25 May 2011

Maintaining data security and compliance in the 21st century IP connected world

SSH Communications Security | www.ssh.com


If you revisit predictions made 30 years ago about the expected state of technology in the early 21st century, you would likely see a vision of a world of marvels well beyond the realm of possibility at that time. From universal communications to artificial intelligence to robotics to inter-planetary travel, it looked like the revolutionary technological advances of “the future” would transform all aspects of human existence.

Well, the future is now, and we are already submerged in many of the technological wonders that were once only a visionary marvel. Granted, we’re not quite living in a world run by robots and shuttling back and forth to Mars, but our generation relies extremely heavily on IP (Internet Protocol) connected technology for some of the most fundamental aspects of our businesses’ success and our personal and professional lives – from banking to travel to healthcare, and just about every area in between.

At the same time, technology – particularly information technology – continues to advance by leaps and bounds at a rapid pace. We can almost take for granted what we now routinely achieve with advanced IP networking, virtual computing, and new generation network services.

However, with the added power and convenience of using these technologies for banking, purchasing, information gathering, retail operations, and the whole gamut of other practical applications, there is a cost: security.

Unfortunately, with these new technologies come significantly greater security risks. First of all, they open up a host of new channels for the transmission of, and access to, potentially sensitive customer and corporate information, all of which must be secured. Gone are the days when data was only transferred between two or three computers and legions of terminals that were hardwired together, with all the personnel holding system access easily authorized and accounted for. Now, anyone, anywhere in the world, with ill intent and sufficient knowledge of hacking or sniffing techniques can potentially tap into wired as well as wireless data transmissions and wreak all kinds of havoc.

Second, in many organizations still today, most transactions ultimately pass through legacy mainframe systems at some point, which were not originally designed to handle the scope, nature and volume of today’s IP-networked world.

While we strive to keep up with the next round of innovative communication products and services, it’s time we put security at the forefront, rather than treating it as an afterthought once costly breaches or audit failures have occurred, as is too often the case today.

Who’s watching the store?
So, the question is: how secure is the data transmitted through your geographically diverse network? Depending on whom you ask, you might get different answers. High-profile data security breaches resulting from weak Wi-Fi security have unfortunately become part of our new folklore. How many internal network breaches have occurred? How many “wired” Internet breaches have gone unreported? As many more of our employees and our customers use their PCs, and even their PDAs and smart phones, to interact with our core systems, query our databases, and purchase goods, you can bet that would-be hackers, both outside and inside large organizations, are already planning new attacks.

The responsibility for securing sensitive consumer transaction information as it traverses broad multi-site networks ultimately falls on a few parties in particular: the card processors, the card-issuing banks, the credit card companies, and retailers involved with the transactions. Some key security factors they need to consider include:

Start at the beginning – Every node in the network, be it IBM mainframe, UNIX, Linux, or Windows server, PC, POS system, or PDA, should incorporate security as a foundational design consideration. Also, while the power of today’s networked systems is increasing dramatically, IT network designers must take the performance cost of security into account early in the planning process.

Encrypt everything – It is important to encrypt all data and file transmissions across the multi-site diverse platform network. This requires a new class of nimble, yet powerful technologies to accommodate the broad range of system platforms, as well as new and rapidly evolving applications.

Better authentication – Even if all network data were encrypted, that does little to ensure security if a malicious party can disrupt or tamper with it. Therefore, new and better types of authentication technologies, coupling passwords with certificate-based or physical tools and devices, are required to close this potentially dangerous loophole. In addition, service providers, banks and other associated vendors should implement authentication solutions that provide a flexible, multi-dimensional architecture to manage security behind the scenes, while offering employees and customers user-friendly features that automatically comply with the required security measures.

Regulation – The need for data security has rapidly evolved to establish a now-accepted role for federal and industry regulators to mandate minimum levels of security for consumer and critical corporate data. For example, the Payment Card Industry (PCI) Data Security Standard (DSS) protects consumer data, such as credit card information, in transit from point-of-sale (POS) through retail enterprise networks and beyond.

Go back to the source

It used to be that computer systems on internal networks were used for a few select applications. Then, once the internal enterprise network became connected to the Internet, internally protected assets became accessible electronically, and the number of individuals potentially having access expanded dramatically. Essentially, employees or customers worldwide can access the network at any time, creating exponentially more opportunities and risks for theft or manipulation of sensitive company or consumer data stored on these enterprise systems.

At a minimum, enterprise IT managers must design and deploy the highest levels of security for the “traditional” enterprise infrastructure, including:

End-to-end communications security – This means encrypting all files and data transmissions from the source to the destination, not just within the perimeter or from firewall to firewall. This approach, called “end-to-end communications security,” secures data all the way from the application server to the user, or between any two secure endpoints exchanging information, across the internal enterprise network and in encrypted transit over the Internet between systems at different physical sites.

Standardized protocols – The protocols used to transmit data should be limited to those that have been proven over time and approved by accredited certification authorities.

Security management capabilities – With the increased frequency and sophistication of security attacks, it can be extremely tedious and time consuming for IT managers to manage their enterprise security solutions. An easy-to-use, automated security management platform is needed to enable IT managers to efficiently deploy security products and upgrades, enforce security policy, and monitor technical issues from a central location. Also, an automated management solution can lower overhead costs, while simultaneously reducing human errors.

Solid Support Partner – Network security technology is a complex and rapidly evolving area, and enterprise IP networks are by their nature complex with many moving parts. Therefore, unsupported open-source protocols should be phased out, and enterprises should engage a trusted commercial partner with the IP network security depth and expertise to keep the solution ahead of the attack curve and to assure smooth navigation through the inevitable implementation and interoperability issues.

Regulatory compliance – IT security managers must also make sure that their systems are in compliance with the relevant government regulations and industry standards. Designed to help enterprises protect against security threats, measures like PCI DSS, the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), and the Federal Information Security Management Act (FISMA), to name a few, add a valuable framework for protection and oversight to the IT security process.
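The “better authentication”, “standardized protocols” and “enforce security policy” points above can be turned into an automated check. The script below is an added example, not code from the article or from SSH Communications Security, and it assumes the OpenSSH server configuration file (sshd_config) and its keyword names rather than the article’s SSH Tectia product, whose configuration format is not shown on this page. It audits the global section of an sshd_config against a minimal policy: key-based authentication instead of passwords alone, no empty passwords, and no root login. Two details matter for a correct audit and are easy to get wrong: sshd honours the first occurrence of a keyword, not the last, and anything after a Match block is conditional, so only the global section is evaluated. The sample configurations are constructed for the example.

```python
"""Audit an OpenSSH sshd_config against a minimal authentication policy.

Added example; not from the article or from SSH Communications Security.
Assumes OpenSSH sshd_config keyword semantics (first occurrence wins,
Match blocks are conditional). Sample configs below are constructed.
"""
from __future__ import annotations

import re

# Policy: keyword -> acceptable values (lower-cased). Each entry reflects
# a point from the article: public-key authentication rather than
# passwords alone, no empty passwords, no direct root login.
POLICY: dict[str, set[str]] = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
    "permitemptypasswords": {"no"},
}

# Values OpenSSH applies when a keyword is absent (assumed defaults for a
# modern OpenSSH release), so a missing line can still be judged.
DEFAULTS: dict[str, str] = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global keyword values from sshd_config text.

    sshd uses the FIRST occurrence of a keyword; later duplicates do not
    override it. Keywords are case-insensitive and may be written as
    "Keyword value" or "Keyword=value". Parsing stops at the first Match
    block because everything after it applies only conditionally.
    """
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"[\s=]+", line, maxsplit=1)
        key = fields[0].lower()
        value = fields[1].strip().lower() if len(fields) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def audit_sshd_config(text: str) -> list[str]:
    """Return one finding per policy violation; an empty list is compliant."""
    effective = parse_sshd_config(text)
    findings: list[str] = []
    for keyword, allowed in POLICY.items():
        value = effective.get(keyword, DEFAULTS[keyword])
        origin = "set" if keyword in effective else "default"
        if value not in allowed:
            findings.append(
                f"{keyword}: {value!r} ({origin}); expected one of {sorted(allowed)}"
            )
    return findings


# Constructed sample: looks hardened at a glance, but the first
# PasswordAuthentication line is the one sshd actually uses.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# this later duplicate does NOT take effect in sshd
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# Constructed sample that satisfies the policy.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {'compliant' if not findings else 'NON-COMPLIANT'}")
        for f in findings:
            print("  -", f)
```

Running the module prints two findings for the weak configuration (PasswordAuthentication and PermitRootLogin) and none for the hardened one. The same pattern extends to cipher, MAC and key-exchange allow-lists, which is the practical form of the “standardized protocols” point: the policy lives in one place and is checked by machine rather than by eye.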

One very important, yet easily overlooked, aspect of enterprise security is making sure that all legacy mainframe computing systems are secure. Even with the prevalence of WinTel-based machines in today’s enterprise computing environments, many organizations still rely on mainframe systems to store, process and transmit sensitive data. In fact, many transactions initiated across the network eventually cross a mainframe system at some point in time.

In the past, the mainframe had the strongest security because its approach consisted of proprietary interface protocols and stringent control over user access. However, today’s world of expanded computing platforms and the rise of IP network interconnected applications and systems have drastically increased the potential for mainframe security breaches.

Therefore, IT security managers must also be diligent to secure all data that crosses mainframe systems, to eliminate the possible threat of a data security breach by an outside party.

SSH Tectia, developed by SSH Communications Security, enables IT security managers to effectively secure all data across the enterprise from end to end. It provides secure remote access, secure file transfers and secure data in transit, and allows centralized deployment, maintenance, monitoring, and auditing. Because SSH Tectia supports all popular enterprise computing systems, including Unix, Linux, Windows, and IBM mainframe, it allows security managers to deploy and manage robust security throughout the enterprise.

SSH Tectia also helps companies meet key regulatory compliance requirements, including PCI DSS, GLBA, SOX, and others, to protect critical consumer and corporate information.

Security at the forefront
When dealing with personal data, you can never be too safe. All devices that store or transmit personal data, including Point-of-Sale systems, mobile devices, store servers, branch servers, and data center IBM mainframes, must adhere to the highest standards to assure strong data security.

If there is no guarantee that data is secure then, at a minimum, these modern technologies may drastically lose their appeal. However, the bigger and potentially more devastating scenario is that disgruntled employees, hackers, and cyber-thieves will quickly learn to exploit the vulnerabilities of these new IP network interconnected systems. And, with millions of these systems in use worldwide, the potential monetary damage of such breaches could be staggering, even to the largest banks, enterprises, or not-for-profit organizations.

About George Adams
George Adams is President and CEO of SSH Communications Security Inc. Based in Boston, he is responsible for developing and executing strategies to build the company’s market position, financial position and organization.

Prior to joining SSH in 1999, Mr. Adams was with Phoenix Technologies Ltd, a leading supplier of software for enabling standards and enhancing PCs, servers, and information appliances. At Phoenix from 1988, he served as VP of business development, VP of marketing and strategic alliances, and VP of PC products. Earlier, he held general management and marketing responsibilities with Sun Microsystems, Intel, Analog Devices, and Motorola.
