Securing Data In 2012

By Ulf Mattsson
Expert Author
Article Date: 2011-12-15

PCI Will Push for Greater Protection While Cloud Continues to Play Catch-up

PCI compliance and the security of data in the cloud are fast becoming a single issue for businesses. Unfortunately, while compliance and other legislative requirements will become more rigorous, demanding more robust data security that will better protect individuals, the security of that data while it's in the cloud, whether in transit or at rest, is struggling to keep pace.

Two significant trends are playing into the challenge. At the transaction initiation end of the process, the rapid increase in the use of mobile payments by consumers is taxing security at the point of purchase. And at the storage end of the process, rapid expansion of cloud-based data centers, and therefore multi-tenancy infrastructures, is focusing attention on how to manage compliance requirements in an environment that's essentially out of your control.

Google Wallet (Mastercard) and Visa (ISIS) are the engines of growth for mobile payments, and their early success is encouraging other, assuredly less secure, offerings to jump on the bandwagon. Mobile payment growth is particularly strong in Europe, and with Visa planning to introduce their program during the 2012 Olympic Games in London, we can expect hackers and scam artists to focus their sights firmly on this channel. Another perfect security storm in the making. So I expect merchants will need to pay more attention to protecting payment data, no matter where the customer may be or what device is being used to transmit that payment data.

Meanwhile, back at the cloud data center, multi-tenancy and other cloud storage security issues will be under the security audit microscope. Just because the cloud provider is certified doesn't mean you are - rather, the reverse is true: you are responsible not only for the compliance of your data protection processes while that data is under your control but also while it is stored in the third-party cloud facility. The essence of the cloud value proposition is resource sharing - which is fundamentally against PCI principles. After all, you don't get to choose who your co-tenants are.

Smaller organizations are going to feel the brunt of these converging challenges. Anything that gets money from consumers' wallets - virtual or otherwise - to the merchant account more quickly is extremely enticing in a down economy. The cloud is an attractive storage medium because it's cheap, infinitely expandable and, most importantly, managed by someone else. And PCI audits will increasingly focus on Tier 3 and 4 merchants, because major corporations have seen enough damage done through data security breaches to make sure they have heavy-duty protection in place.

Cloud security must start to catch up with the payment market and its associated security requirements. In my view, it's unlikely to ever close the gap without providing best-in-class data security methods. This year's PCI requirement revisions incorporated tokenization as a best practice for data security for the first time, and that's a very important step for the future of cloud security.

Because tokenization takes structured sensitive data and renders it meaningless to hijackers, it has a major impact on the resources, both human and financial, required to obtain and maintain PCI compliance. Tokenization is also "environment-neutral," addressing both the mobile and cloud challenges I've described above. Perhaps the biggest benefit of all is that, once data is tokenized, that's it. No further work is required, so data protection maintenance becomes a thing of the past.

I firmly believe that, until tokenization is added to the business security arsenal, the cloud cannot be considered a safe place for sensitive data at any point in the transaction process. I'm pleased that PCI standards are moving in that direction and look forward to a future where, if sensitive data stores are breached, all the hackers have to show for their effort is a long string of meaningless characters.
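To make the "long string of meaningless characters" concrete, here is an added example (not Protegrity's code or the article's) of a minimal vault-based tokenization service for card numbers. It assumes one common convention: the token is a random digit string of the same length as the PAN that keeps the last four digits, and is deliberately never Luhn-valid so it cannot be mistaken for a real card number. The test PAN and order record are constructed.

```python
import secrets


class TokenVault:
    """Constructed example of a vault-based tokenization service.

    The token-to-PAN mapping lives only inside the vault. Every system
    outside it (merchant database, cloud data store, logs) persists the
    token, which carries no information about the original card number.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    @staticmethod
    def _luhn_valid(digits):
        # Standard Luhn check: double every second digit from the right.
        total = 0
        for i, ch in enumerate(reversed(digits)):
            d = int(ch)
            if i % 2 == 1:
                d = d * 2 - 9 if d * 2 > 9 else d * 2
            total += d
        return total % 10 == 0

    def tokenize(self, pan):
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._pan_to_token:          # same PAN -> same token
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789")
                           for _ in range(len(pan) - 4))
            token = body + pan[-4:]             # keep last four for receipts
            # Reject collisions and any token that happens to pass Luhn,
            # so a token can never be confused with a genuine card number.
            if (token == pan or token in self._token_to_pan
                    or self._luhn_valid(token)):
                continue
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
            return token

    def detokenize(self, token):
        # Only the vault can map back; this call must be tightly access-controlled.
        return self._token_to_pan[token]


def store_order(vault, pan, amount_cents):
    """Record as it lands in a downstream (e.g. cloud) store: token only."""
    return {"card": vault.tokenize(pan), "amount_cents": amount_cents}
```

If the downstream store is breached, an attacker obtains only the token column; recovering a PAN still requires access to the vault, which is why the vault (not the whole cloud estate) becomes the PCI focus.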

About the Author:
Ulf Mattsson is the chief technology officer of Protegrity, a leader in enterprise data security management, where he created the architecture of the Protegrity Data Security Platform. He is considered one of the founding fathers of tokenization and has been advising the industry’s top analysts and stakeholders including PCI Security Standards Council, ISACA and Visa as they navigate the role of tokenization in payments security. Prior to joining Protegrity, Mattsson spent 20 years with IBM working in software development as a consulting resource to IBM’s research organization, specializing in the areas of IT architecture and IT security.