Federal IT officials doubt that agencies can enforce the Obama administration's accountability and transparency rules as they spend funds allocated by the American Recovery and Reinvestment Act of 2009, according to a survey that will be released on Monday. Only 38% of respondents said they believe federal agencies can enforce the transparency requirements of ARRA, according to an e-mail survey of 200 defense and civilian agency IT officials. It was conducted in September. The majority of respondents - 62% - said either that they don't know if agencies can enforce the ARRA transparency requirements (33%) or they don't believe agencies can meet these rules (29%). The survey was commissioned by Serena Software, a provider of business process modeling software that sells tools designed to meet specific federal regulations.

Survey respondents agree that meeting ARRA's transparency goals is important. Three-quarters of respondents said their agency had put a medium-to-high level of importance on reaching transparency goals. Meeting these requirements will take time, survey respondents said. Less than half of survey respondents - 43% - said they believe their agencies could meet the transparency requirements today. Another 31% believe they could meet the requirements within a year, and 27% believe they can meet the requirements within two years.

Agencies say they need new automated tools to meet the transparency rules. More than half of respondents - 64% - said they could benefit from automated tools. Half of the 64% said they have funds available in their budget to purchase these tools. A lack of automated tools to meet transparency rules may be one reason that federal agencies are taking their time to award ARRA funds. Only 11% of survey respondents said their agency had obligated or spent more than 80% of their ARRA money. More than half of the survey respondents - 51% - said their agency had obligated or spent less than 20% of their ARRA funds.

"We've been working with federal agencies on process automation, transparency and accountability issues since before the new administration came into office," says Dave Dantus, federal director for Serena Software. "We had a strong suspicion that there was a gap between what [the Office of Management and Budget] and the administration were expecting and what agencies were able to deliver in terms of reporting and transparency." Dantus said that a significant number of agencies are using e-mail and spreadsheets to meet ARRA transparency rules, rather than automated tools such as those provided by Serena. "It's not easy to track or report on ARRA funds with e-mail and spreadsheets," Dantus says. "Certainly, this is an opportunity for our company."

Serena Software is a privately held software company with $300 million in revenues. The company's Business Mashups software allows users to quickly automate processes without having to write software code. Dantus says Serena Software has more than 200 federal customers that use its software to comply with regulations regarding information assurance, financial controls and requests for information.

Apple will probably drop its exclusive deal with AT&T next year and offer its iPhone to Verizon subscribers as well, a Wall Street analyst said today. The move will mean the end of Apple's "sweetheart" deal with AT&T, which pays Apple about $450 for each iPhone it sells. But the Cupertino, Calif. company will make up the shortfall in volume, Brian Marshall, of Broadpoint AmTech, said in a research note to clients today. "AT&T's 'sweetheart' carrier subsidy (~$450) for the iPhone would not be attainable at Verizon," said Marshall in the note. "[But] diverse carrier support is a key element in driving global penetration of the iPhone. We believe the chances are high the iPhone will find its way onto the Verizon network in the second half of 2010."

If Apple does drop its exclusive arrangement with AT&T, it wouldn't be the first time that the iPhone has been marketed, and supported, by more than one carrier in a market. On Monday, for example, Canada's TELUS announced it would start selling the iPhone 3GS on Nov. 5. During Apple's quarterly earnings call last week, Tim Cook, the company's chief operating officer, confirmed that Apple would soon expand its distribution deals in the U.K. and Canada beyond the exclusive arrangements it has with O2 and Rogers, respectively.

But a move to Verizon will affect Apple's ability to squeeze dollars out of U.S. carriers; AT&T currently subsidizes iPhone sales to the tune of $450 per unit, Marshall estimated. "Apple will probably get $300 from Verizon per iPhone," Marshall said in a follow-up telephone interview today. "That's the ballpark figure for smartphone subsidies." If Apple sells iPhones to Verizon's subscribers, Marshall expects that AT&T will strike a similar subsidy deal, meaning it too will pay Apple around $300 per phone.

In the long run, however, that will put more money, not less, in Apple's pocket. "Verizon has a 30% larger post-paid base than AT&T, 81 million versus about 63 million for AT&T," said Marshall. If Verizon matches AT&T's ability to move users, and attract new ones, to the iPhone, the former will have sold about 14 million of the devices by the end of 2011. Marshall pegged the additional revenue to Apple at around $7 billion. "That's a huge incremental upgrade in sales for Apple. And it's additive for the most part." AT&T will lose sales if Verizon enters the iPhone market in the U.S. - to the tune of about a half million units per quarter - but the increase from Verizon will more than make up for AT&T's decline. "iPhone sales won't go away at AT&T, but the majority will be sold by Verizon," argued Marshall, if Apple does bring Verizon into the fold.

"Everyone is dissatisfied with AT&T on the iPhone, not only on voice, but data as well, especially in congested cities like New York and San Francisco," said Marshall, echoing complaints that go back more than two years to the launch of the original iPhone in the summer of 2007. "If Verizon starts selling the iPhone, AT&T is going to have an issue on their hands." AT&T seems to see the same writing on the wall as Marshall. Last week, AT&T Mobility CEO Ralph de la Vega hinted that his company expects its rumored three-year exclusive deal with Apple will end next year. Other analysts, however, have countered that Verizon's move into handsets powered by Google's Android mobile operating system makes it less likely it will forge a deal with Apple and the iPhone.

For its part, Verizon remains puzzled why Apple went with AT&T in the first place. On Monday, Verizon CEO Ivan Seidenberg told analysts that Apple "wasn't interested" in striking a deal with his company two years ago. "I have no thoughts on why they did what they did," he said. When Apple launched the iPhone, most analysts credited AT&T's willingness to bow to Apple's demands over the iPhone, including those that prevented the carrier from selling music or add-on applications, both traditionally carrier money makers, as a deciding factor for its selection as Apple's iPhone partner.

In a move designed to avoid the time and costs associated with a protracted legal battle, Certegy Check Services Inc. has offered to settle a class-action lawsuit filed on behalf of 8.5 million people whose personal data was compromised by an insider theft that the company disclosed last July. The 52-page settlement was proposed by St. Petersburg, Fla.-based Certegy on Jan. 9 but just came to light this week. It currently is under review by a U.S. District Court judge in Tampa.

Certegy, a check-processing company that is a subsidiary of Fidelity National Information Services Inc., said last summer that a rogue database administrator had illegally accessed and then sold the personal data of about 2.3 million consumers to data brokers. The company later upped the number of compromised accounts to 8.5 million in filings made to the U.S. Securities and Exchange Commission in August.

If accepted, Certegy's proposed settlement would give qualifying members of the plaintiffs class one year's worth of free credit monitoring services, plus up to two years' worth of free bank account monitoring services for individuals whose banking information might have been compromised in the incident. In addition, consumers who can show that they were victimized by identity theft as a result of the breach will be eligible for certain "out-of-pocket" costs, such as those resulting from bank overdraft fees, according to a copy of the settlement sent to Computerworld by Certegy.

But there are several caveats to that particular offer. Certegy has capped the total amount of money it will pay for identity theft claims at $4 million, which will be disbursed on a first-come, first-served basis. Claims have to be filed within 90 days of the discovery of an identity theft incident or before March 31, 2011 - whichever comes first. And the maximum amount that an individual can recover is $20,000.

Last week's article covered the topic of protecting data in databases from the inside out. That is, watching every action involving data as it happens, and promptly halting improper actions. This week's article takes a look at data masking, which is another way to protect sensitive data, especially as it is being copied and used in the development and testing of applications.

Data masking is the process of de-identifying (masking) specific elements within data stores by applying one-way algorithms to the data. The process ensures that sensitive data is replaced with realistic but not real data; for example, scrambling the digits in a Social Security number while preserving the data format. The one-way nature of the algorithm means there is no need to maintain keys to restore the data as you would with encryption or tokenization. Data masking is typically done while provisioning non-production environments so that copies of data created to support test and development processes are not exposing sensitive information.

If you don't think this is important, consider what happened to Wal-Mart a few years ago. Wired.com reports that Wal-Mart was the victim of a serious security breach in 2005 and 2006 in which hackers targeted the development team in charge of the chain's point-of-sale system and siphoned source code and other sensitive data to a computer in Eastern Europe. Wal-Mart at the time produced some of its own software, and one team of programmers was tasked with coding the company's point-of-sale system for processing credit and debit card transactions. This was the team the intruders targeted and successfully hacked; many of the computers the hackers targeted belonged to company programmers.

Wal-Mart's situation may not be unique. According to Gartner, more than 80% of companies are using production sensitive data for non-production activities such as in-house development, outsourced or off-shored development, testing, quality assurance and pilot programs. The need for data masking is largely being driven by regulatory compliance requirements that mandate the protection of sensitive information and personally identifiable information (PII). For instance, the Data Protection Directive implemented in 1995 by the European Commission strictly regulates the processing of personal data within the European Union. Multinational corporations operating in Europe must observe this directive or face large fines if they are found in violation. U.S. regulations such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) also call for protection of sensitive financial and personal data.

Worldwide, the Payment Card Industry Data Security Standard (PCI DSS) requires strict security for cardholder data. That means companies must address their use of cardholder data for quality assurance, testing, application development and outsourced systems - and not just for production systems. In order to achieve full PCI compliance, organizations must protect data in every system that uses credit card data. In the Wal-Mart case discussed above, the retailer failed to meet the PCI standard for data security by not securing data in the development environment. A lack of processes and technology to protect data in non-production environments can leave the company open to data theft or exposure and regulatory non-compliance.

Many large organizations are concerned about their risk posture in the development environment, especially as development is outsourced or sent offshore. Data masking is an effective way to reduce enterprise risk. Development and test environments are rarely as secure as production, and there's no reason developers should have access to sensitive data. And while encryption is a viable security measure for production data, encryption is too costly and has too much overhead to be used in non-production environments. Many database vendors offer a data masking tool as part of their solution suites. These tools, however, tend to work only on databases from a specific vendor. An alternative solution is to use a vendor-neutral masking tool.

Dataguise is one of the leading vendors in the nascent market of data masking. The dataguise solution has two complementary modules. dgdiscover is a discovery tool that searches your environment (including endpoints) to find sensitive data in structured and unstructured repositories. So, even if someone has copied data to a spreadsheet on his PC, dgdiscover can find it. This can be a valuable time-saving tool as data tends to be copied to more places, especially as virtual environments grow and new application instances can be deployed on demand. dgdiscover also can be used to support audits and create awareness of data repositories.

The second dataguise module is dgmasker, a tool that automatically masks sensitive data using a one-way process that can't be reverse engineered. dgmasker works in heterogeneous environments and eliminates the common practice of having DBAs create masking techniques and algorithms. Instead, dgmasker obfuscates the real data so that it cannot be recovered by anyone - insider or outsider - who gains access to the masked data. The tool preserves relational integrity between tables/remote databases and generates data that complies with your business rules for application compatibility. In short, you have all the benefits of using your actual production data without using the real data.

Data masking is an effective tool in an overall data security program. You can employ data masking in parallel with other data security controls such as access controls, encryption, monitoring and review/auditing. Each of these technologies plays an important role in securing data in production environments; however, for non-production environments, data masking is becoming a best practice for securing sensitive data.
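The three properties the article attributes to masking - one-way, format-preserving, and relation-preserving across tables - are easy to see in a small implementation. The following is an added example written for this page, not dgmasker or any vendor's code: every digit in a value is replaced with a digit derived from an HMAC over the original value, so an SSN still looks like an SSN, the same input always masks to the same output (so a join between a `customers` table and an `accounts` table survives), and there is nothing to decrypt afterwards. The salt, the field names, the table layout and the sample rows are all constructed for the illustration.

```python
"""Format-preserving, one-way masking of identifiers for non-production data."""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Per-run secret (constructed value). A bare hash of a 9-digit SSN could be
# undone by trying all 10^9 candidates, so the derivation is keyed; the key is
# used for one masking run and then discarded, which keeps the result one-way.
RUN_SALT = b"constructed-example-salt-do-not-reuse"

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def mask_digits(value: str, field: str, salt: bytes = RUN_SALT) -> str:
    """Replace each digit of `value` with a derived digit; keep every other character.

    `field` (a logical name such as "ssn") is mixed into the HMAC so that the
    same digit string appearing in two different kinds of field does not mask
    to the same output.
    """
    digest = hmac.new(salt, f"{field}:{value}".encode(), hashlib.sha256).digest()
    # Stretch the digest so long values still get one derived byte per position.
    while len(digest) < len(value):
        digest += hashlib.sha256(digest).digest()
    out = []
    for i, ch in enumerate(value):
        out.append(str(digest[i] % 10) if ch.isdigit() else ch)
    return "".join(out)


def looks_like_ssn(value: str) -> bool:
    """Format check: the masked value must still pass the same shape test as a real SSN."""
    return SSN_RE.match(value) is not None


def mask_rows(rows: List[Dict[str, str]], fields: Dict[str, str]) -> List[Dict[str, str]]:
    """Mask the named columns of each row.

    `fields` maps column name -> logical field name, so `ssn` in one table and
    `owner_ssn` in another share one masking domain and keep joining.
    """
    masked = []
    for row in rows:
        new_row = dict(row)
        for column, field in fields.items():
            new_row[column] = mask_digits(row[column], field)
        masked.append(new_row)
    return masked


def join_count(customers: List[Dict[str, str]], accounts: List[Dict[str, str]]) -> int:
    """Number of accounts whose owner_ssn matches a customer ssn (relational-integrity check)."""
    ssns = {c["ssn"] for c in customers}
    return sum(1 for a in accounts if a["owner_ssn"] in ssns)


# Constructed sample rows; none of these identify a real person.
CUSTOMERS = [
    {"id": "1", "name": "Alice Example", "ssn": "123-45-6789"},
    {"id": "2", "name": "Bob Example", "ssn": "987-65-4321"},
]
ACCOUNTS = [
    {"acct": "A-100", "owner_ssn": "123-45-6789", "balance": "4200.00"},
    {"acct": "A-101", "owner_ssn": "123-45-6789", "balance": "15.50"},
    {"acct": "A-102", "owner_ssn": "987-65-4321", "balance": "900.00"},
]


def mask_dataset() -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Mask both tables with the same logical field so the join is preserved."""
    customers = mask_rows(CUSTOMERS, {"ssn": "ssn"})
    accounts = mask_rows(ACCOUNTS, {"owner_ssn": "ssn"})
    return customers, accounts


if __name__ == "__main__":
    masked_customers, masked_accounts = mask_dataset()
    for row in masked_customers + masked_accounts:
        print(row)
    print("matching accounts before:", join_count(CUSTOMERS, ACCOUNTS))
    print("matching accounts after: ", join_count(masked_customers, masked_accounts))
```

Two design points worth noting. Determinism is what buys referential integrity: as long as both tables are masked in the same run with the same salt and logical field name, foreign keys keep resolving, which is what lets masked data exercise real application logic. And digit-by-digit derivation preserves shape but not semantics, so a field with an internal checksum (a card number's Luhn digit, for instance) would need an extra step to re-validate if the application checks it.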

While it used to be common for every enterprise to have its own data center for delivering and receiving Web traffic, a new study from security vendor Arbor Networks suggests that this is no longer the case. In its Internet Observatory report, Arbor notes that consolidation of content providers has led to the rise of "a small number of very large hosting, cloud and content providers" that generate and consume an estimated 30% of all Internet traffic. For instance, Arbor estimates that Google alone accounts for 6% of all Internet traffic in the world.

Arbor Chief Scientist Craig Labovitz says that there are several reasons for this migration of traffic from individual enterprise data centers to "hyper giants" such as Google, Facebook and Microsoft, including the rising costs and resource demands of maintaining a data center and the aggressive efforts by large companies to buy up video, mail and other Web service companies. Additionally, he says companies that built their own data centers years ago found them quickly outdated and that they didn't have the money to properly upgrade them. "Until a few years ago, there had been an overabundance of data centers," he says. "The data centers built five years ago are now out of date and there are entire generations of data centers where there's no way to upgrade them." The solution for companies, he says, has been to consolidate their infrastructure through virtualization or to outsource many of their IT operations to the cloud. "Starting with outsourced Web e-mail, we have seen a large migration of Web traffic out of small enterprise data centers and toward these large players," Labovitz explains. "The cost of data centers had started to affect companies' bottom lines and that has set the stage for what's starting to happen in the transit market."

Arbor says that another consequence of content providers and content delivery networks becoming larger has been the decreasing importance of Tier-1 transit providers such as Verizon Business, AT&T and Level 3 in delivering Web traffic. "Over time, IP connectivity services became indistinguishable from one provider to the next," says Arbor in its research brief. "In response, providers started competing chiefly on price. This price competition drove down IP wholesale market prices and forced many Tier 1 networks to pursue higher-value product offerings such as CDN, cloud computing and a greater focus on private enterprise offerings." And because these companies have lost some of their profitability in the transit market, Arbor says that they've turned themselves more toward value-added services.

Arbor conducted its study of global traffic patterns by analyzing nearly 3,000 peering routers across nine Tier-1, 48 Tier-2 and 33 consumer and content providers in four different continents. Arbor said that at its peak, "the study monitored more than 12 terabits-per-second of offered load and a total of more than 256 exabytes of Internet traffic."