
IT Compliance Institute, December 14, 2004:

Trends and Technologies

Data Compliance? ZIP It Up

The challenges of data protection must include all levels of competency in the chain of deployment.

By Mathew Schwartz

When it comes to meeting regulatory-related data security requirements, should companies just zip it? In fact, some companies are using a new, secure ZIP format from Milwaukee, Wis.-based PKWARE Inc. to meet compliance requirements.

The company’s founder, Phil Katz, invented the ZIP format in 1986. Since then, it’s become ubiquitous, with the latest Microsoft and Macintosh operating systems including the built-in ability to compress and open files using the ZIP format.

The latest product, SecureZIP Server, which includes RSA’s BSAFE, can automatically encrypt data, hash verify, and digitally sign ZIP files, or just secure them with passwords. It also ties into antivirus to vet incoming ZIP files. In other words, companies can ZIP their compliance problems away. To learn more, ComplianceNOW spoke with Steve Crawford, chief marketing officer at PKWARE.

What does the regulatory landscape look like for securing data?

You’ve got regulations dealing with data integrity—Basel II, Sarbanes-Oxley. You’ve got regulations dealing with the confidentiality of the data—HIPAA and the Gramm-Leach-Bliley Act. And you’ve got similar types of drivers at the state level, with California getting into the act. So the number of regulatory drivers is growing.

And I’ve even heard analysts saying this will be the new Y2K for organizations … Well, to a certain extent, [today’s regulations] will be far more far-reaching, because this has to do not only with the technology, but also the process side of things.

So because of things like this, data protection—integrity of information—is becoming a much more important issue with companies: …knowing financial data, for example, hasn’t been changed, as well as the confidentiality—that only people with the need to know have access to information.

How big a shift is this shift to data protection?

There’s actually a recent report from Gartner that says “by 2006, 40 percent of enterprise security spending will be directed toward content security issues, not perimeter security.”

What challenges do organizations face as they transition?

Some challenges are ease of use and interoperability across different platforms. But probably the harder nut to crack is interoperability outside of the organization itself. How do you exchange data securely with partners when you have little or no control over outside partners?

Take HIPAA. Some of the challenges are, you have lots of different types of organizations and a huge range of competencies when it comes to skills and usability as an organization. As an example, you might have a large hospital, and the hospital might want to secure the results of a blood test and transmit the information to your insurer … and maybe your physician. While your hospital may have secured its systems, your typical doctor is probably running his practice, if he has one, on AOL or Hotmail … and tends to be very technology averse. So the question is, how do you deploy a data protection solution not only to partners but also to people who don’t have the same level of sophistication in their environment?

To solve this problem, are organizations evaluating overall return on investment, or looking for a quick fix?

It’s more of the latter. It’s funny—we originally played up the benefits of compressing data over the encryption process. [Yet] as we’ve spoken to director-level folks, they say … "My users already use ZIP products. They’re easy to use. I’ve probably never had to train them to use PKZIP or WinZip on the desktop." Ninety-five percent of all corporate desktops and 25 percent of all corporate data centers use ZIP.

So I’ll come back to HIPAA as an example. Before, I saw a lot of attempts to deploy very expensive and sophisticated solutions, and they never really got off the ground. We’re seeing now a lot of customers who are taking SecureZIP and deploying this. … It’s pragmatic, and easy to deploy and use.

Do you have any customer examples?

We have a large credit-card processor. They have something like 700,000 merchants they’re sending transaction reports to on a daily basis. A key driver for them was Visa’s CISP. (The Cardholder Information Security Program mandates how organizations store, process, or transmit cardholder information.)

So what they’ve done here is, they’ve got a central server, and [using SecureZIP] on a daily basis it e-mails out transaction reports to merchants, simply using password encryption, via RSA BSAFE. Then for deploying, we have a free ZIP reader utility, ZipReader. … This allows an external recipient to not only receive it but also to decrypt a digital signature if it was signed. Now in phase two of this, they will migrate the solution [to] use digital certificates to encrypt the files they’re sending out to merchants.

So is the credit-card processor rolling out PKI?

The neat thing about this is they didn’t have to do full PKI to get the full benefits … but as they roll out PKI, they can then implement the digital certificate version, or even run in mixed mode. Today there’s a need to do long-term archiving of information, so they’ve also deployed that. … They’ve also rolled out PKZIP onto desktops so they can do ad hoc security of files being transferred to merchants over e-mail.

How much smaller are encrypted ZIP files than normal files?

Typically you’re seeing compression ratios that are up around 50 percent, and again your mileage will vary by file type … even with strong encryption … Now typically with strong encryption you’re having four or five times the overhead; with SecureZIP, you don’t have that.

How do you avoid the overhead?

Because we’ve built the whole encryption process into the compression process itself, so you’re actually encrypting the information after you compress the information.
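The ordering Crawford describes, compress first and encrypt the compressed bytes, shown as an added example that is not PKWARE's or SecureZIP's code: a constructed merchant transaction report is processed in both orders and the resulting sizes compared. The stream cipher is a SHA-256 counter-mode stand-in so the script runs offline; it is not AES or RSA BSAFE, and the report data is made up.

```python
import hashlib
import os
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher for the demonstration only: SHA-256 in counter
    mode supplies the keystream, which is XORed onto the data. Output length
    equals input length, so any size difference comes from compression alone."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        ks = hashlib.sha256(key + nonce + counter).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def compress_then_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """The SecureZIP ordering: deflate the data, then encrypt the deflated bytes."""
    return keystream_xor(key, nonce, zlib.compress(plaintext, 9))


def encrypt_then_compress(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """The reverse ordering: ciphertext looks random, so deflate cannot shrink it."""
    return zlib.compress(keystream_xor(key, nonce, plaintext), 9)


def decrypt_and_decompress(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Inverse of compress_then_encrypt; XOR is its own inverse."""
    return zlib.decompress(keystream_xor(key, nonce, blob))


def size_report(plaintext: bytes, key: bytes, nonce: bytes) -> dict:
    """Sizes in bytes for each ordering, so the overhead difference is visible."""
    return {
        "plaintext": len(plaintext),
        "compressed_only": len(zlib.compress(plaintext, 9)),
        "compress_then_encrypt": len(compress_then_encrypt(key, nonce, plaintext)),
        "encrypt_then_compress": len(encrypt_then_compress(key, nonce, plaintext)),
    }


# Constructed sample: a daily transaction report of the kind the interview
# says is e-mailed to merchants. Entirely synthetic, no real merchants or cards.
SAMPLE_REPORT = b"".join(
    b"2004-12-14,MERCHANT-%05d,TXN-%08d,APPROVED,%d.%02d\n" % (m, t, t % 900 + 10, t % 100)
    for m in range(20)
    for t in range(m * 50, m * 50 + 50)
)

if __name__ == "__main__":
    key, nonce = os.urandom(32), os.urandom(16)
    for name, size in size_report(SAMPLE_REPORT, key, nonce).items():
        print(f"{name:>22}: {size} bytes")
```

A real cipher adds a fixed per-file cost (IV, salt, authentication tag) on top of the compressed size; the point the interview makes is that this cost is constant, whereas encrypting before compressing forfeits the whole compression gain.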

Do regulated organizations face an impending data-storage boom?

Sarbanes-Oxley is going to drive people to need to archive a lot more information than they typically would have had to in the past. We’re seeing companies that are wanting to archive all of their e-mail for the past seven years, so that’s a huge amount of storage people will be doing as part of these regulatory drivers.

Are there any drivers for using this particular type of secure encryption?

Some of the key issues are around usability. It’s funny—with regulations such as Sarbanes-Oxley and HIPAA, they’re all technology-neutral. They don’t come out and say thou shall encrypt, or thou shall sign. What they do set is very broad, and for IT organizations, that’s a challenge. Sometimes they’re too broad and open to interpretation. … So how do I implement them into practice?

What we’re finding is people … don’t want to just have a point solution. And when I say solution, it’s a combination of security policy, technology, and training. The drivers are, how do I ensure the confidentiality of key information, how do I ensure the data hasn’t been altered, then obviously how do I do this efficiently in a way that isn’t going to require me to do a complete revamp of my IT storage side?

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.