At Townsend, we have a lot of conversations with customers and prospects about data privacy, compliance requirements and best practices for IT security in general.  We have written numerous articles on these topics and posted them on our blog.  As the end of 2011 quickly approaches, we thought it would be worthwhile to list out our most read articles of the year.

Listed below are the top five read articles from the past year:

• AES Encryption Flaw - Calm Down
  
• PCI DSS 2.0 and Encryption Key Management
  
• Encryption and Key Management in a .NET World
  
• IBM i FIELDPROC Surprises
  
• RSA Encryption Key Size Requirements Change in 2011

We aren’t surprised that the articles on these topics; encryption, key management and PCI compliance are some of the most read on the blog.  We spend the majority of our days talking to people about these topics and helping them solve challenges around data privacy and compliance.  In fact, many of the conversations we have lead to new products and product enhancements.    

In 2012, we encourage you to talk to us about what you need and what you are doing at your company to protect sensitive data.  Subscribe to our blog, like us on Facebook, follow us on Twitter or join us on LinkedIn.

We hope you find the articles listed useful and that it inspires you to think of topics you would like us to write on for 2012. Thank you for your readership in 2011!

We are already preparing and looking forward to sharing more about data privacy in 2012.  

Happy Holidays!!

Yesterday, our partner, Symantec, released a survey on enterprise encryption practices.  The study contained both good news and bad shows when it comes to encryption and key management.  

First the good news, in a recent interview with eWeek Tim Matthews, senior director of product marketing at Symantec said, “About 48 percent of the survey participants reported their organization had increased their use of encryption over the past two years, with one third reporting "somewhat to extremely frequent" deployments of "rogue" projects without any centralized management oversight.”

Now the bad news, Tim Matthews goes on to say, “Business groups and employees are often independently encrypting the data without involving the IT department. While the move to encrypt is a good thing, these unauthorized deployments are a challenge for IT because the data is lost and irretrievable if the employee loses the key, forgets the passphrase or leaves the company without passing on custody of the encryption keys. If IT doesn't have the key, it also becomes harder to properly backup the data or to access the information as part of an e-discovery request”

We understand the difficulties in managing encryption keys and have been helping companies for years with this challenge, so when we saw this statistic about poor key management, it did not come as a big surprise to us, because we hear about the challenges first hand.  The study showed:   “About 52 percent of the respondents said they have had serious key management problems, with about a third claiming that keys were lost or misplaced keys and another third citing key failure. A little over a quarter, or 26 percent for the participants, said former employees refused to hand over keys when they left the company.”

We have posted several different checklists for companies to help them in their selection of key management vendor. One of our more popular lists is the 10 questions that you should ask your potential key management vendor. Given the news in the study, we thought it was worth showing this list again:

1. Is your key manager FIPS 140 certified?  What is the certificate number?
2. How would you describe the encryption key payload as retrieved from the key server?  Is it simple or complex?
3. Is there a common key retrieval application interface on all platforms?  What are the differences?
4. What platforms do you support for key retrieval?  (Note any gaps in platform coverage for your company)
5. Do you provide working sample code for the platforms I need? (Windows, Linux, UNIX, IBM i, IBM z)
6. Do you supply binary libraries for all Enterprise servers?
7. Do you have a Java key retrieval class and examples? Is it standard Java or JNI?
8. Do you charge separate license fees for each client operating system?
9. Do you require that we purchase consulting services from you?  Why?
10. I am an independent software vendor (ISV), can you brand the solution and certify the solution for us?

We encourage you to download and read the study from Symantec. We are sure you will find it very informative.  Then once you have read the study and have decided you need to learn more about encryption key management, listen to this informative 15-minute podcast.

In just one more day, we'll experience another first at Townsend Security,  we will be exhibiting for the first time at the PASS Summit.  The Professional Association for SQL Server (PASS) Summit is the largest conference of the year for SQL Server professionals.   Earlier this year we joined the Microsoft Partner Program and earned a competency in Business Intelligence, we visited the Worldwide Partner Conference and just a couple of months ago we launched our new HSM for SQL Server. I guess you could say exhibiting at the PASS Summit is the next logical next step for us.

