Posted by Kristie Edwards on Tue, Oct 16, 2012 @ 10:18 AM
Download the white paper "Meet the Challenges of PCI Compliance" and learn more about ensuring the data you are protecting meets PCI compliance.
Click Here to Download Now
|
I went to my first ever kickboxing class the other night, and it kicked my butt, LITERALLY. I thought that because I work out on a daily basis and recently ran a 10K, that a 1-hour kickboxing class would be a nice cardio day for me. Boy was I wrong.
I can imagine that PCI audits can be like this for others, maybe even you. You think you have nothing to worry about (after all, you have been investing heavily for this day) and then WHAM, your auditor/kickboxing instructor knocks you down flat!
We hear this from companies as they go through their audits: “We thought we were doing everything correct. All our cardholder data was encrypted!”
What these companies fail to realize, and what the auditor will quickly point out, is that proper encryption requires encryption key management!
“But wait, we are a level two merchant and you want us to do what? Manage our encryption keys? Since when do you have to manage your encryption keys separate from your appliance? Doesn’t IBM offer a key store on your IBM i (AS/400, iSeries)?" I was shocked the exact same way when my instructor said, “We’re going to do 2 punches, 1 hook, and a roundhouse kick to the bag, and you need to repeat this for the next 2 minutes!” Are you kidding me?
Townsend Security works with you to meet PCI audit requirements. We assist organizations both large and small obtain compliance in sections 3 & 4 with our AES encryption and encryption key management solutions. We also address issues of section 10 by providing customers our Alliance LogAgent, the system logging solution for the IBM i.
Passing an audit, like kickboxing, is a lot of work and not something you can just wake up and do well. They both take an investment of time and resources - and at the end of the day, you will be stronger and able to defend yourself.
If it weren’t for the great support and expertise of my teachers, I would not have survived my first class. Cheers to them and cheers to Townsend Security helping companies of all sizes meet their PCI audits.
For more information on passing your PCI audit, download our white paper “Meeting the Challenges of PCI Compliance” and learn what will your auditor look for, how you can ensure your PII is secure, and why auditors are looking specifically at encryption key management.
Posted by Patrick Townsend on Fri, Jun 15, 2012 @ 03:47 PM
Download the white paper "Meet the Challenges of PCI Compliance" and learn more about ensuring the data you are protecting meets PCI compliance.
Click Here to Download Now
|
Customers moving to a hosting provider or cloud provider are often confused about PCI DSS compliance regulations, and what their responsibilities are in that environment. Some companies feel that they can avoid compliance concerns by moving to a cloud service. Some feel that they are no longer under compliance regulations at all in that environment. I heard this comment just this week:
“I don’t need to worry about compliance because my hosting provider says they are PCI compliant.”
This is dangerously wrong. Let’s sort this out.
First, hosting providers who say they are PCI compliant are usually talking about their own systems, not about yours. Their credit card payment application is PCI compliant, they run the required vulnerability assessments on their payment processing applications, they collect system logs, and so forth. All of these things are required by the hosting or cloud provider for their own systems to be PCI compliant. They aren’t talking about your applications and data.
This does not make you automatically PCI compliant when you use their platforms or applications. You still bear the responsibility for meeting PCI compliance in your applications. Regardless of the hosting or cloud implementation (Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service, or a hybrid approach), you are always responsible for PCI compliance of your data.
What does the PCI Security Standards Council (PCI SSC) say about cloud environment?
The hosted entity (you) should be fully aware of any and all aspects of the cloud service, including specific system components and security controls, which are not covered by the provider and are therefore the entity’s responsibility to manage and assess.
And,
These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted (by you) only based on rigorous evidence of adequate controls.
As with all hosted services in scope for PCI DSS, the hosted entity (you) should request sufficient assurance from their cloud provider that the scope of the provider’s PCI DSS review is sufficient, and that all controls relevant to the hosted entity’s environment have been assessed and determined to be PCI DSS compliant.
Simply put, you are responsible for understanding which parts of PCI compliance a cloud vendor can help you with, and which parts they can’t.
There is no cloud implementation that relieves you of the responsibility of protecting your data. See section 4.3 in this PCI guidance.
What does this mean from a practical point of view?
