Townsend Security Data Privacy Blog

Townsend Security recently asked business executive and mid-market expert Todd Ostrander to contribute his expertise and thought leadership on C-level risk management to our most most recently published eBook, Turning a Blind Eye to Data Security (Mending the Breakdown of Communication Between CEOs and CIOs).

In his article, Todd Ostrander discusses several key points around data security and business risk including:

• The roles and responsibilities of a CEO around data security
• The high costs associated with a data breach
• How unencrypted data represents a significant business risk
• Why proper encryption key management is needed to prevent a breach

In addressing these issues, Todd Ostrander urges us to implement the solution that many businesses have yet to adopt.

Read an excerpt from his article below:

“In any organization, the CEO has many jobs. At the macro level, a CEO’s job is to instill a high level of confidence in his or her stakeholders, including customers, investors, employees, suppliers and partners. To accomplish this, a CEO must establish a level of trust with these stakeholders in order to inspire, encourage, and engage them to take part in the entity’s vision and pursuits. Ultimately, the organization uses its stakeholders’ trust—their confidence in the CEO and his or her team’s ability to execute—to grow and build its value.

Every business has inherent risks in its execution—such as hiring dependable employees and maintaining financial stability. In order for a CEO to instill the kind of confidence that increases a business’ value, he or she must be able to identify and address each of the risks in the business.  Therefore, risk mitigation by nature becomes a core component of a CEO’s job.

In a pre-internet world, the risk of data loss was limited to a physical breach of an actual building. Security guards, fences, and access control systems were established to keep people away from sensitive information. However, as today’s world has become electronically connected at virtually every level, businesses need to focus not only on preventing access to data but also on protecting the data itself. This is where a comprehensive data protection strategy comes in to play.

Most CEOs are well aware that encryption methodologies were created for their CIOs to be able to protect data in their networks. However, encryption is such a new field that few CEOs understand all of the risks associated with unprotected data as well as evolving industry-based regulations which they must comply with.

CEOs may not know that even if their data is encrypted, without proper encryption key management, they are still at risk and do not comply with many industry regulations. Without good key management practices, you are practically inviting hackers to break in to your system…"

Todd Ostrander is a professional with over 25 years of F1000, mid-market and emerging market startup experience. Throughout his career, he has been at the forefront of groundbreaking changes that create new markets and opportunities. While he has a broad range of skills from finance to procurement, strategic marketing and product strategy, his core functional expertise is in exploiting existing markets as well as identifying and creating new market opportunities with specific focus on go-to-market, intellectual property, and capitalization strategies. Within the technology industry, he has specific expertise in workflow management, Software as a Service (SaaS), wireless, digital marketing, and mobility.

Since it's release in 2001, Microsoft SharePoint has quickly become one of the most widely used applications for document storage and collaboration.

SharePoint originally stored and organized documents and other critical information about those documents in rows and columns. However, as the use of SharePoint began to quickly grow, administrators began to notice that the huge number and size of the documents being stored began to impact the performance of SharePoint, slowing down the application until it was fairly unusable. To rectify this issue Remote Blob Storage (RBS) was introduced to store the documents themselves outside of the SharePoint database so that the size of the documents wouldn't impact SharePoint performance. Now, when a SharePoint administrator starts to see performance impact from documents stored in SharePoint, they can store the files themselves separately, and SharePoint talks to the remote server in order to retrieve the files.

Now that SharePoint is so widely used, protecting data stored in SharePoint has become a big issue. Many companies use SharePoint to track customers, retail orders, personal health information, and other personally identifiable information (PII) that most industries (PCI-DSS, HIPAA/HITECH, GLBA/FFIEC, etc.) and many state laws mandate the protection of. Typically these regulations mandate the protection of this data using encryption and encryption key management.

The good news is that encrypting data in SharePoint is pretty easy, and it's often only a two-step process. SharePoint administrators must:

1. Encrypt the SQL Server database SharePoint runs on
2. Encrypt the Remote Blob Storage (RBS) used to store documents.

Encrypting SharePoint on SQL Server is easy with transparent data encryption (TDE) for SQL Server 2008/2008 R2/2012. Extensible key management (EKM) also allows admins to manage encryption keys and meet compliance regulations using an external third-party encryption key management hardware security module (HSM).

Townsend Security offers FIPS 140-2 compliant encryption key management system for Microsoft SharePoint to help you protect SharePoint and meet compliance. To learn more about securing data in SharePoint, check out our podcast, “Securing SharePoint with Encryption & Key Management.”

