The handling of sensitive data requires compliance to standards and laws that include high demands on data security. But the handling of sensitive data can be restricted with tokenization. Companies that process sensitive data do not always need the specific data content in every processing step. Sometimes only the unique identification of data is required. Tokenization replaces sensitive data by unique strings that cannot be converted back to the original by an algorithm. Systems that use these strings do not handle sensitive data anymore.
Tokens can be generated with different techniques such as encryption, hashing and numbers. Tokens that were generated with encryption can be converted to their original state. Thus, encryption techniques are less suitable to generate tokens. By using hashing, a digital fingerprint is created, which is generally unique. But depending on the hashing algorithm used, the risk of collisions can be present and the uniqueness of the token is no longer ensured. Other techniques for the generation of tokens are the use of a serial number or a random number. In principle, any string of numbers may be used as a token as long as it allows a unique identification, almost no collisions and it cannot be converted by an algorithm to its original state.
An exemplary use case for a tokenization system is the integration of an e-commerce merchant who accepts credit card payments through a web store. It is most advantageous for the merchant to keep payment data outside of his/her network so that he/she is not bound to the regulations of the payment card industry. In a token-based method, the merchant must ensure that the web session is redirected to the systems of an external payment processor, e.g., by using a plug-in, before the payment information is entered by the customer. When customers enters their, cardholder data, the data are sent directly to the processor who operates a tokenization system. The processor assigns the cardholder data in the tokenization system to a multiusable token and sends the token to the merchant.
By using tokenization, the scope of systems that handle sensitive data and, therefore, must meet compliance and audit requirements can be reduced. It facilitates a more restrictive handling of sensitive data without adjusting business processes. Hencem tokenization offers not only a security improvement, but also potential savings.
We are all familiar with the concept of classifying data as public or private or strategic. (In certain industries we further break out information as nonpublic personal, or NPI.) For most of the business world, these classifications reside in policy and are subject to broad control strokes.
Amid the complexity of regulations governing financial institutions, health care providers, and defense-department organizations, there are specific instructions to ensure confidentiality and security over NPI, and to disclose when such information is breached or lost.
In 2012, PWC released a survey stating that only 34% of regulated institutions knew what types of data they were holding and where all of their data resided on their networks. In other words, two thirds of regulated industries were unable to comply with standards and legislation that has been in place for a decade. This is disastrous. The 2012 Verizon Data Breach Investigations Report revealed that it takes almost seven months for organizations to realize data has been lost or a breach has occurred. The Chronology of Data Breaches maintained by the Privacy Rights Clearinghouse documents 3,964 reported breaches across industries since 2005, for a total of more than 616 million records.
In plain English, while we have long been required to ensure the confidentiality of NPI, two thirds of us are unaware of our own data. We are not aware of its loss in a timely manner. And most often we need an outside party to communicate to us that we have lost information in the past.
Why are we here?
With the evergreen oversight of information security, risk management, audit and examination cycles, it would seem illogical to remain in such an uncomfortable place. Our professional responsibility is to protect the private information of our customers (internal and external). Yet we are woefully behind. To be blunt, we are unsuccessful.
I believe that the roots of this trouble are the very advances that technology has provided, the mainstreaming of “access anywhere across devices.” There are simply too many repositories to store and sync information. With enterprises demanding quick scalability and end users demanding ease of access and storage, untrusted devices and repositories are everywhere.
Adding to this problem is the focus of our control efforts. We tend not to look at information, rather we look around it. We focus on data-in-motion. Our attention is focused on policy, risk assessments, audit-examination clearance and control structures around the data. Meanwhile, we are woefully unable to protect the data itself.
What must we do?
Information security professionals, especially those that hold designations such as the CISA, CISSP and CITP, should take a step back from the traditional audit and risk-assessment frameworks that focus on the existence of controls around data-in-motion. COBIT 5 can be used to conduct risk assessments in alignment with stakeholder requirements and enterprise goals. In particular, COBIT 5: Enabling Information addresses aspects including quality goals for information in all its states, including data at rest.
