Volume 10, Number 9 -- March 2, 2010

nuBridges Calls for Tokenization Standards

Published: March 2, 2010

by Alex Woodie

Security software vendor nuBridges yesterday called for the formation of an industry group to create official standards for tokenization. The company says standards are needed to ensure the security of data, to reduce vendor lock-in, and to ensure the long-term viability of this relatively new form of data security. nuBridges, which is exhibiting and presenting at the RSA Security conference this week, also unveiled a new release of its tokenization product, called Protect Token Manager.

Tokenization is an advanced form of encryption that is gaining traction among retailers, payment gateways, and banks as a result of the PCI security mandate. The technology works by replacing sensitive data, such as a credit card number, with randomly generated index keys, or "tokens," that point toward the actual credit card number stored in a central database. Organizations that adopt tokenization reduce the risk of unintended information disclosure by storing sensitive data in fewer places, and also lower their storage requirements (because keys are smaller than encrypted data).

While the concept behind tokenization is well accepted, the actual implementations of tokenization vary from customer to customer, and vendor to vendor, according to Gary Palgon, vice president of product management at nuBridges.

"There are different models developing out there for tokenization, and it's causing the beginning of difficulties for companies that actually are implementing it," Palgon tells IT Jungle.

Palgon has two main concerns about the course that tokenization is taking. For starters, the lack of interoperability among tokenization providers decreases a customer's ability to adapt its systems in the future, and increases vendor lock-in. Palgon's second big concern is that the way some vendors are implementing tokenization is not secure.

The fact that tokenization could cause data to be less secure should set off alarm bells for anybody considering this technology. According to Palgon, companies that use algorithms to generate tokens en masse may be defeating the whole purpose of tokenization.

"Let's suppose that you're generating tokens, and let's suppose the algorithm that you use to generate the tokens would add 1. So the first token was 1, the second token was 2," Palgon says. "That may seem well and good. But what happens if I'm a company that's generating credit card numbers? As I tokenize those credit card numbers, I'm getting a pattern, 1-2-3-4, and a pattern defeats the whole purpose of a token. The whole concept behind tokenization is to make information worthless. If there's a pattern behind it, it's worth something."
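
The vault model described earlier and the "add 1" weakness Palgon describes, shown side by side as an added example (this is not nuBridges code or anything from Protect Token Manager). The class and function names, the 16-digit token format, and the card numbers are assumptions constructed for illustration.

```python
import secrets

class TokenVault:
    """Central store that maps tokens back to sensitive values."""
    def __init__(self, token_source):
        self._next_token = token_source   # callable returning a candidate token
        self._by_token = {}               # token -> sensitive value
        self._by_value = {}               # sensitive value -> token already issued

    def tokenize(self, value):
        if value in self._by_value:       # one value always maps to one token
            return self._by_value[value]
        token = self._next_token()
        while token in self._by_token:    # random sources can collide; draw again
            token = self._next_token()
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        return self._by_token[token]

def counter_source(start=1):
    """Weak form: the 'add 1' generator from the quote, zero-padded."""
    state = {"n": start - 1}
    def next_token():
        state["n"] += 1
        return f"{state['n']:016d}"
    return next_token

def random_source():
    """Hardened form: 16 decimal digits drawn from the OS CSPRNG."""
    return f"{secrets.randbelow(10**16):016d}"

def has_arithmetic_pattern(tokens):
    """True when tokens, taken in issue order, differ by one constant step."""
    nums = [int(t) for t in tokens]
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(nums) >= 3 and len(steps) == 1

# Constructed sample values in card-number format, not real accounts.
CARDS = ["4111111111111111", "5500005555555559",
         "340000000000009", "6011000000000004"]

def issue_all(vault):
    """Tokenize every sample card and return the tokens in issue order."""
    return [vault.tokenize(card) for card in CARDS]
```

Running `issue_all` against a vault built on `counter_source()` yields tokens whose order of issue is readable from the values alone, while the `random_source` vault yields tokens that carry no information without access to the vault.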

It's somewhat rare for a company that is at the forefront of an industry, as nuBridges is with tokenization, to call for open standards. After all, the company is doing a decent business writing one-off connections between customers' business applications and Protect Token Manager. Changing from a black-box, proprietary connection model to an open standards model could jeopardize nuBridges' foothold and allow customers to leave for another provider.

But as Palgon sees it, without standards in place for the breadth of tools in this category--encryption, key management, and tokenization--customers will not be happy with the results, and the overall health of this segment of the security business will falter.

"What we're trying to do, effectively, is get together with our competitors and say, 'For the success of our joint customers, certain things over time need to be interoperable,'" Palgon says. "Then we can differentiate on different features and functionality outside of that."

While PCI is driving the adoption of tokenization today, the data security technology is expected to be much more widely adopted in the future, as organizations realize they must protect all personally identifiable information (PII), not to mention personal health information (PHI).

"From a long term strategic standpoint, we need to iron this out here in the next two years before the massive adoptions," Palgon says. "Credit card data only represents about 6 percent of the breached data out there. We're putting all this money and effort into protecting credit card numbers, but the bigger pot of gold of information out there is all this other data. We need standards in place to go after the bigger problems out there, which is the overall PII and PHI."

The working name nuBridges has given to this group is the Tokenization Standards Organization. So far, nuBridges has invited about 15 vendors in the business to join the group, which the company envisions being hosted by one of the popular standards bodies, such as IEEE or OASIS. Palgon will be busy meeting with prospective members this week at the RSA conference, and hopefully the formal group and its founding charter members will be announced sometime this spring.

So, what does Palgon expect to come out of a standards body? For starters, a solid definition of tokenization would be nice. "Even the basic definitions aren't out there. There are multiple definitions" of what constitutes a token, he says. "None of us will have the exact answer. We'll have to work it through together."

A new tokenization protocol, per se, is not in the mix at this point, as existing protocols such as Web services and message queuing technologies will likely suffice for interoperability and integration needs, Palgon says.

nuBridges also announced Protect Token Manager release 1.3, which added more granular control over the encryption key lifecycle; consistency with Key Management Interoperability Protocol (KMIP) standards; pre-configured templates for UK National Insurance Numbers and Canadian Social Insurance Numbers; enhanced surveillance of client, user, and administrative activities; and better LDAP integration.

Protect Token Manager runs natively on i/OS as well as other platforms, and starts at around $50,000. For more information on the Tokenization Standards Organization or Protect Token Manager, contact nuBridges through its Web site at www.nubridges.com.


RELATED STORIES

i OS Security Vendors Tap nuBridges for Encryption and Tokenization

nuBridges Pushes 'Tokenization' with New Encryption Tool



Copyright © 1996-2010 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
