The Big Picture

The More Things Change. . .
image description

Every time I'm privileged to meet my peers in the industry, as I recently did at the RSA conference in San Francisco, I'm struck by how much things have changed since the last gathering—and how, in many ways, they've stayed the same.

Those of us who work in technology are constantly bombarded with the Next Big Thing: new technologies, new paradigms, new regulations, new solutions. The potential of cloud computing, the rapid growth of big data, the proliferation of mobile devices and applications—these are all major changes. And as professionals at the cutting-edge, we need to integrate these offerings into the infrastructure, and of course, cut costs and reap efficiencies in the process. We don't often get the luxury of stepping back and assessing the big picture.

We recently did just that with a fresh look at some of our customer successes. And again, I'm struck by how each scenario is unique, and yet similar.

Our core message is still jarring to some enterprises, and that's not a surprise—given their investments in IT security, it's hard for most businesses to assume that hackers will gain access to their data. However, it's the follow-up message that truly hits home: traditional security measures only protect the data when it's at rest, or within the traditional perimeter. By contrast, Voltage's data-centric approach ensures that the data is useless to hackers even after it's been breached.

But how does all this work in the real world?

Take the case of a global telecommunications provider, which needed most to secure data in its data centers. Through an extensive audit, it identified some 1,800 applications with sensitive data. An attenpt to prioritize them by risk still left 700 applications, and within those there were at least 26 distinct data types that needed protection. This in turn included details on social security numbers, credit card information, etc, covering nearly every privacy regulation, from PCI to HIPAA and state regulations. The technologies included were equally diverse and complex: mainframe, open systems, both packaged and custom-built applications, Oracle, DB2, Teradata, Unix, IMS, J2EE (Websphere, WebLogic) and HP NonStop, to name a few.

Here's another:  A global bank that needed to enhance enterprise email and data protection, masking, and data residency. This was as complex as the first example, but similarly unique. The project covered data protection for the entire enterprise cloud strategy, state privacy and banking rules, data residency challenges and hundreds of application services. Team members were confronted with multiple sensitive fields to encrypt, diverse platforms (including mainframe and open systems), the need to plug into existing ETL systems and hundreds of Terabytes of test data. And of course, the corporation insisted on simplicity (as it should).

Then there's the case of a travel organization that's heavily PCI-regulated and had multiple point solutions enterprisewide. It shouldn't come as a surprise that this led to major challenges over scalability and usability. The new implementation required replacing just about everything, across applications from the mainframe platform through end-user products, banking systems, internal applications, and of course  e-mail and file systems.

And just one more—another global financial services provider, but this time with the goal of secure document sharing between employees, partners and customers. This entailed a strategic enterprise project that covered some 200,000 users, along with internal and external email encryption, file encryption for desktop and USB replacements, and end-to-end protection, from the desktop to external communication channels. It also prioritized integration with the existing infrastructure, desktop management, portals, statement delivery, mobile, archive, e-discovery and, as you can imagine, plenty more.

We have these case studies available for you to see, but here's the Big Picture: The goal is always the same, but each scenario is unique. It's incumbent on each of us to incorporate new ideas and solutions as they come down the pike, and accept that our infrastructure and processes will continue to change as a result. Our priorities and standards, however, should not be compromised accordingly. A data-centric strategy, one that's not dependent on specific technologies, is the best way to ensure that.

Spotlight: Customer

Innovation That Wears Well
Innovation That Wears Well
Columbia Sportswear is not exactly a technology company—it's a global leader in apparel, footwear, accessories and equipment for the great outdoors. But the commitment to innovation in designing products that ensure true comfort puts Columbia far ahead of the competition and squarely alongside the best in the business.

The company had the same philosophy in mind when it came time to implement a new payment system for retail outlets. “We were looking for a solution that would minimize or eliminate the need to store payment data with the scalability to support future growth,” said Susan Leafe, Retail Application Manager at Columbia.  That meant a fully outsourced solution that uses customer-facing terminals to capture the data, immediately securing it with encryption and tokenization technologies.

It was a tall order, but combining its own innovation with that of Voltage Security, Merchant Link and Equinox Payments, that's exactly what it got.

In keeping with its international reputation for innovation, quality and performance, the company was determined to ensure the highest possible level of security for its retail customers. At the same time, it would have to be easily integrated with the existing point-of-sale system, and allow choices for payment processing. On top of everything else, given the company's growth, it had to be scalable.

The team assigned to the project first integrated the POS with the Merchant Link Payment Gateway, which provided a single, cloud-based interface to all major payment providers. Next, Columbia deployed Equinox Payments' next-generation L5300 payment system, which incorporates an integrated contactless reader and features Equinox's remote PIN key injection system to accept debit card transactions.

