Townsend Security Data Privacy Blog

“Encryption and key management can’t become endemic the way it needs to be without being easy and affordable. That’s a fundamental fact.” - Patrick Townsend, Founder & CEO of Townsend Security

Every day securing sensitive data becomes more and more important. With sensitive information being entered into databases, and many databases moving to the cloud, the risks associated with unprotected data increase exponentially. Data such as credit card information, social security numbers, financial information, and protected health information (PHI) gets dumped into internal IT networks as well as the the stratosphere of the cloud. Without adequate data security tools, businesses are sitting ducks when it comes to data loss.

Unfortunately for a lot of organizations, the security tools their IT departments have deemed “adequate” are mostly firewalls and other access prevention mechanisms. Today, however, it is widely acknowledged by security professionals that these mechanisms are easily breached by hackers. In fact, many data breaches are simply caused by employees mishandling data. Because firewalls don’t keep data secure, industry regulators such as the Payment Card Industry Security Standards Council and HIPAA/HITECH Act mandate or strongly recommended organizations use strong encryption and encryption key management to secure the data itself. If encrypted data is compromised, but the encryption keys are securely protected, then the data remains unreadable.

Recently Joan Ross, security expert, published a White Paper outlining critical encryption key management principles that will help organizations overcome one of the biggest barriers to implementing a strong encryption key management solution: The need for a solution that is affordable and quick to deploy.

Time, money, compatibility, and hidden costs are issues every business struggles with. Almost every single successful, new innovative technology these days is designed to help individuals or businesses reduce time, save money, and increase compatibility between devices--unfortunately, the hidden costs sometimes persist. You see simplification driving down costs with tools such as virtualization and cloud computing, for example. These technologies are so effective at helping businesses reduce costs that more and more people are using them every day.

However, as businesses move more and more data into virtualized and cloud platforms, securing that data becomes even more difficult due to the inherent complexities of these environments. As this happens it’s important to remember that data security shouldn’t fall to the wayside.

With over 25 years in the data security industry, Ross addresses in her White Paper the issues of affordability and hidden costs in effective encryption key management systems. When choosing a key management vendor, Ross reiterates that hidden costs can quickly add up, resulting in a solution that that becomes too exorbitant to execute. Transparency, she urges, is critical to a successful relationship with a key management vendor. Achieving affordability and transparency is possible today because there are vendors today who want to work with customers--and who believe that cost should not be a barrier to good data security.

In Joan’s words: “Data security has come a long way within just the past few years.  Organizations no longer have to continue to maintain current patchwork methods because there are no available, cost-effective, or interoperable solutions that easily solve their problems.  Encryption and encryption key management are now industry standards and work across both legacy and newer business systems, multi-platform and multi-tenant networks, remote access workstations, geographical offices, data centers, and third-party business partners.”

Download the White Paper "Industry Must Haves for Effective Encryption Key Management" to learn more about must-haves in an encryption key manager and how to ensure your data is fully protected.

More than any other industry, it is surprising that the gaming industry struggles with protecting customer credit card information. For businesses that deal in money, you’d think that protecting this asset would be their number one concern. However, just like every other industry, some casinos still lack many proper controls such as encryption and encryption key management to keep customer card data safe.

The truth is, there are so many credit and debit card transaction points from the moment a customer walks into a casino. At every single point a customer swipes their card, that card information needs to be encrypted. This isn’t just a best practices--credit card encryption is mandated by the Payment Card Industry Security Standards Council (PCI-SSC). This means that at any point during any transaction, credit card numbers should never be transferred, processed, or stored “in the clear.” PCI also sets regulations around how businesses handling credit card data should manage encryption keys.

Even though encryption key management is required by PCI, not every business manages their encryption keys, and if they do, not every business does it right. Just like in the financial world, there are several critical encryption key management “best practices” that should be put in use in order to manage encryption keys in the most secure way possible. The number one risk associated with not following best practices is data loss. A data breach of credit card numbers can be devastating, especially if your business relies on customer loyalty.

