+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

IRI FieldShield Supports Townsend Security’s Alliance Key Manager

Posted by Luke Probasco on Dec 12, 2019 12:00:00 AM

Multi-Source Data Masking Software Now Encrypts and Decrypts with Keys in Cloud, VMware, or HSM Platforms

FieldShield AKM SchematicInnovative Routines International (IRI), Inc., a leading provider of data masking software, and Townsend Security, a leading authority in data privacy solutions, have enabled IRI FieldShield to use encryption keys stored and managed in Townsend Security’s Alliance Key Manager servers. The integration gives DBAs and “data security governance” professional a robust, compliant way to encrypt or decrypt data at rest in many sources.

A multi-year rise of hacking incidents and privacy law violations has driven demand for data-centric security. “Masking data in FieldShield using AES encryption, and protecting those encryption keys with Alliance Key Manager can help mitigate the risk of data breaches, and protect an organization’s brand and reputation,” observed Patrick Townsend, Founder & CEO of Townsend Security. “This is especially relevant given laws like the California Consumer Privacy Act (CCPA), which contemplates encryption of sensitive data in order to avoid class action lawsuits,” he added.

FieldShield classifies, discovers, and masks personally identifiable information (PII) in relational and NoSQL databases, and a wide range of structured file formats on-premise or in the cloud. Multiple encryption functions -- including format-preserving encryption -- are among its 15 masking categories. FieldShield users can assign a unique passphrase to serve as an encryption key for one or more data classes (columns or fields). The keys allow the restoration of original values from ciphertext when used with the corresponding decryption function.

Alliance Key Manager provides the security of TLS-authenticated access to FieldShield passphrases stored in VMware, Microsoft Azure, Amazon Web Services, or a private or dedicated Hardware Security Module (HSM). This assures that only authorized users can access the key server and obtain the keys to decrypt.

FieldShield users can generate the keys using either the native command line or web interface to Alliance Key Manager. “Centralizing storage of FieldShield passphrases through Alliance Key Manager not only gives our users FIPS 140-2 compliant key security, but also a more convenient way to manage their encryption keys,” according to IRI developer Devon Kozenieski.

About IRI
Founded in 1978, IRI develops fast data management and data-centric security software through 40 cities worldwide. IRI’s proven data manipulation engine -- and its free Eclipse job design environment -- provide uniquely price-performant and versatile data lifecycle solution software for big data and BI/DW architects, data security and compliance teams, DBAs, and developers. Gartner recognizes IRI FieldShield, CellShield, DarkShield as static and dynamic masking solutions for structured, semi-structured, and unstructured data sources.

Topics: Alliance Key Manager, Press Release, IRI FieldShield

Seamless Encryption Key Management for Microsoft SQL Server 2019 Standard

Posted by Luke Probasco on Dec 11, 2019 12:00:00 AM

Alliance Key Manager supports Transparent Data Encryption (TDE) in Microsoft SQL Server 2019 Standard Edition. 

Encryption & Key Management for SQL Server - Definitive GuideTownsend Security today announced Alliance Key Manager, its affordable FIPS 140-2 compliant encryption key manager, supports Microsoft SQL Server 2019 Standard Edition.  Users of Microsoft SQL Server Standard Edition can now easily meet compliance (PCI DSS, GDPR, CCPA, etc.) and protect private data like customer PII and intellectual property without modifying existing applications or the database.  By using the database’s Transparent Data Encryption (TDE), coupled with Townsend Security’s Alliance Key Manager for SQL Server, organizations can protect their private data at a lower cost.

Alliance Key Manager, a FIPS 140-2 compliant encryption key management solution, allows enterprises to effectively encrypt data and meet security requirements in less time with a flexible, centralized offering. The solution provides full life-cycle management of encryption keys for a wide variety of applications, including Microsoft SQL Server Enterprise and Standard editions.

“We were pleased to see Microsoft announced that SQL Server 2019 Standard Edition would support TDE and EKM, bringing encryption and proper key management without application changes to their popular Standard Edition. By lowering the technical and financial bar to protecting private data, companies of all sizes can easily protect private information,” said Patrick Townsend, Founder and CEO of Townsend Security.  “Since the initial release of TDE and EKM in Microsoft SQL Server Enterprise ten years ago, we have been proud to offer an affordable, industry leading solution - and now extend that to SQL Server Standard users.”

Microsoft SQL Server users can deploy Alliance Key Manager as a hardware security module (HSM), VMware virtual machine, or in the cloud as a native AWS EC2 instance or Microsoft Azure virtual machine. Alliance Key Manager supports seamless migration and hybrid implementations, providing Enterprise’s with options for their high availability strategy. 

“By providing both on-premise and cloud solutions, Enterprise's can easily rely on a centralized key manager to protect their data regardless of where it resides or will in the future. Further, while key management solutions offered by CSPs provide convenience, they leave an organization’s encryption keys accessible to third-party administrators - increasing the risk to their security posture,” continued Townsend. “Our simplified licensing model that avoids charging by the number of endpoint databases and number of keys, makes the upgrade to SQL Server 2019 Standard Edition a no-brainer for many Microsoft users. Microsoft has really done well by its customers.”

Alliance Key Manager for SQL Server is available for a free 30-day evaluation.

Encryption

Topics: SQL Server, Press Release

Living on the Edge

Posted by Luke Probasco on Dec 9, 2019 8:02:59 AM

As the world of edge computing becomes more distributed, billions of connected devices live on the edge, which need to be secured, managed and automated. For many businesses, this means deploying a VMware and cloud infrastructure and using VMware vSphere, for example, to encrypt private information.  While it is easy enough to encrypt data on the edge, key management has proven to be a challenge.

Podcast: Living on the EdgeI recently sat down with Patrick Townsend, Founder and CEO of Townsend Security to talk about deployments on the edge, achieving a strong security posture with key management, and other ways that businesses can better secure their private data. 

Patrick, Townsend Security has had key management solutions for VMware for a number of years. What is special about Edge computing?

Well, Edge computing is fascinating.  It isn’t really that different from how we currently think about computing and data security in the cloud or on-premise. By moving applications closer to the end user, Edge computing brings a better, faster user experience to the end user.  So, if you are running an application in the cloud, perhaps in a retail or healthcare environment, the delay over the network can degrade the experience or inhibit the ability to collect a lot of data, for example, from IoT devices. Edge computing is a natural evolution of making things more efficient with a better user experience.  However, Edge computing also brings new security challenges too. If we are collecting data that is sensitive in nature, it is just as sensitive out on the Edge as it is in our data center.