If you're starting an encryption key management project, you should always know the warning signs of obstacles that might make your project way more difficult and costly than it needs to be. We often see companies who have recently failed a data security audit, or realize that they are about to, because they didn't watch out for these pitfalls before they began an encryption key management project.

1. Complicated Project Requiring Outside Consultants and Time
If you find yourself bogged down by hiring outside consultants (beyond your encryption key management vendor) to help you set up and run your encryption key management system, you're probably headed for trouble. Encryption key management should be simple, straightforward, and easy to deploy.

2. No Certifications
NIST certifications are a must when it comes to implementing good encryption key management. In order to meet compliance for PCI-DSS, GLBA/FFIEC, FISMA, and other compliance regulations, always use NIST-certified AES encryption and FIPS 140-2 compliant encryption key management. Your QSA or other data security auditor will look for these certifications.

3. No Client-Side Support
Your encryption key management vendor should supply you with the appropriate client-side applications to make your encryption key management run as smoothly as possible. If you find yourself scrambling to find sample code, binary libraries, key retrieval and other tools, your encryption key management project time will almost certainly increase and not come to a complete halt.

4. No Dual Control and Separation of Duties
When it comes to doing your encryption key management right, one of the critical pieces to meeting compliance requirements such as PCI-DSS is using the principles of dual control and separation of duties. These are hard and fast guidelines when it comes to the handling of encryption keys, and are considered a "best practice" for encryption key management. If your encryption key management hardware system doesn't implement these policies, it will be difficult to pass your data security audit down the road. Some compliance regulations such as HIPAA/HITECH Act don't yet require these policies; however, you should expect these best practices policies to be implemented into regulations down the road.

5. Complex and Hard to Predict Licensing
When you don't know how much your encryption key managemer is going to cost, your project will stop in its tracks. When you don't know how many licenses your company will need over time and how your encryption key management vendor will charge you for them, estimating the cost becomes very complicated. Often a vendor might limit how many devices can connect to your key server or the number of keys the key server can create, resulting in unpredictable costs. As we all know, a project with an unpredictable cost never gets off the ground! The cost of licensing should not be a barrier to protecting your sensitive data.

To learn more about how encryption key management and how easy it can be, check out our webinar, “Key Management Simplified.”

XN3H7FQ298CU 

I recently read about a data breach that came into public light a few weeks ago in South Carolina at the Savannah River Site (SRS), a nuclear reservation owned by the U.S. Department of Energy. This breach exposed personal information of over 12,000 employees. The state of South Carolina has been in the news over the past few months because of a massive governmental data breach caused by an international hacker that exposed millions of credit card and social security numbers.

At first I thought the SRS breach might be similar or related to the other breach, but I quickly realized there was something different about this one. According to Carla Caldwell of the Atlanta Business Chronicle, officials at the site say that the breach wasn't caused by a cyber attack. However, despite the fact that there was no hacking involved, employees are still being told “to be vigilant in monitoring financial transactions and emails or phone calls relating to such personal transactions.”

What does this mean? It means that:

1. Despite the absence of a malicious hacker, a data breach still occurred, and
2. Because the breach had to be reported, it likely exposed employee financial data such as credit card information or social security numbers.

Many people think that all breaches are caused by vigilante hackers, and while cyber attacks are a real threat, the truth is that a HUGE proportion of data breaches are caused by simple employee mistakes and theft of devices such as disk drives, backup tapes and personal devices such as laptops and smartphones.

According to the PricewaterhouseCoopers 2012 Information Security Survey, over 80% of enterprise data breaches are caused by employee errors. Many of these breaches occur on unencrypted mobile devices. In the healthcare industry, the Ponemon Institute found that nearly 40% of data breaches were caused  by employee negligence.

Serious breaches occur inside companies simply because mistakes are made, thefts happen, and the right technology is not in place to protect sensitive data.  Some of these events include:

• Backup tapes and disk drives are stolen out of cars
• Laptops and other personal devices such as iPads and phones are stolen out of cars
• Tapes, drives, and personal devices are lost (Think lost luggage, leaving items on a train)
• Employees email files containing sensitive data to their home devices
• Unauthorized employees view sensitive data at work because the right protocols are not in place to protect that data.

However there's a way to protect data even if it gets into the wrong hands: Encryption. If the data is encrypted it will be completely unreadable if it is stolen or mishandled. Protecting your encryption keys is also a critical piece in protecting sensitive data. If your encrypted backup tapes get stolen out of your car, but you've stored your encryption keys on those tapes, the thief will be able to use the keys to access the information.

