Townsend Security Data Privacy Blog

Chris Evans – Security Blogger

Posted by Patrick Townsend on May 3, 2012 7:42:00 AM

I am on a new kick to share some security resources with you that I’ve found valuable over the years. I am not following any particular order or ranking people and resources by importance: I’m just going to do this as the mood strikes me.

Let me introduce you to Chris Evans and his blog.

Chris works for Google, he’s a software and security geek, and is an independent sort. A lot of his work is technically deep, which is great for those of us who enjoy that sort of thing. But I also really like his world view.

Chris has a hacker’s mentality (in the good sense) and his values are lined up with making the world a better and safer place. He doesn’t avoid talking about his own mistakes, and believes that more information about security problems makes the world safer as it gives people the information they need to protect themselves, and it helps developers make their solutions better.  He also provides a lot of just plain good advice that anyone can use.

One example is a recent blog on web browser security. The blog combines some technical information, but it also gives you information about how to think about web browser security, and why some web browsers are better than others.

He also makes an interesting statement about browser security that I think has corollaries that apply to anyone writing software that needs to be safe. Chris says:

“The security of a given browser is dominated by how much effort it puts into other peoples' problems.”

For those of us who write business applications and security software, I would put it this way:

"In addition to everything else you do to make your solution more secure, you have to include other people’s problems in the scope of your thinking, including the unexpected ways they might use your solution."

Enjoy.

Patrick

Topics: security, Data Privacy

TRICARE: Encryption Could Have Saved the Day

Posted by Adam Kleinerman on Apr 30, 2012 10:44:00 AM

An alarming number of security breaches have occurred in the last decade victimizing families of military personnel, who belong to TRICARE. Since the fall of 2009, over 400 breaches have occurred. At least 500 people have been directly affected and another 50,000 smaller scale breaches have been reported to the government. The community of Palo Alto, California was hit closest to home, when over 20,000 names of emergency room patients were available on an online public forum before the list was discovered by authorities. For several months, all these people were susceptible to a profusion of afflictions such as identity theft, credit card fraud or fraud against Medicare and Medicaid programs. Just one move can financially ruin a family.

One major cause of the breach was that security tapes were stolen from the car of a TRICARE employee, and these backup tapes had people’s private information on them. The big problem, of course, was that after these tapes were stolen, the information was readily available to pirates. There was no encryption, so the information was just there for the taking. If the data on these tapes had been encrypted, TRICARE wouldn’t have to worry about the tapes being stolen and you wouldn’t be hearing about this problem – HIPAA grants a breach notification safe harbor to organizations that encrypt their sensitive data.

If you aren’t familiar with HIPAA (The Health Insurance Portability and Accountability Act), it was established in 1996 and its main focus is to protect the rights to health insurance for families when the wage earner changes or loses a job. Its second objective focuses on standards for electronic health care transactions. With HIPAA, there are legal regulations that the government has put in place to protect our Personal Health Information (PHI). While there is no encryption requirement, it is strongly considered a best practice.

The largest concern when a story like this breaks is for the victims. The Federal Trade Commission (FTC) has published a few tips for individuals who are affected by the TRICARE breach:

  • Don’t willingly give out personal information over the phone unless you know exactly whom you are dealing with.
  • Increase the frequency at which you check over your medical records to make sure nothing looks out of the ordinary.
  • Any fraudulent report you notice should be reported to the police immediately.

The TRICARE breach should be an example of why encryption should be mandatory for organizations that deal with PHI. Not only does it protect the privacy of your customers, but when a breach does happen, HIPAA grants you a breach notification safe harbor.

Learn more about encryption and key management best practices for HIPAA and HITECH Act in our white paper titled "Achieve Safe-Harbor Status from HITECH Act Breach Notification".

