
vantage

VOLUME 6 | NUMBER 2 | 2009

INSIGHTS ON THE BUSINESS OF SECURITY

Eyes on glass: EMC’s Critical Incident Response Center

ALSO INSIDE: Tokenization comes of age · Protecting SSNs · Marking 25 years of RSA authentication

VantageFall 09_01_current_r1.indd 1 10/7/09 12:47 PM


2 Vol. 6, No. 2, 2009 RSA, The Security Division of EMC Vantage Magazine

opening notes

Let’s talk tokenization

Organizations have struggled for years with how to best protect Personally Identifiable Information (PII), such as credit card numbers, in order to prevent data breaches and address an array of compliance and auditing requirements.

Tokenization is an emerging technology that replaces sensitive data, such as Social Security and credit card numbers, with a token value that acts as a “safe proxy” for the sensitive information. The safe proxy cannot be linked back to the original data but otherwise behaves like the number it replaces.

Tokenization is becoming a popular alternative to encryption for protecting certain types of data while minimizing the cost of compliance. On Page 20 we explore this emerging technology and learn how some companies are using it today. We also discuss an exciting new alliance between RSA and First Data, a global leader in payment processing services. Through this partnership, First Data is offering merchants a new service to protect payment card data, which is built on the RSA SafeProxy™ architecture, a unique combination of tokenization, encryption, and key management.

By now, we all know that Social Security numbers are no longer a secure means of assuring an individual’s identity. To prove just how insecure SSNs are, researchers at Carnegie Mellon University conducted a study to determine how easy it would be to guess an individual’s nine-digit SSN. They concluded that simply knowing an individual’s date and state of birth provides sufficient information to guess their Social Security number with accuracy.

Starting on Page 8, Vantage talks with officials from the Federal Trade Commission and the Federal Deposit Insurance Corporation on how organizations must begin – or continue – to use other means of identifying and authenticating consumers, customers, and patients.

In addition to these stories, other highlights in this issue include:

• An in-depth look at EMC’s Critical Incident Response Center, which utilizes EMC and RSA technologies to monitor and protect the company’s worldwide IT infrastructure

• A profile of how HDFC Bank, one of India’s premier financial institutions, is protecting its operations and customers from the latest online threats

I would also like to extend a special “thank you” to Vantage readers as we mark six years of providing news and commentary on issues and trends in the IT security industry. In recognition of this success, Vantage was recently honored with an APEX 2009 Award, earning an Award of Excellence in the Custom Published Magazines and Journals categories. And speaking of awards, I want to congratulate our own Mischel Kwon, who received the Executive Women’s Forum 2009 Public Sector “Woman of Influence” Award in September. Mischel joined RSA’s Worldwide Professional Services unit as vice president of Public Sector Security Solutions earlier this year, after serving as director of the U.S. Computer Emergency Readiness Team (US-CERT) at the Department of Homeland Security. We are glad to have her on board.

Enjoy this issue of the award-winning Vantage magazine.

Sincerely,

Arthur W. Coviello Jr. President—RSA, The Security Division of EMC
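The “safe proxy” the letter above describes, as an added example that is not RSA SafeProxy code or First Data’s service: a vault-based tokenizer in Python. The token is drawn from a CSPRNG rather than computed from the card number, keeps the card’s length and last four digits, and passes the Luhn check so downstream systems accept it as a number; the in-memory vault, the `settlement` role and the `PermissionError` policy are assumptions for illustration.

```python
# Added example (not RSA SafeProxy or First Data code): a minimal vault-based
# tokenizer for payment card numbers. The in-memory "vault", the role name
# and the test card number are assumptions for illustration.
import secrets


def luhn_total(number: str) -> int:
    """Luhn weighted digit sum over a complete number; valid iff total % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_total(number) % 10 == 0


def fresh_token(pan: str) -> str:
    """Random token of the same length, Luhn-valid, keeping the last four
    digits so receipts and customer-service lookups still work. The rest is
    drawn from a CSPRNG, not derived from the PAN, so the token cannot be
    reversed without the vault."""
    n = len(pan)
    rand = "".join(secrets.choice("0123456789") for _ in range(n - 5))
    # One digit just before the last four is chosen to make the Luhn check pass.
    # That position (fifth from the right) is never doubled, so it contributes
    # its face value and can be solved for directly.
    rest = luhn_total(rand + "0" + pan[-4:])
    adjust = (-rest) % 10
    return rand + str(adjust) + pan[-4:]


class TokenVault:
    """PAN <-> token mapping. Detokenization is the only way back, so the
    vault is the asset to segment and audit; every other system sees tokens."""

    def __init__(self) -> None:
        self._by_pan: dict[str, str] = {}
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._by_pan:          # same PAN -> same token, so records still join
            return self._by_pan[pan]
        while True:
            token = fresh_token(pan)
            # reject the (astronomically unlikely) PAN itself and any collision
            if token != pan and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Assumed policy: only the settlement path may recover a PAN.
        if caller_role != "settlement":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._by_token[token]      # KeyError for an unknown token


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"        # well-known test card number
    tok = vault.tokenize(test_pan)
    print(tok, luhn_valid(tok), vault.detokenize(tok, "settlement") == test_pan)
```

Because the token is random, there is no key to steal and no hash to invert; an attacker who wants the card number has to reach the vault, which is why the vault rather than the token-bearing systems should carry the compliance scope. A deployment would persist the mapping in an encrypted, access-controlled store, authorize detokenization per caller, and log every call.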

program team

RSA Editor: PAUL JOYAL

Contributing Editors: GAIL FREEMAN, HEIDI BLEAU

editorial team

Managing Editors: CHRISTINE KANE, ANDREA E. STILL

Design Director: RONN CAMPISI

Contributing Writers: ALISON J. CASE, SARAH JENSEN, CHRISTINE KANE, JASON M. RUBIN, NATASHA K. WAIBEL

Copy Editor: SARAH JENSEN

Editorial content for Vantage is developed and managed by Libretto, 560 Harrison Avenue, Suite 501, Boston, MA 02118 617.451.5113

www.libretto-inc.com

©2009 RSA Security Inc. All Rights Reserved

All RSA product names are either registered trademarks or trademarks of RSA Security, Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All other products or services mentioned are trademarks of their respective companies.

For a FREE subscription to Vantage magazine, please go to

www.rsa.com/go/vantage

Postmaster: If undeliverable, notify RSA Marketing, 174 Middlesex Turnpike,

Mail Stop 32A080, Bedford, MA 01730

www.rsa.com

Winner of the APEX 2009 Award of Excellence

On the cover

Using real-time network awareness software, an analyst at EMC’s Critical Incident Response Center zooms in on a segment of EMC’s WAN infrastructure.

Cover photograph by Kathleen Dooher

in this issue

FEATURES

4 Celebrating 25 years of RSA authentication
Authentication technology is everywhere, embedded in the devices, processes, and services that we use throughout an ordinary day.

7 Protecting the hyper-extended enterprise
Here’s a round-up of RSA-sponsored research and recommendations on how to safeguard today’s hyper-connected organizations.

8 Social Insecurity
Misuse and overuse of Social Security numbers has made them a favorite target of identity thieves. Protection strategies are a work in progress.

12 Eyes on glass
EMC’s state-of-the-art Critical Incident Response Center (CIRC) provides business operations protection for what CSO Roland Cloutier calls “a $15 billion revenue machine.”

16 The fraud stops here
After deploying RSA® Adaptive Authentication, India’s HDFC Bank saw successful fraud attempts against its customers drop to almost zero.

20 Tokenization: Beating the high-risk numbers game
Leveraging emerging tokenization technology and a new partnership with electronic commerce leader First Data Corporation, RSA solves some of the toughest challenges of protecting sensitive data.

DEPARTMENTS

2 Opening Notes
By Art Coviello Jr.

18 Partner Profile
Verizon Business teams up with RSA

22 Inside RSA Labs
What color is your PIN?

milestones

Marking 25 years of RSA authentication technology

We’ve come a long way, baby

By Heidi Bleau

Authentication has come a long way in 25 years. It is everywhere we turn and has become a part of our everyday lives. Today, RSA technology is used by more than 30,000 organizations to secure access to their networks, protect business-sensitive information, and safeguard the identities of more than 250 million online users and the activities they perform.

John is working from a home office. He uses an RSA SecurID® two-factor authentication token to log in to the corporate network through a VPN to check his e-mail.

Joan is signing into her online bank account to pay bills. Her bank uses RSA’s site-to-user authentication technology to assure Joan that she is on the legitimate website of her bank and not a phishing website.

Rick calls an electricity provider to request service in his new house. The provider uses RSA® Identity Verification knowledge-based authentication to confirm the identity of new customers requesting service.

Ken works for a government agency that uses RSA® Digital Certificate Solutions to assure his identity when he logs in to the agency network.

At work and at play, at home and on the road, RSA authentication technology is part of daily life.

Illustration by John S. Dykes

Julia is logging in to a healthcare portal that uses RSA® Adaptive Authentication risk-based authentication technology to secure access to a patient’s medical and personal information.

Ted is making a transfer for a large sum from his online brokerage account to another financial account. The brokerage firm uses the RSA® Adaptive Authentication Out-of-band Phone module for high-risk transactions to prevent unauthorized money transfers.

Sarah uses a credit card to purchase a gift for her husband online. Her credit card issuer uses RSA® Adaptive Authentication for eCommerce to assure the online purchase is not fraudulent.


sbic

Security for Innovation

Hyper-extended, Hyper-vigilant, Hyper-innovative

In this era of the hyper-connected, hyper-extended enterprise—when the barriers that once encircled and protected enterprise networks have completely dissolved—enterprises must be hyper-vigilant in the face of ever-growing threats. Yet they must also forge ahead with the kinds of innovations that create business advantage in a tough and hyper-competitive economic climate.

IDG REPORT

Some leap before they look

A 2009 IDG Research Services survey of 100 top security executives reveals that some companies are so enthusiastic about next-gen technologies, they are deploying them without adequate security measures. Key findings include:

GOING HYPER

73% of respondents say their organizations are becoming hyper-extended enterprises, reflecting increased use of virtualization, personal mobile devices, and social networking. 57% say the security team is not involved or little involved in implementing these new technologies.

ALL ATWITTER

44% report their companies have “acceptable use” policies for employees who use social networking sites. 30% report their companies block access to these sites.

CLOUDY FUTURE

16% of those surveyed plan to migrate applications or processes to the cloud in the next 12 months, but two-thirds do not yet have a security strategy. 17% of companies operating in or planning to move to the cloud are “very confident” in their company’s readiness for widespread adoption of cloud computing.

RISK ON THE RISE

81% have some concern regarding increased risk tolerance at their companies due to increasing pressure to cut costs and generate revenue.

RSA helps enterprises drive tighter linkages between innovation goals and security strategies. With a more strategic approach to information risk management, enterprises can enable business innovation while protecting information assets. Research and recommendations on securing the hyper-extended enterprise are excerpted here and available at www.rsa.com/innovation.


In its most recent report, “Charting the Path: Enabling the ‘Hyper-Extended’ Enterprise in the Face of Unprecedented Risk,” the RSA-sponsored Security for Business Innovation Council (SBIC) provides an overview of today’s evolving threat environment. Council members, whose ranks include top security executives from Global 1000 companies, offer seven recommendations on how to securely tap the hyper-extended enterprise for business advantage.

Experts Offer Advice on Securing Virtualized Environments

Virtualization is being adopted widely and swiftly by IT organizations worldwide. In August, at the VMworld conference in San Jose, RSA released a security brief titled “Security Compliance in a Virtual World.” Co-authored by some of the industry’s foremost security and virtualization experts, the brief defines five measures that can help organizations address the compliance challenges posed by today’s increasingly virtualized enterprise computing environments. These measures are:

• Platform hardening

• Configuration and change management

• Administrative access management

• Network security and segmentation

• Event reporting

The authors include BRET HARTMAN, chief technology officer for EMC’s RSA security division; DR. STEPHEN HERROD, chief tech-nology officer and senior vice president of R&D for VMware; and DAVE SHACKLEFORD, chief security strategist, EMC Ionix.

“The biggest business driver for security is now innovation—enabling the business to be rapid, flexible, and adaptive in this environment. It’s ... the antithesis of what security has traditionally been.”

DAVE CULLINANE, SBIC Member; Vice President and Chief Information Security Officer, eBay Marketplaces

Seven Steps to Better Security

Rein in the protection environment: Allocate resources more efficiently by taking a risk management approach to security. For example, curtail the protection of extraneous information assets, data, and devices.

Get competitive: In challenging economic times, focus on the quality and efficiency of security services. Be able to articulate to senior management the value your security team brings to the business.

Embrace new technology: Rather than trying to block corporate use of emerging Web and communications technologies, establish a roadmap for their adoption and secure use.

Shift from protecting the container to protecting the data: Increasingly, enterprise data is processed and stored in containers not controlled by the business. Within this environment, the Council provides guidance on shifting from protecting the container to protecting the data itself.

Adopt advanced monitoring techniques: Update your approach to monitoring for abnormal and malicious events. Move away from techniques such as signature-based antivirus and blacklisting to more accurate techniques such as behavior-based monitoring and whitelisting.

Collaborate on industry standards: Support uniform standards for security professionals, third-party providers, and emerging technologies.

Share risk intelligence: Defend against international attackers and sophisticated fraudster networks by participating in intelligence-sharing activities among enterprises, law enforcement, and government.


identity

SOCIAL INSECURITY: Protecting the number that unlocks everything | By Jason M. Rubin

Winning a high-stakes numbers game

When Carnegie Mellon researchers announced in July 2009 that they had been able to accurately predict people’s Social Security numbers (SSNs) by scouring various publicly available information sources, the reaction among much of the media and the general public was shock. But the ease with which the researchers reported accomplishing this feat – which surely excited the ranks of criminals and fraudsters already coveting SSNs as a key component in identity theft – points out the simple fact that these highly sensitive numbers have been vulnerable all along.

NAOMI LEFKOVITZ of the FTC says, “Many sectors of society and our economy rely on SSNs ... and it can take significant time and money to replace legacy systems.”

SSNs were never meant to be used for identification purposes.

Photographs by Chris Hartlove

“The issue has always been there,” says Naomi Lefkovitz, an attorney with the Federal Trade Commission’s (FTC) Division of Privacy and Identity Protection, “but many sectors of society and our economy rely on SSNs as identifiers, and it can take significant time and money to replace legacy systems. So our view is that we need to promote new best practices and strategies for data security, such as better authentication techniques that don’t rely solely on the SSN.”

In fact, the Social Security Administration has been warning about this issue for years. “The root of the problem,” notes Shannon L. Kellogg, director of Information Security Policy at EMC’s Office of Government Relations, “is that while the Social Security number is commonly employed for identification and authentication purposes, that was never its intended use. But because different organizations and agencies need to share information about people, it became a convenient identifier. Then it became a common authenticator, and that’s where the challenges started. Today, with the growth of social networks in which people willingly reveal personal information to unknown lurkers, SSNs are more valuable than ever, but for all the wrong reasons.”

THE 411 ON SSNS

The first SSNs were issued by the Social Security Administration in November 1936 as part of President Franklin Roosevelt’s New Deal. Roosevelt created the agency when he signed the Social Security Act into law on August 15, 1935. The goal of the measure was to prevent the suffering that retirees experienced during the Great Depression from recurring in the future. Payroll contributions in the form of a mandatory tax would be collected by the government and disbursed to workers upon their retirement.

The original purpose of the number itself, therefore, was to track individuals’ accounts within the Social Security program. Back then, the numbers were only needed when a person began earning wages, but because they have come to be used for identification purposes, today SSNs are routinely assigned at birth. Yet Social Security cards were never meant to be used for personal identification purposes and until the 1980s the cards explicitly stated, “NOT FOR IDENTIFICATION.”

For many years, though, SSNs have been widely used both for identification and authentication by financial institutions, hospitals, schools, and government agencies. Their pervasive use, in fact, has only increased their value to identity thieves. Another problem is that the Social Security card itself, though rarely required to be physically presented, has no photograph, signature, or biometric identifiers to match it with the person trying to use it.

But the real issue lies within the very structure of the number itself, which is what the Carnegie Mellon researchers were able to exploit. Each SSN is a nine-digit value divided into three parts. The first three digits comprise the area number, which is assigned by geographic region. Generally, numbers assigned in the Northeast are the lowest and those assigned in the West are the highest. This means that knowing a person’s birthplace or longtime place of residence provides a valuable clue into part of the number. The next two digits are known as the group number, and the last four digits, which are issued sequentially, are the serial number.

JEFF KOPCHIK of the FDIC points out what makes SSNs so useful but also so vulnerable. “There are many Dave Smiths but only one unique number to identify each.”

Most Americans born since 1989 were issued SSNs shortly after birth so it’s easier to predict their numbers based on geography and chronology. In fact, what the Carnegie Mellon researchers found was that in many cases an individual’s date and state of birth were sufficient to guess his or her SSN. Testing their prediction method using records of people who died between 1973 and 2003, they were able to accurately identify the first five digits for 44% of the individuals in a single attempt. Further, they were able to successfully guess all nine digits for 8.5% of those individuals in fewer than 1,000 attempts. This led them to conclude that an SSN “is no more secure than a three-digit PIN.”
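The structure described above, as an added example in Python (not the Carnegie Mellon researchers’ statistical method): splitting a number into area, group and serial, applying the structural rules the SSA has never issued numbers against, and sizing the search space left to an attacker who has inferred the area and group. The `known_area`/`known_group` flags and the sample number 123-45-6789 are illustrative. One caveat this 2009 article predates: since June 2011 the SSA assigns SSNs randomly, so the area-to-state inference applies only to numbers issued before then.

```python
# Added example (not the Carnegie Mellon researchers' method): the pre-2011
# SSN structure, the SSA's structural issuance rules, and the size of the
# search space an attacker faces at each level of knowledge.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SSN:
    area: str    # digits 1-3, assigned by geographic region until June 2011
    group: str   # digits 4-5
    serial: str  # digits 6-9, issued sequentially within a group


_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def parse_ssn(text: str) -> SSN:
    m = _SSN_RE.match(text.strip())
    if not m:
        raise ValueError("expected nine digits, optionally as NNN-NN-NNNN")
    return SSN(*m.groups())


def is_issuable(ssn: SSN) -> bool:
    """Reject patterns the SSA has never issued: area 000, 666 or 900-999,
    group 00, serial 0000. A first filter on data entry, and the basis for
    counting the real candidate space below."""
    area = int(ssn.area)
    if area == 0 or area == 666 or area >= 900:
        return False
    return ssn.group != "00" and ssn.serial != "0000"


# Counts of issuable values per field, from the rules above.
AREAS = 899 - 1        # 001-899 minus 666
GROUPS = 99            # 01-99
SERIALS = 9999         # 0001-9999


def guess_space(known_area: bool = False, known_group: bool = False) -> int:
    """Issuable candidates left once the attacker has inferred the area
    (from state of birth) and the group (from date of birth)."""
    areas = 1 if known_area else AREAS
    groups = 1 if known_group else GROUPS
    return areas * groups * SERIALS


def success_probability(attempts: int, space: int) -> float:
    """Chance that `attempts` distinct guesses over a uniformly likely space hit."""
    return min(1.0, attempts / space)


if __name__ == "__main__":
    s = parse_ssn("123-45-6789")    # constructed sample, not a real person's number
    print(s, is_issuable(s))
    for known in ((False, False), (True, False), (True, True)):
        space = guess_space(*known)
        print(known, space, round(success_probability(1000, space), 4))
```

With area and group inferred, 1,000 guesses cover about 10% of the 9,999 issuable serials, which is the arithmetic behind the researchers’ comparison to a three-digit PIN. Any system that accepts unlimited SSN-based authentication attempts is therefore brute-forceable, and a rate limit alone does not repair an authenticator that is also a widely shared identifier.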

GUIDANCE FOR BANKS

Perhaps no sector has been so historically reliant on SSNs as the financial industry, where they have long been required on bank accounts. This is due, in part, to the high-risk nature of the financial transactions.

“There are many Dave Smiths,” notes Jeff Kopchik, senior policy analyst at the Federal Deposit Insurance Corporation’s (FDIC) Technology Supervision Branch, Division of Supervision and Consumer Protection, “but only one unique number to identify each. So if Dave Smith wants to transfer money, a banker wants to make sure that only the correct Dave Smith can do so.”

According to Kopchik, the concern over protecting SSNs is just another play in an ongoing game of cat and mouse with fraudsters. “It’s a constant back and forth battle,” he says. “And it’s not some teenage hacker doing this for fun anymore. These are professional criminals who are highly trained, well-organized, and well-funded.”

That’s why the Federal Financial Institutions Examination Council (FFIEC) – a body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System, the FDIC, and three other agencies – issued guidance to the industry called “Authentication in an Internet Banking Environment” in 2005. The guidance, which falls short of regulation, explicitly states that for any high-risk Web-based banking system – defined as one that allows transfer of funds to another party or access to private information – a simple logon ID and password authentication system is insufficient. Without mandating a specific type of technology, the guidance is clear that strong authentication is required to protect sensitive information from theft.

To quote from the guidance:

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

Kopchik, who was the FDIC’s primary representative on the FFIEC working group that drafted the 2005 guidance, understands that 2005 was a long time ago in hacker years. “What was good yesterday is not necessarily good today,” he says, “and one of the things we’re discussing right now is whether those authentication guidelines should be updated to account for advances both in hacker techniques and in authentication technology.” The 2005 guidance was itself an update of an earlier document issued by the FFIEC in 2001.

RECOMMENDATIONS FOR ORGANIZATIONS

The FTC issued its own report on the matter, “Security in Numbers: SSNs and ID Theft,” in December 2008. An outgrowth of the FTC’s participation in the President’s Identity Theft Task Force, the report was intended to explore the relationship between SSNs and identity theft and recommend “approaches that would preserve the SSN’s beneficial uses while curtailing its availability and value to identity thieves.” Of the former, the report notes that “criminals obtain the SSNs of victims they impersonate and use them to facilitate the opening of new accounts, gain access to existing accounts, commit medical identity theft, seek employment, and obtain government benefits.”

This description of the scope of the risk, according to Kellogg, underscores the seriousness of the problem. “With a person’s SSN, criminals can not only steal the victim’s money but also defraud businesses and government agencies,” he says. “It’s much more troublesome than having someone steal your PIN.”

Most Americans born since 1989 were issued SSNs shortly after birth, so it’s easier to predict their numbers based on geography and chronology.

Guesswork

For people who died between 1973 and 2003, researchers developed a method that let them guess the first five digits of an individual’s Social Security number 44% of the time on the first attempt.

Of the five recommendations in the report, the first is “Improve Consumer Authentication.” Lefkovitz reasons, “If we can move away from using SSNs as authenticators, they will have less value to criminals.” The second recommendation is “Restrict the Public Display and the Transmission of SSNs.” This means that organizations should discontinue the practice of putting employees’ or customers’ SSNs on ID badges, statements, pay stubs, applications, or documents sent through the mail. (It’s worth noting that since December 2005, it has been illegal for states to print a person’s SSN on driver’s licenses, state ID cards, or motor-vehicle registrations.)

Taken together, the first two recommendations seek to restrict both the supply of and demand for SSNs by criminals. The next three cover the need for establishing national standards for data protection and notification of data breaches, conducting outreach to businesses and consumers, and sharing information and best practices on the safe use and secure storage of SSNs.

RISING AWARENESS PROMPTS GRADUAL CHANGE

Thanks to the FFIEC guidance, the FTC report, and the publicity generated by the Carnegie Mellon research, there has been broader awareness of the misuse and overuse of SSNs – and with this awareness is coming change, according to Lefkovitz. “We talk to a lot of businesses and many of them are trying to either use randomly generated numbers or other workarounds,” she says. “Health insurers and universities are changing their policies to reduce their reliance on SSNs, and the Department of Defense no longer uses them as a military ID.”

Kopchik concurs. “It was common several years ago for consumers to be required to use their Social Security number as the logon ID for an Internet banking system,” he says. “Today, that is quite uncommon, and a vast majority of financial institutions not only have been complying with the FFIEC guidance, but also have told us that they believe the guidance ultimately is good for them because it levels the playing field while also protecting their customers.”

Because of the size of some organizations, institutions, and government agencies, and the presence of large legacy systems, it will be a costly and lengthy process for them to change, and the move away from SSNs may never be universal. But in the meantime, how can consumers protect themselves? Lefkovitz recommends they be inquisitive when asked for their SSNs. “Some forms require it but on others it’s optional,” she says. “Given a choice, don’t provide it. Some agencies such as the IRS are mandated by law to obtain SSNs, but other organizations may accept a customer’s refusal.”

The best advice would seem to be to ask questions and to be aware of how and when you’re using it and who you’re giving it to. No two people in the U.S. have the same SSN, so it’s incumbent on everyone to protect theirs as best they can.

“It’s not some teenage hacker doing this for fun anymore. These are professional criminals who are highly trained [and] well organized.”

FTC Recommendations

In its December 2008 report, “Security in Numbers: SSNs and ID Theft,” the U.S. Federal Trade Commission issued five recommendations to “preserve the SSN’s beneficial uses while curtailing its availability and value to identity thieves.”

1 IMPROVE CONSUMER AUTHENTICATION
Establish national consumer authentication standards covering all private sector entities that maintain consumer accounts (other than financial institutions, which are already subject to such regulations).

2 RESTRICT THE PUBLIC DISPLAY AND THE TRANSMISSION OF SSNs
Create national standards for the public display and transmission of SSNs, including prohibitions against placing SSNs on identity cards and in documents posted in the mail.

3 ESTABLISH NATIONAL STANDARDS FOR DATA PROTECTION AND BREACH NOTIFICATION
Establish national data breach notification standards requiring private sector entities to provide public notice when a breach of personal information creates a significant risk of identity theft or other harms.

4 CONDUCT OUTREACH TO BUSINESSES AND CONSUMERS
Increase education and guidance efforts to businesses on how to reduce their reliance on SSNs and safeguard them when they are used.

5 PROMOTE COORDINATION AND INFORMATION SHARING ON USE OF SSNs
Help private sector organizations establish a clearinghouse of best practices on SSN usage and protection, fraud prevention, and consumer authentication.

enterprise security

Eyes on glass

How EMC’s Critical Incident Response Center provides business operations protection for a $

By Christine Kane

Photographs by Kathleen Dooher

It’s a typical weekday at EMC’s Critical Incident Response Center (CIRC), located in eastern Massachusetts. With its two tiers of analyst workstations, facing a wall of 52-inch flat-panel displays, the center resembles a small-scale war room. But the atmosphere is relaxed as five members of the Critical Incident Response Team (CIRT) sip coffee and go about the job of protecting an infrastructure that spans 60 countries and more than 500 sites.

Fed by more than 1,300 security devices—which generate 15 to 20 million security events

per hour—the screens function like a giant dashboard, display-ing in near real time the security status of EMC’s global informa-tion infrastructure. One screen shows top attack-ers bombarding EMC IP addresses that day. Other screens depict the top viruses detected, the most common at-tack signatures, alert-ing trends, behavioral reports, and attempts by EMC servers and desktops to access sites known to harbor spy-ware and malware.

“The CIRT is charged with security incident response for all of

EMC,” says CIRT Man-ager V. Jay LaRosa. “We manage virus outbreaks and denial of service attacks. We hunt out malware that may have compromised critical servers or systems, and we look for business-sensitive information that may be leaking outside the corporation. When we identify suspi-cious activity, our job is to investigate, contain, remediate, learn from, and move on to the next investigation.”

PROTECTING EMC’S

REVENUE MACHINE AND

ITS CUSTOMERS

It’s all about protect-

ing the company and its customers, says Roland Cloutier, vice president and chief security of-ficer of EMC. “As part of EMC’s converged security organization, the CIRC protects the company’s business operations, which is a $15 billion revenue machine,” says Cloutier. “Indirectly, we are also protecting thousands of our customers’ criti-cal infrastructures in industries that affect everyone’s lives every day, such as government, healthcare, electrical, oil, and gas. Because our products are so integral to these organizations,

ente

rpris

e se

curit

y

How EMC’s Critical Incident Response Center provides business operations protection for a $

Eyes on glass

By Christine Kane

VantageFall 09_01_current_r1.indd 12 10/7/09 6:13 PM

Page 13: ALSO INSIDE: TOKENIZATION INSIG - First Data · Identity Verification know– ledge-based authentication to confirm the identity of new customers requesting service. Ken works for

RSA, The Security Division of EMC Vantage Magazine Vol. 6, No. 2, 2009 13

$ 15 billion revenue machine

Team member Pat O’Brien analyzes a piece of malware to gain a better understand-ing of how it behaves.

Analysts Anthony Muccio (left) and Dave Earle inves-tigate a series of related security alerts to determine whether they indicate a legiti-mate threat or a false alarm.

Staff members (standing from left to right) Dave Earle, V. Jay LaRosa, and Pat O’Brien review system performance data including the events per second coming in to the CIRC.

VantageFall 09_01_current_r1.indd 13 10/7/09 12:48 PM

Page 14: ALSO INSIDE: TOKENIZATION INSIG - First Data · Identity Verification know– ledge-based authentication to confirm the identity of new customers requesting service. Ken works for

14 Vol. 6, No. 2, 2009 RSA, The Security Division of EMC Vantage Magazine

we have to protect ev-ery aspect of how those products are designed, manufactured, deliv-ered, and serviced.”

Cloutier notes that customers are very interested in the CIRC. “We are providing a whole new level of service around business operations protection that wasn’t available before, and our customers want that,” he says. “Our approach is innovative, but it is built on proven technology that people have deployed throughout their data centers for many years. But instead of using 20% of the available capability for an IT or security function, we are stretching it to 80%.”

GAINING A WORLDWIDE VIEW OF SECURITY

As recently as October 2008, responsibility for managing security incidents at EMC was split three ways, among a security operations center, a data loss prevention team, and an “eyes on glass team” of skilled security analysts—the type who watch packets at two in the morning to see what the bad guys are doing. “By breaking up these functions, we were driving inefficiency and higher cost into the system,” says Cloutier. “So we took a step back and said, ‘How can we integrate this team of disparate practitioners? How can we re-engineer our platform to handle multiple streams of log data from different technologies? How can we implement a single workflow for monitoring and enforcement out of one center?’ The end result is the CIRT, which enables us to see what is happening across the environment, prioritize the most critical issues, and respond to them very quickly.”

THE INDUSTRY’S BEST DOG FOOD

Following the philosophy that a company should demonstrate confidence in its products by “eating its own dog food,” the CIRC is built on technologies from RSA, The Security Division of EMC. Most notably, these include the RSA enVision platform for centralized security monitoring and the RSA Data Loss Prevention (DLP) Suite. In addition, security technology embedded in EMC’s information infrastructure products generates much of the event data streaming into the CIRC. As LaRosa explains, “EMC storage infrastructure products collect data on encryption and authentication. Content management systems generate logs relating to digital rights management. It’s all sent to the security monitoring platform, giving us a holistic view of our security posture across the enterprise.”

The RSA enVision system forms the core of the CIRC, collecting event logs generated by security devices worldwide. Advanced analytical software turns this mass of raw data into structured and actionable information and displays it in a highly visual form. When enVision detects suspicious activity, it generates an alert and classifies it based on the likely severity of an incident and whether it requires a Level 1, 2, or 3 analyst to address the issue. By checking the Task Triage Queue, analysts can quickly identify the incidents requiring their immediate attention. To investigate an incident, they can interrogate the full volume of stored data—for example, corroborating an intrusion detection alert by looking at related antivirus or firewall data. “Having one place to go, one pane of glass for viewing everything is a huge timesaver for us,” said LaRosa.
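The corroboration step described above, worked through in code. This is an added example and is not code from RSA enVision or from EMC's CIRC: it takes an IDS alert, looks for antivirus and firewall records on the same host within a short window, and ranks the result for a triage queue. The log format, the field names, the ten-minute window and the mapping from "how many independent sources agree" to analyst level are all assumptions made for this example; the log lines are constructed, not real traffic.

```python
"""Cross-source alert corroboration and triage (illustrative, added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Format: time|source|host|message
SAMPLE_LOGS = """\
2009-10-07T02:01:10|ids|10.1.4.22|ET TROJAN Zeus checkin to 203.0.113.9
2009-10-07T02:01:45|fw|10.1.4.22|DENY outbound 10.1.4.22 -> 203.0.113.9:443
2009-10-07T02:02:30|av|10.1.4.22|Quarantined Trojan.Zbot in C:\\Temp\\upd.exe
2009-10-07T02:05:00|ids|10.1.7.8|ET SCAN Nmap ping sweep
2009-10-07T03:10:00|ids|10.1.9.3|ET POLICY PE EXE download
2009-10-07T05:30:00|fw|10.1.9.3|ALLOW outbound 10.1.9.3 -> 198.51.100.5:80
"""

WINDOW = timedelta(minutes=10)   # assumed corroboration window


def parse_logs(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, host, msg = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(ts), "source": source,
                       "host": host, "msg": msg})
    return events


def triage_level(sources):
    """Assumed mapping: the more independent controls agree, the higher the tier."""
    if "av" in sources and "fw" in sources:
        return 3   # several controls agree: likely real compromise
    if sources:
        return 2
    return 1       # uncorroborated IDS alert: Level 1 review


def corroborate(events):
    """For each IDS alert, collect AV/firewall events on the same host within WINDOW."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for alert in (e for e in events if e["source"] == "ids"):
        related = [o for o in by_host[alert["host"]]
                   if o["source"] != "ids"
                   and abs(o["time"] - alert["time"]) <= WINDOW]
        sources = {o["source"] for o in related}
        findings.append({"host": alert["host"], "alert": alert["msg"],
                         "corroborated_by": sorted(sources),
                         "level": triage_level(sources)})
    return findings


def triage_queue(text):
    """Parse, corroborate and order findings, highest level first."""
    return sorted(corroborate(parse_logs(text)),
                  key=lambda f: (-f["level"], f["host"]))


if __name__ == "__main__":
    for f in triage_queue(SAMPLE_LOGS):
        print(f"L{f['level']} {f['host']:<10} {f['alert']}  <- {f['corroborated_by']}")
```

In the sample, the Zeus alert on 10.1.4.22 is backed by both a firewall deny and an antivirus quarantine inside the window and so lands at the top of the queue, while the firewall event on 10.1.9.3 is more than two hours after the IDS alert and does not count.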

CALLING OFFENDERS TO ACCOUNT

If a specific user or group repeatedly violates security policy or takes a high-risk action, such as connecting their own wireless router to the network to temporarily bypass the IT-managed wireless network for reasons of convenience—thereby neutralizing multiple layers of network protection—the CIRC has a couple of options: It may engage the Global Investigations Security group to conduct an investigation or contact Human Resources to initiate communication with the offender. Analyst A. J. Muccio recalls occasions where local personnel have been dispatched to walk the halls of a facility with a device that allows them to sniff out such rogue access points, which are sometimes tucked under a desk or in a closet to avoid detection.

The CIRC uses Sourcefire RNA software to gain real-time visibility into EMC’s network topology worldwide.

CIRC by the numbers

EMC’s Critical Incident Response Center consists of:
2 advanced facilities ...
Staffed by 13 security analysts in the U.S. and India ...
Protecting 60 countries ...
Encompassing 500+ offices and partner sites ...
Guarded by 1,300+ security devices ...
That monitor 45,000+ end nodes ...
Averaging 15 to 20 million security-related logs per hour.

DETECTING AND PREVENTING DATA LEAKAGE

The CIRC also deploys the RSA DLP Suite on nine Internet gateways worldwide to detect sensitive information, such as EMC intellectual property, customer records or employee Social Security numbers, that is being transmitted out of the company through myriad methods. A large datacenter deployment of RSA DLP constantly scans all fileservers around the world and classifies any sensitive information found on them.

As one of his responsibilities, Level 3 Analyst Jeff Hale develops DLP “content blades” to detect new categories of information that need protection. “If we have a new product launch, we get that information ahead of time and program DLP to look for that information and be sure no one is talking about it or sending it out ahead of time,” says V. Jay LaRosa. “Similarly, before quarterly or year-end financial results are announced, we activate a content blade that looks for financially sensitive information to make sure no one is leaking it early.”
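What a "content blade" amounts to, as an added example that is not code from the RSA DLP Suite or from EMC. Three detectors are run over outbound messages: a Social Security number pattern with the issuance rules that weed out impossible values, a payment card pattern confirmed with the Luhn check digit, and a keyword blade of the kind the text describes for a product launch or an earnings release. The codename "Project Bluefin", the keyword lists, the two-keyword threshold for the earnings blade and the sample messages are all constructed for this example.

```python
"""Toy DLP content-blade scanner for outbound messages (illustrative, added example)."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional separators


def valid_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits):
    """Luhn check-digit validation over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def blade_ssn(text):
    return [m.group(0) for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]


def blade_pan(text):
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def keyword_blade(keywords, min_hits=1):
    """Build a blade that fires when at least min_hits of the keywords appear."""
    pats = [(k, re.compile(r"\b" + re.escape(k) + r"\b", re.I)) for k in keywords]

    def blade(text):
        found = [k for k, p in pats if p.search(text)]
        return found if len(found) >= min_hits else []
    return blade


# Assumed active blades; the codename and keyword lists are hypothetical.
BLADES = {
    "ssn": blade_ssn,
    "pan": blade_pan,
    "launch": keyword_blade(["Project Bluefin", "Bluefin GA date"]),
    "earnings": keyword_blade(["quarterly revenue", "EPS", "pre-announcement"],
                              min_hits=2),
}


def scan(message):
    """Return the blades that fired on one outbound message and what they matched."""
    fired = {}
    for name, blade in BLADES.items():
        hits = blade(message)
        if hits:
            fired[name] = hits
    return fired


# Constructed outbound messages, not real traffic. 4111 1111 1111 1111 is a test number.
SAMPLES = [
    "Per HR, my SSN is 219-09-9999 and card 4111 1111 1111 1111 for the travel booking.",
    "Heads up, Project Bluefin ships next week, keep it quiet.",
    "quarterly revenue came in at $3.9B, EPS of 0.22; don't forward.",
    "Test value 000-12-3456 and fake card 4111 1111 1111 1112 should not fire.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(scan(msg) or "clean", "<-", msg[:50])
```

The validators are what keep a blade useful: without the issuance rules and the Luhn check, the fourth message would raise two false alarms, and a gateway that blocks on every nine- or sixteen-digit string quickly gets switched off.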

KEEPING OPERATIONS SEPARATE FROM INCIDENT RESPONSE

Analyst Dave Earle notes that customers are sometimes curious about why the CIRT and EMC’s security operations group are distinct entities, though they work closely together. “Where the CIRT is charged with monitoring and remediating security events, operations manages our Level 1 adds, moves, and changes for security devices,” says Earle, who was recently promoted from the CIRT to a senior security engineer role within the GSO Security Operations team.

“We’ve found that when one group is responsible for both functions, the daily demands of operations tend to pull people away from incident response, except for events that are too big to ignore,” he says. “One result is that staff members can’t find the time to continually enhance the security monitoring environment, which is critical if you want to keep up with evolving threats. When we talk to customers about the separation of duties, customers immediately get it.”

EXPANDING AND ENHANCING CIRC CAPABILITIES

When the CIRC was launched, the center was only staffed during business hours on the U.S. East Coast. Since then, shifts have been expanded to 13 hours a day, and a second, identical facility was opened in Bangalore, India, allowing the center to offer follow-the-sun service. Key enhancements under development include improved workflow, which will greatly streamline investigations, and integration of the CIRC with RSA’s Anti-Fraud Command Center, which helps customers prevent phishing, pharming, and Trojan attacks. The center also helps shut down fraudulent sites globally.

SECURITY MUST BE A BUSINESS ENABLER

Cloutier is adamant that security must be deployed in the service of business goals, enabling the innovation and responsiveness that create competitive advantage. “As security practitioners, our aim is to create an environment for our executives, engineers, and sales folks to build, deliver, and service the absolute best technologies without any impedance or concern about security in our environment,” he says. “We want them to understand that security is not a business inhibitor.”

Among his duties, Level 3 Analyst Conrad Constantine evaluates how newly emerging threats might impact EMC and what steps should be taken to reduce the risk they pose.

Identical CIRC facilities in the U.S. and Bangalore, India, provide follow-the-sun support worldwide.

case study

The fraud stops here

HDFC Bank serves up continuous innovation to protect its customers

Adaptive authentication protects high-risk transactions

Photograph by Ritam Banerjee / Getty

Online banking has many benefits, including greater profitability for banks and improved convenience for customers. Yet as its popularity grows throughout the world, Internet banking exposes more customers to the risk of fraudulent activity, including phishing, pharming, and Trojan horse attacks.

HDFC Bank was one of the first banks in India to enable its customers to transact on the Internet. Like many organizations new to the virtual realm, HDFC Bank experienced a spate of phishing attacks in the early 2000s. At the time, the bank was using a standard authentication service comprising a user ID and password as well as manual security controls, which were prone to errors. Anticipating more attacks and eager to stay ahead of industry compliance requirements, HDFC Bank sought a robust security solution that would be cost-effective and easy to implement, and that would preserve the ease of its customers’ online experience.

“Our customers trust us to look after their money, and we take this responsibility very seriously,” says Vishal Salvi, chief information security officer at HDFC Bank. “We needed a secure platform to protect their personal assets and give them peace of mind.”

IDENTIFYING RISKS, REAPING REWARDS

HDFC Bank considered a number of fraud protection options and eventually chose a solution powered by RSA, The Security Division of EMC. “We really did our homework,” says Sanjeev Patel, head of direct banking channels at HDFC Bank. “And we identified RSA as the one company that could fulfill our needs.”

HDFC Bank implemented RSA® Adaptive Authentication, a risk-based authentication and fraud detection platform used by more than 8,000 organizations worldwide. Among other benefits, RSA Adaptive Authentication has the capability to add an additional layer of security during online transactions, based on risk indicators tracked by the RSA® Risk Engine. High-risk and potential fraud scenarios, including the transfer of large sums and transactions from unrecognized computers, can be assigned a further level of authentication such as challenge questions.
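The step-up decision described above, as an added example. This is not the RSA Risk Engine and not HDFC Bank's deployment: it scores a transaction on the two indicators the text names (transfer size and whether the device is recognized for this account) plus a new-payee indicator, and decides whether to let it through, ask a challenge question, or block. The weights, the two thresholds, the "five times the account's typical amount" rule for a large transfer, and the device and payee histories are all assumptions made for the example.

```python
"""Risk-based step-up authentication for online transactions (illustrative, added example)."""
from dataclasses import dataclass, field


@dataclass
class Account:
    id: str
    known_devices: set = field(default_factory=set)   # device IDs seen before
    known_payees: set = field(default_factory=set)    # payees paid before
    typical_amount: float = 5000.0                    # assumed per-account baseline


@dataclass
class Txn:
    account: Account
    device_id: str
    amount: float
    payee: str


# Assumed weights and thresholds; a real engine tunes these from fraud feedback.
W_UNKNOWN_DEVICE = 40
W_NEW_PAYEE = 25
W_LARGE_AMOUNT = 30          # amount above 5x the account's typical transfer
ALLOW_BELOW, BLOCK_AT = 40, 80


def risk_score(txn):
    """Sum the indicator weights and report which indicators fired."""
    score, reasons = 0, []
    if txn.device_id not in txn.account.known_devices:
        score += W_UNKNOWN_DEVICE
        reasons.append("unrecognized device")
    if txn.payee not in txn.account.known_payees:
        score += W_NEW_PAYEE
        reasons.append("new payee")
    if txn.amount > 5 * txn.account.typical_amount:
        score += W_LARGE_AMOUNT
        reasons.append("large transfer")
    return score, reasons


def decide(txn):
    """allow / challenge (step-up, e.g. a challenge question) / block."""
    score, reasons = risk_score(txn)
    if score < ALLOW_BELOW:
        action = "allow"
    elif score < BLOCK_AT:
        action = "challenge"
    else:
        action = "block"
    return {"action": action, "score": score, "reasons": reasons}


def on_challenge_passed(txn):
    """Enrol the device and payee so the same customer is not challenged every time."""
    txn.account.known_devices.add(txn.device_id)
    txn.account.known_payees.add(txn.payee)


if __name__ == "__main__":
    acct = Account("cust-1", known_devices={"dev-home"}, known_payees={"landlord"})
    print(decide(Txn(acct, "dev-home", 2000, "landlord")))        # allow
    print(decide(Txn(acct, "dev-cafe", 2000, "landlord")))        # challenge
    print(decide(Txn(acct, "dev-kiosk", 60000, "mule-account")))  # block
```

The enrolment step after a passed challenge is what keeps the friction low for legitimate customers: the second visit from the same laptop goes straight through, while a large transfer from an unknown device to an unknown payee still stops.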

Additionally, HDFC Bank deployed RSA FraudAction™, a 24/7 monitoring service that detects, tracks, blocks, and shuts down phishing and other online attacks. RSA FraudAction analysts work round the clock to reduce the lifetime and severity of online attacks. To date, they have helped shut down more than 150,000 illicit websites in 140 countries.

“We were impressed by the solution offered by RSA,” says Salvi. “As hosted, API-based services, RSA Adaptive Authentication and FraudAction were very simple to integrate into our existing infrastructure and deployed quickly with minimum investment in resources.”

TRANSACTING WITH CONFIDENCE

HDFC Bank is already seeing the benefits of partnering with RSA – and so are its customers. “We’d anticipated a slight drop in the number of customers using online banking services as they got used to the new security measures, but we didn’t see that at all,” says Salvi. “Today our customers enjoy better security with no negative impact on their online experience.”

The evidence is more than anecdotal. HDFC Bank has reduced phishing attacks by 60% and brought successful fraud activities against its customers to almost zero. When attacks are made, HDFC Bank is able to deploy countermeasures in five to seven hours – much faster than the industry average.

“We now have three levels of fraud protection,” says Salvi. “We can prevent fraud with the additional layer of authentication in RSA Adaptive Authentication, detect it faster using the RSA Risk Engine, and respond to it more effectively thanks to RSA FraudAction. We look forward to working with RSA to bring new benefits to our customers in the future.”

And the future, it seems, is not far away. HDFC Bank is already planning to extend the layered security approach to its customers’ credit and debit card payments and is considering adopting additional security features, including the RSA SecurID® two-factor authentication system.

HDFC BANK AT A GLANCE

Headquartered in Mumbai, India, HDFC Bank is one of the leading private sector banks in India with more than 15 million customers, 1,400 branches, and 3,400 ATMs. HDFC Bank was founded in 1994 following the liberalization of India’s banking system and has since gained significant market share through its innovative use of technology and commitment to customer service. HDFC Bank has been named one of the 50 best companies in Asia Pacific by Forbes magazine.

“Our customers are at the heart of everything we do. Partnering with RSA has not only helped us protect their assets – it has helped us gain their trust.”

Vishal Salvi, senior vice president and chief information security officer, HDFC Bank


partner profile

Battling the breach

How Verizon Business and RSA are tackling data loss prevention | By Natasha K. Waibel

When Verizon Business released its 2009 Data Breach Investigations Report in April, several findings sent shock waves through the security world. For starters, more electronic records were compromised last year than in the previous four years combined. In 69% of the cases analyzed, companies were unaware of the data breach until informed by a third party. In nearly 40% of the cases, companies didn’t know where the sensitive data in their system was stored.

Photographs by David Deal

That last statistic speaks to a basic but crucial principle of data loss prevention: Know where your information lives. “If you know where your data is, you’re going to protect it,” says Omar Khawaja, global services product manager, Verizon Business. “If you don’t know where your data is, you’re probably not going to protect it, and there’s a much greater chance that it will be breached.”

SECURING THE EXTENDED ENTERPRISE

Considering how business models have been transformed by the advent of the extended enterprise, it’s no surprise that many companies have trouble keeping tabs on their data, says Kerry Bailey, senior vice president of global services at Verizon Business. “Companies no longer operate within the four walls of their data center. They operate globally and are connected to their partners and supply chains, which is beneficial from a business standpoint but challenging when it comes to security. That’s where the value of our relationship with RSA comes into play.”

Verizon Business and RSA first worked together on authentication management in the late 1990s and continue to collaborate on a variety of offerings, from Web access management and identity federation to application log monitoring and management. Their latest joint initiative is called Data Discovery, Identification, and Security Classification (DDISC), an offering that marries Verizon Business’ security management services with RSA’s Data Loss Prevention Suite technology.

DDISC AT WORK

“Every book ever published on risk management says to begin with discovery and classification,” says Peter Tippett, vice president of innovation and technology at Verizon Business and lead author of the Data Breach Investigations Report. “Most companies who claim to be doing risk management are actually doing vulnerability management, which skips the classification piece. Other times people assume someone else knows where the sensitive data is and how important it is. DDISC simplifies the discovery and classification process, allowing companies to take the appropriate steps to protect their data.”

The first step of the DDISC process is data discovery, which enables companies to identify where data exists in their enterprise and how it flows from one place to the next. Then comes identifying what the data is and to whom it belongs. “Identification takes data and converts it into meaningful information,” says Khawaja. “Instead of a stream of nine digits, you identify it as a Social Security number or a phone number in Zambia.”

The final step is classifying how the information is used and its importance to the company – a key aspect of risk management. “When you classify your data, you start treating it as an asset,” says Khawaja. “For example, you can say, ‘This credit card information is relevant to my business because that’s how I generate revenue. These other credit card numbers, however, aren’t relevant because they’re expired and dissociated from the cardholder’s name. Therefore I shouldn’t expend as much effort to protect them.’ Now you’re looking at information in the context of your business and tying it into revenues and operational efficiencies.”

A PERENNIAL SOLUTION

Part of what makes DDISC such a valuable offering is that it helps companies monitor and protect their information over the long run. “In developing DDISC, we realized that services and consulting were important components of the solution but simply not enough on their own,” says Khawaja. “Once the consultants left, we wanted to leave our customers with technology solutions that would perennially enhance the security of their environment, and with the help of RSA, we are able to do that.”

Adds Tom Heiser, senior vice president of global customer relations at RSA, “We’re excited about our strategic partnership with Verizon Business and the value that we can bring to our customers. Verizon Business’ professional and managed security services teams leverage the RSA portfolio to deliver advanced security controls that mitigate information risk for customers.”

KERRY BAILEY: “Companies no longer operate within the four walls of their data center. They operate globally and are connected to their partners and supply chains.”

PETER TIPPETT: “Most companies that claim to be doing risk management are actually doing vulnerability management.”

solutions

Beating the high-risk numbers game

Illustration by Daniel Hertzberg

WHENEVER A CONSUMER enters their credit card number on an online check-out form or slides the card in a point-of-purchase terminal, that number becomes not only a source of funds for the merchant but also a potential headache. Because of the Payment Card Industry Data Security Standard (PCI DSS, or PCI) rules, as well as privacy statutes enacted in 32 U.S. states to date, merchants must be able to protect that highly sensitive piece of data and store it securely – or face significant consequences.

Aside from the legal ramifications, payment card data is the leading target of fraud (accounting for $22 billion in 2008, up from $19 billion in 2007), so it is a major area of concern for businesses and consumers alike. Currently, there are a few approaches that merchants can take to protect this data. One is to encrypt the credit card numbers, which, while effective, has drawbacks. For one, it requires changes to all affected applications, since to ensure PCI compliance every downstream application that touches such information has to be modified to handle the encrypted form. In addition, it requires that the encryption keys be securely managed so that the numbers can be decrypted for later, legitimate purposes.

Other methods typically used to protect credit card numbers include masking (e.g., xxxx-xxxx-xxxx-5608), which provides just enough information to confirm that the correct card was used without revealing the full number to an outsider’s eyes, and hashing, a one-way transformation (not a form of encryption, since there is no key that reverses it) that is useful when storing numbers in a data warehouse. In both cases, however, the original card number cannot later be recovered when needed.

COMING TO THE RESCUE

An emerging solution known as tokenization (see box) addresses these issues and more. Because the card number itself no longer resides in the merchant’s applications, an attacker who captures a token learns nothing about the original number; tokenization not only facilitates PCI compliance but also reduces the cost and scope of compliance efforts. Here’s how it works.

When sensitive data such as a credit card number is input to an application or POS terminal, the tokenization server substitutes a randomly generated, cryptographically strong numeric value that preserves the format and look and feel of the original data structure but has no cryptographic or mathematical relationship to it. This means it cannot be “decoded” by a hacker. Furthermore, since there is no relation between the tokenized value and the actual number, downstream applications that receive and process only tokens are not subject to PCI audit (the tokenization server and the vault that holds the real numbers, of course, remain in scope). Applications can simply allow the tokenized data to flow through, without the need for additional code or database schema changes.

The original, clear-text card number that corresponds to the tokenized value, meanwhile, is centrally stored and encrypted so it can be retrieved by authorized administrators and applications when needed. For maximum protection, the encryption keys are also stored and managed centrally, and the tokenized value itself can be generated automatically at the moment the credit card number is transmitted.

FIRST DATA AND RSA: PARTNERS IN PRIME

In September 2009, RSA and First Data, a global leader in electronic commerce and payment processing services, announced that they are partnering to develop First Data Secure Transaction Management, a tokenization-based service designed to reduce organizational risk and ease the process of complying with PCI DSS.

First Data Secure is powered by the RSA SafeProxy™ architecture, which employs a unique combination of tokenization, advanced encryption, and public-key technologies to provide merchants with the ability to eliminate credit card data from their environments without loss of business functionality or massive rewrites of applications.

According to Art Coviello, executive vice president of EMC Corporation and president of RSA, The Security Division of EMC, “This fruit of our partnership with First Data will provide organizations with a simplified and scalable solution for payment card protection that drastically reduces management complexity and costs. We look forward to a continuing and mutually rewarding collaboration.”
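The three approaches compared above (masking, hashing, tokenization) side by side, as an added example. This is not code from RSA SafeProxy or from First Data Secure Transaction Management. It shows the property the article relies on: a token keeps the shape of a card number but is drawn at random from the OS CSPRNG, so nothing about the card number can be computed from it, and only the vault can map it back. Which parts of the format are preserved (here: length, all-digit, and the last four digits), the in-memory dictionary standing in for the centrally stored, encrypted vault, the use of a keyed hash rather than a bare SHA-256 for the warehouse case, and the "payments" role name are all choices made for this example; encryption at rest and key management for the vault are out of its scope.

```python
"""Masking, hashing and tokenization of a card number (illustrative, added example)."""
import hashlib
import hmac
import secrets


def mask(pan):
    """Masking: keep only the last four digits. Cannot be reversed."""
    return "x" * (len(pan) - 4) + pan[-4:]


def hash_pan(pan, key):
    """Keyed one-way hash: good for matching records in a warehouse, not for recovery."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Maps random tokens to card numbers; only the 'payments' role may detokenize."""

    def __init__(self):
        self._token_to_pan = {}   # stand-in for the encrypted central store
        self._pan_to_token = {}   # reuse a card's token so loyalty/analytics can join on it

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits, no relationship to the PAN; last four kept for receipts.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and token != pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token, caller_role):
        if caller_role != "payments":
            raise PermissionError("detokenization restricted to the payments role")
        return self._token_to_pan[token]


def merchant_flow(vault, pan):
    """What a merchant application keeps after checkout: the token, never the PAN."""
    token = vault.tokenize(pan)
    shape_ok = len(token) == len(pan) and token.isdigit() and token[-4:] == pan[-4:]
    return {"stored": token, "receipt": mask(token), "shape_preserved": shape_ok}


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"   # well-known test number, not a real card
    rec = merchant_flow(vault, pan)
    print("merchant keeps:", rec)
    print("warehouse key :", hash_pan(pan, b"warehouse-key"))
    print("settlement    :", vault.detokenize(rec["stored"], "payments"))
```

A loyalty or refund system holding only the token can match repeat customers and process returns because the same card always maps to the same token, yet a breach of that system yields nothing a criminal can use at a point of sale; only the vault, with its own access control, can produce the real number for settlement.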

A FIRST-CLASS SOLUTION

For credit card-processing company First Data, tokenization promises to protect its own interests as well as those of its merchant customers and their customers. With First Data® Secure Transaction ManagementSM, a service First Data will begin offering its customers thanks to a partnership with RSA (see sidebar), merchants will send their payment card numbers and other information to First Data for card authentication just as they do currently. But now, customers will receive back a tokenized value that can then be used in online applications instead of having to use actual card numbers. First Data will maintain the real payment card information in a highly secure data store from which it can be retrieved for payment processing once a transaction is complete.

“Payment card data protection and PCI compliance are some of the most significant challenges that our merchant customers face today. Addressing these challenges is both complex and costly,” says Michael Capellas, chairman and chief executive officer of First Data. “The simplicity of integrating encryption with tokenization through the First Data Secure Transaction Management service dramatically redefines how merchants of all kinds manage and protect their customer payment data.” Merchants will benefit from First Data Secure Transaction Management because they will no longer have to process and store actual card numbers onsite, thereby greatly reducing their risk profile and the scope of PCI compliance efforts. They can also pass on assurances to their customers that their data is secure from hackers and identity thieves. The solution supports all types of payment card data.

TOKENIZATION VS. TOKENS

Though the term “aliasing” is also sometimes used, “tokenization” has become the most common term for the substitution of sensitive data with a random numeric value. Despite the similar names, tokenization in this sense is different from RSA SecurID tokens, which generate one-time passcodes for strong authentication. RSA follows industry practice in using the term tokenization, while acknowledging the need to distinguish between tokenization and SecurID tokens, given the latter’s widespread success and deployment. The price of success!

Because tokenized data cannot be reverted to the original number without accessing a secure vault within First Data’s secure data center environment – and cannot be used to initiate a transaction at the point of sale – it is essentially worthless to criminals. Tokenized data can, however, be used safely and effectively by merchants in a range of important business capabilities, such as tracking customer loyalty, managing refunds and returns, and supporting customer analytics.

COMPLIANCE FOR BUSINESSES, CONFIDENCE FOR CONSUMERS

“No organization wants to be the lead in the next national news story about a company that had a data breach and allowed sensitive customer information to be accessed by hackers or insiders,” says Robert Griffin, director of solution design for the Data Security Group at RSA, The Security Division of EMC. “Tokenization is an ideal solution for these organizations because the cost, time, and impact of deployment are small relative to other solutions, yet it can also be more effective. Furthermore, it’s capable of supporting multiple data types and eliminates cross-platform complexities often introduced by encryption-based methods.”

In addition to PCI and the state privacy laws, tokenization can also help organizations comply with other regulations, such as those mandating security of Personally Identifiable Information (PII) and health information, where clear-text storage of sensitive information is prohibited.

Tokenization is a powerful new solution to achieve compliance, protect consumers, and thwart thieves. As such, it can be a valuable component of a comprehensive defense-in-depth system for data security. Supported by identity and access management, security information and event management, and enterprise key management, tokenization can ultimately make the numbers work in your favor.

Photographs by Asia Kepka22

NEW TECHNOLOGIES SEEM to appear faster than users can keep up, but our most common activities – auto-mated banking, point-of-sale credit card purchases, enter-ing the office via a badging system – rely on technology developed more than 40 years ago. The automatic teller machine (ATM) appeared in 1967 along with the personal identification number (PIN) to authenticate its users, but their underlying framework hasn’t changed significantly since then.

That situation intrigued RSA research scientist Kevin Bowers and his team, who are examining ways to improve the decades-old PIN system. “We began to wonder if technology hadn’t advanced so that we could develop a better authentication mechanism with more security and a better user experience,” he explains.

AND THEN CAME PIP

“There are concerns about how much security you’re actually getting from a PIN,” Bowers continues. “Four digits really aren’t enough to provide secure authentication, but matching two pairs of colors on a touchscreen could provide five to six times the security of a four-digit PIN.” With that idea in mind, Bowers and his team created a system prototype they’ve dubbed Personal Identification Pairs, or PIP.

Where the PIN entry system requires the user to type digits on a keypad, PIP presents a grid of 16 tiles, each a different color. The user must connect tiles representing his two secret color pairs by sliding his finger across a touchscreen similar to that on a mobile phone. “In two swipes, you connect the colors that make your pairs,” explains Bowers. “If one of your pairs is maize and blue, for example, you touch the maize tile and don’t let go until your finger is over the blue one. You’re actually entering more information in fewer gestures than when you enter a PIN.”

FULL-SPECTRUM SECURITY AND USABILITY

PIP is particularly effective in thwarting “shoulder surfing” attacks by the shady character next in line at the ATM. “Shoulder surfing is an easy attack because the person behind you can simply watch as you enter your PIN,” says Bowers. “He immediately knows what buttons you’ve pressed.”

PIP tiles, on the other hand, can be randomly mixed each time the user approaches an ATM. “You perform your two swipes and the person behind you has no idea what colors you just touched,” says Bowers. “When he walks up to the screen, his 16 colors are in different places. Even if he can mimic where you put your fingers, he’s not selecting the same colors.”
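The keyspace comparison Bowers describes, and the effect of reshuffling the tiles on someone who merely copies finger positions, worked through as an added example (not code from RSA Labs or the article; the assumptions that each pair is an ordered choice of two distinct colors and that the two pairs are entered in a fixed order are mine, since the article does not state them):

```python
# Added example (not from the article): compares the guessing space of a
# four-digit PIN with a two-pair PIP on a 16-color grid, and shows why
# reshuffling tiles defeats a shoulder surfer who only copies finger positions.
# Assumption: each pair is an ordered choice of two distinct colors and the
# two pairs are entered in a fixed order (the article does not say).
import random

NUM_TILES = 16  # 16 tiles, each a different color (from the article)
NUM_PAIRS = 2   # two secret color pairs (from the article)

def pin_keyspace(digits=4):
    """Number of distinct codes a digit-only PIN can take."""
    return 10 ** digits

def pip_keyspace(num_tiles=NUM_TILES, num_pairs=NUM_PAIRS):
    """Ordered pair of distinct colors per swipe, pairs entered in order."""
    return (num_tiles * (num_tiles - 1)) ** num_pairs

def security_ratio():
    """How many times larger the PIP space is than a 4-digit PIN's."""
    return pip_keyspace() / pin_keyspace()

def shuffled_layout(rng):
    """layout[position] = color id; a fresh permutation each session."""
    layout = list(range(NUM_TILES))
    rng.shuffle(layout)
    return layout

def swipe_positions(layout, secret_pairs):
    """Tile positions the legitimate user's finger visits on this layout."""
    where = {color: pos for pos, color in enumerate(layout)}
    return [(where[a], where[b]) for a, b in secret_pairs]

def colors_at(layout, positions):
    """Color pairs actually selected when these positions are touched."""
    return [(layout[p], layout[q]) for p, q in positions]

def authenticate(layout, entered_positions, secret_pairs):
    """Terminal-side check: map positions to colors, compare to the secret."""
    return colors_at(layout, entered_positions) == list(secret_pairs)

if __name__ == "__main__":
    rng = random.Random(2009)
    secret = [(3, 7), (12, 0)]                # constructed sample secret
    first = shuffled_layout(rng)              # grid shown to the real user
    observed = swipe_positions(first, secret) # what a shoulder surfer sees
    second = shuffled_layout(rng)             # reshuffled grid at the next turn
    print("PIP/PIN keyspace ratio:", security_ratio())   # 5.76
    print("real user accepted:", authenticate(first, observed, secret))
    print("mimic accepted:", authenticate(second, observed, secret))
```

Dropping the ordering assumptions shrinks the space (unordered colors within a pair gives 120 per swipe, 14,400 total), so the "five to six times" figure holds only when both the direction of each swipe and the order of the two swipes carry information.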

Currently in the prototype phase, PIP is poised for usability testing. “The next step is determining how many colors a user can actually distinguish under various lighting scenarios,” says Bowers. “We’re also working to make sure PIP addresses the needs of all its users; we’re looking at adding textures or patterns to the PIP touchscreen to assist color-blind or vision-impaired users.”

Bowers envisions an incremental rollout of PIP, whereby color touchscreens and upgraded software would be integrated into existing devices during routine maintenance and repair. Users would also have the option to revert the devices to the familiar numeric touchpad until they’re comfortable with the PIP process.

Memorizing one’s PIP shouldn’t be a worry, says Bowers. “Studies indicate that people remember colors much more easily than they do numbers.” And recalling one’s high school colors and the hues of their dream house just might make waiting in the ATM line a bit easier, too.

Inside RSA Labs

A colorful approach to security

RSA research scientist Kevin Bowers, left, and his team were inspired to explore ways of improving the decades-old PIN system of user authentication.

Matching two pairs of colors on a touchscreen could provide five to six times the security of a four-digit PIN.

A new authentication technology based on color could help stop “shoulder surfing” at the ATM | By Sarah Jensen


SECURITY STRATEGY. EXPERTLY EXECUTED.

Security Assessment and Research

Risk and Compliance Management | Technology Solutions

800.574.0896 / www.accuvant.com

Is your company’s security program built on the same foundation?

Among the fastest-growing private companies in America, Accuvant is a leading information security consulting firm specializing in security assessments, vulnerability research, risk and compliance management, and technology solutions. As an RSA Signature Partner and key solution partner for enVision since 2004, Accuvant has a deep understanding of RSA technologies including data loss prevention, authentication, and security information and event management solutions. In 2007, Accuvant was named RSA Partner of the Year.


The best way to beat hackers? Never let them in.

Even basic security controls make the job of a data thief far more difficult.*

That’s why it’s important to have a sound security foundation. Our professional and managed security services help you establish solid security policies, processes, and technology. Which means you can proactively manage risks and threats across your enterprise and build confidence with partners, suppliers, and customers. This end-to-end approach to security is why thousands of organizations around the world trust us for security solutions.

See more at verizonbusiness.com.

*2009 Verizon Business Data Breach Investigations Report. Statistics represent cases investigated by Verizon Business. © 2009 Verizon. All rights reserved.
