Breach-Proof Your Data
Company and consumer information is compromised every day. Here’s how to stop it.
While organizations like to think their data stores and transmission channels are secure, in reality, that’s not the case. Breaches happen almost daily. And the type of data targeted by hackers is changing.
According to the “2012 Data Breach Investigations Report” by Verizon, payment card information was still the most often cited at 48%. However, 42% of security rifts—and by far the largest number of records stolen—focused on authentication credentials. This includes names, email addresses, national identity numbers and other information collectively referred to as “personally-identifiable information” (PII). While only 4% of events included the loss of personal information, those losses were substantial and resulted in the “largest hauls” by thieves: PII comprised 95% of the records lost, according to the report.
Much of the change in the types of data stolen is the result of financial institutions taking more stringent protection to comply with payment card industry data security standard (PCI-DSS) requirements. But since PCI-DSS compliance only secures credit card information, not the associated identity data, the PII data is left vulnerable and a target for theft.
From customer information to healthcare records to student files, PII theft is growing exponentially. That means organizations need to determine the best place to store their data and how to protect it.
Compliance with PCI-DSS, the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act and other regulations requires data to be protected. Access controls are not enough, which then dictates the baseline protection organizations need to have in place.
System Advantages and Drawbacks
Typically, the stronger the security, the greater the potential negative impact on performance, storage and transparency. And while organizations have their pick from a range of data security options, not all of them bring value to the business. This listing provides an overview of the various types of security currently available:
Native database protection methods typically perform well, do not impact storage and have a high level of transparency. But since they are not protecting the actual data, security remains an issue. Relying solely on access controls, for example, will not prevent a disgruntled DBA from accessing the data. This option encompasses a number of complementary security controls that can include:
- Authentication and authorization
- Row-, column- and role-based access control
- Activity logging and monitoring
- Discretionary and mandatory access controls
- Network and physical security controls
Hashing algorithms are one-way transformation functions that turn a message into a “fingerprint.” They typically secure data fields where there is no need to use the original data again. These algorithms are helpful for passwords, but not suitable for an environment that needs to reuse data.
Format-preserving or datatype-preserving encryption generates cipher texts that are the same length and data type as the input and can simplify retrofitting encryption into legacy application environments. It’s slower than strong encryption and, like other encryption technologies, requires complex distributed key management.
Strong encryption is more applicable to high-risk data than the format-preserving method and is the “gold standard” for encryption. It gives the encrypted text a different data type and length, which increases database size requirements and is unable to provide as much transparency as other methods.
Vault-based tokenization provides a more manageable, less-intrusive solution than encryption while still meeting PCI requirements. Tokenization replaces sensitive data such as credit card information with fake data (tokens) that has no resale value. But the large look-up tables (vaults) rapidly become unwieldy, negatively impacting performance, ease of deployment and total cost of ownership (TCO).
Vaultless tokenization is much more manageable than the vaulted method. By eliminating the vault, businesses benefit from a high-performance, scalable, lightweight solution that delivers a much lower TCO while expanding security applicability beyond PCI. Vaultless tokenization virtually eliminates encryption’s key management drawbacks and delivers transparency with strong security. One company, Protegrity, is now developing new tokenization algorithms that go a step further: incorporating sufficient business intelligence (BI) that reduces the need for de-tokenization when the original data is required for analysis.
Full Spectrum of Protection
Access and authentication controls, however complex, sophisticated or multi-layered, are often insufficient for protecting data. If these controls are breached, the data is open to misuse. Because PII can contain both structured and unstructured data that’s subject to demands for analysis and manipulation, neither encryption nor tokenization alone can deliver the full spectrum of business needs or security mandates. But combining the two can deliver the best attributes of both methods for reliable data protection.