Townsend Security Data Privacy Blog

4 Best Practices to Prevent a Data Breach

Last year a massive data breach at Wyndham Hotels was revealed to have exposed payment card data of over 600,000 customers during three breaches over two years. This has resulted in massive, ongoing litigation from the Federal Trade Commission (FTC).

In a few articles I read about this breach, recommendations were offered to hotels and payment application ISVs who provide payment software to prevent a data breach from happening to them. Much of these suggestions were variations on a theme: use strong passwords, reset passwords often, use strong firewalls, and get compliant with PCI-DSS or PA-DSS.

There’s nothing inherently wrong with those recommendations. In fact, these are good recommendations. However, businesses in the hospitality and retail industries should know these three facts: Firstly, passwords and firewalls will not keep an intelligent hacker out of your network. They will also not help you if a hard drive or backup tape containing sensitive data is lost or stolen. Lastly, it is possible to get under PCI compliance and still be vulnerable to a breach.

Victims of a data breach will often blame the regulations for not using specific language around how to adequately protect data. Unfortunately, there is some truth to these complaints. Many data security professionals would agree that cyber security regulations do not mandate strict enough guidelines around the protection of sensitive data. For example, the Payment Card Industry Security Standards Council (PCI-SSC) sets forth a set of regulations and recommendations for the protection of credit and debit card-holder data called the PCI Data Security Standards (PCI-DSS). PCI-DSS mandates the use of strong encryption and secure protection of encryption keys for encrypted data at rest or data transferred across networks. However, PCI-DSS does not give specifics on how to manage keys securely and in a way that will prevent a data breach. Thus, many businesses use poor key management and are still at risk for a breach.

PCI-DSS Section 3 puts hospitality businesses on the right track by mandating encryption and key management; protecting the data itself is a critical step to preventing a breach. However, several best practices need to be utilized in order for encryption to do its job. It’s not enough to encrypt--you must protect your encryption keys using these critical steps:

1. Use a dedicated hardware security module (HSM) or virtual appliance. Using an external, secure key server to manage encryption keys is critical to success. Many companies store their encryption keys on the same server as the encrypted data. If an intruder gains access to this server, they will have access to the key and will be able to decrypt the sensitive data.
2. User certified solutions. When choosing a key management solution, look for NIST validation and FIPS 140-2 compliance. These certifications ensure that your key manager has been tested by a third-party against government standards.
3. Use Dual Control, Separation of Duties, and Split Knowledge. These access controls ensure that no single person alone has total access to or management of encryption keys or the encrypted data it protects.
4. Document Key Lifecycle and Rotation. Your key manager should be able to automatically or manually rotate encryption keys with complete documentation of key rollover and history.

In the articles I’ve read on the Wyndham data breach and FTC litigation, there is almost no mention of the need for encryption, despite the fact that encryption is a primary control mandated by PCI-DSS. It was even revealed that Wyndham had stored cardholder data in the clear (meaning unencrypted), and yet few articles pointed out this massive failure to protect the data itself. While strong passwords and firewalls are considered a fundamental step to preventing unwanted intrusions, most data security experts now agree that with simple attacks such as SQL injection and malware phishing hackers can easily break these barriers. The only way to truly protect data is to protect the data itself, with encryption, and protect encryption keys away from the data.

To learn more about encryption key management, download the eBook, “Encryption Key Management Simplified.”

Most encryption discussions start with my customers asking about the algorithms available. My usual response is "That's a great question. But talking about that now is like worrying about how to dispose of a bomb before disarming it." The point I'm trying to make is that effective encryption algorithms are required, but not sufficient. If you don't have robust, secure key management, encrypting data is a waste of resources regardless of the algorithm used. Therefore, the first place to begin any new encryption project is key management.

So what does a robust key management solution enable? Good key management systems have, in my mind, three functional, must have components:

1. Key generation and storage management,
2. Secure key distribution
3. Standards compliance

All of these need to be provided in a manner that provides tight control by a select few encryption key administrators who don't also have access to the encrypted data.

At first glance, key generation may seem relatively easy. Just generate a key of the appropriate length and store it somewhere. But that's only a piece of the problem. First, best practices says that no person should know the key and no one person should be able to generate a new key and put it into use.

