July 6, 2012
Recently the State of Alaska DHSS was fined a hefty $1.7 million for non-compliance. The issue came to the forefront when a USB drive containing PII (Personally Identifiable Information) was lost (or stolen). This is not the first high-profile incident in which government agencies have taken stern action against an organization for losing, or being careless with, consumer data.
Recently I blogged about how California declared ZIP codes to be PII and what you should do to protect the information you capture, whether it is credit card data, patient data, or electronic health records. https://soacloudsecurityblog.wordpress.com/2012/04/02/perfection-series-how-do-you-definemeasure-perfection/
It is not just about tokenizing your data: you also have to make sure your logs, storage, and monitoring systems are clean. If you fail to do that, you can be found non-compliant when a compliance or forensic analysis is done, because the assessors look at all collateral repositories as well. I have previously blogged about being careful not to leave PII residue in your logs.
Remember the classic case of employees going after Starbucks over their personal data being carelessly handled. https://soacloudsecurityblog.wordpress.com/2012/04/09/you-too-seattle/
And we all know about the FTC going after the data broker Spokeo, which agreed to pay $800,000 to settle FTC charges that it sold personal information gathered from social media and other Internet-based sites to employers and job recruiters without taking the steps to protect consumers required under the Fair Credit Reporting Act. http://www.networkworld.com/news/2012/061212-ftc-spokeo-260092.html?page=1
These are only a few examples of the revolution that is happening. For years we have had our data exposed, particularly personal information, and watched helplessly as it was collected, sold, used, marketed to, abused, and often stolen and circulated on the black market. Finally, the government and related agencies are stepping in to make a statement.
At the core of all these issues is the fact that it is hard to close the holes across your enterprise ecosystem. You can encrypt the data in as many places as you can, but the human element still wins most of the time, and you also have to worry about the strength of your encryption algorithms and about the weakest link in your entire process flow. That is why the newer model, tokenization, is becoming very popular.
This matters most when you move your data, applications, and processes to the cloud, because you lose a lot of control: over the data trails, transport, and storage, and over the alerts, monitoring, logs, and auditing around them, and on top of that you are at the mercy of the cloud provider. That makes it far harder to figure out how vulnerable your data is, which can be very dangerous. Then there is the question of where all your data is flowing (or leaking). If it flows to an application instance in a jurisdiction subject to export control laws, which restrict strong encryption, things get messy: while you have to worry about using stronger encryption to protect your data, you also have to worry about complying with export regulations.
Intel's tokenization solutions fit such situations well. Our PCI and PII tokenization lets you strike a balance between the two concerns: you keep your enterprise data encrypted and tokenize the sensitive fields when they are sent over the wire to cloud locations, partners, and so on. Because a token is only a reference with no mathematical relationship to the original value, anyone other than a whitelisted application has no way to get back to the original data. You can rest easy knowing that while your sensitive data sits safe and secure in one place, only tokens are floating around everywhere else.
If you are interested in either PAN tokenization or PII tokenization (such as SSN, DOB, etc.), use the link below to check out our solution details and reach out to me if you need further details. http://cloudsecurity.intel.com/solutions/tokenization-broker-reduce-pci-scope
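To make the two points above concrete (tokens rather than PANs leaving the trusted zone, and logs that carry tokens instead of PII residue), here is an added example of a minimal tokenization broker. It is illustrative code written for this post, not Intel's product or its API: the in-memory dictionaries stand in for the encrypted token vault a real broker keeps behind an HSM, the whitelist is a plain set of caller names, and the sample log line and card number (the well-known Visa test number) are constructed.

```python
import re
import secrets

DIGITS = "0123456789"
# Candidate card-number runs in free text: 13-19 digits not adjoined by other digits.
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal tokenization broker: random, format-preserving tokens plus a lookup
    table, with detokenization limited to whitelisted callers.

    Assumption of this example: the dicts below model the vault; a production
    broker encrypts the mapping at rest and protects the keys in an HSM."""

    def __init__(self, whitelist):
        self._whitelist = set(whitelist)
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[ -]", "", pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_token:          # same PAN always yields the same token
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]            # keep the last four for display/matching
            # Reject tokens that pass Luhn (they could be mistaken for real card numbers,
            # and a Luhn-failing token can never equal the original PAN) or that collide.
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only whitelisted applications may exchange a token for the original."""
        if caller not in self._whitelist:
            raise PermissionError(f"{caller!r} is not authorized to detokenize")
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]

    def scrub_log(self, line: str) -> str:
        """Replace every Luhn-valid 13-19 digit run with its token so log repositories
        hold tokens, never PANs. Non-Luhn runs (timestamps, order ids) are left alone."""
        def swap(m):
            run = m.group(0)
            return self.tokenize(run) if luhn_ok(run) else run
        return PAN_RUN.sub(swap, line)


if __name__ == "__main__":
    vault = TokenVault(whitelist={"billing-service"})
    # Constructed sample log line; 4111111111111111 is a test number, not real cardholder data.
    raw = "INFO charge approved card=4111111111111111 amount=42.00 ts=1341532800000"
    safe = vault.scrub_log(raw)
    print(safe)                                         # token in place of the PAN, ts untouched
    token = vault.tokenize("4111111111111111")          # idempotent: same token as in the log
    print(vault.detokenize(token, "billing-service"))   # whitelisted caller gets the PAN back
    try:
        vault.detokenize(token, "analytics-in-cloud")
    except PermissionError as e:
        print("denied:", e)
```

Two design points worth noting. The token preserves only the last four digits and is generated with `secrets`, so nothing about the remaining digits can be derived without the vault; tokens that happen to pass Luhn are discarded so a token can never be mistaken for, or equal to, a live card number. The log scrubber uses the Luhn check to avoid rewriting every long digit run (the 13-digit timestamp in the sample survives), but a Luhn-valid non-card number would still be tokenized, which is the safe direction to fail in.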
Also, check out this whitepaper by Walter Conway, QSA, who is an expert on this subject.