Annual Atlanta ISSA Conference Update

First International ISSA Conference to be Held in Atlanta in 2010

Gary Palgon
Vice President, Product Management
nuBridges

The Metro Atlanta ISSA hosted its 5th annual information security conference on Veteran’s Day, November 11th, with the theme of "Magnify Your Security." It was great to see they took time out in the opening session to recognize the dozen or so Veterans among the attendees. Thanks to all of you have served and do serve our country!

It was formally announced that Atlanta will host the first international ISSA conference on September 15-17, 2010. This is great news for the ISSA community as well as for Atlanta, which has historically been the home for many security startups -- Internet Security Systems (now IBM ISS); SPIDynamics (now HP), PureWire (now Barracuda Networks), CipherTrust (now SecureComputing) and many more.

Also of interest at the annual Atlanta ISSA meeting was a presentation by Kevin Campbell of PriceWaterhouseCoopers, covering PWC’s Global State of Information Security Survey.  Lots of great and timely information about spending and security breaches.  Kevin summarized the executives’ views in the coming year as focused on looking at and placing their highest expectations on initiatives that:

• Protect data
• Address the big risks first
• Pull this portfolio of multi-year investments together (strategy)
• Reduce cost and increase efficiency
• Prepare for a wave of new regulations (e.g. State Breach Notification Laws)

To the last point, he noted that because of the effect of the economic downturn, regulations are on the rise – led perhaps by a new wave of privacy laws.

Until next time,
Gary

 

Enterprises Work Smarter, Faster with New Generation of MFT

Kyle Parris
Director of Product Management
nuBridges

In my blog last week, I promised that I’d share some specific, real-world examples of how enterprises are benefitting from the new generation of Managed File Transfer (MFT) solutions. And I will. But first I want to share some insights we’ve gained from speaking with a number of organizations recently.

We’ve learned that MFT solutions are significantly improving and streamlining the way these enterprises are exchanging critical information inside and outside their organization.  Several enterprises noted that they’re now able to more quickly and “intelligently” respond to business events and market conditions, helping them make smarter, faster decisions. We’ve also learned that top line and bottom line results are being positively impacted by improved order-to-fulfillment processes; reduced charge-backs and returns; and improved invoice-to-cash cycles.

As promised, here are a few real-world examples that illustrate how these benefits translate into business value:

• A regional hospital system is improving revenue cycle management by eliminating billing errors, creating clean claims and streamlining billing operations across its network.
• A multi-national pharmaceutical company is sharing clinical studies to speed up the FDA-approval process, providing faster product-to-market cycles and generating revenue faster.
• With its MFT solution, a large fulfillment operation is reducing inventory discrepancies, reducing costs associated with picking errors, improving invoice payment cycles and ensuring optimal distribution of manufactured products.
• A global computer retailer is driving efficiency in its customer order-to-fulfillment processes by effectively responding to bottlenecks through notifications that drive action and inform customers about order delays. In this case, a best-in-class MFT solution is helping the retailer drive more efficiency through real-time measuring and monitoring activities.
• One of the world’s largest retailers is exchanging purchase orders, invoices and other business-critical documents with more than 15,000 global suppliers to reduce the order-to-cash cycle.

Care to share how MFT helped your bottom line? We’d love to hear from you.

Until next week,

Kyle

PS... To help enterprises analyze the solutions that are currently available, nuBridges presents a discussion of the key best practices that define enterprise-class Managed File Transfer solutions.  Request a copy of the White Paper, "Best Practices in Managed File Transfer Solutions" today. 

Savvy Enterprises See MFT as a Strategic Requirement

Kyle Parris
Director of Product Management
nuBridges

We’re seeing Managed File Transfer (MFT) solutions being embraced by savvy global enterprises that recognize the business value of investing in what is increasingly being viewed as an infrastructure requirement. Today’s extended enterprise needs to share information internally across departments, divisions and acquisitions. It also needs to share information externally with customers, suppliers, business partners and with online collaborative communities.

These enterprises are telling us that the new generation of MFT solutions is providing numerous benefits on both sides of the business partner equation – supply and demand. For example, MFT is providing them with an opportunity to speed business cycles, improve responsiveness to market conditions and remove barriers to doing business electronically on a global scale.