Second, unlike military secrets on the battlefield, data encrypted today may need to stay protected for years or even decades. But the longer data remains encrypted with the same key, the higher the risk of that data being compromised. Best practices address this by implementing key rotation (i.e. generate a new key, unencrypt data encrypted with the old key, and re-encrypt with the new key).

The next important area for a good key management solution to address is key distribution. One aspect of key distribution is secure storage, retrieval and transmission of keys. Key management solutions must make it easy for approved application and system interfaces to work with unencrypted data while not exposing the keys to those interfaces or to any human users of the system. Good key management solutions typically use a hierarchy of keys (such as key encryption keys and data encryption keys) to help enable this function.

Another aspect of key distribution is authorization. While operating systems can be used to specify which people are allowed to access data in a database, they do not provide mechanisms to indicate whether encrypted fields in the database should be decrypted or not. Consider a scenario where Joe has access to the CUSTMST database because he runs a specific application. Joe's job does not require him to access customer credit card information, which is encrypted. The application does not show Joe this information so it isn't a problem from that point of view. But what if Joe uses DBU or ODBC to access the database? Good encryption solutions allow an administrator to indicate if Joe is allowed to view decrypted data and will enforce the decision of the administrator by not decrypting information for the user JOE (or Joe user? :-) ).

Of huge importance for good key management solutions is government and industry standards compliance. Any key management solution worth their salt will be compliant with any standards that affect your organization. While uncertified solutions may be compliant, there is no way to tell if they haven't been certified by an appropriate third-party as compliant.

I recently collaborated with Patrick Townsend of Townsend Security on a white paper discussing the topic of encryption standards compliance on the IBM i. You can download a copy of it here.

Finally, good key management solutions provide the functionality discussed above in an easy to use package. What does "easy to use mean?" It means that business logic programmers and system administrators are not forced to become crypto experts or to learn the internals of the key management solution in order to efficiently and effectively implement encryption in your organization.

So when you begin your quest to implement encryption on your system, start by looking for the qualities of good encryption key management described here. Only after you find one should you begin to worry about the technical details associated with the encryption algorithms supported by that solution.

About the Author
Patrick Botz is the President and CTO of Botz & Associates. Patrick’s expertise includes security strategy, security policy enforcement, password management and single sign-on (SSO), industry and government compliance, and biometrics.

Previously as Lead Security Architect at IBM and founder of the IBM Lab Services security consulting team, Patrick achieved intimate knowledge of system security capabilities and pitfalls on a broad spectrum of platforms, with special emphasis on IBM i (formerly AS/400), AIX, Linux and UNIX operating systems.

What do business executives need to know about encryption key management best practices? As it turns out, CEOs don’t need to know every tiny detail about encryption and the tools used to protect encryption keys, but they do need to know enough to protect their business and mitigate major risks.

Just like financial and legal best practices that business executives are tuned in to and monitor weekly, if not daily, business leaders need to have a heightened awareness of how their IT departments are handling both their own and their customers’ sensitive data. Sensitive data such as credit card information, social security numbers, protected health information (PHI), and other personally identifiable information (PII) such as names, addresses, email addresses, and passwords needs to be protected as mandated by industry regulations and many state laws. Unencrypted data or encrypted data with poorly protected encryption keys is a ticking time bomb that could lead to a major data breach.

I recently sat down with Patrick Townsend, Founder and CEO, to discuss the critical security risks executives face, how to start a conversation on data security with your IT team, and the encryption and key management best practices that will save your company from a data breach.

Patrick Townsend explains the importance of protecting encryption keys:

“Executives need to know that A.) they might not be encrypting the data that they need to, and B.) if they are encrypting that data, they might not be protecting their encryption keys, which are the core secret that have to be protected the right way. When you leave the house in the morning and you lock your door, you don’t tape the key right next to the lock. Your house key would be easy to find when you come home, but we all know that’s a bad practice. In a similar way, a lot of organizations are not implementing best practices around protecting encryption keys and are putting their business at risk.”

The major risks associated with unencrypted or poorly encrypted data are these:

• A data breach is no longer a matter of “if,” but, “when”
• The average cost of a data breach is $5.4 million, according to the Ponemon Institute
• This cost typically is a culmination of fines, lost customers, brand damage, credit monitoring, and litigation

How does an organization properly encrypt their sensitive data?  They need to follow best practices such as deploying AES encryption and NIST FIPS 140-2 compliant key management, as well as important practices such as separation of duties, split knowledge, and dual control.

