Jointly owned by the Bulgarian National Bank and the country’s major commercial banks, Borica-Bankservice AD develops and maintains the primary IT infrastructure for the Bulgarian payment industry. It focuses on ensuring high-quality and innovative disbursement services for retail and card payment transactions. A component of this responsibility involves interfacing with global card providers, such as MasterCard, Visa, and American Express.
As well as being a formally stipulated mandate from the major payment card vendors, encryption is one of the fundamental business requirements for handling confidential information. Valeri Ivanov, head of information security for Borica-Bankservice, explained, “We were already looking at data encryption technologies but the imperative for us to become PCI DSS compliant was a compelling reason to expedite our investigations into finding the optimal solution.
“Although they were protected by traditional security measures, many of our existing applications – including several from the actual card providers themselves – needed to be encrypted to become fully PCI DSS compliant.”
Ivanov continued, “We take great pride in our ability to innovate; so in addition to meeting functional expectations, any solution we bring in has to be able to accommodate any changes we want to make to the environment and without imposing restrictions on our creativity.”
The constant evolution of services developed by the company drove a need for finesse: “We looked at several encryption products that took an ‘all or nothing’ approach where there was zero ability to differentiate between systems, applications, or even users,” remarked Ivanov. “Our environment is predominately Windows-based but we have some Linux and are considering introducing UNIX systems, so we needed something that was operating system neutral, as well as being compatible with both client- and server-based operating systems.”
“We looked at a lot of different encryption-related solutions,” recalled Ivanov, “and evaluated each one against a very structured set of measures that included criteria in areas such as functionality, flexibility, ease of use, and performance.
“Our efforts culminated in a strong recommendation to purchase Vormetric Transparent Encryption. I presented this to our executive team, along with a side-by-side comparison against the ‘number two’ contender, and we received an enthusiastic approval to proceed with the investment in Vormetric.”
Performance was an important factor in the selection phase. “We tested many different products using a series of gigabyte files and saw zero degradation in response times or throughput with the Vormetric solution: Nothing else even came close to this level of transparency,” Ivanov reported.
The implementation of Vormetric Encryption proved to be very straightforward. “We especially liked being able to initially run the solution in learning mode: It doesn’t block anything but you get a really good feel for how the systems will behave in the production environment. This was a very unique feature that made it extremely easy to transition into being fully operational and to avoid any surprises,” noted Ivanov.
The enhanced granularity for file access levels was immediately obvious: “We really liked the fine control we had over each of the file operations; far superior to anything else we had looked at. And the ability to customise individual application access to files is just not available in other encryption solutions,” commented Ivanov. “Another major plus was that, despite repeated attempts, we just couldn’t compromise the keys in any way; this wasn’t the case with some of the products from Vormetric’s competitors.”
He continued, “We take full advantage of the ‘separation of roles’ capabilities that are inherent in the Vormetric solution. We have several different key custodians and are able to ensure that we don’t have single points of exposure.
“We discovered that Vormetric is one of the very few solutions that supports both client-based and server-based operating systems; most of the other options we researched only offer one or the other. We currently use Microsoft Windows® Server and Windows 7 and 8 clients but we know that Vormetric can accommodate any platform that we choose in the future and that we can continue to be in compliance with all prevailing mandates.”
“Threat actors will inevitably get through even the most robust defences, so having a world-class encryption solution is especially critical for us. We had all the traditional security measures in place but adding Vormetric Encryption really is the key element in ensuring that our data remains secure,” stated Ivanov.
Vormetric (@Vormetric) is the industry leader in data security solutions that span physical, virtual and cloud environments. Data is the new currency and Vormetric helps over 1,600 customers, including 17 of the Fortune 30 and many of the world’s most security conscious government organizations, to meet compliance requirements and protect what matters—their sensitive data—from both internal and external threats. The company’s scalable Vormetric Data Security Platform protects any file, any database and any application—anywhere it resides—with a high performance, market-leading data security platform that incorporates application transparent encryption, privileged user access controls, automation and security intelligence. For more information, please visit: www.vormetric.com.