Are you building your APIs the right way?

I keep telling my customers: it is not about what you think is important, it is about what your customers (internal, external or partners) see as important when it comes to building APIs and mobile apps, or APIs for mobile apps. This article from Intel explains the facets of WHO, WHAT and HOW very nicely. We have instituted a new practice, called Intel API Manager, which does all of the above and more. It includes a strategy session to identify the audience (WHO) that can benefit from this, WHAT channels can drive additional revenue, and HOW we can help you achieve that.

And yes, Intel does software, and very well too!

–          Andy Thurai (Twitter: @AndyThurai)

Are you PCI DSS compliant yet? What is stopping you?

The PCI tokenization solution showcase at NRF was a grand success. I never would have believed the traffic through our booth and the interest. First of all, the show was huge! I am not kidding. Last year the attendance was 25,500, and I am pretty sure this year they surpassed that (the last count puts it at 27,600).

Intel had a big booth there, and our PCI tokenization solution was the main thing on display. The reason our solution gained so much visibility is, as one customer put it, that we provide compliance and risk mitigation in one place.

The most effective PCI tokenization solution MUST:

  1. Have the ability to create a security story, NOT just a compliance story (I will blog about this later). In other words, it should not only reduce PCI scope but also help you protect cardholder data
  2. Be a high-speed, high-performing tokenization solution, capable of producing tens of thousands of tokens per second if needed
  3. Use a hardware-based true random token generator
  4. Scale up to produce upwards of 2 billion tokens
  5. Offer a proxy tokenization method that does not require touching any of your existing systems
  6. Not only detect PANs "automagically" but also let you preserve certain digits (such as the last four) for routing and identification purposes as needed
  7. Let you use the token as a surrogate for the original card number every time, i.e. "multi-use" tokens
  8. Let you either BYOD (Bring Your Own Database) or use the extra-hardened, highly secure database provided for you
  9. Handle data in any format and from any incoming channel
  10. Be secure enough to run tokenization in the DMZ if needed
  11. Work anywhere in the enterprise or extended enterprise, including partner locations and virtual environments such as the cloud

Check out Intel's Tokenization Buyers' Guide on how to do this the effective way.

How do you spell “Lightning Speed” API Manager?

Well, if you are a Star Wars junkie like I am and have watched the Mel Brooks spoof Spaceballs, then you would probably spell it "ludicrous speed" 🙂

One of the reasons I want to write this is that I get asked about it a lot by my customers: "Why is Intel in the API space?" and "Why should we buy from you?", but more importantly "What are your differentiators from ———?" (insert the name of your choice). While the first two are addressed in some of my other blogs (such as Intel Data center software strategy), here I want to talk about one specific differentiator.

We all know Intel does chips very well. What you may not know is that Intel does software well too (refer to my blog Intel does software here). When you combine the fastest breed of Intel processors with the software intelligence built on top, with direct access to the Intel core, we are miles ahead of our competition. One such thing is outlined below.

The latest versions of our gateway products (Service Gateway, Security Gateway, API Gateway, Tokenization Gateway, and Cloud Encryption Gateway) all have one thing in common: they are tied to Intel chips at the hip and perform at highly elevated speeds. The latest such enhancement is optimization for cryptographic acceleration using Intel processors. This has enabled us to outperform ASIC cryptographic accelerator boards such as Tarari and Cavium by a wide margin.


Protected: Follow-up on Global Payments breach

This post is password protected and its content is not included here.

You are Gazetted…

Recently the government of Singapore put out a bill (published in the Gazette, or "Gazetted" as they call it, which sounds a lot fancier) on protecting the personal data of consumers:

Click to access Annex%20D_Draft%20PDP%20Bill%20for%20Consultation.pdf

“Protection of personal data

26. An organisation shall protect personal data in its custody or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal or similar risks.

Cross-border Transfers

The PDPA also permits an organisation to transfer personal data outside Singapore provided that it ensures a comparable standard of protection for the personal data as provided under the PDPA (Section 26(1)). This can be achieved through contractual arrangements.”

So what they are suggesting is that gone are the days when, if a business lost its customers' data, it told the consumers "Oops, sorry, we lost your data…" and that was about it. Now governments are taking initiatives to hold companies responsible for being careless with consumer data: protect it with your life, or face the consequences.

This means that, as a corporation, you need to protect data not only in storage and in transit but also, given the cross-border restrictions (these are especially strictly enforced in Europe; read about them at the URL above), figure out a way to keep the data and the risk to yourself instead of passing them on to third parties. The easiest way to achieve that is to tokenize the sensitive data, keep the sensitive data in your secure vault and send only the tokens to the other end. Even if the other end is compromised, your sensitive data and your integrity stay intact, and it will be easy to prove in an audit that you went above and beyond, not only complying with laws such as this but genuinely caring for your customers' sensitive personal data. Keep in mind that this concentrates the risk rather than removing it: the vault now holds every sensitive record and becomes the most attractive target in your environment, so its hardening, access control and audit logging carry the whole scheme. Brand reputation is a lot more important than you think.
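As an added example (my own illustration, not Intel's product code and not taken from the article or the bill linked above), here is a minimal vault-based tokenizer in Python that shows the mechanics behind the requirements in the PCI list in the earlier post and the advice in the paragraph above: it finds PANs in free text with a length check plus the Luhn check, mints a random, format-preserving, multi-use token that keeps the last four digits (optionally the leading digits too), stores the mapping in a vault, and refuses to mint a token that could itself pass as a card number. The sample message, the in-memory dictionary standing in for the vault, and the use of Python's `secrets` CSPRNG where a hardware random number generator would sit are all assumptions of the example.

```python
import re
import secrets

# Constructed sample message. The card numbers are well-known test PANs,
# not real cards; the final 16-digit number fails the Luhn check and must
# be left alone even though it is the right length.
SAMPLE = ("order 1 card 4111-1111-1111-1111; order 2 card 5555555555554444; "
          "order 3 card 4111 1111 1111 1111; ref 1234567890123456")

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to tell a PAN from any other long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                         # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2  # and fold 10..18 back to 1..9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for the token vault (assumption of this example).

    A production vault is the hardened, access-controlled database that
    holds the only copy of the PAN; everything outside it sees tokens.
    """

    def __init__(self, keep_first: int = 0, keep_last: int = 4):
        self.keep_first = keep_first          # e.g. 6 to preserve the BIN
        self.keep_last = keep_last            # e.g. 4 for receipts/lookup
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        """Return the multi-use token for a PAN, minting one on first sight."""
        if pan in self._pan_to_token:         # multi-use: same PAN, same token
            return self._pan_to_token[pan]
        body_len = len(pan) - self.keep_first - self.keep_last
        if body_len < 4:
            raise ValueError("too few digits left to randomise")
        while True:
            # secrets draws from the OS CSPRNG; a hardware RNG/HSM sits here
            # in a real deployment. Nothing about the token derives from the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(body_len))
            token = pan[:self.keep_first] + body + pan[len(pan) - self.keep_last:]
            # Reject a token that equals the PAN, collides with an existing
            # token, or passes Luhn (so a leaked token cannot pass as a card).
            if token != pan and token not in self._token_to_pan and not luhn_ok(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; raises KeyError if unknown."""
        return self._token_to_pan[token]


def tokenize_text(text: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in free text with its token."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)                 # not a card number; leave it
        return vault.tokenize(digits)
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    vault = TokenVault()
    print(tokenize_text(SAMPLE, vault))
```

Run it and the two spellings of the first test card collapse to a single token, while the 16-digit reference number that fails Luhn passes through untouched. Deployed as a proxy in front of the payment path, the systems downstream receive only tokens and can be taken out of PCI scope; the vault is then the one place that must be hardened, and the collision and Luhn checks in the minting loop are what keep a token from colliding with, or being mistaken for, a real PAN.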

Check out some of my older blogs on this topic:

Who is more sensitive – you or your data?

Content/ Context / Device aware Cloud Data Protection

Part 2: Context aware Data Privacy

Also, keep in mind that the Intel Token Broker and Cloud Security Gateway solutions can help you solve this fairly easily without disturbing your existing systems too much.

Check out more details on Intel cloud data privacy solutions.

Intel @ CES

If you were at CES you might have noticed this, but Intel is making waves on both the software and hardware sides. We won awards at CES for tablets, Ultrabooks and mobile processors. In addition, we also released the much acclaimed and reviewed Intel API Manager, which is making waves in the software world. I will write soon about the gizmos and APIs that car and electronics vendors announced at CES and how Intel API Manager can help you on that front.

• Two new Windows 8 tablets built around the Intel® Atom™ Z2760 processor (formerly “Clover Trail”), Lenovo’s ThinkPad Tablet 2 and the ASUS Vivo Tab TF810C;
• Several Intel-powered Ultrabook devices, including the dual-screen ASUS Taichi, convertible Dell XPS 12, sliding Toshiba Satellite U925t, carbon fiber-built Lenovo ThinkPad X1 Carbon, and 0.47-inch slim Acer Aspire S7; and
• Intel® 3rd generation Core™ processors, cited for delivering “up to 20% microprocessor performance improvement with dramatic visual gains for gamers, media enthusiasts and mainstream users.”

Effective PCI tokenization methods

Recently a colleague and friend of mine wrote a great article about the different ways to become PCI DSS 2.0 compliant by tokenizing PAN data. In case you missed it, I want to draw your attention to it.

Essentially, if you are looking to be PCI DSS 2.0 compliant, there are a few ways to achieve that. The most painful is obviously a rip-and-replace strategy; the easiest is an incremental, less intrusive method.

The first approach, the monolithic big-bang approach, is the legacy way of doing things. Once you figure out which areas of your system are non-compliant (that is, either storing PAN data, encrypted or not, or processing PAN in the clear), you decide whether each of those components needs to be PCI compliant. Because a PCI audit is extensive, time-consuming and methodical, with every process, application, storage system, database and host examined, it is very expensive. Once you know which components need to be compliant, you rip and replace: you touch every component that needs to be modified and rewrite it to become compliant. This may mean touching every component and changing your entire architecture, and it is the most expensive, most painful and slowest route to compliance. While it can be effective for spot solutions, it becomes a problem if you have to repeat it every time the PCI DSS requirements change (which seems to be every year).

