Townsend Security Data Privacy Blog

Liz Townsend

Recent Posts

Fundamentals of MongoDB Encryption Key Management

Posted by Liz Townsend on Oct 10, 2017 9:11:00 AM

Encryption key management is the cornerstone of an effective encryption strategy. Without key management, encryption stands alone as only half of a solution. When you leave the keys to unlock your sensitive business and customer data exposed, then you expose your entire organization to the risk of data loss or theft. Luckily, MongoDB was born in the age of modern data security and developed their no-SQL database with the forethought and insight to incorporate strong encryption and key management solutions. This means that today, with MongoDB Enterprise, MongoDB customers can meet encryption and key management best practices fairly easily through implementing native encryption and deploying a third-party enterprise key management solution.

Introduction to Encrypting Data in MongoDB In order to enable customers to seamlessly implement enterprise encryption key management, MongoDB integrated a universal encryption key management protocol called the Key Management Interoperability Protocol (KMIP). Unlike many other legacy databases who have floundered over the years trying to help customers do strong key management, MongoDB enables customers to protect encryption keys out of the door with a number of tested and validated enterprise key management partners. To know if you’re encryption key management solution is compatible with MongoDB, check to see that it has implemented KMIP.

What is Enterprise Encryption Key Management?

Enterprise encryption key management includes both technological and policy-based controls that integrate to provide the highest level of security of an organization’s encryption keys. Both types of controls are important to protecting encryption keys.

On a technological and physical level, encryption keys should be stored in a logically or physically separate hardware or virtual key server, dedicated to performing key generation, storage, and distribution. Keys should be generated with a FIPS 104-2 validated pseudo-random number generator and stored in a secure key database. Keys used for encrypting data (data encryption keys, or DEKs) should be key-wrapped and encrypted using key encryption keys (KEKs)--these keys are only used to encrypt DEKs inside the secure key database.

Once encryption keys are generated and in use, they should be distributed for use over a secure Transport Layer Security (TLS) session using certificates to authenticate the user requesting the encryption key. An enterprise key management server should use the most recent, recommended version TLS--1.2--as vulnerabilities were discovered in TLS 1.1 and TLS 1.0.

Lastly, enterprise key managers should perform real-time backup and high availability functions to prevent downtime and ensure business continuity. This means that each key server should perform active-active mirroring to one or more high availability server as well as perform routine, automated backups to secure storage drives.

All of these functions are critical to meeting best practices and securing encryption keys. However, beyond the technology, an enterprise key manager should implement user rules and administrative options that enforce particular policies and policy-based best practices.

Encryption Key LifecycleA critical administrative component to encryption key management is the ability to manage the complete encryption key life cycle. The encryption key lifecycle is defined by the National Institute of Standards and Technology (NIST), which outlines all aspects of a key’s life including key generation, pre-activation, activation, distribution, revocation, post-activation, backup, and deletion.

The administrative console that allows access to these functions should also give the IT or security administrator the option to designate key users or user groups as well as set keys to automatically rotate after a certain number of days, months, or years. This is just one requirement for organizations who fall under security standards for some regulated industries such as the payment card industry. The Payment Card Industry Data Security Standard (PCI DSS) outlines key management requirements for card holders or processors that can typically only be met using an enterprise-level encryption key management solution.

To learn more about PCI-DSS and encryption key management, view this webinar.

Beyond managing the key lifecycle, an enterprise key manager should actively audit and log all activity and functions performed on the key management server and record these logs to an external event monitoring or logging server so that malicious activity can be detected in real time. Your key management solution should be compatible with common event monitoring solutions and export logs in standardized formats in real time.

Lastly, your key management solution should inherently enforce policy-based security functions that meet key management best practices such as separation of duties and dual control. Separation of duties ensures that no single person is in control of multiple key management procedures such as the client request and subsequent distribution of an encryption key. The person requesting the key and the person distributing the key should be two different people. Dual control prevents any key management process to be controlled by a single person; for example, two security administrators should be needed to authenticate access to the key server. While these policy-based controls are sometimes optional, they should always be available and easy to implement in your encryption key management solution.

