nuBridges
PII DATA PROTECTION

Protect PII with Encryption and Tokenization for Defense in Depth

Many organizations are formulating a multi-layered defense strategy to protect Personally Identifiable Information (PII). Why?

  • The frequency of data breaches is increasing, and PII is among the most valuable data types for cybercriminals.

  • Government and industry mandates for PII protection are increasing, and becoming more stringent and well-defined.

  • The consequences of a breach are becoming much more significant – in terms of both cost and brand trust.

  • Today’s extended enterprise is tearing down digital boundaries. Intentionally porous borders are making sensitive data protection even more important.

Information security investment has progressed in waves. The first wave was perimeter protection. The second wave focused on protecting mobile data – laptops, thumb drives and other devices that carry sensitive enterprise information.

The newest wave finds organizations investing in “inside out” protection that neutralizes inevitable breaches by encrypting or tokenizing sensitive data right where it lives, in databases and applications. In fact, many regulations emphasize the desirability of encrypting sensitive data at rest and in transit – and encryption is a safe harbor that exempts organizations from breach notification.

New methods can make this completely transparent to the applications and business processes in which sensitive data is unnecessarily exposed. For example, it’s easy to replace Social Security numbers with meaningless tokens that (1) are in the exact same format that’s expected by existing applications and (2) preserve the last four digits so that customer service procedures can continue unchanged. Most sensitive data only needs to be seen or used by a very few authorized people, systems or use cases. If you apply this principle of “least privilege” – obfuscating sensitive data in every case except the few that need it – breach risk is exponentially reduced.
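The token scheme described above can be sketched as a small vault, shown here as an added example that is not nuBridges product code. The class name, the in-memory storage and the role names are hypothetical; the sample SSN is constructed.

```python
import re
import secrets

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


class SsnTokenVault:
    """Hypothetical in-memory stand-in for a token vault; a production vault
    would be an encrypted, access-controlled datastore."""

    def __init__(self, authorized_roles):
        self._authorized = frozenset(authorized_roles)
        self._by_ssn = {}    # real SSN -> token, so repeat calls are stable
        self._by_token = {}  # token -> real SSN, read only by detokenize()

    def tokenize(self, ssn):
        m = SSN_RE.match(ssn)
        if not m:
            raise ValueError("expected NNN-NN-NNNN")
        if ssn in self._by_ssn:
            return self._by_ssn[ssn]
        last4 = m.group(3)
        for _ in range(1000):
            # CSPRNG digits: the token is not derived from the SSN, so it
            # cannot be reversed without the vault mapping.
            head = f"{secrets.randbelow(100_000):05d}"
            token = f"{head[:3]}-{head[3:]}-{last4}"
            taken = token in self._by_token or token in self._by_ssn
            if token != ssn and not taken:
                self._by_ssn[ssn] = token
                self._by_token[token] = ssn
                return token
        raise RuntimeError("token space for this last-four group is exhausted")

    def detokenize(self, token, role):
        # Least privilege: only explicitly authorized roles see the real value.
        if role not in self._authorized:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._by_token[token]


def demo():
    vault = SsnTokenVault(authorized_roles={"tax-reporting"})
    ssn = "123-45-6789"  # constructed sample value
    return ssn, vault.tokenize(ssn), vault
```

Because the last four digits are kept, only 100,000 distinct tokens exist per last-four group, so the protection rests on the vault mapping and its access control rather than on the token being hard to guess.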

In combination, the three waves described above are the foundation for a defense-in-depth strategy to protect PII, to prove compliance and to avoid costly breach notification requirements.

PII Protection Solutions from nuBridges

nuBridges offers packaged software solutions that are ideal for compliant protection of PII at rest and in transit. They are designed with the needs of today’s enterprise in mind – non-invasive where possible, multi-platform, SOA-compliant for interoperability and scalable.

Proven in production use, nuBridges technology:

  • Protects PII and billions of credit card transactions for some of the most recognized brand names in the world;

  • Securely exchanges confidential business documents among thousands of business partners; and

  • Safely automates the DEA-mandated controlled substance ordering system (CSOS);

to name just a few use cases. nuBridges Protect™ is an encryption solution and nuBridges Exchange™ is a secure file transfer solution.

Perspectives on PII

Personally identifiable information includes a variety of data types that, alone or in certain combinations, are extremely valuable to cybercriminals:

  • Driver’s license number

  • Social Security Number

  • Bank account number

  • National Insurance Number

  • Government-issued identification number

  • Brokerage account number

  • Mother’s maiden name

  • Address

  • ...and more

Interestingly, the Payment Card Industry Data Security Standard (PCI DSS), which has mandated encryption of payment card data since 2004, has spawned a set of solutions and best practices that are directly applicable to these PII data types – and already proven in high-volume, business-critical implementations around the world.

Propelled by the HITECH Act, EU Privacy Directives, U.S. State Breach Notification Laws, Sarbanes-Oxley Act and other regulations, along with the general desire on the part of IT security and risk management professionals to apply best practices in their enterprises, the third wave of information security investment is rapidly gaining momentum.

It’s also interesting to contemplate where the “perimeter” actually is in today’s extended enterprise. One challenge to traditional notions of perimeter defense is the mobile and remote workforce. Another is the extended enterprise – the most competitive organizations are connecting with their customer and business partner communities electronically. They’re making it easy to share information that shortens order-to-cash, gives early warning of opportunities and threats and makes all manner of business processes more efficient and more “green”. One perspective is that the perimeter is moving closer to the data itself.

Contact nuBridges to learn more about “inside-out” approaches to information security.
 

Sharing Data. With Confidence. © 2010 nuBridges, Inc.