Friday, November 05, 2010

Tokenization and Encryption Solutions

RSA, the Security Division of EMC, has announced its RSA Data Protection Manager to provide comprehensive application data protection capabilities that combine tokenization and application encryption, two popular application-based controls, with advanced token and key management to deliver end-to-end data security.

By protecting data at the source, within the application that’s creating or using it, RSA's product helps ensure seamless data protection throughout the information lifecycle.

"The majority of on-line data breaches happen within the server or application, so mitigating this risk is critical for overall data protection," said Jon Oltsik, principal analyst, Enterprise Strategy Group. "Application-based data security provides a high level of protection because data is protected at the point of capture and then remains protected throughout its lifecycle. Application-based encryption and tokenization can be quite effective for this type of data security."

"Compliance and key management continue to burden our customers," said Dan Schiappa, senior vice president, Products, RSA, The Security Division of EMC. "They want to protect all of their sensitive data using a robust protection method like encryption, but also want to limit the impact on compliance and environment changes by using a cost-effective solution like tokenization. Combining encryption, tokenization, and key management in the same product provides flexibility and reduces management overhead."

Tokenized values maintain their original format, which limits the deployment impact while still providing a high level of protection. In addition, tokens can retain certain portions of the original data (e.g., the last four digits of a Social Security number), so other applications can potentially make business use of tokens without ever having access to the real information.
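The format and last-four behavior described above, sketched as an added example; this is not RSA's code or API, and the `TokenVault` class, its in-memory storage and the sample value are assumptions made for illustration:

```python
import secrets
import string


class TokenVault:
    """Hypothetical in-memory vault (assumption); a real one is an
    access-controlled, encrypted store kept apart from the applications."""

    def __init__(self, keep_last=4, max_attempts=100):
        self.keep_last = keep_last
        self.max_attempts = max_attempts
        self._token_for = {}   # real value -> token
        self._value_for = {}   # token -> real value

    def tokenize(self, value):
        if value in self._token_for:          # same input, same token
            return self._token_for[value]
        digits = [i for i, ch in enumerate(value) if ch in string.digits]
        if len(digits) <= self.keep_last:
            raise ValueError("not enough digits to replace")
        replaceable = digits[:len(digits) - self.keep_last]
        for _ in range(self.max_attempts):
            chars = list(value)
            for i in replaceable:             # separators and tail untouched
                chars[i] = secrets.choice(string.digits)
            token = "".join(chars)
            # Reject a token equal to the input or already issued.
            if token != value and token not in self._value_for:
                self._token_for[value] = token
                self._value_for[token] = value
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenize(self, token):
        # Only callers with vault access can reverse a token.
        return self._value_for[token]


if __name__ == "__main__":
    vault = TokenVault()
    ssn = "123-45-6789"                       # constructed sample value
    token = vault.tokenize(ssn)
    print(token, "->", vault.detokenize(token))
```

The token is random rather than derived from the value, so it can only be reversed through the vault; the retained last four digits still narrow the search space for anyone who holds the token, which matters when deciding which systems may see it.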

RSA said the Data Protection Manager targets larger merchants who don't want to use a third-party provider for tokenization services. DPM does not require a professional services team to implement, but RSA said it frequently gets requests to tune the DPM server for performance. "A hardware appliance is also available for enterprise key management use cases, which makes for easier deployment with customer resources," RSA said.

RSA also offers a point-to-point encryption and tokenization service with payment processor First Data Corp., an option that may be popular with small and midsized merchants attempting to reduce the scope of PCI DSS by moving all payment data out of company systems. RSA has a similar arrangement with San Jose, Calif.-based point-of-sale systems vendor VeriFone Systems Inc., incorporating tokenization and encryption into VeriFone's secure payment systems software (see "VeriFone, RSA to Offer End-to-End Payment Card Security Service").

Protegrity Corp. and Voltage Security Inc. also offer off-the-shelf tokenization/encryption software. Both offer format-preserving encryption, which RSA does not (although RSA's tokenization does preserve format). Format-preserving encryption keeps the encrypted value in the same format as the unencrypted data, such as a credit card number string. In addition, nuBridges offers nuBridges Protect, an integrated encryption, tokenization, key management and logging solution. nuBridges Protect supports field-, file- and database-level encryption.
