Patch Tuesday Update – January 2024
The post Patch Tuesday Update - January 2024 appeared first on Digital Defense.
The post Patch Tuesday Update – January 2024 appeared first on Security Boulevard.
Attacks on individual applications were down month to month in December 2024, but one of the most dangerous types of attacks was up significantly. That’s according to data Contrast Security publishes monthly about the detection and response of real-world application and application programming interface (API) attacks with Application Detection and Response (ADR). What you’re about to see is data that we gather from the attacks on our apps and those of our customers, anonymized and averaged.
The post Unsafe Deserialization Attacks Surge | December Attack Data | Contrast Security appeared first on Security Boulevard.
Find out why unknown build assets is a growing problem and how Legit can help.
The post How to Prevent Risk From Unknown Build Assets appeared first on Security Boulevard.
Fortinet patched an authentication bypass vulnerability in FortiOS and FortiProxy that has been actively exploited in the wild as a zero-day since November 2024.
Background
On January 14, Fortinet released a security advisory (FG-IR-24-535) addressing a critical severity vulnerability impacting FortiOS and FortiProxy.

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2024-55591 | FortiOS and FortiProxy Authentication Bypass Vulnerability | 9.6 |

Analysis
CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a Node.js websocket module. Successful exploitation may grant an attacker super-admin privileges on a vulnerable device. According to the Fortinet advisory, this vulnerability has been exploited in the wild.
Zero Day Campaign May Have Been Active Since November
Researchers at Arctic Wolf published a blog post on January 10 detailing a campaign of suspicious activity, first observed in mid-November 2024, related to the exploitation of a zero-day vulnerability, which is presumed to be CVE-2024-55591. Arctic Wolf Labs details four distinct phases of the campaign that were observed against Fortinet FortiGate firewall devices: scanning, reconnaissance, SSL VPN configuration and lateral movement. For more information on the observations of this campaign, we recommend reviewing its blog post.
At the time this blog was published, the Fortinet advisory did not credit Arctic Wolf with the discovery of CVE-2024-55591. However, the indicators of compromise (IoCs) listed in the Fortinet advisory overlap with the report from Arctic Wolf.
Historical exploitation of Fortinet FortiOS and FortiProxy
Fortinet FortiOS and FortiProxy have been targeted by threat actors previously, including targeting by advanced persistent threat (APT) actors. We’ve written about several noteworthy Fortinet flaws since 2019, including flaws impacting SSL VPNs from Fortinet and other vendors:

| CVE | Description | Patched | Tenable Blog |
| --- | --- | --- | --- |
| CVE-2024-21762 | Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd | February 2024 | CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability |
| CVE-2023-27997 | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | June 2023 | CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate) |
| CVE-2022-42475 | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | December 2022 | CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs; AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 |
| CVE-2022-40684 | FortiOS and FortiProxy Authentication Bypass Vulnerability | October 2022 | CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxy |
| CVE-2020-12812 | FortiOS Improper Authentication Vulnerability | July 2020 | CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT Actors |
| CVE-2019-5591 | FortiOS Default Configuration Vulnerability | July 2019 | CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT Actors |
| CVE-2018-13379 | FortiOS Path Traversal/Arbitrary File Read Vulnerability | August 2019 | CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild |

Proof of concept
At the time this blog post was published, there were no public proof-of-concept exploits for CVE-2024-55591.
Solution
Fortinet published its security advisory (FG-IR-24-535) on January 14 to address this vulnerability. The advisory also contains IoCs and workaround steps that can be utilized if immediate patching is not feasible. Fortinet has released the following patches for FortiOS and FortiProxy.

