Townsend Security Data Privacy Blog

Data Privacy Day (January 28, annually) is an annual international celebration designed to encourage awareness about privacy and education on best privacy practices.  Sponsored by companies such as Intel, eBay, and Google, the day is designed to promote awareness on the many ways personal information is collected, stored, used, and shared, as well as education about privacy practices that will enable individuals to protect their personal information.  

As a data privacy company, this day is almost like our birthday – a day for the IT world to focus on our slice of the pie (can we celebrate Data Privacy Day with pie too?).  It also is a time to reflect on some of the data breaches that made news headlines in the previous year – “is my organization making some of the same mistakes?”

In honor of Data Privacy Day, StaySafeOnline.org has published a document titled “Stop. Think. Connect” that gives tips and advice on keeping your personal information safe.  Here is some of their advice:

Protect Your Personal Information

• Secure your accounts: Ask for protection beyond passwords.  Many account providers now offer additional ways for you verify who you are before you conduct business on that site.
• Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.

Connect with Care

• Get savvy about Wi-Fi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine.
• Protect your $$: When banking and shopping, check to be sure the sites is security enabled.  Look for web addresses with “https://” or “shttp://”, which means the site takes extra measures to help secure your information. “http://” is not secure.

Keep a Clean Machine

• Keep security software current: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.
• Automate software updates: Many software programs will automatically connect and update to defend against known risks.  Turn on automatic updates if that’s an available option. 

By following these few tips your personal information/data will be more secure than ever.  We also urge you to think about who you give your personal information.  Do you think twice about whether it is being properly protected?

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person.  Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII, as well as the first steps your company should take towards establishing a data privacy strategy.

 

During our monthly webinars we receive some great questions that we like to share with our blog readers.  Our most recent webinar titled “Secure Managed File Transfers on the IBM i” discussed meeting compliance regulations, as well as how to automatically transfer files to trading partners using sFTP or SSL FTP.  While on the topic of secure transfers, one attendee asked the following question that Patrick Townsend, Founder & CTO, was able to answer:

A public/private key pair is needed for SSH/sFTP Transfers.  Does the Alliance FTP Manager exchange keys with the destination server?

Yes, SSH as a technology, implements a number of ways to secure and authenticate connections.  Public/Private Key or PKI implementation is a part of that.  Also password authentication is an option within the SSH world too.  Looking back over the last few years, public/private key based encryption has predominately been the rule with SSH and sFTP Transfers.

Recently, there has been an interesting migration with a trend of moving to a password-based authentication for sFTP sessions, and I understand why.  Many large institutions have a big task of managing all of their Public/Private key pairs.  If you are transferring just one file outside of the company, like to a bank, then there is not really much of a problem.  But some of our customers use thousands of keys within their IT environment, which becomes very difficult to manage. 

Alliance FTP Manager supports Public/Private key based authentication as well as “password based” authentication. Usually, your trading partner is choosing the authentication for you, but we do support both models.  

There is another aspect to this question and that is the key exchange, which can be a bit of an administrative nightmare.  We have really tried to help our customers by automatically pulling in a remote SSH severs Public Key into the proper files on the IBM i.  Additionally, we have developed utilities that make that a matter of selecting on option in a menu.  In some cases you still have to send a public key to your partner, but we have done a lot to help manage the PKI infrastructure exchange that needs to happen.  From an administrative perspective, you don’t want to be emailing keys around all over and we have done a lot to help make secure managed file transfers an easy process. 

View our webinar “Secure Managed File Transfers on the IBM i” for more information on automatically transferring files to business partners while meeting compliance regulations.

 

Meeting compliance regulations on your IBM i for securing data in motion doesn’t need to be difficult.  They all have the same overlying theme – encryption.  PCI DSS requires encryption when transferring files over the internet and WiFi networks.  HIPAA/HITECH says that encryption is the only Safe Harbor from a data breach.  While failing to comply with these regulations can financially impact your organization, the good news is that with just a few core encryption components, you can easily satisfy these requirements.

