Friday, January 30, 2009

Fines and lawsuits - data breaches and the bottomline

Am not sure if the costs of data breaches are considered "soft-costs", or prevention is not sexy enough - but the recent $20M settlement from the VA and news about the lawsuit filed against Heartland seem to an interesting precedent.

Will this shake up the companies and have them start thinking that prevention is significantly less expensive than the headache and costs of settling stuff, post-breach?

Time will tell...

Sunday, January 25, 2009

I disagree with Bruce Schneier - but ask for his help!

Some more interesting feedback on our guarantee, the most recent one if from Bruce - I love his blog and read it quite often. This one he tackles the BitArmor guarantee head on :) I respect his opinion on a lot of things, but in this case I think he may have been a bit off the mark.

In this litigious society that we live, in putting yourself out there and standing behind your product is not a simple task. It takes some serious product capability to think about offering something like this - one would have to be, as an executive, completely irresponsible to open up BitArmor if this were not the case. Ergo, Bruce, please give us a little credit - this is not just a PR stunt.

There obviously is a PR element to this, but without product capability to back it up, no company can do this. It would have been nice of you to have at least acknowledged that possibility and asked insurance companies to step up, instead of “pooh-poohing” the whole thing.

What we do as security companies is reduce risk - what an insurance company does is transfer risk or normalize it across a large set of customers. Big difference there. I bet if insurance companies feel security products work, they would be able to better quantify the liability and offer affordable premiums! It takes the foundation of good security for insurance to work - buying and selling liability will be easier if this foundation is strong.

And to your point below:

“So if BitArmor fails and someone steals your data, and then you get ridiculed by in the press, sued, and lose your customers to competitors -- BitArmor will refund the purchase price.”

Here is the rub – this process is not exclusive to BitArmor protected data! If you lose your data, protected by any security product (or not protected at all), you will still be ridiculed, sued and lose your customers! We are not claiming that our product is unbreakable – what we are saying is we are willing to shoulder some responsibility for its failure to do the task it was bought for, i.e. protect data.

And we think we can do a better job than any product out there - hence our confidence in putting forth a guarantee.. If we can make this better and more workable for the industry, we welcome a conversation with Mr Schneier and ask for his help.

We have, we believe, the right product for this. Help us take the security industry forward.

Wednesday, January 21, 2009

One hundred million! A breach of staggering proportions

This is unbelievable - and sounds almost like Dr Evil asking for ransom before threatening to blow up something. In spite of all the PCI regulations and best practices to protect data both at rest and in flight, about 100 million records were breached at payment processor Heartland. I'd be interested to know if Heartland was indeed PCI compliant.

The challenge, I think, is that lots of folks think about compensating controls to get around actually protecting the data. And surprisingly, in spite of the TJX breach that happened across the wire, most folks think that just encrypting their laptops is enough! And the Heartland case has proven otherwise - one also needs to protect data in flight!

How many such network pathways can one protect? How many are there to protect? This is why the informaiton-centric approach makes sense. Protect the data itself - dont worry about the pathways as much. Ensure that the data is persistently and continously protected at all times - this will ensure device independence and network independence.

And breaches, massive or small, can be cost effectively avoided.

Friday, January 16, 2009

Warranty versus a no-breach guarantee.

Not surprisingly, we got some questions on our recently announced No-Breach Guarantee. One specifically I would like to address today is the notion of a software warranty versus the No-Breach Guarantee. Are they not the same?

Well, we think not. Most software warranties are for 30-60 days and basically say the vendor is not responsible for anything. The application will have errors, bugs and might not install or perform as indicated :) Check out this interesting eWeek article titled "Software Warranty Woes" on the subject.

A few excerpts from the article:

"GM couldnt sell a car using the [current] software model," in which the buyer assumes the risk of making sure the product works reliably, says Scott, whose company is a large SAP and Electronic Data Systems customer.

Software vendors typically provide a 90-day limited warranty that promises the application will conform to published specifications. The supplier usually adds that the software may have errors and notes there are no guarantees that an installation will be successful.

Thats not good enough, Scott says.

And some more..

I read with interest the comment on CNet by Phil Dunkelberger, CEO of PGP, on our guarantee. I am not sure if Mr. Dunkelberger has read his own EULA - PGP has a very limited 60 day software warranty - terms used are "PGP Corp will, at its own expense and as its sole obligation and your exclusive remedy for any breach of this warranty,... " etc etc..

Not the same, I would contend.

We don't claim to have the perfect answer, but we do think the BitArmor guarantee better reflects what the customer is purchasing data protection software for - to prevent data breaches! And we stand by our capability and responsibility to provide that protection.

Thursday, January 15, 2009

Introducing a no data-breach guarantee

Usually we do not talk much about our product or company in this blog. However, today might be an exception :)

This is an exciting day for us at BitArmor - we are announcing a guarantee against data breaches for organizations looking to protect sensitive data and avoid the massive expense of a data breach. We feel proud in being the first vendor to do so!

