An up-and-coming technique for protecting sensitive data is to "tokenize" it -- to replace the sensitive data with a representative token that has no meaning or value if stolen. You can implement tokenization fully in-house or outsource portions of the process and the storage of the actual data vault to a third party service provider. This article explores a few of these options.
In last week's article, I talked about tokenization, the process of replacing sensitive data with a representative token value. The token is linked back to the original data, which has been encrypted and stashed away in a secure vault. The token, meanwhile, is useable in place of the real data in business applications such as marketing or human resources programs. The idea of using a token is that it is meaningless information to anyone who would steal it.
For example, credit card data can be tokenized soon after it is captured at the point of sale. If a hacker gains access to a merchant's server where tokenized data is stored, he will get worthless information instead of valuable cardholder data that can be used to commit fraud.
Tokenization is a security technology that can be used with many kinds of sensitive data, not just payment card information. You may want to protect Social Security numbers, customer account information, or corporate financial records. Turning these data types into tokens takes away the incentive for thieves to steal the information because they can't monetize tokenized data. For your own applications, however, the token is sufficient to represent the real data in most cases.
Organizations that choose to deploy tokenization can implement it in-house or outsource the process to a service provider. The most common use for an outsourced tokenization service is to protect cardholder data.
For organizations that want to deploy and manage the tokenization technology in-house, nuBridges offers a solution called nuBridges Protect, which is an integrated encryption, tokenization, key management and logging solution to protect sensitive data at rest in databases, applications and associated backup storage. The two data protection methods utilized by nuBridges Protect are format-preserving tokenization and encryption.
NuBridges Protect Token Manager is a software module that intercepts the data you want to protect, generates format-preserving tokens and inserts them in place of the sensitive data. It then encrypts the original data and stores the cipher text in a central data vault. Tokens can be safely used by any application or database without risk of exposing sensitive data. When applications or databases require the clear-text value, they make a Web services call to the Token Manager and present the token. The Token Manager validates the request credentials and, if authorized, looks up the token in the data vault, identifies the appropriate cipher text, decrypts the value and presents it back to the database or application.
Some of the key features of nuBridges Protect Token Manager are:
* Creates a central, protected data vault where sensitive data is encrypted and stored.
* Generates tokens that act as surrogates for sensitive data wherever it resides. Tokens maintain the length and format of the original data so that applications don't require modification.
* Enforces a strict one-to-one relationship between tokens and data values, so that referential integrity is assured whenever an encrypted field appears across multiple applications and data sets, and data and trend analysis can continue uninterrupted.
* Provides complete control of the token-generation strategy.
* Supports multiple classifications of sensitive data, with each classification having its own policy.
* Integrates with nuBridges Protect Key Manager for full-life-cycle, PCI DSS-compliant key management, and the ability to rotate keys without having to re-encrypt old data.
* Web Services interface enables diverse client platforms and languages to consume the services of the Token Manager.
* Browser-based interface for system administration and policy management.
* Generates Syslog-compliant security event logs that are easily integrated with Security Incident and Event Management (SIEM) and log management solutions.
* Scalable for high-volume, high-availability environments.
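The Token Manager flow described above (generate a format-preserving token, encrypt the original and store the ciphertext in a vault, enforce a one-to-one token-to-value mapping, and release the clear value only to an authorized caller while writing security event logs) can be sketched in a few dozen lines. The following is an added, self-contained illustration written for this article; it is not nuBridges code and makes no claim about how nuBridges Protect works internally. Everything in it is constructed for the example: the vault is an in-memory dictionary, the "request credentials" are a client-id allow list, the cipher is HMAC-SHA256 run in counter mode with a separate HMAC integrity tag (a stand-in, so the example runs with only the standard library; a real deployment uses an authenticated cipher such as AES-GCM with keys held by a key manager), and the card number is the well-known 4111... test value.

```python
"""Toy tokenization vault: format-preserving tokens plus an encrypted data vault.

Added example for illustration only (not nuBridges code). Stand-ins, all constructed
for this example: HMAC-SHA256 in counter mode as the vault cipher (use AES-GCM or
similar in production), an in-memory dict as the vault, and a client-id allow list
as the request-credential check.
"""
import hashlib
import hmac
import secrets


class TokenVault:
    def __init__(self, master_key: bytes, authorized_clients):
        # Derive a separate key per purpose from one master key (simple constructed KDF).
        self._enc_key = hashlib.sha256(b"enc|" + master_key).digest()
        self._mac_key = hashlib.sha256(b"mac|" + master_key).digest()
        self._fp_key = hashlib.sha256(b"fp|" + master_key).digest()
        self._vault = {}         # token -> (nonce, ciphertext, tag)
        self._fingerprints = {}  # HMAC(value) -> token; enforces the one-to-one mapping
        self._authorized = set(authorized_clients)
        self.events = []         # syslog-style security event lines (never contain clear values)

    def _log(self, msg: str) -> None:
        self.events.append(f"token-manager: {msg}")

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length.
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _encrypt(self, plaintext: bytes):
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce, ct, tag

    def _decrypt(self, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("vault record failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    def _new_token(self, value: str) -> str:
        # Format-preserving: same length, digits replaced by random digits, separators kept.
        # Retry on the (unlikely) collision with an existing token or with the value itself.
        while True:
            token = "".join(secrets.choice("0123456789") if c.isdigit() else c for c in value)
            if token not in self._vault and token != value:
                return token

    def tokenize(self, value: str) -> str:
        # Keyed fingerprint lets equal inputs map to the same token without storing the value.
        fp = hmac.new(self._fp_key, value.encode(), hashlib.sha256).hexdigest()
        if fp in self._fingerprints:
            return self._fingerprints[fp]
        token = self._new_token(value)
        self._vault[token] = self._encrypt(value.encode())
        self._fingerprints[fp] = token
        self._log(f"tokenize ok token={token}")
        return token

    def detokenize(self, client_id: str, token: str) -> str:
        # Validate the caller first; an unauthorized request is logged and refused.
        if client_id not in self._authorized:
            self._log(f"detokenize DENIED client={client_id} token={token}")
            raise PermissionError(f"client {client_id!r} not authorized to detokenize")
        record = self._vault.get(token)
        if record is None:
            self._log(f"detokenize UNKNOWN client={client_id} token={token}")
            raise KeyError(token)
        value = self._decrypt(*record).decode()
        self._log(f"detokenize ok client={client_id} token={token}")
        return value


if __name__ == "__main__":
    vault = TokenVault(b"constructed-master-key", authorized_clients=["billing-app"])
    pan = "4111-1111-1111-1111"  # constructed test card number, not a real account
    tok = vault.tokenize(pan)
    print("token:", tok, "| same token on repeat:", vault.tokenize(pan) == tok)
    print("billing-app sees:", vault.detokenize("billing-app", tok))
    try:
        vault.detokenize("marketing-app", tok)
    except PermissionError as exc:
        print("marketing-app refused:", exc)
    print("\n".join(vault.events))
```

The points worth noticing: the marketing application works with the token alone and never needs detokenize access; the fingerprint table is what gives the strict one-to-one mapping (the same card number always yields the same token, so joins across systems still work); and the event log records the token, the client and the outcome but never the clear value.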
Merchants that want to tokenize their cardholder data can choose from a range of service providers that integrate with the payment processing flow. In this case, both the token server and the secure data vault are operated and managed by a third party. Using a third party provider is actually an advantage for companies that are trying to attain or maintain PCI compliance, as it means that the merchant is no longer storing any sensitive data -- it's all on the third party's servers.
Some of the service providers are:
* Shift4 Corporation, whose tokenization service is part of Shift4's Dollars on the Net payment processing solution.
* Merchant Link with its TransactionVault service.
* Electronic Payment Exchange, which has a service called BuyerWall, in which a token is called a BRIC (BuyerWall Recognized Identification Code).
There are many more third party service providers that cater specifically to the merchant market.
If your organization is looking for ways to complement data encryption to protect your most sensitive data, look into tokenization.