Topics: Encryption, Data Privacy, Security News, Security Attacks

New Secure Shell sFTP in IBM i 7.1 (V7R1)

Posted by Luke Probasco on Apr 27, 2012 12:55:00 PM

We have been talking a lot recently about the benefits of FIELDPROC as being the main reason to upgrade to IBM i 7.1 (V7R1). Since IBM recently announced the end of support date for IBM i 5.4 (V5R4), we are seeing many shops planning upgrade projects and discussing whether to move their systems to V6R1 or V7R1. Without a doubt, V7R1 is the correct choice – it is even a fully supported V5R4 upgrade  path from IBM.  So, aside from FIELDPROC, what other security reason is there to skip V6R1?  Simply, the updates to Secure Shell sFTP.  I recently sat down with Patrick Townsend, Founder & CEO, to discuss how these updates can help further secure your data.

Another key security feature in V7R1 is a new version of the Secure Shell sFTP application. How is it different and better?

IBM has been making OpenSSH available on the IBM i for quite some time. We had the ability to install it back on V5R3. It has become a very popular secure file transfer mechanism, especially for financial institutions. We are seeing large commercial banks across the board moving to Secure Shell sFTP for encrypted file transfers. IBM brings the latest version of SSH to each new release and V7R1 is no exception. The latest version has picked up new security features since the V5R4 release, some of which are quite important. I think moving to V7R1 and getting the latest version of Secure File Transfer (sFTP) is really important. We are learning from security professionals at the NSA, NIST, and SANS just how important it is to make sure the patches to our systems are up-to-date. So again, having the latest version of any security technology is imperative, which re-emphasizes skipping V6R1 when upgrading from V5R4.

Download our podcast “IBM i Security: Skip V6R1 and Upgrade to V7R1” for more information on the security reasons that you should go straight to V7R1. Additionally, we will discuss how Townsend Security can help you take advantage of FIELDPROC, a new addition to V7R1, which allows companies to encrypt their sensitive data without changing their applications.

Topics: IBM i, V7R1, SFTP

Commercial PGP Command Line and Our Symantec Partnership

Posted by Patrick Townsend on Apr 25, 2012 5:30:00 PM

Really successful technology partnerships are hard to achieve and therefore are rare. There are so many potential pitfalls in this type of partnership that include conflicting goals, changing market conditions, and on and on. That’s why I am particularly pleased with our partnership with Symantec on the IBM Enterprise platform versions of PGP encryption. This technology partnership now spans more than a decade and several mergers and acquisitions. The level of trust and integration between Townsend Security and Symantec has just gotten better over time, and our IBM i (AS/400, iSeries) customers and IBM System z Mainframe customers have benefited.

One thing that has confused our customers is where they should go to get information and to license PGP Command Line for the IBM Enterprise platforms.

It can be hard to negotiate the Symantec web site to locate the PGP Command Line products. And calling Symantec’s 800 number can be downright disorienting. Symantec provides a large number of security and system management products, and finding the PGP products can be hard. Of course, you can always go to the old PGP web site, and it will re-direct you to the Symantec site. That helps, but not many people know about that little short-cut.

Here is a better idea – you can just go directly to the Townsend Security web site and you will be starting in the right place. Just select the PGP option under products.

IBM System z customers will be glad to know that we’ve partnered with Software Diversified Systems (SDS) to provide sales management and customer support that meets the Mainframe customer’s expectations of knowledge and experience with that platform. Just select the PGP Command Line product under their Products link. SDS and their worldwide partner network have really provided the Mainframe experience and depth of knowledge that customers expect. That’s also been a great partnership.

If you are an IBM Enterprise platform customer, save yourself some time and trouble. Go straight to Townsend Security or SDS for your PGP Command Line encryption solutions.

Patrick

Topics: PGP

How Emory Healthcare Could Have Avoided A Data Breach Notification

Posted by Paul Taylor on Apr 23, 2012 10:17:00 AM

Data breaches in the medical industry are occurring at a greater rate now than ever before. Emory Healthcare recently experienced a significant PHI (Private Health Information) breach and has announced that approximately 315,000 medical records have gone missing.

Included among those records are those of the chief executive officer of the hospital, who has tried to calm public outcry by noting that, to his knowledge, none of the personal information had been used in attempts at identity theft. But the loss is significant because it violates patient privacy rights and could have been prevented if Emory Healthcare was properly encrypting the data.