So what is special or different about Edge computing from a security point of view?

There are a number of challenges.  How do we deploy applications in a secure way?  How do we do application patching? One of the most important security efforts that we make is to keep everything patched and up to date.  When you have Edge computing, there are a lot more environments in distant locations. The security process really becomes more complex when we move to Edge computing.  Those challenges can be solved, but they represent things that we really need to pay attention to.

At the same time, as we are pushing applications out to the Edge, compliance regulations are getting more stringent.  Just look at the California Consumer Privacy Act (CCPA) and GDPR before it. Both of those are making the protection of sensitive data much more important.  The risks of data loss to an organization are escalating, and at the same time, we are pushing data to more and more places - so we have a big security challenge that we need to step up to.

Protecting data data in a centralized IT data center is a challenge, but one that we are used to.  Edge computing brings unique problems with it. For example, let’s say you pushed some data out to a dozen Edge computing environments.  You’ll need to encrypt that data to meet compliance, but where is the key manager? Is it back at your central on-site data center? If so, you may have just lost the advantage of pushing everything to the Edge.  Encryption and key management also need to be pushed out to the Edge in order to meet security best practices, just as you would in on-premise environments.

In terms of the cloud, can you give some examples of Edge environments?

Sure.  In the Cloud, we try to deploy applications close to the end-customer which gives us better response times and a better customer experience.  So, in AWS or Azure, we can move applications closer to where the end-customer lives. CSPs are making this easier by automating some of the deployment tasks.  By pushing applications to the Edge, you get really close to the physical location of the customer. For example, if you live in Sweden, you don’t need to connect to a key manager that is sitting back in Silicon Valley.  You should connect to a key manager that is near you. When moving to the Edge, encryption and key management need to move with you.  

By the way, you may have noticed that VMware has been working much more closely with Cloud Service Providers to provide true VMware infrastructure on cloud platforms.  For example, on Azure, you can deploy a full bare metal stack - VMware in the cloud and managed the way you want. But again, when you push those VMware environments to the Edge, what about the encryption key management?  The good news is, that with our new Alliance Key Manager for Edge Computing, we can make that easy and affordable to accomplish.

How about some examples of non-Cloud Edge environments?

Almost all of us use VMware on premise, and it isn’t really all that different to what we are currently doing.  Think of a medium or large retail organization with hundreds or thousands of storefronts. When you walk into the store, there is a very good chance that there is a local VMware node out there that is running many applications.  Think about a large box store with retail, pharmacy, and automobile services. The VMware environment in a single store might support dozens or hundreds of specialized applications. How do you protect data in that environment? Sometimes when we think of Edge computing we think of “just” the cloud, but this isn’t the case.  Again, just like with the Cloud, it doesn’t need to be difficult to push encryption and key management to the Edge, it just needs to get done.

How do compliance requirements impact Edge computing?

Well, compliance requirements, which are getting stronger as we speak, make the challenge of Edge computing even more important to address.  If you think about it, when we have centralized IT processing, we have one environment to protect. It may be a very data rich environment with sensitive data that cybercriminals may want to steal - but it something that isn’t that difficult to protect.  What if we have 500 of those environments out there across on-prem and cloud locations? The attack surface has been dramatically increased. The data is still important and still a target, but now we have a lot more to deal with. I think people are waking up to the security challenge and need to focus just as much effort on securing data at the Edge as we do at the centralized, on-premise data center.  We have to deploy all of our security defenses at the Edge in the same way that we do with core IT systems. The data is the same.

How is Townsend Security trying to help resolve this challenge.

The barriers to getting Edge data protection right are only party technical.  Key management vendors have not adapted to the new reality of the Edge. The huge expense of traditional KMS solutions is the primary barrier to protecting data at the Edge.  For small businesses, they can even be completely priced out of the market around doing encryption and key management right. Large organizations have been priced out as well.  When there are hundreds or thousands of endpoints that need protected, vendors need to step up to help these businesses secure their data.  

At Townsend Security, we have two distinct advantages.  First, our Alliance Key Manager for Edge Computing solution is virtualized, automated, and VMware Ready.  For example, our key management solution has been certified by VMware for vSphere key management - to protect VMs and vSAN storage.  We are seeing many organizations deploy VMware at the Edge. Second, we have the ability to flexibly license and price our solutions for the Edge.  Enterprises can now deploy full VMware VM encryption and key management at Edge with an affordable solution.

To hear this conversation in its entirety, download our podcast Living on the Edge and hear Patrick Townsend further discuss deployments on the edge, achieving a strong security posture with key management, and other ways that businesses can secure their private data.

Podcast: Living on the Edge

Topics: Encryption Key Management, Alliance Key Manager for Edge Computing

Press Release: Alliance Key Manager for Edge Computing

Posted by Luke Probasco on Dec 4, 2019 12:00:00 AM

New, scalable pricing for Alliance Key Manager customers running in edge computing environments.

Townsend Security is extending support of its cloud, container, and VMware Ready key management solution, Alliance Key Manager, to customers running applications and databases in edge computing environments. This new offering provides scalable pricing for customers running a large number of edge computing environments in remote cloud or on-premise deployments. The new offering is called Alliance Key Manager for Edge Computing and will make it easy and affordable for customers to take encryption and proper key management everywhere it needs to go.

Podcast: Living on the Edge“Edge computing requires that applications and infrastructure move closer to end users to achieve performance and availability goals. For edge computing customers, this often means that application deployments move to cloud or remote on-premise facilities. Think of a retail box store that may have hundreds of applications in every store. Or, think of an HMO with multiple hospitals, clinics, and remote providers. There is often a pain point around encrypting that information and deploying encryption key management at the edge to protect sensitive data,” said Patrick Townsend, CEO of Townsend Security. “Encryption key management solutions are too expensive and too difficult to manage in these highly distributed edge computing environments. Those are the problems that we are helping to solve with our new offering.”

