Wednesday, January 21, 2009

One hundred million! A breach of staggering proportions

This is unbelievable - it sounds almost like Dr Evil demanding a ransom before threatening to blow something up. In spite of all the PCI DSS requirements and best practices for protecting data both at rest and in flight, about 100 million records were breached at the payment processor Heartland. I'd be interested to know whether Heartland was in fact PCI compliant at the time.

The challenge, I think, is that many organisations reach for compensating controls as a way around actually protecting the data. And surprisingly, even after the TJX breach, where card data was captured in transit over the network, most still believe that encrypting their laptops is enough. The Heartland case has proven otherwise: data in flight needs protecting too.

How many such network pathways can one protect, and how many are there to protect? This is why the information-centric approach makes sense. Protect the data itself, and worry less about the pathways. If the data is persistently and continuously protected, from the point it is captured to wherever it ends up, then its protection no longer depends on the device it sits on or the network it crosses.

And breaches, massive or small, can be cost-effectively avoided.
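The information-centric approach described above, as an added example (this is not code from the original post, from Heartland or from any PCI standard): a card record in Go in which only the PAN is sealed with AES-GCM at the point of capture, with the record's own merchant and transaction identifiers bound in as associated data. The sealed field can then be stored, logged or forwarded over any path, and only the one system holding the key can read it, while any modification in transit or transplant into another record is detected on decryption. The key, the identifiers and the test PAN are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// CardRecord is the unit that travels between systems. Only the PAN is
// sensitive, so only the PAN is sealed; merchant and transaction IDs stay
// in the clear so routing, logging and reporting work without the key.
type CardRecord struct {
	MerchantID    string
	TxnID         string
	PANCiphertext string // base64(nonce || AES-GCM ciphertext || tag)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectPAN seals the PAN once, at the point of capture. The clear-text
// identifiers are bound in as associated data, so the ciphertext is only
// valid inside the record it was created for.
func ProtectPAN(key []byte, merchantID, txnID, pan string) (CardRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	aad := []byte(merchantID + "|" + txnID)
	sealed := aead.Seal(nonce, nonce, []byte(pan), aad) // nonce is prepended
	return CardRecord{
		MerchantID:    merchantID,
		TxnID:         txnID,
		PANCiphertext: base64.StdEncoding.EncodeToString(sealed),
	}, nil
}

// RevealPAN is the only function that needs the key; every hop in between
// handles the record without being able to read or alter the PAN.
func RevealPAN(key []byte, rec CardRecord) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	sealed, err := base64.StdEncoding.DecodeString(rec.PANCiphertext)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	aad := []byte(rec.MerchantID + "|" + rec.TxnID)
	pan, err := aead.Open(nil, sealed[:ns], sealed[ns:], aad)
	if err != nil {
		return "", fmt.Errorf("PAN authentication failed: %w", err)
	}
	return string(pan), nil
}

// Corrupt simulates a single bit flipped somewhere along the path (a hostile
// hop, a faulty relay) and returns the altered record.
func Corrupt(rec CardRecord) CardRecord {
	sealed, err := base64.StdEncoding.DecodeString(rec.PANCiphertext)
	if err != nil {
		return rec
	}
	sealed[len(sealed)-1] ^= 0x01 // flip a bit in the authentication tag
	rec.PANCiphertext = base64.StdEncoding.EncodeToString(sealed)
	return rec
}

func main() {
	key := make([]byte, 32) // demo key; in production it comes from an HSM or KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample; 4111111111111111 is a well-known test PAN.
	rec, err := ProtectPAN(key, "merchant-42", "txn-0001", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: %+v\n", rec)

	pan, err := RevealPAN(key, rec)
	fmt.Println("authorised reader:", pan, err)

	_, err = RevealPAN(key, Corrupt(rec))
	fmt.Println("tampered in transit:", err)

	moved := rec
	moved.TxnID = "txn-0002"
	_, err = RevealPAN(key, moved)
	fmt.Println("transplanted into another record:", err)
}
```

The point of binding the identifiers as associated data is that an attacker who can capture traffic cannot simply re-use a sealed PAN under a different transaction; the ciphertext is tied to its context as well as to the key. Note that this does not replace transport encryption where PCI DSS requires it, but it means a sniffer on an internal network segment sees nothing usable even where the transport is plain.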
