The Future of the Stadium – IOT, Big Data and Cloud

C24 Stadium Technology


The Internet of Things, Big Data, Cloud and Sport.  All massive industries which are growing and evolving daily.

Yet they are all converging to create a deeply analytical solution for sales teams, arenas and stadiums, and an immersive experience for fans and broadcasters alike.

Cisco is talking about the era of the ‘Connected Athlete’, where sensors are placed on athletes, from body sensors which monitor heart rate and distance travelled, to sensors on football boots to measure movements and impact when making contact with the ball.  Previously, pundits had player position data to discuss in halftime, or during tennis matches Hawkeye has enabled the analysis of ball location and journeys.  In the future, will commentators be instead assessing player heart rate trends and in-game fitness levels during halftime discussions?  Or will managers be substituting players based on body sensor data in the near future?

Cisco’s dream is to ‘connect the unconnected’ by turning the athlete’s body into a ‘distributed network of sensors and network intelligence’.  Or a “wireless body area network” as they like to call the human body.

The proliferation of devices and sensor technology has suddenly made the Internet of Things into a ‘now’ rather than a ‘future’ technology.  Fans’ use of mobile devices during matches means that sports clubs have a way to directly communicate with their consumers; providing real-time match and athlete data direct to mobile phones.

We are also seeing the development of ‘intelligent buildings’ – where all devices are connected, from intruder alarms, to stadium ticketing systems through to thermostats and more.  Data can be collated across the entire stadium, to measure where spectators are congregating, which queues are taking longer to service and which crowds need to be monitored.

Digital signage is also coming into the IOT fold, by providing real-time information to stadium visitors to keep them updated.  This could be in the form of providing data about match statistics, or queue information to ease congestion.

Aside from providing a more immersive and interactive experience to fans, the Internet Of Things and big data is allowing stadiums to improve their operations and reduce their running costs.  For instance, real-time monitoring of thermostats paired with data on where spectators are within the stadium could allow facilities managers to turn down the heating or air conditioning to suit, rather than having a one-size fits all temperature management solution that can only be adjusted once the heat or cold becomes a noticeable problem.

On the ticketing front, sensors monitoring crowds entering venues can alert stadium management to how many ticket booths they need to open, which entrances require more ticket booths for the next hour and which can be closed due to a smaller than expected number of visitors.  Being able to make decisions in real-time and create data pictures of a venue should help stadiums to make their operations more efficient based on real insights, rather than previous (and out of date) match data or intuition.

The Internet of Things in sport goes beyond the stadium and into fans’ homes.  Stadiums can now connect into fans who may be viewing matches remotely to share data (and from a commercial point of view: share offers, tickets and merchandise) directly with fans, whether they are in the stadium or not.  And as only one third of the world is connected to the internet, there is huge potential for stadiums to connect with new customers in the future as they gain connectivity.

On the pitch, data usage is becoming the norm.  An article in the Guardian highlights how last year’s Six Nations Championship produced 2 million rows of data per game (that’s 1,400 actions such as tries, tackles, passes, kicks etc).  And the NFL is starting to arm players with a set of RFID sensors to track their activity on the pitch.  This can potentially provide real-time biometric data to managers and fans alike during matches to encourage spectators to continue visiting live games, alongside helping coaches to understand how to improve training methods to produce better results.

And Cisco sees this as just the beginning.  The next step on their horizon is the Connected Patient, by bringing sensor technology to patients in hospitals to track patient lifecycle throughout the hospital process.

Underpinning the Internet of Things is the ability to quickly collect, process and share data.  And underpinning that movement of data is cloud.  Cloud enabled technology allows stadiums to track data from thousands of sensors, hundreds of applications and millions of fans.

From our datacentres in the Midlands, C24, a Six Degrees Company, delivers cloud hosting solutions that underpin business analytics technologies within some of the world’s leading sports clubs and stadium.

We believe the Internet of Things in the arena and stadium space is an exciting and innovative industry to be in, and we look forward to working with some of the most ambitious sports and stadium clients on the planet who want to use analytics to take their businesses stratospheric.