To learn more about protecting encrypted data with encryption key management, download our resources package, “Encryption Key Management Simplified.”

Townsend Security recently asked data security expert Kevin Beaver, CISSP, to contribute his extensive knowledge and expertise about the current climate of data security to our most recently published eBook, Turning a Blind Eye to Data Security (Mending the Breakdown of Communication Between CEOs and CIOs).

Read his entire article, "Information Security is Up to You," in your free copy of the eBook now.

In his article, Kevin inspires CEOs to ask some critical questions about data security such as:

• Who is in charge of data security at your organization?
• Is there transparency and communication across your organization when it comes to data security?
• Who will be held responsible in the event of a data breach?
• Why do we keep talking about the need for better data security but nothing seems to be getting done?

With these questions in mind Kevin Beaver leads us into a discussion on how both IT administrators and business executives avoid critical conversations about data security and why this poses a huge business risk to organizations.

“When it comes to information security, many people within a business – from executives to end users – often assume that security is a technical issue that falls under the umbrella of duties performed by the IT department. These IT administrators manage network firewalls, clean up virus outbreaks, and manage the IT infrastructure. These tasks are often so far removed from the actual goings-on of the business, that few people in the company—including the CEO—truly understand the ever-evolving complexities of IT infrastructure and security.

With little understanding of these systems, networks with sensitive data are left unsecured and at risk to hackers, network failures, and employee mistakes. Today, an average data breach costs a company $5.5 million. At this price, information security is not an IT problem. It’s so much more.

The Ponemon Institute surveyed 1,894 people in 12 countries in its 2012 State of Global IT Security study and found the main reasons why the appropriate steps are not being taken to improve information security are 1) insufficient resources, 2) it’s not a priority issue and 3) lack of clear leadership.

However, in most situations, good information security is achieved with easily accessible and simple solutions.  In fact, in a 2012 study on data breaches, Verizon found that 96% of security attacks were not highly difficult, and were easily preventable. If security attacks are preventable, why are so many breaches occurring every year...”

Download the eBook to read more!

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with over 24 years of experience in IT - the last 18 of which he’s dedicated to information security. Before starting Principle Logic in 2001, he served in various information technology and security roles for several healthcare, e-commerce, financial firms, educational institutions, and consulting organizations. Kevin Beaver has written 32 whitepapers, over 600 articles, and authored/co-authored 10 books on information security. Visit Kevin’s blog to learn more about information security, and his website to learn more about his business, Principal Logic.

http://securityonwheels.blogspot.com
http://www.principlelogic.com

Data breaches of sensitive, unencrypted information occur almost every week and many of these events become highly publicized. Organizations are thrust into the public's eye and scrutinized for gross lack of oversight and accountability around data security. Despite the fact that these breaches happen at the IT level, the burden and the blame for a data breach almost always falls on C-level leaders such as the CEO or CIO. Consumers ask, “why didn’t you protect my personal information?” and the leaders respond, “We didn’t think it would happen to us.”

Today business leaders need to know that data breaches are no longer a matter of “if” but “when.” Even behind firewalls and secure networks, unencrypted sensitive data is a goldmine for hackers. Not protecting this information with encryption is like driving a brand new Ferrari without car insurance. You can drive as safely as you want, but you can’t control the behavior of other drivers. Just like driving without insurance, not encrypting your organization’s  sensitive data in a time when hackers are always trying to break into networks is taking a huge risk with both your organization’s financial resources and reputation.

I recently sat down with data security expert Patrick Townsend, CEO & Founder of Townsend Security, to discuss why unprotected data is a business problem, not just an "IT problem."

Watch the video of that discussion here.

Why is unprotected data a business problem?

In most organizations, a large part of the CEO's role is to assess risk. Every day the leaders in any given organization address financial, market, competitive, and many other types of risk. These leaders are used to assessing risk in their organizations, but they are not yet thinking about unprotected data and the possibility of a data breach as a fundamental risk. Unprotected sensitive data leads to identity theft, fraud, and theft of financial resources from employees and customers.

Data breaches happen to both large, small, public, and private companies. In fact, today hackers are targeting small to mid-sized businesses simply because those networks tend to be less secure. However, every day I come across large business that have failed to protect their customers' data either by not encrypting the data, or failing to protect the encryption keys.

Anyone who's been through a data breach understands in their bones the importance of encryption and encryption key management. The costs associated with a data breach are far reaching.