We should retarget efforts to include specific activities that identify the information assets at rest. Only when we start with the assets can we satisfy the objective to ensure their security. Only when we start with the assets can we effectively and efficiently establish a proper control environment.
Paul Hugenberg III, CISA, CRISC, CPA, CITP, CISSP
CVP–Chief Information Security Officer
First Place Bank, a subsidiary of Talmer Bancorp
Everything in this world, it seems, is becoming connected, from household appliances that “speak” to one another to drones that deliver groceries. These are part of the emerging world of disruptive technologies. Since businesses’ survival is more dependent on technology than ever before, today’s CIOs must act as technology leaders in addition to critical business partners who understand the nature and direction of their businesses.
A problem that continues to nag many CIOs, however, is that they are seen as technologists. This is exacerbated with the decrease of useful lifecycles of technology and increased awareness and empowerment of businesses to directly procure IT-enabled business solutions. This leads to investments in capital equipment that holds little value to organizations, causing some to question the CIO’s business acumen.
In response, many CIOs are transitioning to a new, agile environment where speed is critical. To deliver, they need to integrate at the rate and pace of business (based on the risk appetite, of course). This is not always easy, as too many IT organizations still do not classify their information properly, often implementing a single security approach rather than an information approach, which spurs business frustration as there are too many controls guarding the critical information.
The CIOs that make this transition will be best equipped to deal with upcoming trends such as the Internet of Things and Big Data. Information related to these developments, when correctly leveraged, will provide a critical competitive advantage, but many CIOs are still coming to grips with the resources required to drive value.
As such, the role of data scientists is emerging. This role will require sound business knowledge paired with the skills to read these new types of information and make speedy decisions about them.
Robert E. Stroud, CGEIT, CRISC
Vice president of strategy and innovation at CA Technologies
Chair of ISACA’s ISO Liaison Subcommittee
The demand for skilled security professionals will only grow
The data breaches that took place in 2013 were game-changing in their size and scope. Adobe reported the compromise of over 38 million users, Chinese hackers cracked into the systems of media giants, while usernames of 22 million users of Yahoo Japan were stolen. Then there were revelations of surreptitious intelligence-gathering by national security agencies such as the NSA and GCHQ.
These events are evidence that security departments still have not mastered the basic “blocking and tackling” of data protection. Critically, they also expose the weaknesses of security that relies primarily on technology as the most important line of defence. For instance, the Adobe breach exposed the weaknesses of password authentication and the failures of current, outdated forms of authentication.
In 2014, the industry will begin to beef up security teams with more skilled personnel in conjunction with adoption of better technology. The C-suite will begin to invite the security department to the table to constructively discuss major business and organisational initiatives. Security will start to be truly seen as a fundamental building block of IT-driven programmes, and cyber security risks will begin to be factored into the business equation.
Driven by this C-suite approach, we will see a new wave of collaboration between IT and security. IT managers will integrate security into business-critical initiatives such as mobility, application development, and business intelligence. All this will culminate in more secure systems, and awareness of security in IT operations, software development, and endpoint management.
The overwhelming and sophisticated nature of social engineering and denial of service attacks exposes the shortage of manpower and skills in the security department, such as computer forensics and application security. Attacks on vertical markets have also uncovered the need for industry-specific skills, such as the support of healthcare and government systems. Given the well-publicised data losses in healthcare, we will find more recognition for the need for core level knowledge and expertise to address security and privacy concerns relating to health information, with estimates of up to 500,000 people in the sector responsible for data governance or security.
The new emphasis on security in the C-suite and in the IT department will drive growth in security’s ‘human capital.’ Spending on security staffing and training will increase. Salaries for skilled security professionals will grow. And there will be a stronger understanding of the value of security to the business, making this function an even more important part of future plans and budgets.