Image provided courtesy of Clintus.


Partnering For Success: EPOS with Analytics

I thought it might be interesting for contacts in the retail, EPOS, analytics and hospitality sectors to learn about how C24 work with an industry leading EPOS vendor and has helped them to move away from purely EPOS offerings to a holistic, analytics-integrated service for clients.

We can’t reveal the name at this stage but the outcomes and challenges resonate with other partners and customers who we work with.

C24 EPOS Hosting 2


Prior to engaging with us, our EPOS partner was facing a number of challenges when engaging with their retail clients.  Although they were already offering a market-leading EPOS solution, they were keen to move into other areas and expand the value they delivered to clients.  This is what their EPOS analytics looked like prior to engaging with C24:

  • – Their EPOS tool had a degree of reporting built into the platform, yet it was static in nature and reporting wasn’t flexible.
  • – Reports were based on historical data generated from the EPOS system.
  • – Reporting was confined purely to the data generated within the EPOS tool, not taking into account the other applications that interacted with the till point.
  • – The reporting wasn’t very visual or graphical in its representation of data, so wasn’t being interrogated by non-data or IT users.
  • – The EPOS vendor was confined to the EPOS share of the customer spend, rather than branching out into other areas to offer potentially revenue-generating solutions for their retail clients.

From a technology point of view, each till point required various pieces of hardware to be installed – creating service headaches if there were any hardware malfunctions, and increasing support costs for the client as any faults would require onsite IT assistance.


Strong partnership

By engaging with the EPOS vendor, we have built a strong partnership in which we combine our business analytics solution with their EPOS application to deliver a service that is holistically bigger than its parts.  Working hand in hand, we have helped to change the conversation from being EPOS-focused, to being centred instead on how the EPOS vendor can help to generate more revenue for the client.

The partnership between the EPOS vendor and C24 has enabled their customers’ EPOS reporting to be:

  • – More visual and graphical representation of data, by dynamically showing data in different formats and word clouds, in order to spot trends easily.
  • – The information is easy to extract from the EPOS tool (providing the user has the correct access levels) – so that data can be shared quickly and easily for swifter reactions to events.
  • – Reporting is more flexible, enabling the integration of non-EPOS applications into the wider reporting environment, so that EPOS data can be shown alongside other apps for increased visibility and an organisation-wide view of the information.
  • – Reporting is now in real-time; users don’t have to wait to extract information.
  • – The reporting functionality was easy to access and adopt for business and IT users alike, due to its ‘search engine’ type style.
  • – Onsite hardware was removed and virtualised, so that the apps were instead delivered from a central hosting datacentre, reducing on-site costs and support expenses.


Business outcomes

The EPOS vendor has experienced a number of commercial benefits as a result of the close partnership with C24.  They have been able to grow their share of wallet in each account by expanding their sale through the addition of our analytics solution.  This has given their sales teams a new message to take out to customers; away from the traditional EPOS sale, to looking at how EPOS technology can maximise revenues for the retailer.

The hosted nature of the new solution means that new customer deployments have much lower timescales to deliver, as installation does not now require the many days onsite work to deploy the hardware and set the systems up, making it a more profitable service to deliver.  Furthermore, this hosted approach has meant that the vendor can move from a CapEx payment structure to a monthly recurring revenue model, which is commercially more sustainable for their business.

This story demonstrates how partnering closely to deliver a combined solution (rather than reselling a bolt-on product) can deliver huge commercial benefits for both parties involved in the partnership – helping each other to reach new markets and offer a more compelling and valuable message for clients.



Find out more about C24’s partnerships with EPOS vendors at or follow C24 on LinkedIn.



About C24 Ltd

C24 is a specialist applications hosting provider, with particular expertise in hosting and analytics for the manufacturing, legal and hospitality sector.

C24 helps retailers and hospitality providers to take their EPOS, and other hospitality applications, to a new level; integrating apps with insightful business analytics and tailored cloud hosting services for a seamless, customer experience.

Find out more about our EPOS hosting and analytics solutions at:


Image provided courtesy of Kai Schreiber.


