June 19, 2009

Report from the ISSA-UK Chapter Meeting

Gary Palgon
Vice President, Product Management
nuBridges

The ISSA-UK Chapter meeting was held last Thursday evening at the London offices of KPMG and attended by about 60 information security professionals.  There were three speakers covering an update from the Information Commissioner Office, the legal aspects of data security and how to reduce the scope of PCI DSS compliance using tokenization - the last one given by yours truly.

The topic was well received and much discussion with the group covered how tokenization applies to other data beyond credit card information and the industries that are a great fit for it – including health care, state and local government (e.g. law enforcement), hospitality, etc.

What was interesting about the other two talks is that the Information Commissioner’s Office noted that they have lots of laws and procedures to protect data but a limited ability to fine organizations for non-compliance, while the solicitor (lawyer for you and me) covered the power of both civil and criminal prosecution for breach of the very same laws.  The recommendation from both was to protect the data though!

I’m on vacation next week, spending my 13th year as a counselor to kids with cancer at Camp Sunshine.  Have a great week and go protect your data!

Gary

June 18, 2009

Subway strikes don’t stop PCI projects from moving forward!

Gary Palgon
Vice President, Product Management
nuBridges

London’s a great city and the London Underground subway - the “Tube” - makes it so easy to get around – except when the Tube workers decide to go on strike. That’s exactly what happened last week - Tuesday through Thursday night.  Expecting the worst in attendee turnout for the Corporate IT Forum's Information Security Service’s PCI DSS Conference on Wednesday, it was hardly that – the venue was packed with lots of business and information security professionals with a thirst to network and learn how to comply with the Payment Card Industry’s Data Security Standard (PCI DSS).

The following were key discussion points at the TIF Conference:

  • There are inconsistencies between Qualified Security Assessors (QSAs) and individual QSAs; often companies and the enterprises they have been helping are left with little knowledge about where they are in the compliance process. 
  • There’s a conflict of interest with some QSA firms because they are conducting the security review, performing the audit, and offering remediation software and hardware for compliance.
  • Tap into your own employee talent pool to assist with security requirements – they are often glad to help, can apply their skills and will take an interest in your project.
  • Use PCI DSS compliance as a way to get money for known security holes in your organization.
  • Security best practices meet PCI DSS requirements, but the reverse is not true.
  • Compensating Controls must be reviewed annually as of the October 2008 update of the PCI DSS (Version 1.2).  Just because you passed last year doesn’t mean you’ll pass this year.
  • Open source is a valid way to help comply with the PCI DSS; however, consider the scalability and customer support for the products since they may not be right for your enterprise.


And a few personal observations based on the discussions:

  • PCI DSS compliance is not “one-size fits all” – network with your peers inside and outside of your industry and compare how others have addressed like solutions.
  • There are multiple ways to “reduce scope”, including network segmentation and tokenization – it’s important to consider how each can help your organization.
  • Collaboration and continued communication between QSAs, security consultants (different from a QSA), and solution vendors can help set a clear path and yield success with compliance.
  • Compliance doesn’t equal security – to stay ahead of the bad guys you must also consider areas where the PCI DSS falls short – e.g. data in transit within the enterprise.
  • It all boils down to risk in the end – how much risk is your organization willing to take with their customers’ credit cards and other personally identifiable information (PII)? Do you really want to be famous for a breach?

Just before I got on the plane to leave London I read the headline on the local newspaper, “We’ll go on strike again next week if we have to.”  Great city but they may have to take a lesson from the US when we up and fired the air traffic controllers when they went on strike!

Until next time… Gary

May 28, 2009

How much would you pay for your own company and consumer data?

Gary Palgon
Vice President, Product Management
nuBridges

Gone are the days when hackers broke into companies as a challenge to themselves to prove they can do it.  More fashionable in recent years has been to steal credit card and other personally identifiable information (PII) so that it could be resold on the black market.  And now for the next wave: stealing the data so that it can be resold or ransomed back to the rightful owners!

As Dan Kaplan of SC Magazine reported on May 5th, “Hackers seek payment after break-in on state health care site.” Cyber-thieves did just that, demanding $10 million to return patient data to Virginia’s Department of Health.

This isn’t the first time it’s happened and surely it won’t be the last. 

I can think of a couple of solutions to solve it – take out insurance in case it happens (assuming someone’s willing to write you a policy) or follow the suggestion of the Payment Card Industry’s Data Security Standard (PCI DSS) and many regulatory laws like the State Breach Notification laws which suggest rendering the data useless if it ends up in the wrong hands.  In other words, get rid of it if you don’t need it, encrypt it if you do, or hash or tokenize it if you don’t need the original values all of the time but can work with “surrogate data.”

Do you have other suggestions?

May 07, 2009

Token Manager Product Launch Continues

Gary Palgon
Vice President, Product Management
nuBridges

Global Campaign Makes Stop at ISSA UK

The whirlwind global launch of nuBridges Protect™ Token Manager didn’t slow down after InfoSec.  It just moved around the European continent!

More meetings with the three “P”s  -  press, partners and prospects (I would have mentioned analysts, but it didn’t start with a “p”), all wanting to know how format-preserving tokenization not only significantly reduces the scope of PCI DSS compliance, but also protects personally identifiable information such as social security numbers and National Insurance Numbers, and business-critical information such as customer lists, financial statements, payroll data and so on.

A little fun was had over the weekend in Brussels and Bruges and then back to work in Amsterdam for a day, three cities and two countries where I had not traveled.  What a wonderful invention the train was – and so fast now, clocking in at 186 mph on the Nuvi GPS navigator.

As I sit in the airport waiting for my plane to leave (yet again), I’m looking at the pictures from last night’s Information Systems Security Association – United Kingdom (ISSAUK) annual black tie dinner.  It was held at Armourers’ Hall (Armourers & Brasiers), a building much older than America and containing armor and weapons dating back to the 1500s, again much older than America (I say this twice because I was often reminded of this point:-)).  

There was much discussion from all angles of information technology with the realization (and several speakers noting) that companies and government organizations must take responsibility in caring for sensitive information.  Richard Stanes, the former president of ISSA UK (who lives in Kentucky now) and Sir Edmund Burton, formerly of the British Army and current Chairman of the Information Assurance Advisory Council (IAAC) spoke.

Bobby Conway (right), nuBridges’ EMEA Regional
Sales Manager and I at Armourers’ Hall, London, UK.

Time to board – until next time from the comfort of my office - which I haven’t seen for several weeks …

Cheers,

Gary 

April 29, 2009

Across many borders and time zones. Greetings from InfoSecurity Europe 2009!

I send you greetings from the UK.  At least I think that’s where I am!  With just 24 hours at home between the RSA Conference in San Francisco and InfoSecurity Europe in London, I’m not sure what time zone I’m in --  PST, EST, GMT!  All kidding aside, yesterday’s InfoSecurity Europe 2009 kickoff was great.  Whilst (that’s how they say it here) the conference is not as big as RSA, there’s a lot more glitz and glamour in the exhibition hall  -  game shows, in-booth bars and any number of costumed people to get folks to stop by their booths.

I presented “How to Reduce the Scope of PCI DSS Audits by Tokenising Payment Card Data”, with a special focus on trans-border privacy (that’s privacy with the “i” as in “if”, not “eye”)!

Given there are many more privacy laws in Europe about sending consumer or employee data across country borders, even within the same company, the use of tokens rather than encrypted sensitive data is another great advantage for the use of a tokenization (or tokenisation) solution. Passing tokens instead of production data for testing, also called data masking, would make life easier for many IT and security people.

Do you have examples where tokenization will help you with privacy or data protection mandates?

More to follow in the coming days.

Cheers,
Gary

April 28, 2009

“Aha” moments at COMMON 2009!

Kyle Parris
Director of Product Management
nuBridges

From time to time COMMON 2009 conference attendees swing by the nuBridges booth just to “get their passport stamped” or to grab a goodie.  They politely suffer through me probing them a little about their business, before I tell them what nuBridges has to offer.

I’d say around six times out of 10 they say “oh, we don’t need to protect our data,” or “we don’t store sensitive data,” or “we only have two people who can access the important stuff,” or (my favorite) “we handle access control and hashing ourselves.” 

The best part of user group conferences like COMMON is seeing people’s faces light up the moment they realize: “Wow. . . maybe I do need to protect my data with a product like this!” “I thought it was way too complicated – too costly.” Those “aha” moments are becoming more frequent. And that’s a good thing. Because the employees, customers and other stakeholders who entrust these companies with their personally identifiable information (social security numbers, credit card data, etc.) assume that data protection measures are in place at all times, whether that sensitive data is being used for a transaction or stored for analysis at a later time.

What we’re finding at this year’s conference is that many of these COMMON patrons leave with a new appreciation for data protection, and hopefully have nuBridges on their mind when they raise these issues back at the office. Some even get excited about the “kudos” they’re expecting to receive by bringing this important topic to the attention of their superiors. 

Would love to hear about your “aha” moments at COMMON 2009!

Greetings from Reno,

Kyle

April 24, 2009

As I travel, so does all my personally identifiable information!

Gary Palgon
Vice President, Product Management
nuBridges
 
I check out of my hotel early this Friday morning and am now on an airplane headed home from the RSA Conference 2009.  It was nice that I could simply leave the hotel without checking out since they are going to simply just charge the bill to my credit card.  I’m hoping that my credit card number has been stored at the hotel in an encrypted state since I gave it to them on Monday.

When I checked in at the airport, I used a credit card at the airline kiosk to print my e-ticket.  They didn’t charge anything but they did use it to verify that I was who I said I was and compared my name on the ticket to my name on the credit card.  Do you suppose the airline is storing my name and credit card in an encrypted state?  I wonder how the airline verified that I’m not on the “no fly list” from the U.S. Federal government – did they send it clear ‘over the wire’ or do they have a secure pipe to transport my data?

As I was getting on the plane, they scanned my boarding card and I saw my seat number and name show up on the display screen – just great, the guy behind me knows not only where I’m sitting (no big deal) but also my name – which he doesn’t need to know.

Thinking ahead, I’m going to go through the same routine over the next couple of weeks – airlines, hotels, restaurants and stores on two continents.  I’m hopeful that everyone will take care in protecting not only my credit card data, but also my personal information.  Realistically though, the world has a long way to go before we get there!

Next stop London! Where I’ll be talking to you from Infosecurity Europe 2009.

Cheerio,

 Gary

April 23, 2009

The true value of data protection is to ‘let the good guys in!’

Abir Thakurta
Senior Director, Professional Services
nuBridges

With data protection as one of the key challenges facing enterprises around the world, and the need to comply with critical mandates like the PCI-DSS, encryption has become a de-facto strategic weapon in organizations’ data protection arsenals.

Encryption is a great way to protect data -- but it comes with some limitations, limitations that pose real-world problems in implementing encryption technologies.

The three big barriers to implementation of traditional encryption technologies are:

  1. Format preservation and data integrity of sensitive information when it is processed or analyzed by various business intelligence and analysis tools.
  2. Application or database modifications to accommodate cipher text changes to the sensitive information.
  3. Performance penalties with cryptography processes and algorithms that perform encryption.

But data protection is not just about encryption technology. And it is not just about keeping the bad guys out (and sometimes the good guys too!).  The true value of data protection is its ability to ‘let the good guys in.’  This helps create a balance of appropriate data security and business continuity so enterprises can run their business while protecting their sensitive, business-critical and regulated data.

Tokenization as a concept is simple yet powerful. How can we replace sensitive information with a surrogate token? A token that does not compromise the actual data, yet allows enterprises to go about doing their business with the applications that work with that sensitive information?

The key to tokenization is to produce a surrogate token that has a 1:1 relationship with the sensitive information. Not only for data integrity but also to ensure that no mathematical relationship exists that would be subject to dictionary or mathematical attacks. So if the token is ever accessed by a malicious user, it cannot be traced back to the original sensitive information. This, of course, requires a secure data vault where the relationships are stored, the sensitive information is protected and appropriate controls are exercised for limited access to users who can actually reveal a token.

Now think about a technology that can generate format-preserving tokens (so a 16 digit AMEX number still looks like one but isn’t one), insert them in place of the sensitive data, then encrypt the original data and store the cipher text in a central data vault.  This allows applications to work with the information and process it, eliminates cipher text instances throughout the enterprise (thereby de-scoping applications from PCI-DSS-type compliance requirements) and prevents malicious users from doing something with the data if they get their hands on it.
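As an added illustration of the vault just described (hypothetical code written for this post, not the nuBridges product), here is a toy tokenization vault in Python: the token is random and has no mathematical relationship to the card number, the same number always maps to the same token (the 1:1 relationship), the original is kept only as cipher text inside the vault, and only an assumed “settlement” role may reveal a token. Keeping the last four digits and forcing tokens to fail the Luhn check are design choices assumed here, not taken from the page, and the HMAC-based cipher stands in for the AES a real vault would use.

```python
import hashlib, hmac, secrets

def luhn_ok(digits: str) -> bool:
    # Luhn checksum that real card numbers satisfy
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    """Toy vault: random format-preserving tokens mapped 1:1 to encrypted originals."""
    REVEAL_ROLES = {"settlement"}   # assumed: the only role allowed to detokenize

    def __init__(self, key: bytes):
        self._key = key
        self._records = {}   # token -> (nonce, ciphertext, tag)
        self._index = {}     # HMAC(PAN) -> token; no plaintext PAN kept in the index

    def _mac(self, *parts: bytes) -> bytes:
        return hmac.new(self._key, b"|".join(parts), hashlib.sha256).digest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("PAN must be 12-19 digits")
        fp = self._mac(b"idx", pan.encode())
        if fp in self._index:                  # 1:1: same PAN always gets the same token
            return self._index[fp]
        while True:
            # Random digits unrelated to the PAN; same length, last four kept (assumed design)
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject anything that could pass as a live card number or is already issued.
            if token != pan and not luhn_ok(token) and token not in self._records:
                break
        # Stand-in cipher: HMAC-SHA256 keystream plus a tag over nonce and ciphertext
        # (a production vault would use AES); PAN <= 19 bytes fits the 32-byte stream.
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ s for p, s in zip(pan.encode(), self._mac(b"enc", nonce)))
        self._records[token] = (nonce, ct, self._mac(b"tag", nonce, ct))
        self._index[fp] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        if role not in self.REVEAL_ROLES:
            raise PermissionError(f"role {role!r} may not reveal tokens")
        nonce, ct, tag = self._records[token]
        if not hmac.compare_digest(tag, self._mac(b"tag", nonce, ct)):
            raise ValueError("vault record tampered with")
        return bytes(c ^ s for c, s in zip(ct, self._mac(b"enc", nonce))).decode()
```

Applications outside the vault only ever see the token, which is what takes them out of scope; the keyed index lets repeat customers reuse their token without the vault holding a plaintext lookup table of card numbers.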

In the end, combining encryption with tokenization is a powerful data protection solution for many enterprises.  And as proven with many nuBridges’ enterprise implementations, working with a technology that supports encryption plus Format Preserving Tokenization provides unequalled data protection.

Let me know if you want to discuss more on how this technology works and how it can be implemented in your enterprise!

Look forward to hearing from you,

Abir
