Adding Modern Security Layers to Legacy Systems
Below is an article that appeared on the HPE Matters website, “How Allegiant Air Prepares its IT Systems for the Holidays and Beyond,” with HPE Security – Data Security customer Chris Gullett. Chris is the Director of Information Assurance for Allegiant Air and he talks about adding modern security layers to legacy systems.
It is next to impossible to purchase an airline ticket or a drink aboard the plane without a credit card today. Whether the purchase is made online, at a kiosk, or in-flight, credit cards add convenience and flexibility for the traveler.
However, credit card transactions can come with their own security risks, potentially exposing financial and personal information through a data breach. Protecting credit card information is the responsibility of the airline, and just one of the cyber security concerns that airlines like Allegiant Air must address while being compliant with industry regulations.
Adapting to Today’s Security Threats
Companies that accept credit and debit cards need to follow Payment Card Industry (PCI) standards, but that’s no easy task. According to Chris Gullett, Director, Information Assurance at Allegiant Air, the airline is unique in that it has its own reservation system. “We have a software program that runs the entire airline. We don’t use an outside, third-party system like other airlines use,” he says. The system dates back to the mainframe days and was eventually migrated to a web environment in the 1990s. As anyone who uses legacy systems knows, they weren’t designed with current cyber-security risks in mind.
“We didn’t have the same level of threats back then as we do now,” Gullett says. But now these same systems are being tasked with handling today’s security tools, and they need to meet the same compliance standards as any modern system.
Improving Legacy Systems with Encryption and Tokenization
Rather than go through the costly, time-intensive process of replacing the entire legacy system, Allegiant Air looked for security technologies to work with their software while still being able to meet PCI compliance standards. The airline first turned to tokenization to secure the credit card transactions data in their back-end systems.
“We went from storing millions of credit card numbers to storing zero,” Gullett explains. The tokenization system Allegiant Air uses, HPE Secure Stateless Tokenization, replaces each credit card number with a single token generated using random numbers. No human ever handles the credit card number.
That was a great first step, but it wasn’t going to be enough. With the prevalence of ecommerce and mobile devices, sensitive data can’t be protected with a hard perimeter. Therefore, Allegiant Air applies protection directly to the data itself with HPE Page-Integrated Encryption to encrypt the consumer’s credit card information the moment it’s entered into the web browser. The data is protected all the way into Allegiant Air’s back-end system—and there, converted to a token.
Encryption, Gullett explains, fixed the other major problem they faced in becoming PCI compliant: taking the legacy systems that were non-compliant completely out of the scope of the PCI audit.
In addition to credit card data, airlines collect other valuable information on each passenger, including full names, birthdates and travel itineraries. Gullett says if this information fell into the wrong hands, it could be sold on the black market, or combined with data from other breaches to gather very specific details about individual passengers. To combat this, Gullett also expects passport and social security numbers to be protected much like credit card data is protected, from the consumer’s browser all the way into their back-end systems.
While it is still vital to have some form of network protection, data-centric solutions such as encryption and tokenization are critical as hackers go directly after the information itself. “The extensive use of encryption for data-in-motion and data-at-rest is often the best thing you can do,” Gullett says.
Season’s Security Greetings
As the holiday season approaches, online traffic in Allegiant Air’s network will increase significantly. There will be an increased risk of denial-of-service (DoS) attacks, which could take airlines’ websites offline and cost thousands of dollars in lost sales. With higher traffic, there will be more data to protect and more third-party systems, like weather and routing information, to connect. That means scaling the security efforts to prevent attacks has to match the scaling involved in bringing all of the other systems online.
“In the end, our job is to worry about the customer experience,” says Gullett. Families want to have a good time on their trip, and not worry about coming home to identity theft caused by a breach in the airline’s network. “At the same time,” he adds, “we have to do that in such a way that we can continue to operate. We can’t be so inflexible that we can’t grow and succeed. Security is seen as the department who says ‘no’ all the time. Instead, Allegiant’s team is good at saying ‘yes, but’ and finding a way to implement what is needed in a secure manner.”
HPE SecureData provides best-in-class data encryption and tokenization for structured and unstructured data and enables cost-effective PCI compliance, scope reduction and secure analytics. HPE Security – Data Security solutions are used by leading enterprises worldwide, reducing risk and protecting brand while enabling business.