nuBLOG

What will DLP do when we live in a tokenized world? That’s today’s conundrum.

nuBridges Blog — Mon, 08 Feb 2010 14:38:05 -0500

Gary Palgon
Vice President, Product Management
nuBridges

Data Loss Protection or Data Leak Prevention (DLP) applications are often used to discover credit card and other personally identifiable information in enterprises. If you don’t know where sensitive data exists, how can you protect it?

Imagine this. Your company has migrated to a security model where tokens, or surrogate values, are spread throughout the enterprise instead of the actual values, say for actual credit cards. If the tokens are format-preserving and therefore resemble credit cards but are actually tokens, how will the DLP systems know that they are tokens and not sensitive data?

While the latest indications on the next PCI DSS standard will only have minor changes in it (see No major PCI DSS revision expected in 2010), Walt Conway pointed out in StorefrontBacktalk that there’s a real possibility that the PCI DSS standard may eventually will mandate automated cardholder data discovery.

We better get creative quickly to solve this one! Any ideas?
Until next time,

Gary

HITECH Act Enforcement and Heightened Regulation Begins February 18th

nuBridges Blog — Tue, 26 Jan 2010 13:52:21 -0500

Kyle Parris
Director of Product Management
nuBridges

By extending HIPAA (Health Insurance Portability and Accountability Act) rules for secure transfer of protected health information (PHI), the 2009 HITECH ( Health Information Technology for Economic and Clinical Health) Act mandates that health care providers enforce encryption and audit controls over all business processes involved with data transfers. The provisions with the most significant impact for health care organizations are the mandatory breach notification requirements, combined with a new, punitive enforcement scheme. The risks for penalties, fines, brand damage and loss of business are great. So, what does that mean when it comes to the risk to your health care organization? It means that your organization can be heavily fined for data breaches. And you, your employees and business partners are even subject to criminal penalties.

What’s your best option for ensuring that you, your employees and business associates are in compliance with the spirit and letter of HITECH? The simple answer is secure all PHI according to HHS (Health and Human Services) guidelines. Make certain that all electronic PHI is encrypted. For PHI that is in transit within or outside your organization that means employing a Managed File Transfer solution that meets best practices for data encryption.

Are you ready for February 18th?

Until next time,
Kyle

Conundrum – My company wants me to share more data and at the same time secure more data!

nuBridges Blog — Wed, 20 Jan 2010 08:34:45 -0500

Gary Palgon
Vice President, Product Management
nuBridges

CIOs everywhere are being told by the business that they need to share more data, both internally and with business partners. And then they are being told to secure more data to limit its use to only authorized users.

Retailers, like many other industries, have been battling this during the past few years as they strive to comply with the PCI Data Security Standard to protect credit card information but the battle is only getting more complex. Key to many organizations is their customer information, often part of loyalty and/or credit programs which require them to store for future use information considered to be personally identifiable information or PII.

In a recent article by Walt Conway about what he heard at last week’s National Retail Federation (NRF) conference, he noted “While in New York, I heard a lot of CIOs talk about balancing the pressure to open systems and databases to more internal users with the need to protect the data. This balancing act will get more interesting as the volume of customer data expands.” This is exactly the dilemma I hear all of the time.

And while that’s from a retail perspective, it’s no different in Healthcare. Look at the US Health Information Technology for Economic and Clinical Health Act (HITECH) which as part of the American Recovery and Reinvestment Act (ARRA) has a goal to implement electronic medical records (EMR), secure protected health information (PHI) and share patient data security through out the ‘medical supply chain’. Once again, the theme mirrors that above, share the electronic data but also secure it.

There are no silver bullet answers here, but it is important to take a strategic look at how PCI, PII and PHI is created, used, shared, archived and destroyed in order to properly ensure it is only used by authorized individuals, secure at all times and destroyed when it is no longer needed.

What are the challenges related to locking down data and sharing more data in your organization?

Until next time,

Gary

PS...Later this week, nuBridges is releasing a new White Paper, "The Power of Integrated Protection." This White Paper explores the emerging issues that are driving enterprises to seek an enterprise-class encryption, tokenization, key management and compliance solution to protect sensitive PCI, PII and PHI data. I am offering early access to my loyal blog readers. Click here to download the new White Paper, "The Power of Integrated Protection."