Let’s look at some specific benefits:

• Real-time business partner collaboration and business application integration
• System-to-system and person-to-person file transfers
• Visibility into all file transfers
• Integration of critical back-end business applications with file transfers
• Best practices in governance, risk management and compliance
• Real-time issue/problem detection, resulting in speedy resolutions and avoidance of supply chain disruptions
• Timely decision making, reporting and analytics

We’d really like to hear about the benefits your enterprise is reaping from MFT.

You’ll want to read next week’s nuBlog, where we’ll tell you about several real-world examples of how extended enterprises are translating these benefits into bottom-line business results.

Until next week,

Kyle

More about Why Enterprises are Investing in a New Generation of Managed File Transfer

Kyle Parris
Director of Product Management
nuBridges

We received a number of emails in response to last week’s blog. Thanks to all of you who responded. Having said that, we’d really like you to use the comment feature of nuBlog, so all of our readers can share in your insights!

Your emails pointed out several other challenges that you’re facing with current file transfer solutions. Challenges that you’re asking the MFT vendors you’re considering to address. Let’s take a look at these:

“We’re looking for a strategic partner; a partner that can bring new functionality to the MFT solution as we grow. In fact, as we research vendors, we see the strategic partnership relationship every bit as important as the software itself.”

“Managing our trading community is a headache. Is there an MFT solution that could help us push partner provisioning out to the community?”

“The IT folks that handle our company’s file transfers have been turned into de facto shipping and receiving clerks, spending lots of time each day manually processing files for delivery. Constantly checking on file deliveries. Help!”

Thanks for your emails. Next week we’ll move away from the challenges and discuss how best-in-class MFT solutions can solve your file transfer headaches.

Until next week,

Kyle

Why are enterprises investing in a new generation of managed file transfer?

Kyle Parris
Director of Product Management
nuBridges

The answers to this question can be as varied as the global enterprises that are investing in managed file transfer (MFT) solutions.  But what we’ve found over the last six months in researching the market and speaking with dozens of global enterprises that are planning to replace a jumble of file transfer solutions with MFT, is that the answers can be grouped into three broad categories:

√   “We’ve outgrown our current solution(s).” In asking for specific examples, we found a number of trends:

• We are starting to move too many files, or files are becoming too large to transfer quickly, reliably and securely
• As our business expands, we need to collaborate with more business partners; each requesting a different protocol, or encryption method
• Our current solution doesn’t track or monitor file movements, so it doesn’t help at audit time
• We need scheduled, event-triggered and ad hoc file transfer capabilities that our point solution just doesn’t offer
• We have multiple platforms, but our current solution only supports <enter your favorite platform here>
• We need to integrate ERP applications into our file transfer solution, but our current solution doesn’t handle this

√  “The costs of managing and supporting multiple file transfer applications are staggering.”  Common themes were that enterprises are incurring major costs due to:

• Keeping the administrative and support teams trained on multiple solutions
• Lack of economies of scale in licensing and maintenance costs
• File transfer workflow inefficiencies resulting in wasted time, expense and errors associated with manual file transfers

√ “The risks associated with lack of control over file transfers keeps me up at night.” What we learned is that enterprises are equally concerned about data breaches, non-compliance with applicable regulations and laws and loss of critical business documents.

All three seem to be top of mind with the folks we’ve been talking with recently.

How about you? Are you considering a move to the new generation in managed file transfer? If so, please let our readers know what’s driving your decision making.

Until next week,

Kyle

PCI SSC Community Meeting 2009: “The Feedback Year”

Gary Palgon
Vice President, Product Management
nuBridges

Onsite in Las Vegas – The Payment Card Industry’s Security Standards Council (PCI SSC) is on a 24-month cycle of reviewing and editing the PCI Data Security Standard (PCI DSS).  Version 1.2 was issued in October 2008 and the next major release is expected around the same time in 2010.  While last years’ theme seemed to be around “Compliance does not equal security” and “Network Segmentation”, this year’s theme was very much about submitting feedback on the current standard and reviewing new technologies for reducing the scope (and burden) for initial and ongoing PCI DSS compliance.

