Tuesday, November 13, 2012

Losing my mind! Protection is becoming paramount – an intro to PANfinder and SecurData!

What everyone fears most of all happened to me – my laptop failed while I was travelling. Partially restored, I am at least able to get on with my business. However, it was a wake-up call not just about keeping backups but about security as well.

If you haven’t already read about it elsewhere in posts to blogs and other social media channels, I killed my laptop this past week – spilling a drink over the keyboard and watching the computer simply fizzle. Ouch – but yes, I have my fingers crossed and am hopeful the hard drive will prove recoverable. I do maintain a multiplicity of back-up approaches that I will not go into in detail, other than to say that restoration will be labour intensive and that yes, there has to be a better way!

As my IT resource is working through the process, I am being asked regularly which emails are important, which files I absolutely must have, and which spreadsheets and other tables, files and logs I require. Of course, I have some basic folder structures in place where I can go to find what I have written for a particular party, and there are picture folders where I keep photos that I may include in posts and discussions – I have begun to post to Facebook almost as often as I do to LinkedIn, all the while aware that the communities may appear vastly different; but with so many of my business colleagues also being friends, the lines are getting somewhat blurred.

However, what the exercise in restoring my working environment is highlighting for me more than anything else is the crude nature of my security model. Well, actually, that’s putting too fine a point on it – I don’t even have a model, let alone a pattern that I follow. It’s a mess, and it has come to this as I have embraced many different approaches and have been forced to make adjustments as emails arrive informing me that, due to some internal incident, my login information may have been exposed and even compromised. Ruining my laptop has opened my eyes to the fact that I do need to rethink my approach.

Of course, there’s the obvious issue of figuring out what I have secured and what I haven’t. Mostly this is due to inherent laziness and the assumption that, in the end, “she’ll be right”, as I am so used to saying as an Australian. But of course, it will not be all right – my online banking with a major American bank requires some security steps to be taken for very obvious reasons. I have also just taken delivery of my new Square – downloading the application to my iPhone and receiving the physical Square reader – for some time now I have wanted to be in a position to accept credit cards, and certainly this isn’t a matter where I can continue to be casual either.

“A first good step in understanding a problem,” suggested comForte’s head of marketing, Thomas Gloerfeld, rather passionately, “is simply knowing where critical data is located and to be knowledgeable about the types of data that need to be protected. For instance, when it comes to the Financial Institutions (FIs) we work with, when it comes to the Payment Card Industry (PCI) and their mandates for security and subsequent monitoring of compliance, comForte continues to run into member institutions that simply don’t know where sensitive information is located. And for that reason, we are truly excited to be able to distribute the PANfinder tool - simply for the purposes of providing these companies with a tool that will locate where Primary Account Numbers (PANs) can be found. It’s a first step for sure, but you would be surprised just how many of these companies struggle to even know how big of a problem they have and frequently, they are loath to do anything until it is pointed out to them during an audit.”

I don’t need anything quite like PANfinder to help me out with my plans for security but simply maintaining a list of all my logons and passwords seems a vulnerability to me. True, I did password protect the list (and buried it deep within an unrelated folder), but there it is, my whole plan laid out for pretty much any hacker to see. But it’s all gone now and I am back to square one, no pun intended. Over the next couple of days I will be logging onto different systems and applications to find out what password I have been using and once completed, I will go back in and change everything … but again, I need a plan!

“Protection of Data-at-Rest is the over-arching theme for what we are doing,” Gloerfeld responded. “Simply, PAN data discovery is the starting point of any PCI project. Where are the PANs located, etc.? At least this then gives the FIs an understanding – possibly for the very first time – of what they are up against and a first-look at what they will need to do. Then it becomes a question of what do these FIs then do with the PAN data and for comForte, we see this discussion quickly pivoting on just how to protect the PANs and for us, this means tokenization, something we now address with SecurData.”

I didn’t know my security was as bad as it was until I was put into a position to closely examine it – and perhaps it takes the shock of losing a system, facing a complete rebuild, that opens your eyes to the dilemma we all face – a really good plan is time consuming and can prove expensive. “For many NonStop folks, security is not the highest priority. Quite often, just keeping the systems running while dealing with reduced budgets and staff - just getting by with the day-to-day business can be a daunting task - so it is no wonder that it may take an external audit to push security higher up the to-do list,” explained Thomas Burg, comForte CTO. “From talking with PCI auditors at various events, we believe that it will probably be external (or internal) auditors who will drive what is mandatory in securing NonStop systems. For instance, not encrypting Telnet is considered a big NO in most customer environments these days. Running products such as PANfinder to get a grip on where your data is could very well be mandatory soon, followed by implementing proper means to secure the data.”

In the coming months, there will be several more posts on security. I have been skirting the topic for some time now, but in the recent exchanges with Burg and Gloerfeld it’s becoming more than obvious that it’s not something any NonStop user can take lightly. Perhaps re-examining our approach to security need not be driven by a lost system, as it has been for me, to highlight the many weaknesses in a plan (or indeed, the complete lack of a plan, as in my case). I nearly lost my mind when the failure occurred, and that’s not something any business, FI or otherwise, can ever let happen.

Perhaps all it needs is to start talking to a partner with the same passion for security as you have and then make the investment in time, resources and “networking” that is required. There’s simply no excuse today to have a security approach that includes post-it notes on displays or scraps of paper under your mousepad. As for me, these discussions with Burg and Gloerfeld couldn’t have proved timelier, and I am well aware now of all that I must do.
