If I were writing this in the early 2000s, I would have started with the line “open any newspaper and the headline will be screaming about…” but since this is 2018 and newspapers have pretty much gone the way of the dodo bird, I will start with “open any web browser or news app…” My point here is that things have evolved very quickly over the last 20 years thanks to the internet. We are all so fully connected that sometimes we forget how much of our lives are lived online. None of us can live without the internet or our connected gadgets. The convenience of having a small computer in our pocket is immeasurable. Kids born in the last 30 years don’t know what an encyclopedia is; if they want to explore a topic, they just fire up Wikipedia or Google and voilà, they have the combined knowledge of the world at their fingertips.
All this knowledge and access has a downside that can’t be ignored, which is the security implications of living on the web. Everything online is hackable – if information is on a computer connected to the Internet, it is vulnerable. Every second of every day, 59 records are lost or stolen. Since 2013, around 10 billion data records have been lost or stolen, of which only about 4% were encrypted or tokenized which rendered them useless – the rest most likely are for sale on the dark web.
Open any web browser or app these days and there is sure to be a new story about how some company has experienced a data breach. In the last few months the TSA, Verizon, Equifax, NSA, Uber, CIA, US Air Force, Deloitte, and Alteryx, just to name a few, have all lost billions of sensitive data elements. If you just examine the Equifax and Alteryx breaches, you will quickly determine that pretty much every person living in the United States has been impacted. In most cases, the folks whose data has been lost didn’t consent to, or even know, that their PII was being stored by these companies.
Having lived through a data breach I can tell you that these companies didn’t want to lose their customers’ data, they didn’t skimp on security, they were just the losers of the latest arms race – the race between bad actors and corporations. In the newspaper age, it wasn’t feasible to steal data at the massive scale that we are seeing today. Data was in paper form or contained within a private network that had very limited outside access. Today everything is interconnected to everything else. It makes our lives better, but it also creates a whole host of new attack vectors.
It's not a question of if you will be attacked, but when.
To help organizations deal with the constant onslaught of data thieves, numerous standards and regulations have emerged which describe how data should be protected. These include the Payment Card Industry’s Data Security Standard (PCI DSS), the EU’s General Data Protection Regulation (GDPR), the U.S. Health Insurance Portability and Accountability Act (HIPAA), and the 800-53 standard from the U.S. National Institute of Standards and Technology (NIST), among many others.
PCI DSS Requirement 3.4: “Render data unreadable anywhere it is stored. Technology solutions may include strong one-way hash function of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography”.
GDPR Article 32: “…the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data…”
What all of these regulations have in common is that they prescribe a layered approach to data security with data protection at its core. Security and military professionals talk about defense in depth, where the attacker must get through many layers of defense before they can get to their target objective. In the military, when the attackers get through the outer defenses, they still must get past the folks making the last stand. In the IT world, that last stand must be tokenization and encryption!
Tokenization has emerged as a best practice for protecting sensitive data.
Tokenization replaces the sensitive data with meaningless tokens without compromising its security. It can preserve characteristics of the data such as the type (numeric, alpha, alphanumeric) and length, which makes implementation easier because many systems are sensitive to data type and length. Encryption renders the data useless without the key that was used to encrypt it. It doesn’t preserve the format of the data, so it requires more work to implement (field size changes, encrypt/decrypt when the data is used, a hash added to be able to search the data). Companies should use both tokenization and encryption to protect their digital assets.
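One way to see the type and length preservation described above is a small vault-based tokenizer. This is an added example, not code from the original article or any product; `TokenVault` and `shape` are hypothetical names, the in-memory dictionaries stand in for a hardened, access-controlled vault, and the card number is a constructed test value.

```python
import secrets
import string

class TokenVault:
    """Hypothetical in-memory vault; a real one is a secured, audited store."""

    def __init__(self):
        self._by_token = {}  # token -> original value (the only way back)
        self._by_value = {}  # original value -> token (same input, same token)

    @staticmethod
    def _random_like(value):
        # Swap each character for a random one of the same class; separators
        # such as '-' stay put, so downstream field validation still passes.
        out = []
        for ch in value:
            if ch in string.digits:
                out.append(secrets.choice(string.digits))
            elif ch in string.ascii_uppercase:
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch in string.ascii_lowercase:
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value):
        if value in self._by_value:
            return self._by_value[value]
        for _ in range(100):  # bounded retry: very short values can exhaust the space
            token = self._random_like(value)
            if token != value and token not in self._by_token:
                self._by_token[token] = value
                self._by_value[value] = token
                return token
        raise ValueError("could not find an unused token for this value")

    def detokenize(self, token):
        # The token is random, so without vault access it reveals nothing.
        return self._by_token[token]

def shape(s):
    """Collapse a string to its type/length pattern, e.g. '12-Ab' -> '99-Aa'."""
    return "".join("9" if c in string.digits else
                   "A" if c in string.ascii_uppercase else
                   "a" if c in string.ascii_lowercase else c for c in s)

vault = TokenVault()
pan = "4111-1111-1111-1111"  # constructed test value, not a real card
token = vault.tokenize(pan)
print(token, shape(token) == shape(pan), vault.detokenize(token) == pan)
```

Because the token is drawn at random rather than derived from the input, it fits the same column and validation rules as the original while carrying no recoverable information outside the vault.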