Are you ready for some polling?

Guys & Gals,

I want to get a sense of where our customers stand in relation to tokenization, data privacy, PCI compliance, cloud data, sensitive data masking, etc. Please help me answer the questions below. User info is not tracked (so we won’t know who is answering what). I will post the results to the group so you can compare your situation to the collective group (of 1000+) to see how you rank. Pick what resonates the most so that our results will truly reflect everyone’s opinion. I made the question multiple choice and you don’t have to pick just one. This will help me change/adjust our product vision and strategy going into next year based on your needs.

I “tweaked” my hammy just reading this

Recently, I was reading about the Format Preserving Encryption (FPE)* variation that we implemented in our cloud data privacy/tokenization gateway solution and realized that they had used a tweak to make it much stronger.

I am proud of our guys who burned some extra midnight oil to get this out on time to protect our customers' sensitive data moving to the cloud. This allowed us to work with some major cloud providers to help with their data storage in a highly secure manner. Watch out for my next blog on how FPE can help you preserve your data fairly easily. You can also read my blog about protecting sensitive data that is sent to the cloud here.
Essentially, a tweak is a cross between a salt and a nonce (thank god it is not crossed with pepper!). For format preserving encryption (FPE), it can be used to significantly enhance the encryption security.

Here is how:
If you use a deterministic, tweakless scheme, an attacker could build, by non-cryptographic means, a useful dictionary of plaintext/ciphertext pairs. For example, assume that you are encrypting the middle 6 digits of a 16-digit Credit Card Number (CCN or PAN data). Out of a possible 100 million entries, there would be 100 CCNs with the same 6 digits. (It is fairly common to keep the first 5 digits preserved for routing purposes and the last 4 digits for validation purposes, thus leaving only the middle 6 digits to be encrypted.) Every plaintext/ciphertext pair that an attacker identified would allow the attacker to decrypt every CCN that happens to have those same middle 6 digits. Using a different tweak for each of these encryptions would eliminate this information leakage. In this case, the tweak could be:
• The other ten digits of the CCN (a perfect seed, since it uses what is already there).
• A string that is unique to the specific document in which the encryption is occurring.
• A randomly generated string that is used for a much smaller subset of the encryptions than the specific key is used for.
As the first two possible sources of tweaks indicate, a tweak value does not need to be secret. It just needs to be large enough to uniquely differentiate related encryptions in the same or different documents.
Summary: a tweak is just a mechanism to add entropy between encryptions that could otherwise leak information. Using a tweak can significantly enhance security and is therefore strongly recommended.
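The dictionary leak described above, and the effect of using the other ten digits as the tweak, as an added example (not code from the gateway product). It uses a toy HMAC-based Feistel permutation as a stand-in for a real FPE mode such as FF1, and assumes a first-6 / middle-6 / last-4 split so that the tweak is the remaining ten digits; the key, card numbers and function names are constructed for illustration.

```python
import hashlib
import hmac

ROUNDS = 10  # toy balanced Feistel network for illustration; NOT FF1/FF3-1

def _round(key: bytes, tweak: bytes, rnd: int, half: int) -> int:
    # Round function: HMAC-SHA256 over (tweak, round number, half), reduced mod 1000.
    msg = len(tweak).to_bytes(2, "big") + tweak + bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % 1000

def fpe6(key: bytes, digits: str, tweak: bytes = b"", decrypt: bool = False) -> str:
    """Map a 6-digit decimal string to another 6-digit decimal string."""
    if len(digits) != 6 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("expected exactly 6 decimal digits")
    left, right = int(digits[:3]), int(digits[3:])
    if decrypt:
        for r in reversed(range(ROUNDS)):
            left, right = (right - _round(key, tweak, r, left)) % 1000, left
    else:
        for r in range(ROUNDS):
            left, right = right, (left + _round(key, tweak, r, right)) % 1000
    return f"{left:03d}{right:03d}"

def protect_pan(key: bytes, pan: str, use_tweak: bool) -> str:
    """Keep the first 6 and last 4 digits; encrypt the middle 6."""
    head, middle, tail = pan[:6], pan[6:12], pan[12:]
    tweak = (head + tail).encode() if use_tweak else b""  # tweak = the other ten digits
    return head + fpe6(key, middle, tweak) + tail

def leaked_by_one_pair(key: bytes, known_pan: str, others: list, use_tweak: bool) -> int:
    """Count stored PANs whose middle digits follow from ONE known plaintext/ciphertext pair."""
    lookup = {protect_pan(key, known_pan, use_tweak)[6:12]: known_pan[6:12]}
    return sum(lookup.get(protect_pan(key, p, use_tweak)[6:12]) == p[6:12] for p in others)

# Constructed sample data (not real card numbers); the first three share middle digits 123456.
KEY = b"constructed-demo-key"
PANS = ["4000001234561111", "5100001234562222", "4000001234563333", "4000006543214444"]

if __name__ == "__main__":
    print("tweakless:", leaked_by_one_pair(KEY, PANS[0], PANS[1:], use_tweak=False))
    print("tweaked:  ", leaked_by_one_pair(KEY, PANS[0], PANS[1:], use_tweak=True))
```

The tweak is derived only from digits that stay in the clear, so decryption can recompute it without storing anything extra.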
*Format Preserving Encryption (FPE) is a process that deterministically encrypts plaintext into ciphertext that has the same character set and same number of logical radix characters. This allows the encrypted data to be stored and transmitted by the same programs and databases that handled the plaintext data without modifying the service storing and transmitting the data. For example, a credit card number can be a 16-byte decimal string. If FPE is applied to the number, the ciphertext is also a 16-byte decimal string. Another example is encrypting an alphanumeric address, where the ciphertext must also be an alphanumeric string of the same length.

Who is more sensitive – you or your data?

Sooner or later the following (not so hypothetical quandary) will undoubtedly arise: When moving your data to the cloud, you’ll be faced with an array of decisions that will need to be made. What considerations will you make for the protection of your data? In the not-so-distant past, you most likely invested a lot of time and resources into building “enterprise Ft. Knox” – a state-of-the-art, highly advanced and very expensive solution replete with several sophisticated gadgets, strategically positioned around the enterprise perimeter. You had a moment to breathe a sigh of relief, taking solace in knowing that no one could penetrate the fortress you built. You even went so far as to give yourself a pat on the shoulder, enjoying the moment.

Alas, the respite ended with a tap on the shoulder! The King, also known as the CIO, has informed you that the rules have changed! Apparently, when you were working hard building this impenetrable boundary around the edge fixing the exposure, he made a deal for the kingdom (in this case, your company), that expanded its territory. As a result, the short but life-changing edict is to move processing to a third-world country (in other words to the cloud). Gulp.

Medieval comparisons aside, the matter of fact is that your IT systems have been moved to the cloud – public, private, or hosted. With the stroke of a quill (or pen), the circumscribed limits of your perimeter have changed. Unfortunately, protecting your databases, processes, applications, app servers, web servers, systems, middleware, and back-end systems won’t work anymore, and as in most similar scenarios, you’ll have absolutely no control over them in a cloud environment. It’s highly likely that you won’t even know where things are running most of the time.

The advantages of moving to the cloud cannot be denied, but the new paradigm-shift is not without headaches and real concerns that come with data privacy, security, auditing, compliance, residency (at certain times you can’t let the data leave certain countries for example), in addition to having to worry about being exposed to hackers on a 24×7 basis.

Now what? Well, there is an easy way to solve this problem. Instead of protecting all of the above, you can simply just protect your data instead. This is exactly where Intel cloud encryption/data privacy gateways shine. We created these gateways a few years ago, keeping the ever-changing landscape in mind.

So how do we do it? Well, for starters, the Intel cloud encryption gateway is the ONLY solution that is available in multiple form factors – as an appliance, software and virtual. It can also be available as a hosted solution, through our partners if you should choose that option. Our appliances are not “virtual appliances” unlike competing vendors in the market. We provide a “true” appliance. This is imperative in the security field, especially when you need FIPS 140-2 Level 3 compliance in the government (or other highly secure environments like healthcare) space. (As a side note, I recently read a competitor’s spec where that company claimed to “enable” you — so you could plug in and use FIPS 140-2 if needed. It’s not certain what they exactly meant or how to parse the finely nuanced language used in their advertisements. In contrast, we are completely straightforward about our enterprise class capabilities. And, yes, we have that feature built in already.)

In addition, our appliance has a unique set of features that include: tokenization, encryption, Format Preserving Encryption (FPE), as well as others that will help ensure the authenticity, integrity, and validity of your data. That’s not all. What makes us unique is that our cloud encryption gateways are built to fit your current eco-system. This means that regardless of the protocol, identity system, logging system, monitoring system, or data/message type, we can encrypt/tokenize the data that is flowing in and out of your organization.

Let’s think about that for a second. You get these appliances, drop them in the line of traffic, do a few configurations, and you are done. Either you keep the sensitive data and send the tokens to the cloud, or alternatively, send the protected (encrypted) data to the cloud and keep the keys to yourself. This allows you to be compliant and mitigate your risk. There are no more long drawn-out IT engagements, nor nightmare filled sleepless nights trying to figure out what will happen when moving your sensitive data to the cloud.

This is really important where time to market (TTM) is the key. We can have you up and running and poised for being production-ready, in a matter of days (or even in a matter of hours as most cases call for). When making a decision, it’s also essential for your calculus to include ROI and TCO. When you buy a similar solution from someone else, make sure to ask yourself these questions: Will I have to spend hundreds of hours building this? How long will it take me to integrate this within my eco-system? We can get you connected with most existing enterprise systems such as logging, monitoring, auditing, middleware, identity systems, database, (web) services, and SIEM systems such as ArcSight/Nitro quickly. And you get the added advantage of having mobile enablement already built-in.

There’s one last note of chuckle I want to share. I saw a competitor’s blog suggesting that they are rated by Gartner, for tokenization and encryption gateways, and are rated “close enough”, to Intel & McAfee in this area. I just want to close this out by saying we are Intel-McAfee, and we thankfully don’t feel compelled to make similar associations with someone, just to bolster our viability or engender notions of greater stability. We genuinely care for our customers and know that we will be here for many years to come.

Please contact me if you need more information. I’m more than happy to send you any additional information that you may need.