How EPOS technology can maximise retailer revenues

As a specialist in EPOS (electronic point of sale/tills) and hospitality application hosting and analytics, C24 has
worked with EPOS vendors to take their solution from an onsite, hardware-based proposition to a cloud-enabled, agile service for retail and hospitality clients – keen to make the most out of their investment through business analytics and seamless delivery.

We have seen EPOS vendors move from offering C24 EPOS Hosting 1straightforward EPOS solutions to retail clients that facilitate payment, through to offering a more holistic, analytics-driven solution that provides organisations with visibility across their organisation.

So how can retailers look to harness their EPOS technology to increase customer spend in-store?

Powerful analytics can give you more control over data, enabling you to collate information across your operations that is more visual and easy to digest.  Through data maps, word clouds and graphical representations of complex data, EPOS users can quickly gain insights from their information in real-time.

This enables stores to potentially make changes on the fly, rather than waiting for reports to be produced.  For instance, if certain products are selling more rapidly over a period of time (rather than stock levels just running low), then that could trigger an order for more inventory and increased marketing.

In-store offers could be suggested on the day through recommendation analytics, based on certain factors (i.e. weather, day, trends from previous year, number of customers in-store).  The casinos sector is seen as the market leader in this respect, constantly combining data feeds about their customers from all of their till points across the hotel, restaurants, casino and gambling machines, to build a picture of their customers’ behaviour.

The true value comes when analytics services don’t just focus on EPOS, but instead incorporate all of the applications across the business; combining data from multiple feeds for maximum visibility of how end consumers are interacting through EPOS tills and other points of contact across clients’ businesses.

This helps retailers to start looking at the entire customer experience and interaction points that consumers have with their brand.  Being able to understand how they acquired customers, what marketing worked, what offers failed to impress and who spent what on which day, helps the retailer to build a more accurate picture of where to focus their efforts.

I will be publishing a series of articles focused on how EPOS technology can help drive revenues fo
r retailers and hospitality providers through analytics, so please follow me to read more.

Also, find out more about C24’s partnerships with EPOS vendors at or follow C24 on LinkedIn.



About C24 Ltd

C24 is a specialist applications hosting provider, with particular expertise in hosting and analytics for the manufacturing, legal and hospitality sector.

C24 helps retailers and hospitality providers to take their EPOS, and other hospitality applications, to a new level; integrating apps with insightful business analytics and tailored cloud hosting services for a seamless, customer experience.

Find out more about our EPOS hosting and analytics solutions at:




Image courtesy of Nate Grigg


TextBlade magnetic device overturns how we do mobile typing with sensory approach

At coffee shops, in business meetings and on public transportation, we type on our smartphones as often — if not more often — as on our laptops. We’ve seen many companies introduce improvements to the touchscreen keyboard for more efficient, predictive typing on-the-go, but there is still a need for the multi-sensory experience of typing on a physical keyboard.

Post by PSFK.

Magnetic, Multi-Touch Keyboard Will Change Mobile Typing

Westfield Malls: How Connected Glass & Electronic Windows Engage Shoppers

Courtney Lapin talks about the power of digital interactions in retail environments

PSFK was privileged to have Courtney Lapin speak at our Future of Retail Event in San Francisco. As the Head of Retail Partnerships for Westfield Labs – the innovation arm of Westfield Malls – Lapin shared how new technologies in malls are helping online brands engage with customers in real world settings.

Great presentation – for more details please visit


After posting our IT predictions for next year, we decided to assign ourselves an even more challenging task. Using recent headlines from the tech press as a baseline, we tried to extrapolate ahead to the year 2025. Where might today’s stories about technology and privacy lead to in ten years if we don’t change how we manage IT security today?

In 2014, we saw many ideas more at home in sci-fi movies and novels become an everyday reality—Star Trek-like replicators in the form of 3D printers, James Bond-ish smart cars, and advanced machine intelligence courtesy of IBM’s Watson. Hold these thoughts as we now present privacy and security related news items from the future along with the questions raised by these emerging threats from our own time in 2014.

