Townsend Security Data Privacy Blog

Secure SharePoint with Remote Blob Storage (RBS) Encryption

Posted by Liz Townsend on Apr 10, 2013 2:42:00 PM

Since its release in 2001, Microsoft SharePoint has quickly become one of the most widely used applications for document storage and collaboration.

SharePoint originally stored documents, and other critical information about those documents, in rows and columns. However, as the use of SharePoint grew quickly, administrators began to notice that the huge number and size of the documents being stored impacted the performance of SharePoint, slowing down the application until it was fairly unusable. To rectify this issue, Remote Blob Storage (RBS) was introduced to store the documents themselves outside of the SharePoint database so that the size of the documents wouldn't impact SharePoint performance. Now, when a SharePoint administrator starts to see performance impact from documents stored in SharePoint, they can store the files themselves separately, and SharePoint talks to the remote server in order to retrieve the files.

Now that SharePoint is so widely used, protecting data stored in SharePoint has become a big issue. Many companies use SharePoint to track customers, retail orders, personal health information, and other personally identifiable information (PII) that most industry regulations (PCI-DSS, HIPAA/HITECH, GLBA/FFIEC, etc.) and many state laws require to be protected. Typically these regulations mandate the protection of this data using encryption and encryption key management.

The good news is that encrypting data in SharePoint is pretty easy, and it's often only a two-step process. SharePoint administrators must:

  1. Encrypt the SQL Server database SharePoint runs on
  2. Encrypt the Remote Blob Storage (RBS) used to store documents.

Encrypting SharePoint on SQL Server is easy with transparent data encryption (TDE) for SQL Server 2008/2008 R2/2012. Extensible key management (EKM) also allows admins to manage encryption keys and meet compliance regulations using an external third-party encryption key management hardware security module (HSM).
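The T-SQL below is an added example, not from the original post or from any vendor's documentation: it enables TDE on a SharePoint content database with the database encryption key protected by a key held in an external EKM provider, then verifies the result. The provider name, DLL path, credential identities, login names and the `WSS_Content` database name are placeholder assumptions.

```sql
-- Added example. Every name, path and secret below is a placeholder.
-- Covers step 1 only (the SQL Server database); documents held in
-- Remote Blob Storage live outside the database and need step 2.

-- Allow the instance to load EKM providers.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- Register the key manager vendor's EKM provider library.
CREATE CRYPTOGRAPHIC PROVIDER ExampleEkmProvider
    FROM FILE = 'C:\Path\To\VendorEkmProvider.dll';
GO

-- Credential the administrator uses to reach the key manager during setup.
CREATE CREDENTIAL EkmAdminCredential
    WITH IDENTITY = 'ekm_admin_identity', SECRET = '<placeholder secret>'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
ALTER LOGIN [EXAMPLE\sqladmin] ADD CREDENTIAL EkmAdminCredential;
GO

-- Reference a key that already exists on the key manager.
-- The private key material never leaves the external device.
USE master;
CREATE ASYMMETRIC KEY TdeEkmKey
    FROM PROVIDER ExampleEkmProvider
    WITH PROVIDER_KEY_NAME = 'SharePointTdeKey',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- Login and credential the database engine itself uses to open the
-- key whenever it loads the encrypted database.
CREATE CREDENTIAL EkmTdeCredential
    WITH IDENTITY = 'ekm_tde_identity', SECRET = '<placeholder secret>'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
CREATE LOGIN TdeEkmLogin FROM ASYMMETRIC KEY TdeEkmKey;
ALTER LOGIN TdeEkmLogin ADD CREDENTIAL EkmTdeCredential;
GO

-- Create the database encryption key, wrapped by the external key,
-- and turn encryption on for the content database.
USE [WSS_Content];
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeEkmKey;
ALTER DATABASE [WSS_Content] SET ENCRYPTION ON;
GO

-- Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;

-- List user databases that are still unencrypted. A SharePoint farm
-- normally has several (configuration, content, service applications).
SELECT name
FROM sys.databases
WHERE is_encrypted = 0
  AND database_id > 4;
```

If the key manager is unreachable when the instance starts, the encrypted database cannot be opened, so availability of the external key manager becomes part of the SharePoint recovery plan.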

Townsend Security offers a FIPS 140-2 compliant encryption key management system for Microsoft SharePoint to help you protect SharePoint and meet compliance. To learn more about securing data in SharePoint, check out our podcast, “Securing SharePoint with Encryption & Key Management.”

Topics: Data Privacy, SQL Server, SharePoint

Exposed and We Know It - Don’t Wait Around for a Data Breach!

Posted by Kristie Edwards on Apr 8, 2013 10:20:00 AM

Here at Townsend Security we’re always engaging with businesses and organizations who not only need to meet data security compliance regulations such as PCI-DSS, HIPAA-HITECH, and GLBA/FFIEC, but are also deeply concerned about their customers’ data and the protection of their own company’s brand in the event of a data loss. Compliance is often the main driver of encryption and encryption key management, but these days the fear of a data breach weighs heavy on many people’s minds.

I recently spoke with a prospect who downloaded our AES Encryption Standards White Paper, and then decided to contact us. He was eager to find out about pricing and how AES encryption could work with his company. He told me about their need for encryption: he is very concerned about meeting HIPAA/HITECH and SOX Acts (both recommend if not require encryption and key management), and he knows his company’s data is unprotected in many critical areas. As he put it, they’re just waiting for something bad to happen. Although they are already encrypting much of their sensitive data (a great first step), they have outgrown their current encryption solution, need to encrypt more data, and are still out of compliance.

He said to me point blank, “We are sitting here with our pants down, waiting to be exposed!” 

I asked the prospect, “Well let me ask you an easy first question to make sure our NIST Certified AES Encryption fits you and your company’s needs.  What system are you currently running on?”  

His reply: IBM i, Power 7.  

I told him: WE CAN DO THAT!!

Townsend Security has a deep history with IBM i.  We have been working with IBM i systems for over 20 years. With the new FIELDPROC capabilities in IBM i V7R1, our AES encryption solution installs into an IBM i customer’s environment, provides both our optimized and certified AES encryption libraries, and the encryption key management you need to be compliant. IBM has done the hard work of making this capability available, and we do the work of snapping in proper encryption and key management.

Later in our conversation, we discussed risk management, cost and what would happen to the company if they were exposed.  He told his boss that they were subject to fines and damage to their company brand and would spend time remediating the breach instead of growing the business.  Protecting the company’s sensitive data not only protects the business as a whole, it also protects your customers who rely on and trust your company to protect their personal information.

To learn more about Townsend Security’s easy and automatic encryption and key management solutions for IBM i, contact us today at 1-800-357-1019. Or if you’re not into picking up that heavy phone, contact Kristie Edwards (kristie.edwards@townsendsecurity.com) today, and we’ll make sure we do the heavy lifting on our end. You might also enjoy watching a recording of our recent webinar, “Top 3 IBM i Security Tips,” presented by data security experts Patrick Townsend and Patrick Botz.

Topics: Data Privacy, IBM i, Choosing Solution

(The Cost of) the CEO/CISO Disconnect

Posted by Todd Ostrander on Apr 5, 2013 8:50:00 AM

Managing risk is at the forefront of responsibilities that "C" level executives deal with on a daily basis.  Fire fighting--managing business risk--is part of the job description, and planning to prevent the fires is what successful companies do.  In his book Good to Great, management expert Jim Collins uses the analogy of a bus to analyze leadership of Great companies.  When you have the right people in the right seats, Collins says, the company is elevated to a new level.

However, if there is a wall between the driver of the bus (the CEO) and the rest of the passengers, then there ensues a serious lack of communication.  If the passengers know more than the driver about things such as weather conditions and the location of the destination, and there is no way to communicate effectively with the driver, then the navigators can't warn the driver of severe risks that lie ahead.

One of the areas where I continuously see this disconnect is in the area of IT Security. Because technology is an always evolving component of businesses, protecting sensitive data will always be an issue, and hackers will always be trying to find a way “in”.  Chief Information Security Officers (CISOs) are hired to manage this risk.  But when the CEO is ignorant of the risks due to a lack of understanding or an unwillingness to take the time to learn the risks, then the lines of communication between the CEO and CISO are obscured, and important decisions about data security do not get made.

A study recently published by CIO magazine and PricewaterhouseCoopers stated that "only 1/3 of security policies were tightly aligned with business goals.”

Although a combination of factors leads to this disconnect, two primary factors prevail: 1) The CEO, CFO, or COO isn't well informed of the risk of a data breach and what it will cost their organization in real dollars, company value, and publicly perceived value. And 2) The security professional (CISO) understands the vulnerabilities but can’t articulate them in terms of the business cost.  The result is that neither the CEO nor the CISO is able to effectively quantify the risk.  Risk unquantified is a risk ignored.

Fortunately, the press has provided us with significant examples over the past several months to help us educate both the CEO and the CISO of the risks associated with unprotected data.  In 2012 alone, there were multiple data breaches that cost individual companies BILLIONS of dollars in lost value and recovery cost.

These are the costs resulting from a publicly disclosed data breach:

  1. Cost to fix the issues that led to the breach
  2. Cost to protect the individuals' data / company data that was compromised from future breaches
  3. Cost of future audits that will be required to maintain compliance in the future
  4. Cost of the fines that can be levied depending on the type of breach
  5. Cost of customers no longer willing to trust the organization
  6. Cost of the negative press / PR associated with the breach
  7. Cost of combatting the negative PR with a new PR / Social Media campaign to assure customers / vendors that everything is okay

At the end of the day, we want to see CEOs succeed by increasing the value of the company in the eyes of the shareholders while reducing the risk of value erosion.  We also want to see CISOs who are confident in educating their CEOs about these risks.  As long as this issue continues to go unrecognized, the CEO has one more fear to keep him up at night.

Can you afford it?

Download our white paper "AES Encryption Strategies - A White Paper for the IT Executive" to learn more about key issues in data security, how to choose the right data security partner, and how to develop a strategy that ensures early successes.

Topics: Data Privacy, Executive Leadership

Did I Do That? Many Data Breaches are Caused by Employee Mistakes

Posted by Liz Townsend on Mar 29, 2013 8:39:00 AM

I recently read about a data breach that came into public light a few weeks ago in South Carolina at the Savannah River Site (SRS), a nuclear reservation owned by the U.S. Department of Energy. This breach exposed personal information of over 12,000 employees. The state of South Carolina has been in the news over the past few months because of a massive governmental data breach caused by an international hacker that exposed millions of credit card and social security numbers.

At first I thought the SRS breach might be similar or related to the other breach, but I quickly realized there was something different about this one. According to Carla Caldwell of the Atlanta Business Chronicle, officials at the site say that the breach wasn't caused by a cyber attack. However, despite the fact that there was no hacking involved, employees are still being told “to be vigilant in monitoring financial transactions and emails or phone calls relating to such personal transactions.”

What does this mean? It means that:

  1. Despite the absence of a malicious hacker, a data breach still occurred, and
  2. Because the breach had to be reported, it likely exposed employee financial data such as credit card information or social security numbers.

Many people think that all breaches are caused by vigilante hackers, and while cyber attacks are a real threat, the truth is that a HUGE proportion of data breaches are caused by simple employee mistakes and theft of devices such as disk drives, backup tapes and personal devices such as laptops and smartphones.

According to the PricewaterhouseCoopers 2012 Information Security Survey, over 80% of enterprise data breaches are caused by employee errors. Many of these breaches occur on unencrypted mobile devices. In the healthcare industry, the Ponemon Institute found that nearly 40% of data breaches were caused by employee negligence.

Serious breaches occur inside companies simply because mistakes are made, thefts happen, and the right technology is not in place to protect sensitive data.  Some of these events include:

  • Backup tapes and disk drives are stolen out of cars
  • Laptops and other personal devices such as iPads and phones are stolen out of cars
  • Tapes, drives, and personal devices are lost (Think lost luggage, leaving items on a train)
  • Employees email files containing sensitive data to their home devices
  • Unauthorized employees view sensitive data at work because the right protocols are not in place to protect that data.

However, there's a way to protect data even if it gets into the wrong hands: encryption. If the data is encrypted, it will be completely unreadable if it is stolen or mishandled. Protecting your encryption keys is also a critical piece in protecting sensitive data. If your encrypted backup tapes get stolen out of your car, but you've stored your encryption keys on those tapes, the thief will be able to use the keys to access the information.

To learn more about protecting encrypted data with encryption key management, download our resources package, “Encryption Key Management Simplified.”

Topics: Data Privacy, Data Breach

Information Security is Up to You

Posted by Liz Townsend on Mar 27, 2013 3:20:00 PM

Townsend Security recently asked data security expert Kevin Beaver, CISSP, to contribute his extensive knowledge and expertise about the current climate of data security to our most recently published eBook, Turning a Blind Eye to Data Security (Mending the Breakdown of Communication Between CEOs and CIOs).

Read his entire article, "Information Security is Up to You," in your free copy of the eBook now.

In his article, Kevin inspires CEOs to ask some critical questions about data security such as:

  • Who is in charge of data security at your organization?
  • Is there transparency and communication across your organization when it comes to data security?
  • Who will be held responsible in the event of a data breach?
  • Why do we keep talking about the need for better data security but nothing seems to be getting done?

With these questions in mind Kevin Beaver leads us into a discussion on how both IT administrators and business executives avoid critical conversations about data security and why this poses a huge business risk to organizations.

“When it comes to information security, many people within a business – from executives to end users – often assume that security is a technical issue that falls under the umbrella of duties performed by the IT department. These IT administrators manage network firewalls, clean up virus outbreaks, and manage the IT infrastructure. These tasks are often so far removed from the actual goings-on of the business, that few people in the company—including the CEO—truly understand the ever-evolving complexities of IT infrastructure and security.

With little understanding of these systems, networks with sensitive data are left unsecured and at risk to hackers, network failures, and employee mistakes. Today, an average data breach costs a company $5.5 million. At this price, information security is not an IT problem. It’s so much more.

The Ponemon Institute surveyed 1,894 people in 12 countries in its 2012 State of Global IT Security study and found the main reasons why the appropriate steps are not being taken to improve information security are 1) insufficient resources, 2) it’s not a priority issue and 3) lack of clear leadership.

However, in most situations, good information security is achieved with easily accessible and simple solutions.  In fact, in a 2012 study on data breaches, Verizon found that 96% of security attacks were not highly difficult, and were easily preventable. If security attacks are preventable, why are so many breaches occurring every year...”

Download the eBook to read more!

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with over 24 years of experience in IT - the last 18 of which he’s dedicated to information security. Before starting Principle Logic in 2001, he served in various information technology and security roles for several healthcare, e-commerce, financial firms, educational institutions, and consulting organizations. Kevin Beaver has written 32 whitepapers, over 600 articles, and authored/co-authored 10 books on information security. Visit Kevin’s blog to learn more about information security, and his website to learn more about his business, Principle Logic.

http://securityonwheels.blogspot.com
http://www.principlelogic.com

Topics: Data Privacy, Executive Leadership

Unencrypted Data Represents a Huge Business Risk

Posted by Liz Townsend on Mar 20, 2013 4:20:00 PM

Data breaches of sensitive, unencrypted information occur almost every week and many of these events become highly publicized. Organizations are thrust into the public's eye and scrutinized for gross lack of oversight and accountability around data security. Despite the fact that these breaches happen at the IT level, the burden and the blame for a data breach almost always falls on C-level leaders such as the CEO or CIO. Consumers ask, “why didn’t you protect my personal information?” and the leaders respond, “We didn’t think it would happen to us.”

Today business leaders need to know that data breaches are no longer a matter of “if” but “when.” Even behind firewalls and secure networks, unencrypted sensitive data is a goldmine for hackers. Not protecting this information with encryption is like driving a brand new Ferrari without car insurance. You can drive as safely as you want, but you can’t control the behavior of other drivers. Just like driving without insurance, not encrypting your organization’s  sensitive data in a time when hackers are always trying to break into networks is taking a huge risk with both your organization’s financial resources and reputation.

I recently sat down with data security expert Patrick Townsend, CEO & Founder of Townsend Security, to discuss why unprotected data is a business problem, not just an "IT problem."

Watch the video of that discussion here.

Why is unprotected data a business problem?

In most organizations, a large part of the CEO's role is to assess risk. Every day the leaders in any given organization address financial, market, competitive, and many other types of risk. These leaders are used to assessing risk in their organizations, but they are not yet thinking about unprotected data and the possibility of a data breach as a fundamental risk. Unprotected sensitive data leads to identity theft, fraud, and theft of financial resources from employees and customers.

Data breaches happen to large and small, public and private companies alike. In fact, today hackers are targeting small to mid-sized businesses simply because those networks tend to be less secure. However, every day I come across large businesses that have failed to protect their customers' data either by not encrypting the data, or failing to protect the encryption keys.

Anyone who's been through a data breach understands in their bones the importance of encryption and encryption key management. The costs associated with a data breach are far reaching.

These costs include:

  • Fines
  • Forensics investigation
  • Credit monitoring for customers
  • Lost sales due to brand damage
  • Litigation costs

These are costs all organizations want to avoid. They represent huge risk in terms of actual financial costs and damage to reputation. Not considering these costs and not protecting your company and customers' sensitive data is a failure to assess risk.

Want to learn more about the risks associated with unencrypted data? Check this video, “Why is Unprotected Data a Business Problem?” featuring Patrick Townsend, Founder & CEO of Townsend Security.

Topics: Data Privacy, Best Practices, Business Risk

Top 3 IBM i (AS/400) Security Tips

Posted by Luke Probasco on Mar 14, 2013 10:10:00 AM

With data breaches in the news every week, and each bigger than the previous, security is a top concern for system administrators, as well as business leaders.  As we have seen, a data breach can cripple an organization.  While the IT team performs forensics and updates their systems, the management team has to explain to investors why they weren’t adequately prepared and break the news that “Those big plans we had to grow the business in the next two years? Yeah, those are on hold while we remediate this breach.” 

While the IBM i (AS/400) is considered by many to be a secure platform, it is not immune to data breaches.  As a data security company, we see plenty of organizations think they are doing the right things to keep their data safe, but are falling down on a few key areas.  Below are the top three tips to keep your IBM i (AS/400) secure and your data safe:

1) Encryption and Key Management

Did you know that many compliance regulations consider an email address personally identifiable information (PII) and require it to be encrypted?  Security experts recommend using NIST-certified AES encryption coupled with an external encryption key management hardware security module (HSM).  With the introduction of FIELDPROC in V7R1, IT teams can now encrypt their sensitive data without application changes – saving development resources and time coming up with excuses to company leaders on why the company is still at risk.

For organizations who have been encrypting their sensitive data, security audits often find they haven’t been properly managing their encryption keys.  Encryption keys should never reside on an IBM i with encrypted data. We help more enterprises than you would like to know after they fail a security audit for improper encryption key management.   

2) Password Management

Password management continues to be a challenge for all organizations.  Poor management leads to insecure passwords and inconsistent policies – which in turn leads to more data breaches.  Fortunately for IBM i administrators, IBM realized this and made a Single Sign On (SSO) option as part of the OS – all administrators have to do is enable it.  Patrick Botz, former lead security architect and founder of the IBM Lab Services security consulting practice, regularly helps organizations enable SSO and eliminate 80% or more of an organization’s password management problems just using tools that IBM provides as part of the OS.  Additionally, there is a clear return on investment when an organization enables SSO, which makes you a hero when you tell management “I have a way to make our jobs easier and save money at the same time.”

3) Secure System Logging and File Integrity Monitoring

A recent study shows that 69% of data breaches could have been detected before any data was lost if proper system logging was in place. Maybe that is why most compliance regulations (PCI DSS, HIPAA/HITECH, etc.) require it.  So why isn’t system logging a common practice on the IBM i?  Simply put, the IBM i doesn’t log information like other systems.  There are some big challenges getting security information into a usable format and transmitted to a SIEM for monitoring.  Challenges an administrator faces with proprietary IBM i logs:

  • Data format – IBM security events are in internal IBM format, not syslog format.
  • Multiple sources – Security events get collected in a variety of locations, almost always in an internal and proprietary IBM format.
  • Timeliness – Tools are lacking to collect security events in real-time, increasing the security exposure.
  • Communications – There are no native syslog UDP, TCP or SSL TCP communications facilities.
  • Data completeness – While it is possible to print security information using IBM tools, critical information is missing from reports.

Fear not, there is a solution – Alliance LogAgent Suite with File Integrity Monitoring (FIM).  Alliance LogAgent Suite can send system logs to any collection server that is listening for messages.  Additionally, the FIM tools allow system administrators visibility right down to the field and column level, record-by-record, in their databases.

While this is by no means a comprehensive list of everything security-related an administrator should do to their IBM i, these three areas are where we recommend you start. If you are currently encrypting data, we challenge you to find out where your encryption keys are being stored (it might scare you).  If you aren’t securing your systems with SSO, what are you waiting for?  Are you under a compliance regulation that requires system logging?  A complete system logging solution like our Alliance LogAgent Suite can be installed and running in an hour. To hear security experts Patrick Townsend and Patrick Botz elaborate on these three IBM i security tips, view our webinar “Top 3 IBM i Security Tips.”

Topics: Patrick Botz, Data Privacy, IBM i, Best Practices

HIPAA/HITECH Meaningful Use Updates Strongly Urge Encryption

Posted by Liz Townsend on Mar 11, 2013 8:33:00 AM

The updates to the HIPAA/HITECH Act Meaningful Use standards were recently released and indicate a stronger urgency by Health and Human Services (HHS) to encourage healthcare companies to encrypt sensitive patient data in order to protect that data and avoid data breach notification.

I recently sat down with Patrick Townsend, CEO & Founder of Townsend Security, to discuss what these meaningful use updates mean and how healthcare organizations should respond to the recommendations:

If you’re a healthcare organization, and you are wondering if you should be encrypting your electronic data, the straightforward answer is yes. Patient information should be encrypted at rest and in transit, and HHS will really start to bring down the hammer in terms of fines and penalties for those who have a data breach and have not encrypted data. We live in a time when a data breach is no longer a matter of “if” but “when,” and encryption is really an insurance policy to protect your organization when a data breach happens to you.

HHS still does not mandate that health care organizations encrypt sensitive patient data, but the meaningful use updates reiterate that they should encrypt their data.

The original HIPAA law and HITECH Act of 2009 did not mandate encryption of electronic patient information. However, HHS has the ability to set rules in a number of areas, and they have added stricter rules around data privacy by mandating that all data breaches must be reported to HHS. Data breach notification typically results in hefty fines and other financial losses associated with brand damage and credit monitoring for affected patients. HHS has been very clear that the only way to avoid breach notification and the impacts of a data breach, is to encrypt patient data. In these most recent updates, they reaffirmed that the only safe-harbor from breach notification is encryption.

Many organizations believe they can prevent a data breach by using strong passwords and other network security tactics such as access control lists. It's true that those actions fall within the purview of the law, but they will not help you avoid breach notification.

Another piece of the update of meaningful use concerns encryption keys. Encryption keys that are used to protect data should not be stored on the same server with encrypted patient information. HHS is trying to give better and clearer guidance on this to the best of their ability while staying within the law.

To learn more about encrypting protected health information (PHI) and achieving safe-harbor from data breach notification, download our podcast, “HIPAA/HITECH Act Breach Notification Meaningful Use Update.”

Topics: Compliance, HITECH, Data Privacy, HIPAA, Healthcare

How to Prevent a Data Breach in the Cloud

Posted by Liz Townsend on Mar 4, 2013 11:27:00 AM

When it comes to data security, the question every single CEO and CISO should be asking her or himself is, "how do I prevent a data breach from happening to me?"

I recently sat down with data security expert Patrick Townsend, founder and CEO of Townsend Security to discuss the challenges around protecting sensitive data in the cloud and the most common methods of how people are protecting data in the cloud today.

Watch the video of that discussion here.

We live in a world today where data breaches are no longer a matter of "if" but "when." It is almost certain that some unauthorized person will at some point access your company's sensitive data, either by mistake, or with malicious intent to commit fraud. Whether it's by accident or intentional, unauthorized access of unencrypted sensitive data is usually grounds for data breach notification.

With so many companies moving their data storage to the cloud, preventing a data breach or unauthorized access to sensitive data becomes even trickier. Across the board, the number one concern people have with the cloud is data security. Because the cloud is fundamentally a shared environment in a location most users don't typically have physical access to, people are right to wonder, "Am I inadvertently sharing data with other people, and I don't know it?"

The truth is, in the cloud it's really hard to tell who you may inadvertently be sharing data with. That's why in order to prevent a data breach and avoid data breach notification it's critical to encrypt your sensitive data in the cloud, and you must use key management best practices. In fact, the concepts of protecting data in the cloud are fundamentally the same as protecting data outside of the cloud. You must (in review):

1. Encrypt the data
2. Use key management best practices to protect encryption keys

Using key management best practices for data in the cloud is fundamental, especially if you need to pass compliance regulations such as PCI-DSS, FFIEC, or FISMA.

As you'll learn in the video, there are really three ways to protect keys for encrypted data in the cloud:

1. Store the keys "in-house"
2. Store the keys in a hosted environment
3. Store the keys in the cloud

All three methods have their own advantages. But with each method there are also ways to protect encryption keys incorrectly. In the end, it's essential that you use key management best practices, and oftentimes the easiest way to make sure you're doing that is by using a third-party vendor with expert knowledge of key management best practices for the cloud.

Check out "Encryption Key Management for the Cloud" where Patrick Townsend discusses the challenges and solutions for protecting encryption keys.

Topics: Data Privacy, Encryption Key Management, cloud

Which Data Security Conversation are You Having with Your Customers?

Posted by Mark Foege on Feb 25, 2013 9:20:00 AM

I was recently speaking with a technology value added reseller (VAR). When I asked how often he spoke with his customers about data protection, he answered “All the time!” When I pressed for what he actually talked about, he explained, “I talk about the best ways to keep intruders out of their systems.” By this, he was referring to anti-virus software, firewalls and VPNs; not surprisingly, things he had become quite proficient at selling over the last number of years.

“So, what happens when somebody gets in anyway”, I asked. He looked at me with a blank stare. He had only been having part of the full conversation around enterprise data security.

Although keeping individuals, or groups, with malicious intent out of your network is an important part of protecting your data, it is far from being the whole story. Intrusion Prevention is only one of the three legs to the data protection stool. The other two legs are Network Monitoring and Encryption. It takes all three of these to truly protect any company’s data. If any one of them is missing, the stool simply falls over.

Sadly, most companies learn about their own data breaches only after being told by a partner, vendor or customer. A recent study shows that 69% of data breaches could have been detected before any data was lost if proper system logging was in place. Knowing what is going on within your systems is important to tracking, and taking steps to neutralize, malicious activities. A number of solid and affordable solutions are available for security information and event management. These include LogRhythm, Dell SecureWorks, McAfee Enterprise Security Manager and others. You can’t fix what you don’t know about, and if you’re not actively monitoring your systems, you may be blissfully, but dangerously, unaware.

But ultimately, it’s not about “if” someone will get access to your data, but “when” they will. That means it’s vitally important to make sure they only get their hands on useless data when they do. Using NIST-certified AES encryption along with a FIPS 140-2 certified key management system is the best way to avoid costly fines and notification requirements in the case of a data breach. When that data is lost or stolen, correctly implemented encryption assures that it is nothing more than a bunch of random 1’s and 0’s. Townsend Security’s Alliance Key Manager is an affordable and reliable solution for your customer’s needs in this area.

If you sold your customer a firewall and anti-virus software, but they still experienced a data breach, would they thank you for what you did, or be upset you didn’t do more? I’m guessing the latter.

So the next time you talk to your customer about data protection, remember to have the whole conversation. Make sure you include all three legs of the data protection stool: Network Monitoring, Encryption AND Intrusion Prevention.

Topics: Data Privacy, Solution Integrators/Providers