nuBLOG

Data security projects can be challenging if not managed appropriately

nuBridges Blog — Mon, 30 Aug 2010 17:22:44 -0400

Abir Thakurta, CISSP
Senior Director, Worldwide Pre-Sales & Professional Services
nuBridges

During one of my recent customer conversations, I was asked what challenges customers typically experience in implementing data security. In our experience we find customers run into two types of challenges: process challenges and technology challenges. Here are some of the more common process challenges.

Knowing your sensitive information footprint within the enterprise. Many organizations do not have a data classification program or know where their sensitive information resides. Absence of a holistic picture results in islands of data protection that can be challenging to manage and standardize. It also increases the cost of ongoing compliance and management of these solutions. To mitigate this situation, nuBridges Professional Services teams ensure that a sensitive information footprint is generated so an appropriate data protection strategy can be defined.
Defining a data protection strategy. Traditionally, organizations have viewed security as network or perimeter security. With the proliferation of internal breaches, organizations are beginning to understand the need to protect data at the source.

However, tactical fixes like encrypting data in one database without developing an enterprise data protection strategy can cause issues in the long run. To mitigate this situation, nuBridges Professional Services teams help in developing a data protection strategy that aligns with the business needs before implementations are conducted.
Working with surrogate data. Studies have revealed that 60% to 70% of processes do not need to work with sensitive data. Rather, surrogate data can be used. Introducing changes to existing processes and requesting business owners to work with surrogate data can be challenging. But working with format-preserving tokens generated by a tokenization solution like nuBridges Protect Token Manager can mitigate this situation

What kind of challenges do you encounter?

In my next blog, we’ll look at technology challenges.

Until next time,

Abir

PCI-DSS and PA-DSS Maturing, But More Needs to Be Done

nuBridges Blog — Thu, 12 Aug 2010 14:52:16 -0400

Gary Palgon, CISSP
Vice President, Product Management
nuBridges

The PCI Security Standards Council (PCI SSC) has just released highlights of expected changes to be introduced with the long-awaited 2.0 versions of the PCI DSS and PA-DSS coming out later this year. In doing so, the Council is helping to quench the thirst for information among the merchant and service provider community so that it can more easily align security programs and offerings with the updated standards. nuBridges commends the PCI SSC for its efforts and transparency in this process.

However, while the upcoming changes will help to clarify many compliancy requirements, there still needs to be more specific guidance around key emerging technologies - particularly encryption and tokenization - to help companies further enhance security and reduce the scope of PCI audits. As the lead chair for the PCI SSC Scoping Special Interest Group’s Tokenization Working Group, I am helping drive efforts to ensure that guidance on these important security technologies will be forthcoming. Just as the industry’s needs with regard to protecting enterprise data are evolving rapidly, such guiding standards need to be put into place more quickly, as well.

One critical area hindering industry-wide standards adoption lies with the card brands themselves, as some continue to issue their own, independent standards for PCI compliance instead of conforming exclusively to PCI SSC-derived standards. Having a universal, singular standards set is paramount for easing compliancy requirements and reducing complexity for merchants and service providers alike.

Overall, the industry is heading in the right direction, as the soon-to-be-released 2.0 versions of PCI DSS and PA-DSS demonstrate, but a more cooperative, aggressive approach is required for ensuring enterprise security standards in a timely manner.

Until next time,

Gary

If only the bad guys would listen to the FBI too!

nuBridges Blog — Tue, 03 Aug 2010 12:16:20 -0400

Gary Palgon
Vice President, Product Management
nuBridges

Data security is about protecting sensitive information. Whether it’s credit cardholder data, personally identifiable information (PII), protected health information (PHI) or intellectual property. Or any other sensitive or business-critical data.

When I read the recent Bloomberg Businessweek article entitled, “FBI rings organizers over Defcon contest”, I just had to laugh. Why? The article referred to a live contest (where contestants called 30 U.S. companies from a soundproof booth to glean data) that raised some hackles at the FBI’s Cyber Division. This was a contest. With rules! No sensitive data – no passwords, Social Security numbers and so on.

The FBI jumped on it and said that this was considered social engineering and is illegal. While I agree that it is and should be illegal, the “bad guys” that we have to deal with on a daily basis - whether external hackers or internal employees, contractor or business partners - don’t play by these rules.

We need to secure our environments so that when the social engineering does take place, there is no damage from it – no leakage of sensitive information or documents. Short of testing companies using social engineering, we better make sure the bad guys know not to do it too. Anyone know who won the contest?