MongoDB Likes Centralized Key Management

When MongoDB decided to implement KMIP, the decision was likely a deliberate strategy to help users to either leverage the enterprise key management solution they already have, or to use common key management solutions that are KMIP-compatible. The power of KMIP is that it enables users to truly achieve centralized key management. A historical problem surrounding key management was the difficulty of an organization to store and manage encryption keys across multiple platforms, operating systems, and often departments. By implementing KMIP, MongoDB continues to make implementing key management across an organization more and more easy and effective, and therefore more user-friendly, which is what MongoDB is best known for.

Without deploying a strong encryption key management solution, encryption of sensitive data on its own is considered ineffective. In the age of the cloud, deploying a key management solution alongside your data is equally important, and therefore having options for where you deploy it is an important factor in your key management strategy. An effective key management solution should not only be centralized across your organization, but it should meet your data where it’s at, whether that is the cloud, a virtual environment, or on-site hardware.

KMIP also enables MongoDB customers to choose their own KMIP compliant key management solution and maintain complete custody of the key management server, and therefore the keys. Whether deploying the key manager in the cloud, in a virtual environment, or on-site, owning a third-party KMIP compliant key manager allows users to retain total control of their keys without sharing access with cloud service provides or software vendors.

Lastly, when researching professional or enterprise key management solutions, check to see if the vendor has validated their solutions with NIST such as to the NIST FIPS 140-2 standard, uses standardized technology, and has been validated to meet PCI DSS or other regulatory certifications. These validations ensure that the technology has been tested by independent labs to the highest security standards.

In combination with a robust database encryption solution from MongoDB, your encryption key management solution will elevate your security position and total level of control.

Introduction to Encrypting Data in MongoDB

Topics: MongoDB Encryption, MongoDB Encryption Key Management, MongoDB

State of Encryption Key Management

Posted by Liz Townsend on Nov 24, 2015 9:32:00 AM

Looking into 2016, what is the role encryption key management will play in securing sensitive data?

Encryption and key management are the Fort Knoxes of security technologies for organizations wanting to protect sensitive data from hackers and data breaches. While commonly used by retail and financial institutions (and gaining even more traction after the onslaught of retail data breaches we saw in 2014), we still see major gaps and problems with implementation of these technologies across multiple industries. In 2015, with over 181 million records exposed in data breaches by mid November, we ask ourselves, what are the challenges of implementing encryption and key management, how widely are they used today, and what can we expect from encryption and key management vendors looking forward? eBook The Encryption Guide

While encryption has become an easily accessible technology, it remains a major point of struggle for most companies. Since organizations have multiple departments with siloed technical infrastructure, many different tools must be used to manage data across the enterprise. From HR to Accounting to stored customer data, many different platforms, operating systems, databases, and applications are used to store and process sensitive information. This makes locating this data extremely difficult as well as achieving consistent data encryption that can be managed from a single, central location.

Boards of directors and executives are becoming more aware that data security is not just a technical problem, but a governance, risk management, and compliance problem that deserves the same level of attention to risk as financial, legal, and corporate aspects of their business. However, employees at the IT level still hold the most buying influence over encryption and key management technologies.

These sorts of buying decisions have historically landed in the wheelhouse of IT Operations; however, the primary issue that arises in these decisions is that  complicated data security projects are often perceived as a threat to operational continuity. When an IT professional feels they must choose between security and functionality, they will always choose function to avoid the dreaded business-down scenario. Companies should not have to chose between security and continuity, and today, security professionals advocate that executives assign an IT security team to advocate for security solutions and work with IT Operations to implement these technologies.

