+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

Working Remotely & Data Security - Needed Now More than Ever

Posted by Patrick Townsend on Mar 27, 2020 7:29:13 AM

We are all working from home now. At least, in the technology world that seems to be true. What does this mean from a security standpoint? Here are a few thoughts:

Data SecurityTechnology workers (programmers, project managers, customer support staff, pre-sales engineers, etc.) are generally pretty comfortable with remote work. This is the result of a multi-year trend driven by talent shortages, distributed organizations, and out-sourcing. However, traditional finance and administrative workers tend to be more office-centric. They are rapidly adjusting to working at home and figuring out how to balance work in a home environment. Kids in your space? Yup, it’s a big adjustment for everyone when you suddenly move from office to home.

With COVID-19, we are doing work-from-home to better protect our colleagues, our families, and our friends and community. It is critical that we do physical distancing and get it right. It is truly a matter of life and death. 

I believe that there are security implications to this change, too. Corporate systems are at more risk. 

When we move workers from the office to home, we expand the attack surface. Our home PCs and networks have probably not had the same security scrutiny that office systems have. But those home PCs now have access to the corporate network. There is a lot of use of VPN, Remote Desktop Protocol (RDP), and terminal emulators like GoToMyPC to get connectivity. I think in a lot of cases the security exposure has increased as we deal with the COVID-19 pandemic. 

We need to take this expanded threat to our corporate systems seriously. Cybercriminals will happily use any new weakness to access our sensitive data. It may be a lot easier to break into your home network and jump to the corporate network.  Here are some things you can do right away:

  • Start reviewing home PCs and networks like you would internal systems. And start with your system and network administrators. They often hold highly authorized credentials. Create a special team to get this done as quickly as possible. 
  • Make a prioritized list of your application databases that hold sensitive data. Or, if you have the list, do a quick review and update as needed. You probably have some databases that are easy to protect with encryption and good encryption key management.
  • These databases are fast and easy to protect: Microsoft SQL Server (TDE), MySQL, MongoDB, and Oracle Database. You can get these common databases under encryption protection very quickly. 
  • Do you use VMware for your IT infrastructure? You probably do. It is very fast and easy to implement encryption of VMs and vSAN. This is a fast and easy win.
  • Get management buy-in. We all know that we have an emergency on our hands. Enlightened management will get on board quickly. They are going to have to approve new human resource assignments and some new budget. 

We are in uncharted territory with COVID-19. Here at Townsend Security we are committed to helping you survive this challenge. We will help you get the data security you need. Just talk to us.

Patrick

The Encryption Guide eBook

Topics: Security Strategy

VMware Encryption for Data-at-Rest

Posted by Ken Mafli on Mar 23, 2020 7:00:00 AM

What is VMware Encryption for Data-at-Rest?

VMware vSphere encryption for data-at-rest has two main components, vSphere VM encryption and vSAN encryption. Both only require the vCenter vSphere Server, a third-party Key Management Server (KMS), and ESXi hosts to work. It is standards-based, KMIP compatible, and easy-to-deploy.

VMware Encryption for Data-at-Rest

 

Which Encryption Option Should you Choose, vSphere VM or vSAN?

Data security is paramount for sensitive data-at-rest. Fortunately, protecting your data in VMware is relatively easy with the introduction of vSphere VM encryption in version 6.5 and vSAN encryption in version 6.6. Even better, for most folks, you won’t have to choose between each option, you will likely use both as needed. That said, there are some times when you might prefer one over the other. With that in mind, here are some of the features for each and how they are the same/different.

 

  vSphere VM vSAN
AES-256 encryption Yes Yes
KMIP compatibility Yes Yes
FIPS 140-2 compliant Yes Yes
Common Criteria compliant Yes (ESXi 6.7) Yes (ESXi 6.7)
centralized encryption policy management Yes Yes
Centralized encryption key management (KMS) Yes Yes
Datastore encryption  No Yes
per-VM encryption Yes No
Each VM has a unique key Yes n/a
Encryption occurs before deduplication Yes No
Encryption occurs after deduplication No Yes

 

One of the most clear cut cases on preferring one encryption option or the other is in a multi-tenant situation. VMware gives these examples:

Engineering and Finance may have their own key managers and would require their VM's to be encrypted by their respective KMS. Or maybe your company has been merged with another company, each with their own KMS. Additionally, you may have a "Coke & Pepsi" scenario of two unrelated tenants. VM Encryption can handle this use case using the API or PowerCLI Modules for VM Encryption.

Encryption and Key Management for VMware - Definitive GuideSince each VM is encrypted by a different key, vSphere VM encryption may be better suited for multi-tenant situations. In this way, not only will each tenant be assured that their sensitive data is not commingled with other tenants data (separate VMs), but their data is protected by separate keys.

Beyond that, VMware notes that “vSAN has unique capabilities for some workloads and may perform better in those situations.” So, if you are protecting larger datastores with a single tenant, vSAN would be your best option.

