Nicor Gas is one of the largest natural gas distribution companies in the United States, serving more than two million customers in 643 communities. Nicor Gas operates a network of more than 34,000 miles of pipelines, connected to the largest underground storage facilities in the country. Nicor Gas adopted WAUSAU Financial Systems’ (WAUSAU) integrated receivables solution, ImageRPS®. The lockbox banking capabilities provided by WAUSAU’s ImageRPS solution enable Nicor Gas to accelerate the payment and deposit portion of its business by streamlining collection, processing and documentation for the approximately 80,000 payments Nicor Gas receives every business day.
In addition to the normal information technology best practices around security to minimize the risk of fraud and abuse, Nicor Gas needed to comply with the recently enacted Illinois state law protecting consumer information – the Illinois Personal Information Protection Act (PIPA). A multidisciplinary task force reviewed computing infrastructure including applications, databases and file shares that might contain Personally Identifiable Information (PII) affected by the Illinois PIPA. The internal task force identified the WAUSAU ImageRPS application performing lockbox work as a system requiring data protection.
Nicor Gas identified the ImageRPS production data as requiring remediation. The ImageRPS archives can be encrypted by the ImageRPS application, but the ImageRPS production data containing PII was “in the clear” and posed a data breach risk.
Nicor Gas required a transparent solution that would protect the sensitive data generated by the WAUSAU ImageRPS application while having a negligible impact on system performance. As Mark Guth, the Senior Manager of Information Security at Nicor Gas, explained, “We needed to encrypt information without interfering with the performance of the WAUSAU application. As you apply encryption to files that the WAUSAU system uses, the system cannot slow down.” Requiring significant system changes would be costly and time-consuming, so any security solution had to be transparent to the ImageRPS application.
Nicor Gas deployed Vormetric Data Security to protect the image data created by the WAUSAU solution. The ImageRPS application runs on a Microsoft Windows Server 2003 virtual machine in a VMware virtual environment with data residing on a Storage Area Network (SAN). The Vormetric Data Security agent resides on the Windows Server machine and is managed by the Vormetric Manager appliance for policy and encryption key management.
Nicor Gas was able to combine the Vormetric deployment with an ImageRPS update required for the US Federal Check 21 Act. As Guth explained, “We had refreshed our test environment as part of the Check 21 process, and we were able to test both at the same time. We ran a subset of checks through the test environment without Vormetric and then with Vormetric, and the performance results came out equal. We tested response times of the systems and there was no recognizable difference in response time.”
After completing the test and staging process, Nicor Gas moved the configuration into production.
Nicor Gas lockbox data is now protected by Vormetric Data Security. Commenting on the Vormetric interaction with ImageRPS, Guth observed, “The transparency turned out to be very positive. It really turned out to be as seamless as advertised. We know the data at rest is secure. It mitigated the risk we had with the Illinois Personal Information Protection Act.”
After proving the Vormetric solution protects lockbox data, Nicor Gas is now considering expanding its deployment of Vormetric file encryption to protect file shares containing sensitive information.
Vormetric provides a proven approach to securing lockbox banking data that meets rigorous data governance and compliance requirements. Vormetric Data Security can be quickly deployed to secure data without changes to the lockbox banking application or the underlying hardware infrastructure. Utilizing high-performance encryption, this transparent approach enables enterprises to meet data governance requirements with a rigorous separation of duties without changing the application performance characteristics.