Category Archives: HP Security


ICIT Calls for Legislation to Enforce Encryption on Government Agencies

Category : HP Security

The starting point for a new study from the Institute for Critical Infrastructure Technology is not new: “There are only two types of networks, those that have been compromised and those that are compromised without the operator’s awareness.” Since it is impossible to defend the network, the solution is surely to defend the data. Here encryption can offer something closer to a guarantee of security.

The study (PDF) is primarily directed at government networks, where it suggests “federal government breaches have eroded the public’s confidence in the federal entities’ ability to secure sensitive systems and data against adversarial compromise.”

But just as it is self-evident that networks are regularly breached, so it is self-evident that encryption is not always used. An example presented by the study, which both demonstrates the absence of encryption and the misguided argument for not using it, can be found in the massive OPM breach of 2015. Here a series of breaches led to the theft of 4.2 million personal records and 21.5 million SF-86 forms — the effect of which may be felt for many years to come.

OPM did not use best security practices. Most shockingly, the stolen data had not been encrypted. According to former OPM Chief Information Officer Donna Seymour, “Some legacy systems may not be capable of being encrypted.” It is this supposition and attitude that the report’s author, James Scott, says is not correct.

“Data,” he claims, “can be encrypted on both legacy and modern systems using advanced encryption methodologies such as the Format Preserving Encryption (FPE) derivative of the AES algorithm.”

But he takes his argument one step further: “Since agencies and other public entities have habitually failed to secure citizens’ data, legislators and regulators must intervene to ensure that local, state, and federal entities possess the resources to secure and eventually modernize their architectures, and they must mandate that organizations secure data at-rest, in-transit, and during-processing to the best of their capabilities, according to available technologies, such as Format Preserving Encryption, and according to established legislation and regulation.”

This is a complex issue. Security heads in government agencies are already required to update antiquated (legacy) systems, and to employ best security practices. Agency heads, says last month’s presidential cybersecurity executive order, will “be held accountable by the President for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes, in accordance with chapter 35, subchapter II of title 44, United States Code.”

It is noticeable that the executive order never once specifies the use of encryption. Is this an oversight; is it not considered as important as the ICIT claims; or is it simply too difficult or too costly for government agencies? Or is the use of encryption already implied in this and other existing requirements for government agencies?

Certainly, it is already required. “Federal agencies are required to use encryption by the Cybersecurity Act of 2015,” Luther Martin, distinguished technologist at HPE, told SecurityWeek. “They use it, but not in meaningful ways. The main threats that they face are APT/malware. The main types of encryption that they use are TLS, full-disk encryption and transparent database encryption, none of which do anything useful against APT/malware.”

This could have been rectified in the executive order, but was not. “For the Trump EO,” continued Martin, “remember that encryption is a niche within a niche, security being a small part of IT spending and encryption being a small part of security spending. So, the most likely explanation is that it’s just too small of a part to worry about at that level.”

This view is supported by Ted Pretty, CEO and MD at Covata. “Encryption is a very powerful security tool, but is one part of an overall regime of security controls,” he told SecurityWeek. “There may be other ways of mitigating risk that better suit some systems — for example, better authentication and policy controls — and this is probably why the executive order did not specifically reference encryption. Perhaps the reference to systems also refers to system condition at the network, infrastructure, platform and data level.”

But the two basic arguments of the ICIT paper remain. Is FPE the right and adequate solution for legacy government databases, and should comparable encryption be explicitly required by law?

The advantage of FPE, suggests ICIT, is that it can granularly encrypt individual fields without altering the basic data format. This means that data can be moved between different databases while still encrypted. Furthermore, “FPE can leave a small portion of the data deciphered so that it can be used for identification and processing, but it cannot be used to compromise the user. A familiar example of this is being able to see the last four digits of the SSN or credit card number in private sector transactions. The government sector can similarly de-identify sensitive information without necessarily overhauling existing infrastructure.”

Is this the right solution? “Yes,” says Martin. “FPE really is as good as it sounds. Legacy environments are tricky and expensive to deal with. Perhaps very tricky and very expensive. Using FPE lets you adapt the data to the network instead of adapting the network to the encrypted data. If you’re lucky enough to have an all-post-dot-com IT infrastructure then FPE may not matter to you. But to most of the world, it’s a fantastic innovation.”

“Encryption is unique,” concludes the ICIT paper, “in that it is the only solution that definitely impedes an adversary’s ability to exploit exfiltrated data… For the sake of consumers, critical infrastructure, and national security, public and private organizations must at least encrypt their data; even if legislators and regulators have to mandate encryption requirements.”

According to Martin, the existing requirements of the Cybersecurity Act of 2015 are not sufficient. “This is unlikely to change without additional legislation,” he adds. A combination of FPE and explicit encryption legislation, says the ICIT, is what is needed to restore the public’s faith in government agencies’ use of personal data.


Author: Kevin Townsend



Trends in Cloud Apps APIs, Integration, Microservices & DevOps

Category : HP Security

CLOUD-CON: Integration & APIs features top experts in cloud app architectures to explore how APIs, containers and microservices become even more powerful thanks to modern integration.

Topics to include:

  • Cloud Native Apps
    Learn how to use innovative integration patterns to make the big leap to mission-critical apps that are 100% born to run in cloud environments.
  • Microservices Best Practices
    Microservices should be written once and reused anywhere. Intelligent integration patterns and tools from the cloud are making this happen.
  • Intelligent DevOps
    Create agile, frictionless app lifecycles for most of today’s “must have” apps: multi-cloud apps, cross-SaaS data flows, data-centric security, streaming analytics, serverless deployments and more.
  • API 2.0 – Event-Driven Integration & Analytics
    Move beyond APIs for point-to-point integration. Use APIs across multiple services that can trigger downstream actions – while utilizing real-time analytics to track complex events.
  • End-to-End Data Security
    Secure data at rest and data in motion between on-premise, cloud and mobile apps.

Title: CLOUD-CON: Integration & APIs
Speakers: IBM, Dell Boomi, HPE, Software AG, TIBCO
Date / Time: June 22, 2017

Register now!


Can I Trust My Vendor’s Security Claims? Peer-reviewed vs. self-certification methods

Category : HP Security , Uncategorized

Format-preserving encryption (FPE) is in the news recently, as two researchers demonstrated a cryptanalytic attack on one method that NIST had endorsed—FF3. NIST now expects to revise its endorsement of FF3 (Special Publication 800-38G) after details of the attack are published, either to change the FF3 specification or to withdraw approval. It is important to be aware that this news is independent of NIST’s continued endorsement of FF1 format-preserving encryption (FPE).

However, this very review process—of a publication leading to expert analysis and subsequent revision for any newly discovered weakness—is precisely how we obtain trustable security systems. Without it, we must simply rely on obfuscation and hope from the words of sales reps, none of which is reliable for meeting the security requirements of today’s increasingly high-risk, technically-sophisticated world.

Nonetheless, since the FF3 attack was revealed a little over a month ago, fear, uncertainty, and doubt have started to emerge. Some of this is natural, as enterprises review options and understand impact. However, opportunistic vendors might be attempting to redirect the conversation to often-confusing alternatives to FPE. Perhaps worse, some may be denigrating the process of public review.

Proven in use by the largest organizations, FPE is an industry-defining breakthrough invention by HPE that has been securing the world’s most critical data, from financial information and health care data to sensitive identity records, and more. While HPE’s FIPS-validated FF1 implementation of FPE is not affected by the attack on FF3, it’s worth understanding a bit of the confusion about the NIST process impact.

For reference on HPE’s FPE position, refer to our last blog topic where we review HPE’s FIPS-validated format-preserving encryption, “At HPE, Strong AES FF1 Crypto and NIST Standards Matter”.

So what is the current status and what’s new since the attack was announced?

  • HPE customers using HPE SecureData based on FF1 encryption methods are not affected—it is still business as usual for the industry’s first FIPS-validated solution available for FPE that uses the robust FF1 method based on security proofs
  • No new compromises in the cryptanalytic attack status since April 12 for FF3, and
  • NIST has not yet determined next steps for FF3

With the above in mind, it’s worth looking at the reality of the current situation:

The NIST gold standard for security assurance helps determine vendor-independent trust
NIST standards and recommended best practices remain the benchmark of credible security assurance, both in federal markets as well as commercial. Notably, HPE continues to offer the only FIPS-validated FPE solution on the market with HPE SecureData with Hyper FPE based on FF1.

With heavy scrutiny and open challenges that are out in the public domain, security experts realize it’s more credible to be held subject to public peer review that helps remove the mystery of security compliance, than to simply take vendors’ assurances at face value. Trust should be earned, and NIST remains the benchmark with public transparency in mind. Security vendors must welcome the critical public scrutiny of due process.

Alternatives to FPE may not be a relevant substitute
Traditional tokenization methods or AES encryption, for example, may not best offer the data masking flexibility, application usability with underpinned security, and similar values that make FPE best for data security applications where data in use protection is critical. And this assumes those alternative technologies are fully qualified as a starting point. Even so, relying on less flexible encryption approaches may not fit the needs of today’s modern application requirements, such as Big Data or IoT, where massive scale and usable data analytics are business concerns where FPE can help offer a perfect solution fit.

So with vendor credibility in mind, what should I consider to help ensure a trusted approach to FPE?
It’s important to understand how solutions are vetted to meet your needs vs. ambiguous claims that emerge:

Published methodology: Look for vendors willing to publish their methods for peer review and meet publicly-accepted standards. Peer review analysis helps ferret out methods and secrets, remove obfuscation, and avoid hiding behind claims, in hopes of achieving acceptable security methods.

Reliance on questionable expertise: Be leery if methods haven’t been analyzed by multiple, independent, expert third parties to help ensure credibility. Similarly, avoid methods that only examine security in terms of “brute force” risk. This is analogous to claiming, “the door can’t be broken,” when the lock itself is completely flawed. Whereas, NIST and similar industry standards bodies open up review to a wider audience who understand the credibility that these standards bodies have at stake.

The bottom line to remember is this—the cryptanalytic attack on FF3 and the review that followed are precisely the kind of wide-scale, diverse scrutiny that ensures validation meets stringent security assurance criteria. Through process and procedure, potential technology adopters have an independent and trusted reference that supports maintaining a high bar for trustworthiness.

With HPE’s FF1 method, security was not compromised at the expense of performance shortcuts, as the design was prioritized to be secure against the variety of attacks, such as what compromised FF3. Nonetheless, public scrutiny is welcome, as it’s better to recognize exploits before they happen in the wild by more sinister actors.

While HPE customers using SecureData FPE solutions based on FF1 are not directly affected by the FF3 news, it’s easy to get caught up in the confusion of competing arguments and start to have doubts. We’re happy to continue the conversation by contacting us for more information to help guide you toward smarter, well-vetted, technology choices.

For more information, contact HPE Security – Data Security or your local HPE representative.



Market Guide for Data Masking

Category : HP Security

Published: 6 February 2017 Analyst(s): Marc-Antoine Meunier, Ayal Tirosh
Security and risk management leaders should use data masking to desensitize or protect sensitive data and address the changing threat and compliance landscape. In 2016, data breaches have, once again, demonstrated the growing importance of this technology market.

Key Findings

  • The evolution of threat and compliance environments continues to fuel demand for data masking (DM) solutions. This demand is further sustained by data growth within organizations and the expansion of data analytics use to drive the business.
  • Buyers are increasingly concerned with the risk of reidentification of masked data, especially in complex big data environments, and facing regulations such as GDPR, which require an assessment of that risk.
  • Data masking is available in an increasingly broad array of deployment options to address new and evolving data management and application architectures.

REGISTER TO DOWNLOAD the Gartner Market Guide 



Join HPE Security at the Gartner Security & Risk Management Summit

Category : HP Security

June is right around the corner, which means it is time for the Gartner Security & Risk Management Summit in National Harbor, MD. This annual gathering of security and risk management leaders helps organizations prepare for and head off increasingly dangerous cyber threats. The Summit takes place from June 12-15 and this year’s theme is: Manage Risk. Build Trust. Embrace Change.

Who typically attends? Gartner reports that over 3,000 attendees such as CIOs, CISOs, security analysts and architects, and other related security professionals descend on DC for this annual event. The agenda addresses the latest threats, flexible new security architectures, data privacy, governance strategies and the role of the chief information security officer (CISO).

HPE Security at Gartner

HPE Security feels this show is so important to help educate security professionals that we are a premier sponsor, with a theme of “Fearlessly Innovate.” We are in a period of disruptive change, where success is achieved by innovating faster than the competition. Innovating means adopting technologies that increase productivity, lower costs and extend businesses into new markets. In this environment, organizations that rapidly design, deploy and adapt IT based on the needs of customers, partners and employees cannot be slowed down by security. However, not considering risk in an increasingly connected world jeopardizes innovation.

We feel that security must accelerate, not impede, innovation. We help you build security directly into your data and your apps. We provide the visibility, analytics and automation to rapidly detect, respond to, and remediate threats at scale.

There are many ways to interact with HPE Security and educate yourself in protecting your users, apps and data.

  • Stop by our booth
  • Set up 1:1 meetings with our Security Experts
  • Attend our Solution Provider Session
  • Visit our Learning Labs

Visit our Booth

Visit us at Booth #103 to see live demonstrations of our industry leading Data Security, ArcSight and Fortify product offerings. At the booth, you can set up your 1:1 meeting with our security experts.

Solution provider session:

Join the SIEM Revolution: Q&A Exploring Today’s Intelligent Security Operations 
Today’s Security Operations are facing new disruptors: the sheer scale and variety of data sources, persistent and adaptive threats, and shortage of cybersecurity experts. It requires a revolutionary transformation of SecOps. Join us for a provocative Q&A session with experts managing security operations for some of the world’s largest government and commercial organizations. Hear first-hand stories about how these pros are addressing the toughest security challenges and providing new levels of defense for their businesses.
Date: Monday, June 12
Time: 3:15pm – 4:00pm
Session ID: SPS14

Learning Labs:

New this year at the Gartner Security & Risk Management Summit are learning labs. HPE Security will host several learning labs to educate attendees on various topics including protecting against cyber threats, securing DevOps and data-centric protection for your most valuable data. See the detailed descriptions below and plan to attend the ones that are most relevant.

Data-Centric Protection for Your Most Valuable Data
Are you leaving your most important asset, your data, unattended? Discover how to neutralize breaches, comply with legislation and protect your most valuable data. Data-Centric security protects sensitive data at-rest, in-motion and in-use while powering Omni-Commerce, Cloud and Big Data. Join us to learn why AES FF1 is a strong, vetted, resilient NIST and FIPS validated mode of encryption that enables you to protect your most valuable data.

The new rules of engagement to protect against cyber threats
While organizations agree that protecting against cyber-threats is a top priority, it is becoming increasingly difficult to pinpoint what EXACTLY needs to be done to achieve that. In this session, we will look at the three underlying disruptors that are responsible for today’s cyber-attacks and then dive deep into the strategies that intelligent SOCs are adopting to fight against them.

Advances in application security: harness the power of machine learning
As the software environment becomes more complicated, can your app sec program actually become more simplified? See how machine learning can streamline your app sec process by highlighting vulnerabilities that are most critical to your unique enterprise, allowing you to focus on issues of most risk to you. 

Practical advice for securing DevOps: how to code securely without slowing down developers
As enterprises move towards DevOps, deployment cycles get squeezed. How do you balance speed with security? The two do not have to be mutually exclusive. In this session, we will share best practices from customers of market leading HPE Security Fortify. See how the best app sec programs deliver more secure code, faster.

2017 Hot Topics at Gartner

Gartner also has many sessions filled with content for security professionals. Some of the hot topics this year include privacy and data security, enabling safer cloud computing, risks and opportunities of the Internet of Things, data security and risk governance, and mobile security for digital business. HPE Security can help you navigate and leverage these topics to make you and your business successful.

Haven’t registered yet? Our customers and prospects can register here with promo code SECSP60 for a discounted full conference pass, courtesy of HPE Security! Looking forward to seeing you at the show.


The Great Divide: Bridging the Cloud with On-Prem Systems

Category : HP Security

The information landscape now spreads to the farthest corners of earth, and sky. On-prem systems are increasingly tethered to cloud-based platforms. In between all these touchpoints, a tremendous chasm must be traversed efficiently and safely. With a mountain of sensitive data flowing back and forth daily, a new era of durable, secure data delivery systems must evolve.

Register for this episode of The Briefing Room to learn from veteran Analyst William McKnight as he discusses the evolution of enterprise cloud adoption. He’ll be joined by cloud security expert Dez Blanchfield, who will explain why aging infrastructure cannot handle the stress of today’s workloads. The two analysts will then be briefed by Farshad Ghazi of HPE Security – Data Security, who will explain how his company addresses secure data movement to and from the cloud.

Farshad Ghazi
Global Product Management
HPE Security – Data Security

Analyst: William McKnight
McKnight Consulting Group

Analyst: Dez Blanchfield
Independent Consultant

Watch Webcast


Data Masking Addresses the Changing Threat and Compliance Landscape

Category : HP Security

HPE Security – Data Security is pleased to be recognized in Gartner’s Market Guide for Data Masking, Published: 6 February 2017, Analyst(s): Marc-Antoine Meunier, Ayal Tirosh. As a leading visionary in the prior Magic Quadrant for Data Masking Technology, Worldwide, published: Dec 2015, underpinned by our 10-year leadership in Format-Preserving Encryption technology that is now a recognised NIST standard, we welcome the new guidance from Gartner analysts Meunier and Tirosh.

The Market Guide defines Data Masking as a technology aimed at preventing the abuse of sensitive data by providing users fictitious yet realistic data instead of real and sensitive data, while maintaining their ability to carry out business processes. The Data Masking market has been growing steadily for years, and Meunier expects it to grow even more in 2017, and, in our opinion, beyond.

The market guidance is timely – new privacy regulations such as the General Data Protection Regulation (GDPR) put additional compliance cost pressure on enterprises around the world. Massive growth in data consumption that is powering the next generation of businesses has to be balanced with the risks of sophisticated attacks to sensitive personal data. The recommendation is to look beyond traditional static masking at the approaches such as those available in HPE SecureData, enabling organizations to build a hybrid data de-identification, pseudonymization, and production protection strategy. This strategy can span traditional databases, cloud, big data ecosystems, data warehouse and mission critical platforms through powerful, dynamic Format-Preserving Encryption that reduces risk, increases data utility, and simplifies compliance.

This important Market Guide comes on the heels of another Gartner publication, How Data Masking Is Evolving to Protect Data From Insiders and Outsiders, published: 28 November 2016, Analyst: Marc-Antoine Meunier. That report has specific recommendations for security and risk management leaders concerned with application and data security. The report advised that organizations should “consider using format-preserving encryption and tokenization. Together, they cover a broader spectrum of use cases and software life cycle phases.”

Format-preserving Encryption:

Format-preserving encryption (FPE) is an encryption technology that protects sensitive data while preserving the data format. It transforms data that is formatted as a sequence of symbols in such a way that the encrypted form of the data has the same format and length as the original data (e.g., 9 digits for a social security number, 16 digits for a credit card number). Since no changes are needed to the data format, retrofitting legacy applications is simple, as opposed to conventional encryption, which would change the data format and make the integration complex. FPE also preserves the context, value relationships and meaning of the data, enabling business processes and secure analytics.

Our HPE SecureData encryption product utilizes HPE FPE and secure stateless tokenization technologies that can be used to create masked data for use by developers in test and development, avoiding the need for live data in testing. This powerful platform uses advanced HPE FPE technologies to transform live data into a neutralized, yet useful, encrypted form that applications can still execute on and that can still be used in analytics – without unnecessary decryption, which can lead to exposure and risk.

Security and risk management leaders should use data masking to desensitize or protect sensitive data, the market guide advises, and should address the changing threat and compliance landscape. In 2016, data breaches have, once again, demonstrated the growing importance of this technology market.

Key Findings:

The Market Guide for Data Masking lists these findings:

  • The evolution of threat and compliance environments continues to fuel demand for data masking (DM) solutions. This demand is further sustained by data growth within organizations and the expansion of data analytics use to drive the business.
  • Buyers are increasingly concerned with the risk of reidentification of masked data, especially in complex big data environments, and facing regulations such as GDPR, which require an assessment of that risk.
  • Data masking is available in an increasingly broad array of deployment options to address new and evolving data management and application architectures.


These are the recommendations from the Market Guide for security and risk management leaders responsible for data security and compliance:

  • Mitigate data risk and enable your organization’s digital business transformation by adopting data masking and complementary technologies such as format-preserving encryption and tokenization as a key strategy.
  • Achieve an effective and sustainable deidentification of sensitive data by assessing the reidentification risks throughout the life cycle of your data masking implementation, and favor vendors that offer tools and expertise to establish the reidentification risks.
  • Mitigate risk in applications where traditional DDM (dynamic data masking) approaches have struggled by taking advantage of innovative DDM solutions at the data virtualization or alternative application tiers.

Use this link to read the full report: Market Guide for Data Masking.


Beyond the Red and Blue Pill – Maintaining Data Usability while Protected

Category : HP Security , McAfee

Many of us remember, or have at least seen the meme from, the movie The Matrix, where Morpheus offers Neo a choice between a red pill and a blue pill. The decision is to either live in a harsh reality or choose blissful ignorance. Neo takes the red pill, preferring to explore the harsh reality of the Matrix.

Now, if you’re a security administrator working with an application team or line of business owners, you may not realize that you offer your business a similar choice each day:

  • Do you encrypt sensitive data and leave it blissfully unusable, happy to remain at rest within your storage and servers, free from potential abuses? Or,
  • Do you make data available in the clear to applications within the harsh Matrix-like reality that exists in IT with the potential insider misuse and external threats to steal it?

In the Matrix, Agent Smith wants to attack your data, Neo!

Back in IT reality, it’s a tough call when weighing the trade-offs between business continuity and reliable access to data with the need to protect sensitive data. The “red pill” of open data usability must be considered as a risk trade-off with the “blue pill” of constant protection where one need not worry.

But what if I told you there was a Purple Pill compromise for usable data protection, and that it has a name? It’s format-preserving encryption, and it offers the best of both worlds—data usability with security.

Let’s stay in Wonderland and go further down the rabbit-hole with format-preserving encryption…

Traditional encryption forces a risk decision to encrypt or to leave data exposed in clear text. This creates gaps in security controls when data moves from at-rest, in-motion, to in-use. Instead, format-preserving encryption (FPE) maintains data in an encrypted state, while also making it useful to applications with limited or discretionary risk exposure. If data needs to be exposed for a particular use, it can be limited to specific elements of the data, such as partial masking of a phone number (think, XXX-XXX-3265). But how does FPE do it?

HPE SecureData’s FPE implementation, as an industry-leading example, is based on standardized AES encryption to protect data reliably, while keeping the format of the data unmodified. A social security number still looks like one to a database without requiring schema modifications, a date field will still look like a date to an application, and so on. At the same time, referential integrity is preserved for the data class, so Big Data analytics or database joins can be run on the encrypted data, just like normal, without an application choking on the operation.

This is a game changer when compared to traditional encryption that lacks this dynamic and is a differentiator that HPE can offer for today’s high-volume, data-intensive applications that act on protected information, without exposing unnecessary risks, such as Big Data data lake mining and IoT applications.

By addressing both utility and security, FPE doesn’t need to compromise on either aspect. Security is transformed from a business inhibitor to now the opposite—an accelerator of new initiatives while still mitigating risks. Encrypted data that retains its format looks and acts the same to applications, making it possible to avoid revealing it in clear text unless absolutely required for a specific use case.

Unleash the power of your data initiatives without the fear!

What a boring movie it would have been if Neo simply chose to live in harsh reality, but never needed to use his amazing bullet-time martial arts as a defense. He simply got on with his day without worries, while Mr. Smith gave up against a proven competitor. Now, any security administrator can be a hero to their line of business owners!

Consider today how your data can be afforded the same luxury using the data-centric approach of format-preserving encryption. If an authorized application requires data to be revealed, it would be a situational choice if required for that application, rather than a constant risk when data moves from storage, across the network and into various applications. To learn more about format-preserving encryption, products and solutions, swallow the purple pill and visit these links:



Category : HP Security

When discussing the focus for data security at Hewlett Packard Enterprise (‘HPE’), it becomes apparent that the worldwide news and headlines of cyber-attacks over recent years remain a prime motivator for treating the risk of a data breach. Based in Silicon Valley, Tammy Schuring, Vice President of Sales for HPE Security – Data Security, came into the role in 2015, having dedicated over a decade to growing a loyal customer base. Tammy continues to evangelise a fundamental security approach: protect ‘the data’.

Tammy was in Australia meeting with customers to provide her own insights into the monetisation of data—be it personally identifiable information, healthcare, financial or similar sensitive information. Tammy asserts, “unfortunately, companies the world over are faced every day with the daunting realisation that it’s not a matter of ‘if’ they are breached, it’s a matter of ‘are’ they being breached now, have they ‘already’ been breached or are they ‘about’ to be breached. It’s a change in mindset. Whether it’s an insider threat, or a cybercrime organisation that’s patiently looking for a way to get in or that is already syphoning off data. It’s stepping out and saying at the outset: it’s not a matter of whether we can keep them out, we need to start seeing through the lens of it’s already happening.”


HPE is attacking the data protection problem right at the heart of a much-needed solution. Tammy explains, “What we do at Data Security inside HPE is inoculate sensitive data, so when it’s in the wrong hands, it cannot be used against the customer, be it a company or person. The ability to take sensitive data that the cyber criminals can use, to create money, be it a fraudulent tax return, or credit information, and protect it yet have the data retain its format and its logic inside the company, is huge. This way, if the protected data gets stolen, it cannot be monetised. It cannot be used somewhere else – it’s not actually the real data.”

Typically, when encryption or tokenisation is applied, it transforms the data into an unusable, very long string—a 128-bit or 256-bit value—and applications cannot function with data de-identified that way. HPE SecureData has enhanced the cryptography so that when the data is de-identified, what comes out the other side retains the expected format. It also retains the data’s logic, which a random set of numbers or letters would not. For example, in the case of PAN (primary account number) data, HPE SecureData output will still pass the checksum.

“The other key element,” Tammy highlights, “is it can also retain data relationships, with what in technology is called, ‘referential integrity’. By preserving the referential integrity—your relationship to your address, phone number, your credit card data, your account number, your health data—all of those relationships are preserved, even when we are encrypting or tokenising those elements. Metadata can also be preserved, and that’s an aspect of its logic. The ability to retain as much of the principles of the data. Companies can start to operate on the de-identified data and you will find companies typically have 50 and up to 120 data types that are viewed to be sensitive data.”

“We’re taking the threat surface and drastically reducing it.” Tammy commonly uses an analogy: “it is gold versus fool’s gold – we are figuratively transforming the gold into fool’s gold. It looks like gold, it acts like gold. The data ‘shimmers’ throughout the system; but when the bad guys steal it, they spend a lot of money and time trying to monetise it and they simply can’t—because it’s not real data, but it absolutely looks like data.”


HPE SecureData has built a loyal customer base across a wide range of industries, with the standards-based technologies of HPE Format-Preserving Encryption (FPE) and HPE Secure Stateless Tokenization (SST).

HPE FPE is an encryption technology that preserves the original data format in the encrypted state, as well as context value, relationships and meaning, enabling business process and secure analytics.

HPE SST provides advanced data security without token databases. HPE SST improves speed, scalability, security, and manageability over conventional and first-generation tokenization solutions. These technologies protect the data, and the protection is carried with the data itself – wherever it goes – in-motion, at-rest, and while in-use.

Tammy described how customers can decide, from a rules perspective, how they want the de-identified data to appear, either once it has been encrypted or once it has been decrypted: “One of the things customers can do is called ‘obviously protected’. They can choose to transform it, perhaps as an example, add letters and visually see that this is in fact not the real data, so there are ways to decide, for a particular attribute of the use case or by-product of the system.”


There are a number of regulations that companies must comply with, from PCI DSS (Payment Card Industry Data Security Standard) through to the emerging regulation of GDPR (General Data Protection Regulation), and a wide range beyond that. Tammy notes, “At the end of the day, interestingly, regulations and audit compliance may be only pointers in the right direction. Just ask any compliant company that has still experienced a data security breach.” Tammy adds, “If anybody believes that compliance equals security, just go read the news any day of the week. Customers are able to leverage our solution to greatly reduce their compliance scope and save personnel hours, and that’s not even the best part of the story.”

“The best part of the story,” Tammy says, “is where they end up at the other side. It is truly addressing the risk. The risk that even if you were compliant, and have reduced the compliance footprint, like we do with PCI so dramatically, and you still suffer a breach. If that data is stolen, that data itself cannot be monetised. The ability to leverage the format preserving encryption and format preserving tokenisation, that we bring to the market, enables them to protect the data at capture and keep it protected throughout its lifecycle. There’s no longer a need to decrypt it to determine where it goes next. It ends up staying in its protected state.”

GDPR will greatly impact how companies will deal with data, going beyond just fines and protecting personal information, but opening avenues to a world of lawsuits and empowering the individual to take action. Up to four percent of a company’s annual turnover (Article 83, GDPR) is potentially at risk, so the stakes are tremendously high.

Tammy explained, “There are specific aspects within GDPR that deal with data protection, and I am talking about pseudonymization. If you leverage this, to a great extent, it is almost the “get out of jail free” card.” Tammy said, “If you are taking this personally identifiable information as defined by GDPR, and you’re leveraging a data protection solution such as HPE SecureData, you’re keeping all the benefits of the data but you’re leveraging pseudonymization. Such that, should something happen to the data, and it is lost or stolen, the data is useless to the attackers, and is therefore a nonevent and that is the ideal scenario.”


One of the big innovations is around data itself. Tammy notes, “If you go back just a few years, the amount of data that we could consume and do real-time analytics on pales in comparison to what we can do today. There is so much value in being able to take not only the data a company has, but bringing in data from other sources. Working with some of the car manufacturers and their belief there should never be a recall on a car again, because these cars are so instrumented and with so much data coming out of them, they should get ahead of any problem that would come up. But it wasn’t until ‘big data’ that they could see the patterns light-up in real time, in order to determine where they needed to make adjustments. Once they figured out with these innovations in technology, there was a major inhibitor standing in their way – and that was security.”

“The proposition was there, but how could you take so much sensitive data about just one person? Their personally identifiable information, the vehicle’s identification number or VIN, where they’re going, GPS data, how fast they’re driving, you name it. How many times are they hitting the brakes, and to put that essentially into a huge soup pot that’s based on Hadoop, innately probably the most insecure platform on the planet right now. The risk was too high.”

“What we’ve been able to do with the SecureData technology is apply it into the world of big data analytics. For example, with the car manufacturers, that ability to protect the data in a way that the format is preserved, the logic is preserved, and most importantly the relationships. It is not important to know all the individual pieces of information and details. What is important is the ability to detect the patterns. There is so much data there, the problem really isn’t an ability to associate with one particular person, but the ability to see those patterns.”



Tammy highlights, “One of the key aspects that is shining a light on this technology’s evolution is access to the cloud. The ability to embrace public cloud can save companies a tremendous amount of money by giving them access to things that they didn’t have access to before.” Referring to a large car brand as a customer, Tammy said, “they discovered they can save 40 per cent, per application, per year, if they moved their .NET applications to Microsoft Azure. This value proposition is potentially tens of millions, if not hundreds of millions of dollars in some cases, over a five-year period. When this was realised in one of the business units, the CEO was naturally very excited with such an innovative, cost-saving measure. Before proceeding, Security asked one simple question—is there any sensitive data, including PAN data, involved? The answer was, ‘yes’. Yet before objecting to the project, someone on the CISO’s team had recalled our ability to secure the data and preserve the format. Without creating a bigger processing footprint in putting this data into the cloud, in these .NET applications, the concerns the customer had around the data were addressed. The applications did not have to change their data model. With the data format and data relationship integrity staying intact, there was no need for any rule changes.”

“We match the elasticity model in the underlying platform,” Tammy continued, “so most of our customers decide they want this data-centric protection model across their entire organisation. They don’t want to have to decide if it will only be in the Hadoop environment, or only in their mainframe, or .NET, or J2EE (Java Platform Enterprise Edition) applications, or open system applications. What we do is match to the acuity model of that environment. Such as in Hadoop, that is a node-based environment and we can sell our product based on the node count; for a smaller organisation with 10-20 nodes, through to some of the largest customers in the world, with tens of thousands of nodes, we have a model that can be adapted for all.”

IoT is an exciting paradigm and the wave is just starting to hit. However, Tammy asserts, “there is so much data and this can be used very maliciously. Be it a driverless car or a medical device, should someone manipulate that, the impact is no longer how much data can I monetise, the impact is on people’s lives.”

The HPE SecureData technology comes packaged as either an API (Application Programming Interface) or an SDK (software development kit). HPE has a mobile SDK which allows companies to build protection right into their mobile applications. With this capture-time format-preserving encryption, the information we all enter into our devices while on the go can be protected right at the point of capture. Tammy explained, “It’s not sitting in memory in clear text. The vulnerability aspect of what these mobile devices bring is addressed. We’re seeing with IoT, the power, scale, innovation, is exponentially improving, not in years now but in months. What could be done a year ago, pales in comparison to what will be done a year from now. The ability to build in this encryption, right at capture from inside these IoT devices, is there in many cases, or on the verge of being there.”

“When you look at the difference in the innovation, in regards to encrypting and keeping the format the same, versus bloating it into a 256-bit string, that impact is minimal. We’ve been deployed with two of the biggest card brands in the world, with every single card transaction related to them. The ability to be in every single transaction means it has to meet requirements in performance and scale. SecureData has the ability to take any production data, like transaction information, be it per second information, latency information, and then turn it around and apply it in the world’s top financial institutions, healthcare and retailers. We can show that at scale, so the customer’s requirements are often so much lower than we’re already being applied to.”

“One of the key elements of what powers a lot of what HPE SecureData does and why this is being adopted so broadly now, is that the technology has format preserving encryption, now a mode of AES (Advanced Encryption Standard). We have received our NIST (National Institute of Standards and Technology) certification as FFX1, and our FPE technology provides accelerated encryption performance up to 170 per cent in conservative scenarios. Building on today’s proven high-speed FPE technology, while aligning to the high-volume needs of next generation Big Data, cloud, and IoT scenarios. With the power of what this algorithm can do in terms of enhancing the encryption footprint, the US Federal Government fast-tracked it to make it a standard and now, as we’re finalising our FIPS 140-2 and Common Criteria, this opens up many areas. Where it was already being leveraged before that certification, it is now able to be used by government entities and other entities who set the bar and this standard is a requirement.”


End-to-end Protection for Payment Data

Category : HP Security

In today’s environment of heightened regulatory requirements and increasing risk of cardholder data breach, it is critical for merchants, payment processors, and acquirers to protect payment data anywhere it moves, anywhere it resides, and however it is used. In payment acceptance systems, including EMV (Europay, Mastercard and Visa) terminals, payment data is commonly left unprotected during the authorization and settlement processes. Payment data is also left unprotected during routine and necessary back-office business processes such as fraud screening, chargeback processing, and recurring payment processing. Traditional methods for protecting payment data are often inflexible, expensive, and difficult to implement.

HPE SecureData Payments securing sensitive data end-to-end
HPE SecureData Payments protects payment data at all points, from swipe/dip through to the payment processor, end-to-end. It eliminates the traditional complexities associated with payment device key injection, key management, payment application changes, and enables a true end-to-end architecture that can be rapidly deployed even in the most complex environments.

PCI Compliance Alignment
HPE SecureData Payments can reduce the cost of complying with PCI DSS—a direct result of reducing the number of changes necessary to implement payment data protection while eliminating payment data from databases and applications. By incorporating HPE Secure Stateless Tokenization with HPE SecureData Payments, service providers, merchants, and enterprises are able to secure back-end data, removing data from PCI audit scope while complying with the latest PCI DSS requirements for cardholder data protection. HPE Secure Stateless Tokenization maintains token schemes across regions with no communication between them, eliminating the need for a central key management database as well as database replication. By tokenizing card numbers immediately at the source, clear data is eliminated from the transaction process.

As providers move to point-to-point encryption (P2PE) validations, HPE SecureData Payments enables service providers to expand their reach by offering a complete P2PE v2 validated solution. With HPE SecureData Payments cardholder data is protected from the earliest point of entry in such a way that decryption keys are not available at POS devices or any other intermediate systems, significantly reducing potential attack areas. HPE SecureData Payments communicates with validated, authorized payment terminals sending secure payment transactions for processing to the back-end system. The back-end host incorporates an integrity check on the cryptographic functions, creating host logs based on crypto changes. This enables management and control of the complete system and payment transactions.

Innovation in cryptography provides end-to-end encryption without massive changes
HPE SecureData Payments is a complete payment transaction protection framework, built on two breakthrough technologies encompassing encryption and key management: HPE Format-Preserving Encryption (FPE) and HPE Identity-Based Encryption (IBE). These two technologies combine to provide a unique architecture that addresses the complexity of retail environments with high transaction volume.

HPE Format-Preserving Encryption
With HPE Format-Preserving Encryption (FPE), credit card numbers and other types of structured information are protected without the need to change the data format or structure. In addition, data properties are maintained, such as a checksum, and portions of the data can remain in the clear. This aids in preserving existing processes such as BIN routing or use of the last four digits of the card in customer service scenarios.
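As an added illustration of the properties described here and in the SecureData interview above (format kept, BIN left in the clear for routing, checksum still valid, deterministic output so joins keep working), the following Python is a toy Feistel-based FPE written for this page. It is not HPE’s FPE, not NIST FF1, and not fit for real card data; the key and the PAN are constructed test values.

```python
"""Toy format-preserving encryption (FPE) of a card PAN (added example, not HPE code).

Illustrative Feistel construction keyed with HMAC-SHA256.  It is not NIST FF1 and
must not be used for real card data; it only shows the properties the text lists:
output is still a 16-digit PAN, the issuer BIN stays in the clear for routing,
the Luhn checksum still passes, and encryption is deterministic so joins work.
"""
import hashlib
import hmac

ROUNDS = 10  # Feistel rounds; plenty for a demonstration


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def _round_function(key: bytes, tweak: bytes, rnd: int, other: str, width: int) -> int:
    """Keyed pseudo-random value in [0, 10**width) derived from the other half."""
    digest = hmac.new(key, tweak + bytes([rnd]) + other.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)  # tiny modular bias, fine for a demo


def _feistel(key: bytes, tweak: bytes, digits: str, encrypt: bool) -> str:
    """Unbalanced Feistel network over a decimal string (length >= 2); a bijection."""
    u = len(digits) // 2
    v = len(digits) - u
    left, right = int(digits[:u]), int(digits[u:])
    order = range(ROUNDS) if encrypt else range(ROUNDS - 1, -1, -1)
    sign = 1 if encrypt else -1  # decryption subtracts the same round values in reverse
    for r in order:
        if r % 2 == 0:
            left = (left + sign * _round_function(key, tweak, r, str(right).zfill(v), u)) % 10 ** u
        else:
            right = (right + sign * _round_function(key, tweak, r, str(left).zfill(u), v)) % 10 ** v
    return str(left).zfill(u) + str(right).zfill(v)


def protect_pan(key: bytes, pan: str, clear_bin: int = 6) -> str:
    """Encrypt the digits between the BIN and the check digit, then recompute Luhn."""
    if not luhn_valid(pan):
        raise ValueError("input is not a Luhn-valid PAN")
    head, body = pan[:clear_bin], pan[clear_bin:-1]
    if len(body) < 2:
        raise ValueError("too few digits left to encrypt")
    enc = _feistel(key, head.encode(), body, encrypt=True)  # the BIN doubles as the tweak
    return head + enc + luhn_check_digit(head + enc)


def unprotect_pan(key: bytes, token: str, clear_bin: int = 6) -> str:
    """Inverse of protect_pan; the original check digit is recomputed from the plaintext."""
    head, body = token[:clear_bin], token[clear_bin:-1]
    dec = _feistel(key, head.encode(), body, encrypt=False)
    return head + dec + luhn_check_digit(head + dec)


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed, not a real key
    PAN = "4111111111111111"       # constructed Luhn-valid test number
    token = protect_pan(KEY, PAN)
    print(PAN, "->", token, "luhn ok:", luhn_valid(token))
    print("round trip ok:", unprotect_pan(KEY, token) == PAN)
```

Because the Feistel step is a bijection on the encrypted digits, two different PANs with the same BIN always yield different tokens, which is what keeps joins and referential integrity intact on the protected data.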

HPE Identity-Based Encryption
HPE Identity-Based Encryption (IBE) is a breakthrough in key management that eliminates the complexity of traditional Public Key Infrastructure (PKI) systems and symmetric key systems. In other words, no digital certificates or keys are required to be injected or synchronized. HPE IBE also enables end-to-end encryption from swipe-to-processor and swipe-to-trusted-merchant applications.

With point-of-sale (POS) solutions that use legacy symmetric encryption, encryption keys must be reset annually for each POS device through a process called key injection. This procedure is expensive and cumbersome, as merchants must take POS devices offline while new keys are injected. With HPE SecureData Payments, because encryption keys are securely generated on demand and not stored, POS devices are not subject to key injection and key rotation. This function happens systematically, eliminating labor-intensive key management processes and costs.

HPE SecureData Payments compatibility

  • Robust host side capabilities and broad platform support: HPE SecureData Payments Host SDK can be deployed on a wide variety of platforms including HPE NonStop, Windows®, Linux®, UNIX®, z/OS, and Stratus. HPE SecureData Payments is the only data protection solution available that natively runs on NonStop (OSS and Guardian) and Stratus VOS, enabling maximum protection and efficiency.
  • Unified, complete end-to-end data security: HPE SecureData Payments enables merchants and service providers to protect their entire payment stream and reduce PCI audit scope from the end user to back-end systems by addressing a variety of data protection needs: m-commerce (in-app) payment data (mobile), e-commerce/in-browser payment data, device-based encryption of payment data (P2PE), and protection of PCI data stored for post-authorization needs.
  • Stateless key management: HPE SecureData Payments does not require digital certificates or keys to be injected or synchronized with the host. Because encryption keys are securely generated on demand, POS devices sufficiently protect card data without the need for key injection or key rotation, which can be labor-intensive and expensive to administer.
  • Integrated with an industry-leading pioneer: HPE SecureData Payments is the only off-the-shelf integrated solution with a PCI-HSM and FIPS validated secure root of trust (HPE Atalla HSM) to protect payment data, payment authorization and fraud prevention. The integrated solution extends end-to-end data protection through the combined, integrated solutions of HPE SecureData Payments and HPE Atalla Hardware Security Module (HSM). By joining data-centric data protection with a tamper-reactive hardware security module, companies are able to neutralize data breaches by protecting data, rendering it useless to attackers.
  • Multiple integration options: Processors and merchants can choose to integrate using SDKs, Web services, and/or command line tools for quick and simple deployment. End-to-end encryption can easily be combined with HPE Secure Stateless Tokenization (SST) to provide merchants with a complete solution for PCI audit scope by protecting data stored for post-authorization needs.
  • Integrated POS systems: HPE SecureData Payments solution is integrated into a variety of payment terminal devices and platforms, giving organizations the flexibility to select one or more payment vendor(s) for the required business needs. For a complete list of payment partners, visit com/partners.
  • Scalability and performance: A flexible, scalable architecture that scales quickly, eliminating the need for merchants to self-manage payment transactions. The platform delivers complete control over the end-to-end payment security stream for omni-channel business requirements.

How secure is secure?
To ensure compliance with PCI DSS best practices and requirements, Coalfire, a well-known cyber risk management and compliance organization, conducted independent technical assessments of HPE SecureData Payments to verify HPE SecureData Payments meets the current PCI DSS standards.

End-to-End Data Security for the Payments-driven Market
HPE SecureData Payments is part of the HPE SecureData portfolio for protecting sensitive data in-motion, in-transit and at-rest. HPE SecureData Payments is a complete payment transaction protection framework built on a flexible and highly scalable architecture, including a common back-end infrastructure that protects system and device payment transactions for ecommerce (mcommerce), mobile payments, card on file (CNP) and the associated PII payment stream data.

Protect the full payment stream—more than just the credit card number—and the associated PII payment stream information, including payment data from POS devices, terminals, browsers and mobile devices. By incorporating data-centric endpoint protection with HPE SecureData Web and HPE SecureData Mobile, enterprises and service providers are able to protect the full payment lifecycle.