Whether you’re a casino, gaming vendor, or gaming ISV providing card processing applications to casinos, always look for an encryption key management solution with these 3 features:

• Follows Best Practices - Your encryption key management vendor should have best practices integrated into their solution in order to guarantee your success. Best practices include having certified solutions, using industry standard encryption, and implementing controls such as dual control and separation of duties.
• World Class Support - When protecting critical customer data, your reputation is only as good as your encryption key management vendor’s reputation for providing solid products and world class support. Choose a vendor that has a reputation for helping customers.
• World Class Partner - If you’re a gaming ISV that sells applications that handle credit card data inside casino IT networks, you should be offering your customers encryption key management to protect that data. Choosing an encryption key management partner is a big decision, and you should look for one with a powerful solution that will grow with you and is focused on your success.

The gaming industry isn’t exempt from needing to protect sensitive data, although it is sometimes the industry that flies under the radar and has some of the biggest issues around data security. As we have seen, data breaches "are not a matter of if, but when."  Encryption key management is fundamental to protecting yourself from a data breach. By protecting yourself from a breach, you in turn will in turn maintain your customers' loyalty to your casino - because who wants to play at a casino who gambled with their personal information and lost.

Even though technology has evolved to reduce cost and complexity in our IT infrastructure through virtualization and cloud computing, these technologies have also introduced new concerns and complications around data security. The main reason security and IT professionals are so concerned about virtualization and the cloud is that these environments share resources. In a virtualized environment, a single application will share resources with every other application including RAM, disk storage, memory, and CPU. In a cloud environment, these same resources are shared amongst multiple users.

A fundamental fact to acknowledge if you’re using virtualized, hosted, or cloud services is that the companies who provide these services are not required to protect your data. In fact, you should never assume that they are doing just that. When it comes to meeting compliance regulations such as PCI, HIPAA/HITECH, or GLBA/FFIEC, the burden of compliance falls upon individual companies and organizations. If organizations want meet compliance and protect their data from a data breach, they need a powerful, certified, and industry standard data protection strategy.

When it comes to protecting sensitive data such as credit card information, social security numbers, protected health information (PHI), and other personally identifiable information (PII), it is a recognized fact that only using network security protocols such as firewalls and strong passwords is not enough to protect data from outside intruders. The Payment Card Industry Security Standards Council (PCI-SSC) knows this, which is why they require the use of strong encryption and encryption key management to protect credit card data.

Once you realize this, then you should also consider your options when choosing an encryption key manager. An encryption key manager will generate and protect your encryption keys and should include these five critical features:

1. Certifications. Is the encryption key manager NIST FIPS 140-2 validated? The National Institute of Standards and Technology (NIST) is governmental organization that sets the highest standard for encryption and encryption key management. A FIPS 140-2 level compliance means that your key manager has been heavily tested and will stand up to scrutiny in the event of a data breach.
2. Virtualization and Cloud Compatibility. Even if you haven’t moved to virtualized environments or the cloud, it is very likely that someday you’ll consider these options. You want to choose an encryption key manager that can securely protect your encryption keys “in-house,” and will move with you to virtualized environments or the cloud when you’re ready.
3. A Key Manager that Uses Best Practices. Encryption key management best practices are not outrightly required by many compliance regulations, but they are critical to a successful data security strategy. Protocols such as dual control and separation of duties should be implemented in your encryption key manager as a part of its operability. This is the only way to truly protect data and protect yourself in the event of a data breach.
4. Easy to Deploy. Encryption and key management has a reputation for being incredibly difficult. That may have been true ten years ago, but today encryption key management can be easy to deploy in your organization, depending on your provider. Keep in mind your vendor’s ability to deploy key management in multi-platform environments, in your own IT infrastructure as well as cloud and virtualized environments, if it’s easy enough to install and deploy yourself, and if your key management vendor provides supplemental code and encryption libraries free of charge.
5. World Class Technical Support. Choosing an encryption key manager and deploying it is a big decision. Choose a key manager with a reputation for amazing technical support.

Townsend Security’s Alliance Key Manager for VMware now supports VMware and vCloud.