Best wishes,

Gary

MFT. Lessons Learned from the Tortoise and the Hare.

nuBridges Blog — Fri, 14 May 2010 13:00:57 -0400

Kyle Parris
Director of Product Management
nuBridges

Despite my best efforts to remain a casual jogger, I find myself getting up earlier and earlier, running further and further. I have now become … dare I say it … “a runner.” And I’m a regular on the “race circuit.”

I’ve learned an invaluable lesson on the circuit, one that even businesses can apply. I quickly learned that my early childhood teachers weren’t being entirely forthcoming when they shared Aesop’s fable of The Tortoise and the Hare.

We all know the fable, right? During the race, the Hare becomes complacent; stops off for a nap and some nourishment, maybe another nap; then is beaten by the “slow and steady Tortoise.” Well, there must be more to the story…

Have you ever tried to win a race running slowly and steadily? It doesn’t work. You have to imagine that during the next race, the Hare learned his lesson and wasn’t complacent again. In the next race, he went faster the WHOLE time and he beat the Tortoise. Now imagine that Hare is a big hulking beast of a rabbit. He can run fast -- even with a load on his back. But what if there are spectators along the course who are not fans of the Hare and attack him the whole time? Well now the Hare can pick up the Tortoise (shell & all) and carry him on his back.

Fast… strong… secure… THAT is how you win the race every time.

Is your MFT solution fast, strong and secure enough to beat your competition?

Now you know THE REST of the story.

Kyle

Data harvesting has a whole new meaning. And it’s not pretty!

nuBridges Blog — Tue, 04 May 2010 15:30:23 -0400

Kyle Parris
Director of Product Management
nuBridges

When I was taking Marketing 101 in college, we learned all about the strategic value of data harvesting. By harvesting data – demographics, buying patterns, and the like – we would be able to learn about prospects; customer likes and dislikes; and what messages would best resonate with our targeted audiences. And all of this data was gleaned from public sources, one-on-one interviews, surveys or focus groups and so on. Consumer privacy was not breached under this definition of data harvesting.

The times, they are a changin’.

Today cybercriminals are seeing tremendous value in harvesting data, but we’re not talking about the same old type of data to which my professor was referring. We’re talking about payment card data, financial information, health care records, Social Security numbers and any other personally identifiable information that can be easily snatched in transit and sold on a thriving black market.

A recent report from SpiderLabs – Global Security Report 2010 – found that cyber attackers “. . . have devised methods to obtain data . . . often harvesting data in transit.” How do we neutralize these threats? Yet keep the critical data that drives the world’s businesses flowing?

Best practice calls for data encryption of all sensitive, regulated and business-critical information – whether it’s at rest in a database or application or in transit. For data in transit, there’s a new generation of managed file transfer solutions that just may bring back that old definition of data harvesting! For the good of the consumer.

I’d like to hear what your business is doing to protect sensitive data while it’s in transit within and outside your organization.

Until next time,

Kyle

Universal tokenization standards

nuBridges Blog — Fri, 30 Apr 2010 16:04:55 -0400

Gary Palgon
Vice President, Product Management
nuBridges

The debate is over. It’s time to collaborate!

The value of tokenization is indisputable. We’re seeing, for example, that tokenization is helping a global online retailer reduce its PCI DSS audit scope by more than 90%, with like cost and resource savings! Tokenization isn’t just for the big guys. Even medium-sized retailers are reducing the complexity and costs associated with PCI DSS – thanks to tokenization.

Tokenization is also bringing tremendous value to organizations in other industries as well – particularly hospitality, financial services and health care. Any organization that wants to meet best practice in risk management can greatly benefit from tokenization. Not just tokenization of credit cards, but any personally identifiable information (PII) or protected health information (PHI). And that’s everything from data included in employment records to medical files to insurance claims and so on. Can you think of any organization that doesn’t store or transmit one of these types of information? I can’t.

That’s the good news. The not-so-good news is that as the value of tokenization is recognized, the race is on to develop tokenization wannabes and even home-grown versions. Are these tokenization solutions being tested against any standards? No.

According to John Pescatore, vice president at Gartner, since standards aren’t in place for tokenization (as they are for encryption), there is nothing against which to compare it to ensure it’s done correctly. And Ramon Krikken, also an analyst at Gartner, had a great deal to say on this topic at the recent RSA Conference. For example, he called for a standards group similar to the PCI SSC to lead the effort.