Any parallels to Orwell’s 1984 are (we hope) purely coincidental.

Hackers Uses 3D Printed Eyeball to Fool Retinal Scanner

2014: Many data points were created when President Obama got 3-D printed. Whether it’s the president’s or just an ordinary citizen’s biometrics, who should have access to the data points of heads, arms, finger, retinas, etc.?

2025: Interpol’s Cyber Security Division yesterday arrested a gang of biometric cyber thieves. They were caught using an eerily life-like plastic eyeball encased in a super-clear glass block. The thieves had previously hacked into idVault, one of the world’s largest data brokers, and 3D rendered the physical eye structure from stored retinal digital signatures …

Cyber Carjacking Ring Foiled

2014: Automakers know how you roll, but how will they use, store and protect the data collected from our increasingly smart vehicles?

2025: Working from a high-rise office building in Los Angeles, a ring of hackers had been stealing cars remotely by exploiting a new vulnerability found in automakers’ Microsoft-based telemetric controls. After owners parked their self-driving vehicles, the thieves used bots to crawl the IOE (Internet of Everything), insert special code into the navigation module, and then drive the cars to a special garage owned by the hackers. Police say they had never seen …

Data Broker idVault Sued

2014: Personalization has simplified how we locate products and services. With highly targeted advertising and content selection, are we as consumers being secretly penalized and denied access to an alternative world of ideas and options?

2025: idVault, one of the world’s largest personal information brokers, was sued in federal court yesterday. This is the largest ever class-action brought against a data broker. The suit came about when consumers in several states noticed sudden rises in their auto insurance and credit card rates soon after they had installed a free children’s game app in their car’s operating system. The app secretly was secretly sending GPS and other navigation data to idVault, which was then selling the data to financial companies …

Cell Phone Hackers Caught Impersonating Bank

2014: In today’s cellular networks, how can we ensure that we are not being monitored by third parties (private and governmental).

2025: With the cost of cell phone transmission electronics having plummeted over the last few years, 5G equipment is now within reach of ordinary citizens. Beside the new wave of private pop-up cell phone carriers offering free streaming video, hackers have also gotten into the cell phone business. Recently a hacker collective was caught using their own pirate cell phone tower to intercept calls. Their software filtered out connections to banks and brokerage house, handing off the rest to Verizon. The FBI said the hackers appeared to callers as personal bankers …

Clothes and 3D Masks Make the Hacker

2014: With the help of 3D printers and the ability to render various images when shopping, how can we realistically authenticate ourselves for even the most basic services?

2025: The smart mirror technology has improved greatly since department stores began using them in their dressing rooms a few years ago. These special mirrors now allow store customers to view inventory, select clothes, and then render images of the shopper in different virtual outfits. However, hackers were found to have penetrated one high-end department store’s firewall, stealing images and data about its customers from the embedded file servers in the smart mirrors. Using 3D printers, they generated realistic masks, and then dressed in similar outfits to their victims. Police say they almost got away with opening an enormous credit line ….


Great article from the guys at Varonis

I had the chance to talk with cyber security expert Justin Cappos last month about the recent breaches in the retail sector. Cappos is an Assistant Professor of Computer Science at NYU Polytechnic School of Engineering. He’s well known for his work on Stork, a software installation utility for cloud environments.

In our discussion, Professor Cappos has a lot to say about weaknesses with our current approach to password-based security as well as new technologies that can be applied to credit card transactions. He’s worked on his own password hash protection algorithm, known as PolyPasswordHasher, which would it make it very difficult for hackers to perform dictionary-style attacks. Cappos offers some very practical advice on securing systems.

Metadata Era: It looks like Backoff malware was implicated in the Staples attack. Though we don’t know too much about the exploit, but if it’s like other recent attackers, the hackers found it relatively enter the system through phish mail, guessing passwords, or perhaps injection attacks.

Justin Cappos: I did look around for this information, and I see a lot of people reporting, but I don’t see anybody specifically saying or speculating that perhaps it’s similar to Target or some of these breaches. Nothing concrete yet.