Encryption key management best practices will:

• Provide you with strong encryption
• Provide you with powerful, defensible encryption key management
• Protect your business in the event of a data breach
• Put you in compliance with industry and state regulations
• Give you peace of mind

To learn more about the business risks of data security, download our free eBook "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication Between CEOs and CIOs" and learn about the business risks associated with unprotected sensitive data, tools and resources to begin the discussion about data security in your company, and actionable steps you can take today.

Four steps to better encryption key management in the retail environment

When the PCI Security Standards Council released the Payment Application Data Security Standard (PA-DSS) in 2008, the security of payment applications took a big leap forward. Today, All retail ISVs providing payment applications must certify their products with PA-DSS (which requires encryption and encryption key management for applications that process credit card data). Merchants expect this level of certification in payment applications they use, and their customers expect personal information to be secured.

Yet time and time again we see news reports about retailers experiencing data breaches through their payment application software. These breaches tell us that PA-DSS certifications alone don’t always equal good security.  

Here are four steps you can take on the road to better security:

1 ) Be Aware of Security Issues

In the rush to meet PA-DSS requirements for credit card encryption, many payment applications incorporated just enough technology to pass the certification requirements around encryption of sensitive data, but not enough to stay current with encryption key management best practices.

Do your payment applications incorporate critical components of encryption key management including:

• Tested and certified encryption key generation techniques
• Physical and logical protection of data encryption keys (DEK)
• Protection of data encryption keys by key encryption keys (KEK)
• Proper management of the life-cycle of encryption keys
• Certification of key management solutions to international 
standards such as NIST, FIPS 140-2, and KMIP

2) Use Security Best Practices

In order to protect customers from data breaches and prepare for evolving compliance requirements, retail ISVs should strive to meet these encryption and key management best practices:

• Use Strong Encryption
  The Advanced Encryption Standard (AES) is the standard when it comes to data encryption. AES has been adopted as a standard by the US government and is the recommended encryption method for PCI, HIPAA/HITECH, GLBA and individual state privacy regulations.

• Use Key Management Best Practices
  Your encryption is only as good as how well you protect the encryption keys. Encryption keys should be secured away from the encrypted data using an external piece of hardware such as a hardware security module (HSM).

• Use Certified Solutions
  Always use NIST validated AES encryption and FIPS 140-2 certified encryption key management. These certifications ensure that their key management has been tested by a third-party against government standards and will stand up to scrutiny in the event of a breach.

3) Pick Your Partners Wisely

Townsend Security has redefined what it means to partner with a security company:

• With our NIST validated and FIPS 140-2 certified encryption and encryption key management solutions, retail ISVs can offer their customers easy, affordable, and powerful data security.
• Our dedicated team provides our partners with extensive training, back end support, marketing materials, and a cost effective licensing model. You focus on what you do best, and we’ll help you turn encryption and encryption key management into a revenue generating option to help build your business and protect your valued customers.
• We have more than 20 years of experience supplying encryption and key management solutions to over 3,000 companies worldwide.
• We help our customers achieve data privacy compliance at an affordable price and with a personalized touch.

4) Download the eBook “Overcoming Critical Security Issues”

This eBook resource is designed to give you the tools and information needed to have a high-level discussion about data security in your company. Click the button below to request your complimentary download!

What exactly is data security and encryption & key management, and why care about it? 

Interesting conversation this morning as I walked from the parking lot to my office building.  Another person from one of the eight companies that occupy this building and I walked in together and chatted... first it was just “looks like the weather is getting better”... then it moved to “what floor are you on?  what company?” and when I told her ‘Townsend Security’, she said “oh, I’ve always wondered what you folks do”...

As the newest staff member, I wasn’t sure I had perfected my 30 second elevator pitch, but I told her that we were a data encryption company and design the software (and provide hardware) that almost everyone needs to protect themselves from a data breach. At first her response was “oh, we don’t need that, we have a guy that takes care of our computers”. Then we talked about how high the statistics are for people who would experience a data breach ("In 2010, if you received a data breach notification, your odds of being a fraud victim were one in nine. Last year, that jumped to one in four."), and after asking if they had a database and if they kept any records that held personally identifiable information (PII) or credit cards, it quickly became “I think we need that!”.

