Member Login What is your e-mail address? My e-mail address is: ____________________ Do you have a password? (_) I am a new member (_) I have a password ____________________ Sign In Forgot your password? Click here close * Our Sites + Defense Systems + FCW - Federal Computer Week + Federal Soup + Federal Employee News Digest + Government Health IT + Washington Technology * Events + 1105 Government Information Group Events + FOSE + GOVSEC + Industry Events * Training Exchange * Jobs + Job Search + Post a Job ____________________ Search * About Us * Email Us * Free subscription Government Computer News * Magazine + Current Issue + Archives + Free Subscription + Subscription Services * Subscribe + Magazine + Newsletters + RSS Feeds * Lab Reviews * Blogs + Tech Blog + FCW Fed Tracker + FCW Forum + FCW Insider + Get a Life! + The Lectern + Work in Progress * eSeminars * Webcasts * White Papers * Industry Solutions + Special Report: Data Center Transformation + Special Report: Defense Training and Simulation + Special Report: Service Oriented Architecture * Research Store * HOT TOPICS * COOP/Telework * Data Record Management * Defense IT * Enterprise Architecture * GCN Lab Reviews * Geospatial * Green IT * Hardware/Peripherals * High Performance Computing * Homeland Security * Identity/Authentication Mgt. * IPv6 * IT/Cybersecurity * Mobile and Wireless * Networks Communications Systems * Open Source * Storage * State and Local * Software/Web Applications * Training/Certification * Web Strategies and Design * Virtualization * INDUSTRY SOLUTIONS * Special Report: Defense Training and Simulation * Special Report: Service Oriented Architecture * Special Report: Data Center Transformation * Snapshot Special Reports * Printable Format * E-Mail this page CYBEREYE Lock down that data * By William Jackson * Jan 05, 2009 Continued exposure of data through inside threats shows need for improved security Another example of the insider threat to personally identifiable information has surfaced. This time it was not just a matter curious employees browsing through celebrity records but a scheme to steal identities and open fraudulent credit card accounts. In December, an employee in the human resources department of the Library of Congress was charged with conspiring to commit wire fraud for a scheme in which he stole information on at least 10 employees from library databases. He passed the information to a relative, also charged in the case, who used it to open the accounts. Together, the two are alleged to have bought $38,000 worth of goods through the accounts. The incident is not surprising, said Mark Bower, director of information protection solutions at Voltage Security Inc. “Human resources [data] is the crown jewel for personally identifiable information,” Bower said. “Because this data has a monetary value these days, this type of source is going to get attacked more and more.” HR systems contain everything you need to establish an identity — all in one location that is frequently unprotected. Because employees have legitimate reasons for accessing that data, it requires more than security technology to protect it. It requires good policy and administrative oversight. But technology is a necessary starting place, and there are tools that can help. Format-Preserving Encryption is a potentially powerful tool that can help protect the information stored in HR databases. Developed at Voltage, it lets you encrypt specific data fields while keeping the data in the same format so that it remains usable in existing databases. Credit card, ID and Social Security Numbers, which are considered personally identifiable information that must be protected under some laws and regulations, often are used as unique identifiers to link records within databases. Applications also use them as indexes to retrieve records, even when the actual numbers are not necessary to the application. Format-Preserving Encryption “solves the problem of having to make changes to your back-end systems,” Bower said. “You could eliminate that threat to things like Social Security numbers very easily with this approach.” That is not just Bower’s opinion. Morris Dworkin, a mathematician at the National Institute of Standards and Technology, said the technique could be valuable in protecting format-specific data. “To make sense of these databases, we need to preserve the relationships that the numbers enable,” Dworkin said. “They are the keys that make the different records in the databases hang together.” The idea of Format-Preserving Encryption goes back to at least 1997, and a number of cryptographers in this country and France continued working on the idea for a decade. Voltage cobbled together the results of that work in 2006 and 2007, building on modifications to cryptographic techniques then applying the Advanced Encryption Standard algorithm to produce a practical commercial tool. The technique is not tied to any algorithm, but Voltage uses AES with a 256-bit key, a very strong method of encryption. It cycles the field to be encrypted multiple times, disposing of some digits in each cycle until it arrives at an encrypted field in the same format as the original. No security tool, regardless of how strong it is, should be expected to work without being backed up with the proper policies, enforcement and monitoring. But a strong first line of defense can help save you from having to respond to a breach after the fact. About the Author William Jackson is a senior writer for GCN. Related Articles * Keeping personal information personal12/29/2008 * Navy computer specialist sentenced for theft12/23/2008 * U.S., EU agree on data protection framework12/17/2008 * Microsoft releases IE8 blocking tool01/09/2009 * SSA needs better data exchange management01/08/2009 Share this Page * del.icio.us * Newsvine * Digg * Reddit * Fark * Slashdot * Google * Technorati * Yahoo! * Yahoo! Reader Comments Please post your comments here. Your Name:(optional) ____________________ Your Email:(optional) ____________________Invalid Your Location:(optional) ____________________ Comment: __________________________________________________ __________________________________________________ __________________________________________________ __________________________________________________ __________________________________________________ __________________________________________________ __________________________________________________ __________________________________________________ __________________________________________________ __________________________________________________ Comment required Your comment has exceeded the maximum length of 3,000 characters. Please shorten your comment. [Captcha.ashx?id=53b8] Please type the letters/numbers you see above ____________________ Submit * Most Popular Articles * Most Emailed Articles SSL certs busted NIST spells out security requirements for wireless access Livermore Lab pioneers debugging tool Lock down that data Mirroring is not backup; backup is not archiving SSL certs busted Mirroring is not backup; backup is not archiving NIST spells out security requirements for wireless access InfiniBand goes the distance Lock down that data Related Webcasts * Toward a More Perfect RHIO * Providing Secure and Reliable Satellite Communications for Overseas Operations * Aligning Strategy and Performance to Comply with Defense Performance Initiatives Related White Papers * EMC Documentum Information Rights Management Extends Security and Control * 10 Keys to Bid and Proposal Management * Cloud Computing: Insights and Impact Related Research * Creating a Success of Biometrics in Government Related Industry Research * Security Directives and Compliance Special Report * SNAPSHOT: ACHIEVING DATA CENTER TRANSFORMATION GCN eNewsletters * Sign up for our free eNewsletters Subscribe Government Computer News delivers the latest news to your inbox. eSeminar * It's a Green New World Kevin Donovan Kevin Donovan, data center manager of the National Renewable Energy Laboratory, discusses the use of green IT and how to improve your Data Center Efficiency (DCE. Read more More eSeminars Sponsor Message * Current issue * The outer limits of embedded systems [gcn_cover_12152008.ashx] Embedded systems are becoming increasingly sophisticated, as their use on the Mars Rover and at the South Pole attest. And they’re becoming more integrated with larger information technology systems. Read more * Full coverage * A secure strategy for online services * The few, the proud, the best * ABOUT * ADVERTISE * CONTACT * CUSTOM MEDIA * EDITORIAL CALENDAR * EVENTS * LIST RENTAL * PRIVACY POLICY * REPRINTS * SITEMAP * SUBSCRIBE * 1105 Government Information Group * Defense Systems * E Gov Institute * Federal Computer Week * Federal Employee News Digest * FederalSoup * FOSE * Government Computer News * Gov Sec US Law Ready * Government Health IT * Washington Technology 1105 Government Information Group Logo 3141 Fairview Park Drive, Suite 777, Falls Church, VA 22042 703-876-5100 © 1996-2008 1105 Media, Inc. All Rights Reserved.