Superconductor

 *** Only 23 spaces left ***

Voltage Security invites you to "Voltage Security Live 2011" at Bridgewaters in New York City on November 9, 2011. This customer summit will focus on data-centric security and will feature several leading Voltage customers, such as American Express, Wells Fargo, State Street and others, who will discuss how they have implemented encryption projects for email encryption, data-centric encryption and end-to-end payment encryption. Also presenting will be Eric Ouellet, research vice president with Gartner Group, who is currently working on a new analysis of how companies use encryption. The goal of the summit is to enable Voltage customers to network with each other and pick up valuable best practices.

Stop Press: Thanks to our sponsors - Coalfire, OpenPath, Teradata and Thales, we are able to offer registration for eligible particpants at no cost.  Register now at www.voltage.com/live

Join Voltage customers including: ADP, American Express, Bank of America, AT&T, Citigroup, Deloitte, Deutsche Bank, Elavon, Fidelity Investments, Heartland, JPMorgan Chase, McGraw-Hill, UBS and Wells Fargo. 
.
Highlights of the agenda include:

• CxOs Panel – Business dynamics for data-centric encryption security – How to get your security project funded
• Key Note – Eric Ouellet, Vice President Research, Gartner Group                      
• How to maximize customer adoption – Kim Mroczkowski, Wells Fargo
• 4. How to structure a data-centric encryption project – Emily Mossberg, Deloitte
• 5. “Birds of a Feather” Networking lunch
• 6. Tracks: Customer and Best Practices – American Express, State Street, Thales, PwC, Coalfire 
• 7. Security Leadership Panel – Gartner Group, State Street, American Express, Wells Fargo

Stop Press: Thanks to our sponsors - Coalfire, OpenPath, Teradata and Thales, we are able to offer registration for eligible particpants at no cost.  Register now atwww.voltage.com/live 

It looks like our marketing people are having another webcast. This one’s sponsored by HealthInfoSecurity.com, and it might be particularly useful to information security and compliance professionals who work in the health care industry. It’s aimed at helping people understand the HITECH Act and what its implications are for people working in the health care industry. That’s something that’s not as well as understood as it should be. And attending this webcast is definitely cheaper that paying a consultant to cover this material for you.

The title of the webcast is "New Strategies for securing personally identifiable information: Protection Beyond Health Information Portals," and here’s a quick overview of what it will cover:

• Key regulations and their impact of how to secure and disseminate data
• What is required to enable protection of sensitive health information including key patient requirements
• How to augment a low profile portal with pro-active communication with patients – and save considerable sums of money – e.g. electronic explanation of benefits
• Leveraging the success of secure consumer communication from the financial services industry
• How to dramatically save costs associated with business processes such as Explanation of Benefits

This webcast will be held next Tuesday, June 28. It will last 60 minutes and will start at 12:30 pm Pacific/3:30 pm Eastern.

You can find more about this webcast here, and sign up for it here.

Carl Ellison has an interesting story that may give some insight into how people in the business world really view the maze of data security and privacy laws that they have to navigate these days. Here's his story (told with his permission, of course):

I remember being in a workshop with health-care IT pros. We were talking
security - especially access control.  I asked what their #1 threat was.
The answer:  HIPAA.  They weren't worried about whether a patient's records
were disclosed to a wrong person. They were worried only if they might go to
jail.  They wanted a security solution that kept them out of jail with the
minimum effort and disruption for them.

In other words, the regulation itself is seen as a bigger threat than any disclosure of any Protected Health Information! I wouldn't be surprised if you can hear similar discussions at meetings where other compliance issues are discussed.

There's a post on McAfee's web site that answers the question "Is information security compliance really a cost center?" like this:

No. Absolutely and unequivocally not. I am drawing the line in the sand. Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period).

Properly implemented information security provides business process improvement, technology improvement and threat reduction. Compliance controls that cover each of these areas to accepted “best practices” will save your organization money by the truckload and provide for expansion of your business tenfold if not more.