Encryption and key management have become a critical aspect of security and compliance management. Edge computing deployments can involve VMware clusters, Cloud web services, Big Data IoT collection, and many other architectures. Protecting encryption keys mitigates the risk of data breaches and cyber-attacks, as well as protects an organization’s brand, reputation and credibility. Alliance Key Manager for Edge Computing addresses these needs by helping enterprises reduce risk, support business continuity, and demonstrate compliance with regulations like PCI DSS, HIPAA, GDPR, etc.

“With the California Consumer Privacy Act (CCPA) due to go into effect on January 1, 2020, it becomes more important than ever to protect sensitive consumer and household data with strong encryption. Strong encryption with proper encryption key management is the only protection from class action lawsuits under the CCPA. Wherever your data goes it is subject to a data breach. With edge computing, the data is in more places and is more exposed to loss,” continued Townsend. “Townsend Security’s new Alliance Key Manager for Edge Computing provides the technical support and affordability that businesses need to protect sensitive data at the edge for CCPA.”

Alliance Key Manager for Edge Computing is available for a free 30-day evaluation.

Podcast: Living on the Edge

Topics: Press Release, Alliance Key Manager for Edge Computing

Press Release: Alliance Key Manager Now Supports Encryption Key Management for MySQL Enterprise Edition Database

Posted by Luke Probasco on Nov 19, 2019 12:00:00 AM

Townsend Security’s Alliance Key Manager for MySQL offers unparalleled security, flexibility and affordability for all users of MySQL Enterprise Edition and MySQL Cluster CGE. 

What Data Needs Encryption In MySQL?Townsend Security today announced Alliance Key Manager for MySQL, an affordable FIPS 140-2 compliant encryption key manager to help users of the MySQL Enterprise Edition database meet compliance requirements (PCI DSS, GDPR, CCPA, HIPAA, etc.) and security best practices. Users of the MySQL database can now easily protect private data like customer PII and intellectual property without modifying existing applications or the database by using the database’s Transparent Data Encryption (TDE) coupled with Townsend Security’s Alliance Key Manager for MySQL.  

While MySQL offers industry standard 256-bit AES encryption, it is recommended to use an external encryption key management solution like Alliance Key Manager for MySQL to manage the encryption keys. Alliance Key Manager uses the industry standard Key Management Interoperability Protocol (KMIP) to access encryption keys and MySQL users can deploy the solution and install the PKI certificates on the database server to easily begin protecting encryption keys.

"MySQL is the world’s most popular open-source database, and consequently, stores enormous amounts of sensitive data," said Patrick Townsend, CEO of Townsend Security. "MySQL Enterprise Edition includes standards based encryption, along with KMIP support for key management, and MySQL users can be confident that they are protecting their private data against a breach and meeting compliance requirements.” 

MySQL encrypts data at rest in real-time using industry standard AES algorithms prior to writing to storage and decrypted when read from storage. As a result, hackers and malicious users are unable to read sensitive data from tablespace files, database backups or disks. By using native MySQL command line operations, encryption is easy to deploy and keys can automatically be protected by Townsend Security’s Alliance Key Manager. MySQL users can deploy the key management solution as a hardware security module (HSM), VMware virtual machine, or in the cloud as a native AWS EC2 instance or Microsoft Azure virtual machine. Alliance Key Manager supports seamless migration and hybrid implementations. 

“Encryption and key management is easier than ever and I think that MySQL Enterprise Edition users will be delighted to find how easy and affordable it is to deploy an enterprise-class centralized encryption key management solution,” continued Townsend. “Protecting PII, enterprise IP, and meeting compliance regulations are all things that enterprise’s are concerned with on a daily basis. MySQL databases are used in mission-critical applications by large and small organizations, so the real-time high availability failover capability of Alliance Key Manager will make IT administrators very happy. By pairing MySQL and Alliance Key Manager, security teams can rest a little bit easier.”

Alliance Key Manager for MySQL is available for a free 30-day evaluation.

What Data Needs To Be Encrypted in MySQL?

Topics: Press Release, Alliance Key Manager for MySQL

vSphere Encryption—Creating a Unified Encryption Strategy (Part 1)

Posted by Ken Mafli on Oct 22, 2019 6:00:00 AM

What is VMware’s vSphere Encryption?

VMware’s vSphere encryption, first introduced in vSphere 6.5, enables the encryption of virtual machines (VMs) and vSAN. vSphere’s encryption protects your existing VMs, new VMs, vSAN clusters, as well as associated files. It is relatively easy to set up and with the use of a compliant key management server—secure.

 

(Part one of this series deals with VM encryption. Part two will cover vSAN encryption)

A Unified Way to Encrypt VMs

VMware’s vSphere encryption

 

“Dance like nobody’s watching. Encrypt like everyone is.”
~Werner Vogels, CTO at Amazon.com

Data is a bedrock asset for today’s enterprise business. Its value is too great to ignore. Data security, then, is mission critical for those looking to maintain brand integrity, intellectual property confidentiality, and customer trust.

VMware vSphere 6.5 gave its users powerful data security tools; among them AES-NI encryption. The reason this is great news: instead of an ad-hoc approach to encrypting sensitive data where individual sources of encryption are found for each type of database or application, you can now encrypt directly in VMware’s hypervisor creating a unified source for encrypting and managing that encryption. And through their KMIP interface, managing your encryption keys is pretty painless. But more on that later.

vSphere encryption, then, allows the enterprise business to uniformly manage their encryption for both VMs and vSAN and ensure that all sensitive data within VMware is secured. This enables companies to create an encryption strategy for their sensitive data. Let’s look at some of the main advantages, specifically VM encryption, that vSphere encryption provides.

 

Expert Weigh-in:
The huge benefit of vSphere Encryption is the fact that data is encrypted when it leaves its source. This results in data traveling encrypted to its destination, allowing for the highest level of security, all while maintaining simplicity in terms of management and configuration.
~Duncan Epping, Chief Technologist HCI, VMware

 

Expert Weigh-in:
A major advantage of VM Encryption is that it is Guest OS agnostic. Whether the virtual machine is Windows, Linux or any of the other operating systems supported in vSphere, the encryption is the same. There’s no change to the guest OS and no “in guest” monitoring or configuration. Additionally, reporting on which virtual machines are encrypted or not is just one line of PowerCLI!
~Mike Foley, Staff Technical Marketing Architect - vSphere Security

 

The Advantages of Using VM Encryption

Advantages of VMware’s vSphere encryption

 

With VMware vSphere 6.5 and up, you are able to encrypt individual VMs. The main difference between VMware encryption and other encryption methods is ease

vSphere Encryption Key Management Webinarof management. As VMware puts it, because “VMs are treated as objects that can have a policy applied to them, there is no need to manage them individually.”