These costs include:

• Fines
• Forensics investigation
• Credit monitoring for customers
• Lost sales due to brand damage
• Litigation costs

These are costs all organizations want to avoid. They represent huge risk in terms of actual financial costs and damage to reputation. Not considering these costs and not protecting your company and customers' sensitive data is a failure to assess risk.

Want to learn more about the risks associated with unencrypted data? Check this video, “Why is Unprotected Data a Business Problem?” featuring Patrick Townsend, Founder & CEO of Townsend Security.

The updates to the HIPAA/HITECH Act Meaningful Use standards were recently released and indicate a stronger urgency by Health and Human Services (HHS) to encourage healthcare companies to encrypt sensitive patient data in order to protect that data and avoid data breach notification.

I recently sat down with Patrick Townsend, CEO & Founder of Townsend Security, to discuss what these meaningful use updates mean and how healthcare organizations should respond to the recommendations:

If you’re a healthcare organization, and you are wondering if you should be encrypting your electronic data, the straightforward answer is yes. Patient information should be encrypted at rest and in transit, and HHS will really start to bring down the hammer in terms of fines and penalties for those who have a data breach and have not encrypted data. We live in a time when a data breach is no longer a matter of “if” but “when,” and encryption is really an insurance policy to protect your organization when a data breach happens to you.

HHS still does not mandate that health care organizations encrypt sensitive patient data, but the meaningful use updates reiterate that they should encrypt their data.

The original HIPAA law and HITECH Act of 2009 did not mandate encryption of electronic patient information. However, HHS has the ability to set rules in a number of areas, and they have added stricter rules around data privacy by mandating that all data breaches must be reported to HHS. Data breach notification typically results in hefty fines and other financial losses associated with brand damage and credit monitoring for affected patients. HHS has been very clear that the only way to avoid breach notification and the impacts of a data breach, is to encrypt patient data. In these most recent updates, they reaffirmed that the only safe-harbor from breach notification is encryption.

Many organizations believe they can prevent a data breach by using strong passwords and other network security tactics such as access control lists. It's true that those actions fall within the purview of the law, but they will not help you avoid breach notification.

Another piece of the update of meaningful use concerns encryption keys. Encryption keys that are used to protect data should not be stored on the same server with encrypted patient information. HHS is trying to give better and clearer guidance on this to the best of their ability while staying within the law.

To learn more about encrypting protected health information (PHI) and achieving safe-harbor from data breach notification, download our podcast, “HIPAA/HITECH Act Breach Notification Meaningful Use Update.”

Today there are so many ways to lose control over sensitive data. Hackers are constantly trying to access networks, laptops get stolen out of cars, and unauthorized employees are given access to data that they were never meant to see. With so many ways to lose data, no wonder so many IT execs bury their heads in the sand at the idea of data security. It seems like there's nothing they can do.

Unfortunately for those people who ignore the pressing need for tighter data security (and are probably setting themselves up for a data breach), there is something they can do. They can encrypt their data, and they can use key management best practices to protect their encryption keys.

Encryption and key management are considered the highest standard in data protection, and are required or recommended by most industry regulations such as PCI-DSS, GLBA/FFIEC, FISMA, and HIPAA-HITECH Act.

But what exactly is encryption and why do you need key management?

I recently talked with data security expert Patrick Townsend, founder and CEO of Townsend Security, to find out. Watch the video of that discussion here.

What is encryption?

Encryption is a means of encoding data using an encryption algorithm to render data unreadable. AES encryption is a standard put forth by the National Institute of Standards and Technology (NIST). It is accepted as the strongest method to secure sensitive data. Encrypted data looks like gibberish. For example, an encrypted version of the name "John Doe" might look like "Ue%#KD#@". In order to read the gibberish, someone must have access to the encryption key, which unlocks the encrypted data to make it readable.

What is an Encryption Key?

When you encrypt data, an encryption "key" is created. Each encryption key is unique.  Encryption keys are the secret that must be protected. Encryption keys are a lot like the keys you use to lock your house. It's likely that you and several of your neighbors use the same kind of lock on your door, but each of you owns a unique key. Like a house lock, encryption uses the same algorithm to encrypt data, however in each instance, a unique key is created to unlock each piece of data. Losing your encryption key to a hacker is like losing your house key to a thief.

Hackers don't break encryption. They find the keys.

A lot of IT executives have dug themselves into a hole because they know they need encryption and key management, but they don't want to admit to their bosses that they've been ignoring the issue--and putting the company at risk--for years. It can be a very difficult subject to talk about, especially when budget has played a role in the decision making.

