Encryption and key management

August 30, 2010

Data security projects can be challenging if not managed appropriately

Abir Thakurta, CISSP
Senior Director, Worldwide Pre-Sales & Professional Services
nuBridges

Digital-universe During one of my recent customer conversations, I was asked what challenges customers typically experience in implementing data security. In our experience we find customers run into two types of challenges: process challenges and technology challenges. Here are some of the more common process challenges.

  1. Knowing your sensitive information footprint within the enterprise. Many organizations do not have a data classification program or know where their sensitive information resides. Absence of a holistic picture results in islands of data protection that can be challenging to manage and standardize. It also increases the cost of ongoing compliance and management of these solutions. To mitigate this situation, nuBridges Professional Services teams ensure that a sensitive information footprint is generated so an appropriate data protection strategy can be defined.

  2. Defining a data protection strategy. Traditionally, organizations have viewed security as network or perimeter security. With the proliferation of internal breaches, organizations are beginning to understand the need to protect data at the source.

    However, tactical fixes like encrypting data in one database without developing an enterprise data protection strategy can cause issues in the long run. To mitigate this situation, nuBridges Professional Services teams help in developing a data protection strategy that aligns with the business needs before implementations are conducted.

  3. Working with surrogate data. Studies have revealed that 60% to 70% of processes do not need to work with sensitive data.  Rather, surrogate data can be used. Introducing changes to existing processes and requesting business owners to work with surrogate data can be challenging. But working with format-preserving tokens generated by a tokenization solution like nuBridges Protect Token Manager can mitigate this situation

What kind of challenges do you encounter?

In my next blog, we’ll look at technology challenges.

Until next time,

Abir

Posted at 05:22 PM in Data security, Encryption and key management, tokenization | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , ,

| |

March 25, 2010

Hotels Achieve Unwanted Status as #1 Cybercrime Target

Gary Palgon
Vice President, Product Management
nuBridges

Credit-Card-blog We in the data protection industry are almost becoming immune to data breach alerts involving retailers and financial institutions. The alerts are not only frequent but expected. But when a recent alert from The Wall Street Journal flashed across my desktop “. . . Hotels are #1 Sector for Credit Card Data Breaches”, I must admit I was caught a bit off guard. I knew data breach incidents were growing in the overall hospitality industry, but #1?

The WSJ article relied on findings from a SpiderLabs report, which found that 38% of its data breach investigations in 2009 occurred at hotels, followed by 19% in the financial services industry. Perhaps a more astounding finding was that it took an average of 156 days for hotels to realize that a breach had occurred!

Upon reflection, there’s little doubt that hotels are particularly vulnerable to today’s savvy cybercriminal. Consider the number of payment channels used by hotels – mail order, telephone, card-present, web. And consider the number of reasons a merchant needs to store cardholder data for guests’ convenience -- recurring payments, loyalty programs and charge-backs – to name just a few examples. If the cardholder data is not protected via encryption within all applications and databases, data breaches will continue to occur at an alarming rate.

Were you also caught off guard by this news? I’d like to know your thoughts.

Look forward to hearing from you,

Gary

Posted at 09:21 AM in Data security, Encryption and key management, nuBridges, PCI DSS | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

| |

February 16, 2010

Don’t forget about scanned images for PCI DSS compliance

Gary Palgon
Vice President, Product Management
nuBridges

The Payment Card Industry’s Security Standards Council issued a clarification about audio recordings on January 22, 2010 noting that card validation codes and values must not be stored under usual circumstances to be considered PCI DSS compliant.  PANs in the recording, of course, must be encrypted following the current standards as well.

  • Much like audio recordings, scanned images that contain the PAN and card validation codes must be addressed as well.
  • Requirement 3.3 specifically states that “displays of PAN (for example, on screen, on paper receipts) … are masked when displayed ...”
  • Requirement 9.6 notes: “Physically secure all paper and electronic media that contain cardholder data.”
  • Like the audio recordings, track data should not be stored based on Requirement 3.2 : “Do not store sensitive authentication data after authorization (even if encrypted).”
  • Images containing credit cards will need to be encrypted as required by Requirement 3.4: “Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs).”