This means that you must meet all of the PCI DSS requirements for your cloud implementation. You may be able to take advantage of some PCI compliant services provided by the hosting or cloud vendor, but you must have the cloud vendor provide you with guidance, documentation, and certification. You are not off the hook for responsibility in these areas.
Please note the chart on page 23 of the PCI cloud guidance. There is no hosting or cloud implementation that covers your data. You are always responsible for protecting your customer’s cardholder data. This means complying with PCI DSS Section 3 requirements to encrypt the data and protect the encryption keys.
There is no magic bullet. You have to do this work.
Living through a data breach is no fun, and I would not wish this experience on anyone. In hosted and cloud environments, ignorance is not bliss.
Stay safe. For more information, download our whitepaper Meet the Challenges of PCI Compliance and learn more about protecting sensitive data to meet PCI compliance requirements.
Patrick
Posted by Chris Sylvester on Tue, Dec 27, 2011 @ 01:21 PM
At Townsend, we have a lot of conversations with customers and prospects about data privacy, compliance requirements and best practices for IT security in general. We have written numerous articles on these topics and posted them on our blog. As the end of 2011 quickly approaches, we thought it would be worthwhile to list out our most read articles of the year.
Listed below are the top five read articles from the past year:
We aren’t surprised that the articles on these topics; encryption, key management and PCI compliance are some of the most read on the blog. We spend the majority of our days talking to people about these topics and helping them solve challenges around data privacy and compliance. In fact, many of the conversations we have lead to new products and product enhancements.
In 2012, we encourage you to talk to us about what you need and what you are doing at your company to protect sensitive data. Subscribe to our blog, like us on Facebook, follow us on Twitter or join us on LinkedIn.
We hope you find the articles listed useful and that it inspires you to think of topics you would like us to write on for 2012. Thank you for your readership in 2011!
We are already preparing and looking forward to sharing more about data privacy in 2012.
Happy Holidays!!
Posted by Kristie Edwards on Tue, Sep 13, 2011 @ 02:26 PM
Lately we are seeing an increase in questions around PCI requirements for encryption key management. We are hearing from Level 2 merchants who are preparing for the June 30, 2012 deadline for companies that accept Mastercard. These companies are beginning to realize that they can’t just encrypt data to meet PCI requirements, they also need to securely manage their encryption keys.
To summarize the deadline, which is effective June 30, 2012, MasterCard Level 2 merchants have 2 choices for complying with PCI-DSS requirements.
Option 1: They can complete an annual self-assessment questionnaire AND prove that a member of their organization has attended and successfully passed PCI SSC-offered merchant training program.
Option 2: Businesses can elect to complete an annual onsite assessment conducted by a PCI SSC approved QSA.
Download the white paper "Meet the Challenges of PCI Compliance" and learn more about ensuring the data you are protecting meets PCI compliance.
Click Here to Download Now
|
Whether a business elects to certify a member of their team or undergo a PCI audit by a QSA auditor, they are becoming better educated about PCI-DSS requirements. Additionally, they are asking questions internally about how to meet requirements and seeking out answers to questions they can’t answer themselves. These Level 2 merchants are now starting to understand the NEED to be PCI complaint and realize how much they need to do. Townsend Security can help answer questions businesses have about data privacy and security because we focus on encryption and key management, which are discussed in section 3 and 3.5 of the PCI-DSS.
I talk to merchants on a daily basis around this topic and people understand the importance of encrypting data, but many don’t understand the need to securely manage their encryption keys. Storing your encryption keys on the same server as your data is problematic. Before these new regulations Level 2 merchants weren't aware that PCI DSS requires separation of duties and dual control. Quite simply, you don’t want the same person who has access to the encrypted data to have access to the encryption keys. Think of your encryption key as the figurative “key to the kingdom” - it unlocks the data that you have secured with encryption. You wouldn’t lock your front door and leave a note saying the key is under the mat. You take your keys with you and only give keys to trusted people – the same philosophy should apply to the way you secure your encryption keys.
Level 2 merchants are realizing they need a secure server to protect their keys. They are researching encryption key management solutions and discovering our FIPS 140-2 certified Alliance Key Manager may be the solution they need.
