Think of it as the seamy underside of the bad economy: Harsh market conditions, corporate cost-cutting and a downsized, disgruntled workforce create the perfect storm for systematic and sophisticated attacks by underworld enterprises on data systems in respected companies worldwide.
So here’s what we have today: record data breaches, heists of increasing intensity and scale, and a network of expert hackers buying and selling attack vectors and system vulnerability information. It’s not uncommon to read of tens of millions of dollars being siphoned from payment networks. In fact, we can assume that multiple criminals have the option of stealing our identities. Bottom line: billions of dollars in reparations, uncountable losses in brand and reputational damage, spiraling audit costs, and the sheer magnitude of headaches to be incurred in trying to get ahead of the problem.
This will take more than just complying with privacy regulations: The regulations are behind the threats, which evolve continuously to exploit any weakness available. Enterprises, payment processors, business process outsourcers and even nonprofits must take proactive countermeasures, and they must do it now.
Challenge 1: Protection Over Process
Data privacy compliance can’t just be about checking boxes. The best protection involves comprehensive security measures, although, until recently, this has been costly. However, there is a new model emerging to address data protection in the extended enterprise: a “data centric” approach that protects data from the moment of capture and throughout its lifecycle — truly end-to-end — without major disruption to existing systems. The upshot is that systems can be effectively protected from external and inside threats at a far reduced cost.
Traditional methods of protecting data often impose significant burdens and force change on applications and systems. For example, most enterprises or transaction processors have significant investments in existing systems, and a large quantity of regulated data may reside on legacy IT platforms and networks. There is inherent complexity and diversity of systems in the application environment, which means that traditional approaches to encryption, for example, require a major overhaul. Worse still, encryption focused on data at rest — where data is rarely at rest in live IT systems — will not prevent contemporary attacks like those we are witnessing with increasing frequency.
Take, for example, a financial-transaction-processing environment where encrypting data as simple as Social Security or credit card numbers in the traditional way affects every place where an SSN or credit card field is expected in the application workflow. Consequently, with changes all along the data flow to handle encrypted data, traditional approaches can affect the user experience, as well as transactional response times.
Other traditional approaches — such as tokenization or “data vaults” (where an alias of the original data points to real data or a secondary database from which the real data can be derived) — simply move the problem to another place and create additional burdens, such as the need for yet more storage of sensitive data and huge complexity in business continuity management. Again, this isn’t reality — especially in this tough market.
Now, for the good news: There are new methods available to minimize this impact. For example, technologies like AES Format-Preserving Encryption and Stateless Key Management can make the process of retrofitting encryption into legacy application environments a lot simpler and cost a lot less.
Of course, encrypting data can also have its flip side: Regulations bring legal and other challenges to handling encrypted data. For example, while there are regulations like PCI and some state laws (Nev., new Mass. laws for 2010) that require data to be specifically encrypted, there are also regulations that require data to be quickly recovered for processes like e-discovery (e.g., SEC 17A-4 rules).
That’s why data-centric protection approaches have to take into account the full information lifecycle; this includes business processes that may be imposed on data after its actual use, if it is not destroyed, as opposed to merely considering the day-to-day use of the data within a given transaction.
This can be acutely important in the data warehouse, for example. Again, the solution here within the data-centric model is Stateless Key Management. When coupled with strong authentication systems (e.g., Identity Management Infrastructure), electronic supervisory access is enabled as a natural process rather than inhibited, which would bring drastically increased complexity to the investigation process. Past keys can be requested on the fly and data recovered, all within the controls of highly audited access and authorization management policies.
Challenge 2: Foiling Criminals
Some approaches don’t protect data throughout the lifecycle, and this creates vulnerabilities. For example, approaches that focus only on data at rest, such as native database encryption, still allow attackers to gain access through a variety of a la carte methods, such as SQL injection. This involves exploiting weaknesses in database access layers and compromising database entry points like admin accounts. There have been many cases of such attacks in “compliant” organizations, and industry data breach reports like DatalossDB.org are filled with them.
This means re-examining the information protection lifecycle. After all, applications managing data like payment transactions or customer data used in billing systems have data in use very frequently, and it is rare to find databases full of transaction data “at rest.” In fact, data is always restless, with the exception of battery-powered devices or traditional non-powered media storage. In a world trending to “always on” network-based services, protection strategy has to be more comprehensive and truly “end-to-end.”
Challenge 3: ‘Need to Know’ Sensitive Data Access
Data flows within the application environment need to be analyzed effectively to determine just how the data is used and where it is truly needed. It is then possible to build a risk profile and begin to systematically address high-risk data flows first, such as databases and applications handling SSNs or payment card data. Identity management systems with data-centric approaches can be tied in to permit role-based access to data. This brings the best of both worlds: roles and permissions that may be in existing systems like directory infrastructure, or more sophisticated IDM platforms and federated authentication systems.
With this approach, data is systematically protected from hackers and criminals over its lifecycle under an auditable and controllable process. At the same time, this technique solves the challenge of separation of duties for employees and administrators who need to manage data but perhaps don’t always need to see live data like SSNs. PCI is a good example of a regulation that specifically calls for this kind of separation of duties.
Challenge 4: Downstream Dangers
Best practices stress the need for persistent protection of data in and out of the enterprise, and we’ve seen cases where data has been exposed at points in the network where it’s in clear form or leaked from a third-party system. In the case of Hannaford supermarkets, there was PCI compliance, but data was stolen anyway because it was in the clear at different points in the network.
What if the data were being captured on a mobile device off the network? What about data used for nonproduction purposes such as third-party marketing analysis, or in test and engineering environments? It’s not uncommon for organizations to invest in protecting production systems and data centers — yet have live data sitting unprotected on the systems of application developers and other outsourced parties.
With the emergence of popular platforms like the iPhone, there is more and more interest in exploring mobile platforms to perform new business tasks. However, the issue of data privacy always holds organizations back from embracing these kinds of new business models. Fortunately, this is an area where, again, the data-centric model is ideal. For example, it’s now possible to protect data on mobile platforms using combinations of technologies like Format-Preserving Encryption (FPE) and advanced public key technologies like Identity-Based Encryption (IBE).
One case might be that we need to use the iPhone as a device for capturing new customer data to open an account. In the past, this came with a risk: We would need to store a key for encrypted data offline. Now, that problem goes away with the FPE and IBE combination approach and transforms a device like the iPhone into a secure device at all times. This technique can also be applied to Point of Sale (POS) systems to enable end-to-end protection from the moment the cardholder data is captured.
As we continue examining the application environment, and where data goes over its lifecycle, one area that’s under more scrutiny is the test and QA (quality assurance) side. Enterprises obviously need to be able to respond fast to changing market conditions and maintain high quality, but if they’re using live production data in a less controlled environment, there has to be attention paid to regulatory compliance and security threats. What we see here is the need for data de-identification in test and QA while not impacting data quality and integrity, as well as the protection of data in production systems. Here, too, technologies like Format-Preserving Encryption can help.
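An added illustration (not from the original article and not any vendor's product code) of the format-preserving idea discussed above, both for retrofitting legacy SSN and card fields and for de-identifying test and QA data. It is a digit-only Feistel construction keyed with HMAC-SHA256, assumed here as a teaching stand-in for standardized AES-based modes such as NIST FF1; the function names are hypothetical and the key, tweak labels and sample values are constructed.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so both halves finish in their original positions

def prf(key: bytes, tweak: bytes, rnd: int, half: str) -> int:
    """Round function: HMAC-SHA256 over round number, tweak and one half."""
    msg = bytes([rnd, len(tweak)]) + tweak + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def feistel_digits(key: bytes, tweak: bytes, digits: str, decrypt: bool) -> str:
    """Permute an n-digit string onto another n-digit string (n >= 6)."""
    if not (digits.isascii() and digits.isdigit()) or len(digits) < 6:
        # Tiny domains can be enumerated, so refuse them outright.
        raise ValueError("need at least 6 ASCII digits")
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if i % 2 == 0 else v  # width of the half rewritten this round
        if decrypt:
            c = (int(b) - prf(key, tweak, i, a)) % 10**m
            a, b = str(c).zfill(m), a
        else:
            c = (int(a) + prf(key, tweak, i, b)) % 10**m
            a, b = b, str(c).zfill(m)
    return a + b

def protect_field(key: bytes, tweak: bytes, value: str, decrypt: bool = False) -> str:
    """Transform only the digits; dashes and spaces stay where they were."""
    digits = "".join(ch for ch in value if ch.isdigit())
    out = iter(feistel_digits(key, tweak, digits, decrypt))
    return "".join(next(out) if ch.isdigit() else ch for ch in value)

if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed; never hard-code real keys
    for label, value in ((b"ssn", "123-45-6789"), (b"pan", "4111 1111 1111 1111")):
        token = protect_field(key, label, value)  # sample values are constructed
        # Same length and layout as the input, so a CHAR(11) SSN column,
        # input masks and test fixtures keep working on the protected value.
        print(value, "->", token, "->", protect_field(key, label, token, decrypt=True))
```

The mapping is deterministic for a given key and tweak, which keeps joins and referential integrity intact in de-identified test data but also means equal inputs yield equal protected values.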
Challenge 5: Brand Equity
Fines are one thing, but brand damage, customer impatience and investor churn are much bigger problems, especially in this difficult market. Disclosure laws ensure that customers are aware of breaches, and customer or business partner loss is a top-of-mind issue for executives. So how do you protect a brand in this environment?
One trend among forward-thinking companies is the proactive use of security technology. A few years ago, some banks and ISPs (Internet service providers) took the lead in providing antivirus technologies to their customers. Now, we’re seeing the emergence of encryption and protection technologies at the forefront of customer programs — again, not data at rest but on an end-to-end basis — and in some cases we are seeing the industry itself calling for exactly this approach. The data-centric model offers a platform approach, so that the benefits of comprehensive protection can be a public-facing tool to enhance customer trust while protecting the organization from data attacks.
The new bottom line is that organizations need to think more carefully and more creatively about managing and protecting data. However, it’s going to take more than checking off compliance boxes.
End-to-end data protection doesn’t have to be difficult, even in complex legacy application environments, mobile systems or business applications. It can start with a critical line of business and can quickly extend along the lines of an enterprise data protection strategy. The risk of not addressing contemporary threats is too great. Every organization needs to take a proactive stance in managing risk, and broadcast the message that this kind of security is a management priority. It’s good security, it’s good business, and it’s good PR.
Mark Bower is responsible for information protection solutions at Voltage Security. He can be reached at Mark_Bower@voltage.com.