"A number of the other products we explored required you to modify your applications in order to use them and that was something we definitely wanted to avoid. We also wanted to avoid having to do any additional development. The Sybase Encryption Option did not require that."
Larry Gillen, Principal Systems Database Administrator, Phoenix Newspapers
Phoenix Newspapers publishes a variety of information products in Arizona. A pioneer in the electronic publication field, Phoenix Newspapers adopted an early client-server architecture leveraging the strengths of Sybase Adaptive Server Enterprise (ASE). ASE is the heart of the newspapers' IT enterprise, powering its circulation system, accounts receivable and retail advertising applications. With many sensitive data elements in its databases and the requirements brought by regulatory changes (Sarbanes-Oxley, Payment Card Industry), Phoenix Newspapers implemented the Sybase ASE Encryption Option.
Phoenix Newspapers has been able to protect the sensitive personal information stored in its databases in a way that doesn't interfere with the running of the business.
Achieves compliance with the regulatory requirements quickly and without disrupting business operations
Ensures ongoing customer trust by protecting sensitive data
Securing Sensitive Personal Data for Millions of Customers
Over 218 million data records of U.S. residents have been exposed due to security breaches since January 2005, according to The Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization. Determined to protect cardholders' sensitive personal and financial data, VISA and MasterCard International created the Payment Card Industry Data Security Standard (PCI DSS). This standard comprises 12 requirements that must be met by merchants and service providers that store, process or transmit cardholder data. Failure to comply with these requirements can result in substantial financial penalties and even revocation of the right to accept credit card payments. More important still, companies that have failed to protect themselves against data breaches have experienced a loss of trust among their customers and business partners and have seen their reputations tarnished.
Key among the PCI DSS requirements is the responsibility of merchants and service providers to protect cardholder data – specifically to protect stored data and to encrypt transmission of cardholder data and sensitive information across public networks.
Phoenix Newspapers is an information company publishing content in both print and on-line editions with primary business operations in Phoenix, Arizona. To comply with the PCI DSS, Phoenix Newspapers needed to find a way to encrypt data residing in its business systems. This data represents newspaper subscriber and advertiser information.
As a pioneer in the electronic publication field, Phoenix Newspapers adopted an early client-server architecture leveraging the database strengths of Sybase Adaptive Server Enterprise (ASE). ASE powers Phoenix Newspapers' circulation, advertising and accounts receivable systems. It was in the context of this infrastructure that the company addressed the PCI DSS security requirements.
"Compliance with PCI DSS was never an option for us, it's an imperative," says Jon Van Treese, Phoenix Newspapers' senior manager of IT Operations and Infrastructure. "Our challenge was to encrypt the data elements that needed to be encrypted and to do that quickly and effectively with as little impact on day-to-day operations as possible. We wanted a solution that we could install on the server or within our databases – a solution that would handle the encryption without our having to modify our applications."
"Sybase Adaptive Server Enterprise Encryption Option – The Best Solution for Us"
Phoenix Newspapers researched a number of encryption solutions including products from Protegrity and RSA. "Of course, having been a Sybase customer for more than 10 years, we also looked at Sybase's encryption solution for ASE," says Van Treese.
"I think it's fair to say that we looked at every possible option and concluded that the Sybase Adaptive Server Enterprise Encryption Option was the best solution for us," explains Larry Gillen, principal systems database administrator at Phoenix Newspapers. "A number of the other products we explored required you to modify your applications in order to use them and that was something we definitely wanted to avoid. We also wanted to avoid having to do any additional development. The ASE Encryption Option did not require that."
Sybase ASE's Encryption Option provides several distinct advantages for protecting data:
It requires no application or schema modifications, which means that data encryption can be implemented quickly without disturbing existing implementations.
It has intrinsic key management for easy management and protection of encryption keys from unauthorized access by internal and external users.
It features a permission-based system for access control.
It uses column-based encryption, which makes it easy to encrypt sensitive personal information (such as social security numbers) without having to encrypt less sensitive data (such as the state in which a customer resides), which minimizes the performance impact.
Straightforward and Seamless Implementation
"Implementing the ASE Encryption Option was fairly straightforward and seamless," Gillen explains. "It was just a matter of doing an upgrade to our ASE server and applying the latest patches. Next we assigned permissions, specifying which users would be allowed to decrypt the protected data. The final step was pointing our applications at the upgraded databases and the implementation was complete."
Phoenix Newspapers first implemented the Sybase ASE Encryption Option in a test environment. It tested the solution over a period of about a month, during which time it experienced no problems. Finally, the ASE Encryption Option was put into production. Gillen describes the process: "Implementing ASE encryption into production was smooth and painless. We performed the implementation during a pre-scheduled four-hour maintenance window. However, the process took us less than two hours to complete."
From an application perspective, the implementation was transparent. End users didn't notice a thing.
Sybase Enables Compliance with PCI DSS Standard
For Phoenix Newspapers, it was critical that it comply with the PCI Data Security Standard. This was not only because of the downside consequences set forth by the credit card industry in the event of non-compliance, but because the company values its customers, and is committed to protecting their personal information.
"We've been using ASE for a long time, and we've been very satisfied with its performance and functionality," says Van Treese. "So, it really hasn't surprised us that the Sybase ASE Encryption Option has been highly reliable and effective as well. We've been able to protect the sensitive personal information stored in our databases and to do it in a way that doesn't interfere with the running of our business. Our systems are operating efficiently with less than one percent unscheduled downtime. Based on our experience, we would definitely recommend the Sybase ASE Encryption Option to other organizations that need database encryption."