Customers didn’t ask a lot of questions about security and encryption when David Petersen started working at O.C. Tanner seven years ago. The company develops cloud-based tools to help other companies design employee recognition and rewards programs. Petersen is director of infrastructure and systems at the 93-year-old firm, which started out making class rings and pins.
The company’s changed a lot as it nears its centennial, and the security landscape has shifted significantly in the time that Petersen’s been with O.C. Tanner.
“Clients have become more conscious of security and more aware of the threats, and they ask us for those protections including encryption,” Petersen said, adding that his customers’ sophistication around encryption technologies has also increased. “It used to be just: do you encrypt data? Check the box, yes or no. Now it’s what standard are you using? Are you using FIPS [Federal Information Processing Standard]-certified devices? The general trend is people are becoming more conscious and aware, and they have a real understanding of encryption.”
This is also a big part of the reason why O.C. Tanner uses Fortanix’s encryption technology, Petersen said.
O.C. Tanner’s Customers
Working with companies to develop employee rewards programs means O.C. Tanner regularly touches human resources data for millions of employees globally. This is sensitive, personal information, and “there’s nothing more important to us than making sure that data stays private and secure and doesn’t get used to hurt you in any way,” Petersen said.
Plus, O.C. Tanner works with financial institutions, health care organizations, and other multi-national corporations that are subject to strict regulations and data privacy rules. “We have to meet these same standards of security and data protection that our clients are required by law to meet,” Petersen said.
This used to mean that O.C. Tanner couldn’t use the public cloud and had to store everything in its own data centers. “There, the data is easy to secure and encrypt because we can manage everything at the hardware layer,” he said. But the company also wanted to take advantage of the scalability and flexibility of public cloud, and to put some of its services and applications closer to customers in regions where O.C. Tanner didn’t have a physical data center presence.
How to Secure Data in the Cloud?
“We started looking for a key management system to use in our own data centers, and that we could encrypt if we put that data in a public cloud,” Petersen said, adding that his company also needed a product that ensured the data would remain portable and not locked in to a single cloud provider.
O.C. Tanner considered encryption and key management products from Gemalto, Thales, and other legacy vendors, but “we weren’t finding good solutions with the existing market leaders,” Petersen said. “It just wasn’t a good fit for how we wanted to run our infrastructure, neither from a technical perspective nor a licensing perspective, and it became very cost prohibitive for us.”
Then he came across Fortanix and “it looked like a really good fit,” he said. “We had a working PoC [proof of concept] within a month.”
Fortanix’s Encryption Technology
Fortanix’s technology helps solve the problem of protecting data both in the cloud and on premises by decoupling security from the infrastructure. Its Self-Defending Key Management Service (SDKMS) provides both key management and hardware security module (HSM) capabilities via software, running on top of Intel’s processor-hardened enclaves called Intel Software Guard Extensions (SGX).
The cloud-based service also ensures untrusted operating systems, root users, and cloud providers don’t have access to the encrypted data. Equinix, IBM Cloud, and Alibaba Cloud use Fortanix’s security software.
Additionally, SDKMS recently achieved Level 1 certification of the Federal Information Processing Standard (FIPS) Publication 140-2, a U.S. government computer security standard used to approve cryptographic modules. Some components of SDKMS are already FIPS Level 3 certified, while Level 3 certification for the Fortanix hardware is currently underway. In addition to giving users confidence in the cryptographic security measures of SDKMS, the certification also helps some customers meet certain regulatory compliance measures, including those in the federal, financial services, and health care sectors.
Getting Sophisticated About Security
FIPS certification is also becoming increasingly important to O.C. Tanner because its customers are starting to ask for it. Petersen attributes this to growing awareness of security breaches and how much they cost companies, both in dollars spent mitigating them and in damage to reputations.
“Everybody is very aware of the attacks, they are more public now than they used to be, and the stakes get higher every time,” he said. “I think all of us have been part of some breach of some sort, and to have your employer be the source of that breach — that makes for uncomfortable relations between employee and employer. Our clients ask for these protections, and how do we protect the privacy of that data and limit access to it so that if it were to be compromised, it still couldn’t be accessed because of encryption. The business community as a whole has become more aware of that and I see that continuing.”