While at the conference we look forward to getting to know this market personally by meeting several new SQL Server customers and business partners.  Attendees will be among the first to see our newly announced encryption key management hardware security module (HSM), Alliance Key Manager for SQL Server, which simplifies how organizations can meet compliance requirements and removes cost as a barrier for a professional key  encryption key management solution. We will get to discuss some of the key features of the product:

• Seamless integration with SQL Server 2008
• Uses Microsoft’s Extensible Key Management (EKM) interface to support Transparent Data Encryption (TDE) on SQL Server 2008.
• Automation of all key management tasks including rotation, retrieval, and generation in a central location.   
• Priced to meet the budget needs of every enterprise.  An entry level, 2-server bundle (primary and failover) is available for under $12,000 list.

We look forward to meeting SQL Server users, enthusiasts and developers at the PASS Summit -- If you are going to be there, be sure to stop by our booth #335.  It will be great to meet you!

If you aren't able to make it to the conference and would like to learn more about encryption key management on Microsoft SQL Server, view our webinar "Encryption Key Management with Microsoft SQL Server."  We think this webinar is informative and shows just how easy it is to implement encryption key management on your SQL server.

I recently returned from 5th Annual PCI Security Standards Council vendor expo in Scottsdale, AZ.  And rather than returning with a sunburn - after all it was 106 degrees there - I returned with a much better appreciation of what companies are doing to help protect cardholder data.  Every major company that accepts credit cards was at this event.  As a consumer at many of these companies, it made me feel good to know that they take this job seriously and are doing everything they can to keep my information and all of their customers’ information secure.

This was my first time at the event and I enjoyed meeting new people and learned a lot of interesting things. I met with QSA audtiors, customers, potential customers  and vendors.   When asked who Townsend Security was,  I recited my elevator pitch and said “we provide certified encryption and key management solutions to help mid-market customers meet compliance requirements.”  That message was well received, however, as the expo continued, I discovered that people “get” encryption and were more interested in discussing encryption key management.  Many knew key management was something they needed to do and for those that said they were doing something, they wanted to know how they could automate the process.

I spoke with one QSA auditor and asked his opinion on why so many people might be inquiring on this topic and his response, “I have yet to see key management done correctly.” And for companies working on staying compliant,  I think one lady’s response about key management at her organization may sum it up best -- a long pause, accompanied with a rolling of her eyes and a heavy sign saying “it’s not good.”

We know encryption key management isn’t easy, but it is necessary for compliance and to be honest, it is really a best practice for protecting data.  If you are going to go through all the work of encrypting data, then you really should make sure the keys safeguarding the data are also secure.  I talked a lot about our encryption key management solution, Alliance Key Manager (Enterprise and SQL Server editions), at the Expo and thought it would be worth recapping some of the discussion for those who couldn’t be there and are facing encryption key management requirements of PCI DSS.

1) Manage and store encryption keys on a certified appliance.  Our encryption key management solution ensures encryption keys are stored away from the encrypted data, it allows you to satisfy PCI requirements for dual control and separation of duties.  QSA auditors will look to make sure the same person who has access to encrypted data doesn’t have access to encryption keys (dual control).   It is important to restrict access to certain keys by certain users or groups (separation of duties).  You don’t want the same person who has access to encrypted data to have have access to keys that unlock that data.

2) Rotate encryption keys. PCI DSS states that you need to periodically rotate the encryption key. This can be a very time consuming task if done manually and may even be overlooked because it can be a very complex project, depending upon your encryption code. Our encryption key management solution allows you to schedule regular key rotations and enforce your internal security policies while meeting PCI requirements.

3) Log all encryption key activity.  Alliance Key Manager has built in logging, which allows administrators to track all key retrieval, management, and system activity. Reports can be sent automatically to central log management, alerting facilities, or SIEM products for a timely and permanent record of activity.