In total, 10 backup discs for the hospital system have been missing from their storage facilities since mid-February. Within each record was a wealth of information, including patient names, Social Security numbers, and surgical procedures and dates.

Emory has said that it had strong policies in place to protect the personal information of patients. It also attributed the cause of the theft to an honest mistake made by an employee.  However, HIPAA states that an organization is responsible for a breach notification regardless of whether the data was “hacked” or just lost.

As part of their remediation plan, Emory is providing free resources to help patients combat and prevent identity theft. While Emory has said it is revisiting its policies and procedures to better protect patient information, it's unclear if they are making systemic changes that could protect patients even if data is stolen in the future. Regardless of what security measures they take to better protect patient information, the only way Emory -- or any other medical facility -- can guarantee patient information is safe and avoid a breach notification will be to protect it with encryption and key management.

If you are not familiar, AES encryption (the standard for Data at Rest) is a form of data protection that uses an algorithm to transform information in a way that makes it unreadable by other entities. AES encryption that is certified by the National Institute of Standards and Technology (NIST) is used to attain the highest levels of security. Encryption can't be ignored as a security measure.

The second part of the encryption process is managing the encryption key. Only by knowing the encryption key can that information be unlocked and read. When data such as patient information is encrypted with proper key management, it is safe from being compromised by hackers or other entities that steal the information. Without the encryption key, the data is worthless.


With breaches in the healthcare industry up 32% in the last year, it is more important than ever to be encrypting PHI.  Data breaches have dollars lost directly tied to each record lost.  Download our white paper “Achieve Safe-Harbor Status from HIPAA/HITECH Breach Notification” to learn more about how your organization can protect PHI with encryption and key management.

Topics: Data Privacy, HIPAA, Security News

Ensuring Your Social Security

Posted by Adam Kleinerman on Apr 19, 2012 8:53:00 AM

Hundreds of thousands of Medicaid recipients are up in arms about a recent security breach that saw their personal information abducted by hackers. Originally it was reported that 181,000 had their information stolen including 25,000 who actually had their social security numbers taken as well. Currently the report has been updated to a staggering 900,000 and 280,000 respectively. Over a quarter million people on Medicaid had their social security numbers exposed, and many of these victims don’t have the means to hire private investigators or attorneys to right their personal situations.

As many organizations that suffer a breach do, the Utah Department of Health is offering free credit monitoring services for one year to those who had their social security numbers compromised. Other than that, there isn’t much to be done for the breach victims.  Unfortunately, many are still concerned their identities could be stolen among other potential hardships.

To prevent security snafus such as this, the Utah Department of Health should have been protecting their sensitive data with encryption and key management. Encryption would have rendered the breached data useless. The Utah Department of Technology holds millions of its citizens’ personal information and, unfortunately, didn’t take proper precautions to protect it. Alliance Key Manager, our encryption key management HSM, could have provided exactly what they would have needed to avoid a breach. With on-board encryption, sensitive data can be sent to the HSM, encrypted, and then sent back to where the data needs to live. Additionally, Alliance Key Manager also meets regulatory requirements - a hurdle for many companies trying to pass an audit around encryption key management.

When you see a situation like this in Utah, it’s naive to think that hackers can’t access your information in your own home state. But just ask a Medicaid recipient from Utah, and it is clear that these dangers aren’t so far from home. Utah’s governor spoke on behalf of its citizens saying "Individuals provide sensitive personal information to the government in a relationship of trust. It is tragic that not only data was breached, but now individual trust is also compromised."

It’s a difficult situation, but as they try to mend the fences, it is important to audit your own encryption and key management processes to ensure that what happens in Utah stays in Utah.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, as well as the first steps your company should take towards establishing a data privacy strategy.

Topics: security, Encryption, Data Privacy

IBM i (AS/400) – Is it a Legacy Platform?