With these distinctions in mind, here is the best news: They are equally easy to set up! We have put together two videos to highlight the steps to get encryption enabled in each environment:

vSphere VM Encryption

 

For a more detailed look at vSphere VM encryption, please visit our post: vSphere Encryption—Creating a Unified Encryption Strategy. Here is a partial list of steps for enabling vSphere VM encryption:

  • First, install and configure your KMIP compliant key management server, such as our Alliance Key Manager, and register it to the vSphere KMS Cluster.
  • Next, you must set up the key management server (KMS) cluster.
    • When you add a KMS cluster, vCenter will prompt you to make it the default. vCenter will provision the encryption keys from the cluster you designate as the default.
  • Then, when encrypting, the ESXi host generates internal 256-bit (XTS-AES-256) DEKs to encrypt the VMs, files, and disks.
  • The vCenter Server then requests a key from Alliance Key Manager. This key is used as the KEK.
  • ESXi then uses the KEK to encrypt the DEK and only the encrypted DEK is stored locally on the disk along with the KEK ID.
  • The KEK is safely stored in Alliance Key Manager. ESXi never stores the KEK on disk. Instead, vCenter Server stores the KEK ID for future reference. This way, your encrypted data stays safe even if you lose a backup or a hacker accesses your VMware environment.

vSAN Encryption

 

For a more detailed look at vSAN encryption, please visit our post: vSAN Encryption: Locking your vSAN Down. Here is a partial list of steps for enabling vSAN encryption:

  • First, install and configure your key management server, or KMS, (such as our Alliance Key Manager) and add its network address and port information to the vCenter KMS Cluster.
  • Then, you will need to set up a domain of trust between vCenter Server, your KMS, and your vSAN host.
    • You will do this by exchanging administrative certificates between your KMS and vCenter Server to establish trust.
    • Then, vCenter Server will pass the KMS connection data to the vSAN host.
    • From there, the vSAN host will only request keys from that trusted KMS.
  • The ESXi host generates internal keys to encrypt each disk, generating a new key for each disk. These are known as the data encryption keys, or DEKs.
  • The vCenter Server then requests a key from the KMS. This key is used by the ESXi host as the key encryption key, or KEK.
  • The ESXi host then uses the KEK to encrypt the DEK and only the encrypted DEK is stored locally on the disk.
  • The KEK is safely stored separately from the data and DEK in the KMS.
  • Additionally, the KMS also creates a host encryption key, or HEK, for encrypting core dumps. The HEK is managed within the KMS to ensure you can secure the core dump and manage who can access the data.

Final Thoughts

vSphere VM and vSAN encryption for data-at-rest is a powerful tool in protecting your sensitive data. It is standards-based, policy-based, and KMIP compliant. This makes it both powerful and easy to enable. While each has different strengths that make them a better choice in some situations; most of the time, it will just come down to needing to either secure data in a VM or vSAN datastore.

If you have sensitive data in VMware and are not encrypting, enable encryption today! We are happy to help.

 

New call-to-action

Topics: VMware, vSphere, vSAN, vSphere Encryption

Townsend Security Extends Free NFR Licenses for Key Management Server (KMS) to Microsoft MVPs and AWS Heroes

Posted by Luke Probasco on Mar 18, 2020 2:00:00 AM

Alliance Key Manager, Townsend Security’s FIPS 140-2 compliant encryption key manager, is now available free of charge to Microsoft MVPs and AWS Heroes.

Free NFR License for Encryption Key Management Server (KMS)

Townsend Security today announced that it is extending free Not for Resale (NFR) licenses to Microsoft MVPs and AWS Heroes for Alliance Key Manager, their FIPS 140-2 compliant encryption key management server (KMS). The NFR licenses are available for non-production use only, including educational, lab testing, evaluation, training, and demonstration purposes. NFR Licenses are available here.

Joining VMware vExperts in Townsend Security’s successful NFR program, Microsoft MVPs and AWS Heroes can protect databases, applications, and VMware images with a secure and compliant key management server (KMS). Additionally, the solution allows businesses to properly encrypt private data without modifying their business applications. Alliance Key Manager supports the OASIS Key Management Interoperability Protocol (KMIP) and Microsoft’s Extensible Key Management (EKM) found in SQL Server Enterprise 2008+ and SQL Server Standard 2019+. The solution is available as a VMware Virtual Machine or in the cloud (AWS, Microsoft Azure).

Additionally, Townsend Security provides Alliance Key Manager users with a wide range of ready-to-use security applications, SDKs, and sample code. With over 3,000 users worldwide, the solution is helping businesses achieve their security and efficiency goals in cloud and VMware environments.

“Protecting sensitive data continues to be a critical concern in IT, and an important part of both security and compliance efforts,” said Patrick Townsend, CEO of Townsend Security. “After launching with VMware vExperts, we are excited to extend the program to Microsoft MVPs and AWS Heroes. I believe they will be pleased to see how fast and easy encryption key management has become.”

Microsoft MVPs and AWS Heroes can request an NFR license of Alliance Key Manager here.

