In light of the ongoing news of retail breaches at Target and Neiman Marcus, cybersecurity expert Mark Bower, VP at Voltage Security, issued the following comments. Feel free to quote Mark, or let me know if you’d like to talk or have specific questions for him.
“Yet again, the attackers have gained access to sensitive data. The industry has to understand that incomplete approaches to protecting data that leave it exposed at some vulnerable point in its life will result in a breach. It’s merely a matter of time. Traditional defenses leave too many exploitable gaps that present an opportunity for compromise. Data breaches are unstoppable, but it’s entirely possible to neutralize their impact using new defenses that leading retailers and payment processors have already adopted successfully with the double benefit of risk and compliance cost reduction.
Today, the attackers are armed with the ability to penetrate IT architectures despite the presence of traditional perimeter defenses, monitoring, and scanning. Trying to stay ahead of the latest attack vectors is a costly arms race that’s always one step behind the attackers. The good news is there are ways to mitigate these threats, which are setting the new standard in best practice in data security: data-centric, or end-to-end, protection. Attackers go after high-value data. Strong data-level encryption and isolated key management, with the ability to retain the business use of the data in protected form, provide a powerful defense against these threats. The problem is that not all encryption is created equal. Methods that merely encrypt the disk only address threats to data when the system is powered off and do nothing to mitigate these kinds of advanced attacks. Retail systems and e-commerce systems are 24/7 platforms – so data is at risk after capture, in flight, in use and in active storage. Until the magnetic stripe credit card system and static credit card data are replaced, which is a long way off, retail payment protection has to be about the full lifecycle of the credit and debit card data from the instant it is captured to its hand-off to the card brands.”
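The data-centric approach described above can be illustrated with a small tokenization sketch. This is an added example, not Voltage's product or any code from the quoted statement: card numbers are swapped for a same-length token at the point of capture, the token keeps the last four digits so receipts, refunds and customer support keep working, and the only component that can reverse the mapping (the `TokenVault` class here, a hypothetical name) is assumed to run in a separate, isolated environment. The test card number is a constructed Luhn-valid value, not a real card.

```python
"""Format-preserving tokenization of card numbers at point of capture.

Added illustration (not Voltage's code): the PAN is replaced by a token of
the same length that keeps the last four digits, so downstream records keep
working while no live card number sits in the retail system. The vault that
reverses the mapping is assumed to be an isolated, separately controlled
service; here it is in-memory so the example runs offline.
"""
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_last4(digits: str) -> str:
    """Display form used on receipts: everything masked except the last four."""
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Hypothetical token vault: the only place that holds live PANs."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Exchange a live PAN for a same-length, Luhn-invalid digit token."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:          # same card -> same token, so
            return self._pan_to_token[pan]     # repeat-customer reporting still works
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]             # keep last four for receipts/support
            # Reject tokens that pass Luhn (or collide), so a token can never be
            # mistaken for, or accidentally submitted as, a live card number.
            if luhn_valid(token) or token in self._token_to_pan:
                continue
            break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the hand-off path to the card brands should be allowed to call this."""
        return self._token_to_pan[token]


def process_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the retail application stores for a sale: token, display form, amount.

    The live PAN is exchanged for a token at capture and never written to the
    record, so a copy of the store's transaction log contains no usable cards.
    """
    token = vault.tokenize(pan)
    return {
        "card_token": token,
        "card_display": mask_last4(token),
        "amount_cents": amount_cents,
    }


def record_exposes_pan(record: dict, pan: str) -> bool:
    """Check whether a stored record leaks the live card number in any field."""
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111111111111111"  # constructed Luhn-valid test number, not a real card
    rec = process_sale(vault, sample_pan, 4999)
    print(rec)
    print("record exposes PAN:", record_exposes_pan(rec, sample_pan))
    print("vault recovers PAN:", vault.detokenize(rec["card_token"]) == sample_pan)
```

The point to take from the sketch is the boundary it draws: everything outside the vault (databases, logs, reports, backups) holds only tokens, so disk encryption on those systems becomes a secondary control rather than the one thing standing between an intruder and live card data.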
Some background: Voltage software is used by 3 of the 5 largest retailers in the US, 6 of the 8 top payment processors in the US, top airlines and global credit card brands. The benefits are a dramatic reduction in the risk of data breaches by removing live data from systems without disruption to IT or business processes, and a reduction in the cost of PCI DSS compliance – in some cases by as much as 95%. After their similar large-scale breach, Heartland Payment Systems looked to Voltage to solve their breach remediation challenge and move to a full end-to-end encryption strategy for their merchants’ payments flow. As Bob Carr, CEO of Heartland Payment Systems, notes: “Every single breach I know of wouldn’t have happened if our end-to-end encryption solution had been there.”