As for credit card numbers, Voltage provided encryption capabilities via Voltage SecureData Payments built into the tamper-resistant terminals. Voltage SecureData Payments  leverages breakthrough technology and encryption innovations such as the patented Voltage Format-Preserving Encryption and Voltage Identity-Based Encryption. The unique Stateless Key Management technology enables credit card data to be encrypted at the point of capture, but without the need for additional key management complexity or operational overhead, and works alongside PIN debit encryption. Merchant Link's TransactionVault tokenization and BizPortal reporting functionality are also featured in the overall solution.

The project represented a broad implementation with a narrow timeframe, so teamwork was essential.  Merchant Link, Voltage Security and Equinox Payments worked together to deliver the complete solution in just 14 weeks, with only minimal staff training. The first site went live right before the holiday season in 2011, followed by two pilot stores in December. The companywide rollout is scheduled to be completed next month.

The benefits of the implementation are manifold and undeniable. To cite a few: The secure, cloud-based network which transactions travel through ensures high availability and performance. It preserves connectivity to all major payment processors, while offering the ability to switch with minimal disruption to business processes. It reduces key management overhead, with no key injection required for credit card encryption. It simplifies the payment process by bringing enterprise reporting down to the transaction level.

Perhaps most importantly, given the pressures currently faced by the retail industry in this area, it reduces PCI audit scope by removing payment data from IT environment. In many similar projects, this benefit alone is cause for celebration. In the case of Columbia Sportswear, it's another indication of how this project stayed true to the brand and helps ensure customer trust.

Spotlight: Solution

Securing New Channels
Securing New Channels
Voltage SecureMail Application Edition extends data security even
further beyond the email backbone
The very notion of 'email' conveys the idea of communication between people, but that's not always the case. In every business every day, documents are generated via email by applications, or into applications, and they pose just as great a security risk as any other message. In some cases the risk might even be higher. Many such applications typically generate documents that contain demographic data that can be used to identify individuals---name, address, birth date, Social Security Number, financial records, etc. There are also numerous internal business processes where these practices are routine, exposing both customer and employee data to unwelcome viewing.

These diverse communication channels require the same level of data security as any other kind of content, and that's exactly the role played by Voltage SecureMail Application Edition. The functionality that now comes with this solution takes this protection even further, extending data protection from person-to-person emails to application e-mails.

Voltage SecureMail has played a critical role for a while now in encrypting outbound email generated by internal applications. For example, consider V-payments—virtual payment cards that are generated by an internal application and mailed out to external recipients, but only after they're encrypted at the gateway. At many financial institutions, this feature is routinely applied to bank statements, account receipts, and so on.

Via the new capability, Voltage SecureMail now protects emails sent from an application to a recipient, as well as the other way around, ensuring end-to-end protection of sensitive information. This, too, greatly reduces business risk and makes it easier to meet compliance mandates.

Here's one typical use case. A customer goes to the corporate site and fills out a web form—a claim, a job application, etc. Many of these communications involve Personally Identifiable Information (PII). With Voltage SecureMail Application Edition, this data is automatically encrypted at the gateway and maintains that level of protection when it travels to, and resides within, the recipient's inbox.

Another example might be the provisioning credentials required of, say, new employees—active directories, portal accounts, authorization codes for tokens, etc. This is important data, and it now has a higher level of protection. The same applies to password reset messages, fax-to-email transfers, certain enterprise collaboration tools and even enterprise-specific social networks.

As with all Voltage solutions, this one is simple to deploy. It doesn't require companies to reroute the mail flow, or undergo a complex SDK integration process. Voltage SecureMail Application Edition can be integrated with email-enabled applications via REST-style web service or over SMTP.

Simplicity of deployment aside, the real benefits of Voltage SecureMail Application Edition is that it extends messaging data protection far beyond the email backbone—i.e., corporate email servers and clients—and into applications. It eliminates security gaps that previously existed between applications and individuals, while avoiding the complexity and operational cost of integrating email encryption with applications: changing email architectures, re-routing email flows, and SDK integration. And of course, it serves the core purpose of greatly reducing the risk of data theft, fines, and damage to the corporate reputation while ensuring compliance with regulatory requirements.

It might seem to counter-intuitive to think of emails as being anything other than communications. Voltage SecureMail Application Edition protects them even when they're not.

Learn more about Voltage SecureMail Application Edition »
Download Voltage SecureMail Application Edition data sheet »

Into the Breach

image description
News from the world of hack attacks

Intergalactic Breach

While numerous U.S. government agencies have suffered significant data breaches in the recent past, a public admission by the National Aeronautics and Space Administration, better known as NASA, still came as a surprise. The agency acknowledged that hackers conducted no less than 13 successful breaches in 2011, stealing employee credentials and gaining access to mission-critical data.  One particular target was NASA's Jet Propulsion Laboratory in California, where even the most secure accounts were compromised.  JPL currently manages active space missions to Jupiter, Mars and Saturn, but on this planet hackers were able to gain full system access, which in turn meant they could tamper with every file and upload new tools to compromise other systems. NASA spokesmen emphasized that the breaches did not jeopardize the operation of the International Space Station.

