Data security

August 30, 2010

Data security projects can be challenging if not managed appropriately

Abir Thakurta, CISSP
Senior Director, Worldwide Pre-Sales & Professional Services
nuBridges

Digital-universe During one of my recent customer conversations, I was asked what challenges customers typically experience in implementing data security. In our experience we find customers run into two types of challenges: process challenges and technology challenges. Here are some of the more common process challenges.

  1. Knowing your sensitive information footprint within the enterprise. Many organizations do not have a data classification program or know where their sensitive information resides. Absence of a holistic picture results in islands of data protection that can be challenging to manage and standardize. It also increases the cost of ongoing compliance and management of these solutions. To mitigate this situation, nuBridges Professional Services teams ensure that a sensitive information footprint is generated so an appropriate data protection strategy can be defined.

  2. Defining a data protection strategy. Traditionally, organizations have viewed security as network or perimeter security. With the proliferation of internal breaches, organizations are beginning to understand the need to protect data at the source.

    However, tactical fixes like encrypting data in one database without developing an enterprise data protection strategy can cause issues in the long run. To mitigate this situation, nuBridges Professional Services teams help in developing a data protection strategy that aligns with the business needs before implementations are conducted.

  3. Working with surrogate data. Studies have revealed that 60% to 70% of processes do not need to work with sensitive data.  Rather, surrogate data can be used. Introducing changes to existing processes and requesting business owners to work with surrogate data can be challenging. But working with format-preserving tokens generated by a tokenization solution like nuBridges Protect Token Manager can mitigate this situation

What kind of challenges do you encounter?

In my next blog, we’ll look at technology challenges.

Until next time,

Abir

Posted at 05:22 PM in Data security, Encryption and key management, tokenization | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , ,

| |

August 03, 2010

If only the bad guys would listen to the FBI too!

Gary Palgon
Vice President, Product Management
nuBridges

Data security is about protecting sensitive information. Whether it’s credit cardholder data, personally identifiable information (PII), protected health information (PHI) or intellectual property. Or any other sensitive or business-critical data.

When I read the recent Bloomberg Businessweek article entitled, “FBI rings organizers over Defcon contest”, I just had to laugh. Why? The article referred to a live contest (where contestants called 30 U.S. companies from a soundproof booth to glean data) that raised some hackles at the FBI’s Cyber Division. This was a contest. With rules! No sensitive data – no passwords, Social Security numbers and so on.

The FBI jumped on it and said that this was considered social engineering and is illegal.  While I agree that it is and should be illegal, the “bad guys” that we have to deal with on a daily basis - whether external hackers or internal employees, contractor or business partners - don’t play by these rules. 

We need to secure our environments so that when the social engineering does take place, there is no damage from it – no leakage of sensitive information or documents. Short of testing companies using social engineering, we better make sure the bad guys know not to do it too. Anyone know who won the contest?

Best wishes,

Gary

Posted at 12:16 PM in Data security, PHI, PII | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

| |

May 04, 2010

Data harvesting has a whole new meaning. And it’s not pretty!

Kyle Parris
Director of Product Management
nuBridges

Download-data When I was taking Marketing 101 in college, we learned all about the strategic value of data harvesting. By harvesting data – demographics, buying patterns, and the like – we would be able to learn about prospects; customer likes and dislikes; and what messages would best resonate with our targeted audiences. And all of this data was gleaned from public sources, one-on-one interviews, surveys or focus groups and so on. Consumer privacy was not breached under this definition of data harvesting.

The times, they are a changin’.

Today cybercriminals are seeing tremendous value in harvesting data, but we’re not talking about the same old type of data to which my professor was referring. We’re talking about payment card data, financial information, health care records, Social Security numbers and any other personally identifiable information that can be easily snatched in transit and sold on a thriving black market. 

A recent report from SpiderLabs – Global Security Report 2010 – found that cyber attackers “. . . have devised methods to obtain data  . . .  often harvesting data in transit.” How do we neutralize these threats? Yet keep the critical data that drives the world’s businesses flowing? 

Best practice calls for data encryption of all sensitive, regulated and business-critical information – whether it’s at rest in a database or application or in transit.  For data in transit, there’s a new generation of managed file transfer solutions that just may bring back that old definition of data harvesting! For the good of the consumer.

I’d like to hear what your business is doing to protect sensitive data while it’s in transit within and outside your organization.

Until next time,

Kyle

Posted at 03:30 PM in Data security, Managed File Transfer, nuBridges, PII | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

| |

April 30, 2010

Universal tokenization standards

Gary Palgon
Vice President, Product Management
nuBridges

The debate is over. It’s time to collaborate!

