designed and works well even for those nations who have not yet migrated to EJBCA Enterprise. PrimeKey NPKD The PrimeKey NPKD solution is designed to exchange digital certificates and other security data with ICAO Public Key Directory, and make them available for inspection systems. The ICAO PKD works as a hub for exchanging information required to authenticate ePassports. Our NPKD includes configurable schedulers. This makes the application server automatically run all the necessary tasks to keep valid PKD object published and available for inspection systems. NPKD can connect to ICAO PKD and upload, download, or store passive authentication security data such as certificates, master lists, and CRLs. National Public Key Directory setup “Country A” represents a country using PrimeKey National Public Key Directory (NPKD) and “Country X” represents all other countries either using PrimeKey NPKD or another solution. Included Use Cases in PrimeKey NPKD

• Downloading Master Lists from a specific country
• Extracting Master Lists and inspecting their certificates
• Running ICAO checks on Master List CSCA certificates
• Storing Master Lists in databases for later use
• Publishing CSCA certificates to an NPKD LDAP server
• Downloading all Master Lists from ICAO Public Key Directory (PKD)
• Downloading all DS certificates and CRLs from ICAO PKD
• Uploading Master Lists to ICAO PKD
• Finding the CSCA that has signed DS certificates
• Finding Master Lists that contain CSCA certificates
• Auditing all access control and integritychange logs

The ProtonMail mobile apps are now available worldwide.

Swiss Privacy ProtonMail is incorporated in Switzerland and all our servers are located in Switzerland. This means all user data is protected by strict Swiss privacy laws. End-to-End Encryption We use end-to-end encryption and zero access encryption to secure emails. This means even we cannot decrypt and read your emails. As a result, your encrypted emails cannot be shared with third parties. Anonymous Email No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first. Open Source We believe email privacy should be available to all. That's why our code is open source and basic ProtonMail accounts are always free. You can support the project by donating or upgrading to a paid account. Easy to Use ProtonMail can be used on any device without software install. ProtonMail secure email accounts are fully compatible with other email providers. You can send and receive emails normally. Modern Inbox Design The ProtonMail inbox is optimized for productivity. Each detail within our secure email service is optimized to help you better read, organize, and send email.

ReddFort App-Protect consists of a basic protection that protects all programs installed on the client against compromise by means of a secure and encrypted database. This protection starts before the operating system starts. This means that changes to the installation base are no longer possible. All programs and processes that are not in the database, no matter how they got to the client (e-mail, internet, network, drives), are recognized before the upload and are not executed. ReddFort App-Protect also includes a "GuardedDesktop". This creates a secure application environment in the form of a second desktop. This creates an isolated - non-virtual / sandbox - environment within which previously registered applications are executed. During the runtime, it is ensured that active applications only use permitted and genuine system components. Any deviation in the applications is noticed and prevented.

• Current malware, which is not yet known to the AV system laboratories, is not executed when ReddFort is used.
• Real protection against the start of the operating system, therefore no changes to the installation base are possible.
• All programs installed on the client are protected against compromise by a secure and encrypted database.
• Any attack on program files (by email, internet, network drives) is prevented.
• Security gaps in programs used by hackers are covered by the ReddFort App-Protect solution.
• Secured security desktop against key logger and picture viewer.

Keyhub is a cloud platform to automatically discover, organize, and track all SSL/TLS certificates across the enterprise.

• SSL/TLS auto detection
• Inventory and Dashboard
• Reports and alerts
• Subdomains scanning
• CT Logs monitoring
• CSR decoder and generator

Get rid of the guesswork

• Real-time automatic discovery
• Private and public certificates management
• Expiration dates tracking and alerting
• Holistic view of certificates from multiple issuers
• Identification of issues and vulnerabilities
• Corporate policy compliance check

Power up your workflow Built on design thinking principles, Keyhub simplifies routine operations, reduces adoption time and streamlines digital transformation. Detect Identify every certificate, known and unknown, with a permanent auto scan of your external and internal environments.

• Scan by a single domain, domain list, or IP range including up to 10,000 targets in one scan profile
• Find even more certificates by including subdomains
• Perform an internal scan by installing a Windows or Linux agent in just two clicks

Organize Get enhanced visibility in one place. Filter, group and sort all your certificates to get the list exactly the way you want it.

• Auto update feature always keeps your inventory up-to-date.
• Nine conditional filters help you organize the data according to your needs
• Create custom certificate groups for further tracking to save you time

Analyze Drill down through the system health from “general overview” to the “detailed card” on each digital certificate regardless of the issuer.

• Evaluate the entire landscape with seven interactive charts, and see the full picture, all on one screen
• Make informed decisions based on customized system health reports delivered right to your inbox
• Schedule report start date and frequency, and then add more recipients if needed

CryptoComply is a family of standards-based “Drop-in Compliance” cryptographic engines designed for use in servers, workstations, Cloud, appliances, and mobile devices. SafeLogic’s modules deliver core cryptographic functions to these platforms and feature robust algorithm support, including Suite B algorithms. CryptoComply modules offload secure key management, data integrity, data at rest encryption, and secure communications to a trusted implementation. As a FIPS 140-2 validated module, CryptoComply can be deployed quickly to meet various needs and requirements. ... Learn more