Tuesday, December 18, 2012

Shutting the Gate; closing the Windows; Securing the Data!

In this introductory post on SecurData, a family of product offerings aimed at ensuring that personal information remains personal, I look at the importance of mandates and directives and at the impact they are having on data center managers. Look for further posts on SecurData, as this topic will be the subject of a number of follow-on posts …

As the holiday season gets under way and that time of year comes around when many gifts are exchanged, big dinners consumed, and many evening drives taken to look at all the pretty lights, we are constantly opening our doors to friends and relatives, all anxious to join the festivities. Living tucked underneath the front ranges of the Colorado Rockies, as we do, there’s always the added treat of watching for snow, with everyone’s fingers crossed for a white Christmas.

Like so many other neighborhoods that we know of, there are numerous residents that simply don’t lock their doors – the peaceful setting inside of quiet cul-de-sacs projecting an image of serenity that reinforces the perception that in this time of giving, everyone’s intentions are well founded with the only ones walking the streets of an evening being carol singers. Former neighbor, and founder of Insession Inc., Mark Hutchens, often told me that honestly, he had no idea where to find the keys to his house.

Unfortunately, just as there are townships where this lifestyle would lead to disaster, there are very few data centers today that would ever assume that everyone accessing their data has only good intentions. Securing the building, the physical components within the data center (the network included) and, most of all, the data, is of paramount importance to everyone charged with the oversight of an enterprise’s data center. And there are simply no business reasons why a data center manager would not want to protect every resource important to the business.

And yet, the mere presence of important data, including personal information about clients, is frequently viewed as an opportunity by those bent solely on disruption and personal gain, who will try to penetrate a data center’s defenses. Lifting the personal information pertaining to our finances is among the priorities of these individuals, and the many headlines published about successful attacks only encourage others to try. At every turn, unfortunately, there is the assumption that an individual data center will be all right and that its sheer complexity will, in and of itself, prove a barrier that few will be able to cross.

For many years, when it comes to NonStop and the mission-critical applications it supports, this has often been the case. While data center managers running NonStop systems always knew where the keys to the door could be found, the relative uniqueness of the NonStop architecture was all the protection they required. However, there are few NonStop systems remaining that are not connected to the outside world, where just a few hops away there’s a web server or some other internet-connected hub. The world is now simply too well connected for any user to assume that the applications and the data they collect are off limits and out of bounds to any party motivated enough to try and break through.

What of the vendors and the security they provide? For decades, what was on offer from HP NonStop was sufficient; you could lock down access to a system very well. As for the major solutions vendors, including the likes of ACI Worldwide, they too provided security when it came to critical Personal Identification Numbers (PINs) being passed from system to system; you could select a couple of configuration options to ensure your users were protected. When it comes to NonStop systems supporting applications for financial institutions, greater attention is now being focused on cardholder information, and much of what we thought was adequate protection is no longer good enough.

“The definition of cardholder data for most of us”, one trade publication recently wrote, “usually stops at the Primary Account Number, or PAN - those pesky digits that we have to protect as they run through our systems cause CIOs to cringe”. Yes, the PAN; that’s the number, typically 13 to 16 digits long, that you see on the payment card itself. Today the requirements have ratcheted up significantly and new rules have come into force. It’s no longer good enough just to protect PINs as they are passed from one system to another; you need to protect PANs as well.

The Payment Card Industry Data Security Standard (PCI DSS) documents the crucial requirements. Requirement 3.4 requires that the PAN be rendered unreadable anywhere it is stored, including on backup media and in logs, whether by one-way hashing, truncation, index tokens with securely stored pads, or strong cryptography with proper key management; requirement 6.4.3 states that production data (live PANs) is not to be used for testing or development. In other words, PANs, like PINs, are sacrosanct. Don’t mess with them and don’t ever let them be seen in the clear. And don’t think for one moment that the underlying operating system will help you out here: where disk encryption is used, requirement 3.4.1 demands that logical access to the encrypted file system be managed independently of the native operating system’s authentication and access control mechanisms, so that simply holding an operating system account does not, by itself, yield the decrypted data.

Fortunately, none of this is lost on comForte. Readers of this blog may recall the May 21, 2012, post by comForte CTO Thomas Burg, “Nightmare on PCI street”, reprinted in the September – October, 2012, issue of The Connection, where Burg stated: “I don’t want to oversimplify things, but I do believe that a big problem of securing NonStop systems is serious underfunding and under-staffing. The fact that NonStop systems are not always well known higher up in the IT hierarchy also does not help; I have seen several ‘Enterprise security initiatives’ completely ignoring the NonStop platform.”

What may be less well known is that comForte now has a product developed specifically to improve the protection of personal data: SecurData/Tokenization. By replacing sensitive data such as PANs with surrogate tokens that payment systems and related applications can carry in place of the real value, SecurData/Tokenization gives enterprises a solution for the tokenization of sensitive data. For the financial institutions running BASE24 there is a separate product, SecurData/24, providing them with a PCI compliant solution for the protection of PANs in BASE24.
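To make the two preceding paragraphs concrete, here is an added example of the technique they describe: tokenizing PANs found in authorization log lines so that the stored log satisfies the “unreadable anywhere it is stored” demand of PCI DSS 3.4. This is illustrative code written for this post; it is not comForte’s SecurData code and makes no claim about how that product works. The assumptions are mine: the token keeps the PAN’s length and last four digits, the rest is random, the token is deliberately made to fail the Luhn check so it can never be mistaken for a real PAN, the vault is an in-memory dictionary standing in for an encrypted, access-controlled store, and the log lines are constructed using well-known test card numbers.

```python
import re
import secrets

# Constructed sample log lines in the style of an authorization log. The PANs
# are industry test numbers, not real cardholder data.
SAMPLE_LOG = [
    "2012-12-18 09:14:02 AUTH 000123 PAN=4111111111111111 AMT=4950 RC=00",
    "2012-12-18 09:14:05 AUTH 000124 PAN=5555555555554444 AMT=12000 RC=05",
    "2012-12-18 09:14:09 AUTH 000125 PAN=4111111111111111 AMT=1500 RC=00",
]


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 check-digit test; every issued PAN passes it, which lets us
    tell PANs apart from other long digit runs such as transaction IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to surrogate tokens and back.

    Assumption for this example: the two dictionaries stand in for the vault.
    In a real deployment the vault is an encrypted, access-controlled store and
    is the only place a clear PAN exists; everything downstream sees tokens.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Same PAN -> same token, so reconciliation and joins on the token
        # still work without anyone needing the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep last four for customer-facing display
            # A token must never pass as a real PAN: reject Luhn-valid candidates
            # (which also guarantees token != pan) and already-issued tokens.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the authorized, vault-side component should ever call this."""
        return self._token_to_pan[token]


# 13 to 19 contiguous digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def tokenize_line(line: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN candidate in a log line with its token."""
    def repl(match: re.Match) -> str:
        candidate = match.group(0)
        return vault.tokenize(candidate) if luhn_valid(candidate) else candidate
    return PAN_RE.sub(repl, line)


def tokenize_log(lines: list[str], vault: TokenVault) -> list[str]:
    """Tokenize a whole log before it is written to disk or shipped to test."""
    return [tokenize_line(line, vault) for line in lines]


if __name__ == "__main__":
    vault = TokenVault()
    for line in tokenize_log(SAMPLE_LOG, vault):
        print(line)
```

Running it prints the three lines with both PANs replaced; the two entries for the same card carry the same token, and neither token passes the Luhn check, so a stray token can never be replayed as a PAN. Tokenizing before the log is written also covers requirement 6.4.3: a copy of the tokenized log handed to a test or development environment carries no live PANs at all.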

“A Brazilian payments processor is among the first to test with SecurData/24,” comForte Marketing head, Thomas Gloerfeld, told me recently. “They are an existing customer of comForte having already installed MR-Win6530 terminal emulation, SecurCS and SecurTape. But they were concerned about PCI compliance and when our sales team introduced them to SecurData they initiated a Proof of Concept (PoC) a few months back and it only took them about a week for SecurData to demonstrate support of key BASE24 logs – completely satisfying the requirements of the processor.”

In the coming weeks I will be covering this PoC, as well as others that are currently under way, in a little more detail but the early feedback is proving “extremely encouraging,” according to Gloerfeld. “And we are looking at early adopters going live sometime in February, 2013.” The holiday season may be an occasion to welcome all and sundry to our homes and in many neighborhoods the whereabouts of the front door keys may remain a mystery.

But when it comes to data centers and to CIOs and data center managers, there’s no respite from the need to protect all who interact with their systems. And perhaps that’s how it’s meant to be – the angst we all share about our personal information being compromised and our money taken is not a subject we take lightly, even at this time of year. It wasn’t all that long ago when all we worried about was someone inadvertently misplacing a tray of punch cards but in today’s globally connected world, we have all but ruled out that everyone’s intentions will be honorable!