The value of tokenization is indisputable. We’re seeing, for example, that tokenization is helping a global online retailer reduce its PCI DSS audit scope by more than 90%, with like cost and resource savings!  Tokenization isn’t just for the big guys. Even medium-sized retailers are reducing the complexity and costs associated with PCI DSS – thanks to tokenization.

Token-png Tokenization is also bringing tremendous value to organizations in other industries as well – particularly hospitality, financial services and health care. Any organization that wants to meet best practice in risk management can greatly benefit from tokenization. Not just tokenization of credit cards, but any personally identifiable information (PII) or protected health information (PHI). And that’s everything from data included in employment records to medical files to insurance claims and so on. Can you think of any organization that doesn’t store or transmit one of these types of information? I can’t.

That’s the good news. The not-so-good news is that as the value of tokenization is recognized, the race is on to develop tokenization wannabes and even home-grown versions. Are these tokenization solutions being tested against any standards? No.

According to John Pescatore, vice president at Gartner, since standards aren’t in place for tokenization (as they are for encryption), there is nothing against which to compare it to ensure it’s done correctly. And Ramon Krikken, also an analyst at Gartner, had a great deal to say on this topic at the recent RSA Conference. For example, he called for a standards group similar to the PCI SSC to lead the effort.

And at the recent Electronic Transactions Association (ETA) Conference, Paul Garcia, chairman, president and CEO of Global Payments, called for the ETA to create a committee to explore tokenization standards.

So it seems we all agree that we need a tokenization standard, but we need to make sure that it is a universal standard that extends across geographic , corporate, industry and data boundaries.  But it already appears that we’re following the pattern of many standards before whereby there are “multiple, competing standards” (yes, the oxymoron) and lots of wasted time and energy working towards a winner.

  • The Accredited Standards Committee X9 is has begun working on a standard to define tokenization requirements related to credit card data in the financial services industry. 
  • The Hospitality Technology Next Generation Payments Workgroup just issued a tokenization standard for credit card data for use within the hospitality industry.  They use the term DataProxy for a token and require it to be MOD-10 compliant.
  • The Payment Industry Security Standards Council’s (PCI SSC) Scoping Special Interest Group (SIG) is working on definitions and the application of tokens as it relates to the PCI Data Security Standard (DSS). 

So we’re off and running in the direction of standards, multiple ones just as history has taught us.  Though we need to join together now to establish them for not only credit card data, but also look towards the future to address other data, globally, such as PII.  That’s why we proposed a Tokenization Standards Organization at last month’s RSA Conference.  We’re calling on all vendors in this space to collaborate (yes, competitors do collaborate!) to develop a set of global specifications on tokenization.

I encourage you to share your thoughts on how best to get a universal tokenization standard accepted around the globe. You can comment below or contact me at gpalgon@nubridges.com.

For a secure, tokenized world,

Gary

Posted at 04:04 PM in Data security, nuBridges, tokenization | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , , ,

| |

March 29, 2010

UK Data Protection Act (DPA) – New Penalties Go Into Effect April 6th

Gary Palgon
Vice President, Product Management
nuBridges

I’m writing to you from the banks of the Thames River, where data controllers are on high alert. Why? It’s countdown time to April 6th.

April-2010-120 April 6th is the date when the Information Commissioners’ Office (ICO), the UK’s privacy watchdog, will have the power to fine organizations up to 500,000 pounds ($744K US) – up from 5,000 pounds previously – for serious data leaks or losses. What’s more, the ICO will be able to audit government departments suspected of having poor data security controls. There’s fear among data controllers that the ICO’s audit powers will soon extend to the private sector.

Indeed, in the introduction to the ICO’s Code of Practice for Assessment Notices, Information Commissioner Christopher Graham wrote: “The scope of our extended powers is at the moment relatively modest, as they only apply to government departments. However, moving forward it is entirely reasonable to expect that, where the evidence supports it, I will seek to extend my powers to undertake compulsory audits in both the public and private sectors.”

In meeting with our UK customers this week, we found a great deal of discussion about how the upcoming elections may have a direct effect on the state of data protection. Many opined that if the conservatives win the next election, the ICO’s powers will become even more punitive. Data protection a political issue? Yes indeed.

We plan to follow this situation carefully and will report any news to you in this blog.

