The Tech Herald

Voltage shocks new life into information based security

by Steve Ragan - May 6 2008, 11:34

Voltage shocks data security with FPE. (IMG:J.Anderson)

Databases are wonderful things; they are also evil things that, if not secured properly, could land your company in hot water with compliance regulators and consumers. Thanks to the endless reports of lost or stolen data, often housed in databases, IT departments large and small are worried about their data.

Compliance and protection are two words that IT executives know. It doesn’t matter if the company has to conform to PCI DSS (Payment Card Industry Data Security Standard), EU Data Protection, Gramm-Leach-Bliley Act (GLBA), HIPAA (Health Insurance Portability and Accountability Act), Personal Information Protection and Electronic Documents Act (PIPEDA), California SB1386 or the new Identity Theft Red Flag regulations, they still have to deal with auditors looking over their shoulders.

In February, HIMSS attendees, including a cross-section of healthcare providers ranging from community hospitals to multi-hospital systems, said that the top security concerns for their organizations were compliance and user access.

While policy and encryption will help with both issues raised by those at HIMSS, they are often neglected because of resource restrictions or cost. There is also the time it takes to roll some systems into a more secure environment. Often the “Time to Implement” can be months, if not longer.

During RSA, as mentioned in previous reports, there was a strong surge in compliance and encryption offerings. Likewise, attendees were glad to see these offerings, as most of them were worried about those exact issues. Tech Herald sat with one vendor who did something different. While the cost is a little steep for some smaller IT shops, the Voltage SecureData offering fits well within most Enterprise budgets.

Voltage SecureData offers security for databases that is unlike other offerings. The process is called Format-Preserving Encryption (FPE). FPE allows for data encryption without altering the structure of the data.


Traditional algorithms, such as the widely used AES, turn structured data, such as 16-digit credit card numbers, into larger, binary fields. The problem this leads to, as many IT shops can confirm, is a massive re-engineering of databases and applications in order to accommodate the modified data sizes and formats. This is often touted on quarterly statements as the reason why compliance efforts were delayed, hence the “Time to Implement” problem. Keeping the structures intact and avoiding all the extra implementation work shortens the time it takes to meet compliance regulations.
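
To make that contrast concrete, here is an added example (not from the article, and not Voltage's algorithm or NIST FF1): a simplified Feistel construction over decimal digits, keyed with HMAC-SHA256, that maps a 16-digit number to another 16-digit number, next to the storage a padded AES-CBC ciphertext needs. All function names, the key, the tweak and the card number are constructed for illustration.

```python
import hashlib
import hmac

ROUNDS = 10  # assumption for this sketch, not a value from the article

def _prf(key: bytes, tweak: bytes, rnd: int, half: str, width: int) -> int:
    """Round function: HMAC-SHA256 reduced to a `width`-digit number."""
    msg = bytes([rnd]) + tweak + b"|" + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % 10 ** width

def _split(digits: str):
    """Validate the input and cut it into left and right halves."""
    if len(digits) < 2 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("expected at least two decimal digits")
    mid = len(digits) // 2
    return digits[:mid], digits[mid:]

def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    a, b = _split(digits)
    for rnd in range(ROUNDS):
        m = len(a)  # halves swap each round, so widths alternate
        c = (int(a) + _prf(key, tweak, rnd, b, m)) % 10 ** m
        a, b = b, str(c).zfill(m)  # zfill keeps leading zeros
    return a + b

def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    a, b = _split(digits)
    for rnd in reversed(range(ROUNDS)):
        m = len(b)
        c = (int(b) - _prf(key, tweak, rnd, a, m)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b

def aes_cbc_stored_len(plaintext_len: int, block: int = 16) -> int:
    """Bytes needed to store an IV plus PKCS#7-padded AES-CBC ciphertext."""
    return block + (plaintext_len // block + 1) * block

if __name__ == "__main__":
    key, tweak = b"constructed-demo-key", b"cards.pan"  # constructed values
    pan = "4111111111111111"  # constructed sample: a common test card number
    token = fpe_encrypt(key, tweak, pan)
    print(token, len(token), fpe_decrypt(key, tweak, token) == pan)
    print("AES-CBC bytes:", aes_cbc_stored_len(len(pan)))
```

The token still fits a 16-character numeric column, while the AES-CBC form of the same value needs 48 bytes of binary storage once the IV and padding are counted.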

Voltage noted other benefits during the meeting at RSA, including QA enhancement when testing. The ability to de-identify production data offers QA access to the same tools and information as before, only the data remains secured. Outsourced data is protected as well, using the same processes that QA would.

If this is something you are looking at in your company, you might be aware of some direct competitors to Voltage SecureData. Some of the products that Voltage said they often end up competing against include RSA BeSafe Toolkit, Oracle Encryption API, DB2 encryption, and Ingrian DataSecure.

For complete research on database and data security, each company is worth your time and effort. Just remember to weigh the cost alongside the cost of resource usage when rolling out any one of these offerings.

The cost for Voltage SecureData is about $35,000. You can get more research material over at voltage.com.