There are a handful of core components to look for when deciding on a managed file transfer solution for your organization.

• SSL FTP with 128-bit encryption
• sFTP with 128-bit encryption
• PGP file encryption with 2048-bit keys
• Audit trails

Our Alliance FTP Manager not only contains all of these components, but also enables users to automate their managed file transfers.  Alliance FTP Manager provides several automation functions to help you exchange files without human intervention.  Users can automatically transfer files using Secure Shell sFTP or secure SSL FTP to banks, insurance companies, benefits providers, payment networks, and any other internal or external server.  The transfers are encrypted to meet compliance regulations (such as PCI DSS, HIPAA/HITECH, and privacy notification laws).  Additionally, audit trails and system logs provide the permanent history needed for compliance regulations.

Finally, Pretty Good Privacy (PGP) is the de facto standard for file encryption before transmission to a trading partner.  Based on open standards and tested by time, PGP has won the trust of governments and private enterprises to protect their sensitive data.

Are you ready to get started?  Download a 30-day evaluation of Alliance FTP Manager, configure it, and send your first encrypted file transfer in about an hour. Sending and receiving encrypted data just doesn't get any easier.

As the social revolution moves into the business world, protecting your data is more important than ever.  This was a key takeaway for attendees of the recent “Dreamforce to You” event in Seattle, WA, hosted by Salesforce.

Similar, yet smaller in scale to the Dreamforce conference held annually in San Francisco, this event brought together sales and marketing professionals who use Salesforce.com (a cloud-based Customer Relationship Manager) to see what is new with the CRM, how it can help you do your job better, as well as allow attendees to network with peers.  Additionally, Peter Coffee, an IT visionary who acts as the VP and Head of Platform Research at Salesforce.com, delivered an inspirational keynote titled “Toward the Social Enterprise: Trust; Vision; Revolution”.

The focus of both Dreamforce and “Dreamforce to You” is that by and large  business is embracing the social revolution.  Whether you are Bank of America and helping your customers find the nearest ATM or are collaborating with co-workers internally using social tools, businesses are migrating to the social world.  During the keynote, Peter Coffee presented a slide titled “Social is a model, not an app.”  By being social, businesses are able to work more efficiently and reach more customers in ways that were never thought possible.  “Salesforce is not just using social tools but instead is driven and formed by the social network.”

As Peter Coffee continued to discuss cloud computing, the future of IT platforms, and how businesses are “going social”, he conveyed a key concept – companies need to protect their sensitive information.  

We couldn’t agree more.  As a security company, this is something we have been saying since the beginning.  We have offered NIST-validated AES encryption for all the major enterprise platforms for over ten years, been securing managed file transfers with PGP encryption, and recently stepped up our game with a FIPS 140-2 compliant encryption key management HSM.  Simply put, we are helping organizations protect their sensitive information and meet compliance regulations with certified encryption solutions.

Occasionally we hear “I don’t need encryption, nothing can get inside my network” (De-Perimeterization concept). The truth is, no matter how many of the latest and greatest network security devices you implement, there is still nothing as fail-safe as properly encrypting your data.  As keynote speaker Peter Coffee would say about investing in the wrong technology, “doing it better is still doing the wrong thing.”

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person.  Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII, as well as the first steps your company should take towards establishing a data privacy strategy.

I recently had a conversation with one of our customers about the automatic encryption webinar they attended.  The webinar demonstrated how companies can implement AES encryption on their AS/400 without making application changes. This customer currently has our managed file transfer solution, FTP Manager with PGP encryption, and was confused as to why they would need AES encryption if they were using PGP. I explained that PGP encryption protects data in motion - when it is transferred outside his company. If he was storing data on his AS/400, he would need AES encryption to protect his data at rest.

