Linoma Adds Tokenization to i/OS Encryption Tool
March 9, 2010 Alex Woodie
Linoma Software last week announced Crypto Complete version 2.2, a new release of its i/OS encryption utility that now features cross-platform tokenization capabilities. With the new offering, customers can centralize the storage of sensitive data, such as credit card and Social Security numbers, on a secure System i server, while enabling applications running on other i/OS, Windows, Linux, or Unix servers to access that data using tokens and HTTPS.
Linoma unveiled Crypto Complete in 2007 to provide i/OS shops with an easier route to encryption and decryption that bypassed working with IBM APIs, which can be difficult to learn and use. The configuration-based approach offered by Crypto Complete reduces the amount of manual work required to set up encryption in DB2/400 databases, the IFS, and tape backups, and to keep the encryption routines up-to-date, even as the data changes. The utility, which supports AES and 3DES encryption algorithms, also offers encryption key management, logging, and alerting features.
Now, the addition of tokenization capabilities makes Crypto Complete an even more well-rounded utility for encryption, particularly for mid-size to large organizations struggling to comply with the Payment Card Industry (PCI) mandate.
To enable tokenization, Linoma built an i/OS-based token server that communicates with applications running on Windows, Linux, Unix, and other i/OS servers. Instead of storing sensitive data locally, these applications request a token (a gibberish string of numbers or letters) from the token server.
That token takes the place of the sensitive data, which has been encrypted and stored on the i/OS server, thereby minimizing the risk of losing the data. To retrieve the data, the application submits its token and accompanying authentication information, and the sensitive data is then decrypted and sent, via HTTPS, to the requesting application.
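The request-and-retrieve flow described above, modeled in one process as an added example; this is not Linoma's code or API. The class and method names, the account, and the sample card number are constructed for illustration, the HTTPS hop is left out, and an HMAC-SHA256 keystream stands in for AES because Python's standard library has no AES.

```python
import hashlib
import hmac
import secrets


class TokenServer:
    """In-memory model of a central token server (constructed for illustration)."""

    def __init__(self, accounts):
        self._accounts = accounts            # hypothetical client logins: {user: password}
        self._key = secrets.token_bytes(32)  # data key stays on the token server
        self._vault = {}                     # token -> (nonce, ciphertext)
        self.audit = []                      # (user, action, outcome) records

    def _xor(self, nonce, data):
        # Stand-in for AES (absent from the standard library): HMAC-SHA256 keystream.
        blocks = range(len(data) // 32 + 1)
        stream = b"".join(
            hmac.new(self._key, nonce + bytes([i]), hashlib.sha256).digest() for i in blocks)
        return bytes(a ^ b for a, b in zip(data, stream))

    def _login(self, user, password, action):
        expected = self._accounts.get(user, "")
        ok = user in self._accounts and hmac.compare_digest(expected.encode(), password.encode())
        self.audit.append((user, action, "ok" if ok else "denied"))
        if not ok:
            raise PermissionError("authentication failed")

    def tokenize(self, user, password, value):
        self._login(user, password, "tokenize")
        token = secrets.token_hex(8)         # random, so it reveals nothing about the value
        nonce = secrets.token_bytes(16)
        self._vault[token] = (nonce, self._xor(nonce, value.encode()))
        return token

    def detokenize(self, user, password, token):
        self._login(user, password, "detokenize")
        nonce, ciphertext = self._vault[token]
        return self._xor(nonce, ciphertext).decode()


def demo():
    server = TokenServer({"orders-app": "s3cret-constructed"})
    pan = "4111111111111111"                 # well-known test card number, not real data
    token = server.tokenize("orders-app", "s3cret-constructed", pan)
    orders_db = [{"order": 1001, "card": token}]   # the remote application keeps only the token
    restored = server.detokenize("orders-app", "s3cret-constructed", orders_db[0]["card"])
    try:
        server.detokenize("orders-app", "wrong", token)
        denied = False
    except PermissionError:
        denied = True
    return token, restored, denied, server.audit
```

Because the token is random rather than derived from the card number, a copy of `orders_db` on its own gives no route back to the stored value.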
Used in this manner, tokenization can minimize the scope of PCI audits, according to Bob Luebbe, chief architect for Linoma Software. “If you have a PCI auditor come in and say, ‘We’re going to look at all the systems that store credit card data,’ you can say, ‘Oh, it’s just this one system that stores credit card numbers. All our other systems are clean,’” Luebbe says. “So the auditor will only look at that system, and it can save a lot of money by not having them digging around on all those other systems that used to store credit card data.”
Linoma incorporated a new HTTPS transport mechanism to support the new tokenization capabilities (alternatively, customers can transmit tokens via SQL and ODBC or JDBC). Using HTTPS is the easiest and safest way to exchange data in a tokenization environment, Luebbe says. “You just tell it your token server’s IP address, what user name and password to use, and we do all the underlying communication protocol work,” he says. “You don’t have to know how to do HTTPS or the intricacies of it. Our APIs do all that work for you.”
Linoma decided to build tokenization into Crypto Complete, instead of building a brand new tokenization tool (as some of its competitors have done), for a couple of reasons. First, the two security disciplines are very closely related. “We were able to use a lot of the existing framework,” Luebbe says. “We didn’t have to change our key management at all to support this. You can use the same keys to encrypt tokenized data as you can to encrypt local data. We were also able to keep auditing the same.”
Another factor for piggy-backing tokenization onto the encryption tool was the relatively small pool of potential customers for tokenization. Luebbe estimates about 10 percent of prospective customers for Crypto Complete have shown an interest in tokenization.
“They’re mainly hearing it from industry articles or their PCI auditors,” he says. “They’re just trying to figure out how to make life simpler ultimately, and tokenization has the promise of making it simpler.”
Customers’ desire for simplicity also meshes with the fact that Linoma’s token server runs exclusively on i/OS and leverages the legendary security and reliability of the System i server. Luebbe foresees offering a tokenization appliance, with Crypto Complete packaged onto System i servers.
“The iSeries is just such a naturally secure machine in the first place,” Luebbe says. “That’s something we’re aiming for, to come into a non-iSeries shop and actually sell them Crypto Complete as kind of an appliance, packaged right onto an iSeries system. I think that would be really cool.”
There are some caveats to tokenization. For starters, application response times will be slightly slower when data isn’t stored locally. Linoma found tokenization added 5 milliseconds to application response times when running Crypto Complete on a System i Model 520. There’s also the matter of access to data. While the System i server is one of the most reliable servers in the world, an organization that has moved all its sensitive data in production to a System i server would probably want to protect that data with a high availability solution, Luebbe says.
Despite the new tokenization features, Linoma has not raised the price of Crypto Complete. Licenses are tier-based and start at around $4,000. For more information, visit www.linomasoftware.com.