According to the Ponemon Institute 2015 Global Encryption & Key Management Trends Study, meeting compliance requirements such as PCI-DSS remains the primary driver for encryption and key management implementation. PCI-DSS and federal and financial regulations such as FISMA and GLBA/FFIEC also continue to set the strictest data security regulations. However, despite compliance with industry regulations, organizations still experience breaches, often by a hacker accessing their network through a third party vendor or through employee mistakes. Sadly, often these breaches reveal that data was not encrypted, despite industry compliance.

This flagrant lack of encryption begs the question, will our data security ever get better, or will hackers continue to be one or even two steps ahead?

The answer to that question may come from the fact that in many large corporations, about 80% of resources allocated for data security apply towards network and anti-virus security. This includes firewalls, malware detection, and other intrusion-prevention software. The problem with relying mostly on network security is that hackers continually succeed in breaking through these barriers, often using social engineering and phishing scams to achieve enough authority to open a door and walk right in. Once inside, they discover sensitive data stored in the clear and steal it.

Network security is always an important part of a data security plan, but time after time we see encryption, which is also a critical part of that plan, implemented after-the-fact. This comes back to the issue of sensitive data being difficult to locate inside an enterprise, but the sheer amounts of unencrypted data that hackers are able to discover leads one to believe that some organizations simply do not implement encryption very well. This may be backed up by the discovery that only 37% of companies in the U.S. deploy encryption extensively (as opposed to partially) across their enterprise.

Diving deeper into the challenges surrounding encryption, one of the most painful parts of encrypting data is managing encryption keys. Even if a company encrypts a database of customer credit card numbers, if they do not protect the encryption key, a hacker could easily find the key and decrypt the data, rendering the encryption useless. Unfortunately, protecting and managing encryption keys away from encrypted data is still something organizations fail to do.

As organizations begin to move into the cloud and virtualized environments, as many already have, another stumbling block will be lack of availability of hybrid (cloud and in-house) encryption and key management solutions.

Looking into 2016 and beyond, the key management solutions that will excel will be the solutions that can manage encryption keys anywhere your sensitive data is located whether that be in the cloud, virtual platforms, or hardware. A majority of companies believe that hybrid deployment in both cloud and on-premise is the most important feature of an encryption solution. Without strong hybrid key management, encryption of data spread across an enterprise and the cloud will become even more difficult. Key management vendors that follow their customers into virtual environments will, in the long term, deliver more comprehensive data security.

It’s hard to imagine that data breaches will begin to diminish any time soon, but hopefully organizations will learn from others’ mistakes. It is clear from the evidence that deployment of encryption is nowhere near complete across most organizations, and lack of encryption key management continues to be a challenge, but working with the right encryption key management vendor can ease this pain.

When looking for a key management vendor that can help you manage encryption keys across your enterprise, including the cloud, look for a key management vendor that has:

  • No hidden or additional fees for nodes or client-side applications
  • Commitment to innovation and development
  • Commitment to legacy products
  • Excellent reputation for customer support

 

The Encryption Guide eBook

Topics: Data Security, Encryption, eBook, Encryption Key Management, Defense-in-Depth

Reflections on COMMON Annual Meeting and Exposition 2015

Posted by Liz Townsend on May 8, 2015 1:59:00 PM

Last week, Townsend Security CEO Patrick Townsend and I made the trip to Anaheim, CA for the IBM COMMON User Group Annual Meeting and Exposition, a meeting that brought about one thousand IBM users from around the world together to learn and network. Both Patrick and I gave classes on IBM i security. This was a great opportunity for us to learn what the top security concerns of IBM i users are today, and what strategies are most common for implementing defense-in-depth security on the IBM i.

Two Factor Authentication on the IBM i First, it was great to learn that most IBM i users with sensitive data are encrypting. FIELDPROC, the field procedure exit point available on V7R1/V7R2 has made column-level encryption easier than ever, and many users are moving towards FIELDPROC-based encryption solutions. There was also greater interest in encryption key management, which is a critical part of any encryption solution.