Don’t be caught off guard as you make your way though a PCI DSS compliance audit – trace all input sources of credit cards and follow the card “information supply chain” to make sure you’ve addressed all occurrences of this sensitive data.

Are there any other areas of input that you’ve seen frequently missed during audits?


Regards,
Gary


PS... If you have not already registered, I am co-presenter for live webinar being held February 24, 2010 at 2pm EST.  Brian Grafsgaard of QBS and I will discuss "Applying PCI Best Practices to Protect PII"  Click here to register:  https://www1.gotomeeting.com/register/314351497 

Posted at 08:41 AM in Data security, Encryption and key management, nuBridges, PCI DSS, PII | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

| |

November 11, 2009

Annual Atlanta ISSA Conference Update

First International ISSA Conference to be Held in Atlanta in 2010

Gary Palgon
Vice President, Product Management
nuBridges

The Metro Atlanta ISSA hosted its 5th annual information security conference on Veteran’s Day, November 11th, with the theme of "Magnify Your Security." It was great to see they took time out in the opening session to recognize the dozen or so Veterans among the attendees. Thanks to all of you have served and do serve our country!

It was formally announced that Atlanta will host the first international ISSA conference on September 15-17, 2010. This is great news for the ISSA community as well as for Atlanta, which has historically been the home for many security startups -- Internet Security Systems (now IBM ISS); SPIDynamics (now HP), PureWire (now Barracuda Networks), CipherTrust (now SecureComputing) and many more.

Also of interest at the annual Atlanta ISSA meeting was a presentation by Kevin Campbell of PriceWaterhouseCoopers, covering PWC’s Global State of Information Security Survey.  Lots of great and timely information about spending and security breaches.  Kevin summarized the executives’ views in the coming year as focused on looking at and placing their highest expectations on initiatives that:

  • Protect data
  • Address the big risks first
  • Pull this portfolio of multi-year investments together (strategy)
  • Reduce cost and increase efficiency
  • Prepare for a wave of new regulations (e.g. State Breach Notification Laws)

To the last point, he noted that because of the effect of the economic downturn, regulations are on the rise – led perhaps by a new wave of privacy laws.

Until next time,
Gary

nuBridges

 

Posted at 03:45 PM in Data security, Encryption and key management, nuBridges | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

| |

April 23, 2009

The true value of data protection is to ‘let the good guys in!’

Abir Thakurta
Senior Director, Professional Services
nuBridges

With data protection as one of the key challenges facing enterprises around the world, and the need to comply with critical mandates like the PCI-DSS, encryption has become a de-facto strategic weapon in organizations’ data protection arsenals.

Encryption is a great way to protect data -- but it comes with some limitations. Limitations that pose real-world problems in implementing encryption technologies.

The three big barriers to implementation of traditional encryption technologies are:

  1. Format preservation and data integrity of sensitive information when it is processed or analyzed by various business intelligence and analysis tools.
  2. Application or database modifications to accommodate cipher text changes to the sensitive information.
  3. Performance penalties with cryptography processes and algorithms that perform encryption.
    But data protection is not just about encryption technology. And it is not just about keeping the bad guys out (and sometimes the good guys too!).  The true value of data protection is its ability to ‘let the good guys in.’  This helps create a balance of appropriate data security and business continuity so enterprises can run their business while protecting their sensitive, business-critical and regulated data. 

Tokenization as a concept is simple yet powerful. How can we replace sensitive information with a surrogate token? A token that does not compromise the actual data, yet allows enterprises to go about doing their business with the applications that work with that sensitive information?

The key to tokenization is to produce a surrogate token that has a 1:1 relationship with the sensitive information. Not only for data integrity but also to ensure that no mathematical relationship exists that would be subject to dictionary or mathematical attacks. So if the token is ever accessed by a malicious user, it cannot be traced back to the original sensitive information. This, of course, requires a secure data vault where the relationships are stored, the sensitive information is protected and appropriate controls are exercised for limited access to users who can actually reveal a token.

