Encryption and CISP, GLBA, HIPAA, etc.
While this section was originally written for VISA online credit card merchants, it is relevant to anyone who is concerned about data security. This includes anyone who is trying to come into compliance with many other current and coming guidelines such as HIPAA, GLBA, SDP, etc.
VISA has been in the forefront of data protection and information security with their 12-point Cardholder Information Security Program guidelines (CISP). (PDF)
We believe that Encryptionizer will be an important tool for merchants trying to come into compliance with the Cardholder Information Security Program. This is because of its strong encryption, ease of use and low administrative overhead.
The Cardholder Information Security Program guidelines include requirements that data is encrypted while stored and when sent across open networks. We have created this document to discuss and illustrate how NetLib Encryptionizer can address CISP Requirement 3 and Requirement 4 in those guidelines.
CISP Requirement 3: Encrypt Stored Data.
This CISP requirement may be among the most difficult for merchants to comply with. While there are hundreds of products that can generally be described as encryption software, most lack one or more of the requirements outlined in CISP Requirement #3. Most require that the user decrypt the files before they are used, making the products unsuitable for large files, and leaving files unprotected while in use or after a sudden program crash. Many require that the user memorize and enter a file password (in addition to their login password), further compromising security and making the product suitable only for a single user. Other products require extensive program modifications, which is a problem if the merchant doesn't have source code or if the developers are long gone. Still others require such elaborate administration that they end up going unused, or even worse, not maintained as people come and go in the organization.
We believe that NetLib Encryptionizer provides the best fit for merchants running applications on Microsoft platforms who are looking to become compliant with VISA CISP Requirement #3.
Cryptographic systems must not rely upon any one particular approach.
It might seem curious to list as one of the advantages of Encryptionizer that it does not stop the merchant from using other techniques at the same time. However, NetLib Encryptionizer is completely seamless, requires very little administration, and requires no changes to the merchant applications. Most other techniques require extensive modification of programs and/or extensive administration. NetLib's design allows merchants to use it on its own, or in combination with any other techniques they choose to employ. The fact that it requires no program changes and little or no administration makes it an attractive addition to a merchant's security arsenal regardless of the level of their expertise.
In addition, Encryptionizer allows the administrator the flexibility to change the keys on any or all of the encrypted files. So, for example, company policy might dictate that keys be changed every month during a standard maintenance cycle.
Cryptographic processing isolation must ensure that no secret data can be disclosed.
There are a number of points in cryptographic processing at which keys or data can be unintentionally disclosed. The weakness of most conventional file encryption products, other than Encryptionizer, is that files must be decrypted on the media before they are used. While this may be suitable for very small files or single-user systems, it is not suitable for a large database application with many users, as files are unprotected whenever they are in use. (Some encryption products try to mask this by decrypting files into a "hidden" directory.) With NetLib Encryptionizer, files are always encrypted on physical media (e.g., hard drive, CD, tape, etc.). NetLib decrypts data only in RAM and only the data that the application (*) requests. Data is re-encrypted if and when it is written back to media. Thus, data is always protected and the degradation in performance is negligible.
Another source of accidental disclosure of data is through "temporary" or "work" files created when generating reports, running queries, etc. Even if the original data files are encrypted, these temporary files are almost always cleartext, and often are not deleted, especially if the application terminates unexpectedly. NetLib Encryptionizer allows you to specify that all such temporary files are automatically encrypted. This way, even if the application crashes or neglects to delete the files, data is still protected.
Finally, NetLib always encrypts keys on disk, and immediately garbles or erases keys in RAM.
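The behaviour described in this section (ciphertext on disk, plaintext only in RAM, work files protected by the same layer, keys wiped after use) and the key rotation mentioned under the previous heading can be illustrated with a small model. The following is an added example written for this page; it is not NetLib's code and does not show how Encryptionizer is implemented. The cipher is a constructed HMAC-SHA256 counter-mode keystream used only so the example runs with the Python standard library; the `EncryptedVolume` class, file layout (16-byte nonce header) and `demo` function are all assumptions made for illustration.

```python
"""Toy transparent-encryption layer (added example, not NetLib's code).

Every write through EncryptedVolume lands on disk as ciphertext; every read
returns plaintext that exists only in memory. Temporary files written through
the same layer are therefore protected even if they are never deleted.
"""
import hashlib
import hmac
import os
import secrets
import tempfile

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed keystream: HMAC-SHA256(key, nonce || counter), for illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedVolume:
    """All paths accessed through this object hold ciphertext on disk."""

    def __init__(self, key: bytes):
        self._key = bytearray(key)  # bytearray so it can be overwritten on wipe()

    def write(self, path: str, plaintext: bytes) -> None:
        nonce = secrets.token_bytes(NONCE_LEN)  # fresh per write, stored in the header
        body = _xor(plaintext, _keystream(bytes(self._key), nonce, len(plaintext)))
        with open(path, "wb") as f:
            f.write(nonce + body)

    def read(self, path: str) -> bytes:
        """Decrypts only into RAM; the file on disk is never rewritten in clear."""
        with open(path, "rb") as f:
            blob = f.read()
        nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
        return _xor(body, _keystream(bytes(self._key), nonce, len(body)))

    def rekey(self, path: str, new_key: bytes) -> None:
        """Key rotation: decrypt with the old key in RAM, write back under the new key."""
        EncryptedVolume(new_key).write(path, self.read(path))

    def wipe(self) -> None:
        """Overwrite the key material held in memory."""
        for i in range(len(self._key)):
            self._key[i] = 0


def demo() -> dict:
    """Runs the scenario from the text and reports what is observable on disk."""
    record = b"account=TEST-0001;status=active"  # constructed sample record
    key, new_key = secrets.token_bytes(32), secrets.token_bytes(32)
    vol = EncryptedVolume(key)
    with tempfile.TemporaryDirectory() as workdir:
        data_file = os.path.join(workdir, "db.dat")
        tmp_file = os.path.join(workdir, "report.tmp")
        vol.write(data_file, record)
        # A report job writes a work file through the same layer and then "crashes"
        # without deleting it: the leftover file is still ciphertext.
        vol.write(tmp_file, record.upper())
        with open(data_file, "rb") as f:
            on_disk = f.read()
        with open(tmp_file, "rb") as f:
            tmp_on_disk = f.read()
        results = {
            "plaintext_on_disk": record in on_disk,
            "tmp_plaintext_on_disk": record.upper() in tmp_on_disk,
            "read_back_ok": vol.read(data_file) == record,
        }
        vol.rekey(data_file, new_key)  # monthly rotation from the text
        vol.wipe()                     # old key no longer present in RAM
        results["old_key_wiped"] = bytes(vol._key) == bytes(32)
        results["new_key_reads"] = EncryptedVolume(new_key).read(data_file) == record
        results["old_key_fails"] = EncryptedVolume(key).read(data_file) != record
    return results


if __name__ == "__main__":
    print(demo())
```

`demo()` returns a dictionary of checks: the record never appears in clear in either file, the temp file left behind by the "crashed" job is ciphertext, and after rotation only the new key decrypts the data. Wiping a `bytearray` is the closest the standard library gets to erasing a key from memory; interpreter copies may still exist, which is why the text's claim of immediate erasure is a property of native code rather than something Python can guarantee.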
Use Triple-DES encryption or other strong cryptography.
Encryptionizer currently uses AES, DES or Triple DES with a key length of up to 256 bits. These are industry standard algorithms used by banks and other financial institutions.
Use only approved devices to process cryptographic material, such as keys.
Encryptionizer is very flexible as to the method of key delivery. It is currently a software-only mechanism that stores keys in a strongly encrypted file, or in an encrypted registry entry. The design of Encryptionizer easily allows the integration of new key delivery methods, such as PKI or "smart cards". If you are interested in these alternate key delivery methods please contact us.
Don't store keys in a public place.
One of the most important features of NetLib Encryptionizer is that it does not require users to know or enter the data keys. Only the administrator originally encrypting the files needs to know the key (or administrators in the case of "dual control"). Therefore, there are no keys to lose or compromise.
Ensure all cryptographic systems conform to applicable international and national standards.
Currently, Encryptionizer is a software solution using industry-standard encryption algorithms and techniques. However, the design of Encryptionizer easily allows the integration of new key-delivery and encryption methods, including through hardware such as smart cards.
Best Practice – Use "Split Knowledge" or "dual control" to preserve system security.
Encryptionizer includes an optional SSP feature (secret sharing protocol) for maximum password protection. Two different administrators can choose half of a file's encryption key without letting the other know their half.
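To make the "split knowledge" idea concrete, here is an added example of a 2-of-2 key-assembly scheme; it is not NetLib's SSP implementation and the page does not say how Encryptionizer combines the two halves. The example assumes XOR combination of two full-length shares, which is the classic construction in which one share on its own is statistically independent of the key, plus a short HMAC key-check value (assumed, with the constant label `kcv`) so that a later unlock can confirm the right pair of shares was presented without the key itself ever being stored.

```python
"""2-of-2 split knowledge (added example, not NetLib's code)."""
import hashlib
import hmac
import secrets

KEY_LEN = 32
KCV_LABEL = b"kcv"  # constructed label for the key check value


def make_share() -> bytes:
    """Each administrator runs this privately and keeps the result to themselves."""
    return secrets.token_bytes(KEY_LEN)


def assemble_key(share_a: bytes, share_b: bytes) -> bytes:
    """File key = share_a XOR share_b.

    Because each share is uniformly random and full length, a single share
    carries no information about the key: for any key an attacker might guess,
    some value of the other share would produce exactly that key.
    """
    if len(share_a) != KEY_LEN or len(share_b) != KEY_LEN:
        raise ValueError("shares must be full-length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def key_check_value(key: bytes) -> bytes:
    """8-byte tag stored with the encrypted file; it does not reveal the key."""
    return hmac.new(key, KCV_LABEL, hashlib.sha256).digest()[:8]


def unlock(share_a: bytes, share_b: bytes, expected_kcv: bytes) -> bytes:
    """Both administrators present their shares; refuse if the pair is wrong."""
    key = assemble_key(share_a, share_b)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise PermissionError("shares do not reconstruct the file key")
    return key


def share_is_consistent_with_key(share: bytes, candidate_key: bytes) -> bool:
    """Given one share, could candidate_key be the real key? Always yes: the
    missing share would simply be candidate_key XOR share."""
    other = bytes(a ^ b for a, b in zip(share, candidate_key))
    return assemble_key(share, other) == candidate_key


def dual_control_demo() -> dict:
    share_a, share_b = make_share(), make_share()  # chosen independently
    key = assemble_key(share_a, share_b)
    kcv = key_check_value(key)                     # recorded at encryption time
    results = {"both_shares_unlock": unlock(share_a, share_b, kcv) == key}
    try:
        unlock(share_a, make_share(), kcv)         # second admin absent, guess substituted
        results["wrong_share_rejected"] = False
    except PermissionError:
        results["wrong_share_rejected"] = True
    results["one_share_is_not_the_key"] = share_a != key and share_b != key
    results["any_key_possible_given_one_share"] = all(
        share_is_consistent_with_key(share_a, secrets.token_bytes(KEY_LEN))
        for _ in range(5)
    )
    return results


if __name__ == "__main__":
    print(dual_control_demo())
```

The point the demo makes is the one the text relies on: neither administrator's half is usable on its own, a wrong pairing is detected before any data is touched, and an administrator who leaves takes no usable secret with them, which is what makes the "dual control" best practice worth the extra ceremony.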
(*) The "application" is SQL Server, in the case of Encryptionizer for SQL Server, or the desktop application, such as MS Access, in the case of Encryptionizer DE.
