Breach-Proof Your Data

QUICK FACTS

Company and consumer information are compromised every day. Here's how to stop it.

While organizations like to think their data stores and transmission channels are secure, in reality that is rarely the case. Breaches happen almost daily, and the type of data hackers target is changing. According to Verizon's "2012 Data Breach Investigations Report", payment card information was still the most frequently cited data type, at 48% of breaches, and 42% of breaches involved authentication credentials. Personal information (names, email addresses, national identity numbers and similar data, collectively referred to as "personally identifiable information," or PII) appeared in only 4% of incidents, yet it accounted for 95% of the records lost, by far the largest share, according to the report.

Baseline Protection

Much of the change in the types of data stolen is the result of financial institutions adopting more stringent protections to comply with the Payment Card Industry Data Security Standard (PCI DSS). But since PCI DSS scope covers only cardholder data, not the associated identity data, PII is left vulnerable and becomes the target. From customer information to healthcare records to student files, PII theft is growing rapidly. That means organizations need to determine where their data should live and how to protect it. Compliance with PCI DSS, the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act and other regulations requires the data to be protected. Access controls alone are not enough; protecting the data itself is the baseline these mandates demand.

System Advantages and Drawbacks

Typically, the stronger the security, the greater the potential negative impact on performance, storage and transparency. And while organizations have their pick from a range of data security options, not all of them bring value to the business. This listing provides an overview of the various types of security currently available:

Native database protection methods typically perform well, do not impact storage and have a high level of transparency. But since they protect the paths to the data rather than the data itself, security remains an issue: relying solely on access controls, for example, will not stop a disgruntled database administrator (DBA) from reading the data, and it offers nothing once a copy of the database has left the system. This option encompasses a number of complementary security controls that can include:
• Authentication and authorization
• Row-, column- and role-based access control
• Activity logging and monitoring
• Discretionary and mandatory access controls
• Network and physical security controls

Hashing algorithms are one-way transformation functions that turn a message into a fixed-length "fingerprint." They typically secure data fields where there is no need to recover the original value. They are helpful for passwords, but not suitable for an environment that needs to reuse the data. One caveat: a hash is only one-way when the input cannot be guessed. Fields drawn from a small value space, such as national identity numbers, dates of birth or PINs, can be reversed by hashing every possible value and comparing, so such fields need a keyed hash (an HMAC under a secret key) or a salt rather than a plain hash.
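The one-way property of a hash holds only when the input cannot be enumerated. The Python below is an added example written for this page (not code from the article or from Protegrity): it reverses a plain SHA-256 of a constructed 5-digit PIN by trying every candidate, then shows that the same attack fails against an HMAC under a secret key while the key holder can still recompute it. The PIN, the key and the function names are assumptions for the illustration.

```python
"""Unkeyed vs keyed hashing of a low-entropy PII field.

Added example; not code from the article or from Protegrity. The 5-digit
customer PIN is constructed sample data; a national ID number or date of
birth has the same weakness, just a larger (still enumerable) value space.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def sha256_hex(value: str) -> str:
    """Plain one-way fingerprint: anyone can recompute it for any candidate."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def hmac_sha256_hex(key: bytes, value: str) -> str:
    """Keyed fingerprint (HMAC-SHA256): still deterministic, so records can be
    joined on it, but it cannot be recomputed without the secret key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def reverse_by_enumeration(target_hex: str, width: int, key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view: try every `width`-digit value and compare fingerprints.
    With no key the candidates are hashed with plain SHA-256, which is all
    someone holding a dump of unkeyed hashes needs."""
    for n in range(10 ** width):
        candidate = f"{n:0{width}d}"
        digest = hmac_sha256_hex(key, candidate) if key is not None else sha256_hex(candidate)
        if hmac.compare_digest(digest, target_hex):
            return candidate
    return None


def demo(pin: str = "04271", key: Optional[bytes] = None) -> dict:
    """Run the three scenarios and return what each one recovers."""
    key = key if key is not None else secrets.token_bytes(32)  # hypothetical key, generated fresh
    width = len(pin)
    unkeyed = sha256_hex(pin)
    keyed = hmac_sha256_hex(key, pin)
    return {
        "unkeyed_recovered": reverse_by_enumeration(unkeyed, width),            # the PIN
        "keyed_recovered_without_key": reverse_by_enumeration(keyed, width),   # None
        "keyed_recovered_with_key": reverse_by_enumeration(keyed, width, key),  # the PIN
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The HMAC is preferable to a per-record salt for PII that must remain joinable across tables: a salt makes two copies of the same identifier hash differently, while an HMAC keeps them equal and moves the whole burden of secrecy onto the key, which then needs the same key-management discipline the article describes for encryption.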


Format-preserving or datatype-preserving encryption generates ciphertext of the same length and data type as the input, which can simplify retrofitting encryption into legacy application environments. It is slower than strong encryption and, like other encryption technologies, requires distributed key management.

Strong encryption is more applicable to high-risk data than the format-preserving method and is the "gold standard" for encryption. Its ciphertext has a different data type and length from the input, which increases database storage requirements and makes it less transparent to applications than the other methods.

Vault-based tokenization provides a more manageable, less intrusive solution than encryption while still meeting PCI requirements. Tokenization replaces sensitive data such as card numbers with surrogate values (tokens) that have no resale value. But the reliance on large look-up tables (vaults) has a major impact on scalability: the tables grow with every new value and must be reachable from every location that detokenizes, which hurts performance, ease of deployment and total cost of ownership (TCO).

Vaultless tokenization is much more manageable than the vaulted method. By eliminating the vault, businesses benefit from a high-performance, scalable, lightweight solution that delivers a much lower TCO while expanding the applicability of tokenization beyond PCI. Because there is no per-value table to store and replicate, vaultless tokenization avoids most of encryption's key management drawbacks and delivers transparency with strong security; the static tables it does rely on are secret material, however, and need the same protection as keys. One company, Protegrity, is now developing tokenization algorithms that go a step further, incorporating enough business intelligence (BI) to reduce the need for de-tokenization when the original data is required for analysis.
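To make the vault-versus-vaultless distinction concrete, the Python below is an added example written for this page, not code from the article and not Protegrity's algorithm (which the page does not describe). Both tokenizers keep the last four digits of a 16-digit card number in the clear and emit a numeric token of the same length, so the token fits the original column. The vault tokenizer stores one row per distinct value; the vaultless tokenizer uses a fixed set of secret digit permutations and no per-value storage. The vaultless scheme is a deliberately simplified, chained table-substitution cipher chosen to illustrate constant-size state, not a production design, and the card numbers are constructed samples.

```python
"""Vault-based vs vaultless tokenization of a 16-digit card number.

Added example, not code from the article or from Protegrity (whose algorithm the
page does not describe). Last four digits stay in the clear; the 12-digit token
body is numeric, so it fits the original column. The vaultless scheme here is a
simplified chained table-substitution cipher that illustrates constant-size
state; it is not a production design.
"""
import secrets

DIGITS = "0123456789"
PAN_LEN, CLEAR_TAIL = 16, 4
BODY = PAN_LEN - CLEAR_TAIL          # digits that get tokenized


def _check(value: str) -> None:
    if len(value) != PAN_LEN or not value.isdigit():
        raise ValueError("expected 16 decimal digits")


class VaultTokenizer:
    """Random token per distinct value, stored in a lookup table (the vault) that
    grows by one row per new value and must be reachable wherever detokenizing happens."""

    def __init__(self) -> None:
        self._forward: dict[str, str] = {}   # value -> token
        self._reverse: dict[str, str] = {}   # token -> value

    def tokenize(self, pan: str) -> str:
        _check(pan)
        if pan in self._forward:             # same value, same token
            return self._forward[pan]
        while True:
            token = "".join(secrets.choice(DIGITS) for _ in range(BODY)) + pan[BODY:]
            if token != pan and token not in self._reverse:   # no identity, no collision
                break
        self._forward[pan], self._reverse[token] = token, pan
        return token

    def detokenize(self, token: str) -> str:
        return self._reverse[token]

    def rows(self) -> int:
        return len(self._reverse)


class VaultlessTokenizer:
    """No per-value storage: fixed secret digit permutations (one per round and
    position) plus a running chain. Whoever holds the tables can detokenize."""

    def __init__(self, rounds: int = 4) -> None:
        rng = secrets.SystemRandom()
        # one random permutation of the ten digits per (round, position); size never changes
        self.tables = [[rng.sample(DIGITS, 10) for _ in range(BODY)] for _ in range(rounds)]

    @staticmethod
    def _order(r: int) -> range:
        # alternate scan direction per round so every output digit depends on every input digit
        return range(BODY) if r % 2 == 0 else range(BODY - 1, -1, -1)

    def tokenize(self, pan: str) -> str:
        _check(pan)
        d = [int(c) for c in pan[:BODY]]
        for r, perms in enumerate(self.tables):
            chain = 0
            for i in self._order(r):
                orig = d[i]
                d[i] = int(perms[i][(orig + chain) % 10])
                chain = (chain + orig) % 10
        return "".join(map(str, d)) + pan[BODY:]

    def detokenize(self, token: str) -> str:
        _check(token)
        d = [int(c) for c in token[:BODY]]
        for r in range(len(self.tables) - 1, -1, -1):   # undo rounds in reverse order
            perms, chain = self.tables[r], 0
            for i in self._order(r):
                orig = (perms[i].index(str(d[i])) - chain) % 10
                d[i] = orig
                chain = (chain + orig) % 10
        return "".join(map(str, d)) + token[BODY:]


def compare(pans: list[str]) -> dict:
    """Tokenize the same inputs both ways and report the properties that differ."""
    vault, vaultless = VaultTokenizer(), VaultlessTokenizer()
    vt = [vault.tokenize(p) for p in pans]
    lt = [vaultless.tokenize(p) for p in pans]
    return {
        "vault_tokens": vt,
        "vaultless_tokens": lt,
        "vault_rows": vault.rows(),                                            # grows with distinct values
        "vaultless_cells": sum(len(p) for perms in vaultless.tables for p in perms),  # fixed
        "round_trip_ok": all(vault.detokenize(t) == p for t, p in zip(vt, pans))
        and all(vaultless.detokenize(t) == p for t, p in zip(lt, pans)),
    }


if __name__ == "__main__":
    sample = ["4111111111111111", "5500000000000004", "4111111111111111"]  # constructed samples
    for name, value in compare(sample).items():
        print(name, value)
```

Running `compare()` on the constructed samples shows the trade-off the article describes: the vault holds one row per distinct card number and would have to be replicated to every system that detokenizes, while the vaultless tokenizer's state is the same 480 table cells whether it has processed three numbers or three billion. The flip side, visible in `VaultlessTokenizer.detokenize`, is that those tables are the only secret, so they must be generated, distributed and rotated with the care the article reserves for encryption keys.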

Full Spectrum of Protection

Access and authentication controls, however complex, sophisticated or multi-layered, are often insufficient for protecting data: once those controls are breached, the data behind them is open to misuse. Because PII spans both structured and unstructured data that is subject to demands for analysis and manipulation, neither encryption nor tokenization alone can satisfy the full spectrum of business needs and security mandates. Combining the two, however, delivers the best attributes of both methods for reliable data protection.

TECHNOLOGY

Protegrity delivers a risk-adjusted data protection methodology that gives organizations a choice of methods to best address the risks associated with their data.

by Raul Ortega, VP Business Development, Protegrity

Raul Ortega is the vice president of business development for Protegrity. He has more than 30 years of software development industry experience, with extensive knowledge of all aspects of security research and development.

Protegrity provides high performance, infinitely scalable, end-to-end data security solutions that protect sensitive information across the enterprise from the point of acquisition to deletion. The company's award-winning software products span a variety of data protection methods, including end-to-end encryption, vaultless tokenization, masking, and monitoring, and are backed by several important data protection technology patents. Currently, more than 200 enterprise customers worldwide rely on Protegrity's comprehensive data security solutions to enable compliance with PCI DSS, HIPAA and other data protection mandates while protecting sensitive data, brand, and business reputation. For more information, please visit www.protegrity.com or call 203.326.7200.

Copyright © 2012 Protegrity Corporation. All rights reserved. Protegrity® is a registered trademark of Protegrity Corporation. All other trademarks are the property of their respective owners. 12/2012