Prime Factors Blog

The Fall of Rome, Home Depot, and Key Drivers for PCI Tokenization

Posted by Jeff Cherrington on Sep 5, 2014 9:49:00 AM

I have a small hobby (or character fault, take your pick) of comparing the current challenges of data protection with significant historical events and trends. The same fundamentals of human nature that impacted the world in the past are still present today. The number of large scale organized data breaches of significant retail and financial institutions, including the most recent alleged breach of retailer Home Depot, has an amazing parallel to the fall of the Roman Empire.


Consider the following contributors to that fall:

  • The empire centralized large hoards of wealth collected from its expanse into walled cities, with the capital Rome the largest and wealthiest
  • The barbarians who ultimately overthrew Roman rule had been invited into the empire out of its need for additional sources of income and labor
  • They were given access to the environs of the empire right up to and, in some cases, even within the walls of the large Roman cities
  • The Roman empire had grown so large that its communications, decision making, and coordinated action were difficult to maintain

Anything in that list sound like parallels to the large enterprises and their data management today?

  • Wealth, in terms of electronic data such as Personally Identifiable Data (PII) and payment card data (literal access to consumers’ funds), are aggregated into centralized enterprise data stores
  • The enterprises place great reliance on the logical walls placed round their perimeters – firewalls, IDS, IPS, etc. – for protection of this wealth of data
  • At the same time, enterprises are working hard to ensure that it is easy for third parties (“barbarian” generally in this example) to have access to their electronic systems both for the purposes of increased revenue (online marketing and sales) and labor (taking advantage of the global economy for the lowest costs of the resources required)
  • The most appealing targets to today’s cyber-criminals are the largest enterprises holding the largest caches of centralized easily resalable data while having the most complex and unwieldy infrastructure for securing it

The recent Target data breach seems to be a perfect example of this. While all details are not public, the consensus is that the credentials of an outside third party contractor (a “citizen barbarian”, if you will) were obtained by malicious cyber barbarians. That group then used the credentials to gain access inside the electronic walls of the retailer. They then proceeded to extract the company’s wealth, in the form of sensitive data that can be easily sold on black markets. The employees and stockholders of Target, Home Depot, and other targets of such attacks can only be thankful that, unlike historical parallels, these attacks were bloodless, in the literal sense. While each breached organization may see impact on valuation, the “empires” of the retailers are not expected to completely fall.

So what value does this overwrought metaphor have for data protection professionals working with retailers and financial institutions? One clear thought is that aggregated high value data will always draw the interest of “barbarians” – those outside the enterprise who seek to gain wealth with the lowest investment of effort. This is a historical constant of human nature that is not likely to change. Second is that complexity is the enemy of security, and leaving fungible data broadly available throughout the enterprise increases risk. Third is that, while enterprises must have expansive practices for hiring personnel for reasons both economic and of equal opportunity, access to valuable data is best limited to only those who have absolute need for access to it.

Combined, these become key drivers for PCI tokenization to reduce the attack surface of amassed sensitive, easily sold data. Just as there is a need to protect data exchanged between organizations with tokenization, tokenization can be applied internally within enterprises to reduce the attack surface exposed to cyber-barbarians. With tokenization, sensitive PII and payment card data elements are replaced with non-sensitive surrogates that look  like the values they replace. These surrogates, however, have no intrinsic or extrinsic value, cannot be used with the payment networks and, consequently, have no interest to data thieves. Once tokens have replaced sensitive data in the infrastructure, the complexity of protecting that data declines radically. The effectiveness of any effort spent protecting the smaller collection of valuable data goes up in ratio.

This is one take on the parallels that might be drawn between the current challenges of data protection and historical events. What other historical parallels do you see?

Learn more about security analyst Securosis' thoughts on the key drivers for PCI tokenization by clicking on the image below.

Download paper to learn more about key drivers for PCI tokenization