New call-to-action

Topics: Alliance Key Manager, Press Release

Enterprise Key Management System (KMS) vs Cloud Key Service (KMS, Key Vault)

Posted by Patrick Townsend on Mar 16, 2020 3:38:00 PM

I am often asked about public cloud provider encryption key services like AWS KMS and Azure Key Vault. There are substantial differences between an Enterprise Key Management System (we have one) and the key services provided by Amazon and Microsoft (and Google has one, too). Enterprise Key Management Systems provide dedicated, full lifecycle key management under your exclusive control. Cloud key services provide a small subset of encryption key management support, in a non-dedicated, multi-tenant, shared environment. 

Perhaps the best way to show the differences is in a side-by-side table comparing our Alliance Key Manager for AWS and Azure, and Cloud Service Provider (CSP) key services:

Feature

Alliance Key Manager

Cloud Key Service

     

Standards

   

FIPS 140-2 Compliant

Yes

Back end only

OASIS KMIP compliant

Yes

No

     

Operational

   

Dedicated control

Yes

No, Shared Custody

Cross cloud

Yes

No

Mirror keys to on-premise

Yes

No

On-premise to cloud seamless migration

Yes

No

Backup off cloud

Yes

No

Key mirroring across regions/zones

Yes

No

Migrate to HSM

Yes

No

Automatic failover across regions/zones

Yes

No

     

VMware and Kubernetes

   

VMware encrypted VM support

Yes, certified

No

VMware encrypted vSAN support

Yes, certified

No

VMware vTPM support

Yes

No

     

Database & Application

   

SQL Server TDE support

Yes

No

MongoDB Enterprise Advanced support

Yes

No

MySQL Enterprise support

Yes

No

IBM DB2 support

Yes

No

Drupal

Yes

No

     

SDKs

   

Java

Yes

Yes

.NET (C#)

Yes

No

Python

Yes

Yes

C/C++

Yes

Yes

PHP

Yes

No

Perl

Yes

No

RPG

Yes

No

COBOL

Yes

No

 

Download Alliance Key Manager

Topics: Encryption Key Management

Microsoft SQL Server Standard Edition and TDE Encryption

Posted by Patrick Townsend on Mar 12, 2020 10:00:27 AM

Microsoft handed everyone a big gift with SQL Server Standard Edition 2019. The Standard edition of SQL Server did not previously support encryption. Surprise! Now it does. Prior to this new version, SQL Server Standard customers had to upgrade to the Enterprise Edition, or install a third party encryption solution. Upgrading to the Enterprise Edition was expensive for many small to midsize Microsoft customers, so bringing encryption to Standard Edition with 2019 is a big deal.

Let’s take a dive into SQL Server Standard Edition 2019 and the encryption support:

How Encryption is Implemented

SQL Server Standard Edition & TDEMicrosoft implemented encryption in Standard Edition by bringing the EKM Provider architecture from the Enterprise Edition to the Standard Edition. This means that Standard Edition users have access to the same encryption and key management capabilities that are available in the Enterprise Edition. This is great news for Microsoft customers as most are running both Standard Edition and Enterprise Edition in their IT infrastructure. You can now deploy the same encryption and key management solution across your Standard Edition and Enterprise Edition databases. If you are using Transparent Data Encryption (TDE) in the Enterprise Edition, you can now do the same thing in Standard Edition.

Earlier Versions of Standard Edition and Upgrades

The new encryption capability for Standard Edition is only in the 2019 release (version 15.x). Earlier versions of SQL Server Standard Edition will not be upgraded to support encryption. To take advantage of encryption in Standard Edition you have to upgrade to the 2019 release. You do NOT have to upgrade to the Enterprise Edition!

Encryption Key Management

How you manage encryption keys is crucial to your encryption strategy. SQL Server provides you with two key management options:

  • Locally stored on SQL Server
  • Deployment of a key management server through the EKM Provider interface

The only secure way to manage your encryption keys is through the use of a key management system that is registered and accessed through the EKM Provider interface. Our Alliance Key Manager for SQL Server solution implements support for the EKM Provider interface and provides you with all of the software you need to protect SQL Server encryption keys.

Compliance Regulations

Many Microsoft customers are rushing to implement encryption in order to meet the new California Consumer Privacy Act (CCPA) requirements. Your only protection from class action lawsuits in the event of a breach is through encryption of sensitive data, and proper protection of encryption keys. Storing encryption keys on the same server as the protected data will NOT provide you with CCPA protections. See California law AB 1130 for more information about encryption key management and data breaches.

Cloud Considerations

It is very common to deploy SQL Server Standard Edition in a virtual machine on a cloud platform. You can easily do this on Microsoft Azure and Amazon Web Services (AWS). When you deploy SQL Server Standard Edition 2019 in the cloud you have full access to the encryption key management using the EKM Provider interface. Be aware that many cloud service provider database services (AWS RDS, Azure SQL, etc.) do not support the EKM Provider interface and limit your ability to deploy key management. If you are concerned about cloud independence be sure to avoid these types of Database-as-a-Service offerings. 