Here are some of the advantages that this brings:

  • Encryption is configured and managed at the hypervisor level, not within an individual VM.
    • vSphere encryption is agnostic in regards to what is stored within the VM.
    • There are not multiple encryption products for each guest OS, database, or application.
  • Encryption is policy based. Applying it, then, can be done to as many or few VMs that you want.
  • You can bring your prefered key manager to manage your encryption keys. Since vSphere encryption is KMIP 1.1 compatible, you are free to use a FIPS 140-2 compliant encryption key manager, like Alliance Key Manager.

Expert Weigh-in:
One thing few people think about with encryption is disaster recovery. Because of the reliance on an external KMS, you can place replicating Key Managers in various locations. vCenter will see them as a “KMS Cluster”. Should your primary site go down and you need to recover encrypted VM’s it’s as simple as connecting a new vCenter to the KMS cluster and adding the VMs to the inventory. The impact of IT operations is minimal. 
~Mike Foley, Staff Technical Marketing Architect - vSphere Security

 

Expert Weigh-in:
Policy Based encryption and Managed Encryption keys means the difference between an organization protecting their information and exposing their information. Removing the chance of end-users to not-encrypt information means the Business can have assurances they can take to the bank, which is essential in a world of compliance, GDPR, and not to mention security risks or exposure.
~Christopher Kusek, vExpert and Tech Evangelist

 

Now that we know some of the advantages of using VM encryption, let’s looks what is (and is not) encrypted. Why? VMware did a great job making sure all sensitive information can be secured. The list below will go to illustrate that.

 

What Is/Is Not Encrypted

What can be encrypted in vSphere

 

According to VMware, here are the items that can be encrypted (and those that can’t) with vSphere’s VM encryption:

What can be encrypted:

  • VM files
    • Note: Most VM files can be encrypted. This set of files can include the NVRAM, VSWP, and VMSN files. If you use the vSphere Web Client to create an encrypted VM, all virtual disks will be encrypted as well.
  • Virtual disk files
    • Note: Data in an encrypted VMDK file is never written in plaintext to storage or a physical disk, and is never transmitted in plaintext. The VMDK descriptor file, however, is not encrypted and contains a key ID for the key encryption key (KEK) as well as the encrypted data encryption keys (DEKs).
  • Host core dump files
    • Note: When you enable encryption mode on an ESXi host the core dump is always encrypted.

What is not encrypted (and why):

  • Log files
    • Why: these are not encrypted because they contain no sensitive data.
  • VM configuration files
    • Why: the VM configuration information, stored in the VMX and VMSD files, contains no sensitive data.
  • Virtual disk descriptor files
    • Why: the descriptor file is omitted from encryption/decryption functions to support disk management without a need for an encryption key.

 

Expert Weigh-in:
I like vSphere encryption because there’s nothing in the guest OS or at the user-level that might go wrong. vSphere encryption encrypts what needs to be encrypted - your company’s data - that’s stored inside the VM disk.
~David Davis, vExpert and vSphere video training author at Pluralsight.com

 

How it Works

Now that we know some of the advantages of VM encryption and what can and cannot be encrypted; here is the last reason to use vSphere to create a unified encryption strategy—it is easy to set up. Here is a quick video showing how easy it is.

 

Here are those steps for those that would like to just read it:

  • First, install and configure your KMIP compliant key management server, such as our Alliance Key Manager, and register it to the vSphere KMS Cluster.
  • Next, you must set up the key management server (KMS) cluster.
    • When you add a KMS cluster, vCenter will prompt you to make it the default. vCenter will provision the encryption keys from the cluster you designate as the default.
  • Then, when encrypting, the ESXi host generates internal 256-bit (XTS-AES-256) DEKs to encrypt the VMs, files, and disks.
  • The vCenter Server then requests a key from Alliance Key Manager. This key is used as the KEK.
  • ESXi then uses the KEK to encrypt the DEK and only the encrypted DEK is stored locally on the disk along with the KEK ID.
  • The KEK is safely stored in Alliance Key Manager. ESXi never stores the KEK on disk. Instead, vCenter Server stores the KEK ID for future reference. This way, your encrypted data stays safe even if you lose a backup or a hacker accesses your VMware environment.

 

Expert Weigh-in:
vSphere encryption makes securing your data easier than I think most of us thought possible. With vSphere encryption all you do is right-click on a VM and apply the encryption storage policy. Boom! Encryption is done!
~David Davis, vExpert and vSphere video training author at Pluralsight.com

 

It really is that easy. Not only can govern your encryption at the hypervisor layer, deploy standards based AES encryption on a per VM basis (allowing you to secure only those workloads that require it), but you can do so quickly. It is a great encryption option for any business.

Final Thoughts

VMware vSphere VM encryption creates a unified strategy for protecting your sensitive data within vSphere by using the hypervisor to perform the encryption. This means that you do not need to first consider what is in the VM (guest OS, specific databases, etc.) in order to encrypt it. According to VMware, this yields the following benefits:

  • No modification to OSs within VMs
  • No changes needed to existing applications
  • No specialized hardware or infrastructure required
  • Policy-based enforcement that is supported by vSphere

All this and more means that it is easier than ever to secure your company’s sensitive data. Once you have configured your vSphere vCenter Server to enable encryption, simply choose which VMs you want to encrypt and your data is secured. It’s that easy.

According to RiskBased Security, for the first half of 2019, over 3,800 breaches were reported, breaching over 4.1 billion records. When you compare that to the first half of 2018, “the number of reported breaches was up 54% and the number of exposed records was up 52%.” With the pace of breaches only accelerating, the time to create a unified encryption strategy for your sensitive data is now.

 

New call-to-action

Topics: VMware, vSphere, vSphere Encryption

California Consumer Privacy Act (CCPA) - Things You Need to Know

Posted by Patrick Townsend on Oct 17, 2019 4:00:44 PM

California Consumer Privacy ActThe new California Consumer Privacy Act (CCPA) is a really big deal. Almost no one is ready for it, so you are not alone if you are just getting familiar with the CCPA requirements. Let’s dig into it and try to translate the law (California AB 375 and related statutes) into understandable language. I will also make some recommendations on things you can do right now to get started.