Three questions to ask yourself when choosing encryption key management for vCloud

Businesses are moving more and more data to the cloud, and in our world, more data floating around in the cloud means more concern about securing sensitive data. It is no surprise to anyone that a single business can processes millions of pieces of sensitive data every day. From credit card numbers to social security numbers and protected health information (PHI), retail, financial, and healthcare organizations are processing this data in greater numbers than ever before.

Storing data in the cloud is one way businesses are conserving resources. Another way they are doing this is with platform virtualization. VMware is one of the most popular and widely used virtualization solutions currently used by enterprises. Alongside their virtualization software, VMware also supports the vCloud architecture that allows users to seamlessly move their workloads to a hosting or cloud vendor that supports this architecture.

Securing data in a virtualized environment introduces new security concerns, simply by the fact that applications processing sensitive data share resources such as memory, disk storage, and central processing units (CPU) with other applications on a physical machine. If a business decides to move their data to vCloud, this introduces even more concerns around the fact that a cloud environment shares these resources with other people and businesses as well.

Security professionals agree that security should be the number one concern for businesses moving data to the cloud. No one should ever assume that their cloud provider is protecting their data, especially if you need to meet compliance regulations such as PCI-DSS, GLBA/FFIEC, or HIPAA/HITECH. The only way to protect sensitive data in the cloud is by implementing a data security plan that includes strong encryption and encryption key management.

Townsend Security recently released Alliance Key Manager for VMware. This encryption key management solution is identical to our FIPS 140-2 compliant Alliance Key Manager hardware security module (HSM) for database encryption and is compatible with vCloud architecture to provide powerful data security for data in the cloud. This versatile instance of our encryption key manager works with any cloud or hosting provider that supports VMware vCloud architecture.

When choosing a third-party encryption key management provider to secure your data in vCloud, it is important to ask yourself these three questions:

1. Is it cost effective?
Businesses are looking towards simplified and scalable data storage solutions to reduce cost and conserve resources. Virtualization and cloud services serve businesses by providing cost-effective options for data storage and processing. Your encryption and key management should not thwart your goals to reduce cost and complexity in your business. You need solutions that will scale with your transition to virtualization and the cloud and that will work seamlessly in these environments. One of our fundamental beliefs is that budget should not be a barrier to good data security!

2. Will your encryption key management move with you to the cloud?
Not all businesses have moved to the cloud. However, as the cloud becomes more and more prevalent as well as cost effective, it’s important to keep in mind that you might decide to migrate to the cloud in the future. This migration can either be relatively simple or a huge headache depending on how cloud-compatible your software and hardware providers are. Choosing sophisticated solutions that are prepared to move with you to the cloud and will provide you with thorough technical support is critical to your success.

3. Will your key management prepare you for a breach?
In today’s data climate, a data breach for most businesses is no longer a matter of “if,” but, “when.” The only way to secure a breach, prevent data loss, and avoid data breach notification is by using strong, industry standard, and certified encryption and encryption key management. You’ll want your encryption key management solution to implement key management best practices that go above and beyond industry certifications. Certifications are often a low bar in data security, and implementing best practices will increase your security posture tremendously. Your encryption key management should be NIST FIPS 140-2 compliant if you want your data security to stand up to scrutiny in the event of a breach.

To learn more about enterprise key management for VMware and vCloud, download our podcast "Virtualized Encryption Key Management."

Businesses are virtualizing their IT infrastructure to save time, money, and manage many other resources that often go unused in IT environments. Virtualization of data centers evolved from the basic principles of resource sharing used in hosting and cloud environments. Virtualization enables businesses to have more efficient data center operations. With multiple operating systems running on a single server, multiple applications can also run on that server which in the long run allows a company to reduce the number of servers that they run and maintain. 

However, virtualization introduces new security concerns for companies that must protect sensitive data. Because virtualization allows businesses to run multiple applications on the same server, the encryption of sensitive data must work in conjunction with the virtualization platform. For businesses such as retailers and banks who run payment and financial applications on virtualized operating systems, they must encrypt sensitive credit card and financial information on their virtualized platforms, which requires a specialized third-party security solution.

Previously, companies would encrypt data on a server by server basis, using a single key management server to securely provide encryption keys to multiple servers on the network. The new infrastructure that virtualization brings into play, however, has caused encryption key management to need a different approach. New security concerns such as shared disk storage, network infrastructure, processing CPU components, need to be addressed.