You can run Alliance Key Manager as a dedicated key management server for your SQL Server Standard Edition database applications in Azure and AWS. You will find Alliance Key Manager in the Azure and AWS Marketplaces. You can even run Alliance Key Manager in your own data center and protect SQL Server in the cloud. You are never locked into a cloud platform.

ISV Solutions with SQL Server Standard Edition

Many software solutions are built on SQL Server Standard Edition. SQL Server is an affordable relational database and you will find it in both cloud-based SaaS solutions as well as on-premise solutions for the Enterprise. For our ISV partners we make it easy to embed our Alliance Key Manager solution into your software offering to achieve better security and compliance. If you are an end customer running an ISV application and you need encryption, talk to us about an introduction to your vendor. We will make it easy for your software vendor to upgrade and support encryption.

Alliance Key Manager for SQL Server

For more than a decade we have been helping Microsoft SQL Server customers achieve the best security for their database and applications. We now fully embrace encryption and key management for SQL Server Standard Edition. As an end user or an ISV partner, there is an affordable and easy-to-use solution waiting for you. You can learn more here.

SQL Server Standard Edition & TDE

Topics: SQL Server, Transparent Data Encryption (TDE), SQL Server encryption

Do You Have Encryption Key Management Server (KMS) Sticker Shock?

Posted by Patrick Townsend on Mar 10, 2020 9:11:45 AM

In any industry you will probably find a number of really responsible vendors, and of course, you will find the outliers and the outlaws. It is true in the security vendor community, too. There are a core group of responsible vendors, there are those that exaggerate the capabilities of their products, and there are those who just charge as much as they can get away with. I guess that is just human nature.

Download Alliance Key ManagerWhen I set out 15 years ago to bring encryption and key management solutions to market, I knew that the existing Key Management Server (KMS) products were highly priced and out of reach for most companies and organizations. A KMS vendor once told me that they did not want to work with any customer who did not want to spend at least $10 Million or more on their solution! I wanted to create a KMS solution that would be in reach for the average business, non-profit, and local government agency. Everyone deserves to deploy a really good security solution to protect their employees and their customers. We’ve now passed the 10-year anniversary of the first release of our Alliance Key Manager solution, and I am proud of the price disruption we created in every part of the KMS market – on-premise HSMs, VMware software appliances, and in the cloud (AWS, Azure).

I had a real shock this last week. Maybe things have not changed as much as I thought.

A prospective customer sent me a price quote from one of the mainstream KMS vendors. Their company wanted to purchase two key manager HSMs to protect 12 SQL Server databases. Look at how this was priced (numbers rounded):

Two key management HSMs:                                 $ 90,000

Annual software support for the HSMs:                  $ 16,000

 

12 Endpoint licenses for SQL Server                       $ 73,000

Annual software support for the endpoints:           $ 15,000

                                                                                 ========

Total:                                                                       $ 194,000

Unbelievable !!!

This company was going to pay $106,000 for two key managers, and THEN pay for each database that had to be encrypted. There is no reason on Planet Earth why this customer should have to pay so much to protect a small number of databases. I feel sorry for them if they have other databases they need to protect as they will have to pay for each of those, too. It is not hard to see how this cost would rapidly escalate as the company worked to protect more data - and it is clear that the average small business or organization could never afford this solution.

Let me show you how we would price our solution for the same requirement:

Two key management HSMs:                                 $ 30,000

Annual software support and maintenance:         $ 6,000

 

12 Endpoint licenses for SQL Server                     $ 0

Annual software support and maintenance:         $ 0

                                                                                 ========

Total:                                                                        $ 36,000

That’s right. For the same solution we would save this customer $158,000 out of the starting gate. Further, we would save them even more as they deployed encryption over additional databases - and the software maintenance costs would escalate, too.  How can we save you this much? Easy, we ask a fair price for our key management solution, and we don’t charge you at all for each database or application. If you purchase a key manager, we want you to use it for every security project you have. You don’t need to keep dredging up money each time you want to use the key management solution. With our pricing policy, it would be easy to envision saving this customer several MILLION dollars in KMS costs over a period of a few years!!!

Can you think of something you could spend that money on? Raises, new hires, new technology, business investment, and so much more. I am sure you can think of something useful to do with those funds. This kind of cost can drag a company down and reduce its competitiveness. This is outrageous.

You are not trapped and you have choices. Just talk to us.

In addition to being affordable, we make it easy to evaluate our Alliance Key Manager solution. You can now download it from our website, get access to documentation and quick start guides, and get access to full technical support.

You have options, just talk to us.

Patrick

Download Alliance Key Manager

Topics: Alliance Key Manager, Encryption Key Management

Microsoft SQL Server with Security Enclaves and Always Encrypted

Posted by Patrick Townsend on Mar 4, 2020 7:27:19 AM

Microsoft introduced Always Encrypted in SQL Server 2016 as a way to protect data in SQL Server databases. Always Encrypted runs on a client side system and encrypts data before it is stored in the SQL Server database. This provided some new protection for sensitive data stored in SQL Server - at least the server administrator and the DBA would not have access to the sensitive data. Or, that was the idea.