Some history might help

The law itself (AB 375) passed in June of 2018 is a pretty easy read. Interestingly, it directly points to the social and political factors that lead to the creation of the law. The increasing number of data breaches and the Cambridge Analytica scandal are specifically mentioned in the law - but if the law seems a bit rushed and incomplete, that’s because it is!

California is one of those states that make it relatively easy for citizens to gather signatures and put initiatives directly to the people. In early 2018 that is exactly what happened. An initiative related to consumer privacy gathered enough signatures to make it on the California ballot and this proposed new law frightened the technology companies located both in California and outside of the state.

In response to the initiative, the California legislators struck a deal with the initiative proponents. If the legislature could pass a strict new consumer privacy law in short order, the initiative proponents agreed not to put the initiative on the ballot - and that is what happened. Probably breaking speed records for such legislation, the California legislature created the new law in just a few days, and the governor signed it. The initiative was not placed on the ballot.

The speed of the passage of the law had one unfortunate side-effect: There is a lot of ambiguity in the law. You are going to be scratching your head about some of the requirements and definitions in the law. What is missing or undefined is almost as significant as what is in the law. The law goes into effect on January 1, 2020 but the legislature has promised to provide additional guidance in the Fall of 2019, and new clarifying law by June of 2020. More on this below.

The CCPA law, where to find it.

Podcast: CCPA - What You Need to KnowReading regulations will usually make your eyes roll back in your head. In this case the California law is a pretty easy read. I highly recommend that you do this. I read several summaries of the law in business and technology journals, but learned some important facts when I subsequently read the law directly. Here is the link (there is a PDF version available for download).

Just remember my previous comment about future clarifications of the law. There will be changes and I will try to keep you up to date. You should also check the CCPA website for updates.

Is my Organization required to meet the law? 

If you collect data on people who are in California, and meet the minimum criteria (see below), and are not explicitly excluded, you must meet the requirements of the new law. Notice that I did not say “California citizen”, but people who are in the state at the time of data collection. You are not exempt if your organization resides outside of California. If you collect data on people in California, assume you are covered by the law.

If you meet any of these criteria, you are required to meet the new CCPA law:

  • You have $25 Million or more in annual revenue
  • You collect information on 50,000 or more people
  • You derive 50 percent or more of your revenue selling personal information to third parties 

The law applies to both public and private organizations. I often hear people tell me that they are not covered by regulations because their company is “private.” Don’t make this mistake. Being a private organization does not exempt you from the new California law.

There are some exclusions in the law: If your organization is already covered by equivalent privacy regulations such as HIPAA, GLBA, and others, you may be exempt. Don’t be fooled into a sense of complacency about this. The CCPA has privacy regulations that are not covered under those laws. If you think you are exempt, I would highly recommend that you get legal advice on this point.

When does it take effect?

The law takes effect on January 1, 2020. Here are some important points to consider:

  • The law covers data collected for the previous 12 months (from January 1, 2019).
  • There will be clarifying guidance in the Fall of 2019.
  • The law is likely to be amended for clarification by June of 2020, but it is not likely to be less restrictive.
  • The law covers a much broader set of information than any other regulations, including GDPR.

I’ve heard people say that they are not worried because they meet GDPR requirements. That is a big mistake. There is certainly some overlap with GDPR, but some of the CCPA requirements are different and much broader. For example, what is considered “personal information” includes more and different information than GDPR.

What rights are granted to consumers?

Here is a short list of the rights granted to consumers under the new law (please read the law directly):

  • The right to opt-in to data sharing BEFORE you collect and share the information, and the right to opt-out of data sharing at any time. The option to opt-out of data sharing must be respected for 12 months, and subsequently there must be an explicit opt-in process before sharing.
  • The right to opt-out of data sharing using a web page or phone number (other methods may be added to these).
  • The right to a clear privacy statement on your website that specifically addresses the CCPA.
  • The right to know the intended uses of the information that is collected.
  • The right to know the categories of information you collect.
  • The right to know the specific information you collect.
  • The right to know the sources of the information that you collect (websites, third parties, etc.).
  • The right to know to whom you sell or share information.
  • The right to receive a copy of the information you collect in a user friendly format.
  • The right to have you delete their information.
  • The right to deletion of their information from any third party service providers with whom you shared the data.
  • The right to non-discrimination in terms of your services if they opt-out.
  • The individual and class action right to sue if sensitive data is lost and is not encrypted, and for other reasons (please read about encryption below).

You have 45 days to respond to a consumer’s request. With proper notice this can be extended another 45 days (90 days in total).

Try to make a sincere effort to understand the nature and intent of these requirements. The law is written to address those who try to be “cute” about meeting the requirements, and the penalties go way up for intentional avoidance of the requirements.

Note that you have the obligation to verify the identity of the consumer who is exercising these rights. Unfortunately, there is not enough guidance on the proper ways to do this. Be aware, however, that you cannot use any information provided by the consumer that is a part of the privacy request for any other purposes! 

What information does it cover?

The personal information covered by the CCPA is quite broad and extends into areas not covered under GDPR and other regulations. The current definition of sensitive consumer data includes:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
  • Personal and commercial behaviors, and inferences from them.
  • Characteristics of protected classifications under California or federal law
  • Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
  • Biometric information
  • Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory or similar information
  • Professional or employment-related information
  • Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

 This is an amazing list of data items that goes far beyond what we see in other regulations. Many companies have done a lot of work using Artificial Intelligence and Machine Learning to make inferences about consumer behavior. I hope you are not missing the fact that this type of inferential and derived data is covered under the CCPA!

What are the penalties?

The potential penalties fall into two categories: Those imposed by the California Attorney General, and those imposed by newly enabled consumer litigation.

First, let’s look at the penalties that can be assessed by the AG. The penalty range starts at $2,500 per violation. Many people think this amount is for each record that is lost or in non-compliance. It is easy to see that this could expensive very quickly. However, if the AG finds that you are “intentionally” in violation of the CCPA the penalty increases to $7,500 per record. One way to trigger this level of penalty is to ignore a formal notice by the AG that you are in violation of the CCPA. Never ignore this type of notification! The higher level of penalty can trigger an existential crisis for many companies.