Posted by Paul Taylor on Apr 17, 2012 12:55:00 PM

Whenever I am asked what Townsend Security does I have to explain that we aren't in the business of deploying security cameras or contracting out shopping mall guards. We are actually a software security vendor for the IBM i (AS/400) platform. It's usually at this point the recipient's eyes glaze over and I am left simply stating that I am in the 'computers' field. On occasion however I will be chatting with a colleague who also works in the tech industry who will scoff when they hear the name AS/400, iSeries, System i (take your pick). Often I'll hear, "Whoa, that's legacy technology. You have customers still using that platform?"

The simple answer is “yes”, many of the companies that we rely on for consumer needs, medical services and entertainment, to name a few, depend upon the stability of IBM's iSeries platform.  It's the system that you rarely have to IPL.  As a matter of fact, I was surprised to learn many of the casinos in Nevada and N.J. run on AS/400's. 

However, despite the pervasive use of the platform, is it legacy?  The AS/400 was introduced in 1988 and is actually younger than the PC!   Much like the PC, IBM rolls out continuous hardware and software improvements to keep the platform stable and secure.   As a matter of fact, I am sure many of you are planning to upgrade your systems as V5R4 nears its EOL date later this year.  Take a look at this blog on why skipping V6R1 and going straight to V7R1 will benefit you.

Security on the IBM i

Townsend Security offers a variety of security solutions to help your business meet regulatory compliance. In addition to our AES encryption and key management offerings for the enterprise platforms, we offer solutions specifically for the IBM i (AS/400). For instance, FTP manager, our secure managed file transfer offering, can automatically transfer PGP encrypted files using sFTP or SSL to banks or trading partners. Or Alliance LogAgent, our system logging solution, can be used to capture all your logs from your AS/400's audit journal and transmit them via UDP, TCP, or SSL to a log collection server, to name just a few.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, as well as the first steps your company should take towards establishing a data privacy strategy.

Topics: Data Privacy, IBM i

Why Did I Fail a Security Audit on My IBM i (AS/400, iSeries)?

Posted by Patrick Townsend on Apr 13, 2012 10:14:00 AM

As security auditors get more educated on the IBM i platform, more customers are having the experience of failing a security audit around encryption key management. CIOs, IT Managers, and System Administrators want to know why this is happening to them now. They ask: why was our approach OK two years ago, and why is it not OK now?

I think I can answer that.

My job brings me into conversations with a lot of companies undergoing security audits under a broad range of regulations including PCI DSS, SOX, GLBA/FFIEC, FERPA, and many others. Security and compliance auditors look to industry standards and best practices for guidance on what their clients should be doing in the area of key management. In the US this inevitably brings them into contact with the National Institute of Standards and Technology (NIST), an agency within the US Department of Commerce. NIST provides a wide set of standards and best practices guidance in the area of encryption and key management.

As you become familiar with the broader set of data security regulations, you start to realize that the one common source they have is NIST. Even if not directly referenced in the regulations, the concepts are largely drawn from work done by NIST, and that is why there are a set of common attributes that auditors look for in a key management implementation.

So, auditors now look for key management implementations based on NIST best practices and standards. Key management best practices can be found in the NIST Special Publication 800-57 (three parts).

One of those best practices is Separation of Duties. This best practice says that the people who manage encryption keys should not be the same people who manage and have access to sensitive data such as credit card numbers, social security numbers, patient data, and so forth. It makes sense – you want as few people as possible with access to sensitive data, and you only want people who have a real need to access sensitive data to do so. The same is true with encryption keys that protect that sensitive data.

On the IBM i platform the security officer and anyone with All Object (*ALLOBJ) authority can access any database file at any time, and can access any locally stored encryption key at any time, regardless of the protections you try to put in place. This is not really a limitation or weakness of the IBM i platform; the same condition exists on other operating systems and platforms, too. No matter what you do, you can’t achieve a defensible level of Separation of Duties if you store encryption keys on the IBM i platform. You can try to mitigate this situation through system logging and similar controls, but you can’t eliminate it.

Auditors have learned this about the IBM i platform.