| Affected Product | Affected Version | Fixed Version |
| --- | --- | --- |
| FortiOS 7.0 | 7.0.0 through 7.0.16 | Upgrade to 7.0.17 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.19 | Upgrade to 7.0.20 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |

Fortinet also released several additional security advisories on January 14 for vulnerabilities affecting FortiOS and FortiProxy:

| Affected Product(s) | Vulnerability Description | Security Advisory | CVSSv3/Severity |
| --- | --- | --- | --- |
| FortiOS, FortiProxy, FortiMail, FortiSwitch, FortiVoiceEnterprise, FortiNDR, FortiWLC, FortiADC, FortiAuthenticator, FortiRecorder, FortiDDoS-F, FortiDDoS, FortiSOAR and FortiTester | An externally controlled reference to a resource may allow an unauthenticated attacker to poison web caches between an affected device and an attacker using crafted HTTP requests | FG-IR-23-494 | 4.1 / Medium |
| FortiAnalyzer, FortiAnalyzer Cloud, FortiAuthenticator, FortiManager, FortiManager Cloud, FortiOS, FortiProxy, FortiSASE | An unauthenticated attacker with access to the Security Fabric protocol may be able to brute force an affected product to bypass authentication. | FG-IR-24-221 | 8.0 / High |
| FortiOS | An authenticated, remote attacker may be able to prevent access to the GUI using specially crafted requests and causing a denial of service (DoS) condition. | FG-IR-24-250 | 4.8 / Medium |
| FortiOS | An authenticated attacker may be able to cause a DoS condition due to a NULL pointer dereference vulnerability in the SSLVPN web portal. | FG-IR-23-473 | 6.2 / Medium |
| FortiManager, FortiOS, FortiProxy, FortiRecorder, FortiSASE, FortiVoice and FortiWeb | A path traversal vulnerability may be exploited by a remote attacker with access to the security fabric interface, allowing the attacker to access and modify arbitrary files. | FG-IR-24-259 | 7.1 / High |
| FortiOS | An unauthenticated attacker may be able to exploit an out-of-bounds write vulnerability to cause a DoS condition. | FG-IR-24-373 | 3.5 / Low |
| FortiOS | An unauthenticated attacker may be able to exploit an out-of-bounds read vulnerability to cause a DoS condition. | FG-IR-24-266 | 7.5 / High |
| FortiOS | An authenticated attacker with low privileges may be able to cause a DoS condition due to two NULL pointer dereference vulnerabilities. | FG-IR-23-293 | 6.4 / Medium |
| FortiOS | An unauthenticated attacker may be able to exploit a resource allocation vulnerability to cause a DoS condition using multiple large file uploads. | FG-IR-24-219 | 7.1 / High |
| FortiOS | An authenticated attacker may be able to exploit an integer overflow vulnerability to cause a DoS condition. | FG-IR-24-267 | 3.2 / Low |
| FortiOS | An authenticated attacker may be able to exploit an improper access control vulnerability. | FG-IR-23-407 | 4.7 / Medium |
| FortiOS, FortiProxy and FortiSASE | An unauthenticated attacker may be able to exploit an HTTP response splitting vulnerability in FortiOS, FortiProxy and FortiSASE | FG-IR-24-282 | 6.4 / Medium |
| FortiOS | An unauthenticated attacker may be able to exploit a man-in-the-middle vulnerability to intercept sensitive information. | FG-IR-24-326 | 3.5 / Low |

Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-55591 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Additionally, customers can utilize Tenable Attack Surface Management to identify public-facing Fortinet assets.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
The post CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild appeared first on Security Boulevard.
Authors/Presenters: Emma Stewart
Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organization's YouTube channel.
The post DEF CON 32 – Pick Your Poison: Navigating A Secure Clean Energy Transition appeared first on Security Boulevard.
SYMMETRY CUSTOMER CASE STUDY
Leading Fintech Accelerates PCI DSS 4.0 Compliance with Symmetry Systems
ABOUT
Industry: Fintech
Size: 1K – 3K employees...
The post Leading Fintech Accelerates PCI DSS 4.0 Compliance with Symmetry Systems appeared first on Symmetry Systems.
The post Leading Fintech Accelerates PCI DSS 4.0 Compliance with Symmetry Systems appeared first on Security Boulevard.
Microsoft addresses 157 CVEs in the first Patch Tuesday release of 2025 and the largest Patch Tuesday update ever with three CVEs exploited in the wild, and five CVEs publicly disclosed prior to patches being made available.
Microsoft patched 157 CVEs in its January 2025 Patch Tuesday release, with 10 rated critical and 147 rated as important. Our counts omitted two vulnerabilities, one reported by GitHub and another reported by CERT/CC. To date, the January 2025 Patch Tuesday release is the largest ever from Microsoft.
This month’s update includes patches for:
Remote code execution (RCE) vulnerabilities accounted for 36.9% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 25.5%.
Important CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerabilities
CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 are EoP vulnerabilities in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP). All three vulnerabilities were assigned a CVSSv3 score of 7.8 and rated important. An authenticated, local attacker could exploit this vulnerability to elevate privileges to SYSTEM. Two of the three vulnerabilities were unattributed, with CVE-2025-21333 being attributed to an Anonymous researcher.
According to Microsoft, all three vulnerabilities were exploited in the wild as zero-days. No specific details about the in-the-wild exploitation were public at the time this blog post was released.
