Papa Gino's Pizzeria Adds Encryption to Menu

The restaurant chain is prepared for data breach laws, which are increasing in number and complexity

November 14, 2008


New consumer data security regulations keep rolling in. Already, about 40 states have some sort of data breach disclosure laws in place that require organizations to inform customers whose personally identifiable information -- usually bank account, credit card, or Social Security numbers -- may have been breached. Coming this January are the new Standards for The Protection of Personal Information of Residents of the Commonwealth from the Massachusetts Office of Consumer Affairs and Business Regulation.

This new set of rules, for the first time, will add a requirement that companies properly protect data that is stored on portable drives, such as notebooks and flash drives, to the state's existing laws. Like similar data breach state laws, it applies to data about Massachusetts consumers even if that data resides in another state.

Papa Gino's and D'Angelo Sandwich Shops, a company based in Dedham, Mass., is already prepared.

Not too long ago, the restaurant chain's workers were using ad-hoc tools to protect sensitive information. "We had people using passwords to protect individual files, or they'd download third-party encryption applications from the Internet to protect their data," Chris Cahalin, network manager at Papa Gino's, told Byte and Switch. "They'd eventually forget their password, or lose their encryption keys."

That's not an uncommon story, and it's not a sustainable way to manage encryption on more than 170 desktops and notebooks. "We knew we needed to build a more manageable way to protect data," he said. For file and hard disk encryption, many companies have tried open source tools such as TrueCrypt and PGP Corp.'s Pretty Good Privacy, or the encryption built in to operating systems such as Windows XP, Vista, and OS X. But they quickly learn that the management burden for multiple systems is too high.

Cahalin put a stop to that a few years ago when he started acquiring systems from Dell Inc. (Nasdaq: DELL) equipped with the Trusted Platform Module. TPM is a specification for a cryptoprocessor that generates and stores cryptographic keys, and also has capabilities such as remote attestation -- a way of proving that a device has been encrypted.

While having the encryption capabilities of the TPM built in meant all new systems would come equipped with native encryption, that didn't solve the challenges of managing each desktop's security settings. Over the course of a couple years, Cahalin said he standardized on hard disks equipped with TPM directly on the drive, such as Seagate Technology Inc. (NYSE: STX)'s Momentus 5400.2 FDE drives.

Using TPM also lets each user create his or her own encrypted data vault to securely transfer data to a drive or disc, or to and from portable storage devices such as MP3 players, smartphones, flash drives, and even burnable CD drives. One of the best features for Papa Gino's is the ability, should an employee lose a notebook or encrypted removable drive, to prove through TPM's "remote attestation" capabilities that the data was encrypted at the time of loss. "For the first time we can prove that a desktop was encrypted, and we have the ability to prove it's been encrypted," he said. "We've built a single-trust infrastructure to protect all of our data."

Cahalin built that single-trust infrastructure with Wave Systems Corp.'s Embassy Trust Suite, which includes client applications to manage encryption settings, TPM-based password vaults, key and password management, as well as remote management capabilities. "I don't have to visit each system individually, I can manage everything remotely," Cahalin said.

That single-trust infrastructure has done more than improve security. It's also reaped significant savings. "We save roughly $10,000 a year for the [support] calls we do not get anymore. We additionally never experience lost encryption keys or ad hoc security solutions implemented by individuals and the downtime associated with that," Cahalin said. That cost in the past has been "10s of thousands" of dollars, he said.