If your company is struggling with understanding PCI requirements for key management, download this whitepaper to learn more. If you need a solution for key management and want to talk to a security advisor about the specifics in your IT environment, send me an email. I am happy to answer your questions and schedule a 15 minute technical overview.
I'll also be at the PCI Conference next week in Scottsdale, AZ so make sure to stop by our booth and say "hi".
Posted by Luke Probasco on Thu, Aug 18, 2011 @ 03:31 PM
As “The Encryption Company,” we often blog about meeting PCI DSS with encryption and key management. Our NIST-certified technologies will help your organization satisfy Section 3 of PCI DSS, as well as other privacy regulations. But there is another section of PCI DSS that Townsend Security can help you with – Section 10.
Section 10 states the requirements for tracking and monitoring access to network resources and cardholder data. Some things that this section speaks on is procedural – daily reviewing logs for all system components and retaining an audit trail history for at least one year. Section 10 also specifies how your logging solution needs to perform. This includes automating audit trails for all system components and securing audit trails so that they cannot be altered.
This regulation is especially important for organizations using IBM i’s. The state of logging on most IBM i’s is not good. The IBM i doesn’t log information like your other systems and the security logs that it does produce are often an enclave inside the IT organization.
So what does this mean? Only the IBM i administrators can know what is happening on that machine – all the valuable logging information is sequestered on the IBM i. Network originated threats to the IBM i are often not noticed or responded to by the security team. This puts a lot of sensitive data at risk and your organization not meeting compliance regulations.
There is an answer. Townsend Security has been helping customers meet section 10 of PCI DSS with Alliance LogAgent.
Alliance LogAgent
- A complete solution that can capture and forward all IBM i security events
- Built by IBM i experts specifically for SIEM integration
- Robust filtering capability minimizes network impact
- Strong encryption between IBM i and SIEM console
- Seamless integration with ANY SIEM console
- Integrated User Monitoring and log forwarding
To learn more, we recently recorded a webinar titled “Understanding Log Management on the IBM i.” View this 30-minute webinar and learn how to meet compliance requirements with real-time security event logging across your Enterprise.
Posted by Patrick Townsend on Tue, Aug 16, 2011 @ 02:56 PM
The generation of tokens is an important part of the new PCI SSC guidance on tokenization. Tokens can be generated using a number of techniques including random number generation, encryption, sequential assignment, and indexes. Using tokens to recover the original credit card number must be “computationally infeasible” according to the new guidance.
In this area, I think the tokenization guidance could be much stronger. To the cryptographic community it is well understood how encryption and proper random number generation can produce results that can’t be feasibly reversed using computational methods. The use of indexes and sequential assignment is a lot more “iffy” in my mind. Here is an example: I have a table sorted by the credit card number that contains 100,000 rows. I read the table and assign tokens in a sequential manner. Are these tokens as strong as tokens generated by a random number generator? Obviously not. Merchants and QSA auditors need to be very careful about a tokenization solution that uses indexes or sequence numbers for token assignment.
The use of encryption to generate tokens should also give merchants some pause for extra thought. First, using encryption may produce tokens that are indistinguishable from normal credit card numbers. The guidance discusses distinguishability of tokens, and if you use encryption to generate tokens you are probably going to have additional work in this area. Secondly, it is not clear yet if tokens generated in this manner will be subject to additional encryption and PCI SSC guidance. The work released today holds open the likelihood that there will be additional guidance for these types of tokens. In other words, the jury is still out on the use of tokens generated by encryption. Lastly, tokens generated by an encryption method almost certainly have to meet all of the PCI DSS requirements for encrypted PAN. It is hard to imagine any other outcome. Merchants will want to be extra careful when deploying a solution that uses encryption to generate tokens.
Lastly, we can expect to see an increase in the number of cloud based tokenization solutions coming to market. The new guidance only touches on this in a tangential way when it discusses the need to carefully review all aspects of a tokenization solution. Since most clouds are based on virtualized environments, I suggest that you read the PCI SSC virtualization guidance from the PCI SSC. It is very hard to see how any of the most popular cloud environments can meet the recommendations of that guidance.
Big kudos to Troy Leach and the members of the tokenization SIG and Working Group who’ve been laboring on this document! The council and advisory committees also deserve praise in nurturing this process. The stakeholders are a diverse community with sometimes conflicting interests. The result speaks well to the management team. I know that we’ll be seeing more work from this group in the future.
