Enterprise IOT: Mixed Model Architecture

– By Andy Thurai (@andythurai)

This article was originally published on VentureBeat.

Recently, there has been a lot of debate about how IoT (Internet of Things) affects your architecture, security model and corporate liability. Many companies seem to think they can solve these problems by centralizing the solution and enforcing it collectively in the hub, as far away as possible from the data collection points (not to be confused with data centers). There is also a lot of talk about the hub-and-spoke model winning this battle. Recently, Sanjay Sarma of MIT, a pioneer in the IoT space, spoke on this very topic at MassTLC (where I was fortunate enough to present as well). But based on what I am seeing in the field, and on how the actual implementations work, I disagree with this one-size-fits-all notion.


The Façade Proxy

KuppingerCole analyst Craig Burton (of Burton Group originally) wrote a recent article about Façade proxies. You can read the article here: http://blogs.kuppingercole.com/burton/2013/03/18/the-faade-proxy/

As Craig notes,

“A Façade is an object that provides simple access to complex – or external – functionality. It might be used to group together several methods into a single one, to abstract a very complex method into several simple calls or, more generically, to decouple two pieces of code where there’s a strong dependency of one over the other. By writing a Façade with the single responsibility of interacting with the external Web service, you can defend your code from external changes. Now, whenever the API changes, all you have to do is update your Façade. Your internal application code will remain untouched.”

I call this the “Touchless Proxy”. We have been doing the touchless gateway for over a decade, and now, using the same underlying concept, we provide a touchless API gateway, or façade proxy.

While Intel is highlighted as a strong solution in this KuppingerCole analyst note, Craig raises the following point:

“When data leaves any school, healthcare provider, financial services or government office, the presence of sensitive data is always a concern.”

This is especially timely as the healthcare providers, financial institutions, and educational institutions rush to expose their data using APIs to their partners.
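To make the façade point concrete, here is an added example in Python (my own illustration, not Craig Burton’s note or Intel’s gateway code): internal code calls one stable method, the façade is the only place that knows the partner’s wire format, so a partner payload change is absorbed there and nowhere else, and the same chokepoint refuses to let sensitive fields leave, which is Craig’s “when data leaves” concern. The partner’s v1 and v2 payload shapes, the field names and the canned responses are constructed assumptions.

```python
"""Added example of a façade proxy (illustration only, not Craig Burton's or
Intel's code). The partner API's v1/v2 payload shapes, field names and canned
responses below are constructed assumptions for the example."""

import json
from dataclasses import dataclass

# Fields that must never leave through this façade, whoever the partner is.
OUTBOUND_DENYLIST = frozenset({"ssn", "dob", "pan"})


@dataclass(frozen=True)
class Customer:
    """The only shape internal code ever sees. Partner-specific fields stop here."""
    id: str
    name: str
    balance: float


class FakePartnerTransport:
    """Stand-in for the HTTP client. Serves canned (constructed) responses in
    the partner's old (v1) or new (v2) payload shape; echoes what is posted."""

    def __init__(self, version: int):
        self.version = version

    def get(self, path: str) -> str:
        if self.version == 1:
            return json.dumps({"cust_id": "c-42", "cust_name": "A. Example",
                               "bal": "12.50", "ssn": "000-00-0000"})
        return json.dumps({"customer": {"id": "c-42", "fullName": "A. Example",
                                        "balance": 12.5, "ssn": "000-00-0000"}})

    def post(self, path: str, body: str) -> str:
        return body


def outbound_allowed(record: dict) -> bool:
    """True when a record contains no field from OUTBOUND_DENYLIST."""
    return not (record.keys() & OUTBOUND_DENYLIST)


class PartnerFacade:
    """Single point of contact with the external service: wire-format knowledge
    lives here and nowhere else, so an API change means editing this class only."""

    def __init__(self, transport):
        self._transport = transport

    def get_customer(self, cust_id: str) -> Customer:
        raw = json.loads(self._transport.get(f"/customers/{cust_id}"))
        if "customer" in raw:                      # new v2 shape
            c = raw["customer"]
            return Customer(id=c["id"], name=c["fullName"], balance=float(c["balance"]))
        # old v1 shape; the partner's "ssn" field is simply never copied inward
        return Customer(id=raw["cust_id"], name=raw["cust_name"], balance=float(raw["bal"]))

    def update_customer(self, record: dict) -> dict:
        """Egress check: refuse to forward records carrying denylisted fields."""
        if not outbound_allowed(record):
            leaked = sorted(record.keys() & OUTBOUND_DENYLIST)
            raise ValueError(f"refusing to send sensitive fields to partner: {leaked}")
        return json.loads(self._transport.post("/customers", json.dumps(record)))


if __name__ == "__main__":
    for version in (1, 2):
        print(version, PartnerFacade(FakePartnerTransport(version)).get_customer("c-42"))
    print(outbound_allowed({"id": "c-42", "ssn": "000-00-0000"}))  # False
```

Both partner versions yield the same `Customer`, which is the whole point of the pattern: the callers did not change when the partner did. The egress denylist is the part a gateway adds on top of the plain design pattern.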


Another classic case of Data Loss that could have been easily prevented

I was catching up on my reading from my security forums and this caught my attention. In the hack of the South Carolina state tax department, about 3.6 million tax returns were stolen. The stolen information included SS#, credit card numbers, names, addresses, etc. But what caught my attention most was this:

The hacked personal income tax returns included Social Security numbers and about 387,000 credit and debit card numbers, 16,000 of which were not encrypted.

Why would anyone choose to encrypt only part of the data? It looks like a policy and/or workflow flaw. I hope they didn’t decide this based on identities: were the red customers encrypted and not the blue? Check out my blog on context/identity-aware data protection to implement this the right way (link here). There is a reason why I am not paying my taxes with a credit card, at least not until they use Intel ETB (Expressway Tokenization Broker) to protect that data :). If they had used our solution this wouldn’t have happened to begin with. We could have encrypted the sensitive data (PII) while preserving the format, and tokenized the credit card (PCI) information.

Your personal data is now yours….. maybe?

Recently the State of Alaska DHSS was fined a hefty $1.7 million for non-compliance. The issue came to the forefront when a USB drive containing PII (Personally Identifiable Information) was lost (or stolen). This is not the first high-profile incident in which government agencies took stern action against someone who lost or was careless with consumer data.

Recently I blogged about how California declared zip codes to be PII and what you should do to protect the information you capture, regardless of whether it is credit card information, patient data, or electronic health records.  https://soacloudsecurityblog.wordpress.com/2012/04/02/perfection-series-how-do-you-definemeasure-perfection/

It is not just about tokenizing your data; you also have to make sure your logs, storage, and monitoring systems are clean. If you fail to do that you can be found non-compliant when a compliance/forensic analysis is done, because they look at all collateral repositories as well. I have previously blogged about being careful about leaving PII residue in your logs.
https://soacloudsecurityblog.wordpress.com/2012/04/23/perfection-series-forgotten-data-in-your-logs-log-redaction-service/

Remember the classic case of employees going after Starbucks over their personal data being carelessly handled.  https://soacloudsecurityblog.wordpress.com/2012/04/09/you-too-seattle/

And we all know about the FTC going after the data broker Spokeo, which paid $800,000 to settle FTC charges that it sold personal information gathered from social media and other Internet sites to employers and job recruiters without taking the consumer-protection steps required under the Fair Credit Reporting Act.  http://www.networkworld.com/news/2012/061212-ftc-spokeo-260092.html?page=1

These are only a few examples of the revolution that is happening. For years we have had our data exposed, particularly personal information, and watched helplessly as it was collected, sold, used for marketing, abused, and often stolen and circulated on the black market. Finally, the government and related agencies are stepping in to make a statement.

The core of all these issues is that it is hard to fix the holes across your enterprise ecosystem. You can keep encrypting data in as many places as you can, but the human element still wins most of the time. Then there is the question of your encryption algorithm’s strength, and whether there is a weaker link somewhere in your process flow. That is why the newer model, tokenization, is becoming very popular. When you move your data, applications and processes to the cloud you lose a lot of control: over the data trails, transport and storage (alerts, monitoring, logs, auditing, etc.), compounded by being at the mercy of the cloud provider. That greatly complicates your ability to figure out how vulnerable your data is, and it can be very dangerous. There is also the question of where all your data is flowing (or leaking). Especially if your data flows to an application instance that is subject to export control laws, where stronger encryption needs an exception, things get messy: while you have to worry about using stronger encryption to protect your data, you also have to worry about complying with export regulations.

Intel tokenization solutions are a good fit in such situations. Our PCI and PII tokenization lets you strike a balance between the two concerns: you keep your enterprise data encrypted and tokenize the sensitive fields when they are sent over the wire to cloud locations, partners, etc. Unless the receiver is a whitelisted application, it has no way to get to the original data. You can rest easy knowing that your sensitive data sits safe and secure while only your tokens are floating around.
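What a tokenization broker does, as an added example in Python (my illustration, not Intel’s Tokenization Broker or any product code; it serves both the partial-encryption point in the South Carolina post above and the tokenization description here): a PAN or SSN is swapped for a random token that keeps the original’s format (length, BIN and last four digits for a PAN, last four for an SSN), the token is deliberately never Luhn-valid so it cannot be mistaken for or collide with a real card number, and only callers on a whitelist can exchange a token back for the original. The sample values, caller names and the in-memory vault are constructed assumptions; a real vault sits in hardened, access-controlled storage.

```python
"""Added example of a vault-style tokenizer (illustration only, not Intel's
Tokenization Broker or any vendor code). The sample PAN/SSN values, caller
names and the in-memory vault dicts are constructed assumptions."""

import re
import secrets


def luhn_ok(digits: str) -> bool:
    """PAN check digit (Luhn)."""
    s = 0
    for i, c in enumerate(reversed(digits)):
        d = int(c) * 2 if i % 2 else int(c)
        s += d - 9 if d > 9 else d
    return s % 10 == 0


class TokenVault:
    """Maps sensitive values to format-preserving tokens and back.
    Detokenization is only granted to whitelisted callers."""

    def __init__(self, detokenize_whitelist):
        self._whitelist = frozenset(detokenize_whitelist)
        self._value_by_token = {}
        self._token_by_value = {}

    def is_authorized(self, caller: str) -> bool:
        return caller in self._whitelist

    def _remember(self, value: str, token: str) -> str:
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    @staticmethod
    def _digits(n: int) -> str:
        return "".join(str(secrets.randbelow(10)) for _ in range(n))

    def tokenize_pan(self, pan: str) -> str:
        digits = re.sub(r"[ -]", "", pan)
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a plausible PAN")
        if digits in self._token_by_value:
            return self._token_by_value[digits]        # same PAN -> same token
        while True:
            # Keep BIN (first 6) and last 4 so routing and reporting still work,
            # randomize the middle, and reject anything that passes Luhn so a
            # token can never be mistaken for (or collide with) a real PAN.
            token = digits[:6] + self._digits(len(digits) - 10) + digits[-4:]
            if not luhn_ok(token) and token not in self._value_by_token:
                return self._remember(digits, token)

    def tokenize_ssn(self, ssn: str) -> str:
        if not re.fullmatch(r"\d{3}-\d{2}-\d{4}", ssn):
            raise ValueError("expected ###-##-####")
        if ssn in self._token_by_value:
            return self._token_by_value[ssn]
        while True:
            token = f"{self._digits(3)}-{self._digits(2)}-{ssn[-4:]}"   # keep last 4
            if token != ssn and token not in self._value_by_token:
                return self._remember(ssn, token)

    def detokenize(self, token: str, caller: str) -> str:
        if not self.is_authorized(caller):
            raise PermissionError(f"{caller} is not whitelisted for detokenization")
        return self._value_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(["payments-core"])            # constructed caller name
    t = vault.tokenize_pan("4111 1111 1111 1111")    # well-known Visa test number
    print(t, vault.detokenize(t, "payments-core"))
    print(vault.tokenize_ssn("123-45-6789"))
```

The token can be stored, logged and sent to partners in any field that expects a card number or SSN, which is what keeps those systems out of scope; only the vault, behind its whitelist, can turn it back into the original.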

If you are interested in either PAN tokenization or PII tokenization (SS#, DOB, etc.), use the link below to check out our solution details, and reach out to me if you need more. http://cloudsecurity.intel.com/solutions/tokenization-broker-reduce-pci-scope

Also, check out this whitepaper by Walter Conway, QSA, who is an expert on this subject.

The “Intel” on Intel is we do software!

Are you surprised? I start most of my presentations and conference talks with the following question:

How many of you know that Intel ‘does’ Software?

Very few hands usually go up, and that is exactly the challenge I face today in getting the word out about exciting developments that people wouldn’t normally associate with this technology juggernaut. While the Silicon Valley behemoth often conjures up images of powering a plethora of devices (including phones!), its Application Security & Identity Products division (ASIP), my unit, is quickly escaping the formidable shadow of the “mother ship” as Cloud, application security, identity and tokenization software become top of mind. Intel’s ASIP group is on the cutting edge of innovation with technologies such as Cloud SSO, cloud-based identity services, Identity Manager, OTP (One Time Password), big data and analytics, API Gateway, Cloud Service Broker, Security Gateway, mobile middleware and Security as a Service.

Every Intel commercial you see on TV or through other media channels usually promotes Intel chips, as that is a core strength of ours. But I want you to be aware that we are far more than chips. We are a leading-edge technology company that constantly renews itself and its raison d’être. We hold more patents than almost anyone else in almost every field we are in, and we employ an army of engineers in some of the largest research efforts in the world, with one of the largest research budgets.

There was a great article in Forbes not too long ago about how Intel is one of the largest software companies in the world that you’ve never heard of. Led by our fearless leader, Renee James, SVP of the Intel Software group, Intel recently announced security as our third pillar. Our CEO Paul Otellini didn’t stop there; he showed the world he meant it by acquiring McAfee soon after. We have also made other key strategic acquisitions in the software security and identity areas to strengthen our position, including but not limited to McAfee, Nordic Edge, Sarvega and Wind River (a complete list can be seen at the Forbes link below or at Intel.com). This is consistent with our strategy: we continue to acquire and develop software and security solutions with unwavering commitment.

You might be surprised to learn the following:

  • Intel turbo-charges the Linux community by putting hundreds of full-time engineers to work on the free operating system.
  • Intel’s tools helped Apple’s engineers move its Macintosh computers to Intel processors.
  • Intel helped Google move into the Smartphone business.
  • Maybe the company’s biggest software triumph has been its push into high-performance computing. Five of the ten fastest supercomputers in the world now run Intel’s chips.
  • Intel has a solution that helps companies Tokenize their sensitive data.
  • Intel’s Cloud Service Broker (CSB) and API Gateway solutions help companies seamlessly move their enterprise applications to the cloud.

Along these lines, Intel has been a pivotal partner on many projects that have helped to move the “proverbial needle” by developing tools, frameworks and enhancements, all of which often go unrecognized since the efforts are not branded with an Intel logo.

With the acquisition of security software vendor McAfee last year, Intel became one of the world’s 10 largest software companies. – Forbes May 2012.
http://www.forbes.com/sites/briancaulfield/2012/05/09/intel-is-the-biggest-software-company-youve-never-heard-of/.

If you have time, I suggest you give our annual report a read. You’ll get a first-hand look at the contributions of the software division; they are impressive. From the numbers alone, we could easily be considered one of the largest software vendors in the world.

We, the software group of Intel, get access to information from McAfee’s advanced security labs and Intel’s extreme-performance labs. This allows our software unit to understand what is coming down the road and to architect solutions for the future. That is why, when you choose Intel for any of the aforementioned products, our performance comparison numbers against our direct competitors are truly outstanding. If you have any questions about this, give me a shout and I will demonstrate to you how awesome we really are.

A very familiar Allstate commercial asks, “Are you in good hands?” With Intel, I can guarantee you are.

Intel Cloud SSO – Control your Cloud Identities

If you were in a cave hunting hibernating Siberian bears, you might have missed this news. Intel made a big splash last week by announcing its solution to manage cloud-based identities. This is the brainchild of my unit within Intel, and I am so proud of our guys who took the concept to execution, beta to GA, in just about a year. What is more impressive is that we are the first, and currently the only, Force.com-based identity provider. While many may follow suit, the original idea was conceived and well executed by our guys, who spent many sleepless nights on it. Congratulations, guys! You showed the world how to get things done well and fast.

Salesforce Adds Intel Cloud SSO

By Stefanie Hoffman

Channelnomics

http://channelnomics.com/2012/05/25/salesforce-adds-intel-cloud-sso/

Service providers might be able to add security to the list of reasons to move customers to cloud applications with a partnership that enables Intel’s Cloud Single Sign On to be delivered on SalesForce’s social enterprise platform.

Intel delivers cloud-based identity application to salesforce

By Staff Writer

Computer Business Review

http://cloudsoftware.cbronline.com/news/intel-delivers-cloud-based-identity-application-to-salesforce-250512

Cloud SSO deployed on Force.com is now available via salesforce.com’s AppExchange and Intel

Intel Cloud SSO lets IT manage SaaS apps

By James Furbush

TechTarget

http://searchconsumerization.techtarget.com/news/2240150788/Intel-Cloud-SSO-lets-IT-manage-SaaS-apps

Intel has entered the Identity as a Service space this week with software that provides a way to secure employee access to SaaS apps.

Intel Rolls Out Cloud SSO Identity Solution

By Darren Allen

ITProPortal

http://www.itproportal.com/2012/05/24/intel-rolls-out-cloud-sso-identity-solution/

Intel has announced Cloud SSO, a cloud-based identity and “Access Management-as-a-Service” system which is now live on Force.com, Salesforce’s social enterprise platform.

Intel announces Cloud SSO link-up with Salesforce

By Matthew Finnegan

ChannelBiz

http://www.channelbiz.co.uk/2012/05/24/intel-announces-cloud-sso-link-up-with-salesforce/

Intel has announced a cloud based identity management system for social enterprise apps through Salesforce’s Force.com.

Intel unveils cloud-based SSO service

By Rene Millman

CloudPro

http://www.cloudpro.co.uk/saas/3731/intel-unveils-cloud-based-sso-service

Intel has revealed a new cloud-based single sign-on service that integrates with Salesforce.com and will allow customers to ditch on-premise password management.

Intel Cloud SSO Goes from Private Beta to Public

By Staff Writer

Sys-Con Media

http://www.sys-con.com/node/2283889

We’re happy to announce general availability of Intel Cloud SSO IAM-as-a-service today after running it in private beta mode for 2 months with select customers.

Intel brings Cloud SSO to Salesforce’s Force.com

By Rachel King

ZDNet

http://www.zdnet.com/blog/btl/intel-brings-cloud-sso-to-salesforces-forcecom/77336

Salesforce.com is integrating Intel’s Cloud SSO to provide enterprise customers with single sign-on access to Force.com and thousands of cloud-based apps.

Intel launches cloud-based single sign-on service

By Antone Gonsalves

CSO

Reposts: Network World, Computerworld

http://www.csoonline.com/article/706874/intel-launches-cloud-based-single-sign-on-service

Intel launched a cloud-based password management service on Wednesday that has been tightly integrated with Salesforce.com to give its customers an alternative to on-premise single sign-on software.

Intel and McAfee team on cloud single sign-on

By Iain Thomson

The Register

http://www.theregister.co.uk/2012/05/23/intel_mcafee_single_signon/

Intel and McAfee have been talking about the fruits of their merger and their plans for a cloud to computer security network that will be built into new systems.

Intel Cloud SSO: Single Sign On Across Cloud, SaaS Apps

By Joe Panettieri

Talkin’ Cloud

http://www.talkincloud.com/intel-cloud-sso-single-sign-on-across-cloud-saas-apps/

Intel, leveraging the Salesforce.com cloud, has developed a single sign on (SSO) solution for cloud computing. Intel Cloud SSO stores user identities on Force.com, and leverages that information to authenticate users across multiple third-party cloud applications.

Intel Wants to Manage Your Passwords in the Cloud

By Penny Crosman

Bank Technology News

http://www.americanbanker.com/issues/177_100/Intel-debuts-cloud-security-for-saas-apps-1049550-1.html?zkPrintable=1&nopagination=1

Intel and McAfee (the security software company Intel acquired in 2011) are today rolling out software for providing such single sign-on across all software-as-a-service applications, with user names and passwords stored and managed in Salesforce’s cloud utility, Force.com

Intel, McAfee launch Cloud SSO, expect busy year

By Staff Writer

PanArmenian.Net

http://www.panarmenian.net/eng/news/108671/

As a first step to this, the companies have launched Cloud SSO, a single sign-on facility developed to manage authentication for a range of cloud applications that can be used to supplement or replace existing access management systems.

Articles in press

Tax man cometh – Whose Identity is it anyways?

If you are like me, I am sure you waited until the very last minute, milking every second of it, before you filed your taxes last week. Now that it is all taken care of, I want to talk about a video that I happened to watch on CNBC about how an innovative tax scam is evolving. Any individual who files taxes can be scammed this way, so you had better read up. (No, I don’t have a solution I want to sell you; I’m just being a good citizen and educating those who follow my blog.)

First of all, as I sat there watching how it is done, CNBC was pretty much giving away step-by-step instructions, and I wondered why CNBC was broadcasting it to the whole world, much the same way the Discovery Channel broadcasts our weapons capabilities to our enemies. Anyway, this simple scheme works like this.

Identity thieves are getting bolder and smarter these days. They have given up applying for credit cards and loans in your name now that you can freeze your credit or set an alert notifying you when suspicious activity happens under your name. Instead, they are going after the IRS’s inefficiencies and lack of identity verification, exploiting an easy opportunity that comes around once a year.

What is shocking is that the IRS requires ONLY a name, SS# and DOB to file a tax return. That is it, mamma mia! They don’t check whether the filing address is the same as last year (or years), why your filing status has suddenly changed, why you don’t have proper W-2 information, why your dependents have changed, etc. Maybe it is just me, but when a tax return has every piece of information changed from last year, shouldn’t that flag something? Thieves have people working for them at places like hospitals and car dealerships who pick up this information, but of course these are easy pieces of information that you can even buy as a list from online sources. Worst of all, if they target the dead, active military personnel, or people living abroad, it can be months or years before anyone finds out. The thieves then make up income, withholding and deductions and have the refund sent to a pre-paid debit card that can be used in retail stores and banks to cash out. Contrary to what people think, the IRS takes days or months to verify and match the income stated in your return. By then, neither the IRS nor you have any means to trace these guys. What is worse, the IRS thinks you owe them that money, since they supposedly paid it out to you. Ouch!

According to the IRS, they stopped about 200,000 questionable returns worth $1.15 B. Imagine how much slipped through. This is all because of the IRS’s inability to verify identity; identity is the root cause of this fraud. Wow! Fair enough, the IRS has to process about 145 million tax returns with about 110 million refund requests, but come on: with about 75% of the population filing electronically, how difficult is it to scrutinize the remaining 25%? (BTW, if you file electronically they ask you for information from last year’s return before they accept it. But if yours was already filed by an identity thief as a paper return you can’t file at that point, so you are scrutinized but they are not. Double whammy, huh?)

Why is it so easy for identity thieves to do this?

Hard to detect, easy to cheat, takes months before the issue is found, and the thieves know the loopholes in our system.

Fix: have a government-mandated universal identity system with bullet-proof detection. (Yeah right, like that is going to happen.)

Right now it is done mostly by small-time scammers; just imagine if a well-organized crime gang or a foreign-government-funded group picks this up. We will all be screwed.

http://www.miamiherald.com/2012/04/16/2752607/tax-fraud-by-identity-theft-a.html
http://www.cnn.com/2012/03/20/us/tax-refund-scam/index.html

How could this be fixed? Very simply:
1. In tax returns, ask for something from last year that only you would know, such as your AGI, your total deductions, or even your refund amount.
2. Mail the check to the address on last year’s return. If the address given differs from last year’s, put the return on hold.
3. Deposit only to last year’s bank account and stop fly-by-night refund channels such as the debit card scheme.

Unfortunately, the IRS is not doing any of this. I can think of a roundabout way this could be prevented, but I would love to hear from you all if there is a way we can all benefit by stopping these identity thieves.

Let me know your thoughts and save fellow geeks from losing their hard-earned money.

Perfection Series – Forgotten data in your logs (Log Redaction service)

From a business standpoint, leaking sensitive information into your logs is not only bad, but could lead to a compliance, liability and risk disaster sooner than you think. While there are solutions out there, including DLP, that inspect data traffic to catch sensitive data leakage, not many are proactive and intrusive enough to inspect the backplane of your systems for sensitive data leakage or regulatory compliance analysis. This becomes more pronounced when you allow users (especially admin users) to access your system in multiple ways, such as browser, command line, XML interface, etc. You need to worry not only about the logs for each of those interfaces, but also about the types of logs that are kept and where they may go in the future: trace logs, transaction logs, exception logs, command logs, admin logs, etc.

Recently the Intel/McAfee Service Gateway (ESG/MSG) has seen a lot of activity and interest in providing APIs/services in and from the cloud. One of the major issues everyone faced was that the log, which is stored in the cloud, might contain information that is sensitive or a compliance issue, especially when you offer this as a service (*aaS) exposed 24×7 to the hackers in the cloud. While detailed logging may not be an issue for enterprise customers, where the log information is stored in centralized secure storage, it most often becomes an issue when you offer a multi-tenant environment and share resources with other users. In order to give customers in the cloud more control, we introduced a new log redaction feature, which can be used in either the enterprise version or the cloud version. This helps customers with sensitive information such as PAN data (especially when credit card information is sent over for processing), PII, names, addresses, SS#, DOB and other pertinent information, including passwords in verbose modes. The Intel solution allows that data to be removed or masked with ease, and it is user definable, both for the patterns and for the masking specifics.

I was talking to a customer of mine a few days ago on this very topic and told them how cool this is. He said, “I think our system is very secure and we have taken extra measures,” given that they deal with multiple compliance standards and issues. So I suggested performing a log spider scan. He called me two days later, panicked by what he found. If you don’t know whether you should worry about this, there are spider scan tools available on the net; just Google it and see what your logs tell you. If you don’t like what you see, don’t blame me :).

While most customers take extra care of their transactional messages, I have seen a lot of customers be a bit lax with regard to logging and administrative interfaces. I recently blogged about an incident with a customer with exposed data in the logs, which you can read here.

Our solution allows them to tighten their logs up several notches. We ship with about 30 pre-defined filters, with an option for customers to build more of their own using a simple visual tool. It can be applied at any log level, including the most verbose. The masks are user defined and flexible. Once you define and turn them on, there is no need to restart your system; it stays on until you explicitly turn it off. What is cooler is that the logs are cleaned instantly once you push the config, and the push is cluster-wide to all nodes. Imagine the power of controlling sensitive log data on all edge devices (whether at the enterprise edge or extended to the cloud) with one push of a button.

In reality, the logging system normally logs content handed to it by many different underlying components, such as the input server, invocation agent, runtime workflow, mediation engine, security engine, etc. This is complicated to manage with so many components: when you log things from the input side at some verbose log levels (such as detailed trace), the wire data gets logged, and that can be anything (most solutions out there log everything that comes in on the wire for auditing purposes). So, contrary to what you might think, it is very hard to keep sensitive data out of the logs without special handling like this.

Imagine if you are dealing with PCI, HIPAA, etc. and have an edge device where you can say “I need my logs to be clean of this sensitive data” and define masking/encryption on transactional data as well. You can be sure that from your edge inward, or going out, your messages and logs are all cleaned up to your satisfaction and for compliance.
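As an added example (mine, not the gateway’s own filters), here are the two halves of what this section describes in Python: a “spider scan” that reports which lines of a log carry PANs, SSNs, passwords or bearer tokens, and a redactor that applies the same rules as masks. The Luhn check on PAN hits is the caveat a practitioner wants: without it, every 16-digit order id in a verbose trace gets masked too, and people turn the filter off. The sample log lines, patterns and masks are constructed assumptions; line 3 is the admin-password-in-a-verbose-log case from the Perfection series.

```python
"""Added example of log scanning and redaction (illustration only, not the
Intel/McAfee gateway's filters). The sample log lines, regex patterns and
masks below are constructed assumptions for the example."""

import re


def luhn_ok(digits: str) -> bool:
    """PAN check digit; lets us skip 16-digit order ids and similar false positives."""
    s = 0
    for i, c in enumerate(reversed(digits)):
        d = int(c) * 2 if i % 2 else int(c)
        s += d - 9 if d > 9 else d
    return s % 10 == 0


def _pan_valid(m) -> bool:
    return luhn_ok(re.sub(r"[ -]", "", m.group(0)))


def _pan_mask(m) -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    return "*" * (len(digits) - 4) + digits[-4:]      # keep last 4 for troubleshooting


# (kind, pattern, mask, validator). The validator decides whether a regex hit is real.
RULES = [
    ("pan", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), _pan_mask, _pan_valid),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
     lambda m: "***-**-" + m.group(0)[-4:], lambda m: True),
    ("password", re.compile(r"(?i)\b(password|passwd|pwd)(\s*[=:]\s*)(\S+)"),
     lambda m: m.group(1) + m.group(2) + "[REDACTED]", lambda m: True),
    ("bearer", re.compile(r"(?i)(authorization:\s*bearer\s+)(\S+)"),
     lambda m: m.group(1) + "[REDACTED]", lambda m: True),
]


def scan_line(line: str) -> list:
    """Kinds of sensitive data present in one line (the spider-scan side)."""
    return [kind for kind, rx, _mask, valid in RULES
            if any(valid(m) for m in rx.finditer(line))]


def redact_line(line: str) -> str:
    """The same rules applied as masks (the redaction side)."""
    for _kind, rx, mask, valid in RULES:
        line = rx.sub(lambda m, mask=mask, valid=valid: mask(m) if valid(m) else m.group(0), line)
    return line


def scan_log(lines) -> list:
    """(1-based line number, kind) for every finding across a log."""
    return [(n, kind) for n, line in enumerate(lines, 1) for kind in scan_line(line)]


def redact_log(lines) -> list:
    return [redact_line(line) for line in lines]


# Constructed sample log. The PAN is the well-known Visa test number; the 16-digit
# order id on line 2 fails Luhn and must survive untouched.
SAMPLE_LOG = [
    '2012-04-23T10:01:02Z TRACE request body: {"pan":"4111 1111 1111 1111","amount":"12.50"}',
    "2012-04-23T10:01:03Z INFO order_id=1234567890123456 status=ok",
    "2012-04-23T10:01:04Z DEBUG admin login user=admin password=Hunter2!",
    "2012-04-23T10:01:05Z TRACE headers: Authorization: Bearer eyJhbGciOi.abc.def",
    "2012-04-23T10:01:06Z WARN patient ssn=123-45-6789 mismatch",
]

if __name__ == "__main__":
    for n, kind in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind}")
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

Run the scan half first, on a copy of a real log, before you trust any redaction rule set: the findings list tells you what your verbose levels are actually writing, and the order-id line shows why a bare digit-run regex is not enough.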

If you need more information on this or on our solutions in general please check out www.intel.com/go/identity or reach out to me.

Cloud Identity Services – Models and Challenges

I am co-presenting with Martin Kuppinger (of KuppingerCole) on a panel about Cloud Identity Services: Models and Challenges. Please stop by my session if you are attending the European Identity Conference and want to understand how cloud-based identity is totally different from enterprise identity. http://lnkd.in/VrgDft
—–

Cloud Identity Services – Models and Challenges
Martin Kuppinger, KuppingerCole
Andy Thurai, Intel

As the software-as-a-service (SaaS) market explodes, more and more organizations struggle to gain control over their users’ identities in the cloud. Some are also exploring outsourcing their identity and access management (IAM) functions to the cloud.

There are three architectural models for implementing cloud identity services:

In the cloud – identity and access management as an on-demand service
To the cloud – IAM from an on-premise platform
Hybrid – a model that includes elements of both on-demand and on-premise solutions.

In this session, we will discuss the key architectural, platform, integration, security, scalability and reliability issues which organizations seeking to adopt cloud-based identity need to consider, including the increasingly significant role that Cloud Identity Broker/Cloud Security Broker technology is playing. The discussion will also assess current and evolving technology and industry standards available for managing SaaS account provisioning/de-provisioning, single sign-on, strong authentication, and other identity operations.

Objective:

When you finish this session, you will have a framework for analyzing the state of today’s technology options and selecting the most appropriate architectural platform to meet your business’s identity requirements in the cloud.

Perfection series – How do you define/measure perfection?

A few weeks ago I had a conversation with a customer of mine and we discussed this very topic. How do you measure perfection? It’s a good question worthy of inquiry. I was really surprised at the different answers suggested in the conversations that ensued.

Perfection is, as stated by the Merriam-Webster dictionary, “broadly, a state of completeness and flawlessness, an unsurpassable degree of accuracy or excellence”. Some would also say perfection is the absence of judgment. 🙂

If you operate within a Math or Science context, the term perfection is actually used to designate a range of diverse concepts. These concepts have historically been addressed in a number of discrete disciplines, notably mathematics, physics, chemistry, ethics, aesthetics, ontology and theology.

To an extent, “perfection” is a state of mind. Why am I telling you all of this? I was asked the question “Is your solution perfect for our situation?” So instead of pursuing a quest for the meaning of perfection (and the meaning of life), I thought I would take this opportunity to write a series of blogs in which I highlight our solution capabilities and recent enhancements that may make our solution perfect for you! (You knew that plug was coming, right?)

A few years back (I worked for a competitor at that time), I was visiting a customer to discuss a complex architectural issue they were having. I sat down with the Security Architect, Enterprise Architect, and the CISO of a big insurance company (who shall remain unnamed). To show me the issue at hand, they pulled up a specific transaction to analyze. And there it was: the admin password for the system (the holy grail), for their important backbone component, baring its nakedness to us in clear text. In all fairness, the most verbose log level was turned on to debug a specific issue. After we joked about the fact that I now knew the admin password for their backbone, and thus for their entire enterprise, I was told I was going to spend most of my life in a corner of their data center sleeping on a rug!

The conversation got very serious when we talked about how admin passwords should NEVER be displayed in clear text in any log for any reason. I took this noted and avoidable vulnerability back to my Product Management/Engineering teams. To my surprise, the concern was brushed aside as a non-issue.

A risk of this magnitude could easily be considered a major compliance issue if you are an organization that deals with HIPAA and/or PCI compliance. Regardless of whether you have the most verbose mode turned on or not, if you leave PCI data or PII (personally identifiable information) visible in logs in clear text, you are creating potential breaches. As is sometimes the case, log data gets lost and, at the most inopportune time, could be unearthed during an audit. Aside from the risk of not properly safeguarding data, those risks multiply when failed audits lead to very expensive fines.

The California Supreme Court recently ruled, in Pineda v. Williams-Sonoma, that zip codes are “personally identifiable information” (PII) under California’s Song-Beverly Credit Card Act, California Civil Code section 1747.08, reversing the Court of Appeal’s decision. Penalties of up to $250 for the first violation and $1,000 for each subsequent violation can accrue without any allegation of harm to the consumer.

Section 1747.08 of this law states that a retailer cannot ask customers for PII (including zip codes), or record it, during credit card transactions. (I have distilled the legalese for you. Those so inclined may read the statute in its entirety at http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1747-1748.95.) Though this applies only to PCI-type credit card data right now, there are laws pending in California (and in other states) around the essence of PII. This may end up being germane to medical records, EHR (Electronic Health Records), prescription information, etc.

Initially it could be limited to SS#, PAN (credit card info), date of birth, zip codes, address, age, gender, password (in the corporate world), etc. However, safeguarding data could potentially expand into several other domains. All organizations need to be cognizant of how laws and regulations continue to change at the state and national level and how they vary from one country to another. Imagine if you are using a cloud provider that hosts your data in a country not of your choice, where you have virtually no control.

In the next few blogs I am going to talk about our Log Redact, Data Redact, data privacy, compliance, encryption and tokenization capabilities, which help address some of the aforementioned issues. They not only help you address today’s needs but also enable you to change direction as necessary as new requirements come to fruition.

You may already know that Intel acquired McAfee, the leader in the security software business, over a year ago. We are quickly seeing the successful integration of both entities. As part of this perfection series, I’m going to share with you, in greater detail, our integration efforts with McAfee security components. By the end of this series you’ll get a sense of the palpable energy and the synergies that are helping us bring even better solutions to our customers.

As for the company that gave me a rug to sleep on in the corner of the datacenter for sharing their family secrets: I wish I had had this solution set handy when I was at that meeting! Oh well, comfortable sleep is overrated anyway.

If you would like a sneak preview of some of the solutions that I’m going to address in this blog series, please visit:

http://www.intel.com/go/identity

http://software.intel.com/en-us/articles/Expressway-Tokenization-Broker-Reduce-PCI-Scope/