Separation of Duties is only one problem area with the local storage of keys. You also have to contend with Dual Control, Split Knowledge, key lifecycle management, and a broader set of key management best practices most of which are difficult or impossible to achieve when encryption keys are stored locally.

And that’s the main reason IBM i customers are failing security audits around encryption key management. Download our Encryption Key Management Requirements for PCI white paper to learn more on how you can pass your next key management audit with flying colors.

Patrick

Topics: IBM i, Best Practices, Encryption Key Management

Eye in the Windy City Sky – Is Your Privacy Protected?

Posted by Adam Kleinerman on Apr 11, 2012 7:57:00 AM

Former Mayor Daley’s goal of having a camera on every street corner in Chicago is slowly becoming a reality. The idea behind cameras at intersections is to create additional revenue and increase safety. The cameras take a quick snapshot of your car if you decide to make your trip quicker by zooming through a red light. Current Mayor Emanuel has continued the initiative by blanketing close to half the city with cameras to catch prospective speedsters. With the extra cameras, the Chicago police department is now able to track an automobile by taking a picture of the license plate and following it throughout the city. If proper data encryption practices are not implemented, this could result in a dangerous violation of the average person’s right to privacy.

What happens if the data collected by these cameras is un-encrypted and gets into the wrong hands? What if a hacker gains access to a live stream from the cameras? A whole wealth of personal information could be exposed – creating a huge liability to the city of Chicago.  Currently, little information is being released regarding what data is stored and how the data is protected. Being in the security industry, we hope there is an annual audit that focuses on encryption and monitoring system logs.

AES encryption, key management, and system logging are the best ways to make sure the camera feeds and your personal privacy are kept safe. Encryption would make it impossible for someone to misuse the personal information collected.  Additionally, monitoring system logs would alert administrators if an unauthorized person is trying to gain access.

Chicago citizens with a “need for speed” may be unhappy about the increased surveillance across their city, but without proper security practices in place, a speeding ticket should be the least of their worries.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, as well as the first steps your company should take towards establishing a data privacy strategy.

Topics: Data Privacy

Secure Managed File Transfer: Selecting a Vendor

Posted by Luke Probasco on Apr 9, 2012 1:23:00 PM

Your CIO told you that you need to meet compliance regulations around data in motion on your IBM i (AS/400).  It’s not just a good idea, but customers and trading partners are starting to demand it.  So what do you look for when selecting which Managed File Transfer vendor to trust your sensitive data to?  What separates one solution from another?  I recently sat down with Patrick Townsend, Founder & CEO, to discuss what to look for when selecting a Managed File Transfer vendor.  Here is what he had to say:

There are some common business issues that I would look at when selecting a Managed File Transfer product. First, look at the provenance of the vendor you are buying from. Have they been around for a substantial amount of time? Are they committed to security? If security is not their core mission, it’s very likely that they are NOT going to get it right, and a Managed File Transfer solution really has to get security right.

I think that looking for solutions that are committed to independent certification of their products is paramount. For example, our commercial PGP product, in partnership with Symantec, has been through multiple certifications. As a company, we have been through NIST certifications many times. We have a FIPS 140-2 certified encryption key manager as well. If I were looking for a Managed File Transfer solution, I would really want the confidence of knowing that the vendor knows security, is committed to security, and is comfortable with putting their product out there for independent review. That is how I would look at this from a business point of view.

Managed File Transfer and security in general is about building confidence so that your company can move forward, start new initiatives and build confidence with new customers and trading partners. You want to be sure you are deploying a solution from an established security company committed to NIST standards. Looking at a vendor or a solution, I would look deeper than the feature set of the particular Managed File Transfer product and ask myself, am I comfortable with this company’s security posture and their mission, and do their actions really support what they say is their mission?

Download our podcast “Secure Managed File Transfer on the IBM i – An Introduction” for more information on how your organization can save time and money by securely automating file transfers.

Topics: Alliance FTP Manager, Managed File Transfer, Secure Managed File Transfer, FTP Manager for IBM i, Podcast