Security protection mechanisms cover a broad range of areas and technologies used to ensure the safety of both physical and logical assets. Included in this discussion are access control methods, network and system firewalls, remote access options, intrusion detection, and data encryption. Viewed in layers from the outside in, controls can be applied at the Internet, network, system, and data levels, which makes it apparent that the last line of defense is at the data level. A number of controls are available to protect data from theft and corruption, but one of the most interesting is encryption.
In the electronic payments industry data encryption has been in place for some time, though not consistently across the industry. Until the last decade it was not uncommon to store some transaction information in the clear, and transactions themselves were commonly sent over private networks unencrypted unless there was a regulatory reason to encrypt them. Encryption of automated teller machine (ATM) and debit card transactions, for example, has been required for over twenty years. As the use of public networks, mainly the Internet, has expanded, the need to encrypt data both at rest and in transit has increased, and as more data storage and processing moves to cloud-based solutions the need for data encryption has increased further.
In a standard cloud-based data storage scenario the service provider supplies the encryption controls and also holds the encryption keys for whatever method is used to perform the encryption. A further concern is the encryption method itself: whether the provider's implementation is open source or proprietary, the customer has no control over, and usually little visibility into, the algorithm, mode, and key-handling practices the provider has chosen. More recently, Bring-Your-Own-Encryption (BYOE) has been proposed as a security model, and it has the potential to change the way companies control data stored on cloud-based services.
Eduard Kovacs, writing in SecurityWeek on July 15, 2014 in the article Bring Your Own Encryption: Is it the Right Choice for Your Enterprise, notes that making use of BYOE allows companies to retain control of data encryption. A company can define the encryption methods it wants to use and also retain control of the encryption keys. Keys can be managed within the cloud service or held in the company's own data center, which lowers the possibility of compromise further. The latter arrangement keeps the data protected even if the cloud provider is breached, since the provider holds only ciphertext, and it has the additional advantage that a court order compelling the provider to hand over all information in its systems yields only ciphertext as well.
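The customer-held-key arrangement described above, as an added example that is not code from the article or from SecurityWeek: envelope encryption, where each record is encrypted under its own data encryption key (DEK) and the DEK is wrapped with a key encryption key (KEK) that never leaves the customer. What the provider stores is the ciphertext plus the wrapped DEK, which is all a breach or a court order can surface. The record layout, the KEK identifiers, the sample transaction string and the use of AES-256-GCM for both the payload and the wrap are assumptions made for this example. It goes one step beyond the article by showing KEK rotation as a re-wrap of the DEK, so the stored data itself is never re-encrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is everything the cloud provider stores for one record. Nothing in it
// is usable without the customer-held KEK. Field layout is assumed for the example.
type Blob struct {
	RecordID   string // bound to the payload as AEAD associated data
	Nonce      []byte // AES-GCM nonce for the payload
	Ciphertext []byte // payload ciphertext plus GCM tag
	KEKID      string // which customer KEK wrapped the DEK, bound as associated data
	WrapNonce  []byte // AES-GCM nonce used when wrapping the DEK
	WrappedDEK []byte // per-record DEK encrypted under the KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs in customer-controlled code: a random 256-bit DEK encrypts the
// record, and the KEK is used only to wrap that DEK. The KEK is never sent anywhere.
func Encrypt(kek []byte, kekID, recordID string, plaintext []byte) (Blob, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Blob{}, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return Blob{}, err
	}
	wn, wdek, err := seal(kek, dek, []byte(kekID))
	if err != nil {
		return Blob{}, err
	}
	return Blob{RecordID: recordID, Nonce: nonce, Ciphertext: ct, KEKID: kekID, WrapNonce: wn, WrappedDEK: wdek}, nil
}

// Decrypt needs the KEK. The provider, or anyone who obtains the Blob from it,
// cannot perform this step; a wrong KEK or a modified blob fails authentication.
func Decrypt(kek []byte, b Blob) ([]byte, error) {
	dek, err := open(kek, b.WrapNonce, b.WrappedDEK, []byte(b.KEKID))
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: wrong KEK or tampered blob")
	}
	return open(dek, b.Nonce, b.Ciphertext, []byte(b.RecordID))
}

// Rewrap rotates the KEK by re-wrapping only the DEK. The stored ciphertext is
// untouched, so rotation never requires re-encrypting the record itself.
func Rewrap(oldKEK, newKEK []byte, newKEKID string, b Blob) (Blob, error) {
	dek, err := open(oldKEK, b.WrapNonce, b.WrappedDEK, []byte(b.KEKID))
	if err != nil {
		return Blob{}, err
	}
	wn, wdek, err := seal(newKEK, dek, []byte(newKEKID))
	if err != nil {
		return Blob{}, err
	}
	b.KEKID, b.WrapNonce, b.WrappedDEK = newKEKID, wn, wdek
	return b, nil
}

func main() {
	kek := make([]byte, 32) // in practice held in the customer's own HSM or key store
	rand.Read(kek)
	// Constructed sample record for the example; not real card data.
	blob, _ := Encrypt(kek, "kek-2014-07", "txn-0001", []byte("PAN=4111111111111111;amount=12.34"))
	fmt.Printf("provider stores %d ciphertext bytes and a %d-byte wrapped DEK, no key\n", len(blob.Ciphertext), len(blob.WrappedDEK))
	_, err := Decrypt(make([]byte, 32), blob) // the provider's position: no KEK
	fmt.Println("decrypt without the customer's KEK:", err)
	newKEK := make([]byte, 32)
	rand.Read(newKEK)
	rotated, _ := Rewrap(kek, newKEK, "kek-2014-08", blob)
	out, _ := Decrypt(newKEK, rotated)
	fmt.Println("decrypt after KEK rotation:", string(out))
}
```

Binding the KEK identifier as associated data on the wrap means a blob whose KEKID has been edited fails to unwrap, and binding the record identifier to the payload stops a ciphertext from being silently moved to another record. The operational cost that Kovacs raises shows up in this design too: every decrypt needs the KEK, so the customer's key store becomes part of the request path.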
There are drawbacks and disadvantages to the BYOE method. The company making use of BYOE must take responsibility for implementing and managing the selected solution, key management included. Key management must be simple and highly available, since every request that touches encrypted data needs a key and an unreachable key store turns into an application outage. Finally, Software as a Service (SaaS) does not currently support this method, and this is a key point for the electronic payments industry.
As electronic payments move to cloud-based offerings, the SaaS model is the most likely path currently available. Encryption of customer records and transactions is the utmost concern in creating this type of product. Although BYOE looks like a promising solution, for the electronic payments industry it is not quite ready for deployment. For other applications, however, this method should definitely be considered.