If I was writing this in the early 2000s, I would have started with the line “open any newspaper and the headline will be screaming about…” but since this is 2018, and newspapers have pretty much gone the way of the dodo bird, I will start with: open any web browser or news app…” My point is that things have evolved very quickly over the last 20 years thanks to the internet. We are all so fully connected that sometimes we forget how much of our lives are lived online. None of us can live without the internet or our connected gadgets. The convenience of having a small computer in our pocket is unmeasurable. Kids born in the last 30 years don’t know what an encyclopedia is, if they want to explore a topic they just fire up Wikipedia or Google and voilà they have the combined knowledge of the world at their fingertips.
Everything online is hackable; if information is on a computer connected to the Internet, it is vulnerable
All this knowledge and access has a downside that you can’t ignore, which is the security implications of living on the web. Open any web browser or app these days and there is sure to be a story about how some company has experienced a data breach. Everything online is hackable; if information is on a computer connected to the Internet, it is vulnerable. In the last few months the TSA, Verizon, Equifax, NSA, Uber, CIA, US Air Force, Deloitte, and Alteryx just to name a few, have all lost billions of sensitive data elements. If you just examine the Equifax and Alteryx breaches you will quickly determine that pretty much every person that lives in the United States has been impacted. Equifax lost 140 million records, and Alteryx lost 123 million records, each of which contained Personally Identifiable Information (PII) about US citizens. In most cases the folks whose data has been lost didn’t consent or know that their PII was stored by these companies.
Sometimes, it’s not your fault!
The latest threats in the security arms race, Meltdown, Spectre, Ryzenfall, Masterkey, Fallout, and Chimera – enable hackers to steal sensitive information from a computer’s memory or install malware during startup. These are an entirely new class of attacks and are probably just the tip of the spear for this type of vulnerability. These flaws are seismic events because even though there are software patches being deployed by the CPU manufacturers, they aren’t perfect. To totally eradicate these flaws will require a new generation of computer processing chips.
Every second of every day 59 records are lost or stolen. Juniper Research predicts that by 2020, the average cost of a data breach will reach $150M! (The Future of Cybercrime & Security). Since 2013 ~10 billion data records have been lost or stolen, of those records only about 4% were encrypted/tokenized which rendered them useless – the rest most likely are for sale on the dark web. To help companies deal with these breaches, numerous standards have evolved over the last few years which describe how data should be protected. In response to this hostile environment, legislators and industry leaders have developed and are constantly updating their standards and regulations for data security.
Standards and Regulations Driving Change
Starting May 25, 2018, a new set of rules takes effect in the European Union that makes having a data breach much more than a bad public relations event. These rules, called the General Data Protection Regulation (GDPR), define and strengthen the rights that consumers have when they are impacted by a data breach.
Most corporations limit the data fields they consider sensitive to things such as name, address, date of birth, Social Security number and driver’s license number; the GDPR adds things that can be used to track a person, including GPS data, genetic and biometric data, browser cookies, mobile identification identifiers (UDID and IMEI), IP addresses, MAC addresses (a unique number that is part of your network adapter) and application user IDs just to name a few.
Additionally, the GDPR will require corporations to provide information to their users about what personal data they collect on them and how it is processed. Any data they collect must have controls to ensure the privacy of that data. Perhaps the most interesting component of the GDPR is that any company with over 250 employees will be required to have a Data Protection Officer (DPO) who will be responsible for securing a corporation’s data assets. The GDPR has some real consequences for companies that experience a data breach with minimum fines of €10 million or 2% of its gross sales worldwide, whichever is higher!
Once GDPR takes effect, companies will need to either encrypt or tokenize almost all their data to be compliant (Data protection by Design and by Default). They will need to be able to remove a user’s data upon request, known as the right to erasure, or face fines and public backlash. While the GDPR requires companies to do an enormous amount of work, it will make consumers much safer.
GDPR requires companies to document their security controls and to demonstrate that they are compliant with them. Corporations will need to proactively monitor, detect, and defend their data assets.
It is not a question of if you will be attacked, but when.
The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule established standards to protect individuals’ medical and personal health information. It applies to health plans, health care clearinghouses, and health care providers that conduct transactions electronically. HIPPA requires companies that deal with personal health information to fully protect those records from unauthorized access while at rest and in motion. Since 2015 over 200M patient records have been lost.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that process, store, or transmit credit cards. The PCI standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Requirements 3.3 and 3.4 are of particular interest as they directly discuss how credit card numbers, referred to as Primary Account Numbers (PAN), can be used.
Requirement 3.3 states: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the of the PAN.
Requirement 3.4 states: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs).
Industry best practice is to tokenize the PAN which allows a business to perform the tasks that it deems necessary while protecting the card number.
In the United States the National Institute of Standards and Technology (NIST) has issued standard 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations, a 450-page document that has a simple and logical framework to help prioritize and address key risks.
The 5 main points of this framework are:
- Identify – Asset, Governance, and Risk Management
- Protect – Access Controls, Training, Processes, and Policies
- Detect – Monitoring, Event Management, and Detection Processes
- Respond – Analysis, Communications, and Mitigation
- Recover – Improvements, Communications, and Planning
While all 5 points of the framework are important, number 2 – Protect, is the one that most companies seem to struggle with. If the data is properly protected, the consequences of a data breach are greatly reduced.
Having lived through a data breach I can tell you that these companies didn’t want to lose their customers data, they didn’t skimp on security, they were just the losers of the latest arms race – the race between bad actors and corporations. In the newspaper age, it wasn’t feasible to steal data at the massive scale that we are seeing today. Data was in paper form or contained within a private network that had very limited outside access. Today everything is interconnected to everything else. It makes our lives better, but it also creates a whole host of new attack vectors. Security professionals and military professionals talk about defense in depth where the attacker must get through many layers of defense before they can get to their target objective. In the military when the attackers get through the outer defenses they still must get past the folks making the last stand, in the IT world that last stand must be tokenization and encryption!
Tokenization replaces sensitive data with random characters and preserves the format of the original data element. The token has no value, if a data breach does occur the tokenized data elements are worthless to the thief.
No matter how many cyber-attacks you manage to prevent, you can never assume you’re stopping them all.
Data-centric security is an approach to security that emphasizes the security of the data, rather than the security of the networks, servers, or applications where the data lives. There are two common methods used to protect data: tokenization and encryption. Tokenization replaces the sensitive data with tokens that are meaningless without compromising its security. Encryption renders the data useless without the key that was used to encrypt it. Companies should use both tokenization and encryption to protect their digital assets.
Tokenization allows for the preserving of the characteristics of the data such as the type (numeric, alpha, alphanumeric) and length which makes the implementation easier for companies.
Encryption doesn’t preserve the format of the data, so it requires more work to implement (field size changes, encrypt/decrypt when the data is used, a hash added to be able to search the data).
Data is a critical asset that crosses traditional boundaries (on-premises, hybrid, and cloud) and requires a scalable, fault-tolerant solution that can both tokenize and encrypt it to ensure that it stays protected. Once data has been properly protected, a corporation maintains its regulatory compliance while protecting it from hacking, fraud, and ransomware. Gartner Research has said that tokenization has emerged as a best practice for protecting sensitive fields or columns in databases during the past few years.
With both the PCI DSS and GDPR requiring security measures such as tokenization, one company, comforte, has emerged as having best in class solutions. They have products that provide integration to business applications without having to rewrite existing applications while also providing intelligent APIs for new applications. Their sophisticated and flexible framework allows multiple layers of data protection for new and existing applications. In many cases, data protection can be achieved without any application changes. You read this success story which provides a real-world example of how their products work.