That’s not to say there isn’t anything a company can do to protect infrastructure—for example, to harden things, to train users not to open phishing mails, and have people choose reasonable passwords especially on sensitive systems. The problem with any of these defenses is that the attacker has to only succeed once.

Once they get in, typically they can move around, get access to other things. So businesses need to do a few different things to try to protect themselves effectively. Some of which they may already being doing, but there needs to be a strong emphasis on compartmentalization.

You mean …

So the person who does PR for the organization doesn’t, say, have direct access to financial records.

Also, it’s extremely important to have good network monitoring. You need to have a way to detect whether data is moving off our servers—is it going to places we wouldn’t expect it to be going to. Looking for things like, for example, an HVAC subcontractor who occasionally accesses the corporate network but has now suddenly found to be hoovering up data. That should be a red flag!

So once they’re in through phishing or injection, they have the credentials of an existing user, and as you pointed out, you have to start monitoring for unusual behaviors. This internal monitoring function becomes very important. Although it’s not something necessarily that companies focus their resources on.

Exactly. So imagine a quarantine. If you were to quarantine something like a thousand people, you wouldn’t put them all in the same big area, where they’d all interact. Ideally you’d want to isolate them.

At a minimum, you want to cut down on interactions. So when you do a data analysis in your organization, you want to keep track of how these isolated pockets are able to communicate and look for suspicious patterns and behaviors.

How can this be done—is this part of your research?

Not specifically for me. But it is good best practices for lots of different organizations. So the military and government use this compartmentalization approach. As do banks. They will segment information off and in some cases, have isolated networks that are not even connected to the Internet. It really depends on the sensitivity of the data and how it will impact the working style of the people.

So you’re really talking about a data governance function, in terms of what is more valuable and what requires more restrictive permissions.

I consult with lots of startups. And one of the first things I do is I say, “Tell me your worst nightmare about somebody breaking in and stealing something. What is that thing?”

For some companies, it’s data about their customers, for some it’s information about an algorithm. It varies a lot depending on the monetization strategy and what the secret sauce of the organization is.

You want to find that thing, and for larger companies, it’s probably many things, and isolate them as much as possible so it’s as hard as possible for an attacker to get that information.

Sometime it means separating functionality out across multiple servers. So for instance, if your password data is one of the most sensitive things your organization has, you can very easily have a separate server whose only function is to handle password requests, and it did this through a custom protocol that your company wrote.

You would monitor the network and if it got anything other than a password request and returned anything other than a “yes or no”, then you would know immediately that something has happened.

That takes time and takes energy, and you have to implement something a little different to make that happen. If you’re going to protect a really valuable asset, they should do this!

And if you don’t spend the time and effort for say your legacy systems, what would your recommend?

For legacy systems, there’s certainly never an excuse not to follow best practices. They absolutely should be using salting and hashing of passwords, if not something stronger, such as hardware-based authentication or PolyPasswordHasher. They need to be using strong protections for user passwords and data.

They need to be encrypting credit card information. If they’re not really in the security business, they really shouldn’t be storing credit card information, they should consider working with a 3rd party payment processor that will make it so they effectively only have tokens on their server instead of raw credit card data. They can outsource the risk and security concerns with storing credit card information in many cases.

Sure, for some companies it would make sense to outsource to payment processors. But clearly the big box retailers are doing their processing in house.

You mentioned multi-factor authentication. In theory that would have made some of the attacks we’ve seen over the last year much more difficult. Is that a fair statement?

It is. It’s not a panacea—it doesn’t solve all problems. It raises the bar for simple password attacks. It doesn’t necessarily stop people from getting in other ways—SQL injection and other vulnerabilities. Two-factor authentication will not help in that context.

Another way it often does help is to prevent the spread. So if you have a sensitive server that users have to log into with two-factor authentication, even if the attacker figures out the password for users on that server, if they don’t have the second factor they will be unable to get in. That can sometime contain the attack.

