Time for an old joke: during the war, an Italian spy was captured, tied to a chair, and interrogated -- unsuccessfully -- for hours. The spy’s captors finally gave up and threw the spy into a jail cell. Fellow prisoners were impressed and asked how the spy could withstand interrogation. The Italian replied, “Well, I wanted to tell them everything ... but I couldn’t move my hands!”
In the world of data security, keeping secrets is no joke. In espionage, your agent might be captured. In business, your data might be captured. Both are bad, whether you’re in Italy or anywhere else.
If your company collects, stores, or processes sensitive information, including payment data, personally identifiable information (PII), health records (PHI), etc., it has a legal obligation to protect it, as specified by a quickly evolving library of legislation such as the California Consumer Privacy Act (CCPA), Europe’s General Data Protection Regulation (GDPR), Brazil’s General Personal Data Protection Law, Japan’s Act on the Protection of Personal Information, and more.
Data Breaches in 2021
Like our Italian spy, your organization is partially constrained by external forces such as legislation and compliance. Beyond that, your organization is likely already devoting significant resources, including personnel, time, and effort, to learning the discipline of information security.
But as we welcome in the new year, and begin to look back on 2021, it is already clear that last year was another ‘good year’ for data thieves and malicious hackers. The frequency and size of data breaches continue to rise, and they have affected even the richest and most successful companies.
Here are just a few of the most prominent breaches in 2021:
- A 21-year-old hacker stole personal data from 50 million T-Mobile customers by exploiting an unprotected router.
- Researchers discovered that over 1 billion Apple products were vulnerable to spyware.
- Twitch was breached, and hackers stole an unknown quantity of personal data, payment information, and possibly source code.
- Attackers exploited 250,000 Microsoft Exchange Servers worldwide, which affected 30,000 organizations in the United States alone.
- The U.S. Department of Health and Human Services maintains a “Breach Portal” that details the loss of millions of personal health records from hundreds of companies in 2021.
Information Security Strategies
Information security is a deep subject, and there is always more to learn. In the world of e-commerce, some of the primary guidelines are set out in the Payment Card Industry Data Security Standard (PCI DSS), which details no fewer than twelve (12) technical and operational requirements. They serve as a baseline for an organization’s validation process during a compliance assessment.
Check out the Essential Guide to PCI DSS to help you navigate the nuance and complexities of protecting payments data with PCI DSS.
In this article on VGS data aliasing, it may be helpful to define three of the most common ways that businesses protect sensitive information -- encryption, tokenization, and aliasing -- and note the difference between them.
Encryption: the process of transforming original “plaintext” information into unreadable “ciphertext,” via a unique algorithm, which can be transformed back via decryption.
Tokenization: the process of substituting original “plaintext” data with a non-sensitive value, such as a random number, that can be systematically mapped back to the original data.
Aliasing: the process of replacing original “plaintext” data with a secure pseudonym for business operations, then replacing it with the original when required.
Each of these information security strategies is valuable for particular use cases, and any of them can help you to meet the security and compliance requirements of PCI-DSS, CCPA, GDPR, HIPAA, and more. However, each of these information security strategies is also a highly complex technology that is difficult to master and fraught with technical challenges – as witnessed by the data breaches cited above.
Here is another key point: if your entire solution, including your original data, resides on your corporate network, your data may be vulnerable to hackers, even if it has been encrypted, tokenized, or aliased. The reason is that all of your eggs are in one basket, so to speak: for example, the cryptographic keys are within reach of the encrypted data.
Long story short, sensitive information is vulnerable in its original, “plaintext” form at numerous points within your business operations, from the point of collection to your data vault, as well as during transfer and data processing. That is why all of these system components fall within the scope of your PCI-DSS requirements.
VGS Data Aliasing: A Superior Strategy
VGS offers a new and better option for corporate information security. Instead of sensitive data touching your network, VGS intercepts the data, stores it in an encrypted vault, and sends you an alias for it. Our aliases are unique IDs that retain all of the essential information about the original data, without compromising its security, keeping it safe from hackers, data thieves, breaches, and accidental leakage.
VGS aliases are like code names for a spy or pseudonyms for sensitive data. They can take the place of any type of data, and solve the puzzle of safely collecting and storing payment and cardholder data, including Primary Account Numbers (PAN), credit card numbers, Card Verification Numbers (CVN), personally identifiable information (PII), passwords, and Social Security Numbers (SSN).
How does VGS Aliasing Work?
VGS clients determine exactly what to alias – and how to alias it. Our platform works with many different file types (CSV, XML, JSON, regex, etc.), archives, encrypted data, and more. We can read protocols such as HTTP and SFTP, and even redact/reveal sensitive data in emails. For example, with a PDF, you can alias specific text, specific types of information, or simply the entire file.
Every VGS alias is unique and entirely opaque. Aliases retain no information about the underlying data (unless you choose to preserve part of the format, such as the last four digits). This is a critical aspect of VGS data security: you cannot decrypt a VGS alias via brute force, and there is no encryption key to leak. Your alias can only be transformed to its original value via secure VGS protocols and procedures.
You can choose between numerous alias formats. Our global alias works on all data types, from strings to arrays. Other basic formats include Generic, Payment Card, SSN, and Account Number.
With VGS aliasing, you can “fingerprint” your sensitive data. Every time you submit the same piece of sensitive data, in the same format, to the same VGS Data Vault, you receive the same alias in return. This means that you can do data correlation, analytics, and reporting with aliased data, just as you would with the original sensitive data.
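The properties described above (an opaque random alias, optional preservation of the last four digits, and the same alias returned for the same data, format and vault) can be sketched in a few lines. This is an added example, not VGS code or the VGS API: the `ToyVault` class, its method names, the `card_last4` format label and the `tok_` alias layout are assumptions made for illustration, and the card numbers are constructed test values.

```python
import hashlib
import hmac
import secrets
from collections import Counter


class ToyVault:
    """In-memory stand-in for a remote vault (hypothetical; not the VGS API)."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # stays inside the vault
        self._by_fingerprint = {}  # HMAC(format, value) -> alias
        self._by_alias = {}        # alias -> original value

    def _fingerprint(self, value, fmt):
        # Keyed hash: lets the vault recognise a repeat submission without
        # the alias itself being derived from the data.
        msg = fmt.encode() + b"\x00" + value.encode()
        return hmac.new(self._index_key, msg, hashlib.sha256).digest()

    def alias(self, value, fmt="generic"):
        fp = self._fingerprint(value, fmt)
        if fp in self._by_fingerprint:          # same value, format and vault
            return self._by_fingerprint[fp]
        suffix = ""
        if fmt == "card_last4":                 # opt-in partial format preservation
            digits = [c for c in value if c.isdigit()]
            if len(digits) < 12:
                raise ValueError("not a card number")
            suffix = "_" + "".join(digits[-4:])
        while True:                             # random body, retry on collision
            candidate = "tok_" + secrets.token_urlsafe(24) + suffix
            if candidate not in self._by_alias:
                break
        self._by_fingerprint[fp] = candidate
        self._by_alias[candidate] = value
        return candidate

    def reveal(self, alias):
        # A real service would authenticate and authorise the caller here.
        return self._by_alias[alias]


def purchases_per_card(vault, card_numbers):
    """Correlate repeat cards using aliases only (constructed sample input)."""
    return Counter(vault.alias(n, "card_last4") for n in card_numbers)
```

Because the alias body is random and the lookup index is keyed inside the vault, nothing held by the alias consumer can be brute-forced back to the original value; only `reveal` on the vault side maps it back.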
Interested in learning more about data security? Visit our Resource Library or Blog to see how aliasing sensitive data increases security and minimizes compliance risk. Or take a deep dive in our guide on VGS Aliasing Technology.
Data Security, Compliance, and Enrichment
With VGS as your trusted data custodian, your company does not have to store or protect sensitive data. Let VGS handle 100% of your sensitive data collection, transfer, encryption, and vaulting.
You can use VGS aliases for any business purpose, including complex operations and advanced intelligence. Your business opportunities quickly multiply, because you are not forced to work on raw, sensitive data. A prime example of data enrichment is VGS Payment Optimization.
VGS aliases are a core component of our Zero Data™ Platform, which offers your company numerous benefits, including:
- Descope your technical environments
- Retain full control of your data
- Operate on sensitive data without possessing it
- Shift the liability for data security to VGS
- Inherit our best-in-class security posture
- Mitigate the risk of a data breach
- Increase your level of PCI-DSS compliance
- Save up to 75% on data security costs
VGS saves its customers a mountain of time, personnel, budget, and effort, which otherwise must be devoted to mastering the discipline of information security. With VGS, you can devote all of those resources to growing your business!