Vaas: There're so many layers of ironic and nasty it's hard to even bite into that pie.

Greenberg: It is, but it points to the core of the issue, which is that while this initiative is good, PIRG is good, what has been done here is good. We are using technologies to manage an individual's identity and their attributes that do not scale to the networked world that we are in. Numbers in the clear, long strings of credit card numbers and the like don't work ultimately within our infrastructures. So there is technology out there that solves a lot of these issues in the form of smart cards and, you know, Unisys has deployed more smart cards worldwide, I mean, to entire countries, so, you know, we have an investment in that. But that type of technology solves this problem by holding your identity in a cryptographic safe and only proving that you have something in that safe but not divulging what's in it. That's the basis of public key infrastructure, PKI. And that's what provides a way through this. But from the credit card companies all the way through to Social Security and so forth, business decisions have been made which use your Social Security number not a smart card; a credit card number not a smart card.

Vaas: Just this week I was filling out a medical form that asked for my Social Security number as an identifier. I can't even count how many times I just write, "why?"

Greenberg: And they want to take it for insurance purposes. It's what the insurance companies use. This data is spread everywhere. How are we going to herd the cats now? We're not going to get the smart card infrastructure we need out there. What are new technologies and new things that we can do on the retail side, on the commercial side, on the government side? One of the things we're working on, and actually have available, is a content loss and privacy management service offering which uses new technologies which crawl and intercept the movement of data through an infrastructure down to a USB thumb drive. As it moves through the infrastructure, it looks at the velocity of data, watches it and determines if data that shouldn't be there is there, and if it is there, it stops it. So, for example, imagine an agent that intercepts data, intercepts your ability and prevents you from copying over a file onto a thumb drive that has Social Security numbers but will let you copy to your thumb drive your calendar.

Vaas: What else can businesses do to ensure they're not turning into TJX?

Greenberg: Given the current confines, I mean, adhering to Visa PCI is important. I would encourage them to not just try to get compliance, but to try to get at the meaning of it. Let me give you an example: Visa PCI, which is a standard that the credit card issuing companies have said you must follow in varying degrees if you handle credit cards. Visa PCI has a requirement in there for an intrusion detection system. It says thou shall put an IDS or an Intrusion Detection System in your infrastructure. I can't tell you how many times I've seen Intrusion Detection Systems placed on a segment that has no meaning. But it's there. I've actually seen IDSs deployed, again, outside of Unisys. I'm relatively new to Unisys; I've only been here for three months. IDSs need to be placed, you know, you need to not just be compliant, you need to be meaningful in your security because Visa and increasingly the states now, the states are now requiring PCI compliance and putting laws in that put the liability down to the retailer or the merchant. So, if you argue compliance, but it is proven that there was gross negligence or a misrepresentation you will, you can be held liable. So what you need to do is put a quality program in place along with your PCI compliance that says I'm not just getting the check mark, how effective is it? Do some tests. Determine what you can detect or not detect. Try to move data in and out of the organization in a way that shouldn't be and see what happens.