Click here for more information on Alliance Token Manager, our tokenization solution and learn how we can help your organization with a certified and comprehensive tokenization technology.
-Patrick
Posted by Patrick Townsend on Fri, Aug 12, 2011 @ 02:39 PM
Today the Payment Card Industry Security Standards Council issued some long awaited guidance on tokenization as a method of protecting credit card information (“PAN”, or Primary Account Number in PCI language). This guidance has taken a number of months to produce, and will be very helpful to merchants who want to deploy tokenization solutions to reduce the scope of PCI compliance efforts, for those who have already deployed solutions and need to assess if they meet minimum requirements, and for QSA auditors who have been looking for some guidance in this area.
The link to the guidance is here.
Here are some first thoughts on reading the guidance.
As I’ve been saying here before, a tokenization solution is always in scope for PCI DSS compliance. This means the merchant is responsible for insuring that a tokenization solution itself meets all of the PCI DSS requirements. Whether you create your own tokenization application, or you acquire one from a vendor, it is in scope for PCI DSS compliance and you are responsible for it. The guidance makes this point very clearly. In fact, the guidance makes the observation that tokenization solutions are likely to be the targets of attack because they become a centralized repository of credit card information. Merchants should be very careful that their tokenization solutions meet all PCI DSS requirements and are sufficiently hardened. In my opinion, there are very few merchants who would be up to the task of creating such a solution in-house.
Following on the previous point, a tokenization solution must have encryption and key management capabilities that meet PCI DSS requirements. This means special care in the deployment and implementation of key management. You should be very sure that your key management solution implements proper Dual Control, Separation of Duties, Split Knowledge, and separation of keys from protected data. When acquiring a vendor solution for tokenization look for FIPS-140-2 certification of the key management system – that should be a minimum requirement to indicate the proper implementation of encryption and controls.
Download a recent webcast I recorded that discusses the importance of tokenization and PCI compliance.
Today’s announcement by the PCI Security Standards Council on tokenization is certain to raise awareness about the importance of selecting the right tokenization solution for your organization and ensuring it meets the PCI DSS requirements. I will be post another article Tuesday that will discuss more thoughts on this new guidance.
I hope you find this helpful.
Patrick
Posted by Patrick Townsend on Fri, Feb 11, 2011 @ 03:33 PM
In our encryption practice we often help customers integrate the exchange of encrypted data between different applications within the organization, and between their own applications and a vendor’s or customer’s application. It is truly amazing to me how often we encounter non-standard encryption that makes this integration very difficult. The problem is not the lack of standards for encryption. Most compliance regulations provide clear guidance and references to encryption standards. Here is what the PCI Data Security Standard (PCI DSS) Navigation Guide says about encryption (my emphasis):
The intent of strong cryptography (see definition and key lengths in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or "home-grown" algorithm).
Strong Encryption:
Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or “one way”). Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher). See NIST Special Publication 800-57 for more information.
The problem seems to be a general lack of knowledge about encryption. And this applies to some vendors of encryption solutions. Here are a couple of examples:
One of our customers was having trouble decrypting a field with our software that was encrypted on a Windows server with “256-bit AES using CBC mode”. That seemed to be a pretty straight-forward task. Yet we couldn’t get the data decrypted properly. The output just looked like garbage. We spent a fair about of time with the customer verifying that they had the right decryption key, that the initialization vectors for the decryption were specified correctly, and that our software was being used correctly. But nothing was working. We then asked the third party software vendor to share their AES source code with us. In this case the vendor was very accommodating and let us review their source code implementation of AES encryption.
Voila! The source code showed that the implementation was using a 256-bit block size for the encryption algorithm. The AES standard (FIPS-197) requires the use of 128-bit block sizes. The use of the larger block size meant that this was not even AES encryption according to the industry standard. The vendor fixed their implementation and the project was successful. But our customer spent a lot of time and money resolving the problem.
Another example of getting into trouble occurred with a customer who deployed an AES encryption solution that used the CUSP mode of encryption. This rang alarm bells right away. We knew that CUSP was not one of the NIST approved modes of encryption, and we had never encountered it before. We quickly learned that CUSP stood for “Cryptographic Unit Service Provider” and was implemented by IBM in a couple of their server products. This customer had a couple of problems. CUSP mode was not a standard mode of encryption, and data encrypted with CUSP was not going to be decrypted by any of the standard open source or commercial products in the market. So this customer was locked into an incompatible encryption strategy.