The second area of penalty relates to newly enabled litigation by individuals. Under the CCPA individuals have a right to bring direct legal action against an organization. This includes the ability to bring a class action against a company. Other than fully meeting the privacy requirements of the CCPA there is no way to limit your exposure to this type of litigation. The CCPA explicitly prohibits the use of arbitration clauses and other means of contractually reducing your exposure. You have to be notified about an impending action, and you have 30 days to correct the action and respond.

These two areas of exposure should motivate you to get a plan in place to fully meet the CCPA privacy requirements, and start executing on the plan. Time is short. 

Am I required to encrypt sensitive data? 

If you want to avoid the risk of direct or class action litigation related to data loss you should encrypt the sensitive data. Individual and class action litigation only applies to unencrypted sensitive data that is disclosed or lost, for whatever reason. The CCPA is clear on the need for encryption. If you lose unencrypted sensitive data this is direct evidence that you violated your duty to provide reasonable security procedures and practices to protect the sensitive information. See section 1798.150(a)(1). 

Most modern relational and Big Data databases provide an easy path to encryption. Find where your sensitive data is stored, prioritize an encryption strategy, and move it forward. This effort may require an upgrade to your database systems to a version that supports encryption. Understand the budget requirements and add the costs for encryption key management.

What should I do now? 

Although there will be additional guidance in late 2019, and there will likely be clarifying legislation in early 2020, you should not wait to get started. There are a lot of things you will need to do to meet the CCPA privacy regulations. Here is a short list that should help you get started. There is more to do, but these will be critical steps:

  • Identify and document all of the sensitive information that you collect or derive from interpretations of the data. Document the sources of this data, how you collect it, the individual items, and then classify the data.  Pay special attention to the categories of data outlined above. In addition to your internal IT systems be sure to include your hosted and cloud applications, and your web-based SaaS systems.
  • Identify all of the third parties with whom you share information. Be sure to document exactly what information is shared.
  • Review your website to ensure you meet the explicit requirements of the CCPA. You will need to update your privacy statement per the CCPA requirements. 
  • Institute processes for handling consumer privacy requests. This will probably require new IT reporting applications as well as human processes for responding to requests. Be sure to keep an audit log of all requests from consumers, and your response.
  • For all service providers who receive information that you share, review your service agreements. Revise those agreements to bind the service provider to the new CCPA regulations. If service providers resist new contract terms, or are non-responsive, have a plan to replace those service providers. Since many service contracts renew on an annual basis, start this process now.
  • Encrypt the data and use good encryption key management. Your only safe-harbor from litigation in the event of a data loss is encryption. The time to get started is right now.

 Disclaimer

 Nothing in this article constitutes legal advice in any way. Consult with a qualified attorney for any legal questions or advice. The new California Consumer Privacy Act will have new guidance before the activation date of January 1, 2020 and is likely to be modified by additional legislation. Please refer to the official California state website for more information. 

Podcast: CCPA - What You Need to Know

Topics: Compliance, CCPA

Saving Money with VMware vSAN Encryption

Posted by Patrick Townsend on Oct 16, 2019 7:30:02 AM

You may be using VMware’s vSAN technology and not even know it. vSAN is the core technology in most of the Hyper-Converged Infrastructure (HCI) solutions on the market today. If you are running VMware for your on-premise or cloud infrastructure, you have vSAN at your fingertips. So, how can you leverage vSAN to meet compliance regulations and save money? Let’s take a deeper dive.

First, why is it important to encrypt our data?

Encryption and Key Management for VMware - Definitive GuideAlmost all compliance regulations require that you protect the sensitive information of your customers, employees, and service providers. This includes the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), the EU General Data Protection Regulation (GDPR), the New York Department of Financial Services act (23 NYCRR 500), the Gramm Leach Bliley Act (GLBA), and many, many others. As we now know a major data breach that loses unprotected sensitive data will have severe impacts on any organization whether public or private. Encryption is now a core requirement of any security strategy, so how do we get there?

Can’t I use the native encryption facility in my database?

Almost all commercial and open source databases provide a path to using encryption that is built right into the database. Unfortunately, getting access to the encryption feature usually means upgrading to the Enterprise version of the database—and this can be an expensive proposition. This is true of Microsoft SQL Server, Oracle Database, MySQL, and many others. Of course, an upgrade to the Enterprise version usually gets you a lot more capability than encryption. An upgrade brings a lot of additional value, but the reality is that a database upgrade is beyond the budget of many small to midsize companies. So what can you do?

How can vSAN encryption help?

Beginning with version 6.6, VMware vSAN provides for built-in encryption support and a link to vSphere for proper encryption key management. By default, vSAN virtual disks are not encrypted. However, it is really easy to configure a vSphere KMS Cluster, deploy a key management server (KMS), and turn on vSAN encryption. You don’t need to reload your vSAN virtual disks and it is fast to deploy. With very little time and effort you can achieve encryption at rest for your database and other files.

To enable vSAN encryption you only need a key management system that supports the OASIS standard Key Management Interoperability Protocol (KMIP). Our Alliance Key Manager fits the bill perfectly, and there are other solutions. You just deploy the key manager, grab the key manager certificate and private key, install them on your vCenter cluster, configure a KMS Cluster in vSphere, and enable encryption. Voila, you are done in a short period of time.

Do you know what else is cool? You can use the same KMS Cluster configuration to encrypt your VMs and to enable VMware vTPM in your virtual machines. That’s a lot of capability with very little time, effort and expense.

Is it risky to run my database in a vSAN volume?

The VMware vSAN facility is mature and now trusted by large and small Enterprises. As mentioned above, vSAN is a core component of almost all of the major Hyper-Converged Infrastructure (HCI) solutions. You may be using vSAN and not even be aware of it. There is also some good news—VMware has published a number of solution briefs and architecture guides to help you deploy Oracle Database, Microsoft SQL Server, and other databases directly on vSAN. Of course, you need to be aware of high availability requirements for both vSAN and for your KMS, but the existing vSAN documentation is quite good on this front. And deploying a high availability instance of our Alliance Key Manager solution is easy, too. More information here.

Today, you can confidently deploy your relational and NoSQL databases onto encrypted vSAN virtual disks safely and easily.

