|
nuBridges Targets Identity Theft with New Solution
Published: January 31, 2006
by Alex Woodie
nuBridges this month announced truExchange Data Secure, a new software and services offering that provides field- and file-level encryption of data residing on iSeries servers. Data Secure is aimed squarely at preventing the type of accidental loss of customer data that leads to identity theft, which is becoming increasingly difficult for companies to stomach as a result of new state and federal laws, as well as consumer lawsuits and financial punishment enacted by shareholders.
One doesn't have to look any farther than ChoicePoint to see the effect that identity theft can have on corporations and consumers. When ChoicePoint unknowingly sold criminals information on 163,000 consumers last year, it led to 800 cases of identity theft. Last week, the Atlanta data broker agreed to a $15-million settlement, including $10 million in fines to the Federal Trade Commission, and $5 million in restitution to consumers whose data was violated. However, those numbers are a pittance compared to the $300 million in value the company's stock has lost since the episode began.
In the same way the Enron and WorldCom debacles led to new accounting system controls with Sarbanes-Oxley, the scandals of ChoicePoint and others have become rallying points for state and federal regulators and consumer protection activists who are looking to prevent identity theft. In fact, right now, we're in the middle of the activation of new state laws regarding identity theft, according to Gary Palgon, director of product management at Atlanta-based nuBridges.
California was the first state with such a law--SB 1386, which was passed in 2003 but got enforcement teeth last year--and since then at least 20 other states have followed suit, Palgon says. On January 1, the states of Connecticut, Illinois, Louisiana, and Nevada enacted laws requiring companies to notify consumers when their data has been put at risk. Maine's law is scheduled to go into effect today, and Montana and Rhode Island follow with their laws in March. What's more, a dozen other states are considering similar laws, and there are four additional federal laws currently making their way through Congress, not to mention similar laws in Japan and the European Union.
In short, the message to companies is clear: Protect your customers' identity-related data, or face serious financial consequences.
Get Encryption
nuBridges' answer to the identity-theft prevention mandate is truExchange Data Secure, a new solution launched two weeks ago that combines professional services and OS/400 software.
The software component of Data Secure is a utility that turns normal RPG reads and writes into on-the-fly, field- or file-level encryption and decryption functions. The functions are designed to work on areas of OS/400 applications that contain sensitive information, such as names, addresses, social security numbers, and credit card numbers. The software does not require users to change the field sizes or file layout of their OS/400 applications, nuBridges says, and works with a variety of encryption algorithms, including 3DES, AES, Idea, RSA, and Diffie/Hellman. Encryption can be controlled using passwords of PKI infrastructure. The software also logs all encryption activity.
The services component of nuBridges solution involves a thorough examination of a company's specific needs, which vary by state and country, and a recommendation for which data types should be protected. nuBridges has done an admirable job of keeping track of the whirlwind of legislation and compiling meaningful information about specific laws, including when the laws were passed, and if there are actual penalties yet for violating them. (Like people, companies will generally ignore a law, until the consequences become painful.)
Data Secure is largely based on a similar nuBridges offering called truExchange PCI Secure that the company unveiled last May (see "nuBridges Tackles PCI Security Mandate with New OS/400 Offering"). PCI Secure is aimed at helping retailers to comply with the new Payment Card Industry (PCI) requirements put in place by Visa and MasterCard last year to protect consumer's credit card numbers.
While PCI Secure provided a way for retailers to encrypt OS/400 application fields holding 16- or 20-digit credit card numbers, which in turn helped them avoid fines (up to $500,000 per incident in the Visa network beginning June 30, 2005, and up to $100,000 for MasterCard), Data Secure has a much wider potential audience, Palgon says. Potential users include companies in the banking and financial services business, hospitals and health insurance companies, government agencies, and schools. The software only runs on OS/400 (V4R5 and up), which is a very popular platform for back-office processing in many of these industries and public institutions.
Data Secure will see use with practically any type of identifying data, including the aforementioned data types, as well as passport numbers, birthdates, maiden names, medical history and employee records, and even ZIP codes. While nobody would worry much about the accidental disclosure of a customer's ZIP code by itself (just stand near the checkout line in any sporting goods store and you'll hear a dozen of them), the problem becomes magnified when other types of customer data are lost at the same time. The more pieces of the identity puzzle that are lost, the easier it becomes for identity thieves to put them back together, Palgon says. That's why it's important to limit the exposure of any piece of identifying information.
For Data at Rest, or On the Go
Data Secure can be applied to data at rest and on the move, Palgon says. Data is vulnerable when it's being transported to an offsite backup or archive facility, and the rash of lost backup tapes by high profile organizations in the last year (read: CitiGroup, Bank of America, Time Warner, and Ameritrade) serves as a potent reminder of the vulnerability of unencrypted backup tapes. DataSecure provides facilities for ensuring the integrity of backups, provided the customer doesn't transport the key or password with the actual data, which is more common than one would like to believe.
However, data is vulnerable even when it's sitting on the server. While IBM has delivered one of the world's most hacker-proof and secure server platforms with the iSeries, even the venerable OS/400 server has few defenses when it comes to disgruntled employees and other ne'er-do-wells who have been given keys to the database in the form of a user name and password. It is for this reason that nuBridges recommends that OS/400 shops protect sensitive data from internal threats even when the threat of an external break-in is slim to none.
truExchange Data Secure is available now. Traditional tier-based software licenses are available, as well as a monthly software-as-a-service (SaaS) license. nuBridges refused to provide specific pricing details and recommend potential users to inquire with the company. For more information, visit www.nubridges.com.
|