The second problem is that the CUSP mode of encryption is a proprietary protocol. The PCI DSS clearly states that strong encryption must be based on industry standards and not proprietary protocols (see above). As I interpret the PCI DDS requirements for encryption, a customer using CUSP mode would be out of compliance. That’s going to hurt the next time a QSA takes a hard look at your encryption implementation. We recently published a white paper on the weaknesses of the CUSP mode of encryption. Click here to download it.
One way to insure that your AES encryption software is compliant is to look for a NIST certification. A NIST AES Validation certificate, or a NIST FIPS-140 certificate, is pretty good assurance of compliance. The FIPS-140 certification process requires AES Validation, so that certification is incorporated by reference. That’s why either certification will give you the assurance that AES encryption is being done according to the standard. Lacking certification, you are relying on the promises of a vendor or developer who may be ignorant, or have a motivation to be less than forthcoming. Not a good situation to find yourself in.
Both of these customers spent a fair amount of money fixing the problem. An entirely avoidable expense.
Patrick
Posted by Patrick Townsend on Fri, Feb 11, 2011 @ 01:46 PM
The new PCI Data Security Standards (PCI DSS v2.0) are here and I’ve gotten a lot of questions about the changes related to encryption key management. Because we work with a lot of companies going through PCI compliance audits and reviews, the new standards just confirm the trends we’ve seen over the last few months on how QSA auditors and security professionals view encryption key management, and what they see as the minimum requirements for managing keys. The clear trend is to require that encryption keys be stored separately from the data they protect, and to make sure that the people who manage encryption keys are not the people who manage the protected data. Let’s look at why this is happening.
While most of the largest merchants in the Level 1 category are already using professional key management solutions to protect encryption keys, the trend over the last 12 months is to require smaller merchants in the Level 2 and Level 3 categories to also use better key management practices, too. So, what are the parts of PCI DSS that are driving this change? It all has to do with industry best practices for encryption key management, and the concepts of Dual Control, Separation of Duties, and Split Knowledge. These best practices and concepts work together to form the basis for determining if your approach to key management will pass muster.
First, what is the source of industry best practices for key management? Here in the US, the National Institute for Standards and Technology (NIST) is the most common source for guidance on best practices. The NIST special publication SP-800-57 provides specific pointers on how best practices for both procedurally managing encryption keys, and what to look for in key management systems. In these documents you will find the genesis of most standards regarding encryption key management, including the concepts in PCI DSS 2.0 Section 3.
Next, it is important to understand Dual Control, Separation of Duties, and Split Knowledge. These are all clearly defined in the PCI DSS standard and in the accompanying PCI DSS glossary. I’ve extracted the exact definitions below, but I’ll recap them here from the point of view of key management.
Dual Control means that no one person should be able to manage your encryption keys. Creating, distributing, and defining access controls should require at least two individuals working together to accomplish the task.
Separation of Duties means that different people should control different aspects of your key management strategy. This is the old adage “don’t put your eggs in one basket”. The person who creates and manages the keys should not have access to the data they protect. And, the person with access to protected data, should not be able to manage encryption keys.
Split Knowledge applies to the manual generation of encryption keys, or at any point where encryption keys are available in the clear. More than one person should be required to constitute or re-constitute a key in this situation.
What are the practical implications of these best practices and core concepts? One of the practical implications follows from a common fact of system administration. On all major operating systems such as Linux, Windows, and IBM System I (AS/400) there is one individual who has the authority to manage all processes and files on the system. This is the Administrator on Windows, the root user on Linux and UNIX, and the security officer on the IBM System i platform. In fact, there are usually multiple people who have this level of authority. In one study by PowerTech, the average IBM System i customer had 26 users with this level of authority!
That’s why storing encryption keys on the same system where the protected data resides violates all of the core principles of data protection, and that’s why we are seeing auditors and payment networks reject this approach. If you haven’t faced this issue yet, your day is probably coming. Now is the time to start planning on how to deal with the problem.