Security is almost never about perfect solutions. It’s pretty much about making it harder for the hackers, and buying yourself some time and just making it difficult enough that you no longer become a good target

Right, so it becomes too much of an investment for them and the attackers will move on to an easier victim.

In our blog, we’ve been focused lately on the flaws in authentication systems, mostly as result of SSO or Single Sign On that distributes the hash of the password throughout a system. We’ve written about Pass the Hash wherein once they attackers get the password hash they essentially can become that user. Any recommendations for this authentication problem, and are there longer term solutions?

Sure. There are three things to know about in this area.

The first is that if your organization has a good password policy and makes users choose passwords that have a reasonable degree of randomness, then breaking those passwords—through say dictionary attacks— still can be implausible. What really happens is that if you get those hashes and those passwords behind them are not amazingly well chosen, then one can break them. If they are very strong passwords—like 8 character, randomly chosen and not from a dictionary—those are pretty strong.

If you’re trying to generate passwords as a human, there are tricks you can do where you pick four dictionary words at random and then create a story where the words interrelate. It’s called the “correct horse battery staple” method! [Yeah, we know about it!]

Strong passwords do help a lot. Organizations should be encouraging their users to choose strong passwords. I think that—many experts believe—requiring users to frequently change passwords, say, every three or six months, does much more harm than good. Because users get frustrated by this and are more likely to forget their password, and so choose passwords that somewhat fit the criteria but are easy enough to remember. I wish organizations would do away with this policy, and instead choose a good initial strong password. That would dramatically increase the time it takes for hacker to crack the passwords.

By the way, should we be relying on those password strength meters?

Unfortunately, password strength meters can be fooled—you can give it a poor password that it thinks is a good password. Use it with a grain of salt!

There are lists out there of commonly used passwords—even those that use upper and lower case with symbols—and organizations should be really positive that users are not choosing anything in the popular password list. They should actively block the passwords.

That’s the first thing—focus on passwords.

The second is that organizations like Microsoft, should be really spending more time designing and improving the security of their systems with respect to password storage. The threat model and landscape has really changed in the last few years where hacker are much more aggressively going after password databases.

So I would like to see much better support from operating system vendors for things like hardware protection of passwords. I’d like to see some of the new techniques for password protection—like PolyPasswordHasher and other things like this—integrated more broadly. Anything that will slow or stop attackers.

Microsoft, by and large, has very good security—they have an excellent security team. I would just love to see them have a focus in this area, and do this in a realistic way and even provide patches for older versions, which companies like banks are still using.


It’s a password storage and protection scheme. It’s actually something that’s been done by myself and one of my students. It makes it so you have to crack multiple password in a database simultaneously to know if any of them is correct. It’s much harder for hackers to crack passwords from the hash. It’s simple to deploy–it’s a software change in the server—and it makes things exponentially harder. It’s open-source and free—available for different frameworks.

And the third part of your recommendations?

There’s something called EMV, which is a standard way to handle credit card numbers that’s commonly used everywhere else but the United States.

So there’s a chip on an EMV-based card that protects information—a tiny security computer if you will. If you swipe your card at a terminal, then all you’re doing is authorizing a transaction—you’re not giving any card information. But if you swipe a magnetic card—like what we use in the US—they really have all the information. The nice thing about EMV cards, you have to steal the cards to take advantage of it. The bar is much higher.

What information does the EMV chip give?

A way of thinking about it is that the magnetic strip technology is almost like giving someone your wallet. Basically, every time you hand someone a credit card or credit card number, you give them the ability to make transactions on your behalf. With EMV, you not giving the ability to make transactions in the future, you’re giving an authorization for the current transaction—almost like a ticket for a movie. You can’t reuse it.

Ah, so you use it once and it can’t be replayed in an attack.


If the EMV solution becomes widespread, would that prevent the retailer attacks from succeeding—there wouldn’t be anything the attackers could use again?

No security is perfect, but EMV makes it much harder. It’s not impossible, though. The amount of work you’d have to do is substantial. I wouldn’t anticipate we’d see millions of credit card stolen. It’s not a panacea, but it works well.