Important CVE-2025-21186, CVE-2025-21366, CVE-2025-21395 | Microsoft Access Remote Code Execution Vulnerability
CVE-2025-21186, CVE-2025-21366 and CVE-2025-21395 are RCE vulnerabilities in Microsoft Access, a database management system. All three vulnerabilities were assigned a CVSSv3 score of 7.8 and rated important. A remote, unauthenticated attacker could exploit this vulnerability by convincing a target through social engineering to download and open a malicious file. Successful exploitation would grant an attacker arbitrary code execution privileges on the vulnerable system. This update “blocks potentially malicious extensions from being sent in an email.”
According to Microsoft, these three vulnerabilities were publicly disclosed prior to a patch being available (zero-days). They are attributed to Unpatched.ai, which uses artificial intelligence (AI) to “help find and analyze” vulnerabilities.
Important CVE-2025-21308 | Windows Themes Spoofing Vulnerability
CVE-2025-21308 is a spoofing vulnerability affecting Windows Themes. This vulnerability received a CVSSv3 score of 6.5 and was publicly disclosed prior to a patch being made available. According to Microsoft, successful exploitation requires an attacker to convince a user to load a malicious file, then convince the user to “manipulate the specially crafted file.” Microsoft has provided a list of mitigations including disabling New Technology LAN Manager (NTLM) or using group policy to block NTLM hashes. For more information on the mitigation guidance, please refer to the Microsoft advisory.
Important CVE-2025-21275 | Windows App Package Installer Elevation of Privilege Vulnerability
CVE-2025-21275 is an EoP vulnerability in the Microsoft Windows App Package Installer. It was assigned a CVSSv3 score of 7.8 and is rated important. A local, authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges. These types of flaws are often associated with post-compromise activity, after an attacker has breached a system through other means.
According to Microsoft, this vulnerability was publicly disclosed prior to a patch being available. It is attributed to an Anonymous researcher.
Critical CVE-2025-21297, CVE-2025-21309 | Windows Remote Desktop Services Remote Code Execution Vulnerability
CVE-2025-21297 and CVE-2025-21309 are critical RCE vulnerabilities affecting Windows Remote Desktop Services. Both of these vulnerabilities were assigned CVSSv3 scores of 8.1; however, CVE-2025-21309 was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index, while CVE-2025-21297 was assessed as “Exploitation Less Likely.”
According to Microsoft, successful exploitation of these flaws requires an attacker to connect to a system with the Remote Desktop Gateway role and trigger a race condition that creates a use-after-free scenario which can be leveraged to execute arbitrary code.
Critical CVE-2025-21298 | Windows OLE Remote Code Execution Vulnerability
CVE-2025-21298 is an RCE vulnerability in Microsoft Windows Object Linking and Embedding (OLE). It was assigned a CVSSv3 score of 9.8 and is rated critical. It has been assessed as “Exploitation More Likely.” An attacker could exploit this vulnerability by sending a specially crafted email to a target. Successful exploitation would lead to remote code execution on the target system if the target opens this email using a vulnerable version of Microsoft Outlook or if their software is able to preview the email through a preview pane.
Microsoft’s advisory for this vulnerability recommends configuring Microsoft Outlook to read email messages “in plain text format” instead of a rich format that will display other types of content, such as photos, animations or specialized fonts. To configure Outlook in this way, please refer to the following article, Read email messages in plain text.
Tenable Solutions
A list of all the plugins released for Microsoft’s January 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.
For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
The post Microsoft’s January 2025 Patch Tuesday Addresses 157 CVEs (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) appeared first on Security Boulevard.
As we stand on the threshold of 2025, the cybersecurity landscape is undergoing a dramatic transformation, largely driven by artificial intelligence and emerging threat vectors. Drawing from Nuspire’s recent cybersecurity outlook webinar, let’s explore the key trends and challenges that organizations will face in the coming year.
Looking Back to Move Forward
Before diving into 2025 predictions, it’s worth noting ...
The post The AI Revolution: Navigating Cybersecurity Challenges in 2025 appeared first on Nuspire.
The post The AI Revolution: Navigating Cybersecurity Challenges in 2025 appeared first on Security Boulevard.
via the comic humor & dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Trimix’ appeared first on Security Boulevard.
The post Sanitizing Unstructured Data In Motion—and Why It’s Important appeared first on Votiro.
The post Sanitizing Unstructured Data In Motion—and Why It’s Important appeared first on Security Boulevard.
Around the year 1900, an author (Rudyard Kipling) wrote a poem called “The Elephant’s Child.” In it, he writes: “I keep six honest serving men They taught me all I knew Their names are What and Why and When And How and Where and Who.” Little did Kipling know that these six friends would someday […]
The post Six Friends Every Security Team Needs appeared first on Security Boulevard.