The concept is simple - we believe we have superior Smart Tag technology that can protect data persistently - using an information-centric approach. The data remains protected at rest, in flight and is device independent - therefore giving us the ability to protect data on multiple devices, especially the ones that are most vulnerable; i.e. laptops (we use disk encryption here in addition to our persistent file encryption), USB devices and email attachments among others..

This gives us the confidence (well, we also derived a lot of it from government agencies and crime labs beating up on our software!) to make this bold statement and back our product with a money-back guarantee in case a publicly announced breach is the result of someone breaching BitArmor controls.

While we understand that a breach may cost the company more than our promise, we want organizations to know we have skin in the game to ensure that their data is protected. In some sense, we also shoulder some of the responsbility :)

Tuesday, January 13, 2009

Financial firms - poor security or valuable data?

Since the recent PricewaterhouseCoopers report came out, there has been a lot of discussion on why financial firms are coming up short on data security.

While I think there is some truth to the story - for example, it is staggering to think that organizations do not have incident response processes or defined methods to address a data breach, I am not convinced that financial firms are behind anyone in terms of approaching data security.

For one, they have the most valuable data in the world and are often the target compared to any other vertical, save the government. In spite of being such a huge target, they don't seem to have a massive share of the breaches - according to the new report from the ITRC in San Diego. In fact this is the statement from that report, "The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years."

And from my experience as a vendor working with many financial firms, almost all of them have good processes, encryption and data security products deployed and some of the most security savvy employees. I would love to know more about the types of financial institutions that did not perform well. Are they the small regional banks or are they larger ones that might have huge amounts of data?

Hmmm.. So I am a bit skeptical about parts of the report... I think, while there might be some truth to it, being custodians of such valuable data, banks are overall quite responsibile in terms of data security.

Friday, January 9, 2009

Thats what we need - 2 terabyte memory cards!

This seems more like a giant leap by mankind - rather than the more predictable Moore's law. Seems like new SD card standards could bring about memory cards that have a 2TB capacity!

Imagine all the credit cards and personnel records that can be saved in one of those - image the fun we will be having in a few years when the entire SSN list of over 300M Americans are found in one of those! Even though I am an optimist, it is hard not to see bigger (literally) breaches ahead - unless we get our act together. Time to make these cards more secure - can we get some security standards also into the new SDXC standards?

Of myths and security

Very interesting set of articles by Erik Larkin about the last few days of the enduring myths of security - check them out here. He talks about hacking for fun and brownie chops, malware, etc. Fun stuff..

I think one enduring myth beyond what Erik has touched upon is "doing the same thing and hoping for a different result". Einstein said it with more color! I think many organizations are using the same old techniques for preventing losses or breaches with the hope they will produce better results - this might be wishful thinking. The game is far ahead and we have to develop new techniques and change our approach a bit.

Being an information-centric security cheerleader, I think this is one of the changes we as an industry have to move forward with. Thinking that the old, device-centric approach will work every time, since that feels like comfort food, might turn out to be not true...

Thursday, January 8, 2009

30 years jail time for 90M records!

Looks like the chicken has finally come to roost - apparently the mastermind behind the TJX hack, Maksym Yastremskiy, is sentenced to serve 30 years for his act. By a Turkish court no less!

I always believed that deterrent is crucial in preventing such acts - organizations obviously should protect their data, but if you know that you could get jugged for 30 years, that ought to put a damper in your enthusiasm to sell some stolen records :)

I like the sentence term as well - however, it is approximately only one year for every three million records stolen! I would recommend 1 year for every 100,000 record and move it down with a sort of volume discount :)

In any case, nice going Turkey..

Wednesday, January 7, 2009

Devolution and data-centric security

Forrester has been covering the data-centric security space for a while - Paul Stamp has had some good articles and now Andy Jaquith has an new report out as well - "Data-Centric Security Requires Devolution, Not A Revolution". The bottom line is to not think of this approach as revolutionary - While I agree with Andy to a certain degree, I would like to characterize this approach as being more the "logical" way to really protect data. You don't need to devolve to do this, but approach it logically :)

There are no complete solutions out there yet that fulfill the promise of data or information-centric security completely - and as in the case of all technology, there will always be work to be done! Therefore, one will be working with some sort of hybrid solutions for a while. There will still be areas where protecting the device or the network will make sense - these tools are widely available and have become mature. However this mistake that is made is to assume this is sufficient.

Andy has blogged about his report. He mentions that all data needs to be secure - no doubt. But we have to start thinking beyond those data elements at rest and think of data as a flowing medium - protect it everywhere. In this case, the only logical way appears to me to be the information-centric approach.

Tuesday, January 6, 2009

Two data breaches a day!

And to think that the numbers might be even higher! According to the Identity Theft Resource Center in San Diego, some 656 breaches were reported in 2008, up almost 50% from the previous year. This is almost two breaches a day - and according to the article in the Washington Post, many breaches do not even get reported. So this could be even higher!

I wonder if folks are getting blase about these breaches. To borrow a often-used Indian saying "Chalta hai!" - meaning "its okay, it happens" etc. :)

Hopefully the companies (and their customers) that have been affected don't have this sense of chalta-hai and pull up their collective socks to fix their data protection issues...