4) Certification.  Our encryption key management solution is FIPS 140-2 Level 1 certified, ensuring you are effectively managing keys to industry standards.   

5) Don’t let cost be a barrier to meeting compliance requirements. If you have looked at key management solutions, you know they can be costly.  Alliance Key Manager (enterprise and SQL Server editions) are priced with the mid-market customer in mind. I think this was the fact that resonated with people I spoke with the most.  They were happy to hear about a solution that is easy to implement, as well as cost-effective.

We handed out this useful PCI DSS and Key Management matrix at the conference, several people found it useful. Download your copy to learn more about key management requirements. And if your company knows you need an encryption key management solution, give us a call. We are happy to spend a 15-minute technical overview with you and your team to find out how we can help you.

The color silver symbolizes glamor and distinction. This year, the color silver symbolizes accomplishment for those of us at Townsend.  We have recently obtained Silver Business Partner status in Microsoft’s business partner program and the company just celebrated its 25th Silver anniversary.

Earlier this month we announced that we became a silver level business intelligence partner with Microsoft.  This new alliance will help us with the launch of our encryption key management solution for Microsoft SQL Server 2008, later this quarter.   We just returned from Microsoft’s Worldwide Partner Conference where we met with several different partners about this opportunity.   We talked with many companies who had similar interests in compliance and data protection, it was a great introduction into a new community that is very important to us.

July 14, 2011 marked Townsend’s silver anniversary – what a milestone! We owe this accomplishment to our customers, partners and our dedicated team. The company has evolved a lot over the last 25 years; we have undergone a few name changes (Patrick Townsend & Associates, Patrick Townsend Security Solutions and now Townsend Security) and a few different logos.  Our name and our look may have changed over the years, however, our mission and vision have remained the same - Townsend Security creates, sells and supports professional encryption solutions that protect data and simplify compliance.

The solutions we have introduced into the market over the years, AES Encryption, FTP Manager, Key Manager, LogAgent, XML/400 and TokenManager align with our vision. Our commitment to provide world-class support to our hundreds of customers worldwide will always be our number one priority.  And we are proud to say that a few members of the Townsend team have been with the company for over 10 years and several more are quickly approaching their 10 year anniversary, not many companies can say that in today’s economy.  As we pour that glass of bubbly and toast our silver anniversary we will be sure to thank our customers, partners and ourselves for an incredible 25 year run and set our sights on the next 25 years.  I can’t wait to see what it holds!

Be a part of our next 25 years, follow us on Facebook, Twitter, and LinkedIn.

Companies of all sizes feel the increasing pressure to protect sensitive customer information to meet PCI-DSS Standards.  Here are five ways to help ensure your database meets PCI requirements: 

1) Use certified encryption solutions to protect cardholder data

A standards-based encryption solution safeguards information stored on databases. Encryption methods approved by the National Institute of Standards and Technology (NIST) provide assurance that your data is secured to the highest standards.  

2) Encrypt cardholder data that is sent across open, public networks
Transmit sensitive files over the internet using trusted encryption technologies. (AES, SSH, SSL, and PGP).

3) Store encryption keys from your encrypted data on a certified encryption key management appliance
The most important part of a data encryption strategy is the protection of the encryption keys you use. Encryption keys safeguard your encrypted data and represent the keys to the kingdom. If someone has access to your keys, they have access to your encrypted data.

4) Enforce dual controls and separation of duties for encrypted data and encryption keys
Make sure people who have access to your encrypted data are restricted from accessing the encryption keys and vice versa. If someone can access your encrypted data and access the keys, your data is compromised.  You shouldn’t lock your door and leave the key under the mat for easy access to your home, the same precautions should be taken with your sensitive data.

5) Use tokenization to take servers out of the scope of compliance
Tokenization replaces sensitive data with a token. The token maintains the original data characteristics but holds no value, reducing the risk associated sensitive data loss. When you store tokens on a separate token server it eliminates the need to store the original data in an encrypted format, and may take the server out of scope for compliance.

