Ensuring Privacy through Security Best Practices
Increasingly, hotels are collecting, analyzing, using, and storing guest data, including personally identifiable information (PII), to facilitate guest engagement and great service. Personal data is being harnessed in conjunction with loyalty, CRM, PMS, and other technology—and the more it is leveraged, the more vulnerable it becomes. With both the Las Vegas Hard Rock Hotel & Casino (www.hardrockhotel.com) and Omni Hotels & Resorts (www.omnihotels.com) becoming the latest hotel companies to fall prey to POS breaches, hotel operators were once again reminded of the importance of vigilance in protecting POS data. Beyond the POS, however, it is just as vital to safeguard the privacy and security of guest information—from data such as birthdays and anniversaries, to social security numbers. Here lodging experts share six keys to leveraging customer data for improved service and operations without sacrificing security.
1 Practice data and network segmentation
Starwood Hotels & Resorts (www.starwood.com) segments data from different applications and different types of data (e.g., PII, PCI) into separate zones to bolster its security and add a measure of privacy, notes Edward C. (Ted) Hopcroft, director, property IT, North America. Each corporate-operated property has its own firewall, and franchisees are encouraged to deploy their own firewalls as well to “secure the perimeter,” Hopcroft explains.
Ensuring that all integrated systems—i.e., loyalty, CRM, PMS, and POS—are secure at every touchpoint also necessitates isolating solutions from corporate or open networks, notes Chris Bucolo, senior manager, partner relations at Sikich LLP (www.sikich.com), a professional services consulting firm whose areas of expertise include technology and data security. Bucolo advises implementing an intrusion detection/prevention solution at the network and host levels, once technologies have been isolated or segmented.
Jeff Parker, vice president, hotel technology, Interstate Hotels & Resorts (www.interstatehotels.com), corroborates Bucolo’s comments. In aiming to protect guest data collected for marketing (as well as payment) purposes, he observes, Interstate also utilizes “appropriate network segmentation to isolate areas against cascading breaches,” in which a breach of data from one system trickles over to become a breach of data in another system.
On the network side, Bucolo and other sources noted that wired and wireless network traffic should not “run” through the same “pipe.” Rather, wireless traffic should be isolated on its own VLAN (virtual LAN).
2 Tap into tokenization and point-to-point encryption
“We’ve learned from credit cards that point-to-point encryption, coupled with tokenization, is a best practice (in securing POS data),” states Michael Blake, CEO, Hotel Technology Next Generation (www.htng.org). Blake, whose organization serves hotel operators and technology vendors, says savvy lodging players will take the same approach to safeguarding PII and the applications that contain it.
Vendors are developing solutions that fit the bill for point-to-point encryption and tokenization of guest data in integrated and single systems. Some solutions allow for the encryption of data in transit and at rest. Others encode individual pieces of information—like names, social security numbers, and program membership numbers—and store them as irreversible tokens, so hackers who obtain the tokens get nothing more than strings of characters that bear no relationship to the sensitive information. Yet another cadre of solutions lets hotel operators import PII into their PMS in encrypted, rather than plain-text, format. Elavon (www.elavon.com) incorporates tokenization—along with EMV—into the PMS through its Fusebox payment gateway and Simplify payment security software application.
Even PII in big data analysis conducted with tools like Hadoop should be tokenized and, ideally, encrypted, Bucolo says. Newer solutions meld tokenization with format-preserving encryption, which allows plain text in a specific format to be encrypted into a ciphertext of identical format.
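As an added illustration of the two tokenization styles described above (not code from the article or from any vendor it names), the following Python sketch shows a vault that swaps PII for random tokens unrelated to the value, plus a keyed deterministic token that lets analytics jobs join records on a guest without ever seeing the underlying value. The `TokenVault` class, the `analytics_token` helper, and the sample guest record are all assumptions constructed for this example; real format-preserving encryption (which would keep an SSN-shaped token) is a separate technique not implemented here.

```python
"""Added example: tokenization vault plus keyed analytics tokens.
Not from the article; all names and the sample record are constructed."""
import hashlib
import hmac
import secrets


class TokenVault:
    """Maps random tokens back to PII. In a real deployment the vault lives in
    its own network segment with its own access controls; here it is a dict."""

    def __init__(self):
        self._vault = {}  # token -> plaintext: the only place the PII exists

    def tokenize(self, value: str) -> str:
        # The token comes from a CSPRNG, so it is statistically independent of
        # the value: nothing in the token can be reversed without the vault.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = value
        return token

    def detokenize(self, token: str, caller_authorized: bool) -> str:
        # Reversal is an explicit, access-controlled vault operation.
        if not caller_authorized:
            raise PermissionError("detokenization requires vault access")
        return self._vault[token]


def analytics_token(value: str, key: bytes) -> str:
    """Deterministic keyed token (HMAC-SHA256): the same guest yields the same
    token in every dataset, so joins in a Hadoop-style job still work, but the
    token is not reversible at all and the key never leaves the PMS segment."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def redact_guest_record(record: dict, vault: TokenVault, analytics_key: bytes) -> dict:
    """Replace PII fields before a guest record leaves the PMS segment.
    Non-PII fields (e.g. stay length) pass through unchanged."""
    pii_fields = ("name", "ssn")  # assumed field names for this example
    out = dict(record)
    for field in pii_fields:
        if field in out:
            out[field] = vault.tokenize(out[field])
    # One stable join key derived from the SSN, for analytics use only.
    out["guest_key"] = analytics_token(record["ssn"], analytics_key)
    return out


if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)  # constructed key; keep it in the vault segment
    guest = {"name": "Jane Doe", "ssn": "123-45-6789", "stay_nights": 3}  # constructed
    print(redact_guest_record(guest, vault, key))
```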
3 Practice self-detection and monitoring
According to the Gartner (www.gartner.com) report, Designing an Adaptive Security Architecture for Protection From Advanced Attacks, “there is a general consensus that advanced attacks are able to evade traditional security controls and remain undetected for a long period of time” unless self-detection and monitoring technology is brought into play. Specifically, Gartner recommends endpoint detection and response solutions, which work by recording copious volumes of network and endpoint events and storing this information locally on the endpoint in question or in centralized databases.
Databases comprising known indicators of compromise, behavioral analytics, and machine learning techniques are then used to proactively search the data for breach indicators (including indicators that an “inside job” is in progress), report what is happening so it can be addressed as proactively as possible, and begin to remediate the problem.
For its part, Interstate Hotels & Resorts facilitates self-detection and monitoring, which both Parker and other sources say has a strong potential for decreasing the interval between the start of breaches and the time they are discovered, with unified threat monitoring and file integrity monitoring. Internal and external penetration testing are conducted periodically. “We also test our user base against hacks that leverage social engineering,” which has become an increasingly popular practice among hackers, Parker states.
Some sources claim a new tendency among perpetrators to personalize malware attacks carried out using social engineering is making it easier for hackers to fool unwitting employees, making internal and external penetration testing (and earlier detection) even more critical.
4 Educate, educate, educate
Both Starwood and Interstate Hotels & Resorts have implemented employee education policies around data security, including PII and credit card data security. Starwood leverages what Hopcroft calls a “massive education campaign” aimed at letting employees know about new attack vectors as they develop and occur. Interstate Hotels & Resorts employees undergo security training at on-boarding and, like their Starwood counterparts, are given refresher courses when new threats pop up.
“The big challenge here isn’t tools and technology, but rather, social engineering and phishing,” Hopcroft states. Accordingly, in addition to being kept abreast of emerging attack patterns, employees are charged with “questioning everything.” For example, if a front desk staff member receives an email inquiry about a Starwood property, and the origin of the email is unclear, protocol dictates validating that origin before clicking a link or opening any attached file.
5 Exercise due diligence when selecting and working with third-party vendors
Never make the common mistake of assuming that any solution or service—whether for guest engagement or any other purpose—is secure, Blake advised. Engage a security professional to “run through the operation of the software” and ensure that it does not introduce “any vulnerabilities to an already fragile ecosystem.”
Brian Garavuso, executive vice president and CIO, Diamond Resorts International (www.diamondresorts.com), concurred, adding that when a vendor of any kind is being engaged to host a hotel operator’s data in an off-site location, no contract should be signed unless the service provider’s data center is certified as SSAE 16- and SOC 2-compliant. SSAE stands for “Statements on Standards for Attestation Engagements,” and SSAE 16 compliance entails presenting each customer (i.e., hotel operator) with a written statement that attests to the data center’s system design, controls, and operational effectiveness.
SOC 2 stands for “Service Organization Control,” and is a mechanism for service organizations to report on the design and effectiveness of their security policies, communications, procedures, and monitoring. SSAE 16- and SOC 2-certified providers have been audited by third-party organizations to assess and ascertain that their data centers are protected against unauthorized physical and logical access alike, and that their systems are available for operation and use as agreed with clients.
“Review their data backup and redundancy procedures to ensure compliance,” Garavuso advises. Additionally, “when negotiating a contract with a vendor that will be hosting your data, be sure to document how your data will be protected and how you will get it back from the vendor when the contract ends.”
Ongoing risk assessments of partner operations should also be conducted where possible, according to the 2016 Global Security Report from Trustwave (www.trustwave.com). Ninety-seven percent of applications tested by Trustwave for the report were found to have one or more security vulnerabilities.
6 Run periodic attack simulations
These simulations will “tease out all the senior leadership roles and which authorities need to be notified,” Blake says. They will also clarify which potentially problematic areas need to be addressed, before they become security issues.