It reminded me that when I started working here, I wasn’t fully aware of many of the reasons or regulations that make data encryption so important.  I’m not sure I will ever have a complete technical understanding of all the nuances, but I’m working on it... Luckily I work with incredibly brilliant people who daily do all of the hard programming work and are very passionate about encryption.

I am lucky enough to be working with a company that I believe in, doing work that I know is important and can really make a difference in peoples lives. One of the main reasons I love this job... all the wonderful people that I work with, people so passionate about data security and the positive impact we can have on other people’s lives!

The founder, Patrick Townsend, impressed me so much at our last staff meeting when he reminded everyone to really think about why we are here, why we do what we do.  “It isn’t about selling a product.  It isn’t about the bottom line.  It is about protecting people from the devastation that a data breach can have on their individual lives.  It is about making sure we help companies protect their customers and clients.  It is about stopping the bad guys from wrecking havoc by making it impossible for them to get what they are after.  That is why we are here, remember that”.

Think about what your company does with the data you collect.  Is it encrypted and secure when it is “data at rest” (just sitting on your server)? How about when it is “data in motion” (being transferred to someone else)?  Look into what is happening with your information, and if you depend on someone else to take care of it, make sure they are doing it right.

Data gets out. Period. Either by accident or by design (someone hacking into your information). Make sure that when it does get out (and unfortunately it is “when”, not “if”) that it can’t be read.  You can make that data useless by encrypting it.   Remember to keep the encryption key stored in a different location than the data (encryption key management 101) because you wouldn’t lock up your house and then tape the key to the front door or leave it under the welcome mat!...  Would you?

If you aren’t sure what encryption or key management is all about.  We have a wonderful resource section on our website, and I’ve gathered a collection of some great Key Management resources right here.

Check out the information we have on data security and encryption key management and then contact us with questions, we are here to help!

Are you providing your customers with the very best in point of sale (POS) data security?

On an almost daily basis, the news media reminds us of the risks associated with unprotected data as they report on each massive data breach that cost companies billions of dollars in lost value and remediation costs.  Data breaches are not a matter of “if”, but more a matter of “when” as hackers get more and more creative.  Many CEO’s think that meeting the basic requirements of the Payment Card Industry (PCI) for data protection will keep their point-of-sale (POS) systems from being compromised. Truth is, hacking into retailer POS payment applications is a recurring problem worldwide, even for retailers who meet compliance standards.

1.     Know Your Data Breach Risks – Ask the Right Questions!

As CEO, security and risk management is your bottom line. You need to know if and how your product development team is following best practices to protect your company and your customers from a data breach.  Most payment application vendors offer encryption and key management, however not all of them are following best practices by using an encryption key management hardware security module (HSM). An HSM keeps the encryption key physically separate from the encrypted data, making sure that the data a hacker retrieves from a compromised system is functionally unusable.

With tighter security standards for data encryption, encryption key management, and constantly evolving regulations, you have an opportunity to go beyond basic compliance and gain consumers’ trust amid growing concern about the amount of electronic data companies collect, analyze, and share. 

So, what can you do as a CEO to ensure your products are fully protecting your customers’ data? One important thing to do is start asking more specific questions of your product managers. Asking the right question can quickly expose data protection risks that you didn’t know you have.

Here are some sample questions:

• Where in our systems does sensitive data reside, even briefly, in unencrypted form? Could I get a list?
• What type of encryption do we use in our payment application for data at rest?
• How are we protecting encryption keys?
• Are any of the encryption keys stored on the same server with the protected data?
• Are we protecting our encryption keys with an HSM?
• Are we using industry standard encryption and key management?
• Are our encryption and key management solutions NIST certified?
  

There are really straight-forward answers to these questions. The lack of clear and unambiguous answers should raise an immediate red flag in your mind, and provide the beginning of a deeper discussion about data protection with your product development team.

2.     Know What Your Customers Fear– Think Like a Hacker!

Awareness is the first step toward point-of-sale security. Retail payment systems are frequently hacked by criminals who are employed seasonally or temporarily, and given access to a system with insufficient security measures in place.

Help gain your customers trust by training them on the importance of good password management and system log monitoring as a part of their overall POS security efforts.

