Mare: Ron, I've been meaning to ask you a question, but I've been afraid to for fear you'll laugh at me.
Ron: Mare, you know there’s no such thing as a stupid question.
Mare: Okay, well, you've talked a lot about encrypting data-at-rest. I was just hoping you'd explain further, because I didn't realize that data could get tired or need any rest.
Ron: I take it back. There is such a thing as a stupid question.
Mare: (Punches Ron in the arm)
Ron: Ow! Data can be tiered, or retired, but it never gets just plain old “tired.” The term “data-at-rest” refers to data that is being stored somewhere, whether it be on disk, tape, CD-ROM, or DVD. There are two other places that data can be: on a communications line or storage area network (data-in-flight), or in computer memory being accessed by an application (data-in-use).
Mare: Okay, so remember some 3-4 years back when TJ Maxx (TJX) made the news with headlines that screamed that they had lost customer credit card data for millions of customers?
Ron: Yes, what about it?
Mare: I was wondering if they ever figured out what happened in that situation, and whether the use of NetApp technologies could have helped prevent that leak?
Ron: That, on the other hand, is a good question.
Mare: (Punches Ron in the arm -- again)
Ron: Ow! The truth is, the whole story may never be known. But what we do know brings up a very important point: as we’ve said before in this blog, data security is more than just encryption, and certainly more than just encryption of data-at-rest.
In the TJ Maxx case, we believe that hackers broke into a wireless network at a TJ Maxx store in Miami and rode their internal network to their Framingham, MA data center, where they got information on 45.7 million cards that were used between January 2003 and Nov 23 of the same year.
The data appears to have been encrypted, but there were other problems. First of all, Payment Card Industry (PCI) regulations state that full magnetic stripe info, the card verification code, and PIN block data should not be retained, but apparently it was at TJ Maxx. The company said that they "generally" stopped storing Track 2 data for transactions after September 2003, and by April 3, 2006, they had begun to mask payment card PIN data.
Secondly, TJ Maxx also believes that the hackers had access to the decryption tool for the encryption software that they used to protect cardholder information.
Mare: So, back to my original question, if NetApp plays in the “data-at-rest” space, could NetApp storage encryption technology have helped prevent this leak?
Ron: I’m getting there! Well, if implemented along with other controls like securing wireless networks, not storing unnecessary information, and properly separating duties, the data-at-rest encryption offered by NetApp as well as our key management appliance might have helped protect TJ Maxx’s data from disclosure. You see, since our encryption and key management appliances store keys and encrypt data in a hardware module (as opposed to software), it might have been harder for the hackers to gain access to it. But it’s hard to say, since we’ll never know the whole story, nor will we know what information was actually stolen.
Mare: Gotcha. Well, it’s food for thought, anyway, for companies who need to comply with PCI.
Ron: It absolutely is! And Mare, that gives me an idea for our next topic – we’ll discuss PCI in our next post. Stay tuned.
Mare: Um, aren’t you forgetting to say something like, “Mare, you’re brilliant!”?
Ron: Don’t push it.