Encryption & Key Management for SQL Server - Definitive GuideAlways Encrypted suffered from severe limitations and did not achieve wide acceptance and deployment. The types of SQL queries and operations you could perform were minimal. You could not do basic SQL query operations that most businesses rely on. So Always Encrypted has not been deployed much.

Microsoft is attempting to address these limitations in a facility called Secure Enclaves. Secure Enclaves is a special operating environment that runs on SQL Server itself. You can think of it as a special virtual environment that can’t be accessed by a server administrator or DBA, but which can decrypt sensitive data from the database and perform those more complex SQL operations. SQL Server runs in one environment, and Secure Enclaves is a separate, more secure environment on the same server that runs those SQL requests against decrypted data. 

Processing data in a Secure Enclave means that the encrypted data has to be decrypted. How does that happen if the encryption key is on the client-side system and not on the SQL Server system? There are now special drivers on the client-side system that will send the encryption key to the Secure Enclave when needed. 

So, is this more secure? That is a hard question to answer. Here are some things to think about:

  • Protected execution environments, like Secure Enclaves, have their own security concerns. The operating system hypervisors that manage these secure environments bring their own attack surface. Adding new attack surfaces brings more risk.
  • The client-side implementation of Always Encrypted also adds an attack surface. Again, the more places that are potentially open to an attacker the more risk you bear.
  • In many cases, client-side systems are not as well protected as core SQL Server systems. Think of a user PC in your organization, or think of a remote office server. User and remote systems are notoriously hard to protect well. 
  • Encryption key management is the linchpin of your encryption strategy. Unfortunately, Always Encrypted has limited options for deploying industry standard key management. Always Encrypted supports storing encryption keys in the Windows Certificate Store and in Azure Key Vault. It does not support the industry standard Key Management Interoperability Protocol (KMIP). This means you are very limited in terms of your key management options. 
  • Using the Windows Certificate Store to protect your Always Encrypted encryption keys may not be compatible with the California Consumer Privacy Act (CCPA) -and using Azure Key Vault may violate PCI Data Security Standards (PCI DSS) cloud guidance. 
  • A core aspect of your encryption key management strategy is monitoring who has access to encryption key credentials, and reporting on access failures. When the encryption is performed on the client system by Always Encrypted, you may have limited ability to monitor activity and detect unauthorized access attempts. That further complicates your security posture.

My thoughts:

One of the primary goals of Always Encrypted and Secure Enclaves is to protect sensitive data by implementing Separation of Duties. That is, ensuring that system administrators and DBAs do not have access to both protected data and the encryption keys. This is a core security principle when protecting data-at-rest. 

You can achieve Separation of Duties by using a proper key management solution like our Alliance Key Manager. By assigning key management duties to a security professional, and isolating key management responsibilities from DBAs, you achieve the heart of the Separation of Duties goal. I believe that when properly implemented, a SQL Server Transparent Data Encryption (TDE) implementation with good key management gives you a very strong security posture without the risks involved with Always Secure and Secure Enclaves. Of course, you have to do a lot of other things to secure your Windows server and SQL Server. Proper encryption and key management is only one part of your overall security strategy.

Microsoft is doing a lot of things right in the area of data protection. The recent implementation of encryption for SQL Server Standard Edition 2019 is exactly the right thing to do. It puts encryption and key management in the hands of a lot of SQL Server users who have not had access to this technology. I hope that Microsoft will eventually embrace open standards for encryption key management in Azure and in other Microsoft products. This will be a great step forward for Microsoft customers.

Patrick

Encryption

Topics: SQL Server, Security Enclaves

Microsoft SQL Server Encryption in AWS - Without Cloud Lock-In

Posted by Patrick Townsend on Feb 28, 2020 10:00:14 AM

Interest in Microsoft SQL Server database encryption is booming! What is driving the sudden rush to encrypt sensitive data? Certainly the new California Consumer Privacy Act (CCPA) is a part of this. Just a few days after the CCPA became law the first class action lawsuit was filed. No business wants to deal with a class action lawsuit, and encryption is the only safe harbor from class action lawsuits.

Encryption & Key Management for SQL Server - Definitive GuideWe have to give some credit to Microsoft, too. In the past, database encryption was only available in the Enterprise editions of SQL Server. Upgrading from SQL Server Standard, Express and Web editions was an expensive proposition. Then (... SURPRISE! ...) in November 2019 Microsoft announced that SQL Server Standard Edition 2019 would also support encryption in the same way that the Enterprise edition does. It was a great Holiday gift to the many thousands of SQL Server users and ISVs who need to meet compliance regulations.

And the continued publicity about data breaches, ransomware, state actors, and new zero-day exploits continued to elevate everyone’s awareness of the threats to their sensitive data. So encryption is suddenly hot.

Let’s take a look at using SQL Server encryption in Amazon Web Services (AWS). 