Now think about a technology that can generate format-preserving tokens (so a 16 digit AMEX number still looks like one but isn’t one) and insert them in place of the sensitive data, then encrypts the original data and stores the cipher text in a central data vault.  This allows applications to work with the information and process it, eliminates cipher text instances throughout the enterprise (thereby de-scoping applications from PCI-DSS-type compliance requirements) and prevents malicious users from doing something with the data if they get their hands on it.

At the end, combining encryption with tokenization is a powerful data protection solution for many enterprises.  And as proven with many nuBridges’ enterprise implementations, working with a technology that supports encryption plus Format Preserving Tokenization provides unequalled data protection.

Let me know if you want to discuss more on how this technology works and how it can be implemented in your enterprise!

Look forward to hearing from you,

Abir

Posted at 12:09 PM in Data security, Encryption and key management, PCI DSS | | Comments (1) | TrackBack (0)

| |

December 30, 2008

Situation: New Year’s Party 2008 – “Now tell me what you do again”

Gary Palgon

Vice President, Product Management

nuBridges

Being in the software industry for more than 18 years, I’ve rarely been successful at explaining what I do to family and friends. They know I do something with computers but it stops there. They have no idea what B2B, MFT, ERP, SCM, or any of the other TLAs (three letter acronyms) that I refer to means.

But that’s all changing now. I’ve figured it all out. A good friend of mine, Robert, who is in the same industry as me told me years ago that he “just wanted a job where when he said it, everyone knew what it was.” Like a painter. Or an electrician. Or a mail delivery person. Or President of the United States.

With nuBridges being The Secure eBusiness Authority, it’s real obvious that we deal with security and eBusiness, with the latter explained as electronic business within a company or with business partners. However, given the onslaught over the last four years of data breaches involving credit card information and other personally identifiable information (PII ) – see there’s a TLA again – everyone knows that credit card numbers must be protected by retailers and other companies.

So, since nuBridges Protect solutions do secure credit card information for numerous major retailers worldwide, in 2009 my explanation of what I do will be greatly simplified and widely understood. Though I’m starting in 2008. When I’m at a New Year’s Party on December 31st, 2008, and someone asks me what I do, I’m going to simply say, “My company secures credit card information so it does not get stolen.” Simple, yet understandable.

And then I’ll go on to tell them that we deal with business-to-business data security, helping companies secure data at rest, and in transit, within the company’s four walls as well as with their business partners – up and down the supply chain! Now, tell me what YOU do again!

Happy New Year!

Gary

Posted at 12:09 PM in Encryption and key management, nuBridges, PCI DSS | | Comments (0) | TrackBack (0)

| |

August 14, 2008

Cybercrooks and the Olympics. Think before you click.

Kim Addington
Chief Marketing Officer
nuBridges

Cybercrooks and spammers are having a field day during the Olympics. According to BBC News, the volume of junk email messages with an Olympic theme spiked prior to the opening ceremony. These messages try to trick people into visiting fake sites or opening booby-trapped attachments. The games these crooks and hackers play– phishing, spam, malware and data hijacking -- don’t have any rules.

News reports of the past week have spotlighted a number of instances where malicious cybercrooks are luring unsuspecting Internet users to click on compromised Web sites and handing over their personal information. There has even been a campaign that used emails crafted to look like they had been written by the International Olympic Committee.  Think before you click!

Even with millions of dollars spent by Olympic games organizers on building a robust and secure IT infrastructure, athletes, fans, officials and foreign visitors can remain vulnerable to data loss and theft.  Thousands of handheld devices and laptop computers are traveling with the athletes, fans, games officials and foreign visitors – subject to theft or loss. Any sensitive data stored without robust data protection software is fair game to these cybercrooks. There will always be hackers and spammers and they’ll always grasp opportunities like the Olympics to do their mischief, so it’s up to the individuals and businesses that transmit or store sensitive data to make absolutely certain that it’s protected.  One winning way to guarantee that protection is through encryption of the sensitive data right at its source.

Do you have an example of Olympic-related data loss? We’d love to hear about it.


Talk soon,

Kim

Posted at 03:38 PM in Encryption and key management | | Comments (1) | TrackBack (0)

| |

Recent Posts

Recent Comments

Categories

Archives

More...

Subscribe to this blog's feed

About

nuBridges Web sites

Twitter Updates

    follow me on Twitter