Will Federal Legislation Eliminate Complicated Data Breach Notification Legal Patchwork?

nuBridges Blog — Mon, 14 Dec 2009 11:14:10 -0500

Gary Palgon
Vice President, Product Management
nuBridges

We’ve had a close eye on D.C., as two retooled data breach notification bills have been wending their way through Congress. While we had our eye off the ball recently (guess we were lulled into thinking this newest round of legislation would go the way of the past several bills), on December 9th the House of Representatives passed, for the first time ever, a data breach notification bill. While that’s great news, we’re wondering that if the bill makes it through the Senate and becomes the law of the land, will it replace the patchwork of state laws – 45 as of today – that exist? Right now, breach alert mandates are handled at the state level. Will this legislation rationalize data protection legislation across the US? Doubtful, but more realistically it will provide a consistent baseline from which states, and companies looking to comply with data protection notification laws, can use as a starting point.

The Data Accountability and Trust Act (DATA) will indeed standardize data protection across the US at a Federal level. It requires companies, defined as data brokers, that hold sensitive personal information – everything from Social Security numbers to driver’s license numbers to credit card information -- to secure that data and provide notice to affected consumers that their data has been compromised. What’s more, the bill allows consumers to have access to files about them and request that errors be corrected.

The bill directs the Federal Trade Commission (FTC) to create rules for destroying obsolete non-electronic data in addition to requiring data brokers to submit their security policies to the FTC in conjunction with a security breach notification or on FTC request. If a breach does occur, the FTC is ordered to conduct a security audit of the data broker.

As with many state laws, the DATA has a safe harbor provision. According to the legislation, data encryption establishes a presumption that no reasonable risk of identity theft, fraud or other unlawful conduct exists following a data breach. Here’s the actual language of the legislation relating to data encryption:

“…Encryption – The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been, or is reasonably likely to be compromised…”

It’s not great news that it takes Federal legislation to push companies along to protect consumer data in the first place, but I’m hopeful that a Federal law will lead to making data protection easier for all of us – what do you think?

Best wishes for a happy holiday,
Gary

PS...nuBridges can help you take advantage of “safe harbors” and minimize the risk of a breach. nuBridges Protect™ is an integrated encryption, tokenization, key management and audit logging solution that is already proven in business-critical production environments – for example, it encrypts billions of credit card numbers every day around the world.

Retailers See an Encouraging Start to Holiday Shopping Season

nuBridges Blog — Thu, 10 Dec 2009 16:03:35 -0500

Kyle Parris
Director of Product Management
nuBridges

November 30th was the strongest Cyber Monday since the term was coined five years ago, matching the heaviest online spending day on record – December 9, 2008. And ShopperTrak reports that bricks-and-mortar retailers had a 1.6% increase in sales over last year during the Thanksgiving holiday weekend.

While we’re all keeping an eye on holiday sales (they are, after all, one indication of how our economy is or isn’t recovering from recent woes), many retailers are taking a longer view. Beyond just short-term revenue numbers to longer-term strategic goals of cutting costs, streamlining back-office operations and improving their brand. These savvy retailers are adopting a number of best-in-class technologies to make their strategic goals a reality. Among them – managed file transfer solutions (MFT).

Here are a handful of real-world examples of how retailers are reaping the rewards of MFT:

“We’ve eliminated any risk associated with the transfer of credit card data to our processer. And we’re now in compliance with the PCI DSS -- our latest audit was a piece of cake.”
“Previously two people had to spend more than six hours each per day manually transferring customer orders from our web site and telephone orders. Our business volume has grown, and so has our workload. With our new managed file transfer solution, it takes about five minutes a day. We’re spending more time selling, less time chasing down customer orders.”
“We use it to manage the exchange of electronic files between more than 1,000 retail outlets and our corporate order processing and accounting systems.”
“We’re now able to meet the file exchange requirements for our retailer network without having to change our business processes. Now we’re extending our MFT solution into our global supplier community.”
“MFT provides us with a simple, straightforward, secure file transfer solution, one that we put on auto-pilot to automatically transfer financial transactions between our back office applications in different banks on a daily basis.”

We’d love to hear how you’re retail business is doing this holiday season!

Happy holidays!

