Sometimes the problem isn't deciding whether to do encryption, but how to do it across a variety of systems and environments. For one travel industry service supplier, that question has recently been answered.
TRX, based in Atlanta, supplies services, such as online booking, reservation processing, and data intelligence, to travel agencies, corporations, travel suppliers, government agencies, and credit card organizations. Each year, the firm, which has 1,000 employees in eight locations, processes 150 million transactions for its customers.
As new regulations, such as Payment Card Industry Data Security Standards (PCI DSS), were being enacted, the travel industry service supplier decided to take a close look at its security practices. We had confidential data sitting in some of our databases that needed to be encrypted, said Chris Mauer, director of security and controls at TRX.
While the problem was clear, the potential solution was not. Because the service supplier had grown via acquisitions throughout its history, TRX found itself in a highly heterogeneous environment. The company supports multiple operating systems (Microsofts Windows, Linux), database management systems (Oracle, SQL Server, IBMs DB2), and programming languages (Java, Microsofts Visual Studio).
Because the systems had evolved in a haphazard manner, the companys encryption mechanisms were inefficient. The corporation stored data that was not encrypted, used different encryption products, stored keys in different locations (some in the applications and others by the users), and had a hodgepodge of key management systems.
