September 07, 2007

WDOCD: Secure File Transfer

This episode of What Do Other Companies Do is typed before a live studio audience. The question comes from Bill of Jack's Joke Shop (Remember, "If it ain't funny, it ain't worth jack!"), and he asks:

"We're looking for a large file transfer solution that will secure data in-transit. We have a small I/T shop and Help Desk and do not have the capacity to handle user provisioning & management for a solution, and really don't want to start managing a file repository with aging requirements. Like most companies, we are subject to various compliance initiatives such as PCI, HIPAA, and GLBA, but our top management has asked us to exceed compliance baselines where possible.

What do you see other companies doing to attack this problem?"

Excellent question Bill. Many companies struggle with file transfer systems for various reasons. Most large file transfers are automated and handled with some form of secure file transfer such as SFTP/SCP (which requires SSH software on both ends of the connection) or Pretty Good Privacy (PGP) encryption of the file itself before it is sent. For transfers that are ad hoc or smaller, email by itself is a dangerous solution. It's very easy to drop a file as an attachment onto an email, but unless you encrypt the message or the attachment, the contents are readable by every mail server and mailbox it passes through. You should only put things in email that you would be comfortable saying to someone face to face in a crowded Starbucks.
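The automated PGP-plus-SFTP pattern mentioned above, as an added example that is not code from the original post or from any of the vendors it names: a POSIX shell script that checks the recipient's PGP key fingerprint before encrypting, pins the SFTP server's host key through a dedicated known_hosts file so an impostor server is refused rather than prompted for, and ships a SHA-256 digest alongside the ciphertext so the receiving side can confirm the file arrived intact. The key fingerprint, user, host, directory and known_hosts path in the usage comment are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: PGP-encrypt a large file, then push it over SFTP with the
# server host key pinned. All names/paths in the usage comment are hypothetical.
set -eu

# Compare the recipient key's full fingerprint (field 10 of gpg's colon output)
# against the value exchanged out of band; refuses to encrypt to a wrong key.
check_fingerprint() {
    recipient=$1; expected=$2
    actual=$(gpg --batch --with-colons --fingerprint "$recipient" 2>/dev/null \
             | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$actual" = "$expected" ]
}

# Encrypt FILE to RECIPIENT's public key, writing FILE.gpg. --trust-model always
# is safe only because check_fingerprint ran first; it skips web-of-trust checks
# that would otherwise make batch mode fail on an unsigned key.
encrypt_for_recipient() {
    file=$1; recipient=$2
    gpg --batch --yes --trust-model always --recipient "$recipient" \
        --output "$file.gpg" --encrypt "$file"
    printf '%s\n' "$file.gpg"
}

# Hex SHA-256 of a file, used to detect truncation or tampering in transit.
digest_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_digest FILE EXPECTED_HEX -> exit 0 on match, 1 otherwise.
verify_digest() {
    [ "$(digest_of "$1")" = "$2" ]
}

# Upload with StrictHostKeyChecking=yes and a private known_hosts file, so a
# server presenting an unexpected host key fails hard instead of prompting.
sftp_upload() {
    file=$1; user=$2; host=$3; remote_dir=$4; known_hosts=$5
    sftp -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$known_hosts" \
        -b - "$user@$host" <<EOF
put "$file" "$remote_dir/$(basename "$file")"
EOF
}

# Orchestration: fingerprint check -> encrypt -> digest -> upload both files.
send_file() {
    file=$1; recipient=$2; fpr=$3; user=$4; host=$5; remote_dir=$6; known_hosts=$7
    check_fingerprint "$recipient" "$fpr" || {
        echo "recipient key fingerprint mismatch, refusing to encrypt" >&2
        return 1
    }
    ct=$(encrypt_for_recipient "$file" "$recipient")
    digest_of "$ct" > "$ct.sha256"
    sftp_upload "$ct" "$user" "$host" "$remote_dir" "$known_hosts"
    sftp_upload "$ct.sha256" "$user" "$host" "$remote_dir" "$known_hosts"
}

# Usage (hypothetical values):
# send_file ./batch.csv partner@example.com \
#   0123456789ABCDEF0123456789ABCDEF01234567 \
#   xfer sftp.example.com /inbound /etc/xfer/partner_known_hosts
```

On the receiving side, `verify_digest batch.csv.gpg "$(cat batch.csv.gpg.sha256)"` before decrypting catches a truncated or altered upload; the digest does not add confidentiality (the ciphertext already provides that) and is not a signature, so if you need proof of origin, add `--sign` to the gpg call and verify with the sender's public key.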

Several companies have created solutions that provide secure file transfer with low maintenance. Some started with a focus on email, such as Tumbleweed, Voltage's SecureMail, and ZixCorp's ZixMail; that said, most of those companies also offer non-email file transfer solutions. Another company of note is Accellion, which provides a combined product that hooks into Outlook or Lotus Notes with a plug-in and also handles secure file transfer management through an appliance for files that shouldn't go through email at all (think size constraints).

Some of these solutions can exceed SOME baseline requirements, but on PCI Requirement 4 (encrypting cardholder data in transit across open, public networks) they appear to meet the bar rather than exceed it, and your mileage may vary depending on exactly how each one is implemented.

There are other products as well (thank you Google!), but the ones mentioned above are the ones this consultant has seen in use at various companies, large and small.

Thanks for the question Bill! And here's a guy that needs to visit your shop!

August 29, 2007

WDOCD: Secure Tape Destruction

For our VERY FIRST installment of "What Do Other Companies Do" (WDOCD), Randy Smith has asked the following:

"What specifications do other companies require for Secure Tape Destruction (especially for older tapes that could have pre-encryption account number data). To my understanding PCI does not provide a specification.

What standard seems to be "secure enough" for older tapes potentially with unencrypted data?

Do you feel that standard is OK to relax when all the account number data is encrypted?"

Excellent question Randy! Virtually every company we work with has some sort of destruction policy for media, and it varies widely: using a bulk eraser, pulling out the DeWalt and drilling a hole right through the cartridge (yes, one company we have done work for does exactly this after a bulk erase), enlisting a third-party media destruction firm, or transferring the media back to the manufacturer for analysis and destruction. A quick search on YouTube will show you many more creative methods of destroying these devices (though not recommended by this humble security consultant).

Specific to PCI, the only destruction standards mentioned are ISO standards that have nothing to do with destruction at all. Slight oversight that we hope will be corrected soon.

What is actually required is some method of destroying the data or the media such that the data cannot be recovered. Small tape strips are a minor risk, but incineration or shredding is the best method to ensure the data is not recoverable.

For tapes where the account number is encrypted, I do believe a relaxed method would be appropriate. In fact, if you filled a FedEx truck with tapes of encrypted data and then left it in the open for people to take those tapes, you would not be required under state breach notification laws (today) to notify the affected individuals, provided the encryption keys were not lost along with the tapes. The card associations might take a different view of this, of course.

The answer: For unencrypted tapes, be sure you do a very thorough degaussing before taking them to your vendor for physical destruction. This ensures that any leftover fragments will have no data on them to recover. For encrypted tapes, shredding that leaves 3 to 6" tape strips should be acceptable, as long as the keys were never stored on the same media.

Thanks for the question Randy! For your time, keep your eyes open for a little gift from us!