Kyle

Retailers are Gaining Business Value with MFT

nuBridges Blog — Fri, 04 Dec 2009 10:32:16 -0500

Kyle Parris
Director of Product Management
nuBridges

As retailers wait out the holiday shopping numbers, they’re continuing to enjoy lots of business value from their managed file transfer solutions. Retailers are early adopters of MFT for numerous reasons, but the top two are the need to:

Exchange exploding volumes of information – online catalogs, product images, price quotes, invoices and so forth; and
Comply (and prove compliance) with the Payment Card Industry Data Security Standard (PCI DSS)

The new generation of MFT solutions meets these challenges and many more. Other benefits that retailers tell us they’re reaping include:

Streamlined global order and fulfillment
Improved order-to-cash and days-sales-outstanding
Enhanced competitive sourcing capabilities
Improved demand forecasting
Eliminated order and invoice errors
Reduced costs and headaches associated with PCI DSS compliance
Met audit and governance requirements
Reduced transaction costs
Improved customer loyalty

Until next week,

Kyle

MFT Vendor Due Diligence is Complete. Software is Installed. What Benefits are You Reaping?

nuBridges Blog — Fri, 20 Nov 2009 11:42:41 -0500

Kyle Parris
Director of Product Management
nuBridges

Last week I talked about things to consider when looking for a Managed File Transfer solution. You have done your due diligence. You’ve chosen your vendor based on your business requirements. And all went swimmingly with implementation.

So, now you have a single solution, and it’s integrated with your internal systems and with all of your trading partners. You can send files of any type via any protocol from one centralized place.

Your data is secure. Whether or not the files you send contain sensitive data, they can be secured using whatever protocols your suppliers, customers or other business partners require. You can also prove they were secure when they were sent using industry and regulatory compliance standards in audit logging. In addition to secure protocols, your data is also secured by other means as it travels around your enterprise using best practices technologies on the back-end.

Though your data is safe, you can still do business quickly and easily; more quickly and with less effort than ever before. You have protected your data, and you have used the centralized console to administer a fine level of detail regarding who can and should access the sensitive data.

You have reduced your administrative costs in several ways, including: reducing the number of point solutions being supported and administered; removing script processes and disparate end point clients; and (perhaps best of all) you’re pushing business partner administration out to the business partner! Your business processes are now poised to react based on whatever turn the market takes.

You can now scale on demand -- hopefully UP!

Until next week,

Kyle

Not All MFT Solutions Are Created Equal

nuBridges Blog — Fri, 13 Nov 2009 14:25:22 -0500

Kyle Parris
Director of Product Management
nuBridges

There are, of course, a number of standouts in the new generation of managed file transfer (MFT) solutions. But there are also a number that may not meet the file transfer needs of organizations that require secure, reliable and integrated communication gateways.

Some of the things you should consider when vetting prospective MFT providers about an enterprise-class MFT are:

The MFT must be pervasive. Ask providers what platforms they support (Hardware, OS, DB, etc); ask what protocols they support; what encryption algorithms, etc.
Partner management can be difficult and time consuming. Understand the vendor’s capabilities around the set-up and maintenance of trading partners, customers, suppliers and other business partners. If you trade with numerous partners, consider a solution that allows them to manage themselves; taking the administrative burden off of your organization.
A key component of MFT is centrality. Integration of a single solution to all of your back-end office systems and with your strategic partners is critical. Make sure you understand the provider’s integration capabilities. Are they web interface enabled? Do they require separate client applications at each end point, or can they integrate to existing applications?
There are several considerations where sensitive data is being moved . . .
- In addition to the supported secure protocols and encryption methods, what other security features does the solution offer? This can be related to user authentication and authorization; as well as to the back-end protocols once the files have made it inside your enterprise. Consider every angle of security and ask the vendor how they address each concern.
- Proving compliance is a necessity. Dig into the provider’s reporting, alerting and notification capabilities. Make sure the solution meets requirements for compliance audits and risk management.
Speaking of reporting, make sure you have visibility to vital transaction information as it happens. This can be delivered via a management console or dashboard.
Some solutions, such as secure e-mail, have file size limitations. It is important to understand how these file size limitations can affect your ability to do business.

To help enterprises analyze the solutions that are currently available, nuBridges offers a white paper that explores the key best practices that define enterprise-class MFT solutions.

Download your free copy of “Best Practices in Enterprise File Transfer.” Once you read the white paper, we’d really like to hear from you! We’ll respond to your comments in our next blog.

Until next week,

Kyle