One of the top questions we received regarding encryption and key management was, what are the benefits and challenges of IBM i native encryption libraries and key management? The IBM i native encryption and key management capabilities can be an easy way of protecting sensitive data on your IBM i. However, some companies who must encrypt and decrypt large amounts of data in short periods of time, or who must meet compliance regulations such as PCI-DSS or FFIEC, often run into performance issues when using the native encryption libraries and compliance issues if they must use a NIST-compliant key management solution. If a user needs to manage encryption keys in a multi-platform environment, then using a third-party key management solution that can manage keys in multiple operating systems and platforms is critical.

Greater interest in system logging was also evident. A strong system logging solution will collect security events in real time and detect a data breach as it happens. Many IBM i users were already using a log collection solution such as Splunk, AlienVault, or IBM’s QRadar SIEM solution; however, many users were also facing the challenge of collecting security events that are generated in many different formats, and need to be converted to a common format for collection, analysis, and alert management. The ability to convert these events and manage them in a cohesive way falls entirely on the capabilities of your system logging solution. We recommend IBM users focus on solutions, such as our Alliance LogAgent, that can convert logs from multiple formats into standards formats that can be read by your SIEM solution.

Lastly, Patrick presented on the importance of two-factor authentication on the IBM i. The importance of two-factor authentication has become more evident since many security experts deduced that some of the largest data breaches in the past few years perhaps could have been prevented using two-factor authentication. The Target and Anthem breaches are listed among these. Two-factor authentication is defined as an authentication method using two factors: something you have and something you know. If using two-factor authentication on the IBM i, anytime a user signs on, they will also receive a text or phone call providing them with a pin number they must enter in to their sign on client as well. Since hackers are becoming more and more adept at discovering a person’s password, two-factor authentication would stop a hacker from signing on as that person if they didn’t have access to their phone as well. Large companies such as Google and Apple are using these technologies already, and it won’t be long before use of two-factor authentication is a standard across all platforms.

Every year, COMMON gives us an opportunity to connect with IBM i users and some of our customers as well. We use this opportunity to spread the knowledge we have about the best security solutions available for the IBM i and learn from the community what new security needs coming down the line. If you weren’t able to attend COMMON this year, check out Patrick Townsend presentation on on two-factor authentication, available online here.

Two Factor Authentication on the IBM i

Topics: COMMON, IBM i

Introducing Key Connection for Encryptionizer

Posted by Liz Townsend on Apr 17, 2015 8:01:00 AM

Easier Encryption and Key Management for SQL Server Standard & Web Editions

Your IT environment is ever changing. As technologies evolve, you constantly have to upgrade systems and migrate to new platforms to accommodate these changes. This often results in complex IT environments that are comprised of multiple platforms and operating systems, and data located in disparate locations. Protecting sensitive data in a multi-platform environment that’s made up of both old and new technologies can be one of the most frustrating aspects of data security. White Paper: Key Management in a Multi-Platform Environment

One of Townsend Security’s core missions is to help customers protect sensitive data, regardless of where that data resides, in a cohesive way. One area where we’ve seen the need to improve upon this is around encrypting data in Standard versions of Microsoft SQL Server. Because Microsoft does not provide transparent data encryption (TDE) capability on SQL Server Standard and Web editions, Microsoft customers using these older editions struggle with implementing easy and fast transparent encryption.

In order to simplify the encryption process for Standard and Web Edition users, we have partnered with NetLib, a database encryption solution provider that supports easy and automatic folder, file, and application encryption in Windows as well as database and column level encryption for all Microsoft SQL Server editions. NetLib Encryptionizer easily protects data in SQL Server (2000-2014), Standard, Web, Workgroup and Express Editions. NetLib provides column level encryption as well using triggers and views without the need to write SQL statements or any other development.  

NetLib’s customers choose NetLib Encryptionizer for their FIPS 140-2 compliant encryption solution, for which they require FIPS 140-2 compliant encryption key management as well. As a critical step in our partnership, Townsend Security built Key Connection for Encryptionizer, a no-cost plug-in module that allows Encryptionizer customers to easily secure encryption keys using Townsend Security’s Alliance Key Manager.  