Microsoft is suing 10 unknown people involved in a sophisticated scheme to exploit users' credentials to access the vendor's Azure OpenAI AI services, bypass security guardrails, and post harmful images using its cloud systems.
The post Microsoft Sues Group for Creating Tools to Bypass Azure AI Security appeared first on Security Boulevard.
Commvault today added an ability to automatically recover the instances of Microsoft Active Directory (AD) that have become primary targets of cybersecurity attacks.
The post Commvault Adds Ability to Recover Entire Instances of Active Directory appeared first on Security Boulevard.
In this episode, host Peter dives into the challenges of the tech job market in 2023 and 2024 and introduces us to Julia, a dynamic writer and content strategist with a fascinating background in computational cognitive neuroscience. Julia shares insights on: The art of connecting products and services with customers in meaningful ways. A unique […]
The post Reemployment Project: Meet Julia High appeared first on Security Boulevard.
CISA in two years has seen the number of critical infrastructure organizations signing up for its CPG services double, which has improved the overall security in most sectors, but more needs to be done to strengthen what has become a target of adversarial state-sponsored threat groups.
The post Critical Infrastructure Seeing Benefits of Government Program, CISA Says appeared first on Security Boulevard.
Explore key trends in the BSIMM15 report, such as securing AI and the software supply chain, plus recommendations for enhancing your software security program.
The post BSIMM15: New focus on securing AI and the software supply chain appeared first on Blog.
The post BSIMM15: New focus on securing AI and the software supply chain appeared first on Security Boulevard.
On January 7, we published a press release to share our five predictions for cybersecurity in 2025. Over the next few weeks, we’ll publish a blog series that provides additional commentary on each prediction. This is the second blog in the series. Check out the first and second blogs here. Prediction Key Takeaways: We […]
The post 2025 Prediction 3: Digital Security Will Expand Beyond Privacy Concerns To Include Holistic, Integrated Cyber and Physical Protection appeared first on BlackCloak | Protect Your Digital Life™.
The post 2025 Prediction 3: Digital Security Will Expand Beyond Privacy Concerns To Include Holistic, Integrated Cyber and Physical Protection appeared first on Security Boulevard.
Nisos
The Insider Threat Digital Recruitment Marketplace
Nisos routinely monitors mainstream and alternative social media platforms, as well as cloud-based messaging applications and dark web forums...
The post The Insider Threat Digital Recruitment Marketplace appeared first on Nisos by Nisos
The post The Insider Threat Digital Recruitment Marketplace appeared first on Security Boulevard.
In this article, we touch on the trends and predictions that will shape cloud security in 2025 and beyond.
The post Future-Proofing Cloud Security: Trends and Predictions for 2025 and Beyond appeared first on Security Boulevard.
Fifteen Best Practices to Navigate the Data Sovereignty Waters
josh.pearson@t…
Tue, 01/14/2025 - 08:04
Data sovereignty—the idea that data is subject to the laws and regulations of the country it is collected or stored in—is a fundamental consideration for businesses attempting to balance harnessing the power of data analytics, ensuring compliance with increasingly stringent regulations, and protecting the privacy of their users.
At Thales, we believe that data sovereignty doesn’t obstruct innovation; it enables it. With the right tools and expertise, businesses can navigate the murky waters of data sovereignty, taking advantage of data’s huge potential while securely processing and storing data wherever it is. So, to help you along the way, here are our 15 best practices for navigating the data sovereignty waters.
360-degree Data Protection Mechanism
Navigating data sovereignty requires comprehensive data security and resilience, which 360-degree data protection mechanisms provide. A 360-degree data protection mechanism is a holistic approach to data security encompassing all data management aspects. It ensures that data is protected throughout its lifecycle, from creation to deletion, across all environments—on-premises, cloud, hybrid, and multi-cloud.
Automation in Security Management
Organizations often use multiple cloud environments to meet data sovereignty requirements. This approach provides geographic flexibility, helping to ensure compliance with local regulations in various regions. Similarly, some jurisdictions may require a different cloud environment from others.
However, achieving scalability and adequate security across multiple cloud services can take time and effort. The more cloud environments an organization has, the more work a security team must do to secure them. By automating security tasks and processes, organizations allow security teams to secure multiple cloud environments while minimizing manual effort.
Data Classification
Data classification and governance ensure compliance with data sovereignty by categorizing data based on sensitivity and applying appropriate security measures. They enforce localized data storage, automated compliance, and consistent security controls, facilitate auditing and regulatory reporting, and manage cross-border data transfers to adhere to local and international laws.