Far too often businesses require “measurable” savings when the cost reductions and business enablement is as obvious as a freight train hitting you while you are siting on the tracks. Below I will detail a simple walk-through of a compliance driven organization versus a non-compliant organization which makes it obvious that it is better and more efficient to be compliant as a business.

In most situations, the term "compliance" means regulatory compliance, or being compliant with data security and privacy laws and regulations. If this is how we interpret "compliance," then compliance is definitely a cost center, at least in many cases. Here's why.

Businesses tend to make investment decisions that maximize the benefits that they receive from the investments. They might be maximizing profit, or something else like market share. This means that when they decide to use a particular security technology, there's probably a good reason for doing so. It also means that when they decide not to use certain security technologies, there's probably a reason for that also. This means that you'll almost never hear discussions like the following:

CSO: We should encrypt the hard drives on our laptops. Our model shows a 60 percent ROI over a three-year period for the total cost of deploying and supporting full-disk encryption software.

CFO: Bah! I don't care about ROI arguments. Instead, we should wait for the government to mandate that we use that technology.

So it's reasonable to assume that investments that are made purely as a requirement for regulatory compliance are ones that wouldn't have been made on the basis of the value of the investment alone. This means that they don't make sense from a business point of view, and that mandating them forces businesses to make investments that they really shouldn't make.

Passing data security and privacy laws may force some security spending, but it's probably at the cost of other security projects that deserved to be funded instead. This means that the net result of data security and privacy laws may be just to reallocate spending from projects that had a good justification to ones whose only justification is to become regulatory compliant. That's probably not a good idea.

There are cases where it makes sense to do some of the things that are also required by regulatory compliance. Data breaches can be extremely expensive, for example, so it's often the case that there's a valid business case for using encryption. This means that there's a strong business case for using persistent encryption of sensitve information. There's also a strong business case for using encrypted email.

If you're really curious about the details of these business cases and don't mind slogging through some detailed risk models, you can take a look at Kevin Soo Hoo's doctoral dissertation "How Much Is Enough? A Risk-Management Approach to Computer Security." He did a careful analysis of the cost-benefit analysis of several information security technologies and found that the case for encryption is strong. The business case for encryption is still valid in the absence of the need for compliance. Other security technologies aren't as lucky.

Compliance may not always be a cost center, but in many cases it is.

Over the weekend, I was talking to a programmer/researcher at a large research hospital. He was telling me how he was involved in rolling out and using PKI for the physicians, nurses, researchers, administrators, and anyone else working there. Unfortunately, the PKI they chose was not necessarily the same PKI used by patients, drug companies, labs, universities, and other institutions outside the hospital. Because of HIPAA, some (if not all) emails must be encrypted. However, if the "outsiders" are not using a PKI, or are using an incompatible one (which seems often to be the case), the hospital employee must either not send the email or risk breaking the HIPAA laws by sending the message in plaintext.

Apparently, most people are choosing not to send. This has had a detrimental effect on productivity.

If you think the medical industry should not be concerned about patient privacy, then the solution to the problem is to scrap the PKI and simply send and store everything in the clear.

But if you like patient privacy, with or without HIPAA, and if you think efficiency and productivity in the medical industry are important, then this story illustrates that the hospital needs to do something.

What should it do? Choose another PKI? Whichever they choose will still be incompatible with someone else's. Spend the money to make PKI workable? The crypto industry has been trying to do that for 20 years and is about as close to making client PKI work as we were 10 years ago.

Of course, I think they should use IBE. But I'm biased, I work for Voltage.

On the other hand, our customers have discovered that in the hospital scenario (and similar ones), IBE does the job. It is easy to roll out, easy to use, and most importantly, easy to use with outsiders who have no PKI or do have a PKI, just a different system. With IBE, there is no need to make a choice between sending in the clear or not sending. It is possible to always send encrypted.

This story points out that PKI has some serious problems. We either have to live with them, solve them, or come up with something else. Whatever system we choose will have advantages and disadvantages, so in comparing two systems, we have to weigh the plusses and minuses of each. I'd be interested in hearing what a nonbiased observer has to say.

--Steve Burnett