Encryption Key Management

If you’ve been following this blog series you know how important key management is to an encryption strategy. That is even more true in the AWS environment. While Amazon makes available a proprietary key service, it can’t be used with databases like SQL Server that implement vendor or open standards. And AWS KMS is a shared encryption key service - both you and Amazon have access to your keys. So, before you start your SQL Server encryption project, be sure to get your key management strategy right.

Local Master Key Storage

When you implement encryption with SQL Server you have a choice about where you store the master keys. You can store them next to the SQL Server database (bad), or you can store the keys in an external key management system using the SQL Server Extensible Key Management (EKM) interface (better). Using an external key management system through the EKM interface is the only way to protect your data under CCPA, and it’s a best security practice. That is what we will focus on for the rest of this blog. 

SQL Server and Extensible Key Management (EKM) Provider

Starting in SQL Server 2008 Enterprise, Microsoft implemented database encryption and added the EKM Provider interface for encryption key management. This interface pre-dated the modern KMIP interface, but provides a similar architecture for integrating encryption key management for SQL Server. The EKM Provider architecture has been a part of SQL Server Enterprise since that release more than a decade ago. Our customers have performed many upgrades to SQL Server and the EKM interface has been stable and reliable. 

The EKM Provider architecture is essentially a set of rules for implementing a plug-in module for SQL Server to integrate with a key manager such as our Alliance Key Manager for SQL Server. You code a Windows DLL to the specification, register it to SQL Server, run an activation command in the SQL Server console, and you have encrypted your SQL Server database! It is fast, easy and straightforward.

Key Management in the Cloud

Now you need a key manager that implements the EKM Provider interface, and you need a place to deploy that key manager. Our customers usually deploy Alliance Key Manager directly from the EC2 console and the AWS Marketplace when they want a dedicated key manager that runs within AWS. Alliance Key Manager runs in an EC2 instance, is dedicated to you (not shared with Amazon or us), and provides the EKM Provider software at no additional charge. You just: 

  • Launch Alliance Key Manager
  • Answer a few configuration questions
  • Download the certificates that SQL Server needs
  • Configure the EKM Provider
  • And activate it

In a short period of time you can fully protect SQL Server with strong encryption and proper key management.

Key Management Outside of the Cloud

Some Microsoft SQL Server users want full control of their encryption keys outside of the AWS cloud. This is incredibly easy! You can deploy Alliance Key Manager as a VMware instance in your on-premise data center, then configure the SQL Server EKM Provider to connect to the on-premise key server. The EKM Provider interface is exactly the same in all Alliance Key Manager platforms. You will need to set network permissions in AWS, and allow a connection to the on-premise key server, but that’s it. You can get key management outside the AWS cloud very easily. Additionally, if you initially deploy in the cloud and want to migrate to your own data center, that is also fast and easy.

Key Management Across AWS Regions

Many AWS customers deploy their applications in different AWS regions in order to achieve a higher level of resilience and reliability for failover. Alliance Key Manager can fully support this approach. You can deploy the production key manager in the same region as your AWS application, and deploy the failover key manager in the remote AWS region where your failover runs. Once configured, they will automatically synchronize the keys and access policy, and will give you an optimal, real time failover across the AWS region boundary. 

Business Continuity and High Availability

The key manager you deploy with SQL Server has to match the high availability strategy you use with SQL Server and your applications. This means the key manager has to fail over in real time. Alliance Key Manager mirrors keys in real time in an active-active configuration. If your database and applications are designed for continuous operation, Alliance Key Manager will give you the immediate failover support you need - and that can be cross-region, outside the cloud, and even across cloud service providers.

Unlimited Databases

Most of our Microsoft SQL Server customers run multiple applications and databases. Alliance Key Manager does not restrict the number of SQL Server databases that you connect to it, and there are no client-side licenses per database. You can encrypt your first database with Alliance Key Manager, and then add any number of additional databases at no charge. Alliance Key Manager does not count or limit the number of databases you protect. You can even protect other databases like MongoDB and MySQL using the same key manager. This is the way enterprise key management should work!

Cloud Independence - It’s real

Amazon Web Services provides a great number of cloud services for applications and storage. Unfortunately, most of the AWS services implement a proprietary interface. The result is cloud lock-in restricting your ability to easily move to other cloud platforms. A business opportunity, merger, acquisition and other events can be painful when you have cloud lock-in. Alliance Key Manager runs in a number of cloud and virtualized environments and will help you avoid cloud lock-in. Cloud independence is real.

Evaluations and Proof-of-Concept

At Townsend Security we know that key management is a part of your critical infrastructure. We make evaluations and Proof-of-Concept projects extremely easy. You can launch Alliance Key Manager for AWS directly from the AWS Marketplace, get access to Quick Start guides for SQL Server, and be up and running quickly. Alliance Key Manager will automatically license for a free 30-day evaluation period, and you will have access to our technical support group for assistance.

HINT: When you launch Alliance Key Manager from the AWS Marketplace, be sure to register with us. Amazon does not share your company information with us, so we won’t be able to help unless you register. Here is the link to register.