AES Encryption
AES encryption is the standard when it comes to encrypting data in a database. Advanced Encryption Standard (AES) has been adopted as a standard by the US government and many state and local agencies. AES is the recommended encryption method for PCI, HIPAA/HITECH, GLBA and individual state privacy regulations. AES encryption uses an encryption key to encrypt the data. Typically, this key is stored on the AS/400 and used when the data needs to be decrypted.  To side track here a little, this is not a good idea. Leaving your encrypted data and keys in the same place is like leaving the key to your house under your door mat. If you want to learn more about why this is a bad idea, take a look at this blog article on the topic.

PGP Encryption
PGP encryption is the standard when it comes to encrypting files that need to be transferred. Pretty Good Privacy (PGP) is the standard for encrypted file exchange among the world’s largest financial, medical, industrial, and services companies. Also know that when encrypting a file with PGP, you may be using AES encryption.  

AES encryption and PGP encryption solutions work together to ensure that all your sensitive data is secure. AES will protect data at rest within your organization and PGP encryption keeps it secure when it is sent outside your company.

I hope this has been helpful in better understanding the differences and similarities of PGP encryption and AES encryption. Learn more about AES and PGP encryption with the webinar "Automatic Encryption on the IBM i" that spurred this conversation or the whitepaper "AES Encryption and Related Concepts". 
 

 

 

I’ve been writing about encryption performance lately because our customers and potential customers have been asking about the impact of encryption on the overall performance on their systems.  It’s good that they are asking these questions as a poorly performing encryption library can have severe impact on your application environment. This is especially true on an IBM Enterprise platform like the IBM i (formerly known as AS/400 and iSeries) where customers often run multiple applications.

While it is common in the Microsoft, UNIX, and Linux worlds to segment different applications onto different physical servers, it is common in the IBM i world to run many applications on the same server. You typically find CRM, ERP, web, and many other applications happily co-existing on one IBM i server. But this means that a poorly performing encryption library will have a ripple impact on all of these applications, and not just one.

IBM provides a no-charge, AES software encryption library on the IBM i platform that developers can use to encrypt data. It implements all of the standard AES key sizes (128, 192, and 256) along with a variety of other encryption algorithms, both open and proprietary.  I don’t believe the software library has been independently certified to the NIST standards, but I believe that it properly implements the AES encryption algorithm.

But how does it perform?

We did a simple little comparison test of encrypting 1 million credit card numbers on an entry level IBM i model 515 server with a single processor. We compared the native IBM AES library with our own AES encryption library which is NIST certified and optimized for encryption.  The difference is very large. Our IBM i encryption library clocked in at 116 times faster than the native IBM i library. Note that this is an informal test and not independently verified, but practical experience by our customers is very similar.

What does this mean in terms of application performance when you add encryption to the mix? The math is pretty simple. An encryption task that takes 10 minutes with our library will take several hours with the IBM library. That’s painful. And all of the other applications that share this system will also feel the pain.

The problem is not limited to just an occasional developer at an individual customer site. Some vendors of IBM i software use the IBM encryption libraries, too. So you can be inadvertently using the poorly performing libraries without knowing it.

Often I see IBM i customers trying to fix an encryption performance problem by adding additional processors to their servers. This can be expensive, and usually involves software license upgrade fees. It can also not have the impact that you might think. Due to the way that encryption works, adding a second processor usually will not double your encryption throughput. Another bit of disappointment and extra cost.

It is usually not hard to fix an encryption performance problem if you catch it early. If you’ve take a modular approach to the implementation, you can usually swap out one module for another without too much difficulty. You just don’t want to be doing that for hundreds of applications.

For more information on AES encryption, download our white paper "AES Encryption and Related Concepts" and learn about how proper encryption and key management work together to secure your data.

