Q&A with Mark Bower of Voltage Security
Recently I talked with Mark Bower, director of Information Protection Solutions at Voltage Security. I have written about Voltage in the past, and still argue that the Format Preserving Encryption (FPE) it offers is unlike anything I have seen with regard to data protection and security. I e-mailed Mark during a news cycle of several information breach disclosures, all within a few days of one another. The Q&A is provided as is, and is just one expert's insight into data security.
Q: In each of the three cases, Stanford University, East Tennessee State, and U of SC, there were over 85,000 records lost. "6,200 (Tennessee) to 72,000 (Stanford) -- the U. South Carolina breach falling in between with 7,000 affected." Why were these systems not encrypted? Who is at fault?
A: Data encryption to date has been a complex problem: the change impact to legacy systems and the corresponding downstream application changes were difficult and complex, and required specialized resources to manage and operate.
In many cases the solutions were incomplete -- for example, encryption that only protects data at rest and not in use (as in some of the built-in database encryption systems) doesn't protect data once it leaves the database, and so data in motion is data in the clear... However, a lack of understanding of the real risks -- such as the well-funded specific attacks on databases, and an assumption that applications are safe is where the blame comes from. These days, if data is not persistently protected, it has the potential to fall victim to breaches at some point in the future -- either from insider threats, or from well-funded directed attacks. Why? Personal data is money.
Q: "Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center." Here you have a careless driver, no encryption that is mentioned for the data. Isn't this covered under HIPAA? What is the average cost to encrypt one backup tape of a typical size? You have clients in the medical and financial fields, what could the hospital have done to prevent this?
A: If the data contains patient information and personal data -- like Social Security numbers, names and addresses etc., or Social Security numbers and Disease Codes or diagnostic results, etc., then this is covered under HIPAA and other privacy regulations like SB1386.
As to the cost of encrypting the backup, if persistent data encryption is implemented, such as Voltage SecureData, on the data in the database, then it's a ZERO cost -- the data is already protected when it goes to tape, is extracted from the database, or even is accessed by inside persons, it is still encrypted and only made available in clear form when policy permits. All the analysts agree now that this persistent encryption -- or a data-centric approach -- is the way forward and an emerging best practice to solve the data breach issue.
Q: Another data breach is related to CottonTraders.co.uk. 38,000 card details were lost after a server hack. What is it with data and security? One side of the coin has people shouting 'secure the systems and the data is fine', while the other side says 'secure them both'. As a data security vendor I know where you stand. Tell me, in your opinion, what will it take before universities, financial, and medical sectors start to learn their lessons and encrypt personal and sensitive data?
A: What's been lacking from the solutions is ease of implementation, completeness of solution (protection of data beyond the database itself) and speed to implement. Database encryption projects were either halfway solutions, like those that decrypt the data as it leaves a table in the database and not protecting when it's in the application or in a backup, or very complex to implement, taking months or years before data is protected -- and at great cost.
However, this has all changed -- breakthroughs like Format Preserving encryption and Stateless Key Management to take away key management pain mean that the data privacy problems can be taken care of in literally days, and without a truckload of security experts to manage and maintain it -- of course, in this economic environment, nobody wants to add more operational or high cost expertise to teams, so cost is an important factor, and that can now be minimized.
Q: Do you think we need more regulation to fix this issue?
A: We already have more regulations coming -- the Identity Theft Red Flag regulations are going to bring a reality check to many organizations, as they require board level sign off of data privacy handling policies. This puts privacy where Sarbanes-Oxley was a few years ago -- right at the forefront of executive management. Existing regulations like PCI are having an impact too -- a necessary forcing function -- to make organizations handle other people's data in a more secure manner.
However, it is still early days. One can hope that the visibility and momentum created by PCI, Red Flag, GLBA, and SB1386 etc., creates a desire to achieve best-in-class status for information privacy management, rather than being a knee-jerk audit check box problem: if the latter is the case, breaches will still continue as information security is a continuous process problem and not a one-time activity.
Q: What do you say to the company that says data security is a concern, but there is no budget for adding it?
A: Any company taking this approach is hedging their reputation and future on a highly [probable] event. Indeed, organizations taking such an approach may already have data being extracted from their systems without knowledge right now with future consequential damages that are not only career limiting, but also a risk for the entire company. History shows this with well known cases such as Card Systems with millions of dollars in shareholder value destroyed from a data breach.
The solution to this of course is to build security and privacy into the fabric of the company, and to educate senior management about the measure of risk. Sometimes there is the gap in knowledge on what the risk actually is -- the assumption that systems are safe because there has been no such breach reported, but when in fact on a daily basis customer and employee data is routinely emailed or FTP'd to business partners without any encryption at all.
In these cases, it's important for the CIO and CISO to understand the true risk profile of how the business is handling data, and define risk mitigation strategies, best practices & policies and enforce them with technology. An organization doing nothing today can start small and build -- after all, there is actual business value in the ability of a business to show it can comply with industry best practices aligned to Sarbanes-Oxley, GLBA, and other privacy-oriented regulations for its own business reputation.
Q: I am not sure if you know the details of the recent Verizon Business survey. Here are some points for your comment:
In 59 percent of data breaches, the organization had security policies and procedures established for the system, but these measures were never implemented. With 66 percent of all breaches involving data that a company did not even know was on its system, Verizon said it's critical that an organization knows where data flows and where it resides. How often do you see this when you visit a potential client?
A: This is a challenge for every customer we work with and who uses our technology to solve the problem: the gap between the legacy "perimeter" of the business, and the new perimeter -- the data -- which extends to the business partners and customers' own systems. The data-centric approach is the solution to this: extend the control over your data to align with where the data goes. It really is the only way forward.
Q: Finally, I know you have something up your sleeve with data protection, so what is new, and how will it help?
A: If you look at all the breaches mentioned here, there's one thing in common: the data comes from databases. Now, changing databases, as we've said, to accommodate encryption has been a big, big problem -- schema changes, changes to applications, workflows etc., are often multi-month projects. Format Preserving encryption, which is a mode of AES, shrinks those months to days.
With AES FPE, you can encrypt fields so they stay the same formats -- like a Social Security number, credit card number, name, and address -- without changing the database, and since the format stays the same, most of our applications reading data don't need to change.
For those "trusted" applications that need the real data, the change is tiny -- 1-2 lines of code, and we can use SOA models, SDK, or a command line. On top of this, the Voltage SecureData has stateless key management -- so there's no database of keys to manage, and a direct relationship between keys, identity and roles gives "Role-Based encryption," if you will. So now, we can have trusted people accessing trusted data, at will, on the fly, whilst protecting the data itself no matter where it goes. Data-Centric Security at its finest!
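To make the format-preserving idea from the last two answers concrete, here is an added toy example; it is not Voltage's code and not the AES-based mode Mark describes (or NIST FF1), but a small Feistel network over decimal strings that uses HMAC-SHA256 as its round function, so it runs on the Python standard library alone. The key, the "ssn" tweak and the sample numbers are all constructed for the demo; the point it shows is that a 9- or 16-digit field encrypts to a same-length digit string, separators can stay in place, and an application that only needs the column's shape keeps working unchanged.

```python
import hashlib
import hmac

def _prf(key: bytes, tweak: str, rnd: int, block: str, width: int) -> int:
    # Keyed round function: HMAC-SHA256 over (tweak, round, other half), reduced to `width` digits.
    msg = f"{tweak}|{rnd}|{block}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)

def fpe_encrypt(key: bytes, digits: str, tweak: str = "", rounds: int = 10) -> str:
    # Feistel network over decimal strings: output has the same length and charset as the input.
    if not digits.isdigit() or len(digits) < 2 or rounds % 2:
        raise ValueError("need >= 2 decimal digits and an even round count")
    n = len(digits)
    u, v = n // 2, n - n // 2            # FF1-style split: left half u digits, right half v digits
    a, b = digits[:u], digits[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else v       # width of the half being replaced this round
        c = (int(a) + _prf(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)        # zfill keeps leading zeros, so the width never drifts
    return a + b

def fpe_decrypt(key: bytes, ct: str, tweak: str = "", rounds: int = 10) -> str:
    # Same rounds in reverse order, subtracting the round value instead of adding it.
    n = len(ct)
    u, v = n // 2, n - n // 2
    a, b = ct[:u], ct[u:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, tweak, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b

def encrypt_formatted(key: bytes, value: str, tweak: str = "") -> str:
    # Encrypt only the digits of a field like '123-45-6789'; separators stay where they are.
    digits = "".join(ch for ch in value if ch.isdigit())
    enc = iter(fpe_encrypt(key, digits, tweak))
    return "".join(next(enc) if ch.isdigit() else ch for ch in value)

def decrypt_formatted(key: bytes, value: str, tweak: str = "") -> str:
    digits = "".join(ch for ch in value if ch.isdigit())
    dec = iter(fpe_decrypt(key, digits, tweak))
    return "".join(next(dec) if ch.isdigit() else ch for ch in value)

if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"   # constructed, hypothetical key
    ssn = "123-45-6789"                                 # constructed sample value
    ct = encrypt_formatted(key, ssn, tweak="ssn")
    print(ssn, "->", ct, "->", decrypt_formatted(key, ct, tweak="ssn"))
```

The tweak plays the role of a per-column context so the same digits in two different fields encrypt differently; the key is deliberately an obvious placeholder.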
Reproduced from an article published by The Tech Herald
© The Tech Herald
The original article can be viewed here:
http://www.thetechherald.com/article.php/200825/1279/Q&A-with-Mark-Bower-of...