Saving money with vSAN encryption

We all live with constraints on our IT budget and our management team wants to see a good return on our IT investments. If you find that you don’t have the budget needed to upgrade your database for native encryption, deploying vSAN encryption is a great alternative. vSAN is a VMware facility that you already have and adding a key management solution is now very affordable. You can deploy our affordable Alliance Key Manager solution and avoid future upgrade and build-out costs. vSAN encryption and good key management is within the reach of every IT budget.

Ouch, I have vSAN but I don’t have a place to run a KMS

VMware vSAN is popular in many cloud and edge computing environments, but you might not be deploying VMs in that environment. Our key manager runs as a VMware virtual machine, so this can be a bit problematic in these environments. But there is an elegant solution to this—run the key manager in the cloud. For example, you can launch our Alliance Key Manager as an EC2 instance in AWS, or as a virtual machine in Azure, and use it to protect your vSAN volumes in edge environments. Alliance Key Manager works the same way in the cloud as it does as a VMware VM. And you can use one key management instance to serve multiple vSAN edge deployments. Problem solved!

Some precautions

There are some common sense precautions related to vSAN encryption. One is to be sure that you don’t deploy your KMS virtual machine onto a vSAN volume that it is protecting. If you have issues with the vSAN volume you don’t want it to impact the KMS, and vice versa. Also, as in all production environments where you deploy encryption and key management, be sure to deploy a failover key management server. It is easy to do with Alliance Key Manager and it will help you recover quickly and easily.

Alliance Key Manager for vSAN

Alliance Key Manager is certified by VMware for use with vSAN and vSphere encryption. All versions of vSAN and vSphere that support encryption are certified. In addition to VMware certification, Alliance Key Manager is validated to meet the PCI Data Security Standard (PCI-DSS), is KMIP compliant, and is FIPS 140-2 compliant. You can run Alliance Key Manager as a VMware virtual machine, as a cloud instance (Azure and AWS), in a Docker container, or as a hardware security module (HSM). No charge evaluations are available directly from the Townsend Security website, and we welcome partner inquiries. More information here.

New call-to-action

Topics: Encryption, VMware, vSAN

Don’t Let Your Application or Database Limit Your Encryption Strategy

Posted by Luke Probasco on Sep 23, 2019 8:37:27 AM

Historically, encryption and key management have been deployed at the application or database level. There are even several databases who’s “Enterprise” edition (like Microsoft SQL Server or MongoDB, for example) include options for encryption and external key management built right in the database. Unfortunately, these types of databases are the exception, rather than the rule. If you were to examine an organization's IT infrastructure, you are more likely to find a wide variety of databases and applications, some natively supporting encryption, some not, and many containing unprotected private information or personally identifiable information (PII). Simply put, their encryption strategy has been limited due to cost and resources required to properly protect private information. 

Podcast: Don't Let Your Application or Database Limit Your Encryption StrategyFortunately, these same enterprises have deployed VMware infrastructure, and starting with vSphere 6.5 and vSAN 6.6, are able to encrypt sensitive workloads in VMware using the advanced cryptographic features in vCenter. To put it a little more simply, businesses can protect their sensitive information in their internal applications and databases that don’t natively support transparent encryption with tools offered by VMware.

I recently sat down with security expert and CEO, Patrick Townsend, to talk about how enterprises can leverage VMware’s vSphere and vSAN to encrypt private data - regardless of whether their applications or databases support encryption. 

Hi Patrick. Let’s jump right in. With the introduction of vSphere encryption in 6.5 and vSAN 6.6, it has become much easier for businesses to encrypt private data. In the past they have relied on encryption at the application level or used the encryption that comes with their database. With so many enterprises deploying VMware, they no longer need to let their application or database limit their encryption strategy.

That’s absolutely correct. There are databases like Microsoft SQL Server and MongoDB EA, for example, that have encryption built right in - which makes it easy. But there are other times when encryption can be much more difficult. SQL Server Standard edition and the Community edition of MySQL, for example, do NOT support encryption. So, you have these widely used databases, with lots of unprotected data because that can be a challenge to encrypt. Using vSphere and vSAN encryption is a great way to address these gaps in an organization's encryption strategy with industry standards-based encryption. 

Sometimes the barrier to encryption is the cost of upgrading databases to “Enterprise” editions. Almost all of us are running VMware in our infrastructure anyway, so in many cases we already have the tools we need - the encryption support is there, we just need to use it. VMware even provides excellent guidance for encrypting databases, like Oracle and SQL Server, for example.

So, one of the most obvious questions. How is performance?

This is always a concern that people bring up. I can say that VMware has done a great job with performance in both encrypted VMs and vSAN - and performance continues to improve. These days, you can even deploy a large database on vSAN. This is a technology that has matured and gained the trust of customers, and they are adopting it at a rapid rate. There is also some really good material from VMware about performance expectations - white papers, solutions briefs, etc. Furthermore, both vSphere and vSAN take advantage of the Intel AES-NI on-chip accelerator for encryption, which provides a great performance boost.

Of course the key manager is the critical component that ensures the encrypted data stays encrypted. Without proper key management, it is like leaving the keys to your house under the welcome mat. What should our readers be looking for in a key manager?

Here is something that I think VMware did right. You must use a key manager in order to activate vSphere encryption of VMs or vSAN encryption. Within vSphere you are able to create a KMS cluster, define failover key managers, multiple KMS clusters, etc. They did a great job. Furthermore, VMware based their interface on the Key Management Interoperability Protocol (KMIP) industry standard. Other databases vendors, for example, allow local storage of encryption keys. That is really such a BAD security practice, so I am glad that VMware saw implications of that. If you are going to use VMware encryption, you are going to use proper encryption key management and that will be much better from a security perspective. I also think that this reflects on VMware as a company and their concern for their enterprise customers.

What to look for in a key manager? All enterprise level key managers are validated to FIPS 140-2 by the National Institute of Standards and Technology (NIST). Be absolutely sure you key management vendor has completed this validation. Secondly, your key manager should support the KMIP protocol. Finally, if you are taking credit cards for payments, look for a PCI validation. We validated our Alliance Key Manager with both Coalfire and VMware, as a joint project. This helps our customers easily get through an audit, which can be quite difficult.

While I have you, I was hoping you could also offer some clarification on the term KMS. For example, VMware defines KMS as a Key Management Server. Amazon defines their KMS as a “Key Management Service.” How should our readers be thinking about a KMS in regards to VMware encryption?

