When I first joined Citibank in the 1990s, one of the underlying philosophies reinforced by CEO John Reed was that Citicorp had two products: money and trust. “If you can’t sell the trust, you can’t sell the money,” he’d say.
In today’s business environment, the concept takes on even greater meaning. Now, trust is implicitly tied to security. As we work our way through this rocky economic climate, establishing security in a way that ensures trust is going to be critical in maintaining credibility for all manner of businesses. Yet the path to this goal is littered with convoluted solutions that solve only part of the equation. What’s needed is an effective, well-thought-out risk assessment process tied to easy-to-use solutions.
So many of our day-to-day personal details end up in corporate databases, yet organizations are only just coming to grips with methods to protect that data wherever it goes. The good news is that there are many dynamics compelling companies to protect data, notably regulations and standards. One thing a good friend, who is the head of technology risk at a major financial institution, always tells me is that ‘data wants to be free,’ and nothing will ever change that (which is a good thing). Trying to trap data as it wriggles out of the organization is always a challenge. You can never really be sure you got everything, and then, of course, there’s the question of what you should do with the data that absolutely positively must get to your business partner on time.
The latest trend here is data-centric security. The folks at Forrester Research, like Dr. Chenxi Wang (who worked with me at Citibank), have been talking about this for quite a while, as have many forward-thinking CISOs. There are many reasons to protect the data itself wherever it goes. But in the real world, it can mean the difference between dealing with multiple cases of identity theft, and knowing that you can pass the next series of audits and examinations.
The types of solutions out there to help protect data typically fit into two categories: native capabilities in the databases themselves, and application development toolkits that can be used to ensure data is protected in applications. The problem with the native database support is that it’s great for the database, but does nothing for the applications, so you’re not really solving the complete problem. The cryptographic application development toolkits are cryptic – finding a mainframe programmer who understands cryptography and key management can be tough, not to mention the sheer cost of opening up applications and modifying code, as well as the resources it takes to handle all the change control. There’s got to be a better way.
This is why we should all be on the lookout for true innovation, which is tough to come by in matters of security.
I know of a few financial/retail companies that are using a technique called “format-preserving encryption.” This is a cryptographic approach based on AES that lets you take, say, a 16-digit credit card number and encrypt it.
Normally, when information is encrypted, it becomes larger, requiring changes to the database schemas and applications, but with this approach the format stays the same. In fact, all the business rules around the credit card number (like its checksum) can be enforced. You get a credit card number that looks and feels like a real credit card, but it can’t be mapped back to someone’s identity. No database changes are required, only minimal changes to a few trusted applications. So, it is very quick to implement (these companies got it done in weeks rather than months). What’s interesting is that the research behind format-preserving encryption was done almost a decade ago, but it took a spark of creativity to apply this technique to solving a very costly problem that affects any entity that stores structured sensitive data.
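The format-preserving property described above can be seen in a short sketch. This is an added example, not code from the article or from the companies it mentions: it is a toy alternating Feistel network over decimal digits that uses HMAC-SHA256 as the round function in place of AES so it runs on the Python standard library, and it is not a vetted FPE mode. All function names, the round count and the key are hypothetical; keeping the Luhn checksum valid by encrypting the first 15 digits and recomputing the check digit is an assumption about how the checksum rule could be enforced.

```python
import hashlib
import hmac

ROUNDS = 10  # constructed parameter for this sketch

def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

def _prf(key: bytes, rnd: int, half: str, width: int) -> int:
    """Round function: HMAC-SHA256 output reduced to `width` decimal digits."""
    mac = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10**width

def _feistel(key: bytes, digits: str, decrypt: bool = False) -> str:
    """Alternating Feistel over a decimal string; output length equals input length."""
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for rnd in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if rnd % 2 == 0 else v  # width of the half rewritten this round
        if decrypt:
            a, b = str((int(b) - _prf(key, rnd, a, m)) % 10**m).zfill(m), a
        else:
            a, b = b, str((int(a) + _prf(key, rnd, b, m)) % 10**m).zfill(m)
    return a + b

def encrypt_pan(key: bytes, pan: str) -> str:
    """Encrypt a 16-digit card number into another Luhn-valid 16-digit number."""
    if len(pan) != 16 or not luhn_valid(pan):
        raise ValueError("expected a 16-digit, Luhn-valid number")
    body = _feistel(key, pan[:15])
    return body + luhn_check_digit(body)

def decrypt_pan(key: bytes, token: str) -> str:
    if len(token) != 16 or not luhn_valid(token):
        raise ValueError("expected a 16-digit, Luhn-valid number")
    body = _feistel(key, token[:15], decrypt=True)
    return body + luhn_check_digit(body)

KEY = b"constructed-demo-key"   # constructed sample key
PAN = "4111111111111111"        # widely published test card number
```

The token fits the same 16-character numeric column as the original and passes the same checksum validation, and only code holding the key can recover the original number.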
We need more security innovation like this.