Encryption: What, Why and Especially How
Since January, critics of the Heartland Payment Systems data breach have called out for tougher encryption standards for financial institutions and their third-party service providers. Applications for encryption are all around us from encrypting email traffic to board communications, remote access and mobile & Internet banking.
In an exclusive interview, Matthew Speare of M&T Bank discusses his webinar on the topic, touching upon:
Speare oversees security for M&T Bank Corporation, the nation's 17th largest bank holding company, based in Buffalo, New York. He is responsible for developing and sustaining an information risk program that effectively protects the personal information of millions of M&T Bank customers. His responsibilities include information security management, IT compliance and risk management, corporate emergency and incident response, and business continuity management. Matt is also a Major in the Army National Guard, serving as the 42nd Infantry Division Aviation Operations Officer, and is an AH-64 Apache Attack Helicopter pilot.
TOM FIELD: How important is encryption to banking institutions in general, and to yours in particular, these days?
SPEARE: There have been a couple of regulatory changes in the last few years that really have driven the adoption of encryption. Certainly, encryption is not new. However, the solutions around encryption were very much point solutions, and didn't look at a holistic environment. What we have seen with the FFIEC change in the rules deals with the only national notification rule around security breaches. If you feel, as an institution, that your encryption methodology for a lost item mitigated that risk, you don't have to get in the notification business. Banking is a trust relationship, and so you do not want to be on the front pages of a newspaper that says you lost 10,000 customer records on a laptop that was stolen. It has been an opportunity for the solution to become more holistic overall. We want to do everything that we can to protect customer information from falling into the wrong hands. And encryption is a key driver in allowing that to occur.
FIELD: What are some of the trends that you are seeing in banking? What are institutions choosing to encrypt?
SPEARE: Bank institutions as a whole have gotten a lot smarter about being able to lay out a data classification methodology that makes sense and is workable. What are the key data elements that you need to protect under the law? And if you are a credit card processor or provider or issuer, do you also have PCI requirements? Being able to map those out, where they exist and how are they transported in an environment is very important. It is also important to take the time to nail down the types of environments that you have to encrypt, as well as the transport mechanisms. One thing that has been overlooked is e-mail. E-mail has become so ubiquitous over the years that everyone gets used to operating and e-mailing spreadsheets around that may or may not have nonpublic personal information in it. You need to make sure that you have encryption mechanisms for those as well. We are all spending a lot more time, effort and money in encrypting anything that is going to leave our environment. This allows us to have a high level of assurance that if something is lost in transport, we are not going to have to turn around and start notifying customers about a loss of financial information.
FIELD: What would be an area where you would make the decision to encrypt or not?
SPEARE: Take backup tapes, as an example. We all use them. We back up our systems and then we use a service, like Iron Mountain or others, to safeguard those tapes offsite, so that if something happens to one of our facilities we can at least get to the data and rebuild our systems, as well as customer information files. But every time they leave your doorway, you are no longer in control of them. A prime goal is the ability to encrypt those tapes before they actually leave the environment and then decrypt them when they come back in.
FIELD: What are the key issues dealing with encryption that you are going to attack in your webinar?
SPEARE: I want to build and lay out a framework that allows an institution to build the foundation of policy and process around encryption and where it is appropriate. I want to layer through the ways of being able to segment data, and then, what solutions are possible. What are some of the pitfalls of going with point solutions and not looking at it holistically? You will find one piece of data that you need to encrypt and you are going to find that same piece in a lot of other spots that you weren't expecting as you are cataloguing. Where does your data reside?
FIELD: With the Heartland Payment Systems breach, encryption has come up in conversations a whole lot more. What would you advise institutions that are starting to take a more serious look at encryption now? Where should they start?
SPEARE: Number one is to do a risk ranking of the types of data you have in your environment, where you believe it occurs, and then prioritize what you need to go after, based upon what the potential risks are for your organization. Where do you have high concentrations of data, private or confidential, that you need to protect? Otherwise you'll get in trouble with the regulators and with your customers. You want to go after those first. Go for that low-hanging fruit. Then build upon the process that you are working on, go through and continue to prune the tree back. Develop a process to go through, so that every time you're bringing in a new system, you are applying consistent encryption standards to that overall framework.