Patrick

Recently, Townsend Security hosted a donation drive for the YWCA’s “The Other Bank”.  The Other Bank provides items to low income families in Thurston County, where Townsend Security is headquartered.  They collect a variety of things to help families in need - for example; diapers, toilet paper, dish soap, deodorant, etc.  From the The Other Bank’s website:

THE OTHER BANK offers assistance to over 100 families each week, representing 350-450 individuals; one-third of whom are younger than thirteen and half of those are under the age of 5. We also provide supplies to clients who are disabled, elderly, or otherwise housebound, averaging approximately 10-20 individuals monthly with the aid of their caregivers or chore workers. The average income for a family of four who use THE OTHER BANK is $650 a month. Family circumstances vary; there are families who are homeless, receiving unemployment benefits, and others who are working minimum wage jobs. All are struggling to make ends meet and would have to go without the items we distribute if we did not have them available.

At Townsend Security we wanted to give back to our community during this holiday season and when I learned about this organization, I knew that everyone in the office would want to help.  I asked the The Other Bank what was most needed and decided that the best way to help was to conduct a hygiene drive.  Our team rose to the occasion and helped to donate nearly $600.00 worth of hygiene products.  This is our first annual donation drive and we are hoping to do more next year.

Without organizations like The Other Bank, there are a lot of people that would go without.  In an earlier blog post this year, I mentioned how great it is to work at a company where the community is so important.    It is great to work at a company that not only says they want to make their community better - they actually do it and encourage all of its employees to do the same.  Working at Townsend Security has inspired me to be a volunteer at the YWCA and I have put in over 20 hours these past few weeks.

How have you paid it forward this year?  Please share your stories to help inspire new ideas.

We invite you to take a look at all of our community sponsorships that we are a part of.  You can also follow us on Facebook, Twitter, and LinkedIn to see what we are up to next.

I recently attended a webinar for accountants on the importance of IT security.  The webinar discussed findings from the newly released 2012 Global State of Information Security Survey®, a worldwide study conducted by Pricewaterhouse Coopers, CIO Magazine and CSO Magazine.  They used the information from the survey to make two important points

1. IT security isn’t just the responsibility of the compliance officer and IT department, everyone in the organization is responsible for keeping corporate assets secure - all of us, even those in accounting, customer service and sales play an important role in data privacy.  
2. IT security is not just a project with a due date for completion, it is something all of us must remain diligent about.  

Some of us have access to sensitive customer information or account numbers, while others may be collecting credit card information to process payments.  Sure, our IT department implements safety policies, installs security software and sets access rules and passwords to give us access to data we need to see.  But do we stop and think about what information is on our laptop before we take our laptops home or what files might be on that USB drive?  We need to think about the information that we email or send outside the company and think twice about the way we send it, especially if we think the information could cause damage if it landed in the wrong hands.

The companies used for the survey all felt they implemented strong controls around access to their data, but nearly all of them had some sort of budget allocated for additional resources because they know they need to do it better.  Interestingly, the confidence level these companies felt about their security strategy had declined over the years due to the increase in use of mobile devices and social media, which have introduced new risks and challenges for companies.  In 2009, 73% of the companies surveyed felt they had a good security strategy in place, however, in 2011 that fell to only 53% feeling confident about what they are doing.

It was very apparent to me after viewing this webinar that the adoption of mobile devices by employees and the acceptance of social media has made IT security everyone’s responsibility.  Key take-aways for me from this webinar – we all need to be thinking about how we keep information that our company entrusts with us secure.  We need to follow company policies and procedures and be diligent. We are all in this together.

For more information on data privacy, we have put together a podcast titled "Data Privacy for the Non-Technical Person."  Let us know what you think.

Periodically people ask me about hashes and why the use of a salt value with a hash is recommended. Let’s have a look at this topic in our last blog for 2011!

The use of a secure hashing algorithm is common in business applications. It has a variety of uses in the areas of authentication, data integrity, and tokenization. A hash method is sometimes called one-way encryption, but this is a bit of a misnomer.  It is true that you can’t reverse the result of a hash operation to recover the original value (thus it is one-way), but it is not formally an encryption method. This one-way property of hash methods is what makes them so useful. You don’t have to worry about sending a hash value across a network in the clear as it can’t be reversed. (At ease you crypto people, I know about the developing security concerns about SHA algorithms; more on that later).

