Doing tokenization and cloud computing the PCI way

Grazed from CSO. Author: Ben Rothke.

When we wrote our first PCI application security article Who's Guarding the Data Bank? in 2008, commercially available cardholder tokenization was in its infancy. Generally speaking, data tokenization usually refers to a process through which cardholder data (usually the Primary Account Number or PAN) is replaced with a substitute cyphertext value known as a token.

The token is typically generated via a strong, one-way publicly known mathematical hashing algorithm. If the one-way cryptographic algorithm is suitably strong and utilizes a known publicly validated mathematical algorithm, the resultant cyphertext is no longer considered to be cardholder data as defined by the PCI SSC. It does not require additional obscuring or encryption as the process cannot be reversed to reconstitute the original data (in this case the PAN) short of a brute force ‘dictionary’ based attack...
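As an added illustration (not code from the CSO article), here is a minimal PAN tokenizer in Python. The article describes an unkeyed public hash; this version assumes a secret HMAC key, the usual mitigation for the brute-force dictionary caveat the article raises, since the space of valid PANs is small; the key value and the test PAN below are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo key: in a real deployment this lives in an HSM or key vault,
# never alongside the token store.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize(pan: str, key: bytes = DEMO_KEY) -> str:
    """One-way keyed token: HMAC-SHA256 over the PAN, hex encoded.

    The key is an added assumption: without it the small PAN space could be
    enumerated offline against a plain public hash.
    """
    if not luhn_valid(pan):
        raise ValueError("not a syntactically valid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def masked(pan: str) -> str:
    """Display form (first six, last four) that may leave the cardholder environment."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokens_match(token_a: str, token_b: str) -> bool:
    """Constant-time comparison so token lookups do not leak timing information."""
    return hmac.compare_digest(token_a, token_b)
```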

How Cyber Security Needs Are Driving Cloud Adoption

Grazed from TechWeekEurope. Author: Duncan Macrae.

Cloud computing was by all accounts inevitable – we can see its steady adoption all around us. According to Goldman Sachs, spending on cloud computing infrastructure and platforms will grow at a 30 percent CAGR from 2013 to 2018, compared with overall enterprise IT’s five percent. It forecasts global security-as-a-service revenue will reach $106bn in 2016, growing 21 percent over 2015.

Disruption to business

Earlier this year the CEO of British insurance company Lloyd’s said that cyber-attacks cost businesses as much as $400bn a year, including the damage caused by the attack and consequent disruption to the normal course of business. CIOs and their Infrastructure Management teams have historically been concerned about security in the cloud. Lack of trust, relative lack of control, fear of not knowing where the data resides, and complex regulations in different countries have only made this more difficult...

Cloud Computing: Google Drive Gains Security Upgrades, Certifications

Grazed from eWeek. Author: Jaikumar Vijayan.

With the number of paying organizations using Google Drive crossing the one million mark earlier this year, Google appears to be ramping up its efforts to bolster the cloud storage service's security features. The cloud services giant introduced new features on Sept. 21 that are intended to give organizations more visibility and control over business files stored and shared by workers in Google Drive.

The new features add retention and legal hold capabilities to the existing collection of e-discovery capabilities available with Google Drive. The new functions are similar to those available from Google for email and chat, and they’re designed to help businesses fulfill their legal obligations pertaining to data archiving and removal...

Microsoft acquires Adallom to advance identity and security in the cloud

Grazed from Microsoft. Author: Editorial Staff.

I’m pleased to announce today that Microsoft has acquired Adallom, an innovator in cloud security and a leader in helping customers protect their critical assets across cloud applications. This acquisition is the latest example of Microsoft’s commitment to delivering innovative identity and security capabilities to our customers, across both on-premises and multiple clouds.

With more frequent and advanced cybersecurity attacks continuing to make headlines, customer concerns around security remain top of mind. These concerns pose real challenges for IT, who are charged with protecting company data in this rapidly evolving mobile-first, cloud-first world. In this world, identity is a critical control plane for managing and protecting access to applications and data...

Cloud Computing: Should governments be able to look at your data when it is abroad?

Grazed from The Economist. Author: Editorial Staff.

Suppose FBI agents were to break into the postbox of an American company in Dublin to seize letters which might help them convict an international drug dealer. There would be general uproar, if not a transatlantic crisis. But that is essentially what the FBI wants to happen, albeit in the virtual realm: it has asked a court to order Microsoft, in its capacity as a big e-mail provider, to hand over messages from a suspect in a drugs case which are stored in a data centre in Ireland.

On September 9th an appeals court in New York will hear oral arguments on whether Microsoft has to comply. The case has many wrinkles, mainly due to the fact that the relevant American laws were written before the internet took off. In a sense, the court has to guess what lawmakers would have written into legislation if the global network had already been around...

5 Channel Ops: Dell, Oracle Surveys Show Security, Cloud Good for Your Bottom Line

Grazed from ChannelPartners. Author: Lorna Garey.

As back-to-school shopping levels off, your retailer customers’ thoughts inevitably turn to the holiday season. If your base includes local chains or specialty shops, check out this article by Evan Schuman on the best way for bricks-and-mortar stores to take on Amazon. TL;DR version: Exploit its two weak spots, delivery and live customer experience.

Security is also on consumers’ minds, and retail is one of the verticals we’re discussing in our Cloud Partners session titled “The Cloud Specialists Are In." Verizon’s chief security evangelist, Mark Rasch, will join a panel of your peers, moderated by me, to discuss the challenges around PCI and much more...

Cloud Computing: DoD new cyber security reporting rules for contractors

Grazed from Lexology. Author: Davis Wright Tremaine.

In a move that highlights the changing winds of federal cybersecurity policy, the Department of Defense (“DoD”) has issued an interim Rule (“Rule”) that imposes new security and reporting requirements on federal contractors, and new requirements for DoD cloud computing contracts.

The Rule requires federal contractors to report cyber incidents that result in an actual or potentially “adverse effect” on covered defense information (CDI), a covered contractor information system (a federal contractor’s information system that handles CDI), or on a contractor’s ability to provide operationally critical support. CDI includes “controlled technical information, export controlled information, critical information, and other information requiring protection by law, regulation or Government-wide,” but does not include classified information, which is governed by a separate rule. The Rule also imposes restrictions on cloud computing contracts, including that data covered by the contracts be maintained within the 50 states...

DoD implements stricter cyber incident oversights, cloud computing guidelines

Grazed from FierceGovernmentIT. Author: Robert Bartley.

The Defense Department Wednesday initiated two sets of policies to enforce stricter guidelines when dealing with about 10,000 contractors the department trusts with offsite cyber information. One part of the interim rule, called "Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services," will amend the DFARS to include mandates passed in recent Defense funding bills for stricter contractor reporting rules on cyber incidents.

According to the issuance, this is part of a greater effort to streamline contractor incident reports. For their part, the National Defense Authorization Acts from two of the last three years sought to require more DoD oversight on contractor systems during potential cyberattacks. The NDAA from fiscal year 2013 requires that cleared defense contractors report network penetrations to DoD...

Why cloud storage needn't be a security headache

Grazed from ITProPortal. Author: Barclay Ballard.

Even in computing terms, the cloud is relatively new and as with any new phenomenon there are stumbling blocks and naysayers. For cloud computing, this has often centred on security issues and claims that it is less secure than local storage. While it is true that, when poorly implemented, the cloud can be at the root of some nasty security headaches, to state that on-premise solutions are always more secure is an oversimplification.

Improvements to cloud security, including the implementation of end-to-end encryption, have been one of the key reasons why more and more businesses are taking advantage of third-party suppliers. The flexibility provided by cloud computing is often used to explain productivity benefits, but it is also at the heart of recent security improvements...

Cloud Computing: Check Point, VMware Expand Security Partnership

Grazed from The Var Guy. Author: Michael Cusanelli.

Check Point Software Technologies (CHKP) recently announced an expanded partnership with VMware (VMW) to combine the security vendor’s vSEC virtual network security with the VMware NSX network virtualization platform.

Check Point’s vSEC is a software-defined data center offering that resides inside the NSX platform. The collaboration is designed to help joint customers protect their enterprise private cloud environments by providing security controls within the data center, giving users increased ability to monitor and prevent internal breaches...