• A surprising number of retailers never change the factory passwords on their POS systems and this is a huge security risk. Not only should factory passwords be changed, subsequent passwords should be changed regularly. Often, cracking a payment application system relies on the merchant being lazy about password implementation and changes.  Make sure your customers know best practices and you’ll be their hero!
• Hackers’ techniques have gotten more sophisticated and they can hide evidence of attacks; going undetected for months or even years. Yet, a study of confirmed breach cases in 2009 found that nearly 90 percent of victims had evidence of the breach in their system log files.  Do you train your customers in the importance of monitoring their system logs in real time?

3.     Proactive Security Planning - Use Best Practices To Start With!

Keeping on top of point-of-sale security is essential for every business.  Good encryption and key management is the cornerstone of good security. It can’t be an afterthought at the executive level; data security has to be a critical element in every risk management plan and conveyed well to your customers.

An effective data breach plan can mean the difference between a quick recovery and a serious blow to a company’s reputation. The steady pace of data breaches reinforces the need for encryption as a first line of defense. Firewalls and VPNs can provide some protection against data breaches and theft, but there is no substitute for strong encryption and effective encryption key management, especially in customer data and cloud environments. There’s no longer an excuse not to properly protect your POS payment application system and educate your POS system customers in security best practices.

In this complimentary eBook, "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication CEOs and CIOs", authors Kevin Beaver, CISSP, Patrick Townsend, and Todd Ostrander will teach you about:

• Business risks associated with unprotected sensitive data
• Tools and resources to begin the discussion about data security in your company
• 5 Common misconceptions
• Actionable steps YOU can take
   

With the emergence of data security standards, encryption and key management have become a necessity for most companies storing or transferring sensitive data such as credit card numbers, patient data, social security numbers, and other personally identifiable information (PII). 

Transparent Data Encryption (TDE) on Microsoft SQL Server 2008, 2008 R2, and 2012, allows automatic encryption on these editions of SQL Server without application changes. With newly available SQL Server encryption capabilities, encryption key management--a critical step to securing your data--is done easily on SQL Server with extensible key management (EKM). EKM allows customers to choose a third-party encryption key management hardware security module (HSM) and integrate that HSM easily into their SQL database.

Without an encryption key management HSM, SQL Server users are essentially leaving the keys to their data underneath their welcome mat!

Three things to remember for following security best practices:

# 3 – SQL Server Encryption isn’t as imposing as it sounds…

• Compliance regulations drive the need for encryption and require that you protect the encryption keys apart from the encrypted data storage.  
• An encryption algorithm is simply a mathematical formula that protects data. The critical element is the way the “Key” to that formula (the encryption key) is managed. 
• HSMs like Alliance Key Manager create, manage, and protect encryption keys through the entire lifecycle and deliver them securely when they are needed.
• Alliance Key Manager is a quick, efficient, and compliant solution that is easy to implement with our “Key Connection for SQL Server” EKM provider software. Based on FIPS (Federal Information Processing Standard) 140-2 certified technology, it is easy to implement, deploy, and configure with “out of the box” integration with SQL Server.
• Townsend Security is Microsoft Silver partner and Alliance Key Manager works with all versions of Microsoft SQL Server including SQL Server 2005. Additionally, Alliance Key Manager allows you to protect sensitive data stored in Microsoft SharePoint and Microsoft Azure.

#2 - You are required to protect data by government and industry created regulations…

• PCI-DSS (Payment Card Industry – Data Security Standard) for merchants
• HIPAA/HITECH  (Health Insurance Portability and Accountability Act)/(Health Information Technology for Economic and Clinical Health) for medical providers
• GLBA/FFIEC (Gramm-Leach-Bliley Act)/(Federal Financial Institutions Examination Council) for the financial industry
• FISMA (Federal Information Security Management Act) for US Government agencies

#1 - Customers expect their data to be protected!

• PCI-DSS is required for anyone who takes credit cards.
• While expectations for data protection in the medical and financial industries are wide-spread, and easily understood, compliance regulations affect business and organizations of all sizes. 
• Beyond the expectations for privacy, and the laws that require it, the consequences of a data breach or data loss can be substantial. 
• Small to mid-sized companies can be an easy target for data thieves, resulting in costly losses to their business and reputation.

