Data Fall 2018 Security

Protecting Your Enterprise – That’s Our Mission

Our Story

From connecting systems that never stop, to data protection

comforte was founded in 1998 by the creators of a connectivity solution for mission-critical systems.
Soon after becoming the most widely used terminal emulation solution for HPE NonStop systems, comforte realized the next logical step was to make sure that communication between systems and applications was secured as well.

Meeting the need for simple-to-implement encryption of data moving between systems and applications proved to be extremely necessary. In 2010, HPE realized the strength of the solution and worked with comforte to include our data encryption solution in every HPE NonStop operating system shipped.

Recognizing the need to secure data at rest as well, comforte decided to develop a solution providing rock-solid data protection. The first active customer went live in 2014 and a patent for the tokenization algorithm was received in 2015. At the time of this article’s publication, over 40 organizations worldwide have successfully implemented data-centric security with comforte in their production environments.

With more than 20 years of experience in unlocking more value from systems that never stop, comforte has evolved into a market leader for data protection on mission-critical systems. Today, comforte proudly serves more than 500 businesses in every vertical around the globe.

As our experience with data protection increases, all indications continue to show that the enterprise market as a whole needs to address data protection. This need is validated on multiple fronts:

    • Our own customers tell us they need data protection on enterprise systems as well
    • Data breaches and security incidents are happening more and more each year
    • Regulations continue to be released requiring companies to do more to protect sensitive data and maintain data privacy

As comforte has developed long-term commitments to many customers and partners throughout the years, a thoughtful approach is required to address the enterprise data protection market while maintaining customer loyalty and brand recognition in the mission-critical market.

Setting a new strategy in an already established market is risky

After co-founder and CEO Dr. Michael Rossbach retired in 2016, the timing was right to bring in a new CEO who would understand the history, success, and customer relationships of the existing market and who could set a strategy to address a new market. Michael Deissner was selected by the board in July 2016.

About Michael Deissner
Deissner has a long history of successfully growing organizations in demanding environments. Before joining comforte, he was at Cytonet for 15 years, in several leadership roles including Managing Director, CFO, and CEO. Michael started his career as a managing director of a medium-sized services company and worked at SAP managing internal and external projects.

Along with looking at digital payments and securing comforte’s solutions on mission-critical systems, Mr. Deissner has committed to providing enterprises with data protection as a key strategic driver for comforte.

Where the Market is Going and Our Mission

High-profile data breaches have recently become a recurring theme in the news. In 2017, Verizon, Equifax, Uber, Deloitte, and Alteryx, among many others, all lost billions of sensitive data elements. In most cases, individuals whose data had been lost did not consent to or know that their personally identifiable information (PII) was stored by these organizations. Upon closer examination of the Equifax and Alteryx breaches, it is possible that nearly every adult living in the United States has been impacted. Equifax lost 140 million records and Alteryx lost 123 million records, each of which contained personally identifiable information about U.S. citizens. Compared to the U.S. Census Bureau’s estimate of approximately 248 million adults living in the United States, more than half were affected by the Equifax breach alone.


Taking a closer look at compliance challenges that organizations are facing

To help companies deal with these breaches, numerous standards have evolved over the last few years which describe how data should be protected. Legislators and industry leaders are constantly updating their standards and regulations as new threats and new countermeasures emerge.

On May 25, 2018, a new set of rules took effect in the European Union that can carry significant financial consequences if organizations suffer a data breach without having taken the necessary preventative measures. These rules, called the General Data Protection Regulation (GDPR), define and strengthen the rights that EU residents have when they are impacted by a data breach. Most corporations limit the data fields they consider sensitive to data elements such as name, address, date of birth, Social Security number and driver’s license number. The GDPR includes any data elements that can be traced to a specific person, including GPS data, genetic and biometric data, browser cookies, mobile device identifiers (UDID and IMEI), IP addresses, MAC addresses, application user IDs, and many others.

The Payment Card Industry Data Security Standard (PCI DSS) is a standard for organizations that process, store, or transmit payment card data. The PCI standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Requirements 3.3 and 3.4 are of particular interest as they directly discuss how payment card numbers, referred to as Primary Account Numbers (PAN), can be used.