The Price Tag of a Medical Records Breach

A new report from the PHI Project—a group composed of the American National Standards Institute and its Identity Theft Prevention and Identity Management Standards Panel, consultant Santa Fe Group and the Internet Security Alliance—warns that despite some improvements, efforts to promote digital security and maintain data integrity have not kept pace. More than three quarters of the professionals surveyed acknowledged that malware infestation is a very likely or likely threat, and while most want to implement more stringent security measures, a combination of budgetary constraints and the evolving nature of threats and technologies make greater protection a challenge. The report offers a complex risk-quantification formula that takes into account different cost factors associated with a medical records breach. For example, an unintentional breach of 845,000 records that led to an incident of clinical fraud resulting in a patient's death would cost nearly $25.5 million for an organization with $242 million in claims revenue.

Here at Voltage

  • Voltage Security Extends Data-Centric Mobile Security with Voltage Security Mobile Plus Initiative
    Voltage announced Voltage Security Mobile Plus, a comprehensive initiative to extend existing mobile security solutions to protect the new generation of mobile devices, applications and data. Building on the data-centric approach that's already used to protect unstructured and structured data wherever it goes, the Voltage approach protects e-mails accessed by mobile devices, enhances protection for sensitive business data and files, and protects transaction data captured at any new mobile payment method/device. The first product with enhanced capabilities for e-mail protection is targeted for release in the second quarter of this year.

  • Voltage Security Page-Integrated Encryption Enables Risk Mitigation and 100 Percent Scope Reduction for E-commerce Transactions
    Voltage announced that Coalfire, a leading independent Payment Card Industry (PCI) Qualified Security Assessor (QSA), has released a security assessment validating that Voltage SecureData Web with Page-Integrated Encryption (PIE) technology provides end-to-end data encryption from the consumer's browser to the merchant's processer. Coalfire found that a merchant, working with its acquiring bank or QSA, could achieve 100% removal of PCI DSS scope in e-commerce and cloud transactions with Voltage SecureData Web. When a merchant removes PCI DSS scope for their e-commerce environment, it can also remove 100% percent of the PCI compliance validation costs. Voltage is not only the first data security supplier to offer scope-eliminating capabilities for card-not-present transactions using end-to-end encryption, but also the first  to have a comprehensive solution for merchants to secure payment data from point-of-sale and e-commerce transactions.

Coming Up

Voltage Security webinars are designed to bring together industry-leading professionals to address current issues. Each webinar is concise, focused and directed toward real-world solutions.

  • Webcast: Data-centric Security Register Now  
    Mar 20 - 10:00am PT / 1:00pm ET

    Data-centric Security: How Six Enterprises Successfully Turned Gold into Straw

    (You will be redirected to BrightTALK to register for this webcast)

     

    We all know compliance doesn't automatically equal security—fully compliant systems are breached every day, and data stolen at will. In today's highly fluid and interconnected world, where data is the new perimeter, the traditional approach to setting up barriers to prevent infiltration has become irrelevant. This webcast featuring Mark Bower, Vice President, Product Management, will highlight the success stories of six Global 2,000 enterprises—including AIG, JPMorgan Chase and Heartland Payment Systems—that have overcome these challenges.

    Sponsored by:
    BrightTALK
  • Webcast: Killing Data View Now  
    On demand webcast

    Killing Data

    Will encryption become the cornerstone of your data security? John Kindervag, Principal Analyst at Forrester Research, discusses his latest thought leadership initiative in this insightful webcast about 'killing data' to make it useless to cybercriminals. As today's hackers become more sophisticated, they have eroded the effectiveness of traditional perimeter-based security controls. The constantly mutating threat landscape requires new defensive measures, such as the use of data encryption technologies.

    Sponsored by:
    BrightTALK
  • Webcast: New Strategies for Securing Personally Identifiable Information View Now  
    On demand webcast

    New Strategies for Securing Personally Identifiable Information: Protection Beyond Health Information Portals

    From secure email to shared health data in the cloud, what are the best ways to develop an effective security strategy for disseminating health information while adhering to privacy regulations?

    Sponsored by:
    HealthInfoSecurity.com
  • Webcast: It's not about Big Data, but Big Data Security: View Now  
    On demand webcast

    It's not about Big Data, but Big Data Security:
    Understanding the difference between IT Security and Data Security

    In today's business environment, data travels constantly—between customers, partners, users, third parties, etc.—and therefore must be protected accordingly. It's time to move on from point solutions focused on IT security to a single, enterprise-wide architecture that can effectively ensure data encryption wherever it resides, and wherever it goes.

    Sponsored by:
    The Data Warehouse Institute (TDWI)