A Guide for Understanding the New Paradigm

Executive Vice President – CertainSafe

Email:   srusso@certainsafe.com



The New Reality

The ever-present threat of cyber-attack, underscored by the recent run of mass data breaches across most sectors of the economy, is forcing businesses of all sizes to act. Many are rushing to buy insurance against the cost of losing sensitive customer information. Cyber insurance has gone from a distant thought to something close to a necessity; it should not, however, be the only line of defense. You would not insure a building without first making a reasonable effort to protect it from disaster. Good business sense says we should protect customers and our own credibility by deploying the best security available today. What is needed now are new ways to secure data at rest and data in motion against cyber-attack, mass data loss, and criminal exploitation from inside as well as outside the organization.


A Bold New Architecture to Protect Data

There is a time-tested saying that applies to today's reality: "The best defense is a good offense." In cyber security the premise is that new ways to secure data are required to complement existing defenses: data-centric controls that protect data at rest and data in motion even after the network or data center around it has been breached.

Protecting data is not an easy problem, given the skill of today's state-sponsored and criminal attackers. Nevertheless, technology is making strides and there is reason for optimism. Secure, reliable and robust encryption schemes are essential to protect sensitive information held by individuals, organizations and governments, and several can be considered. The first piece of the puzzle is the encryption itself. The most widely used choice today is bulk encryption built on the Advanced Encryption Standard (AES), a symmetric block cipher with a 128-bit block and a key of 128, 192 or 256 bits. The 1024-bit and 2048-bit key lengths sometimes quoted alongside it are not AES key sizes; they belong to asymmetric algorithms such as RSA, which are used to protect or exchange symmetric keys rather than to encrypt bulk data.

AES bulk encryption has been providing what many believed to be a safe and effective way to keep sensitive data from being compromised or stolen. Bulk encryption is the practice of encrypting a large body of data, such as a whole disk, volume or database, under a single key. The quantity of data protected at once tends to make opening and using the information slow. More importantly, it opens the door to a "mass breach": such encryption is transparent to any process or account authorized to read the store, so once an intruder is inside the interior infrastructure with that access, the "bulk" of the data is available to them in the clear.

Today, AES bulk encryption combined with a firewall is the primary back-end protection scheme. The threats that have emerged against this widely used combination open the door to innovation on the back end to protect the crown jewels.

A New Paradigm

A new approach to back-end cyber security uses technologies known as MicroEncryption® and MicroTokenization®. They work from an entirely different premise and methodology than current cyber security processes.

Bulk encryption has repeatedly failed to prevent mass data loss, because once intruders are inside with the access of a legitimate process they can read the "bulk", that is, most or all of the data and records. The MicroTokenization approach instead protects sensitive data individually, down to the byte level if the system design calls for it. What makes the approach notable is that speed and accessibility are not sacrificed, which matters because every added step of latency is felt directly in the user's experience, particularly in and around "the cloud".

Tokenization has existed since the first currency systems. It was developed as a way to reduce the risk of handling high-value financial instruments by replacing them with placeholders: coin tokens, bank notes and casino chips have all stood in for cash to reduce the risk of theft. In the digital world, substitution techniques have been used for decades to isolate sensitive data elements from exposure, and surrogate key values, or "tokens", have likewise been used for decades in a variety of ways.

Today, MicroTokenization provides a security mechanism for both small and large-scale data, including items exceeding 2 GB in size, something not previously accomplished. MicroTokenization makes end-to-end encryption possible, securing data at rest as well as in motion. For example, a MicroToken® is implanted in a database in place of an individual data element, down to the field level of a record; the non-sensitive data remains in place. Protecting only what requires protection is one of the secrets to maintaining near-real-time speed.

Once MicroTokenized, all that remains in the database are the non-sensitive fields plus MicroTokens, placeholders that contain no part of the original sensitive data. If a breach occurs through the perimeter defenses, there is therefore no sensitive data in that system to exploit; it has been removed. The protection consequently moves to the token vault and the detokenization service, which hold the keys and the original values: they must sit in a separately controlled trust zone with their own access controls and audit trail, because anyone who can call detokenization can recover the originals.

Additionally, unlike bulk encryption, each data element is secured as if it were its own database with its own set of keys. A database of 100,000 records with 10 sensitive fields to protect is treated as if it were 1,000,000 individual databases: with MicroEncryption, the rule of never keeping all your eggs in one basket is applied to every field. As a MicroToken is implanted in place of each sensitive element, within a securely hardened architecture, the element itself is encrypted with the customer's algorithm of choice.

Immediately after MicroEncryption, the ciphertext is split into multiple pieces, and those individual micro-pieces are distributed across an array of varying, randomly chosen drives. The MicroEncrypted, MicroTokenized data stays fully protected until the moment an authorized action calls for it. Because each field is secured individually and is typically tiny, it can be reassembled and returned in under a second, so the data is both secure and accessible with very little impact on the user experience.
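The field-level procedure of the last three paragraphs (a token implanted in the row, a fresh key per element, the ciphertext split into shards scattered over several drives, and reassembly only at the moment of use) is illustrated by the added example below. It was written for this page and is not CertainSafe's code; the Record type, the Vault with its Protect, Reveal and Tokenize functions, the tok_ token format, the choice of AES-256-GCM with the token bound as additional data, the in-memory maps standing in for drives, and the sample row are all assumptions made for the illustration. It goes slightly beyond the text in binding each token to its own ciphertext, so that shards moved under another token fail authentication instead of decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Record is one database row; the field names and values used below are constructed samples.
type Record map[string]string

// envelope is the vault's metadata for one value: its own AES-256 key, nonce and shard drives.
type envelope struct {
	key, nonce []byte
	drives     []int
}

// Vault maps tokens to envelopes and owns the simulated drives, one map per drive.
type Vault struct {
	entries map[string]envelope
	stores  []map[string][]byte
}

func NewVault(nDrives int) *Vault {
	v := &Vault{entries: map[string]envelope{}}
	for i := 0; i < nDrives; i++ {
		v.stores = append(v.stores, map[string][]byte{})
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

// aesGCM wraps a 32-byte key; NewCipher and NewGCM only fail on wrong sizes, impossible here.
func aesGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Protect encrypts one value under a fresh key, shards the ciphertext over randomly chosen drives and returns the token (bound as GCM additional data).
func (v *Vault) Protect(value string) string {
	token := "tok_" + hex.EncodeToString(randomBytes(16))
	env := envelope{key: randomBytes(32)}
	gcm := aesGCM(env.key)
	env.nonce = randomBytes(gcm.NonceSize())
	ct := gcm.Seal(nil, env.nonce, []byte(value), []byte(token))
	n := len(v.stores) // NewVault must have been given at least one drive
	for i := 0; i < n; i++ {
		drive := int(randomBytes(1)[0]) % n // placement needs to be unpredictable, not uniform
		v.stores[drive][fmt.Sprintf("%s/%d", token, i)] = ct[len(ct)*i/n : len(ct)*(i+1)/n]
		env.drives = append(env.drives, drive)
	}
	v.entries[token] = env
	return token
}

// Reveal reassembles the shards in order and decrypts; any tampering or re-pointing fails the tag.
func (v *Vault) Reveal(token string) (string, error) {
	env, ok := v.entries[token]
	if !ok {
		return "", fmt.Errorf("unknown token %q", token)
	}
	var ct []byte
	for i, drive := range env.drives {
		ct = append(ct, v.stores[drive][fmt.Sprintf("%s/%d", token, i)]...)
	}
	pt, err := aesGCM(env.key).Open(nil, env.nonce, ct, []byte(token))
	return string(pt), err
}

// Tokenize copies a row and replaces only the named sensitive fields with tokens; the rest
// stays in place in the clear. A token is reversed with Reveal only at the moment of use.
func Tokenize(rec Record, sensitive []string, v *Vault) Record {
	out := Record{}
	for k, val := range rec {
		out[k] = val
	}
	for _, f := range sensitive {
		if val, ok := out[f]; ok {
			out[f] = v.Protect(val)
		}
	}
	return out
}

func main() {
	v := NewVault(4)
	row := Record{"name": "A. Example", "ssn": "123-45-6789", "card": "4111111111111111", "zip": "80903"}
	fmt.Println(Tokenize(row, []string{"ssn", "card"}, v)) // name and zip unchanged; ssn and card become tok_... placeholders
}
```

Run it with go run: the printed row keeps name and zip as they were and shows ssn and card as tok_ placeholders that carry nothing of the originals. The vault is the part that must be isolated: whoever can call Reveal gets the original value back, so in a real deployment the Vault would be a separate service with its own access control and audit log rather than a struct in the same process as the database.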

In the digital age, tokenization was originally intended to prevent theft of credit card numbers while they were stored. In the payment card industry (PCI), tokens replace only the cardholder's account number, on-site or off-site, within a process where tokenization is deployed. MicroTokenization extends the idea so that tokenization can be applied to any data type, including all the data surrounding the card transaction.

With MicroTokenization combined with MicroEncryption, information remains usable while meeting and exceeding industry security standards and regulations, and a mass data breach becomes mathematically improbable, since an attacker would need every per-field key rather than a single database key. To see how this works, imagine a phone book from a large metropolitan area. Separate each entry into first name, last name, street name, house number, phone number and zip code. Next, encrypt each piece, then chop up those encrypted pieces. Now imagine shaking those millions of separate encrypted pieces up in a bag and handing the bag to somebody to reassemble into the original phone book. Even if the pieces could somehow be decrypted, the reassembly problem would look much the same and the outcome would not change. This is essentially what MicroTokenization and MicroEncryption do in a cyber setting. Even if hackers pierce the firewalls, they will find only meaningless MicroTokens. These technologies take the cat-and-mouse game to a new, multi-dimensional level.

These solutions apply globally across dozens of industries, including healthcare, financial services, hospitality, retail, energy and smart grid, supply chain management and government services. They make data stored in any cloud fully usable and accessible while maintaining a high level of security, giving enterprise accounts and individuals alike the flexibility and protection they require today. In addition to the database solution, a front-end GUI has been built on top of the MicroEncryption technology; this modular interface is called the CertainSafe Digital Safety Deposit Box.

CertainSafe users can store PHI (regulated under HIPAA), cardholder data (regulated under PCI DSS), PFI, PII and other sensitive data subject to compliance requirements, showing that data protection does not have to be complicated for organizations with an ongoing need for highly secure storage.

Continuous Innovation and Architecture

CertainSafe's data-centric cybersecurity methods go beyond PCI DSS Level 1 requirements with proprietary MicroTokenization and MicroEncryption (MTE) capabilities. The MTE engine is a highly configurable processing mechanism that converts sensitive data into MicroTokens.

Once converted, the values behind the MicroTokens are encrypted with AES (which is defined only for 128-, 192- and 256-bit keys), with RSA-2048 where an asymmetric algorithm is needed, or with a client-preferred algorithm, to reach levels of security that traditional network defenses cannot provide on their own. These controls make a mass data breach a mathematical improbability. In short, CertainSafe aims to change the way data is stored.


A new security paradigm is required to keep sensitive data secure when perimeter defenses are breached. Twenty-first century information sharing requires trusted, self-sufficient secured data backed by the best available technology, giving clients full assurance that the information is genuine, unaltered, trustworthy and unavailable to internal or external exploitation. This paradigm must ensure that only the right people get access to the right information at the right time. MicroTokenization and MicroEncryption keep data at rest and data in motion "black", that is, encrypted and unavailable to external as well as internal exploitation, even when traditional network defenses are breached.