Off to Gatwick!
Gary

Posted at 10:23 AM in Data security | | Comments (0) | TrackBack (0)

| |

March 25, 2010

Hotels Achieve Unwanted Status as #1 Cybercrime Target

Gary Palgon
Vice President, Product Management
nuBridges

Credit-Card-blog We in the data protection industry are almost becoming immune to data breach alerts involving retailers and financial institutions. The alerts are not only frequent but expected. But when a recent alert from The Wall Street Journal flashed across my desktop “. . . Hotels are #1 Sector for Credit Card Data Breaches”, I must admit I was caught a bit off guard. I knew data breach incidents were growing in the overall hospitality industry, but #1?

The WSJ article relied on findings from a SpiderLabs report, which found that 38% of its data breach investigations in 2009 occurred at hotels, followed by 19% in the financial services industry. Perhaps a more astounding finding was that it took an average of 156 days for hotels to realize that a breach had occurred!

Upon reflection, there’s little doubt that hotels are particularly vulnerable to today’s savvy cybercriminal. Consider the number of payment channels used by hotels – mail order, telephone, card-present, web. And consider the number of reasons a merchant needs to store cardholder data for guests’ convenience -- recurring payments, loyalty programs and charge-backs – to name just a few examples. If the cardholder data is not protected via encryption within all applications and databases, data breaches will continue to occur at an alarming rate.

Were you also caught off guard by this news? I’d like to know your thoughts.

Look forward to hearing from you,

Gary

Posted at 09:21 AM in Data security, Encryption and key management, nuBridges, PCI DSS | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

| |

February 26, 2010

Call centers and PCI DSS compliance. Let the purging begin!

Gary Palgon
Vice President, Product Management
nuBridges

Yes, indeed. Just six weeks into the year, and the Payment Card Industry Security Standards Council  (PCI SSC) has issued three clarifications regarding the storage of cardholder data on digital audio recordings. Now the PCI SSC has formally clarified that storing payment card data in digital call records is forbidden. 

Color-call-center-small The issue is recordings that include card security codes –CAV2, CVC2, CVV2 or CID codes by the payment card brands. On January 22 the PCI SSC issued a revised FAQ on call center recordings.

Digital audio recordings have always been in PCI DSS scope, but if they weren’t searchable you could still store the security codes.  But don’t just rely on that because they have already changed that policy since then.  Evan Schuman reported in StorefrontBackTalk on February 18th that they added the phrase, “if that data can be queried;” however, there is still confusion as to what that actually means.

So, what does this mean for your call center? You need to purge all your existing digital voice recordings of security codes, discontinue storing these codes on all new recordings and encrypt any recordings that maintain the PAN.

As always, keep checking back with the PCI SSC web site for updates. Are you finding this easy or difficult to accomplish and why?


Until next time,

Gary

Posted at 11:31 AM in Data security, PCI DSS | | Comments (2) | TrackBack (0)

Technorati Tags: , , ,

| |

February 16, 2010

Don’t forget about scanned images for PCI DSS compliance

Gary Palgon
Vice President, Product Management
nuBridges

The Payment Card Industry’s Security Standards Council issued a clarification about audio recordings on January 22, 2010 noting that card validation codes and values must not be stored under usual circumstances to be considered PCI DSS compliant.  PANs in the recording, of course, must be encrypted following the current standards as well.

  • Much like audio recordings, scanned images that contain the PAN and card validation codes must be addressed as well.
  • Requirement 3.3 specifically states that “displays of PAN (for example, on screen, on paper receipts) … are masked when displayed ...”
  • Requirement 9.6 notes: “Physically secure all paper and electronic media that contain cardholder data.”
  • Like the audio recordings, track data should not be stored based on Requirement 3.2 : “Do not store sensitive authentication data after authorization (even if encrypted).”
  • Images containing credit cards will need to be encrypted as required by Requirement 3.4: “Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs).”

Don’t be caught off guard as you make your way though a PCI DSS compliance audit – trace all input sources of credit cards and follow the card “information supply chain” to make sure you’ve addressed all occurrences of this sensitive data.

Are there any other areas of input that you’ve seen frequently missed during audits?


Regards,
Gary


PS... If you have not already registered, I am co-presenter for live webinar being held February 24, 2010 at 2pm EST.  Brian Grafsgaard of QBS and I will discuss "Applying PCI Best Practices to Protect PII"  Click here to register:  https://www1.gotomeeting.com/register/314351497 

Posted at 08:41 AM in Data security, Encryption and key management, nuBridges, PCI DSS, PII | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

| |

Next »

Recent Posts

Recent Comments

Categories

Archives

More...

Subscribe to this blog's feed

About

nuBridges Web sites

Twitter Updates

    follow me on Twitter