True Enterprise Key Management for SQL Server, dedicated to you, is a couple of clicks away right from the AWS Marketplace

Patrick

Encryption Key Management for AWS

Topics: Amazon Web Services (AWS), SQL Server

How MySQL Enterprise Transparent Data Encryption Works

Posted by Ken Mafli on Feb 25, 2020 12:11:46 PM

What is MySQL Encryption for Data-at-Rest?

MySQL Enterprise encryption for data-at-rest enables the encryption of tablespaces with transparent data encryption (TDE). It is relatively easy to set up and with the use of a compliant key management server (KMS)—secure.

MySQL Enterprise Transparent Data Encryption (TDE)

InnoDB, MySQL’s storage engine, offers transparent data encryption (TDE) for your sensitive data-at-rest. It secures the tablespaces via a “two tier encryption key architecture” that consists of:

  • Tablespace encryption keys that encrypt the tablespaces.
  • A master encryption key that encrypts the tablespace keys.

Encrypting Everything in MySQL EnterpriseThe only thing that you must add is a trusted, third-party encryption key manager. But more on that later.

With these items in hand, the system works like this:

  • A tablespace is encrypted, generating a tablespace encryption key.
  • The tablespace key is encrypted via the master key.
  • The encrypted tablespace key is stored locally in the tablespace header.
  • The master key is stored in a trusted, third-party encryption key manager.
  • The master key’s full lifecycle is managed via the encryption key manager.

In this way, when a user or application needs to access the encrypted data, they just need to authenticate that they are authorized to access the data. From there, InnoDB uses the master key to decrypt the tablespace key and tablespace key is used to decrypt the data. The end user never sees this process, it is transparent to them.

Advantages of Using MySQL Encryption

Advantages of MySQL Enterprise Encryption

Meets Compliance Regulations

Organizations are under increasing pressure to comply with a patchwork of compliance regulations. The good news, MySQL Enterprise edition uses standards based AES encryption for data-at-rest and is also KMIP compatible, so centralized key managers can plug-in to properly manage the master keys. Here are a few compliance regulations that MySQL Enterprise encryption helps you comply with:

Payment Card Industry Data Security Standard (PCI DSS)

Nick Trenc, IT Security Architect at Coalfire Labs, had this to say about encryption and PCI DSS compliance:

One of the key components to the protection of cardholder data at any merchant location is the use of strong cryptography along with just-as-strong cryptographic key management procedures. PCI DSS Requirement 3 outlines what the PCI council believes to be the baseline for strong cryptographic key management procedures and is a key element of any PCI DSS audit.

General Data Protection Regulation (GDPR)

According to GDPR, your security controls must be adequate to account for the risk of accidental, unlawful, or unauthorized disclosure or loss of personal data. If you are not adequately prepared to fend off attacks from hackers or unscrupulous employees and prevent a data breach, you could face stiff fines and lawsuits. Only proper encryption and centralized key management will ensure that should an attack occur, the data will be useless to the attacker.

California Consumer Privacy Act (CCPA)

Here is what Patrick Townsend said about encryption and CCPA:

If you want to avoid the risk of direct or class action litigation related to data loss you should encrypt the sensitive data. Individual and class action litigation only applies to unencrypted sensitive data that is disclosed or lost, for whatever reason. The CCPA is clear on the need for encryption. If you lose unencrypted sensitive data this is direct evidence that you violated your duty to provide reasonable security procedures and practices to protect the sensitive information.

The good news: enabling MySQL Enterprise encryption, coupled with encryption key management, will help keep you in compliance with these regulations. If you are protecting cardholder data, consumer data, or just internal HR records, encrypting that data with MySQL’s TDE will help you meet compliance and keep that sensitive data safe.

Easy to Deploy

MySQL encryption is easy to configure. Entire databases can be encrypted with just a few command line edits. Here are some selected examples from MySQL’s Reference Manual:

  • To enable encryption for a new file-per-table tablespace:
    • mysql> CREATE TABLE t1 (c1 INT) ENCRYPTION='Y';
  • To enable encryption for an existing file-per-table tablespace:
    • mysql> ALTER TABLE t1 ENCRYPTION='Y';
  • To disable encryption for file-per-table tablespace:
    • mysql> ALTER TABLE t1 ENCRYPTION='N';

Alliance Key Manager also makes this process easy. Since we are fully integrated with MySQL Enterprise, the configuration process is pretty straight forward. Many times, you can be up and running in a matter of minutes.

KMIP Compatible

As MySQL Enterprise encryption is KMIP 1.1 compatible, you can easily deploy your prefered key manager to manage your encryption keys. This means you are able to use a FIPS 140-2 compliant encryption key manager, like our Alliance Key Manager.