And at the recent Electronic Transactions Association (ETA) Conference, Paul Garcia, chairman, president and CEO of Global Payments, called for the ETA to create a committee to explore tokenization standards.

So it seems we all agree that we need a tokenization standard, but we need to make sure that it is a universal standard that extends across geographic , corporate, industry and data boundaries. But it already appears that we’re following the pattern of many standards before whereby there are “multiple, competing standards” (yes, the oxymoron) and lots of wasted time and energy working towards a winner.

The Accredited Standards Committee X9 is has begun working on a standard to define tokenization requirements related to credit card data in the financial services industry.
The Hospitality Technology Next Generation Payments Workgroup just issued a tokenization standard for credit card data for use within the hospitality industry. They use the term DataProxy for a token and require it to be MOD-10 compliant.
The Payment Industry Security Standards Council’s (PCI SSC) Scoping Special Interest Group (SIG) is working on definitions and the application of tokens as it relates to the PCI Data Security Standard (DSS).

So we’re off and running in the direction of standards, multiple ones just as history has taught us. Though we need to join together now to establish them for not only credit card data, but also look towards the future to address other data, globally, such as PII. That’s why we proposed a Tokenization Standards Organization at last month’s RSA Conference. We’re calling on all vendors in this space to collaborate (yes, competitors do collaborate!) to develop a set of global specifications on tokenization.

I encourage you to share your thoughts on how best to get a universal tokenization standard accepted around the globe. You can comment below or contact me at gpalgon@nubridges.com.

For a secure, tokenized world,

Gary

UK Data Protection Act (DPA) – New Penalties Go Into Effect April 6th

nuBridges Blog — Mon, 29 Mar 2010 10:23:12 -0400

Gary Palgon
Vice President, Product Management
nuBridges

I’m writing to you from the banks of the Thames River, where data controllers are on high alert. Why? It’s countdown time to April 6th.

April 6th is the date when the Information Commissioners’ Office (ICO), the UK’s privacy watchdog, will have the power to fine organizations up to 500,000 pounds ($744K US) – up from 5,000 pounds previously – for serious data leaks or losses. What’s more, the ICO will be able to audit government departments suspected of having poor data security controls. There’s fear among data controllers that the ICO’s audit powers will soon extend to the private sector.

Indeed, in the introduction to the ICO’s Code of Practice for Assessment Notices, Information Commissioner Christopher Graham wrote: “The scope of our extended powers is at the moment relatively modest, as they only apply to government departments. However, moving forward it is entirely reasonable to expect that, where the evidence supports it, I will seek to extend my powers to undertake compulsory audits in both the public and private sectors.”

In meeting with our UK customers this week, we found a great deal of discussion about how the upcoming elections may have a direct effect on the state of data protection. Many opined that if the conservatives win the next election, the ICO’s powers will become even more punitive. Data protection a political issue? Yes indeed.

We plan to follow this situation carefully and will report any news to you in this blog.

Off to Gatwick!
Gary

How are Drug Manufacturers and Distributors Streamlining Controlled Substance Ordering Processes?

nuBridges Blog — Fri, 26 Mar 2010 10:31:15 -0400

Kyle Parris
Director of Product Management
nuBridges

While exhibiting at HDMA recently, we were heartened to learn that drug manufacturers and distributors are either embracing or planning to implement electronic controlled substance ordering systems (CSOS). Those that already have electronic CSOS in place are achieving cost savings of 90% over paper-based ordering.

Several small pharmaceutical manufacturers were chomping at the bit to move to an e222. Unfortunately for them, the ROI just isn’t there until the big three distributors go electronic too. Most seem to think that a new phase of adoption is 12 or even 16 months away! The smaller players would obviously like to be slightly ahead of that curve so that they can take advantage earlier rather than latear.

What do you think is causing the delayed adoption? The ROI is obvious and expeditious for many but there are other important benefits to an e222 system:

Most important, electronic orders can be received by a supplier almost instantly and shipped the same day – speeding medication to the people who need it
A single electronic order can include a mixture of Schedule I, II, III, IV and V controlled substances
A single electronic order can also include non-controlled substances, so you don’t have to place multiple orders with a supplier
Electronic orders don’t have the 10-item limit that the paper form imposed
No more filing cabinets storing two years of controlled substance orders – records can be maintained electronically
Unlike the rules for paper forms, electronic orders don’t need to be segregated from other records
No need to continually re-order paper forms from the DEA

Are you considering adopting an electronic CSOS?
If so, we’d like to hear from you.

Until next time,
Kyle