Townsend Security has addressed the concerns in a new version of our encryption key manager, Alliance Key Manager for VMware. Alliance Key Manager for VMware is a NIST and Payment Card Industry (PCI) compliant virtual instance, identical to our original Alliance Key Manager hardware security module (HSM) that is in use by over 3,000 customers worldwide.

Simplified and Cost Effective Data Security

If you’re trying to reduce costs by moving to virtualized environments, implementing powerful data security that helps you meet compliance regulations doesn’t have to negate those efforts. Just like you choose virtualization to reduce costs in the long run, you can choose an encryption and key management solution that does the same, at a lower upfront cost. Townsend Security’s Alliance Key Manager for VMware is a specialized version of our key manager that allows you to encrypt data and securely manage encryption keys in a virtualized environment.

Alliance Key Manager for VMware manages encryption keys throughout the key lifecycle from the generation of those keys to their activation and use all the way through to retirement and deletion of keys.

Meet Compliance Regulations

By themselves, applications running VMware aren’t PCI compliant. Companies using VMware to reduce costs and consolidate their IT infrastructure still need to take responsibility for their own PCI compliance. Thankfully, VMware has made achieving PCI compliance through third-party security solutions easy with open architecture and standard APIs. VMware also recognizes the need for security in virtualized environments and has gone so far as to team up with CoalFire, a QSA auditing firm to publish guidelines for achieving PCI compliance in a virtual environment.

Many people believe that their hosting company is protecting their sensitive data. In actuality, it is never safe to assume your hosting company is doing this. Individuals and companies are responsible for protecting their own sensitive data. If you’re hosting in a virtualized environment, there are some hosting companies who have passed an infrastructure certification for compliance regulations, but they are few and far in between. In order to achieve compliance, businesses must review PCI standards and implement data security controls such as encryption and key management

Alliance Key Manager for VMware works in vCloud as well as any hosted environment that supports vCloud.  If you are moving your virtualized environment in the cloud, Alliance Key Manager for VMware will support this migration and can provide you with powerful encryption key management for the cloud.

If you’re an independent software vendor (ISV) who sells payment applications to retailers, what does it mean when your payment application meets PCI standards, but doesn’t actually protect your customers? A lot of people out there, especially consumers, wouldn’t even think the security of the software that handles their credit card data is an issue. Many people don’t realize that there’s a huge problem with data security in point-of-sale (POS) and retail software applications. However, time and time again we see major data breaches occurring through cash register systems that process credit card data, which invariably means that those systems aren’t adequately protecting consumer data.

The problem with data security in payment applications arises when retail ISVs and POS vendors certify their payment applications with the Payment Card Industry Security Standards Council (PCI-SSC). The PCI-SSC requires that these businesses use strong encryption and encryption key management in their payment applications. Although most payment application vendors incorporate encryption and encryption key management into their solutions, many of them do it poorly, skating by with the minimum requirements. In the end, their applications pass certifications but would not protect their customers--or themselves--in the event of a data breach.

And data breaches are happening every day! Today data breaches are considered a matter of “when,” not “if.” It is almost a certainty that it is only a matter of time before a data breach affects one of your customers.

Unfortunately, encryption and encryption key management are complicated tools for ISVs to build on their own--in fact, doing a “home grown” encryption project is almost never recommended by encryption experts. Because many ISVs don’t have the resources to create their own encryption and encryption key management, Townsend Security offers an encryption key management solution that retail ISVs and POS vendors can integrate into their applications to provide their customers with industry standard, certified data security solutions.

We recently published an eBook titled, “Overcoming Critical Security Issues - a Guide to Proper Encryption Key Management,” for POS vendors and Retail ISVs. Read an excerpt written by Townsend Security Founder and CEO Patrick Townsend and download the eBook now:

“Merchants are very worried about data breaches and the potential effect of a breach on their business. The average data breach costs a company $5.5 million, which includes the cost of fines as well as the costs associated with lost business, litigation, and brand damage. A successful exploit of poor data security can destroy years of work building brand reputation. Smaller businesses may never fully recover from a well-publicized data breach. Payment application vendors with poor encryption and key management are subjecting not only their customers to these risks, but themselves as well.”