How It Works

 

MySQL Enterprise has made protecting your sensitive data easy. What’s more, setting up Alliance Key Manager for MySQL is easy as well. Here’s how it works:

  • First, install and set up the primary and failover Alliance Key Manager servers.
  • Download the admin authentication certificates from the Alliance Key Manager server to create a secure TLS connection and perform authentication.
  • Then, create a directory to store your KMIP config file and store certificates needed for the Alliance Key Manager admin / client connection.
  • Next, you will need to specify your primary key server and high availability failover key server.
  • Finally, create a master key in Alliance Key Manager and use that to encrypt your tablespace keys in MySQL.

That's it, you have successfully encrypted your MySQL Enterprise database and properly managed the keys! To learn how Alliance Key Manager can help you easily protect your sensitive data in MySQL.

Final Thoughts

Encrypting your sensitive data in with MySQL’s Enterprise encryption has these advantages:

  • It’s standards based AES-256 encryption. This means that your data is secured with the encryption algorithm that NIST recommends.
  • It’s KMIP compliant. Your encryption is only strong if your keys are secure. With a trusted third-party key manager protecting your master keys, your encryption will remain strong.
  • The encryption is transparent to users and applications. No manual processes are needed to access the databases. The data is there, on demand, for all authorized users and applications.

If you haven’t taken advantage of MySQL encryption, now is the time. MySQL encryption makes it simple. Alliance Key Manager makes it secure. Talk to us today.

 

What Data Needs To Be Encrypted in MySQL?

 

 

Topics: MySQL, Alliance Key Manager for MySQL

California Consumer Privacy Act (CCPA) and Lawsuits

Posted by Patrick Townsend on Feb 10, 2020 10:39:44 AM

Well, that did not take long.

34 days after the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, a lawsuit was filed against retailer Hanna Andersson and cloud service provider Salesforce for a data breach where sensitive information was not properly protected. Information about approximately 10,000 California customers were exposed on the dark web. The information apparently included customer names, addresses, credit card numbers, CVV codes, and card expiration dates. Everything a cybercriminal needs to execute financial fraud. What a haul!

Encryption and Key Management for VMware - Definitive GuideThe fine under the CCPA can be up to $750 per record, making the liability cost in this case about $7.5 million - and that is only a part of the picture. Litigation costs will be large and there may be fines from the California Department of Justice and from other governmental entities. Hanna Andersson is a relatively small retailer with approximately 60 stores, 400 employees and annual revenue around $140M. Losses of this size are painful.

Here is a good article about the data breach, and it has a link to the actual lawsuit:

CCPA Cited in Hanna Andersson/Salesforce Breach Lawsuit 

Let me share a few thoughts with you.

First, let’s not forget that the villains in this case are the cybercriminals who perpetrated this crime against Hanna Andersson and Salesforce, and ultimately against the individuals who will experience identity theft and financial fraud. Could Hanna Andersson and Salesforce have done more to prevent this data breach? Certainly yes. But in the early years of my IT career I worked for companies like Hanna Andersson. I worked with wonderful, amazing, dedicated IT professionals and my sympathies are with them, too. Salesforce has been a moral leader in an industry that has seemed at times to lack a moral compass and I admire the values that Marc Benioff and his company have promoted over these last few years.

But this lawsuit is a harbinger of things to come. Ignoring the new landscape of regulatory compliance is dangerous.

Here are some takeaways that I hope will be helpful:

  • We are all moving our IT infrastructure to the cloud. The financial and operational benefits are overwhelming and this migration to the cloud will not change. However, we have not properly accepted responsibility for the security of our applications and data in the cloud. Our cloud service provider, whomever it is, will not protect us. Own and embrace your security posture now, no one else will do it for you.
  • The California Consumer Privacy Act puts the onus on businesses to protect consumer sensitive data. This may not be fair, but it is now a fact of life and other states will certainly follow California’s lead. The CCPA mandates that businesses protect consumer information with encryption if they want to avoid these types of lawsuits. That’s where we are, and that is what you need to do.
  • We have fully arrived in the land of Zero Trust. All of your systems in the cloud and on-premise are at risk. If you haven’t done an inventory of your systems with sensitive data, this is the first thing to do. Knowing where sensitive data resides provides you with a map to address adding the protections that are needed.
  • Prioritize the systems based on risk. Which systems have the most sensitive data? Which are more exposed to a data breach? Which databases will be the easiest to mitigate? The prioritized list does not have to be perfect, but you need one as soon as possible.
  • Get started with your encryption projects. Some databases make this easy to do. If you have Microsoft SQL Server, MongoDB, or MySQL, you have a clear and fast path to add encryption through native database support. If you have databases or storage that do not support native encryption, consider migrating them to VMware vSAN encrypted storage for these applications. 
  • On your way to encrypting your sensitive data, don’t forget about encryption key management. One of the changes that came with CCPA is the requirement to store encryption keys away from the sensitive data. Most databases give you the option of storing the encryption key on the same server as the data. Don’t do this, you will lose all of the protections you need under CCPA.

Here at Townsend Security we help organizations large and small achieve the highest level of data protection. It won’t cost you an arm and a leg, either. The days of overpriced encryption and key management solutions are over. Talk to us about our Alliance Key Manager solution for protecting your data.

Patrick

New call-to-action

Topics: CCPA

The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all