DFS Cybersecurity Regulation Compliance
Unbound significantly reduces the cost and complexity of complying with the New York State Department of Financial Services (DFS) Cybersecurity requirements.
The Challenges of DFS Compliance in a Perimeter-Free World
Financial institutions report that the most challenging regulations to meet are those that call for enhanced encryption of all nonpublic information (including data both “in-transit” and “at-rest”) in their multi-site, hybrid cloud environments.
Among the many challenges:
High-Trust Multi-Factor Authentication – User-owned devices (BYOD) are inherently insecure, so strong authentication usually requires cumbersome dedicated hardware tokens
Unbound helps organizations meet the following NYS DFS Cybersecurity Regulations
Requirements Addressed: Section 500.15 (a)
Data in Transit – Unbound Key Control (UKC) protects encryption keys of data at rest and data in motion. UKC also keeps track of crypto inventory (keys, partitions, usage, etc.) and performs key management actions like generation, import, distribution, refresh and revocation. UKC can be used to protect the keys for symmetric (e.g. IPsec with AES/3DES) and asymmetric (e.g. SSH/TLS protocols) encryption algorithms.
- The Unbound Key Control (UKC) Database Encryption Module is a software-only product that keeps the database encryption keys secured at all times by ensuring encryption keys are never in the clear. It includes all key management capabilities required throughout the key lifecycle, and includes a KMIP server that allows it to integrate with any existing key manager. TDE Integration is available for Microsoft SQL Server, Oracle and IBM DB2 on all platforms and CSPs. UKC also transparently integrates with MSSQL Always Encrypted, allowing you to securely protect and manage master keys to the entire database or just certain columns.
- The Unbound Key Control (UKC) Application-Level Encryption module is a fully integrated module that supports all standard crypto APIs (e.g. PKCS#11, Java JCE, Microsoft KSP). This simple, yet secure solution provides developers with an intuitive, easy-to-use crypto-agile API that is installed on the application server, and can be seamlessly integrated with your applications.
Requirements Addressed: Section 500.11 (2)
Unbound Key Control (UKC) lets organizations keep full control of their cryptographic keys in the public cloud. This solution, known as Control Your Own Key (CYOK), allows financial institutions utilizing SaaS and IaaS services to keep full control of their cryptographic keys, while maintaining full functionality of their applications and services in the cloud.
Requirements Addressed: Section 500.13
Unbound helps organizations satisfy the 23 NYCRR 500.13 requirement by allowing organizations to revoke/delete the encryption key that was used to encrypt nonpublic information, making the information unreadable. The revocation is fully audited and controlled by the enterprise, even on cloud-hosted workloads.
Requirements addressed: Section 500.12 (a), (b)
Role-Based Access Control (RBAC) – Unbound Key Control (UKC) enables organizations to control access to data decryption keys on a “need to know” basis
Customizable, Granular Admin and Access Management – Unbound Key Control (UKC) gives organizations the flexibility to set highly granular authorization and access management rules. For example, UKC’s Quorum (M-of-N) control policy allows orgs to define a minimum number of admins (M) out of a total number of admins (N) who must work together to perform high-security operations.
Digital Certificates – Unbound Key Control (UKC) enables organizations to go beyond password-grade security for authenticating users and systems with additional cryptographic technologies, such as digital certificates.
Secure Authentication on BYOD – Unbound Crypto-of-Things (CoT) secures the private key or the OTP seed of device-centric biometric and FIDO-based authentication on insecure user-owned devices. A simple and easy-to-use SDK seamlessly integrates with any desktop or mobile application, including FIDO-based solutions, ensuring that device authentication keys are secured by protection that is built right into the application.
An NY-DFS Compliance Solution Made for Today’s Perimeter-Free World
Unbound is the world’s first automated, streamlined and software-defined encryption, key management and authentication platform built to address the challenges of meeting NY-DFS requirements in today’s hybrid cloud, perimeter-less world.
Unbound provides platform-agnostic software-only solutions that can be implemented on all public/private cloud and on-premises workloads, giving financial organizations secure, cost-effective and efficient means to comply with several aspects of NY-DFS, including those related to encryption, key management, authentication, access control, auditing and monitoring.
Transparent DB Encryption
Seamless integration with all popular DBs – protect keys at the DB or column level with a quick configuration update
Allows full control of encryption keys in the cloud (CYOK)
Supports tokenization and other operations on encrypted data using format, type and order-preserving encryption
Secure Authentication on BYOD
Tamper-proof and clone-resistant identity binding to any BYOD – immune to malware
Enables granular admin authorization, including M-of-N
Get an in-depth explanation of how Unbound uses MPC, a mathematically proven method to secure keys on any device.
How to Go Beyond BYOK with CYOK
Control Your Own Keys in the Cloud (CYOK) can ensure your sensitive assets remain secure even in the event of a breach.
Unbound Key Control
Learn how Unbound Key Control, the first secure-as-hardware key management system, can protect your crypto keys anywhere.