Good encryption and key management for credit card numbers will also give payment application vendors an advantage over their competitors. PCI standards are not set in stone; data security is constantly evolving to meet new challenges and threats. CEOs and Product Managers in the payment application industry should be having a high-level discussion about data security. Now is the time to move to a second generation data security strategy for protecting customer credit card information. You need a solution that doesn’t just look good on paper, but will protect you and your customers in the event of a breach.”

To read more, download the eBook now.

If your company is an ISV, VAR, or OEM providing software or hardware to businesses who must meet data security compliance regulations (PCI, HIPAA/HITECH, GLBA/FFIEC, etc.), finding the right technology partners to offer your customers the best security available can be a difficult task.

Technology partnerships have a reputation for being difficult and risky. Legal agreements, licensing models, and product performance are just a few examples of serious barriers. Unfortunately in today’s technology climate, there are many examples of technology partnerships that have reinforced this reputation.

When it comes to protecting sensitive information and meeting security compliance regulations, we don’t believe anything should get in the way of offering your customers the best data security tools available. Townsend Security helps businesses of all sizes protect sensitive data with powerful encryption and encryption key management that not only helps companies meet compliance requirements, but will protect them in the event of a data breach.

Here’s how Townsend Security makes partnering with a technology company easier than ever:

1. Reduced Complexity to Lower Costs - Your technology partner’s product shouldn’t be so complicated that it takes outside consultants, drawn-out projects, and extra time and money to implement. In our eyes, a good partner works hard to make sure their product integrates seamlessly into your existing technology infrastructure. Townsend Security is able to accomplish this quickly and at a lower cost by having the capacity and functionality to specialize our solutions to meet our partners’ needs. We also ease the burden of implementation by providing our customers with a simple and cost-effective licensing model.
2. Provide Powerful Products - With the staggering number of data breaches that happen every month, there is no excuse to using sub-standard encryption to protect sensitive data. Many companies try to cut corners or meet the minimum standard by using “home-grown” encryption and key management or cheap solutions that don’t adequately protect data. However, when businesses use these solutions, many end up having to re-do their encryption and key management projects in order to comply with data security regulations (which are always becoming more stringent), or even worse, they experience a data breach and realize they can no longer skate by with weak data security. Townsend Security offers powerful, NIST-certified encryption and FIPS 140-2 encryption key management for all legacy platforms and the cloud to help you exceed standards and prevent data loss.
3. Excellent Back End Support - When it comes to back end support, the people you deal with on a day-to-day basis can make or break a partnership. Townsend Security works closely with our partners to ensure their success. We provide our partners with training, marketing materials, OEM options, as well as easy and cost effective licensing models to get our powerful solutions protecting your customers as soon as possible.

At the end of the day, the technology partner you choose should leverage your existing solutions by making them more powerful. It’s easy to secure data poorly, and it can be difficult to do it well, but Townsend Security has developed and scaled our encryption and encryption key management to eliminate the pains and obstacles of doing data security the right way.

Over the past two years the IBM i 7.1 (V7R1) has come to be known as a powerful, reliable, and highly scalable solution for businesses. IBM i V7R1 supports total integration and virtualization with new encryption capabilities that are appealing to many companies who must comply with data security regulations such as PCI and GLBA/FFIEC. This new exit-point feature, called field procedures (FIELDPROC), helps businesses to encrypt their sensitive data at column level without any application changes in order to meet compliance regulations and protect data from hackers.

This is great news since data breaches have become painfully common. Despite the staggering amount of data breaches that happen every month, a new study has shown that nearly 70% of data breaches could have been avoided had the proper security measures been implemented.

Patrick Botz of Botz and Associates recently joined our founder and CEO, Patrick Townsend, in an interactive webinar that focused on security tips both he and Patrick recommend. Patrick Botz is an expert on data security and data breach prevention. He held the position of lead security architect at IBM and was the founder of the IBM Lab Services security consulting team.