Download the whitepaper Meet the Challenges of PCI Compliance and learn more about protecting sensitive data to meet PCI compliance requirements.

Townsend Security is heading to LA in July to attend Microsoft’s Worldwide Partner Conference (WPC).   Our attendance at the conference will support the release of a new security appliance (coming later this summer) that seamlessly integrates with Microsoft SQL Server 2008 R2 to manage encryption keys.

While at WPC we will meet with Microsoft Business Partners who focus on selling and supporting Microsoft SQL Server to discuss an exciting revenue generating opportunity. We will introduce the companies to our Microsoft Business Partner Program and show how our new security appliance will help boost new sales and upgrades to SQL Server 2008 R2 and enable Microsoft Business Partners to help their customers comply with PCI-DSS, HIPAA/HITECH and other regulations.

Companies of all sizes feel the increasing pressure to comply with data security requirements and protect sensitive customer information.  We have listened to small and mid-size companies and heard from Microsoft that the biggest challenge these companies face is access to a cost-effective comprehensive solution. 

In August, we will release a hardware security module (HSM) that will enable Microsoft Business Partners to provide their mid-market SQL Server 2008 R2 customers with an external key management appliance that is cost-effective and comprehensive.  The HSM easily integrates with SQL Server 2008 R2 and leverages existing data protection functionality, transparent data encryption (TDE) and extensible key management (EKM).

We want to talk to partners who serve the SQL Server mid-market, so let us know if you are attending WPC this year and would like to schedule a meeting to discuss this opportunity.  If you aren’t going to be at the conference and this sounds like a business objective for your organization, let us know and we will arrange a time to discuss the opportunity in more detail.

Click here to learn more and contact us.

Simplify your encryption project.  Encrypting data easily, automatically and securely on the IBM i is possible using the new encryption capabilities with V7R1 and AES/400. I recently sat down with Patrick Townsend, Founder and CEO of Townsend Security to ask, what are the five things customers need to know to help their organization automatically encrypt sensitive data on IBM i V7R1 with AES/400?  For even more information on automatic encryption on the IBM i, view our webcast below!

1.What is FIELDPROC?

In release V7R1 of the IBM i operating system IBM enabled it’s customers to implement automatic encryption using a new column-level API called FIELDPROC. FIELDPOC is an exit point that sits at the column level of the database and enable IBM i users to implement encryption and decryption without making any changes to their application source code.

2. We’re at V7R1, now what?

Upgrading your operating system is a start, however, IBM doesn’t provide the actual exit point software IBM i shops need to automatically encrypt and decrypt data - third party vendors and customers must do this.  Townsend Security’s AES/400 solution enables organizations to implement automatic encryption.

AES/400 and the FIELDPROC exit point in V7R1 give companies to easily encrypt sensistive data.  We call it automatic encryption, because it is the easiest, fastest and most secure way to encrypt data on the IBM i.

3. What types of data can be encrypted?

IBM i database applications use a variety of fields to store sensitive information. Encrypt fields that store data such as credit card numbers, SSN, birth dates, address, account numbers and other PII instantly without impacting applications.

Alliance AES/400 FIELDPROC support will protect any of the above mentioned fields without changing your database or your business applications. There is no need to reformat your database, or expand field sizes.

While most IBM i customers will use FIELDPROC encryption with legacy RPG and COBOL applications, FIELDPROC support also works with SQL applications, and Alliance AES/400 supports both program models concurrently. Your ILE and OPM applications will work well with FIELDPROC data protection. You do not have to have the source code for your application to implement Alliance AES/400.

4. Are there any security risks with automatic encryption using FIELDPROC?

Native IBM i object or user authorities will not protect encrypted data.  Automatic encryption and decryption works for all users and applications. Administrators cannot rely on native IBM i object or user authorities to control access to protected data, additional controls and policies must be put in place.

