In a recent survey of attendees at the annual Black Hat Security conference, 77% responded that they believe no passwords are safe from hackers or the government. With so many enterprises facing so many different challenges it is no wonder that security seems such an overwhelming and difficult thing to do well. Every CIO and CISO tries to balance the need for data security against users' need for access to do their jobs, but far too often this balancing act becomes untenable because of rapid changes to the business and the need to react quickly to changing conditions. IT Security needs to provide business safeguards without impeding the ability of the business to meet its needs and serve its customers.
There are several methods that are considered best practices for protecting enterprises from breaches, from the edge of the network all the way down to access controls. As cyber attacks continue to dominate news headlines, it is clear that many enterprises struggle with implementing and staying current with security best practices. As attackers become more sophisticated and find new ways around security protections, user access (stolen or guessed passwords) remains the avenue with the highest rate of success. It is reasonable to assume that every enterprise will eventually suffer some form of breach.
So what are attackers after? Most of the time it is the data your business holds and maintains, the data that keeps you in business. For Gaming and Hospitality enterprises much of that is sensitive customer information that drives the business every day: credit card numbers, addresses, player data, and so on. There has been much work on securing application systems, but what about the data itself? Too often there are legitimate business reasons for users to access the data, such as reporting, analysis, and sharing information with other departments that do not have access to the system in question but need a portion of its data. How many times have you received an Excel spreadsheet containing sensitive data over email? Hopefully this does not occur often, but when it does, a good intention has usually resulted in data travelling without the safeguards put in place by IT security personnel. This leads me to the conclusion that IT Security professionals need to treat the data itself as another layer of protection in their cyber security strategy.
Traditional Information Technology Encryption Security
In many cases IT Security professionals employ encryption to protect data and keep it secure. Encryption is the process of encoding information in such a way that only authorized parties can read it. The two families are symmetric (secret key) encryption, where the same key encrypts and decrypts, and asymmetric (public key) encryption, where a public key encrypts and a private key decrypts. Hashing is often mentioned alongside these, but it is a one-way function with no key and no way to recover the input, so it is a tool for integrity checks and password storage rather than a form of encryption. All of these use algorithms to turn clear text into a format that is unreadable, and therefore protected, if the data is intercepted by someone who is unauthorized.
The problem with conventional encryption is that it leaves the data unreadable to every person and every program until the whole value is decrypted. This is a problem when an application needs only part of the data: unless the program holds credentials to decrypt the data and then re-encrypt it when it is done, the data is unusable. It also changes the data's shape, because a block cipher such as AES in Cipher Block Chaining (CBC) mode produces binary output, pads the value up to a multiple of the block size and adds an initialization vector, so a nine-digit field no longer fits a nine-digit column. CBC is one mode of operating a block cipher, not a category of encryption, but it is the mode most often meant when people talk about traditional "whole field" encryption, and this article uses it as the reference point.
In contrast, Format Preserving Encryption (FPE) can encrypt or "scramble" selected characters or fields of data while keeping the output in the same format as the input: digits stay digits, the length stays the same, and separators stay where they were. The input is called the clear text and the encrypted output the cipher text. FPE is closely related to tokenization, the process of substituting sensitive data with a non-sensitive substitute (a token) that has no extrinsic or exploitable meaning or value. The difference is how the substitute is produced: FPE computes it from the clear text with a key, so it can be reversed anywhere the key is available, while classic tokenization generates a random token and keeps the only mapping back to the original in a protected vault. Both keep the field's format, and FPE is one of the standard ways a tokenization product generates its tokens.
Traditional Encryption Models and Next Generation Encryption/ Tokenization Models
To illustrate how FPE compares to CBC encryption, please refer to Figure 1: FPE and CBC Encryption Comparison. In this example there are two records holding two different kinds of information, but both require protection because of the sensitive nature of the data. This is typical of data collected through hotel reservation systems, casino player card enrollment, credit applications and similar points of customer service.
In the first example, the customer's first name, last name, social security number and date of birth need protection. With FPE the characters are replaced with characters of the same kind, so the stored value keeps the same length and field type and the database's field integrity is not broken. The unique advantage of this type of encryption is that you can define which fields, and which individual characters within a field, are scrambled and which are left clear. In the first example the first name and last name have been scrambled completely, while for the social security number the last four digits remain clear and the rest are scrambled. Other programs, systems, or users can then use or see this data without full exposure to the sensitive value. Two caveats apply. The digits left in clear are still sensitive and should be limited to what the business process genuinely needs. And the fewer characters you encrypt, the smaller the set of possible values an attacker has to search: NIST's guidance for its FPE modes (SP 800-38G) sets a minimum domain of one million values, which a five-digit prefix (100,000 values) does not meet, so consider scrambling the whole field and exposing the last four digits only at display time. If you compare these results with those of CBC encryption, none of the CBC output is useful unless all of it is decrypted.
Typically, CBC encryption does not retain data field integrity: the output is binary, longer than the input, and unusable by other programs, systems, or users without full decryption of all of the data (as shown in Figure 1).
- Advanced Encryption Standard (AES) – Cipher Block Chaining (CBC)
- Advanced Encryption Standard (AES) – Format-Preserving Encryption (FPE) and Tokenization (the standardized FPE modes, FF1 and FF3-1 in NIST SP 800-38G, are themselves built on AES)
In the second example, we focus on the fields for first name, last name, and checking account number. Here the business needs the leading portion of the checking account number to remain readable, but the last nine digits must be scrambled. FPE can do exactly this, whereas the CBC result encrypts everything: again, all or none of the data.
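The partial-field scrambling described for the SSN and the checking account number, as an added example that is not code from the article or from any vendor's product. The cipher is a keyed Feistel network over decimal digits with an HMAC-SHA256 round function; that is the construction family NIST FF1 belongs to, but this is not FF1 and has not been analysed, so treat it as a demonstration of the mechanics and use a vetted FF1 implementation in production. The fixed key, the tweak layout, the field names and the sample values are all assumptions made for the example.

```python
"""Format-preserving encryption of part of a field (added example, not the article's code).

A Feistel network over decimal digit strings: the cipher text has the same
length and character class as the clear text, so it fits the same database
column, and the caller chooses which span of the field is encrypted.
Not NIST FF1; the key below is a placeholder, a real system fetches it from a KMS/HSM.
"""
import hashlib
import hmac

ROUNDS = 10  # even, so the two halves finish in their starting order


def _prf(key: bytes, tweak: bytes, round_no: int, half: str, m: int) -> int:
    """Round function: HMAC over (tweak, round number, other half), reduced mod 10**m."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** m)


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a decimal string to a decimal string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a string of at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # length of the half being replaced this round
        c = (int(a) + _prf(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt: run the same rounds backwards."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a string of at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, tweak, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def _tweak(field: str, clear_part: str) -> bytes:
    """Bind the cipher text to the field name and to the characters left in clear,
    so the same digits encrypt differently in different fields and records."""
    return field.encode("ascii") + b"|" + clear_part.encode("ascii")


def protect_span(key: bytes, field: str, value: str, start: int, stop: int,
                 decrypt: bool = False) -> str:
    """Encrypt (or decrypt) only value[start:stop]; separators such as '-' and the
    characters outside the span are carried through unchanged."""
    span = value[start:stop]
    clear = value[:start] + value[stop:]
    digits = "".join(ch for ch in span if ch.isdigit())
    op = fpe_decrypt if decrypt else fpe_encrypt
    out = iter(op(key, _tweak(field, clear), digits))
    rebuilt = "".join(next(out) if ch.isdigit() else ch for ch in span)
    return value[:start] + rebuilt + value[stop:]


# Field policies from the article's two examples (assumed field names).
def protect_ssn(key: bytes, ssn: str) -> str:        # "123-45-6789": scramble "123-45", keep "6789"
    return protect_span(key, "ssn", ssn, 0, 6)

def unprotect_ssn(key: bytes, ssn: str) -> str:
    return protect_span(key, "ssn", ssn, 0, 6, decrypt=True)

def protect_account(key: bytes, acct: str) -> str:   # keep the leading digits, scramble the last nine
    return protect_span(key, "acct", acct, len(acct) - 9, len(acct))

def unprotect_account(key: bytes, acct: str) -> str:
    return protect_span(key, "acct", acct, len(acct) - 9, len(acct), decrypt=True)


if __name__ == "__main__":
    KEY = bytes(range(32))           # placeholder key for the demo only
    ssn, acct = "123-45-6789", "0011223344556677"   # constructed sample values
    p = protect_ssn(KEY, ssn)
    print(ssn, "->", p, "->", unprotect_ssn(KEY, p))
    q = protect_account(KEY, acct)
    print(acct, "->", q, "->", unprotect_account(KEY, q))
```

The protected SSN still has eleven characters, two hyphens and the original last four digits, so it drops into a CHAR(11) column and existing display masks keep working. For comparison, AES-CBC over the same eleven bytes yields sixteen bytes of binary cipher text after padding plus a sixteen-byte IV, which no numeric column or reporting tool accepts without decrypting first.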
Data Centric Security Model
In today's IT Security models there are multiple layers of protection, each serving a purpose intended to safeguard sensitive business and customer information. As sensitive data traverses each of these layers there are potential security gaps, and each gap is a potential point of exploit. On top of this, how many vendors does a multi-layer model employ? And then come the challenges of interoperability and compatibility between those vendors. This quickly becomes overwhelming, especially during audits and other regulatory exercises. A method that many IT Security professionals are implementing is a data centric security approach, in addition to the existing security safeguards.
An example representation is in Figure 2. If encryption or tokenization is applied at the point where data is ingested or created, then the data is protected regardless of which layer of the data ecosystem it later passes through. This also opens up the possibility of using real, tokenized data in other areas of the business without expanding PCI scope, because the sensitive values never arrive there. Initiatives such as Big Data projects can use real data for real business value with limited PCI scope impact and without fear that sensitive data will be seen by an unauthorized user; test and development environments can use real data as well, since the source is tokenized, only the elements the business needs are left in clear, and the field formats are maintained. The caveat is that scope reduction depends on where the keys or the token vault live: a system that holds tokens only, with no access to the key or the vault, can be argued out of scope, whereas a system that can reverse the tokens (or one where encrypted card data and the keys sit together) remains in scope under the PCI SSC tokenization guidelines, so keep the vault and key management segmented and out of the analytics and test environments.
These are just two examples that could bring significant value to a business while still maintaining strong safeguards for what is important to any operator, their customer data.
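Tokenizing at the ingestion point and handing only tokens downstream, as an added example that is not code from the article or any vendor. This shows the vault-based form of tokenization rather than FPE: the token is random, carries no key-derived link to the value, and the only mapping back to the original lives inside the vault, so analytics and test/dev systems that receive tokens never need the vault at all. The in-memory vault class, the field policies and the sample records are assumptions made for the example.

```python
"""Vault-based tokenization at the data ingestion point (added example, not the article's code).

Downstream consumers (reporting, Big Data, test/dev) get tokens that keep the
field's format and stay stable for a given value, so joins and deduplication
still work, but only the vault can turn a token back into the real value.
"""
import secrets


class TokenVault:
    """In-memory stand-in for a tokenization service. A production vault persists the
    mapping encrypted, audits every detokenize call, and sits in its own network segment."""

    def __init__(self) -> None:
        self._to_token: dict = {}   # (field, value) -> token
        self._to_value: dict = {}   # (field, token) -> value

    def tokenize(self, field: str, value: str, keep_last: int = 0) -> str:
        """Return a random token with the same length and separators as value.
        Digits are replaced at random except the trailing keep_last digits."""
        key = (field, value)
        if key in self._to_token:          # same input -> same token (deterministic)
            return self._to_token[key]
        digit_pos = [i for i, ch in enumerate(value) if ch.isdigit()]
        scramble = digit_pos[:len(digit_pos) - keep_last] if keep_last else digit_pos
        if not scramble:
            raise ValueError("nothing left to tokenize")
        while True:                        # retry on the rare collision
            chars = list(value)
            for i in scramble:
                chars[i] = str(secrets.randbelow(10))
            token = "".join(chars)
            if token != value and (field, token) not in self._to_value:
                break
        self._to_token[key] = token
        self._to_value[(field, token)] = value
        return token

    def detokenize(self, field: str, token: str) -> str:
        """Only systems inside PCI scope ever call this."""
        return self._to_value[(field, token)]


def ingest(vault: TokenVault, record: dict) -> dict:
    """Called once where the record is created; everything after this sees tokens only.
    Policy (assumed): keep the last four digits of the SSN and card number visible."""
    protected = dict(record)
    protected["ssn"] = vault.tokenize("ssn", record["ssn"], keep_last=4)
    protected["card"] = vault.tokenize("card", record["card"], keep_last=4)
    return protected


def repeat_guests(tokenized_records: list) -> dict:
    """Analytics over tokens only: count visits per guest by SSN token.
    Works because the vault hands out the same token for the same SSN."""
    counts: dict = {}
    for rec in tokenized_records:
        counts[rec["ssn"]] = counts.get(rec["ssn"], 0) + 1
    return counts


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample records, not real customer data.
    raw = [
        {"name": "Guest One", "ssn": "123-45-6789", "card": "4111111111111111"},
        {"name": "Guest One", "ssn": "123-45-6789", "card": "5555555555554444"},
        {"name": "Guest Two", "ssn": "987-65-4321", "card": "4012888888881881"},
    ]
    safe = [ingest(vault, r) for r in raw]
    for r in safe:
        print(r)
    print(repeat_guests(safe))
```

Because the tokens are random rather than computed from the value, there is no key to steal and nothing to brute-force; the trade-off is the vault itself, which becomes the crown jewel and must be backed up, replicated and access-controlled as carefully as the original data. Card tokens produced this way will usually fail a Luhn check, which is a feature: a token that validates like a real PAN invites someone to treat it as one.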
Summary
Today cyber security is such an important aspect of IT operations that it adds to the already huge demand to maintain operational efficiency. With the constant threats every IT Security professional faces, it is difficult to maintain a consistent security model across so many points of data entry and so many demands from the business for easy access to needed data. As attackers become more sophisticated and breaches occur more often, an additional layer of protection for the primary asset, sensitive customer data, makes sense, provided it preserves operational access without placing an additional burden on systems or users.
Through tokenization and format-preserving encryption, enterprises can protect the important data so that if it is compromised it has little or no value to the attacker. And in today's world of connected systems, it is not a matter of if an enterprise will have a data breach, but a question of when it will occur.
Victor Barajas serves as the Enterprise Architect and Chief Technologist for Hospitality and Gaming at HP Enterprise supporting gaming operations across North America. Mr. Barajas is responsible for establishing the technology roadmap for customers that look to HP Enterprise to help develop strategic business transformation within technology and the digital guest experience. Mr. Barajas has over 15 years in the Hospitality and Gaming industry and he has been involved in more than 6 casino resort ground-up projects and major system conversions. Prior to joining the HP Enterprise, he served as part of the Hospitality and Gaming vertical team at Microsoft Corp. and served as its Technology Strategist for Las Vegas for 5 years.