If you’re ready to begin having this discussion with your IT team, you should arm yourself with the right questions. We recommend you check out this video, “What is Encryption Key Management?” featuring Patrick Townsend, Founder & CEO of Townsend Security.

When it comes to data security, the question every single CEO and CISO should be asking her or himself is, "how do I prevent a data breach from happening to me?"

I recently sat down with data security expert Patrick Townsend, founder and CEO of Townsend Security to discuss the challenges around protecting sensitive data in the cloud and the most common methods of how people are protecting data in the cloud today.

Watch the video of that discussion here.

We live in a word today where data breaches are no longer a matter of "if" but "when." It is almost certain that some unauthorized person will at some point access your company's sensitive data, either by mistake, or with malicious intent to commit fraud. Whether it's by accident or intentional, unauthorized access of unencrypted sensitive data is usually grounds for data breach notification.

With so many companies moving their data storage to the cloud, preventing a data breach or unauthorized access to sensitive data becomes even trickier. Across the board, the number one concern people have with the cloud is data security. Because the cloud is fundamentally a shared environment in a location most users don't typically have physical access to, people are right to wonder, "Am I inadvertently sharing data with other people, and I don't know it?"

The truth is, in the cloud it's really hard to tell who you may inadvertently be sharing data with. That's why in order to prevent a data breach and avoid data breach notification it's critical to encrypt your sensitive data in the cloud, and you must use key management best practices. In fact, the concepts of protecting data in the cloud are fundamentally the same as protecting data outside of the cloud. You must (in review):

1. Encrypt the data
2. Use key management best practices to protect encryption keys

Using key management best practices for data in the cloud is fundamental, especially if you need to pass compliance regulations such as PCI-DSS, FFIEC, or FISMA.

As you'll learn in the video, there are really three ways to protect keys for encrypted data in the cloud:

1. Store the keys "in-house"
2. Store the keys in a hosted environment
3. Store the keys in the cloud

All three methods have their own advantages. But there are also ways with each method  to incorrectly protect encryption keys. In the end, it's essential that you use key management best practices, and often times the easiest way to make sure you're doing that is by using an third party vendor with expert knowledge of key management best practices for the cloud.

Check out "Encryption Key Management for the Cloud" where Patrick Townsend discusses the challenges and solutions for protecting encryption keys.

If you could find out if your network is being hacked or tampered with, as it happens in real time, would you want to know? If there was a tool that collected, encrypted, and standardized your IBM i security events to give you peace of mind, would you use it?

We’re guessing yes. Luckily, system monitoring software is widely available for IBM operating systems, and there are two big reasons why you should use system monitoring:

1. Most system breaches go unnoticed for months (sometimes years) before the breach is discovered and dealt with. By then a hacker or employee may have gained access to thousands of personal files containing sensitive information such as credit card numbers and home addresses.

2. Less than 1% of the breaches in 2011 were discovered through log analysis, even though 69% of these breaches could have been detected before any data was lost if proper system logging was in place.

You know you need to collect your system logs in real time in order to detect unauthorized changes to your system, but with all of your security logs being created on different systems, web services, and applications, the task might seem overwhelming. How do you get a consolidated view of the security state of your database? How do you get information into usable format for log collection and Security Information & Event Management (SIEM) servers?

The answer is in a third party logging solution that can standardize, collect, and report security events. There are many logging solutions out there, but your solution should always provide you with these four key points:

1. Real time Log Collection. Your logging solution should collect logs of events in real time as they happen across multiple applications and servers. You should be alerted immediately to suspicious log events on your servers instead of receiving a batch at the end of the day or week.

2. High Speed Performance. Performance should not be a barrier when it comes to log collection and analysis. Your logging solution should be able to collect tens of millions of events from multiple applications and thousands of users per day without huge performance impacts.

3. Secure Communication. Your logging solution also needs to secure the transfer of events to a log server. Your logging solutions should use SSL TCP to encrypt log entries in transit from an IBM server to a log collection server.

4. Industry Standard. There is a standard format for system log events, and the data you collect from your IBM i and transfer to your log collection server should be in that format. The most widely used standards are the syslog standard based on RFC 3164 and the Common Event Format (CEF) used by a number of SIEM vendors.

Townsend Security’s Alliance LogAgent and LogAgent Suite with File Integrity Monitoring (FIM) allows IBM i users to meet compliance regulations by collecting security system logs and transmitting to a log collection server or any SIEM solution. Alliance LogAgent will help you achieve inner peace of mind.