Recently the State of Alaska DHSS was fined a hefty sum of $1.7 million for non-compliance. This issue came to the forefront when a USB drive containing PII (Personally Identifiable Information) data was lost (or stolen). This is not the first high-profile incident in which stern action was taken by government agencies for someone losing or being careless with consumer data.
Recently, I blogged about how California declared ZIP codes as PII and what you should do to protect the information you capture, regardless of whether it is credit card information, patient data, or electronic health records. http://soacloudsecurityblog.wordpress.com/2012/04/02/perfection-series-how-do-you-definemeasure-perfection/
It is not just about tokenizing your data; you have to make sure your logs, storage, and monitoring systems are clean too. If you fail to do that you can be found non-compliant, because a compliance or forensic analysis looks at all collateral repositories as well. I have previously blogged about being careful about leaving PII residue in your logs.
Remember the classic case of employees going after Starbucks about their personal data being carelessly handled. http://soacloudsecurityblog.wordpress.com/2012/04/09/you-too-seattle/
And we all know about the FTC going after the data broker Spokeo for $800,000 to settle the FTC charges that it sold personal information gathered from social media and other websites to employers and job recruiters without taking the steps to protect consumers required under the Fair Credit Reporting Act. http://www.networkworld.com/news/2012/061212-ftc-spokeo-260092.html?page=1
These are only a few examples of the revolution that is happening. For years we have had our data exposed, particularly personal information, and watched helplessly as our data was collected, sold, used, marketed to, abused and often stolen and circulated in the black market. Finally, the government and related agencies are stepping in to make a statement.
The core of all these issues stems from the fact that it is hard to fix the holes across your enterprise ecosystem. While you can continue to encrypt the data in as many places as you can, the human element still wins most of the time. And there is also the issue of encryption algorithm strengths or weak links in your process flow. That is why the newer model, “tokenization”, is becoming very popular, especially since you lose a lot of control when you move your data applications and processes to the cloud. You essentially lose control over the data trails, transport and storage (alerts, monitoring, logs, auditing, etc.), compounded by the fact that you’re at the mercy of the cloud provider. This exponentially complicates your ability to figure out how vulnerable your data is, and thus could be very dangerous. Additionally, you need to know where all your data is flowing (or leaking), especially if your data flows to an application instance that is controlled by export control laws with stronger encryption exceptions, as this could really mess things up. While you have to worry about using a stronger encryption to protect your data, you also have to worry about complying with export regulation laws.
Intel Tokenization solutions would be a perfect fit in such situations. Our PCI and PII tokenization allows you to strike a balance between both issues. You can keep your enterprise data encrypted and tokenize the sensitive data when it is sent over the wire to cloud locations, partners, etc. Because only tokens leave the enterprise, a recipient that is not a whitelisted application won’t know where to go to get the original data. You can rest easy knowing that while your sensitive data is sitting safe and secure, only your tokens are floating around everywhere.
If you are interested in either PAN tokenization or PII tokenization (such as SS#, DOB, etc.), use the link below to check out our solution information and reach out to me if you need further details. http://cloudsecurity.intel.com/solutions/tokenization-broker-reduce-pci-scope
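To make the model concrete, here is a small sketch added for illustration; it is not Intel's product code. It shows tokens replacing PII before data leaves the enterprise, detokenization limited to whitelisted applications, and a scan for PII residue in logs. The `TokenVault` class, the `billing-app` id and the SSN/PAN patterns are assumptions made for this example.

```python
import re
import secrets

# Assumed formats for this demo: US SSN (ddd-dd-dddd) and a 16-digit PAN.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "pan": re.compile(r"\b\d{16}\b"),
}

class TokenVault:
    """Hypothetical in-memory vault; a real one is an encrypted, access-controlled store."""

    def __init__(self, whitelist):
        self._whitelist = set(whitelist)  # application ids allowed to detokenize
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        # Reuse the token for a repeated value so joins on the token still work.
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the value
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token, app_id):
        if app_id not in self._whitelist:
            raise PermissionError(f"{app_id} is not whitelisted for detokenization")
        return self._by_token[token]

def tokenize_text(vault, text):
    """Replace every PII match in an outbound message or log line with its token."""
    for pattern in PII_PATTERNS.values():
        text = pattern.sub(lambda m: vault.tokenize(m.group(0)), text)
    return text

def find_pii_residue(lines):
    """Return (line_number, kind) for every line that still carries raw PII."""
    return [(n, kind) for n, line in enumerate(lines, 1)
            for kind, pattern in PII_PATTERNS.items() if pattern.search(line)]

if __name__ == "__main__":
    vault = TokenVault(whitelist={"billing-app"})
    # Constructed sample log lines, not real data.
    raw = ["user=alice ssn=123-45-6789 action=enroll",
           "charge pan=4111111111111111 amount=20.00"]
    clean = [tokenize_text(vault, line) for line in raw]
    print(find_pii_residue(raw), find_pii_residue(clean), clean)
```

Running `find_pii_residue` over existing log, storage and monitoring output is the quick check for the collateral repositories mentioned earlier; the patterns would need extending to every PII type you capture.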
Also, check out this whitepaper by Walter Conway, QSA, who is an expert on this subject.
Andy Thurai — Chief Architect & CTO, Application Security and Identity Products, Intel
Andy Thurai is Chief Architect and CTO of Application Security and Identity Products with Intel, where he is responsible for architecting SOA, Cloud, Governance, Security, and Identity solutions for their major corporate customers. In his role, he is responsible for helping Intel/McAfee field sales, technical teams and customer executives. Prior to this role, he has held technology architecture leadership and executive positions with L-1 Identity Solutions, IBM (Datapower), BMC, CSC, and Nortel. His interests and expertise include Cloud, SOA, identity management, security, governance, and SaaS. He holds a degree in Electrical and Electronics engineering and has 20+ years of IT experience.