Transparency and Control Over Data
Transparency and control over data are crucial for data sovereignty as they ensure organizations can track, manage, and secure data in compliance with local laws. This visibility helps maintain regulatory compliance, enforce data localization policies, and swiftly address security issues, safeguarding sensitive information within jurisdictional boundaries.
Understand the Nature of Data in Cloud Migration
As noted, to meet data sovereignty requirements, organizations will often have to set up cloud data centers in multiple jurisdictions and, as such, carry out cloud migration. Understanding the nature of data in cloud migration is crucial for successful cloud migration and handling of sensitive information. It ensures appropriate security measures, compliance with regulatory requirements, and effective data management strategies, preventing data breaches and maintaining data integrity during the transition to the cloud environment.
Robust Data Management and Governance
Robust data management and governance are critical parts of any data protection legislation. To implement robust data management and governance, organizations should establish clear policies and procedures for data classification, access control, and lifecycle management, use automated tools for monitoring, auditing, and enforcing compliance, and regularly update policies to reflect regulatory changes and ensure consistent data protection across all systems and environments.
Robust Encryption Strategies and Pseudonymization
Robust encryption strategies and pseudonymization are crucial for protecting sensitive data and meeting data sovereignty requirements. Encryption ensures data is securely stored and transmitted, safeguarding it from unauthorized access or breaches. Pseudonymization further anonymizes data, reducing the risk of identification if data is compromised. These measures protect sensitive information and help organizations comply with data residency laws by ensuring data is stored and processed within required geographic boundaries.
Effective Key Management to Map Data Sensitivity
However, poor key management can render even the most robust encryption algorithms ineffective. Effective key management is foundational to data sovereignty: while cryptographic algorithms are public, the associated keys must remain secret. Critical management practices such as classification, key assignment, access controls, rotation and revocation, and auditing and monitoring ensure that sensitive data is protected according to its level of sensitivity.
Crypto Agility and Quantum-Resistant Algorithms Awareness
Crypto agility and awareness of quantum-resistant algorithms are crucial for preparing organizations for future technological shifts and ensuring long-term data security.
Crypto agility enables organizations to adopt and integrate new cryptographic standards and algorithms as they evolve. This flexibility ensures that data remains protected against emerging threats and vulnerabilities.
With quantum computing advancements threatening current encryption methods, awareness and adoption of quantum-resistant algorithms are essential. These algorithms are designed to withstand attacks from quantum computers, safeguarding data integrity and confidentiality in the future.
Backup and Disaster Recovery Strategies
All data protection regulations will require organizations to have backup and disaster recovery strategies to be resilient against security incidents such as ransomware attacks.
Zero Trust Network Access (ZTNA)
ZTNA ensures that only necessary and authenticated individuals and machines can access a network, thus preventing unauthorized access and potential data breaches. Most jurisdictions require ZTNA in their data protection regulations.
Digital Identity and Access Management
Similarly, digital identity and access management (IAM) is crucial for data sovereignty and security, as it ensures that only authorized users access sensitive data. IAM, particularly in zero-trust models, verifies identities and enforces least privilege access, preventing unauthorized access across cloud environments, safeguarding data integrity, and maintaining compliance with regulatory requirements.
Regular Audits and Compliance Checks
Regular audits and compliance checks ensure the effectiveness of data protection and control strategies over time while confirming compliance with different jurisdictions’ data protection regulations.
Keep Abreast with Emerging Technologies
Technologies for cybersecurity defenders and attackers are evolving at an unprecedented speed. To keep up with data sovereignty, it’s crucial to be aware of developments on either side of the battle. By doing so, organizations can adapt to new challenges and ensure up-to-date security measures.
Data Residency Awareness in Different Jurisdictions
Most importantly, it’s crucial to understand data protection laws in different jurisdictions. By practicing data residency awareness, organizations ensure they store and process data according to local laws, respect privacy rights, and prevent legal violations. This awareness helps organizations navigate complex regulatory landscapes and avoid penalties related to data sovereignty and privacy breaches.
Transforming data sovereignty from a risk to an opportunity
Implementing the above best practices using this checklist will help organizations navigate data sovereignty’s murky waters. New data protection regulations are coming thick and fast, particularly in the US, so there’s no better time to get on top of your data sovereignty requirements.
For more information on data sovereignty, how it will affect businesses, and how to thrive in the digital economy while upholding the highest standards of data security and privacy, check out the 2024 Thales Data Security Directions Council Report, Data Sovereignty: Who Owns Your Data and Can You Control It?
The post Fifteen Best Practices to Navigate the Data Sovereignty Waters appeared first on Security Boulevard.