Compliance
Keys to Achieving Regulatory Compliance and Data Privacy

Securing Sensitive Data from within
by Karim Toubba

   Enterprises worldwide spend approximately $20 billion per year on IT security, yet costly security breaches and leaks of sensitive consumer information continue to take place on an alarmingly regular basis. While the specific nature of these breaches varies, the central security flaw exposed is all too common: because the majority of security efforts have focused on network security, on building and strengthening a network perimeter, most organizations have largely ignored the steps necessary to ensure that data is secured inside the corporate network.
   Traditional technologies like firewalls and intrusion detection systems are a critical part of protecting an enterprise’s network perimeter, but they are only part of a complete security picture. According to Gartner, 75% of external attacks tunnel through applications and so go undetected by perimeter security mechanisms.
   The ongoing battle of patching known exploits is being lost. According to a Symantec study, in 2003 fully 70 percent of all security vulnerabilities were easy to exploit, a figure that grew 10% over the previous year. Most estimates now put the share of security breaches perpetrated by internal staff at over 50%.
   Even with a fortified network perimeter, storage systems can be breached through insecure storage management interfaces or physical access to the storage media, and data can be stolen from the databases and applications themselves.
   To effectively combat these threats and ensure data privacy, independent sales organizations (ISOs) and merchant service providers (MSPs) need to secure critical data as it is being stored, transmitted and used within the enterprise. Given the trends above, organizations that fail to address data privacy in a cohesive fashion will be exposed to a growing and very severe risk. Public disclosure of breaches can be catastrophic to an organization’s brand, market capitalization and consumer trust. And, if the disastrous consequences of these breaches aren’t enough, the increasingly rigorous guidelines of credit card issuers, not to mention the steep penalties for non-compliance, provide even more incentive.
   A comprehensive data privacy implementation must address security across the whole enterprise. To achieve data privacy, it is important to think about the security of applications, databases and the infrastructure that supports them as a whole. While the modes and details of implementation will vary greatly among MSPs and ISOs, there are also strong commonalities, central building blocks, that are shared across all effective implementations. Each of these components is key to deploying a data privacy solution and to ensuring security, scalability and the ability to deploy in production environments. Following is a brief overview of each of the data privacy building blocks and the important issues to consider in each area.

Secure Key Management

   One of the essential components of encryption that is often overlooked is key management, which refers to the way cryptographic keys are generated and managed throughout their lifetime. When evaluating a data privacy solution, it is essential to include the ability to securely generate and manage keys. This can often be achieved by centralizing all of the tasks of key management on a single platform and effectively automating administrative key management tasks, which will lead to both operational efficiency and reduced cost of management. Data privacy solutions should also include an automated and secure mechanism for key rotation, replication and backup.

Cryptographic Operations

   MSPs and ISOs evaluating data privacy solutions should fully understand the cryptographic operations involved: when to use particular encryption algorithms to secure data, hash functions and keyed hashes for data elements such as passwords, and digital signatures to ensure non-repudiation. Data privacy solutions should also be designed and deployed to leverage both symmetric and asymmetric encryption algorithms, as both have an important role in the overall design of a proper solution.
   Authentication and authorization are critical components of any data privacy solution. An authentication component allows the enterprise to restrict which users (application users, database users or even individual users) are allowed to access data in the clear. Deployed correctly and coupled with an authorization component, this provides a strong layer of security with granular access controls. This is especially important in an environment in which encryption is deployed at the application or database level and leverages standard application or database security measures. Authorization is of particular importance in a data privacy solution, especially as it relates to access controls for both data and the keys used to unlock that data. Once a user is authenticated, the solution should restrict that user to designated keys and specific cryptographic functions. This allows an enterprise to further restrict users and segment data security functionality.

Logging, Auditing and Management

   When encrypting data within an organization, one has to consider the fact that data, keys and logs will be accessed, encrypted, managed and generated on multiple devices and in multiple locations. When considering an enterprise-wide solution, it is essential to choose one that enables the administrator to centrally log and audit access to data and keys. Doing so addresses three fundamental necessities of deploying a data privacy solution.
   First, it reduces the cost of management by providing a single, centralized interface. Second, it makes the solution more secure by providing a central place from which to view activity as attacks occur. Third, it allows an enterprise to demonstrate compliance with the logging and auditing requirements set forth in the card issuers’ security programs, such as MasterCard’s Site Data Protection (SDP) program or Visa’s Cardholder Information Security Program (CISP).
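The authorization and audit points made in the Cryptographic Operations section and in this one (a principal sees data in the clear only if it holds a grant for that operation on that specific key, and every key use is recorded centrally) in working code, as an added example that is not from the original article and not from any product the author describes. It assumes a hypothetical in-process KeyServer standing in for the central key management platform, uses RSA-OAEP for the asymmetric role (applications encrypt with a published public key; only the server holds the private key) and HMAC-SHA256 as the keyed hash; the principal names, key IDs and the grant model are illustrative:

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Operation names one cryptographic function a principal can be granted.
type Operation string

const (
	OpDecrypt Operation = "decrypt" // private-key operation: reveals data in the clear
	OpMAC     Operation = "mac"     // keyed hash: yields a lookup token, never the data
)

// KeyServer stands in for a central key management platform: it owns the keys,
// enforces a per-principal, per-key, per-operation policy and logs every decision.
type KeyServer struct {
	rsaKeys map[string]*rsa.PrivateKey
	macKeys map[string][]byte
	policy  map[string]map[string][]Operation // principal -> key ID -> allowed ops
	Audit   []string                          // central audit trail
}

func NewKeyServer() *KeyServer {
	return &KeyServer{rsaKeys: map[string]*rsa.PrivateKey{}, macKeys: map[string][]byte{}, policy: map[string]map[string][]Operation{}}
}

// AddRSAKey generates a key pair under id. The public half is handed to
// encrypting applications; the private half never leaves the server.
func (s *KeyServer) AddRSAKey(id string) (*rsa.PublicKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	s.rsaKeys[id] = k
	return &k.PublicKey, nil
}

// AddMACKey installs a 32-byte HMAC key generated elsewhere (in the HSM).
func (s *KeyServer) AddMACKey(id string, key []byte) { s.macKeys[id] = key }

// Grant allows principal to perform ops with key id, and nothing else.
func (s *KeyServer) Grant(principal, id string, ops ...Operation) {
	if s.policy[principal] == nil {
		s.policy[principal] = map[string][]Operation{}
	}
	s.policy[principal][id] = append(s.policy[principal][id], ops...)
}

// authorize is the single choke point every key use passes through; allowed and denied requests are both logged.
func (s *KeyServer) authorize(principal, id string, op Operation) error {
	for _, allowed := range s.policy[principal][id] {
		if allowed == op {
			s.Audit = append(s.Audit, fmt.Sprintf("ALLOW principal=%s op=%s key=%s", principal, op, id))
			return nil
		}
	}
	s.Audit = append(s.Audit, fmt.Sprintf("DENY principal=%s op=%s key=%s", principal, op, id))
	return fmt.Errorf("%s may not %s with key %s", principal, op, id)
}

// EncryptFor is what an application at the point of capture does with the published
// public key: no policy check, since encrypting exposes nothing. The key ID is the OAEP label.
func EncryptFor(pub *rsa.PublicKey, keyID string, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, []byte(keyID))
}

// Decrypt returns data in the clear only to a principal granted OpDecrypt on that
// key; a ciphertext made under another key ID fails the OAEP label check.
func (s *KeyServer) Decrypt(principal, id string, ciphertext []byte) ([]byte, error) {
	if err := s.authorize(principal, id, OpDecrypt); err != nil {
		return nil, err
	}
	k, ok := s.rsaKeys[id]
	if !ok {
		return nil, fmt.Errorf("no such key %s", id)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k, ciphertext, []byte(id))
}

// Token returns HMAC-SHA256(key, data): a stable reference to a card number for
// lookup or de-duplication that reveals nothing without the key.
func (s *KeyServer) Token(principal, id string, data []byte) ([]byte, error) {
	if err := s.authorize(principal, id, OpMAC); err != nil {
		return nil, err
	}
	k, ok := s.macKeys[id]
	if !ok {
		return nil, fmt.Errorf("no such key %s", id)
	}
	m := hmac.New(sha256.New, k)
	m.Write(data)
	return m.Sum(nil), nil
}
```

Running it means generating a key pair with AddRSAKey, granting a settlement principal OpDecrypt and a point-of-sale principal OpMAC, and then watching Audit gain one ALLOW or DENY line per request. Two properties carry the article's argument: the policy is enforced at the key server rather than in the application, so a compromised application that was only ever granted "mac" still cannot recover a card number; and the key ID is bound as the OAEP label, so a ciphertext produced for one key cannot be replayed under another. Bulk data at rest would normally be encrypted symmetrically alongside this, with the asymmetric key protecting or transporting the symmetric keys.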

Backup and Recovery

   There are two essential components to consider when evaluating backup and recovery within the context of a data privacy solution. First, one must design a mechanism to back up all cryptographic keys and configuration information. This must include a way to restore all of that information after an unplanned outage, and a way to keep the keys secured once they have been exported from the security device. Failure to design a secure mechanism for backing up cryptographic keys to a central location will significantly weaken the overall security of the solution. Second, since key rotation is part of a proper security strategy, the enterprise must also design a mechanism that associates each cryptographic key with the period of time during which it was used. Doing so allows restored encrypted data to be decrypted with the key that was in use when it was written.
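Both components of this section, together with the rotation and backup points under Secure Key Management, as an added example that is not code from the original article or from any product it describes: a hypothetical KeyRing records the period in which each key version was the encrypting key, decrypts a restored record with the version that was active when the record was written, and backs itself up wrapped under a separate key-encrypting ring. Keys are passed in as 32-byte slices on the assumption that an HSM or key server generated them; AES-256-GCM, the field names and the JSON serialisation are the example's own choices:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// KeyVersion is one generation of a data key plus the period in which it encrypted.
type KeyVersion struct {
	Version   uint32
	Key       []byte
	NotBefore time.Time
	NotAfter  time.Time // zero while this is still the active version
}

// KeyRing holds every version of one key; retired versions stay so old records decrypt.
type KeyRing struct{ Versions []KeyVersion }

// Rotate retires the active version as of now and installs key (a fresh 32-byte
// AES key generated elsewhere, in the HSM or key server) as the next version.
func (r *KeyRing) Rotate(now time.Time, key []byte) {
	if n := len(r.Versions); n > 0 {
		r.Versions[n-1].NotAfter = now
	}
	r.Versions = append(r.Versions, KeyVersion{Version: uint32(len(r.Versions)) + 1, Key: key, NotBefore: now})
}

// VersionAt answers "which key was encrypting at time t?": the key-to-period
// association that lets a restored record be decrypted with the right key.
func (r *KeyRing) VersionAt(t time.Time) (*KeyVersion, error) {
	for i := range r.Versions {
		v := &r.Versions[i]
		if !t.Before(v.NotBefore) && (v.NotAfter.IsZero() || t.Before(v.NotAfter)) {
			return v, nil
		}
	}
	return nil, fmt.Errorf("no key version active at %s", t.Format(time.RFC3339))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the active version; output is nonce || ciphertext.
func (r *KeyRing) Encrypt(plaintext []byte) ([]byte, error) {
	if len(r.Versions) == 0 {
		return nil, fmt.Errorf("key ring is empty")
	}
	g, err := newGCM(r.Versions[len(r.Versions)-1].Key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt picks the key version from the record's write time, not from the current one.
func (r *KeyRing) Decrypt(writtenAt time.Time, blob []byte) ([]byte, error) {
	v, err := r.VersionAt(writtenAt)
	if err != nil {
		return nil, err
	}
	g, err := newGCM(v.Key)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("bad key or ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Backup serialises the ring, periods included, and wraps it under a separate
// key-encrypting ring whose own keys would live in an HSM or with custodians.
func (r *KeyRing) Backup(kek *KeyRing) ([]byte, error) {
	plain, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	return kek.Encrypt(plain)
}

// Restore unwraps a backup taken at takenAt with the same key-encrypting ring.
func Restore(kek *KeyRing, takenAt time.Time, blob []byte) (*KeyRing, error) {
	plain, err := kek.Decrypt(takenAt, blob)
	if err != nil {
		return nil, err
	}
	r := &KeyRing{}
	return r, json.Unmarshal(plain, r)
}
```

Rotating twice and then decrypting a record written during the first period works because Decrypt asks VersionAt for the key that was active at the record's write time rather than the current one; a record that predates the first rotation, and a restore attempted with the wrong key-encrypting ring, both fail cleanly. In production the ciphertext would also carry its key version explicitly, so that decryption does not depend on a trustworthy timestamp, and the key-encrypting ring would itself live in the HSM or be split among custodians rather than sit next to the backup.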

Hardware

   Today’s complex and performance-sensitive environments require specialized cryptographic hardware whose sole purpose is handling high-volume cryptographic operations. Offloading that work restores application, database and storage systems to optimal performance levels. Furthermore, hardware can be leveraged to enhance overall security by keeping secret cryptographic keys inside the device, minimizing the threat of key theft.
   MasterCard stipulates that large merchants and MSPs must generate and store the keys used to encrypt and decrypt data in an HSM (Hardware Security Module). There are various levels of hardware security that can be achieved, including the security levels that the Federal Information Processing Standard for cryptographic modules (FIPS 140) defines. When choosing a data privacy solution, an enterprise should consider all options for FIPS compliance, which are described at www.itl.nist.gov/fipspubs/.

Scalability and High Availability

   When choosing or designing a data privacy solution a security architect must take scalability, distribution and high availability into consideration. Scalability should be considered when analyzing capacity for cryptographic functions. An enterprise must be able to determine the number of required cryptographic operations that will be processed and build a solution to support that requirement.
   If capacity planning yields variable results without a clear understanding of future needs, one must consider a solution whose basic architecture is designed around the principle of growth. This must include the ability to add additional specialized cryptographic hardware without having to retrofit applications and databases or increase the size of the system chassis. Furthermore, an enterprise must also consider a solution that has the ability to scale outside of a single geographic location and that can adequately replicate configurations and key infrastructures within enterprises that have multiple sites. Finally, strong consideration must be given to deploying a high availability architecture that can ensure the timely encryption and decryption of data, even when hardware failures occur. Redundancy should be employed at every layer in which encryption occurs, whether at the Web, application, database, or storage layer.

   It is increasingly incumbent upon MSPs and ISOs to undertake a data privacy implementation in order to ensure that cardholder data is protected from the myriad security threats in existence today. Those managing such an implementation must know the fundamental elements that make up the overall solution, leverage standards-based technologies and ensure that proper planning and cooperation occur across the organization. Doing so will help ensure an effective deployment that helps MSPs and ISOs achieve compliance with the card issuers’ security policies and regional legislation and, most importantly, proactively guard against a devastating security breach.