Data security

June 19, 2009

Report from the ISSA-UK Chapter Meeting

Gary Palgon
Vice President, Product Management
nuBridges

The ISSA-UK Chapter meeting was held last Thursday evening at the London offices of KPMG and attended by about 60 information security professionals.  There were three speakers covering an update from the Information Commissioner Office, the legal aspects of data security and how to reduce the scope of PCI DSS compliance using tokenization - the last one given by yours truly.


The topic was well received and much discussion with the group covered how tokenization applies to other data beyond credit card information and the industries that are a great fit for it – including health care, state and local government (e.g. law enforcement), hospitality, etc.

What was interesting about the other two talks is that the Information Commissioner’s Office noted that they have lots of laws and procedures to protect data but a limited ability to fine organizations for non-compliance, while the solicitor (lawyer for you and me) covered the power of both civil and criminal prosecution for breach of the very same laws.  The recommendation from both was to protect the data though!

I’m on vacation next week, spending my 13th year as a counselor to kids with cancer at Camp Sunshine.  Have a great week and go protect your data!

Gary

May 28, 2009

How much would you pay for your own company and consumer data?

Gary Palgon
Vice President, Product Management
nuBridges

Gone are the days when hackers broke into companies as a challenge to themselves to prove they can do it.  More fashionable in recent years has been to steal credit card and other personally identifiable information (PII) so that it could be resold on the black-market.  And now for the next wave, stealing the data so that it can be resold or ransomed back to the rightful owners!
As Dan Kaplan of SC Magazine reported on May 5th, “Hackers seek payment after break-in on state health care site.” Cyber-thieves did just that, demanding $10 million to return patient data to Virginia’s Department of Health.

This isn’t the first time it’s happened and surely it won’t be the last. 

I can think of a couple of solutions to solve it – take out insurance in case it happens (assuming someone’s willing to write you a policy) or follow the suggestion of the Payment Card Industry’s Data Security Standard (PCI DSS) and many regulatory laws like the State Breach Notification laws which suggest rendering the data useless if it ends up in the wrong hands.  In other words, get rid of it if you don’t need it, encrypt it if you do, or hash or tokenize it if you don’t need the original values all of the time but can work with “surrogate data.”

Do you have other suggestions?

April 28, 2009

“Aha” moments at COMMON 2009!

Kyle Parris
Director of Product Management
nuBridges

From time to time COMMON 2009 conference attendees swing by the nuBridges booth just to “get their passport stamped” or to grab a goodie.  They politely suffer through me probing them a little about their business, before I tell them what nuBridges has to offer.

I’d say around six times out of 10 they say “oh, we don’t need to protect our data,” or “we don’t store sensitive data,” or “we only have two people who can access the important stuff,” or (my favorite) “we handle access control and hashing ourselves.” 

The best part of user group conferences like COMMON is seeing people’s faces light up the moment they realize: “Wow. . . maybe I do need to protect my data with a product like this!” “I thought it was way too complicated – too costly.” Those “aha” moments are becoming more frequent. And that’s a good thing. Because the employees, customers and other stakeholders who entrust these companies with their personally identifiable information (social security numbers, credit card data, etc.) assume that data protection measures are in place. At all times, whether that sensitive data is being used for a transaction or stored for analysis at a later time.

What we’re finding at this year’s conference is that many of these COMMON patrons leave with a new appreciation for data protection, and hopefully have nuBridges on their mind when they raise these issues back at the office. Some even get excited about the “kudos” they’re expecting to receive by bringing this important topic to the attention of their superiors. 

Would love to hear about your “aha” moments at COMMON 2009!

Greetings from Reno,

Kyle

April 24, 2009

As I travel, so does all my personally identifiable information!

Gary Palgon
Vice President, Product Management
nuBridges
 
I check out of my hotel early this Friday morning and am now on an airplane headed home from the RSA Conference 2009.  It was nice that I could simply leave the hotel without checking out since they are going to simply just charge the bill to my credit card.  I’m hoping that my credit card number has been stored at the hotel in an encrypted state since I gave it to them on Monday.

When I checked in at the airport, I used a credit card at the airline kiosk to print my e-ticket.  They didn’t charge anything but they did use it to verify that I was who I said I was and compared my name on the ticket to my name on the credit card.  Do you suppose the airline is storing my name and credit card in an encrypted state?  I wonder how the airline verified that I’m not on the “no fly list” from the U.S. Federal government – did they send it clear ‘over the wire’ or do they have a secure pipe to transport my data?

As I was getting on the plane, they scanned my boarding card and I saw my seat number and name show up on the display screen – just great, the guy behind me knows not only where I’m sitting (no big deal) but also my name – which he doesn’t need to know.

Thinking ahead, I’m going to go through the same routine over the next couple of weeks – airlines, hotels, restaurants and stores on two continents.  I’m hopeful that everyone will take care in protecting not only my credit card data, but also my personal information.  Realistically though, the world has a long way to go before we get there!

Next stop London! Where I’ll be talking to you from Infosecurity Europe 2009.

Cheerio,

 Gary

April 23, 2009

The true value of data protection is to ‘let the good guys in!’

Abir Thakurta
Senior Director, Professional Services
nuBridges

With data protection as one of the key challenges facing enterprises around the world, and the need to comply with critical mandates like the PCI-DSS, encryption has become a de-facto strategic weapon in organizations’ data protection arsenals.

Encryption is a great way to protect data -- but it comes with some limitations. Limitations that pose real-world problems in implementing encryption technologies.

The three big barriers to implementation of traditional encryption technologies are:

  1. Format preservation and data integrity of sensitive information when it is processed or analyzed by various business intelligence and analysis tools.
  2. Application or database modifications to accommodate cipher text changes to the sensitive information.
  3. Performance penalties with cryptography processes and algorithms that perform encryption.

But data protection is not just about encryption technology. And it is not just about keeping the bad guys out (and sometimes the good guys too!).  The true value of data protection is its ability to ‘let the good guys in.’  This helps create a balance of appropriate data security and business continuity so enterprises can run their business while protecting their sensitive, business-critical and regulated data. 

Tokenization as a concept is simple yet powerful. How can we replace sensitive information with a surrogate token? A token that does not compromise the actual data, yet allows enterprises to go about doing their business with the applications that work with that sensitive information?

The key to tokenization is to produce a surrogate token that has a 1:1 relationship with the sensitive information. Not only for data integrity but also to ensure that no mathematical relationship exists that would be subject to dictionary or mathematical attacks. So if the token is ever accessed by a malicious user, it cannot be traced back to the original sensitive information. This, of course, requires a secure data vault where the relationships are stored, the sensitive information is protected and appropriate controls are exercised for limited access to users who can actually reveal a token.

Now think about a technology that can generate format-preserving tokens (so a 16 digit AMEX number still looks like one but isn’t one) and insert them in place of the sensitive data, then encrypts the original data and stores the cipher text in a central data vault.  This allows applications to work with the information and process it, eliminates cipher text instances throughout the enterprise (thereby de-scoping applications from PCI-DSS-type compliance requirements) and prevents malicious users from doing something with the data if they get their hands on it.
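To make the two preceding paragraphs concrete (a 1:1 token-to-value mapping with no mathematical relationship, format-preserving tokens, and a vault that only authorized principals can reveal from), here is an added illustration. It is not nuBridges code; the in-memory vault, the `payments-svc` principal name and the rule that tokens must fail the Luhn check are assumptions for the example, and encryption of the stored original is left out.

```python
import secrets
from typing import Dict, Set

def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used to validate card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Constructed in-memory vault holding the token <-> value mapping.
    A production vault would encrypt the stored original and persist the
    mapping in a database; both are omitted here (assumption)."""

    def __init__(self, authorized: Set[str]):
        self._by_value: Dict[str, str] = {}
        self._by_token: Dict[str, str] = {}
        self._authorized = set(authorized)

    def tokenize(self, value: str) -> str:
        if not value.isdigit():
            raise ValueError("expected a digit string")
        # 1:1 relationship: the same value always maps to the same token
        if value in self._by_value:
            return self._by_value[value]
        while True:
            # Random digits of the same length: format-preserving, and no
            # mathematical relationship to the original exists to attack
            token = "".join(secrets.choice("0123456789") for _ in range(len(value)))
            # Reject collisions with existing tokens or stored values, and
            # reject anything passing Luhn so the token "looks like a card
            # number but isn't one" (assumed design choice for this example)
            if token in self._by_token or token in self._by_value or luhn_valid(token):
                continue
            self._by_value[value] = token
            self._by_token[token] = value
            return token

    def detokenize(self, token: str, principal: str) -> str:
        """Reveal the original only for principals allowed to do so."""
        if principal not in self._authorized:
            raise PermissionError(f"{principal} may not reveal tokens")
        return self._by_token[token]
```

Applications that only need to match or store the value keep working with the token; only the component named in `authorized` can ever turn it back into the original.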

At the end, combining encryption with tokenization is a powerful data protection solution for many enterprises.  And as proven with many nuBridges’ enterprise implementations, working with a technology that supports encryption plus Format Preserving Tokenization provides unequalled data protection.

Let me know if you want to discuss more on how this technology works and how it can be implemented in your enterprise!

Look forward to hearing from you,

Abir

April 22, 2009

We’re Movin’ On Up: Day 1 at RSA Conference 2009

While many people have noted that attendance is slightly down at the RSA Conference 2009, it definitely should be noted that the trend of the conference is all about security moving on up the stack.  “Out” is the view of security only at the network and operating system (OS) layers. And “in” are the layers above - with the realization that applications must be secured as well. 

Security needs to be built into applications and they must be monitored to ensure that they are not being attacked or being used by individuals without proper authority.  That means securing the data itself (something nuBridges does a great job of)!

Is your company’s security moving on up?

Gotta get back to the exhibit hall but if you have a chance, check out our nuBridges Protect Token Manager product launch and coverage in the press at: http://nubridges.com/presscenter/.

Until tomorrow,

Gary

March 12, 2009

Conversations about data security abound! From Austin to Minneapolis. From a flourishing retailer to a respected former Minnesota Senator.

Abir Thakurta
Senior Director, Professional Services
nuBridges

Earlier this week some nuBridges’ colleagues and I flew from Austin, Texas to Minneapolis, Minnesota.   Within a matter of four hours we had gone from the hot ‘temperate’ zone where it was 87° F to a frozen (-6 °F) ‘tundra’ zone (as put forward by one of my esteemed colleagues).  With obvious apologies to the Minnesotans who were going about their daily life with no chagrin, driving in the snow storm was a spine-chilling experience. However, it was not any more dispiriting than the local evening news carrying the story of a data security breach involving former Minnesota Senator Norm Coleman.

Turns out that personal information on approximately 51,000 supporters and donors of Coleman’s was breached because the campaign Web site was not properly secured. Seems the former Senator’s campaign collected detailed information on every supporter and Web site visitor and retained unencrypted credit card information from donors, including their security codes, on the campaign's Web site. All that sensitive information was stored in a database file sitting in a directory exposed as plain text. Coleman's legal counsel cited a federal crime had been committed. Personally identifiable information and credit card numbers had been compromised. Needless to say, the senator’s supporters and donors are not happy.

A lot of political bickering and finger pointing is going on regarding this data security breach. But the underlying issue around data security is universal. Data security is increasingly becoming the topic of a majority of security conversations. But data security is also becoming the topic of conversation in the general public; for example, a fellow hotel guest of mine in Minneapolis was not very happy with the news because she had donated to Coleman’s campaign. Not just mandate-impacted businesses or security pundits, but individuals and consumers are also realizing the need for data security and they’re demanding it.

If sensitive data is compromised in today’s world, businesses will pay a much heavier price than the cost of investing in data protection strategies. Yes, we have indeed gone beyond data security for compliance and moved to data security for good corporate citizenship. Very soon the ‘it can’t happen to us’ mentality will also transform into ‘let’s get better at keeping our data secure.’

As an advocate for data security, I couldn’t feel more positive -- I may have experienced a drastic change in climate in four hours. But the commitment to invest in data security was the same whether in hot Austin or cold Minneapolis. The flourishing retailer in Austin is thinking about it; the booming home shopping cataloger in Minneapolis is figuring out how to implement it; the respected former Minnesota Senator is experiencing the aftermath of not thinking about it.

Data security can’t be ignored . . . and very soon our fellow citizens will mandate it . . .

What are you doing about this issue? I’d love to hear from you.

Thanks for reading,

Abir

March 11, 2009

Journal from the InfoSec World Conference and Expo 2009

Gary Palgon
Vice President, Product Management
nuBridges

If the variety of topics and interactive dialog around information security at InfoSec World is an indicator of need for companies and organizations to get better, then there’s plenty of room for growth.  While many companies seem to be making progress, most are just embarking upon implementing best practices in security and often are just assessing the risk of different threats within their company.

One presentation of interest included “Taming the Beast(s): Securing Major Enterprise Applications” by Rich Mogull, which discussed how security must be considered throughout the entire software development lifecycle as well as the differences in addressing security in enterprise applications, application servers and legacy solutions.  Data de-identification and data masking in the test environment and security options in Oracle and SAP were also discussed.

And Whitfield Diffie, a pioneer in public key encryption, spoke about where we are headed in security.  He reflected on past milestones including initial cryptography, the advent of computer processors for calculations and the problem of encryption key management, the latter in which he’s heavily involved.

As Diffie looks forward, the security of cloud computing is of concern, along with the privacy issues that go with it.  He wonders, for example, if I offload information to a 3rd party, how can we ensure they don’t have full access to that information?  And if they do, who has access to it? All valid concerns and no doubt coming from his background in public key encryption brought forward!
Here’s my picture with him!


Until next time,

Gary