We have resources to share with you about SQL Server Encryption and how to best secure your data.  Please click the button below to access these informative downloads! 
 

As always, we welcome your comments and questions!

If you're starting an encryption key management project, you should always know the warning signs of obstacles that might make your project way more difficult and costly than it needs to be. We often see companies who have recently failed a data security audit, or realize that they are about to, because they didn't watch out for these pitfalls before they began an encryption key management project.

1. Complicated Project Requiring Outside Consultants and Time
If you find yourself bogged down by hiring outside consultants (beyond your encryption key management vendor) to help you set up and run your encryption key management system, you're probably headed for trouble. Encryption key management should be simple, straightforward, and easy to deploy.

2. No Certifications
NIST certifications are a must when it comes to implementing good encryption key management. In order to meet compliance for PCI-DSS, GLBA/FFIEC, FISMA, and other compliance regulations, always use NIST-certified AES encryption and FIPS 140-2 compliant encryption key management. Your QSA or other data security auditor will look for these certifications.

3. No Client-Side Support
Your encryption key management vendor should supply you with the appropriate client-side applications to make your encryption key management run as smoothly as possible. If you find yourself scrambling to find sample code, binary libraries, key retrieval and other tools, your encryption key management project time will almost certainly increase and not come to a complete halt.

4. No Dual Control and Separation of Duties
When it comes to doing your encryption key management right, one of the critical pieces to meeting compliance requirements such as PCI-DSS is using the principles of dual control and separation of duties. These are hard and fast guidelines when it comes to the handling of encryption keys, and are considered a "best practice" for encryption key management. If your encryption key management hardware system doesn't implement these policies, it will be difficult to pass your data security audit down the road. Some compliance regulations such as HIPAA/HITECH Act don't yet require these policies; however, you should expect these best practices policies to be implemented into regulations down the road.

5. Complex and Hard to Predict Licensing
When you don't know how much your encryption key managemer is going to cost, your project will stop in its tracks. When you don't know how many licenses your company will need over time and how your encryption key management vendor will charge you for them, estimating the cost becomes very complicated. Often a vendor might limit how many devices can connect to your key server or the number of keys the key server can create, resulting in unpredictable costs. As we all know, a project with an unpredictable cost never gets off the ground! The cost of licensing should not be a barrier to protecting your sensitive data.

To learn more about how encryption key management and how easy it can be, check out our webinar, “Key Management Simplified.”

XN3H7FQ298CU 

Data breaches of sensitive, unencrypted information occur almost every week and many of these events become highly publicized. Organizations are thrust into the public's eye and scrutinized for gross lack of oversight and accountability around data security. Despite the fact that these breaches happen at the IT level, the burden and the blame for a data breach almost always falls on C-level leaders such as the CEO or CIO. Consumers ask, “why didn’t you protect my personal information?” and the leaders respond, “We didn’t think it would happen to us.”

Today business leaders need to know that data breaches are no longer a matter of “if” but “when.” Even behind firewalls and secure networks, unencrypted sensitive data is a goldmine for hackers. Not protecting this information with encryption is like driving a brand new Ferrari without car insurance. You can drive as safely as you want, but you can’t control the behavior of other drivers. Just like driving without insurance, not encrypting your organization’s  sensitive data in a time when hackers are always trying to break into networks is taking a huge risk with both your organization’s financial resources and reputation.

I recently sat down with data security expert Patrick Townsend, CEO & Founder of Townsend Security, to discuss why unprotected data is a business problem, not just an "IT problem."

Watch the video of that discussion here.

Why is unprotected data a business problem?

In most organizations, a large part of the CEO's role is to assess risk. Every day the leaders in any given organization address financial, market, competitive, and many other types of risk. These leaders are used to assessing risk in their organizations, but they are not yet thinking about unprotected data and the possibility of a data breach as a fundamental risk. Unprotected sensitive data leads to identity theft, fraud, and theft of financial resources from employees and customers.

Data breaches happen to both large, small, public, and private companies. In fact, today hackers are targeting small to mid-sized businesses simply because those networks tend to be less secure. However, every day I come across large business that have failed to protect their customers' data either by not encrypting the data, or failing to protect the encryption keys.