Pricewaterhouse Coopers (PwC) was contracted by the PCI SSC to “look at technologies out there that have the potential to reduce scope for PCI DSS” and PwC presented their preliminary findings at the meeting this week.  They interviewed more than 160 individuals from 125 companies across 10 countries and evaluated 12 technologies. They narrowed their focus down to four, which they drilled into to understand the impact of implementation and affect in reducing scope of the PCI DSS audit: end-to-end encryption, magnetic stripe imaging, tokenization and virtual terminals. The report will be forthcoming; however, it serves as “feedback” to the PCI SSC as they review the standard and recommendations in the coming year(s).

As funny as it sounds, one “aha!” from the meeting was “What is considered cardholder data?”  Believe it or not there was no easy answer.  The Scoping Special Interest Group (SIG) will take that under review in the coming year. 

And finally, the annual meeting is a time where many people express the difficulty in understanding, implementing and changing the standards.  Much of that was put into perspective when former Congressman Tom Davis explained how the U.S. government works to create laws!  He was the co-author of the Federal Information Security Management Act (FISMA), so standards are near and dear to his heart.  I have to remind myself when I submit questions to the PCI SSC and months go by without an answer that it could be worse – I could be in politics!

Until next time,

Gary

Conference Season’s Upon Us: First up PCI SSC Community Meeting

Gary Palgon
Vice President, Product Management
nuBridges

While you can attend a conference any week or weekend throughout the year, most of us can’t afford the time away from the office, even when we’re on the vendor side of the business equation like I am.  And given summer is a time when many people travel, it turns out that March through June and September through December are prime times for the “conference tours.”  Surely not as glorious as a “band tour,” but exciting nonetheless.  For me it’s an opportunity to meet customers, prospects, business partners and other people I’ve connected with during the year who I may have or have never met.  And for them, the same – an opportunity to put a face with the name.

First up is the Payment Card Industry’s Security Standards Council (PCI SSC) Community Meeting which will be held September 22nd - 24th in Las Vegas.  This is the third one, with the previous ones having been held in Toronto and Orlando.  The surroundings will surely be better than the prior cities (no offense to them – heck, I have to visit them during other conferences in the coming months too) and I would expect a bigger crowd than ever as each year it has grown since it started in 2007.

There’s always some interesting topics, discussions and debates (and this year we’ll add gambling to that).  Last year there was a focus on the quality of Qualified Security Auditors (QSAs) and network segmentation while this year all indications are there will be lots of discussion about virtualization, PCI scope, tokenization, end-to-end encryption, and chip and pin.

If you’re planning on being there, drop me an email at gpalgon AT nubridges DOT com.  I’d love to meet or catch up with you.

Gary

130 Million Credit Cards Stolen?

Gary Palgon
Vice President, Product Management
nuBridges

That just may be the tip of the iceberg as the details of this latest cybercrime unravel.

On Tuesday, Albert Gonzalez and two others were indicted on charges of stealing more than 130 million payment card numbers, the largest hacking and identity theft case ever prosecuted in the U.S. Ironically, he is accused of breaching several retailer’s networks, which were already compliant with the Payment Card Industry’s Data Security Standard (PCI DSS) – a set of comprehensive requirements put into place in 2006 by American Express, MasterCard, Visa and other credit card companies to force businesses to better protect credit and debit card information from thefts like those committed by Gonzalez and other hackers over the years. Then, yesterday, Radisson reported that some of the computers at several hotels were breached between November 2008 and May 2009, possibly exposing guest information and credit card numbers.

This is BIG, but it’s only the latest in a long series of avoidable data breaches. Cybercriminals are opportunists. They steal information from wherever it’s easiest to reach. In the last couple of years they’ve methodically climbed the technology stack. In this case, Gonzalez and his band of global thieves started at the top breaching the web application interface and then went deep down to gather the internal credit card data in transit, the latter a problem that has yet to be enforced by the PCI DSS as a requirement.

Regardless of all of the ways that criminals get into systems to access data, the only sure method of protecting it is to actually ensure that the data is always encrypted, whether at rest or in transit.  And there are methods to do this including encryption, key management and tokenization which you’ve probably read in articles that I’ve published recently or presented.  http://www.nubridges.com/presscenter/articles-2009.php

Until next time,
Gary