Here are the top three security tips for users securing sensitive data in IBM i V7R1 and meeting data security regulations according to Patrick Botz and Patrick Townsend:

1. Use Encryption & Encryption Key Management Best Practices - Encryption is the tool that protects your data. If you do your encryption poorly, there’s really no point in doing it at all.  In order to do encryption well you must follow best practices for encrypting data and managing the encryption keys. These best practices include: using AES encryption certified by the National Institute of Standards and Technology (NIST) and key management certified under the FIPS 140-2 standard; and using key management that utilizes controls such as separation of duties and dual control. Your encryption is only as good as your key management. If you follow best practices for encryption and encryption key management, you are also more likely to avoid having to report a data breach and deal with the severe costs.

2. Use Password Best Practices - Password management is often the downfall of many companies who suffer a data breach, especially a data breach that happens internally or by mistake. Patrick Botz specialized in password management and has enabled IBM i users to manage their passwords more securely with his Single SignOn (SSO) service, SSO Stat! Using a program called Kerberos, SSO works with both Windows and IBM i domains to streamline password use in a secured environment.

3. Monitor Your IBM i with System Logging - A crucial step to achieving good data security, receiving important system logs in real time and using a SIEM solution can help a database administrator prevent or catch a system breach as soon as it happens. System logging is also a critical part of meeting most compliance regulations. One challenge around system logging on the IBM i, however, is that security audit journal, QAUDJRN, is in a proprietary IBM format. In order for these logs to be centralized and correlated with other logs in your server environment, these IBM logs must be translated into a useable format.  File integrity monitoring (FIM) is also important to monitor configuration changes. Townsend Security’s Alliance LogAgent provides file integrity monitoring and translates all of your logs into a single usable format that can be read by your SIEM provider.

Encryption, encryption key management, password management, Secure System Logging and File Integrity Monitoring are all absolute necessities for a business to safely store their data, and avoid legal complications due to negligence.

Please check out our resources tab to find out more information. You can find us on Facebook, Twitter and LinkedIn as well as our website, www.townsendsecurity.com. Start better security today!

Lack of security around passwords, emails, usernames, and other personal information leads to another easily preventable, massive data breach.

Last week we saw another major data breach of personal information due to a hacker who gained access to names, email addresses, dates of birth, and passwords protected using hashes and salt. When this story started to pop up in the news we were pretty surprised by what happened. Didn’t this exact same breach happen to LinkedIn nine months ago?

In June of last year LinkedIn suffered a similarly huge data breach and lost 6.5 million hashed passwords. The passwords were posted online and within a few hours over 60% of the passwords had been exposed. Why were these passwords so easy to crack? Because LinkedIn had been “protecting” user passwords using the hash algorithm SHA-1. SHA-1 is a known weak algorithm that is no longer recommended by the National Institute of Standards and Technology (NIST). Today it is a basic industry standard to use the stronger hash algorithm SHA-256 or SHA-512.

In the end, however, LinkedIn’s breach was really more of a headache than a disaster. A class action lawsuit brought against LinkedIn was thrown out due to lack of clear evidence that any real damage was caused by the breach. Where many consumers and data security experts had probably hoped that their breach had been a wake-up call to the e-commerce community, and anyone still using SHA-1 should have upgraded their data security practices immediately, it seems that many organizations have done nothing.

This is so surprising to us, not only because today using better data security such as strong hashing algorithms is considered to be trivially simple, but because in many states personal information such as first and last names, birthdates, and email addresses are considered to be personally identifiable information (PII) under state data security law. Most of these laws provide safe-harbor from data breach notification if a companies protect this information using industry standard tools.

In the end we hope that other businesses take note from this series of data breaches and update their data security.

How can you prevent a data breach of passwords and emails from happening to you?

1. Use only an up-to-date hash method such as SHA-256 or SHA-512
2. Use a hash based on industry standards - NIST publishes recommendations and standards. Always follow the most up-to-date standards.
3. Use salt for an additional layer of security
4. Protect the salt from loss or disclosure
5. Use two-factor authentication

How can you prevent a data breach that compromises your customers very sensitive data such as credit card information, social security numbers, and private health information (PHI)?