Over two years ago we saw this trend developing and took action to help merchants be prepared for proper key management. We created the Alliance Key Manager solution and released it to our partner channel in 2009. This year we released it for direct sale, and last week we received our FIPS-140-2 certification from NIST. Over 1,000 customers are now using AKM to protect their encryption keys with a solution that provably meets industry standards. Our encryption products have been updated to use this new key management solution, and we are moving customers forward to compliance. It’s been a long, hard slog to NIST FIPS-140 certification, but I think our customers will benefit from the effort.
I hope this has been helpful in clarifying key management best practices. For more information on PCI and key management, download our podcast titled "Key Management Best Practices: What New PCI Regulations Say." Please let us know if you have any questions.
---
From the PCI DSS version 2.0 Glossary:
Dual control
“Process of using two or more separate entities (usually persons) operating in concert to protect sensitive functions or information. Both entities are equally responsible for the physical protection of materials involved in vulnerable transactions. No single person is permitted to access or use the materials (for example, the cryptographic key). For manual key generation, conveyance, loading, storage, and retrieval, dual control requires dividing knowledge of the key among the entities. (See also Split Knowledge).”
Separation of Duties
“Practice of dividing steps in a function among different individuals, so as to keep a single individual from being able to subvert the process.”
Split knowledge
“Condition in which two or more entities separately have key components that individually convey no knowledge of the resultant cryptographic key.”
Source documents are available online at www.pcisecuritystandards.org
Posted by Patrick Townsend on Wed, Dec 15, 2010 @ 01:29 PM
One clear direction I’ve observed over the last few months is the focus of QSA auditors and other security professionals on the protection of sensitive data AFTER it traverses the Internet and then lands in a database on a hard disk drive. We have really good ways of protecting data in transit using 128-bit SSL encryption. For example, the web protocols HTTPS and FTPS provide for the ability to encrypt the data in transit, and Secure Shell SSH also provides strong encryption. But after the data reaches the end point of its journey it lands on a hard drive somewhere, and it is often exposed to loss at that point. I believe that’s why security auditors are putting a lot of emphasis now on making sure that data is encrypted when it hits a hard drive.
Many companies have implemented web services in combination with the XML data standard to take advantage of low cost, real time integration with their customers and vendors. When you combine the ubiquity of the web HTTPS protocol with the W3C XML standard you get a power incentive to use this platform for business integration.
But care should be given to what happens to data when it leaves the realm of encrypted transit and lands on server hard drives.
Of course, the right thing to do is encrypt sensitive data before it lands on the hard drive. This means that the tools you are using have to support encryption as a natural part of the process of converting XML data. Standard XML processing tools such as Xerces and Xpath do not have built-in encryption. The same is true for XML toolkits and APIs provided by IBM, Microsoft, and others. This leaves it to developers to try to intercept data after it is transformed from XML and before it lands in a database table or on a hard drive. That’s a real challenge.
In our Alliance XML/400 web services product on the IBM platform we built encryption right into the data transformation process about four years ago. Alliance XML/400 customers can protect sensitive data by just enabling the encryption option on a translation map. The solution does the rest. The data is encrypted before insertion into the database and there is no exposure as the data lands in the database on the hard drive. Our customers are taking advantage of this feature to meet PCI and other compliance regulations.
For non-IBM System i environments we now provide an easy way to retrieve encryption keys and perform encryption in a variety of development languages such as Microsoft .NET, Java, and C/C++.
Encryption can help protect against another common threat, too. At the annual PCI SSC standards council meeting in Orlando this year, forensics expert Chris Novak of Verizon talked about how more than 75 percent of data loss events begin with a well known weakness that hasn’t been patched, and half of these are based on SQL injection attacks. With SQL injection, the attack on your servers starts with bad data inserted into a database in the clear, leaving open a later exploit. There are ways to prevent SQL injection through programming techniques, but encryption will also help defeat them.
Will encrypting your data provide all of the security protection you need? Certainly not. I like to think of it this way: Wearing a parachute on a skydiving expedition is no guarantee that you won’t be hurt when you land. But that doesn’t mean you wouldn’t wear one, right? I think of encryption in the same way.
To view a replay of a recent webinar we presented on XML & Web Services, click here.
Patrick