Profile: How nuBridges uses Tokens to guard data
by Steve Ragan - May 7 2009, 00:24
During the RSA Conference this year, The Tech Herald held several meetings and company briefings. Our new 'Profile' series will introduce some of those companies and detail exactly what it is they do. Today’s profile centers on nuBridges, which offers an interesting method for data protection.
When The Tech Herald spoke to Gary Palgon of nuBridges, the expectation was something we are used to when it comes to briefings; namely, the same solutions to the same problems with little to no innovation. Often companies simply tell you they can address a problem with existing technologies and IP (Intellectual Property), but rarely do they actually back that promise up. Think of it as slapping a 'new and improved' sticker on the same old packaging.
We were mistaken. What nuBridges offers, called nuBridges Protect, focuses on PCI compliance by aiming at the data. It wants to protect the data, control access to the data and, even if it's in motion, control how much of the data is exposed. If the data needs to be used in testing, it’s still protected, and there is no gap in availability: the data is simply there, in either the testing environment or the production environment.
So what makes nuBridges Protect so special? Did The Tech Herald drink the magic Kool-Aid? The fact that nuBridges can protect data is nothing special, but how the company protects data and its approach to handling the data once it’s protected is unique -- and, in our book, that makes nuBridges a standout.
Businesses know that they need to protect data, and they do protect it, despite what the news reports say. However, they have all this data for a reason and they need to access it. So, this is why they protect data when it moves about online from a Web interface to the backend database. This is why when a terminal sends credit information across the Internet to a processor it is encrypted.
Yet, if that same data needs to be accessed by the billing department, there’s no encryption. This is because that employee possesses a key to view it completely. This is one of the gaps in PCI: internal information does not need to be protected the way it does when it's sent outside the network or into the network. While the newest draft of PCI, which is expected in the near future, addresses this gap, it exists now.
nuBridges Protect covers the bases pretty well. Like other vendors offering levels of PCI-related security, nuBridges will encrypt a company’s data, manage the keys, and allow the data to move on and off the network encrypted. In addition to this, it also manages the data and protects it as it moves within the network, eliminating the gap mentioned earlier when you look at PCI compliance. Another aspect of the nuBridges offering that stood out from our meeting is Format Preserving Tokenization.
The format preserving process allows a business to secure data without altering the way the data is stored. So if a database has a field designed to hold only credit card numbers, then the company can encrypt that number and keep it the same length. Other solutions require some modifications to the database, as the encrypted data will often demand more space in the table than was originally allowed for.
Format preservation is not something that's brand-spanking new to the market. However, it is still an interesting aspect to data security because of the way it shelters data. The Tokenization process nuBridges offers is actually a module that’s a part of nuBridges Protect. What happens is that the Tokenization module will intercept the data that needs to be protected. After that, there are two steps that take place almost instantly with no other interaction needed. The data to be protected is encrypted and sent to a centralized data vault. At the same time, a Token is made that retains the exact format of the original data, and it is used instead.
The Token and the encrypted data retain a 'strict one-to-one' relationship. Even if keys are rotated, there is only one instance of the encrypted data in the vault. During the rotation cycle, the data doesn’t need to be re-encrypted. Key rotation happens with no downtime, so the Tokens remain legitimate at all times.
The bulk of the Tokenization process is managed by the Token Manager. For example, when 'John in sales' requests a customer's profile, he has no need to see the customer’s credit card information or any personal information other than a name and phone number. So when John calls the customer's record up to his screen, via a CRM in this example, the data needs to be accessed in the central vault, where it resides encrypted. Since John cannot read the information unless it is decrypted, he needs to decrypt the whole file in most cases. Using Tokens, this is no longer the case.
As John starts to access the customer’s record, the application he is using makes a request to the Token Manager and presents the Token itself. The presented Token is validated on various levels, one of which is the level of information someone in sales would need to have access to. Since company policy says sales should only see a name and phone number, the Token Manager uses this policy to seek the Token in the data vault and only decrypt the information that is permitted. After that, the requested customer profile is presented to John’s screen with only the information John has access to. The entire process takes only a few seconds to complete. John now has the access he needs to do his job, and the information is still protected.
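The flow described above, as a toy vault written for this article and not nuBridges code: tokens are digits of the same length as the card number, the same number always yields the same token, rotating the key-encrypting key re-wraps per-record keys without touching the stored ciphertext, and a role policy decides which fields are released. The XOR stream cipher, the HMAC-keyed index and the two-role policy are constructed stand-ins, not the product's mechanisms.

```python
import hashlib, hmac, secrets

# Toy stream cipher (XOR with an HMAC-SHA256 keystream): a stand-in for the
# real block cipher a product would use, so the example runs with stdlib only.
def _crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed policy: which fields each role may read back; "pan" is tokenized.
POLICY = {"sales": {"name", "phone"}, "billing": {"name", "phone", "pan"}}

class TokenVault:
    def __init__(self):
        self.kek = secrets.token_bytes(32)     # key-encrypting key; rotated below
        self.index_key = secrets.token_bytes(32)
        self.entries = {}                      # token -> (nonce, wrapped_dek, ciphertext)
        self.index = {}                        # HMAC(pan) -> token, enforces one-to-one
        self.log = []                          # every request is recorded

    def tokenize(self, pan: str) -> str:
        tag = hmac.new(self.index_key, pan.encode(), hashlib.sha256).hexdigest()
        if tag in self.index:                  # same PAN always maps to the same token
            return self.index[tag]
        dek, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        ct = _crypt(dek, nonce, pan.encode())
        wrapped = _crypt(self.kek, nonce, dek)  # per-record key wrapped under the KEK
        while True:                             # format-preserving: digits, same length
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token not in self.entries and token != pan:
                break
        self.entries[token] = (nonce, wrapped, ct)
        self.index[tag] = token
        return token

    def rotate_kek(self) -> int:
        # Rotation re-wraps each record key; the ciphertext itself is untouched.
        new_kek = secrets.token_bytes(32)
        for token, (nonce, wrapped, ct) in list(self.entries.items()):
            dek = _crypt(self.kek, nonce, wrapped)
            self.entries[token] = (nonce, _crypt(new_kek, nonce, dek), ct)
        self.kek = new_kek
        return len(self.entries)

    def fetch_profile(self, record: dict, role: str) -> dict:
        # Only fields the role's policy allows leave the vault; the PAN is
        # decrypted only when permitted, and unknown roles get nothing.
        allowed = POLICY.get(role, set())
        out = {k: v for k, v in record.items() if k in allowed}
        if "pan" in allowed:
            nonce, wrapped, ct = self.entries[record["pan"]]
            out["pan"] = _crypt(_crypt(self.kek, nonce, wrapped), nonce, ct).decode()
        self.log.append((role, record["pan"], sorted(out)))
        return out
```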
If, for some reason during the process of requesting and presenting information to John’s screen, malware or another threat captured the data, all that's actually captured is the information John sees. This is a good thing, but nuBridges is not an all-in-one company. It can protect your data and help you gain compliance in various areas, not just PCI -- although the company is not a network security solution. This point was made clear in the meeting. nuBridges is but one layer of the overall protection a company would need.
The final aspect to nuBridges Protect is the logging, and by that we mean if it was accessed there is a record of that request. Everything is logged. This can be a curse and a blessing. Anyone who's had to sift through logs knows sometimes it’s more like searching for a needle in a haystack. However, the granular details nuBridges collects can help things along when audit season rolls around or an investigation needs to be launched.
When it comes to platforms, nuBridges Protect will work with IBM mainframe, IBM i, Windows, UNIX and Linux, and with databases including Oracle, DB2 and Microsoft SQL Server.
All in all, nuBridges has something unique, which is why it caught our attention. Format preservation and key management with strong encryption are things almost every compliance vendor can offer. Yet, once the data is encrypted there are still issues to worry about, such as key loss, which the Key Manager in nuBridges Protect addresses, along with availability of the data while retaining control.
The use of Tokens allows the data to be controlled and protected. The process is simple to apply to any data type, and deployment to an infrastructure is quick, measured in days, not weeks or months. If you are looking for something to protect data, or just want to see for yourself what nuBridges is up to, check it out.