Fundamentally, the capabilities of technology are extremely limited unless they are supported by security professionals who are strong in numbers and honed in skills. I believe that the tide in the cyber security war will begin to turn in 2014; the side with the strongest skills will have the advantage.
After many major breaches this year, it’s time to rethink 2014’s cyber defense with an eye on people, not products
By W. Hord Tipton, CISSP, Executive Director (ISC)2
As security professionals, we look back at 2013 with a sense of frustration that we are still losing ground to the bad guys. But while there were plenty of battles lost this year on the technical side, there is good reason to hope that the war can still be won in the long term – with promising developments on the human side.
There were many frustrations for the defense in 2013. Adobe reported the compromise of more than 38 million users’ personal data, and there were serious questions raised about the security of its source code. Chinese hackers cracked the systems at the New York Times and other major media, and an investigation later showed a calculated effort to crack U.S. government and commercial systems as well. And the face of privacy and cyber espionage changed with revelations of secret U.S. government documents that disclosed the details of NSA activities and intelligence-gathering practices.
These unprecedented data breaches were game-changing in their size and scope, but at a more fundamental level, they were reminders that today’s security departments still have not mastered the basic “blocking and tackling” of data protection. The Adobe breach exposed the weaknesses of the password system and the failures of current, outdated forms of authentication. China’s attacks on the media pointed out enterprises’ vulnerability to social engineering and the inability of current systems to detect sophisticated malware.
These fundamental failures exposed the weaknesses of defenses that rely primarily on technology as the most important line of defense. They were setbacks of epic proportions – but sometimes it takes such setbacks to force an industry to think differently. And there is good reason to believe that such a shift is beginning now, and that the wave of new thinking will continue to rise rapidly in the New Year.
At its heart, this sea change puts a bright spotlight on an issue that has long been overlooked: the need for skilled security professionals. For years, the industry has been skimming by with a small, undertrained security workforce, and the weaknesses have begun to show. The overwhelming nature of hacktivists’ social engineering and denial of service attacks exposes the shortage of manpower in the security department. The sophisticated nature of today’s targeted attacks exposes the need for more specialized skills, such as computer forensics and application security. Attacks on vertical markets have exposed the need for industry-specific skills, such as the support of healthcare and government systems.
In 2014, I predict that the industry will begin to meet its frustrating chain of breaches and failures not only with better technology, but with more skilled, and improved, security teams. Finally tired of compromises that put their organizations in the headlines, members of the C-suite will begin to invite the security department to the table during the discussion of major business and organizational initiatives. Security will begin to be seen as a fundamental building block of IT-driven programs, and cybersecurity risks will begin to be factored into the business equation as a business imperative.
Driven by awareness at the topmost levels of the executive suite, IT managers will also rely more heavily on their security teams, integrating security into business-critical initiatives such as mobility, application development, and business intelligence. Once seen as separate camps, IT and security will begin a new wave of collaboration, and the result will be secure systems, improvements and awareness of security in IT operations, software development, and endpoint management.
This new emphasis on security in the C-suite and in the IT department will drive growth in security’s “human capital.” Spending on security staffing and training will increase. Salaries for skilled security professionals will grow. And there will be a stronger understanding of the value of security to the business, making security an even more important part of tomorrow’s plans and budgets. The impacts of security breaches are now recognized as negatively impacting the global economy and the effects may take several years to recover.
And of course, our team at (ISC)2 will be there to support this growing emphasis on security skills and staffing. Already we are developing new methods for testing and certifying security professionals to make them more applicable to today’s changing threat environment. For example, you will see that our tests are evolving to now emphasize scenario-based and advanced format questions and detailed practical knowledge over traditional multiple-choice testing methods.
Technology lost many battles for the defenders in 2013, but those losses taught us a valuable lesson – that the capabilities of technology are extremely limited unless they are supported by an army of security professionals that is strong in numbers and honed in its skills. Armed with this lesson, I believe that the tide in the cybersecurity war could turn in 2014 – and the defenders with the strongest human skills will have the advantage.