Anyone who's been through a data breach understands in their bones the importance of encryption and encryption key management. The costs associated with a data breach are far reaching.

These costs include:

• Fines
• Forensics investigation
• Credit monitoring for customers
• Lost sales due to brand damage
• Litigation costs

These are costs all organizations want to avoid. They represent huge risk in terms of actual financial costs and damage to reputation. Not considering these costs and not protecting your company and customers' sensitive data is a failure to assess risk.

Want to learn more about the risks associated with unencrypted data? Check this video, “Why is Unprotected Data a Business Problem?” featuring Patrick Townsend, Founder & CEO of Townsend Security.

With data breaches in the news every week, and each bigger than the previous, security is a top concern for system administrators, as well as business leaders.  As we have seen, a data breach can cripple an organization.  While the IT team performs forensics and updates their systems, the management team has to explain to investors why they weren’t adequately prepared and break the news that “Those big plans we had to grow the business in the next two years? Yeah, those are on hold while we remediate this breach.” 

While the IBM i (AS/400) is considered by many to be a secure platform, it is not immune to data breaches.  As a data security company, we see plenty of organizations think they are doing the right things to keep their data safe, but are falling down on a few key areas.  Below are the top three tips to keep your IBM i (AS/400) secure and your data safe:

1) Encryption and Key Management

Did you know that many compliance regulations consider an email address personally identifiable information (PII) and require it to be encrypted?  Security experts recommend using NIST-certified AES encryption coupled with an external encryption key management hardware security module (HSM).  With the introduction of FIELDPROC in V7R1, IT teams can now encrypt their sensitive data without application changes – saving development resources and time coming up with excuses to company leaders on why the company is still at risk.

For organizations who have been encrypting their sensitive data, security audits often find they haven’t been properly managing their encryption keys.  Encryption keys should never reside on an IBM i with encrypted data. We help more enterprises than you would like to know after they fail a security audit for improper encryption key management.   

2) Password Management

Password management continues to be a challenge for all organizations.  Poor management leads to insecure passwords and inconsistent policies – which in turn leads to more data breaches.  Fortunately for IBM i administrators, IBM realized this and made a Single Sign On (SSO) option as part of the OS – all administrators have to do is enable it.  Patrick Botz, former lead security architect and founder of the IBM Lab Services security consulting practice, regularly helps organizations enable SSO and eliminate 80% or more of an organization’s password management problems just using tools that IBM provides as part of the OS.  Additionally, there is a clear return on investment when an organization enables SSO, which makes you a hero when you tell management “I have a way to make our jobs easier and save money at the same time.”

3) Secure System Logging and File Integrity Monitoring

A recent study shows that 69% of data breaches could have been detected before any data was lost if proper system logging was in place. Maybe that is why most compliance regulations (PCI DSS, HIPAA/HITECH, etc.) require it.  So why isn’t system logging a common practice on the IBM i?  Simply put, the IBM i doesn’t log information like other systems.  There are some big challenges getting security information into a usable format and transmitted to a SIEM for monitoring.  Challenges an administrator faces with propriety IBM i logs:

• Data format – IBM security events are in internal IBM format, not syslog format.
• Multiple sources – Security events get collected in a variety of locations, almost always in an internal and proprietary IBM format.
• Timeliness – Tools are lacking to collect security events in real-time, increasing the security exposure.
• Communications – There are no native syslog UDP, TCP or SSL TCP communications facilities.
• Data completeness – While it is possible to print security information using IBM tools, critical information is missing from reports.

Fear not, there is a solution – Alliance LogAgent Suite with File Integrity Monitoring (FIM).  Alliance LogAgent Suite can send system logs to any collection server that is listening for messages.  Additionally, the FIM tools allow system administrators visibility right down to the field and column level, record-by-record, in their databases.

While this is by no means a comprehensive list of everything security-related an administrator should do to their IBM i, these three areas are where we recommend you start. If you are currently encrypting data, we challenge you find out where your encryption keys are being stored (it might scare you).  If you aren’t securing your systems with SSO, what are you waiting for?  Are you under a compliance regulation that requires system logging?  A complete system logging solution like our Alliance LogAgent Suite can be installed and running in an hour. To hear security experts Patrick Townsend and Patrick Botz elaborate on these three IBM i security tips, view our webinar “Top 3 IBM i Security Tips.”