System audits and logging are critical to detecting and alerting you to malicious activity in your systems. Key Connection for Encryptionizer allows users to fully audit the encryption and key management process. Encryptionizer audit logging of user-file interaction as well as audit logging of the key life cycle in Alliance Key Manager provides a comprehensive logging service. Additionally, encrypting data on SQL Server Standard and Web editions typically involves some level of development. With NetLib Encryptionizer, users can encrypt data using a simple point-and-click configuration.

Townsend Security is proud to partner with NetLib to provide an easier method to encrypting data in Microsoft SQL Server Standard and Web editions. To learn more about managing encryption keys for data encryption in complex environments, download the white paper, Key Management in the Multi-Platform Environment.

White P


 





Topics: Alliance Key Manager, NetLib Encryptionizer, Encryption Key Management, White Paper

VMware Encryption - 9 Components of a Defensible Encryption Strategy

Posted by Liz Townsend on Feb 11, 2015 2:37:00 PM

VMware Encryption eBook We all know encrypting sensitive data such as customer, employee, and business critical data is not only crucial to protecting your company’s assets, encryption is also required by industry regulations such as the Payment Card Industry Security Standards Council (PCI SSC) and GLBA/FFIEC. Today businesses are turning to VMware virtual machines and the cloud to reduce cost and complexity within their IT environments. When companies set out to encrypt sensitive data that is stored or processed in VMware, meeting industry regulations is top of mind. Businesses also sometimes assume that meeting the encryption requirements of a regulation will protect them from a data breach as well. Unfortunately, passing a data security audit does not always guarantee a strong defense to a data breach. Where data is encrypted and how it is encrypted is often subjective to the auditor, and where one auditor might give your encryption solution a passing grade, another might fail you. If you are only looking for a passing grade, you may be implementing the bare minimum requirements. When you consider the possible deviation between one auditor to the next, it becomes clear that meeting compliance is often a low bar.

At Townsend Security we help our customers not only meet compliance, but achieve a level of security in their VMware environment that will protect them in the event of a data breach. Our new eBook, “VMware Encryption: 9 Critical Components of a Defensible Encryption Strategy,” discusses nine strategies for ensuring your VMware encryption strategy is strong enough to protect your business in the event of a data breach.

Download this eBook to learn more about these critical components and more:

1. Establish a VMware Security Roadmap
The first step in securing your VMware environment is to establish a security roadmap. Determine how encryption and key management in VMware fit into a holistic security plan, and assess security requirements that compliance regulations mandate. Assess your level of risk tolerance for the types of data you want to protect. It’s important to keep in mind that compliance regulations may not mandate the protection of some data, such as email addresses and passwords; however, you may want to encrypt this data in order to protect your brand and reputation should this data get breached. At an IT level, like other security applications that perform intrusion detection/prevention, and active monitoring, you should deploy your encryption key management virtual machine in a separate security workgroup and provide administrative controls in the same way as for other VMware and third party security applications. [Download the eBook to read more]

2. Inventory and Prioritize Sensitive Data
Every encryption project should start by making an inventory of sensitive data in your IT environment. The first step is to define “sensitive data.” Sensitive data is any customer or internal data that you must protect in order to meet compliance requirements or protect your customers, employees, and yourself from data theft and fraud. The scope of what is considered “sensitive data” and how hackers use data to commit fraud is growing. However, if you do not know where to start, first consider the compliance regulations you fall under. [Download the eBook to read more]

3. Use Industry Standard AES Encryption
Encryption protects your data at the source and is the only way to definitively prevent unwanted access to sensitive data. Academic and professional cryptographers have given us a number of encryption algorithms that you can use to protect sensitive data. Some have interesting names like Twofish, Blowfish, Serpent, Homomorphic, and GOST; however, it is critical in any professional business to use encryption algorithms accepted as international standards. Many compliance regulations require the use of standard encryption, such as AES, a globally recognized encryption standard, for encrypting data at rest. [Download the eBook to read more]

