Townsend Security Data Privacy Blog

Data Encryption vs. Data Scramble

Posted by John Earl on May 31, 2011 7:40:00 AM

For most organizations, the entire impetus to encrypt is closely tied to the need to be compliant with one regulation or another.  There is the PCI regulation, the HITECH Act of 2009, HIPAA, Sarbanes-Oxley, and a whole host of state privacy laws.  If you are going through the due diligence of database encryption, you sure as heck want to get it right the first time.

A big part of getting it right is using the right encryption tool.  There are plenty of tools on the market that claim to do encryption, and you probably know a clever programmer or two who thinks he can come up with a nifty little data scrambling algorithm that no one has ever seen before. But encryption — real encryption — demands that we reach for a higher standard.

The U.S. Department of Commerce publishes the definitive encryption standard on its National Institute of Standards and Technology (NIST) website, and to date, hundreds of cryptographic providers have achieved this high standard.  As of this writing, NIST has certified over 1,300 AES encryption implementations.

A Fundamental Truth
Cryptographers do not suffer fools lightly.  Their science is mathematically based and their algorithms are well known and well vetted.  A fundamental truth of cryptography is that real encryption cannot rely on keeping the algorithm secret.  Instead the secret that protects the data is the encryption key, and only the encryption key.  Anyone who says different may find themselves on the receiving end of an extra-long mathematical dissertation on the mathematical correctness of accepted encryption algorithms.

When you stop to think about it, this makes perfect sense.  If the world used a secret algorithm to encrypt data, and that algorithm were ever to be discovered, then all the world’s data would be at risk.  But if the key is the one-and-only secret that unlocks the data, then a compromised key only puts at risk the data that was encrypted with that particular key.  All the other data that has been encrypted with other keys is still safe.  This demonstrates both the wisdom of strong (and open) algorithms and the essential importance of strong key protection.

Another benefit of open algorithms is that they are peer reviewed and extremely well vetted.  The AES standard that is the de-facto standard for encrypting data at rest is well known in cryptography and mathematical circles and is recognized the world over as the most effective method for encrypting business data.  Its modes of encryption are well known and proven. And there is a strong body of knowledge about how to correctly implement the AES standard.  From the perspective of a cryptographic (encryption) provider, encryption libraries are not easy to write, but they are known to be solid when implemented according to accepted standards.

Homegrown Encryption
Unfortunately, some software providers seem to have taken a different road. AES encryption must have seemed too difficult, or too cumbersome, so instead they found loopholes and/or shortcuts to simplify their implementation.  Some software providers use untested software, or unique and un-vetted methods of encryption.  These data scrambling methods aren’t (and never could be) NIST or FIPS certified, but if their customers never ask about certification or independent validation, those providers are not likely to raise the topic.

So we are seeing a raft of uncertified and un-vetted cipher methods introduced in the marketplace.  Some, like OMAC, CS, and CWC, have languished on the NIST list of “Proposed Modes” for years, while others, like CUSP, have never even been submitted as a proposed standard.  And while it is possible that one or more of these upstart modes could be better than one of the current, standard modes, there is no way to know this because these new modes have not been properly tested and cryptanalyzed.  Without testing and peer review, each of these modes is just another premature idea that is statistically more likely to be a bad encryption method than a good one.

Show Me the Cert!
Many software vendors are beginning to recognize the value of certifications.  Some claim certifications they don’t actually have (HINT: PCI does not certify encryption software) and some will use confusing language to imply they have achieved levels of certification they haven’t.  Recently I visited a website that claimed (I’m paraphrasing):

Our stuff uses FIPS 140-2 certified algorithms to ensure the highest level of data security.

The NIST AES website displays no record of this company ever having received a certification for any encryption software.  Clearly they recognize the value of certification, but have not yet knuckled down to do the hard work to make it so.  And if you don’t check their supposed “facts,” it’s likely that you’ll soon regret it.

My advice?  When someone claims to be certified for any type of encryption, ask a simple question: “Can you show me the cert?”  It ought to be available on the web, or in paper form that they can show to you so that you know this software has passed an independent evaluation.  If they have a cert, then you can dig down deeper and find out whether the software will fit your needs.  But if they are claiming a certification that they cannot prove, my advice is to keep your hand on your wallet and then run.

For more information on encryption and key management, download our white paper titled "AES Encryption and Related Concepts."
 
Topics: Encryption, Encryption Key Management, White Paper, AES, AES Encryption

Townsend Security's Spirit of Giving

Posted by Kristie Edwards on May 26, 2011 9:46:00 AM

When we walked in the room at St. Martins University, there was a look of amazement in my eyes to see the amount of people involved in our community.  Two hundred people filled the room Tuesday for a lunch put on by United Way for their Spirit of Giving celebration.  Today was not just a lunch date, it was for honoring businesses and community members for their stewardship.  We had the chance to enjoy listening to one of the local high school choir groups and Bill Grace, the director of Common Good Works, speak to us about “Leadership for the Common Good.”  We had a few heartfelt moments during our special lunch, for example when handing out the Gladys Burns Human Service Award.  The award went to a man who has recently passed away, but has left a hand print in the world with his generosity toward Thurston County.  His wife accepted the award on his behalf and explained how his life was spent helping others.

Townsend Security received the award of corporate sponsor of the year, by increasing our donations by 132%.  Here at Townsend, our company matches our donations dollar for dollar to any 501(c)(3) non-profit organization, up to $500 per employee each calendar year.

Patrick Townsend, the Founder and CTO of Townsend Security, is also a board member for the United Way.  He has started a path for this company and its employees to follow in his footsteps by giving back to our community.  Townsend Security is not only an encryption software company providing certified products to our customers and meeting PCI compliance, but also giving back to our community.  We understand the need of giving and United Way is one of the many ways we do that.  

We invite you to take a look at all of the community sponsorships we are a part of.  You can also follow us on Facebook, Twitter, and LinkedIn to see what we are up to next.

 

Topics: Giving, United Way

AES Encryption and NIST Certification

Posted by Luke Probasco on May 24, 2011 7:00:00 AM

What is NIST?

The National Institute of Standards and Technology (NIST) is a US government agency that is a part of the Department of Commerce. The NIST sets non-military government standards for a wide variety of technologies including data encryption. Because the NIST uses an open and professional process to establish standards, the private sector usually adopts NIST standards for commercial use. The NIST is one of the most trusted sources for technology standards.

What is AES?

The Advanced Encryption Standard (AES) is the standard for data encryption adopted by the NIST in 2001. This encryption standard replaced the earlier Data Encryption Standard (DES). The DES encryption standard became weaker due to the advancing power of computer systems. The NIST began a process in the late 1990s to find a replacement for DES. After a lengthy examination of several alternatives, the AES standard for encryption was adopted and codified as FIPS-197. AES encryption is now the de-facto standard for strong data encryption.

What is AES Validation Testing?

NIST sets the standard for AES encryption testing, and charters independent labs to administer and oversee the testing process. Through the National Voluntary Laboratory Accreditation Program (NVLAP) the NIST certifies independent testing labs for the Cryptographic Module Validation Program (CMVP). Data security software vendors administer the tests, validate the results, and submit the results to the NIST for acceptance. Software vendors work with an independent certification laboratory and not with the NIST directly.

The NIST established five methods, or modes, of encryption that can be used with AES. These are Electronic Code Book (ECB), Cipher Block Chaining (CBC), Counter (CTR), Output Feed Back (OFB), and Cipher Feed Back (CFB) modes. There are separate tests for each mode. A software vendor can choose to validate on only one mode, a subset of the five modes, or all modes of encryption. In addition, the NIST defines three key sizes for encryption: 128-bit, 192-bit, and 256-bit keys. A software vendor can choose from one to three key sizes to certify.

Most software vendors choose to certify just one or two modes of encryption, and on one key size. The Alliance AES Encryption products are certified on ALL five modes of encryption, and all three key sizes.

Certification Means Strong Encryption

NIST certification is your assurance that a vendor’s AES encryption solution implements data encryption the right way. There are many ways to use encryption and a wide variety of modes of encryption. Improperly implemented solutions may work for one type of task, but fail under different application requirements. All software vendors claim they implement strong encryption. Can they prove it? Ask them for their NIST certification.

Certification Means Compatibility

One of the biggest challenges facing Enterprise customers is encrypting and decrypting data on a variety of platforms. Data may be encrypted in an Oracle database, then transferred to Microsoft SQL Server, then to an IBM i (AS/400) platform. Computer vendors use different methods of encryption, and different modes of encryption. How can you be sure that your encryption solution will be able to handle all of your requirements?

The NIST certification provides the assurance you need that your software is up to the task. Certified software must work the same way for all of the NIST defined encryption tasks.

The Alliance AES solutions provide even more assurance of compatibility – Alliance AES solutions are certified on all key sizes and all modes of encryption. No other data security vendor provides this level of certified support.

Alliance AES Encryption on Every Enterprise Platform

The modern Enterprise uses a wide variety of server platforms from a number of different vendors. In addition, data is exchanged with customers, vendors, and service providers outside the organization. To meet these challenges the Alliance AES Encryption products are certified and available on all Enterprise platforms including:

•  Microsoft Windows (2000/XP/2003)
•  Linux (SUSE and Red Hat, on Intel and POWER)
•  UNIX (AIX, Solaris)
•  IBM i (AS/400, iSeries)
•  IBM z (mainframe)

All of the certified Alliance AES encryption solutions work the same way on every platform.

Townsend Security is currently offering a free 30-day evaluation of the Alliance AES encryption solution for your platform.

Topics: Encryption, NIST, AES

Tokenization: A Cost-Effective Path to Data Protection

Posted by Luke Probasco on May 19, 2011 10:20:00 AM

As companies work to meet regulatory requirements to protect Personally Identifiable Information (PII), one option to minimize the risk of loss is to replace sensitive data with a non-sensitive replacement value, or “token.”

Tokenization is the process of replacing sensitive information, such as a credit card or social security number, with a non-sensitive replacement value. The original value may be stored locally in a protected data warehouse, stored at a remote service provider, or not stored at all.  The goal of tokenization is to reduce or eliminate the risk of loss of sensitive data, and to avoid the expensive process of notification, loss re-imbursement, and legal action.

There are three primary approaches to tokenization:
    •  Tokens are recoverable and stored by external service providers
    •  Tokens are recoverable and stored locally
    •  Tokens are not recoverable

The first method of tokenization uses external storage of recoverable tokens and is implemented by a small number of credit card authorization networks.

The second approach to tokenization involves the creation and storage of the token on local IT servers. The token is protected by encryption and can be recovered by decryption when it is needed.

The third type of tokenization involves the creation of a token on local IT servers, but does not allow for the recovery of the original value.

If you do not need to store sensitive data in your database systems, tokenization can greatly reduce your risk of data loss. The original sensitive data can still be used to query a database or locate information in a business application. But by not storing the sensitive data, you will not be at risk of losing it.

It is important to note that if you use recoverable tokens you will still have the risk of data loss and will not be protected from any liability for a loss. You will also still be subject to all of the regulations for protecting sensitive information.

Tokenization can be a powerful way to minimize risk in your development, QA, and UAT environments. When moving data to these environments you should always eliminate sensitive data to prevent its loss. Tokenization is an excellent way to do this.

Lastly, if you are a payment systems vendor you may wish to provide tokenization as a value added service to your merchant customers. Not only will you be helping them minimize their exposure to data loss, this can also be marketed as a competitive advantage for your business.

If you would like to learn more about tokenization, we recently presented a webinar titled "Tokenization & Compliance: 5 Ways to Reduce Costs and Increase Security."

Topics: Encryption, Data Privacy, tokenization

Epsilon Data Breach - More Serious Than You Think

Posted by Patrick Townsend on May 17, 2011 12:00:00 AM

I found the data breach of Epsilon just shocking for several reasons:

First, the scope of the breach was astounding. About 2,500 companies are using Epsilon for email communications with their customers, and some of these companies are quite large. Thus the number of email addresses exposed was gigantic. You really have to wonder why those email addresses weren’t encrypted. Anyone would see those email addresses as a high value target. And email addresses are Personally Identifiable Information (PII), after all.

Second, you have to wonder why really large companies trusted Epsilon with their customer information without insisting on good data protection practices.  What were they thinking? When you hand over your data to an outside company, you aren’t off the hook if there is a data loss.  It wasn’t Epsilon who had to send emails and letters to customers. The originating companies bear the cost of that effort, and the business damage that follows.

Third, the loss of an email address is not trivial. It’s true that email addresses are more public than many bits of personal information we have. But email addresses are often used as account identifiers for on-line services. If I have your account ID it is a lot easier to attack your password credential. People are amazingly lax about creating strong passwords. So the loss of emails provides one more weak link in the chain of security for individuals.

Then there are the phishing attacks. If I have your email address it is a lot easier to send you an infected PDF file. I just look on your company’s web site or Facebook page and find the name of your CEO. Then I send you an email with the CEO’s name and an infected PDF. Perhaps I name the PDF “Look at these terrible results!.pdf”. You are probably going to jump to open that one!  So now I have invaded your internal network.

You can see how this can really escalate to bad news for you and your organization.

The lesson for any organization is to do some due diligence with your service providers. Be sure they are protecting your information with the same level of care that you do. After all, you are on the hook if they lose your data.  For more information, download our white paper titled AES encryption and Related Concepts.

 

Topics: Encryption, Phishing, Data Breach, Personally Identifiable Information (PII)

COMMON 2011 - Encryption, Customers, and Education

Posted by John Earl on May 12, 2011 12:43:00 PM

We're just recently back from the COMMON 2011 conference in Minneapolis.  What a great experience for Townsend Security and our IBM i customers.  The encryption and key management sessions that Patrick and I presented were well received and well attended.  Many of the attendees were interested in the mechanics of encryption, and many of those were pleasantly surprised to learn that there is now a way to encrypt database fields without doing massive application program changes.

At COMMON we announced our new Automated Encryption capability that is now embedded in our benchmark AES/400 product.  Automated Encryption allows you to insert encryption at a database level, rather than at the application programming layer, and that greatly simplifies the task of encryption.  Automated Encryption increases the efficacy of encryption too.  By enforcing encryption at the database level, you eliminate the chance that an application program might be unwittingly introduced that might not follow your encryption standard.  Encryption at the database level ensures that every credit card, or every social security number, is encrypted in the database - without the need for additional application programming.

Another bright spot at COMMON was the number of customers that were either already at IBM i V7R1, or were planning to get there in the next few months.  With the status of OS version V5R4 uncertain (its End-of-Support date has been extended by IBM at least twice), there was a lot of discussion about what the right upgrade path is.  V7R1 has been out in the market for over a year, and with great new features like the database FieldProc (Field Procedures) it was encouraging to see how many customers were either already on V7R1, or had immediate plans to move there.  A number of customers that are currently on OS version V5R4 were planning to move directly to V7R1 without stopping at V6R1.  While they don't avoid the problems of program conversion at V6R1, they do get to the stable, current release in one step rather than two.

Finally, it was great to talk to all of the people that stopped by our booth during the conference.  We spoke to over 300 people during the two and a half day expo.  For those of you that asked questions or made data requests, we are in the process of going through our notes and providing the requested feedback - someone will reach out to you soon.  Most everyone else will have gotten an invitation to follow us on LinkedIn, Facebook or Twitter - that's a great way to keep up with what is happening in the encryption world and to stay on top of data privacy trends.  We're always producing new educational material about encryption, key management, and data protection, so it's a great way to stay current on those topics.

And for those of you that couldn't make it to the COMMON conference, you can still follow us on social media, and we hope to see you at a tradeshow in the future!

jte

Topics: COMMON, IBM i, Trade Shows

Encryption vs. Tokenization: Which is Best for Your Business?

Posted by Luke Probasco on May 10, 2011 7:42:00 AM

Encryption and tokenization are the two leading technologies used to protect sensitive data from loss and subsequent breach notification and legal liability. Organizations who try to meet compliance regulations struggle to understand when to use strong encryption and when to use tokenization to protect information. Many organizations will find both technologies helpful in different places in their IT infrastructure.

Encryption protects data by obscuring it with the use of an approved encryption algorithm such as AES and a secret key. Once encrypted, the original value can only be recovered if you have the secret key. The use of strong encryption keys makes it impossible, from a practical point of view, to guess the key and recover the data. Almost all compliance regulations provide a safe harbor from breach notification if sensitive data is encrypted.

Encryption - Protecting Sensitive Data Where It Lives

Encryption is a mature technology with a recognized body of standards, independent certification of vendor technologies, and it undergoes continual scrutiny by the professional cryptographic community. Organizations that deploy professional encryption solutions that have been independently certified (NIST certification) enjoy a high level of confidence in the protection of their data assets.

Tokenization - Protecting Sensitive Data with Substitution

Tokenization works by substituting a surrogate value for the original sensitive data. This surrogate value is called a “token”. The token value does not contain sensitive information; it replaces it, maintaining the original value.  There is one and only one token value for any given original value. For example, a credit card number 4111-1111-1111-1111 might be assigned the token value of 1823-5877-9043-1002. Once this token is assigned it will always be used when the original value would have been used.
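The properties described here (one token for any given original value, no sensitive content in the token) and the "not recoverable" approach from the post "Tokenization: A Cost-Effective Path to Data Protection" can be shown with a keyed one-way function. This is an added example, not Townsend Security's product code; the HMAC-SHA-256 construction, the two keys, the `OrderStore` table and the second card number are assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo keys. In practice they come from a key manager and are
# protected like encryption keys: card numbers have little entropy, so anyone
# holding the key could enumerate numbers and match them to tokens.
PROD_KEY = hashlib.sha256(b"constructed production tokenization key").digest()
QA_KEY = hashlib.sha256(b"constructed QA tokenization key").digest()


def is_digit(ch: str) -> bool:
    return ch.isascii() and ch.isdigit()


def digits_only(value: str) -> str:
    return "".join(ch for ch in value if is_digit(ch))


def tokenize(key: bytes, value: str) -> str:
    """Deterministic, non-recoverable token with the same layout as `value`."""
    digits = digits_only(value)
    if not digits:
        raise ValueError("nothing to tokenize")
    mac = hmac.new(key, digits.encode("ascii"), hashlib.sha256).digest()
    # Reduce the one-way MAC to as many decimal digits as the original had.
    # Truncation means two originals could in principle share a token; at
    # 16 digits that is negligible for this demonstration.
    n = len(digits)
    surrogate = iter(str(int.from_bytes(mac, "big") % 10 ** n).zfill(n))
    # Put separators back where they were so existing field formats still fit.
    return "".join(next(surrogate) if is_digit(ch) else ch for ch in value)


class OrderStore:
    """Order table that never holds a card number, only its token."""

    def __init__(self, key: bytes):
        self._key = key
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE orders (order_id TEXT PRIMARY KEY, "
            "card_token TEXT NOT NULL, amount_cents INTEGER NOT NULL)"
        )
        self._db.execute("CREATE INDEX idx_card_token ON orders(card_token)")

    def _token(self, card_number: str) -> str:
        # Normalise first so "4111-1111-..." and "41111111..." share a token.
        return tokenize(self._key, digits_only(card_number))

    def add_order(self, order_id: str, card_number: str, amount_cents: int) -> None:
        self._db.execute(
            "INSERT INTO orders VALUES (?, ?, ?)",
            (order_id, self._token(card_number), amount_cents),
        )

    def orders_for_card(self, card_number: str) -> list:
        # The presented card number is tokenized and the token is the search
        # key, so the lookup works without the number ever being stored.
        rows = self._db.execute(
            "SELECT order_id FROM orders WHERE card_token = ? ORDER BY order_id",
            (self._token(card_number),),
        )
        return [row[0] for row in rows]

    def rows(self) -> list:
        return self._db.execute(
            "SELECT order_id, card_token, amount_cents FROM orders ORDER BY order_id"
        ).fetchall()


def demo() -> OrderStore:
    store = OrderStore(PROD_KEY)
    store.add_order("A-1001", "4111-1111-1111-1111", 2599)  # number from the text
    store.add_order("A-1002", "5500 0000 0000 0004", 1200)  # constructed sample
    store.add_order("A-1003", "4111111111111111", 800)      # same card, no hyphens
    return store


if __name__ == "__main__":
    s = demo()
    print(s.rows())
    print(s.orders_for_card("4111 1111 1111 1111"))
    print(tokenize(QA_KEY, "4111-1111-1111-1111"))
```

Using a separate key per environment, as with `QA_KEY` here, keeps tokens in a development or QA copy from matching production tokens for the same card.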

Combining Encryption and Tokenization

For most organizations there will be appropriate uses for both encryption and tokenization. Encryption will be the right solution for one set of applications and databases, and tokenization will be the right solution for others.  The appropriate technology will be decided by each organization’s technical, compliance, and end-user staff working together.

In order to ease the development and compliance burden, organizations may wish to source encryption and tokenization solutions from the same vendor. There are many overlapping technologies in both encryption and tokenization, and you will probably want a common approach to both.

If you would like to learn more about tokenization, we recently presented a webinar titled "Tokenization & Compliance: 5 Ways to Reduce Costs and Increase Security." 

Topics: Compliance, Encryption, tokenization

Security in the Cloud

Posted by Patrick Townsend on May 5, 2011 9:37:00 AM

We've been tracking the growing need for encryption and key management to secure the mass of data that is (or soon will be) residing in the Cloud. To address this issue, a security group was recently formed that is completely focused on Cloud security. If you’ve not visited the Cloud Security Alliance web site, it is well worth a visit at www.cloudsecurityalliance.org.

The alliance has attracted top tier talent in the security and audit communities, and has published guidance on issues that should concern anyone considering deploying Cloud solutions.

The guide covers three basic models of cloud deployment – IaaS (Infrastructure as a service), PaaS (Platform as a Service), and SaaS (Software as a Service). It goes on to discuss the necessary differences to approaching security in the Cloud. It’s a nicely done, high-level guide to security in the cloud.

Section 11 in the guide is on encryption and key management, which is the focus of our company and products. Their recommendations on encryption are spot-on. Because of co-tenancy and shared resource management on cloud platforms, security professionals recognize that there is an elevated risk of loss. Cloud users need to take extra steps to protect sensitive information: encrypt data in motion, even between different applications and environments on the same cloud; encrypt data at rest and in archival storage; and encrypt data on backup media and ensure that you have access to the encryption keys in a non-cloud environment.

The recommendations on key management are also very interesting. The alliance has recognized that weak key management is much more of a problem in Cloud environments. Here is a sample and summary of some of their recommendations (you can get the full report at their web site):

Key stores must themselves be protected in storage, transit, and backup. Encryption keys should never be stored in the clear, and keys should never be stored on the platform where they are used.

Access to keys should be controlled, and the users of encryption keys should not be the ones storing and managing the keys. This means you should never use native operating system account management as the access control mechanism for key management.

Secure backup and recovery of key management systems is more important. There are special requirements for backing up key management systems.

Segregate key management from the cloud provider to avoid conflicts in the event of legal disclosure requirements. This will be a real challenge for companies that use Clouds for substantially all of their operations.

Ensure that encryption adheres to industry and government standards. Of course, the only way to ensure adherence to standards is to insist on NIST certification of encryption and key management solutions. For example, FIPS-140 certification should be a requirement for a key management solution.

These are just some of the recommendations in this important guidance. If you are considering the Cloud as a home for your applications and systems, this guide is definitely for you.

For further information, we have produced a podcast titled Key Management Best Practices: What New PCI Regulations Say.

Patrick

Topics: security, cloud

The Magic at Townsend Security

Posted by Kristie Edwards on May 3, 2011 7:53:00 AM

The other night I went to my very first WLC meeting.  WLC is a part of United Way; it stands for Women's Leadership Council.  WLC’s mission is to positively impact the lives of women in our community by promoting self sufficiency and financial stability through philanthropy and community service.

We went around the table and introduced ourselves.  There were many different job titles named: financial advisor, real estate consultant, partner sales rep, and several others.  After we broke the ice (and secretly judged one another), we touched on all the subjects that women usually talk about: our children, significant others (what they are and are not doing), work and all the other stresses in our lives.   One lady suggested we do something that she does with all of her clients to help get to know them better and asked us, “What is your magic? What is it that sets you apart from everyone else in this world?”
   
Well shoot!  What is my magic?  And for that matter, what is Townsend Security’s Magic - what sets us apart from the competition?

Our mission at Townsend Security is to provide our customers peace of mind when it comes to data privacy.  We help them do business securely and provide their customers peace of mind.  The way we deliver peace of mind is our magic, it is what sets us apart from any other encryption and key management company.  Our magic.... drum roll please.... is a combination of innovation, experience and our commitment to be known as more than just a data privacy company.  

Our independently certified solutions are developed by experts. The team at Townsend is well-known and well-respected in the industry. We understand the issues around data privacy and compliance and use that knowledge to create and support our solutions. We believe we should be the experts in data privacy so our customers can be the experts in their own industries. No one wakes up and says they want to start an encryption project and no project is the same - so when the time comes we are ready to listen to the problem that needs to be solved and deliver the right solution.

In addition to data privacy, Townsend Security is locally known for its commitment to the community.  We are a proud supporter of the United Way and many other local non-profits.  In fact, we were just named the "2011 Corporate Supporter of the Year for Small Businesses" by the Thurston County chapter of United Way.  It is great to work at a company that not only says they want to make their community better - they actually do it and encourage all of its employees to do the same. This is how I became involved with the WLC, which gets back on track about the question posed to myself that night.   My magic, well... it is everything WLC stands for: a hard-working young woman, who is graduating from college, raising a small child and doing it all with a positive attitude.

The phone is ringing, so back to work I go. Time to share more of that Townsend magic (and my own) with one of our customers.  And if they haven’t read this blog post yet, I’ll send it their way.  We want our customers and our community to know how seriously we take our commitment to providing peace of mind in the solutions we sell and in the service we provide.  We know that everyone has their own magic and brings something unique to the table - let us know what yours is.

Topics: Encryption, Encryption Key Management, Community, United Way

PGP Encryption: 6 Things You Need to Know

Posted by Luke Probasco on Apr 28, 2011 11:49:00 AM

Pretty Good Privacy (PGP) is the de facto standard for encrypted file exchange among the world’s largest financial, medical, industrial, and services companies. Based on open standards and tested by time, PGP has won the trust of governments and private enterprises to protect their sensitive data.  Here are the six key things to know about PGP encryption for your IBM i and IBM z platforms, and how to discuss them with your technology providers:

1) Always encrypt and decrypt sensitive data on the platform where it is created. This is the only way to satisfy regulatory audit and privacy notification requirements.

Moving data to a PC for encryption and decryption tasks greatly increases the chances of loss and puts your most sensitive data at risk.  In order not to defeat your data security goals it is important to encrypt and decrypt data directly on the IBM i or IBM z.

2) The best PGP encryption solutions manage PGP keys directly on the IBM i or IBM z without the need for an external PC system, or key generation on a PC.

Using a PC to generate or manage PGP keys exposes the keys on the most vulnerable system. The loss of PGP keys may trigger expensive and time-consuming privacy notification requirements and force the change of PGP keys with all of your trading partners.

3) The best data security solutions will provide you with IBM i and IBM z automation tools that help minimize additional programming and meet your integration requirements.

Most Enterprise customers find that the cost of the software for an encryption solution is small compared to the cost of integrating the solution into their business applications. Data must be extracted from business applications, encrypted using PGP, transmitted to a trading partner, archived for future access, and tracked for regulatory audit. When receiving an encrypted file from a trading partner the file must be decrypted, transferred to an IBM i or IBM z library, and processed into the business application. All of these operations have to be automated to avoid expensive and time-consuming manual intervention.

4) PGP is part of a comprehensive data security plan.

PGP encryption is ideal for exchanging data with trading partners, banks, insurance companies, benefits providers, and many other external partners. Its ability to run on any computing platform makes it ideal for this type of secure data exchange.

5) PGP helps meet data privacy compliance regulations.

Even if your company is not directly subject to PCI and other similar regulations, you will soon find that your customers who are subject to these laws will require that you be in compliance, too. As the financial auditing profession matures, auditors realize that their customers cannot meet regulatory requirements unless their suppliers meet these requirements.

6) Choose the trusted leader in data security.

When PGP Corporation selected a partner to bring PGP version 9 to the IBM i, POWER Linux, and IBM System z platforms, they selected Townsend Security as their exclusive partner. PGP Corporation’s knowledge of Townsend’s history with PGP on the IBM i and IBM z platforms made Townsend Security the natural choice.

Click the button below to download a free trial of PGP for the IBM i or IBM z from Townsend Security.

Topics: Compliance, Encryption, PGP