The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) established standards to protect individuals’ medical and personal health information. It applies to health plans, healthcare clearinghouses and healthcare providers that conduct transactions electronically. HIPAA requires organizations that deal with personal health information to fully protect those records from unauthorized access while at rest and in motion.

Once compliance is addressed in your organization, is your business safe from data breaches?  Not necessarily – in the cybersecurity space, it is commonly said that “compliance does not equal security”.  Compliance does help identify potential security gaps and weaknesses and may reduce the risk of data breaches, but there’s still more that can be done.

Looking Beyond Compliance – Why the Rate of Data Breaches is Increasing Globally


In most cases, data breaches are not a result of neglect on the part of the affected organization. Malicious actors are constantly devising new methods to gain unauthorized access to sensitive data and it is extremely difficult for risk analysts to detect every possible vulnerability and foresee which will be exploited and how.

Why do data breaches happen in spite of all the technology we have access to? Here are three reasons:

    • Ubiquitous connectivity as a result of digital business, Internet of Things, and commercial micro-ecosystems. Since everything is connected, attackers only need one successful entry point to penetrate further than ever before.
    • Digital Workplace initiatives are becoming more common: employees get access to company data from any device, from any location, and at any time. This poses a serious challenge to security professionals as the traditional means of perimeter security become less effective.
    • Complex IT and application infrastructures with modular architecture and many different devices and sensors create new attack vectors for hackers.

Protecting data against these challenges may seem like a daunting task, but there is a way to improve your data security strategy right now…


The Right Way to Secure your Data

Data-centric security is an approach to security that emphasizes the security of data itself, rather than the security of the networks, servers, or applications where the data lives. There are two common methods used to protect data: tokenization and encryption. Tokenization replaces the sensitive data with meaningless tokens, without compromising security. Encryption renders the data useless without the key that was used to encrypt it. The best approach is a layered defense with tokenization and encryption at its core.

The vast and highly complex IT infrastructure of enterprises requires an extremely flexible deployment model. comforte’s data protection suite is a scalable and fault-tolerant enterprise tokenization and encryption solution enabling robust protection of sensitive data with minimal effort and with little to no impact on existing applications. Different elements of the solution can run fully distributed across your enterprise including on-premises, in the cloud, or in a hybrid fashion. This results in the perfect combination of the benefits of cloud deployment or “as a service” usage with the security and performance of on-premises deployment. Yes, Tokenization as a Service (TaaS) has become a very feasible option.

Message from Michael Deissner
comforte has emerged at the forefront as having the best-in-class solution to address data-centric security. It allows organizations to achieve end-to-end data protection, lower compliance costs, and significantly reduce the impact and liability of data breaches.


Leveraging our Special Sauce to satisfy multiple needs

Deploying data-centric security not only exceeds data protection requirements, it also benefits the enterprise as a whole.

IT security & operations teams benefit from the ease of implementation of comforte’s data protection suite. Passive integration capabilities eliminate the need to make code changes to existing business applications. Built-in capabilities for elasticity and a self-healing architecture help these teams spend less time on managing and operating the system.

For IT security & operations teams

    • Passive integration capabilities minimize implementation efforts and costs
    • Minimal impact to the applications that get protected means that they can just keep running – implement data-centric security without downtime
    • Elasticity & self-healing as fundamental architecture principles reduce the time needed for management and operations

For line of business and risk & compliance teams

    • Data-centric security significantly reduces the impact of data breaches
    • Compliance can be ensured and maintained without being dependent on compensating controls
    • Data protection is a competitive differentiator and can also be positioned as a value-added service to drive additional revenue

For your customers – it is all about trust

In an age where choice has never been bigger and where it has never been easier to simply switch to a different product or service, customers are looking for business partners they can trust. Data protection is the foundation to demonstrate to your customers that you care about their data and their privacy.


The increasing importance of compliance, the shift in technology, and the ever-increasing number of data breaches clearly show that companies need to look beyond traditional means of securing their data. Data-centric security has become a best practice and should be top-of-mind for risk, security, and compliance professionals. Don’t be one of those organizations that have waited too long to take the right measures to protect their data and that suddenly find themselves in the headlines as yet another company that has been breached.