Ah, the chaos of three letter acronyms. KMS, in general terms, means Key Management Server. It is a broad term covering key management devices that manage the entire lifecycle of a key - from creation to destruction. You are right, Amazon does call their key management service KMS, which can lead to some confusion. This service is NOT to be confused with a key management server - and does not give you full control over the entire key lifecycle. It is a shared administrative environment where you share access to the keys with Amazon.

You need to approach cloud service provider (CSP) implementations of key management services with trepidation. It is important for YOU to hold exclusive access to your keys and that only you have the only administrative control. Cloud lockin can be another concern as well.

To hear this conversation in its entirety, download our podcast Don’t Let Your Application or Database Limit Your Encryption Strategy and hear Patrick Townsend further discuss Encrypting applications and databases that don't natively support encryption, encryption performance, and other fundamental features of an enterprise grade key manager.

[Podcast] Don't Let Your Application or Database Limit Your Encryption Strategy

Topics: Encryption Key Management, VMware, vSphere, vSAN

Are Encryption and Key Management Critical to Blockchain and DLT?

Posted by Patrick Townsend on Sep 16, 2019 6:51:24 AM

As blockchain technologies make their way towards general acceptance in private and public sector IT systems, the critical issues of governance, risk management and compliance come into play - and blockchain teams are maturing to address these areas. One important gap to fill involves the proper protection of sensitive data in a blockchain deployment. It seems odd to discuss data protection in the context of blockchain. Isn’t blockchain based on cryptography? Yes, it is, but there remains a gap in the area of data protection. Let’s delve into this in more detail.

What Data Needs to be Encrypted in the Blockchain Ledger?Blockchain’s innovative way of linking transactions and guaranteeing their immutability in a distributed ledger is based on well known and respected cryptographic algorithms and processes. The ability to extend this level of assurance across a large number of widely distributed nodes is clearly an amazing extension of modern computing. While there have been security lapses in public blockchain implementations, these have generally been related to improperly securing credentials and mistakes in implementing chaincode. Blockchain methodologies are standing up well to external attacks.

One important aspect of blockchain is its transparency. That is, everyone has perfect visibility into the transactions on a ledger and their current validity. This transparency is a core feature of blockchain - and that leads to a problem:

Some data that we want to put on the blockchain is sensitive, and we may not want to expose it to others.

There are lots of reasons why we might not want some information on the blockchain ledger to be transparent:

  • An organization’s reputation suffers when they lose or expose sensitive information. This is true for both public and private organizations and a significant loss of reputation is difficult to mitigate.
  • Even little bits of data in blockchain transactions needs to be protected. When sensitive data in a blockchain ledger are aggregated, it can indicate the direction of a business’s activity and leak important information about strategic developments to it competitors.
  • Compliance regulations prevent storing sensitive personal information in the clear. The PCI Data Security Standard mandates that credit card (Primary Account Numbers) be encrypted. The New York Department of Financial Services (23 NYCRR 500) requires the encryption of certain sensitive information. The EU General Data Protection Regulation (GDPR) mandates the protection of sensitive information of “Data Subjects”. here are other regulations that require or recommend protection of sensitive data.
  • Digital assets that represent intellectual property need to be protected from cybercriminals and state actors. The loss of key intellectual property can be devastating to a startup or mature enterprise.

Therefore, it is critical for organizations to design proper data privacy into blockchain projects from the very beginning. It is painful and potentially impossible to fix data privacy gaffs after the fact.

Blockchain SecuritySome blockchain advocates suggest that the solution to this conundrum is to not place sensitive information on the blockchain at all. But this is an impossible goal. Data on a blockchain may not specifically identify an individual, but may contain enough information that it can be combined with previously leaked information to form a full picture of an individual. Remember that hackers are really good at data aggregation. Losing a little sensitive information can lead to an embarrassing loss of a lot of information.

Other blockchain advocates suggest that the answer to this problem is to store sensitive data off of the blockchain altogether. But does this really solve any problem? This approach loses the many advantages of blockchain technology, and doesn’t do anything to solve the data protection puzzle. “Out of sight, out of mind” is not a solution to any problem.

Some blockchain implementations attempt to achieve privacy through “add on” features. Hyperledger channels and collections are two examples of this. These facilities use access controls to attempt to achieve this. As good as these facilities are, access controls will not address the data protection requirements of compliance regulations, nor provide other protections that encryption provides.

For all of the reasons we encrypt sensitive data in traditional databases, we need to encrypt sensitive data on a blockchain. This doesn’t mean that we have to encrypt everything that we put on the blockchain ledger, but it means we have to have the same intelligence in regard to sensitive data on blockchains that we have in the most secure systems today.

Fortunately, we can accomplish data protection on blockchains and maintain their usefulness. In fact, not only CAN we accomplish this, we MUST accomplish this in order to preserve the usefulness of blockchain technology.

If we are going to encrypt data that we put on a blockchain, we have to address a few requirements that are specific to blockchains:

  • We have to use industry standard encryption algorithms, such as AES, to meet compliance regulations.
  • We have to manage encryption keys using industry standards and best practices. This means storing encryption keys away from the blockchain ledger and doing so in a provably standard and secure way.
  • We have to make encryption keys available to the users and smart contracts that need them. This is a challenge in a distributed blockchain environment.
  • We must authenticate user’s authority to use encryption keys.
  • We must have a mechanism for restricting access to encryption keys, and for granting and revoking access to those keys.
  • We know how to accomplish these tasks in a traditional, centralized IT system. Years of work have produced standardized approaches to encryption. But blockchain presents real challenges to meeting these challenges.

Fortunately, innovation in the area of protecting data on a blockchain ledger is advancing.

At BlockNKey we built a key orchestration system architected from the ground up for distributed ledger technology. NIST compliant encryption and key management, a key vault, and key access control are built into each registered blockchain node. Cryptographic keys grant permission to whomever is permitted access to the data, how it’s accessed and when it’s accessible. This enables multi-party access to the appropriate data in real time through verified and validated access points. BlockNKey is compatible with public and private blockchains while enabling proper data security with easy to use REST APIs. It will even help you if you are storing sensitive data “off chain”.

Townsend Security has partnered with BlockNKey to bring an encryption and key management solution to blockchain users. More information here.

What Data Needs to be Encrypted in the Blockchain Ledger?

Topics: Blockchain

The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all