While there are a number of hash algorithms available in the public domain, most security professionals recommend the use of the SHA-2 family of routines. I find that most people now use the SHA-256 algorithm when they want to create a one-way hash of some data, although the more secure SHA-512 method is being used more frequently. Older methods such as MD5 and proprietary hash methods should not be used in modern applications due to security concerns.  With SHA-256 and SHA-512 we have a really good method for doing one-way hashes.

So why do some security professionals recommend the use of a salt value with hashes, and what is salt?

The term salt refers to a one-off value that is difficult to guess. In practical application, a random number is generally used for a salt value. For the sake of this discussion, we will assume that a salt value is a random number.

By adding a salt value to some data before hashing it, you make it more difficult to guess the original value. Notice that I didn’t say you make it easier to reverse! For all practical purposes, you can’t reverse a hash value. But a clever attacker might guess at the original value and perform a dictionary or brute force attack on a hashed value. How can that be?

Well, take the example of your banking PIN code. It might be 4 or 5 digits in length. From the point of view of modern computers, that is a really small set of numbers to test against a SHA-256 algorithm. Only 9,999 values for a 4-digit banking PIN code. That is going to take less that a second to run through all of the possibilities. So this is where a salt value can come in handy. If you are creating a hash value of very small bit of data, you can append a salt value to the original data and make it really hard to attack that hash value. And that’s why using salt with your hashes is often a recommended security practice.

By the way, even though credit card numbers are only 16 digits in most cases, that is still a small number in computational terms. And once you account for BIN codes and LUHN check digits, credit card numbers are effectively smaller than 16 digits. This is why PCI and other regulations require or recommend the use of salt with hashes.

If you do use a salt value with a hash, you have to take care to protect the salt value from loss. You should take as much care about protecting the salt value as you take with encryption keys. If someone knows the salt value you’ve lost your advantage. Also, you should be sure to use a salt value that is large enough to provide good security. A 128-bit salt value is adequate for most business applications.

As I hinted at above, there have been some developments in attacks against the SHA-2 family of hash algorithms. I don’t think these attacks rise to the level of a practical concern in business applications, but the professional cryptographic community is hard at work on new hash methods. I think you should continue to use SHA-256 with confidence, but you should salt that hash for added protection!

Happy Holidays!

Patrick

Be sure to follow us on Facebook, Twitter, and LinkedIn to stay up to date on the latest technology and news about data protection.

   

At Townsend, we have a lot of conversations with customers and prospects about data privacy, compliance requirements and best practices for IT security in general.  We have written numerous articles on these topics and posted them on our blog.  As the end of 2011 quickly approaches, we thought it would be worthwhile to list out our most read articles of the year.

Listed below are the top five read articles from the past year:

• AES Encryption Flaw - Calm Down
  
• PCI DSS 2.0 and Encryption Key Management
  
• Encryption and Key Management in a .NET World
  
• IBM i FIELDPROC Surprises
  
• RSA Encryption Key Size Requirements Change in 2011

We aren’t surprised that the articles on these topics; encryption, key management and PCI compliance are some of the most read on the blog.  We spend the majority of our days talking to people about these topics and helping them solve challenges around data privacy and compliance.  In fact, many of the conversations we have lead to new products and product enhancements.    

In 2012, we encourage you to talk to us about what you need and what you are doing at your company to protect sensitive data.  Subscribe to our blog, like us on Facebook, follow us on Twitter or join us on LinkedIn.

We hope you find the articles listed useful and that it inspires you to think of topics you would like us to write on for 2012. Thank you for your readership in 2011!

We are already preparing and looking forward to sharing more about data privacy in 2012.  

Happy Holidays!!