Tokenization Without Technical Expertise? Townsend Says It’s Here
September 28, 2016 Alex Woodie
Tokenization has emerged as a favorite technique for protecting sensitive data without the heavy performance, storage, and productivity hit that encryption entails. However, implementing a tokenization solution has typically required advanced development expertise, at least on the IBM i platform. Now Townsend Security has introduced a new IBM i-based tokenization solution that it says delivers the benefits of tokenization without involving programmers.
Tokenization is an advanced form of encryption that’s gaining traction among banks, retailers, and payment gateways. The technique works by replacing the value of sensitive database fields, such as credit card numbers, with randomly generated index keys, or “tokens.” When the application needs the actual clear text value, it can submit a request for the data stored in a secured and encrypted database, which then “detokenizes” the value and sends it to the requesting system over a secure network connection.
In this manner, tokenization has become an acceptable way to reduce exposure to PCI requirements, which means less expense. As a side benefit, tokenization also makes life easier for quality assurance (QA) engineers, since the tokenized data maintains the shape of the original data, and therefore is useful for testing purposes.
Townsend Security is among the providers of IBM i security software that has embraced tokenization. The company has provided IBM i-based tokenization capabilities via its Alliance Token Manager product. While the software streamlined some aspects of implementing tokenization initiatives, it left some work up to the developer.
Earlier this month, Townsend Security unveiled a new release of its Alliance Token Manager that it says will further automate the process of setting up a tokenized environment.
“We have long had a tokenization solution in the market that was designed as a developer’s toolset,” says Patrick Townsend, CEO of the company that bears his name. “Once we heard from our customers a desire to simplify tokenization, we just needed to roll up our sleeves to create something that was user friendly. The underlying cryptographic work was already complete.”
Townsend says the automatic tokenization feature can be used by technical and non-technical members of the IT team alike. “You can completely set up tokenization without doing any programming,” he tells IT Jungle via email. “That being said, we do provide commands and samples that programmers might like to help automate the process. No modifications to existing databases or application code are required.”
Tokenization actually can be more difficult to implement in IBM i than encryption because core tokenization capabilities have yet to be built into the database. IBM has done a lot of work over the years to simplify encryption in DB2 for i, such as the release of the field procedure (“field proc”) that simplifies calls to encryption algorithms.
That sort of work has yet to be done for tokenization, Townsend says. “Unlike encryption, where there is existing support by IBM in the operating system, tokenization requires that you license a solution from a vendor or write it yourself,” he says. “Additionally, there are very precise ways of doing tokenization correctly and this generally involves using cryptographic libraries in the proper manner.”
While some technically savvy IBM i shops are comfortable working with IBM technology, like the Secure Hash Algorithm, that work is beyond the comfort level of many shops, which will opt to have somebody else develop the software, or buy a third-party product. Additionally, tokenization as a service is also available, Townsend adds.
With the latest release of Alliance Token Manager, Townsend Security has focused on enabling the use of databases by developers and QA teams.
“We’ve been hearing from IBM i customers about the need to automatically cleanse production data for some time,” he says. “It was pretty straightforward to leverage the existing tokenization technology in Alliance Token Manager to create a solution.”
Townsend’s tokenization solution enables the creation of so-called “non-recoverable” tokens, which cannot be redeemed from protected databases for clear-text values. The use of non-recoverable tokens to shield what the PCI refers to as primary account numbers (PANs) is becoming a favored way for QA teams to test their applications with real data, without the risk of potentially exposing the data.
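The token lifecycle described earlier (a random, shape-preserving token, a secured lookup for detokenization) and the non-recoverable variant described here can be sketched in a few lines. This is an added example, not code from Townsend Security or Alliance Token Manager; the `TokenVault` class, its method names, and the sample card number are hypothetical, and the in-memory dictionaries stand in for the encrypted token database.

```python
import secrets

DIGITS = "0123456789"

def shape(value):
    """Format of a value with every digit masked, e.g. '9999-9999'."""
    return "".join("9" if c in DIGITS else c for c in value)

class TokenVault:
    """In-memory stand-in for the secured token database (hypothetical)."""

    def __init__(self):
        self._by_token = {}  # token -> clear value; a real vault encrypts this
        self._by_value = {}  # clear value -> token, so a repeat gets the same token

    def _fresh_token(self, value):
        if not any(c in DIGITS for c in value):
            raise ValueError("value has no digits to replace")
        while True:
            # Random digits from the OS CSPRNG; separators stay in place so the
            # token keeps the shape of the original field.
            token = "".join(secrets.choice(DIGITS) if c in DIGITS else c
                            for c in value)
            # Retry if the token equals the input or is already issued.
            if token != value and token not in self._by_token:
                return token

    def tokenize(self, value, recoverable=True):
        if not recoverable:
            # Nothing is stored, so no later request can return the clear value.
            return self._fresh_token(value)
        if value not in self._by_value:
            token = self._fresh_token(value)
            self._by_token[token] = value
            self._by_value[value] = token
        return self._by_value[value]

    def detokenize(self, token):
        # Raises KeyError for unknown tokens, including non-recoverable ones.
        return self._by_token[token]

if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111-1111-1111-1111"  # constructed test card number
    token = vault.tokenize(pan)
    print(token, vault.detokenize(token) == pan)
    print(vault.tokenize(pan, recoverable=False))
```

Because the token is drawn at random rather than computed from the card number, it reveals nothing about the original value; the only path back is the vault lookup, and a non-recoverable token has no path back at all.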
In addition to application testing, IBM i shops are interested in shielding sensitive data while moving their DB2-resident data offsite, often for the purposes of analyzing it. For example, some Townsend customers have asked for ways to move DB2 data into MongoDB’s NoSQL databases or IBM Watson, the cognitive platform from Big Blue. That data can’t go anywhere until the sensitive parts are stripped out, and tokenization provides a relatively simple way to do that, Townsend says.
Alliance Token Manager supports more than 20 different field types out of the box, including credit card, date, zip code, social security number, address, and many others. For more information, see www.townsendsecurity.com.