EMV raises the barriers and eliminate the easy hacks, which is essentially what we’ve been seeing the last year– retails hacks that required very basic techniques.

Yes, it would no longer be a problem of hackers stealing and then at their leisure moving files. Instead they would have to do real-time, live changes to the transactions. EMV is not perfect, but it makes it harder. And often times in security, harder is enough.

That’s a good way to end this. Thanks Professor Cappos.

Thank you!



A legal hold is a written directive issued by attorneys instructing clients to preserve relevant evidence – such as paper documents and electronically stored information – in an anticipated litigation, audit, or government investigation. However, as businesses increasingly store data in electronic formats, it’s becoming ever more important to be able to manage, preserve, classify, and search electronically stored information (ESI).

A legal hold includes the following steps:

  • Issuing a written hold notice
  • Identifying the right stakeholders
  • Coordinating data identification and preservation
  • Monitoring the implementation of the hold

Who Needs to Comply

Any organization that can potentially come under litigation should educate employees on the company’s legal hold policy as well as how to respond to any legal hold notice they may receive. When a legal hold is issued, attorneys should ascertain that the recipients listed in the legal hold understand their responsibilities. Also, working within the organization’s legal framework, attorneys and the IT Department will take all appropriate steps to retain and preserve ESI.

Risks in Non-compliance

When evidence is destroyed, lost, or altered, the ramifications can be detrimental as it becomes virtually impossible to prove or defend a case. An organization’s failure to prevent spoliation of evidence can result in court-ordered sanctions as well as fines, especially if ESI is found to have been destroyed because a legal hold was not effectively carried out.

Below are consequences and regulations set forth by each association and regulating party.

Title 18 of United States Code Sections

Under Title 18 of United States Code Sections, the individual responsible will be fined and/or face jail time.

“Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.” 18 U.S.C. Sec. 1519.

Federal Rules of Civil Procedure

Under Federal Rules of Civil Procedure Rule 37 possible sanctions are as follows:

  • dismissal of the wrongdoer’s claim
  • entering judgment against the wrongdoer
  • imposing fines on the wrongdoer

How Varonis can help with Legal Hold

1. Finding Evidence

DatAnswers maintains an index so that files containing specific terms can be found at any time.

The Varonis IDU Classification Framework is a data classification engine that can incrementally scan file servers and intranets for documents based on a multitude of criteria: keywords, patterns, date created, date last accessed, date modified, user access, owner, and many more, making it possible for IT to find and preserve relevant evidence.

The IDU Classification Framework is efficient and performs true incremental scans, knowing exactly which files have been modified and require rescanning without checking every single location.

The IDU Classification Framework is an automated classification engine. It does not rely on users to manually flag or tag data (though that is possible). It classifies data across multiple platforms (Windows, NAS, SharePoint, etc.).

Also critical to preserving evidence, DatAdvantage can identify and locate all ESI, show which users and groups have access, and provide an audit on all ESI, such as when the file, directory services object, and email was open, edited, deleted etc.

2. Holding Evidence

Once relevant evidence has been found by the IDU Classification Framework, the Varonis Data Transport Engine can automatically migrate or copy documents into a secure location designated for legal hold where the files cannot be modified or deleted.


During a recent visit to Brazil, I encountered many customers and partners who faced a similar challenge – providing their clients with a safe, secure and genuinely easy way to share files and collaborate with data.  All faced a number of barriers and none were happy with the current offerings of cloud based file sharing solutions.  Generally speaking:

  • All required a secure way to share files with internal and external people– partners, vendors and employees
  • All tried to block access to file sharing sites and no one thought they were successful in doing so
  • All were concerned about the additional resource requirements to manage and control cloud file shares
  • Many wanted the same user experience and processes  for internal  and external collaboration
  • Not one had a plan to fulfill these requirements
  • All were required by the business areas to provide a solution in the near term

The following 5 criteria summarize their requirements, which are not currently fulfilled by cloud based file sharing solutions:

1. Ongoing guarantee of rightful access

Customers clearly state that the security of cloud based file sharing solutions is a primary concern.  They require a comprehensive audit trail of all usage activity, the ability to ensure permissions are granted and revoked at the appropriate times by the appropriate people, and the ability to develop different profiles for different data and people based on data sensitivity, customer location, and role.