1. Use AES Standard Encryption to protect critical sensitive data such as credit card information and social security numbers.
2. Use a FIPS 140-2 compliant key management system that implements key management best practices such as dual control, split knowledge, and separation of duties.
3. Use a system monitoring tool that will alert you to important changes in your database such as unauthorized access in real time in order to stop suspicious activity before it’s too late.

To learn more about how companies such as LivingSocial and LinkedIn could have avoided a data breach, download the Podcast: How LinkedIn Could Have Avoided a Data Breach.

In October of this year, IBM will end support of V5R4 of IBM system i. This decision will force their customers running on V5R4 to upgrade to either V6R1 or V7R1. Many customers are currently in the process of or have already completed this upgrade. For IBM i administrators out there who have not yet begun this critical upgrade, it's important to know the differences between V6R1 and V7R1. The most notable difference is the new FIELDPROC capability offered exclusively in V7R1. Short for field procedure, FIELDPROC allows automatic, column level encryption in the DB2 database without any program changes.

Patrick Townsend, CEO and Founder of Townsend Security, recently sat down with data privacy expert Patrick Botz at this year's COMMON exposition to discuss FIELDPROC, encryption key management, and what these changes mean for retail merchants who must comply with PCI-DSS. Here is an excerpt from that discussion:

Patrick Townsend: Patrick Botz, can you tell us why encrypting sensitive data is more important than ever, and how FIELDPROC can help IBM i customers easily encrypt sensitive data and meet compliance regulations?

Patrick Botz: I think encryption is something that we're realizing everyone should have been doing a long time ago. Today many businesses are required or recommended to encrypt sensitive data by data security regulations such as PCI-DSS, HIPAA/HITECH, GLBA/FFIEC, and many state laws. This is evidence that encryption is extremely important today, not just from a security point of view, but from a compliance point of view. FIELDPROC is an excellent tool that IBM has added in V7R1 that makes it easier for ISVs to provide efficient and easy to use encryption without having to change programs. This is huge for customers. In fact, I've worked with at least two customer groups so far who's primarily reason for upgrading to V7R1 is to be able to use products that use FIELDPROC.

Townsend: Jumping from V5R4 to V7R1 is a supported path, right?

Botz: Right!

Townsend: Patrick, I know that you're company, Botz & Associates, does a lot to help IBM i customers with their security projects, can you describe a typical  encryption project and how FIELDPROC has saved them time, money and aggravation in terms of getting the project done?

Botz: Yes, there is a pattern these projects tend to follow. Before they embark on their encryption project, the first discussion I have with and IBM i customers is to answer questions such as, how many programs am I going to have to change and how long is it going to take because we can't afford to have our systems down. Then when we start talking about the different products that take full advantage of FIELDPROC, and how they won't have to change their programs to do encryption with FIELDPROC. Once we get to that point, customers are ready to jump in and they're excited! The next step is to discuss if they want to encrypt just the fields with personally identifiable information (PII) or the whole database. From that point on it's a pretty easy process to get data encrypted.

I see many IBM i customers trying to do their own encryption, and one of the things I say to people is, "Have you heard the phrase 'it's not rocket science'? Well, with encryption, to make sure you get it right, it approaches rocket science." The fact is that customers really need to pick a solution that handles not only the encryption, but the key management as well. In my opinion the most important part of encryption is key management. I like to use the analogy of using a padlock: If you buy the world's best padlock for your backyard shed and then you pound the nail on the shed right next to the padlock and hang the key there, is that best padlock doing you any good...

In case you missed the presentation by Patrick Townsend and Patrick Botz, we recorded their session and have made it available for online listening. Download the podcast "FIELDPROC Encryption on the IBM i" to learn more about:

-Encryption Key Management with FIELDPROC
-The importance of certifications
-And what QSA and compliance auditors will look for in your key management system

Patrick Botz is an internationally known information security expert, specializing in security as a business requirement first, and as technology second. His passion for SSO began while working at IBM which he joined in 1989. He held several positions at IBM, including  Lead Security Architect and founder of the IBM Lab Services security consulting practice. He architected the SSO solution for OS/400 and i5/OS, and he holds several security-oriented patents.