4. Encryption Key Management

Many organizations that encrypt sensitive data fail to implement an adequate encryption key management solution. While encryption is critical to protecting data, it is only half of the solution. Your key management will determine how effective your encryption strategy ultimately is. When encrypting information in your applications and databases, it is crucial to protect encryption keys from loss. Storing encryption keys with the data they protect, or using non-standard methods of key storage, will not protect you in the event of a data breach. For businesses that are already encrypting data, the most common cause of an audit failure is improper storage and protection of the encryption keys. [Download the eBook to read more]

Download “VMware Encryption: 9 Critical Components of a Defensible Encryption Strategy,” to learn 5 more critical components! Learn how to protect your customers, secure your business assets, avoid regulatory fines, and protect your brand.

VMware Encryption eBook

Topics: Encryption, Encryption Key Management, VMware

Securing SQL Server in the Cloud

Posted by Liz Townsend on Dec 19, 2014 10:21:00 AM

Organizations running SQL Server Enterprise edition gain the added benefit of SQL Server transparent data encryption (TDE) and extensible key management (EKM). The encryption capabilities of Enterprise edition enable users to easily encrypt data at the column level of a database, and EKM allows users to store encryption keys using a third-party encryption key management solution. These streamlined capabilities of SQL Server Enterprise Edition have made SQL Server one of the easiest databases to encrypt, and therefore it’s popularity hasn’t waned. SQL Server Resource Kit on Encryption & Key Management

One of the biggest issues facing SQL Server users today is maintaining security as users move their SQL databases to the cloud. While Microsoft Azure remains a popular cloud service provider (CSP) for SQL users, Amazon Web Services (AWS) and VMware are also common amongst organizations moving to the cloud, especially those migrating a multi-platform environment. Each of these top-tier CSPs offer security solutions to help you protect your cloud environment; however, when considering security in the cloud there are two important things to remember: The security offered by your CSP won’t provide you with a complete security solution, and the security solutions you bring to protect your data in the cloud can fail if not implemented correctly.

Don’t rely on the cloud for complete security!

Your CSP should provide your business with some security, but their solutions are likely limited. Most CSPs will offer firewall protection, for example. Top-tier CSPs have also undergone some certifications such as Payment Card Industry (PCI) and FedRAMP compliance. It is important to remember, however, that relying on firewalls alone is not enough to prevent intruders, and cloud certifications never mean that your company will automatically meet these compliance regulations as well. A comprehensive data security plan is required for any business operating in the cloud, and this typically requires using third-party security solutions to ensure your business meets compliance and is adequately protecting data.

Remember these two things when protecting data in the cloud:

  • The security solutions offered by your cloud vendor are rarely enough to prevent a data breach.
  • Just because your cloud service provider is compliant, doesn’t mean you are.

Storing data in SQL Server in the cloud presents new security challenges. Hackers or malicious users can gain access to sensitive data easily through common hacks. Easy hacking of SQL Server is a result from:

  • Incorrect configuration of cloud provider’s firewall
  • Attacks through weaknesses that could have been addressed by updating and patching SQL Server
  • Missing or weak passwords
  • social engineering and account hacking
  • Lax administrative access

When it comes to securing SQL Server in the cloud, you should also always consult your legal and auditing team (or consultants) before assuming that your data is safe and you are compliant with any industry security regulations. On a general level, it’s important to include these security measures in your holistic security plan:

  • Intrusion prevention
  • System logging and monitoring
  • Encryption & key management
  • SSH in place of passwords
  • Limited access to sensitive data
  • Separation of duties and split knowledge when accessing encryption keys and sensitive data.

It’s important to remember that your business continuity relies on your own security plan. Regardless of the environment, when your organization experience a data breach, ultimately the responsibility is yours. Your customers, as well as your employees, rely on you to protect their data, and if you fail to do so, the consequences may include loss of customer loyalty and a severely damaged brand. The ultimate way to prevent access to sensitive data is using encryption and encryption key management.