Data masking simplifies access control for security administrators.  It allows administrators to define which users and applications should have access to data and exclude users or applications that should not.  Security administrators can define users who should have access to the data, and define a default policy that masks the data for others

5. Will automatic encryption impact performance?

The IBM FIELDPROC exit point works by calling the exit program for each database insert, read, or update. The exit point program is also called on certain query and file positioning operations.  The right encryption solution can help minimize impact to system performance. Alliance AES/400 FIELDPROC support has been optimized for performance. The Alliance AES/400 encryption APIs are capable of encrypting 1 million credit card numbers in less than one CPU second. They are highly optimized for performance, and perform up to 100 times faster than equivalent IBM APIs on the IBM i platform. These same Alliance AES APIs are used for FIELDPROC encryption.

For more information on automatic encryption using FIELDPROC on the IBM i, view our webcast.

We have made our plans to be at COMMON in Minneapolis. Have you?

It’s almost here, that time of year when IBM System i (AS/400, iSeries) customers gather as a community to learn and collaborate about what is new with the platform.  It's almost time for COMMON, the largest gathering of IBM i users in the US.  This year the event is in Minneapolis, not too far from Rochester, MN – best knows as the "home of the AS/400".   You could say the AS/400 faithful are returning to the mothership.

Of course we are planning on being at COMMON,  we look forward to attending it every year.  It’s a great opportunity for us to visit with many of our customers,  catch up with our peers and meet new members of the IBM i community.   In addition to exhibiting at COMMON, John Earl and Patrick Townsend will be presenting sessions on data privacy.  John and Patrick are regulars at COMMON and their sessions are always well attended.  Here are some details about what they are presenting and when.

Encryption 101, John Earl 
May 1, 11AM – 12:15PM
101 H Minneapolis Convention Center

Security Challenge: Let's Break In!, John Earl
May 3, 2PM – 3:15PM
101 H Minneapolis Convention Center

Tokenization, Patrick Townsend
May 3:  5PM – 6:15PM
101 H Minneapolis Convention Center

So, as you make your plans on who to visit in the Expo be sure to include us on your list -- booth #511.   We are anxious to talk to our customers and old friends and look forward to making a few new friends as well.  

There are a lot of exciting things happening with Townsend in 2011, new products are on the horizon and updates to our most popular products; AES/400, FTP Manager and Key Manager will be coming soon.  Be sure to stop by and learn more!   If you would like to schedule a one-on-one with John or Patrick, send an email to marketing@townsendsecurity.com and we’ll make sure to accommodate your request.

See you in Minneapolis.

Your Encryption Project Just Get Easier!!

No one wakes up in the morning and says they want to encrypt their data, other than those of us at The Encryption Company.   We   love to help companies get started with encryption and we love to talk about it.  Those facts aside, much of the IT world views encryption as an onerous project and one they will avoid until an auditor says they have to meet a compliance requirement for PCI, HIPAA,  etc.

The good news for IBM i shops is that the latest release of the O/S, V7R1, just made it easier for them to embrace an encryption project, instead of avoiding it.  The most significant update in V7R1 is the introduction of the FIELDPROC exit point, which provides for an exit point at the column level of the database.  We were so excited about what FIELDPROC does for IBM i customers that we updated our AES encryption solution, AES/400 to support FIELDPROC. This enhancement enables future and current AES/400 customers to implement automatic database encryption on the IBM i.

AES/400 version 6.0 allows administrators to apply instant field (or column level) encryption routines without impacting applications.  Administrators can also enforce what users and what applications are allowed access to the protected data.  Rather than rely on native IBM object level security, which is often not implemented correctly, simply specify which user and which program has access and exclude all others.  That’s it!   Around the office we are calling it push button encryption because it really is that simple to implement encryption at the database level.

To paraphrase Staples (a long-standing Townsend Security customer), Automatic encryption – that was easy! 

Request a demonstration today and let us show you how your company can be encrypting and decrypting data in a matter of hours rather than weeks.