2. Ability to leverage existing infrastructure and processes

Customers want to leverage their existing infrastructure and processes instead of purchasing a new solution, and have no wish to reinvent their processes for managing data on a third-party cloud solution.  Customers have processes and applications to perform backup, archival, provisioning and management of existing infrastructure, and they are confused about how to perform these functions within a cloud-base file sharing solution.

3. Ensuring Reliability with Accountability

IT organizations have defined service levels for their internal clients,  and are accountable for the delivery of each service. If they don’t deliver, there is no question about whose responsibility it is.  Service levels associated with cloud based file sharing must be negotiated like other third party services – there are typically few guarantees of performance and remedies for non-performance are limited.

4. Providing an intuitively simple user experience

Regardless of the solution, IT Managers are very concerned about a new user experience for their clients.  Most indicate that a different user experience will require training, impact the number of calls for support, and reduce productivity at least temporarily.  Ultimately, IT Managers would like leverage the user experience that their user population has already mastered.

5. Predictable expense

Typical cloud based file sharing solutions are priced based on amount of storage— storage requirements often grow at a surprising rate. Customers may need to negotiate storage costs with cloud providers on an ongoing basis.


To get a sense of where the PCI Data Security Standard (DSS) is heading, it helps to take a look beyond the actual language in the requirements. In August, PCI published a DSS 3.0 best practices document that provided additional context for the 12 DSS requirements and their almost 300 sub-controls. It’s well worth looking at. The key point is that PCI compliance is not a project you do once a year just for the official assessments.

The best practice is for DSS compliance to be a continual process: the controls should be well-integrated into daily IT operations and they should be monitored.

Hold that thought.

Clear and Present Dangers

One criticism of DSS is that it doesn’t take into account real-world threats. There’s some truth to this, though, the standard has addressed the most common threats at least since version 2.0—these are the injection style attacks we’ve written about.

In Requirement 6, “develop and maintain secure systems and applications,” there are sub-controls devoted to SQL and OS injection (6.5.1), buffer overflows (6.5.2), cross-site scripting (6.5.7), and cryptographic storage vulnerabilities (6.5.3)—think Pass the Hash. By my count, they’ve covered all the major bases—with one exception, which I’ll get to below.

The deeper problems are that these checks aren’t done on a more regular basis—as part of “business as usual”—and the official standard is not clear about what constitutes an adequate sample size when testing.

While it’s a PCI best practice to perform automated scanning for vulnerabilities and try to cover every port, file, URL, etc., it may not be practical in many scenarios, especially for large enterprises. Companies will then have to conduct a more selective testing regiment.

If you can’t test it all, then what constitutes an adequate sample?

This question is taken up in some detail in the PCI best practices. The answer they give is that the “samples must be sufficiently large to provide assurance that controls are implemented as expected.” Fair enough.

The other criteria that’s supposed to inform the sampling decision is an organization’s own risk profile.

Content at Risk

In other words, companies are supposed to know where cardholder data is located at all times, minimize what’s stored if possible, and make sure it’s protected. This information then should guide IT in deciding those apps and software on which to focus the testing efforts.

Not only should testing be performed more frequently, it’s also critical to have a current inventory, according to PCI, of the data that’s potentially hackable—let’s call it data at risk—and users who have access.

For Metadata Era readers, this is basically the Varonis “know your data” mantra. It becomes even more important because of a new attack vector that has not (yet) been directly addressed by PCI DSS. I’m referring to phishing and social engineering, which has been implicated in at least one of the major retail incidents in the last year.

Unlike the older style of injection attacks that targeted web and other back-end servers, phishing now opens the potential entry points to include every user’s desktop or laptop.

Effectively, any employee receiving a mail—an intern or the CEO­­—is at risk. Phishing obviously increases the chances of hackers getting inside and therefore raises the stakes for knowing and monitoring your data at all times, not just once a year.