To learn more about how Microsoft SQL Server Enterprise Edition can easily be secured in the cloud, download:

Resource Kit: Encrypting Data on SQL Server

 

Topics: Encryption, Encryption Key Management, Resource Kit, SQL Server, Cloud Security

Encrypting Data in the Cloud: How a CEO Can Manage Data Security Risk

Posted by Liz Townsend on Nov 24, 2014 2:07:00 PM

For many business leaders, the idea of moving to the cloud can be a daunting thing. Fear of the cloud still exists, and this fear is easily understood due to the inherent insecurities of the cloud. A shared, multi-tenant environment would never sound like a safe place to store sensitive business and customer data. The appeal of low-cost data storage clearly has trumped these fears, and today the cloud has become the de-facto platform for all small businesses and startups as well as larger corporations that are continually trying to mitigate costs and choose to use the cloud over buying new, expensive hardware that must be operated in-house.

encryption, key management, grc, governance, risk, compliance However, movement to the cloud has not alleviated these fears, and the biggest concern with the cloud remains security. This is largely because there isn’t a standard for securing data in the cloud, and although organizations such as the Payment Card Industry (PCI) and the Cloud Security Alliance publish recommendations around protecting data in the cloud, there are no hardened rules in place for organizations to follow to help them (or make them) secure data and prevent data breaches in the cloud.

The cloud has become a paradox for business leaders desperate to cut costs and manage risk at the same time. Using the cloud to store and process data at a lower cost is an obvious choice; however, such a quick decision often precludes due diligence around risk mitigation. It leads one to ask, if it’s the CEO’s job to govern and manage risk, why isn’t she or he more aware of the risks associated with storing sensitive data in the cloud?

The answer might be this: CEOs aren’t necessarily ignoring the risk, but simply do not know how to ask the right questions in order to adequately assess risk. If they don’t know how to assess risk in a certain area of their business, then there is little way to control that risk. When dealing in a technical landscape where data breaches are the new norm, and the cost of a breach can be millions, the inability to control the risk of a data breach is a massive problem.

For CEOs and business leaders concerned about sensitive data and data breaches in the cloud, it is important to learn the basics of assessing data security risk. A good place to start is by nailing down the answers to these topics:

  1. Find out if the customer data your company is processing or collecting must be protected under industry data security regulations and/or state laws. You may be surprised to find out that data not listed under these regulations is now considered “sensitive” in the public eye, such as email addresses, passwords and phone numbers and should also be encrypted.
  2. Choose a cloud provider that will work with your compliance needs and help you mitigate risk. If applicable, choose a cloud provider that provably demonstrates commitment to security and privacy by having undergone PCI, FEDRamp, SOC or similar certifications. You may want to have the option of storing some data in a private cloud. Does your cloud provider offer this?
  3. Work with your compliance auditor(s) to determine if your cloud solution aligns with industry compliance requirements and best practices. At the end of the day, your auditing and legal counsel should be able to determine if you are securing data to regulations, recommendations and best practices. It is important to remember that meeting compliance is often considered a low bar and that it is typically better to do more than the bare minimum requirements.
  4. Document the type of data that you will be storing or processing in the cloud and which compliance regulations apply to encrypting that data. Depending on whether you are handling credit card information, financial information, patient healthcare information, or other types of sensitive data, you may fall under one or more industry data security regulations. Each set of regulations identifies what kinds data need to be encrypted
  5. Choose a cloud provider that will allow you to bring your own encryption key management when encrypting data. When encrypting data in the cloud, it is critical to remember that your encryption keys are your keys to the kingdom. If you store your encryption keys with your encrypted data, then anyone who gains access to that data will be able to decrypt it using the encryption keys. Some cloud providers offer key management as a service, which may be an adequate method of protecting encryption keys, but may not be preferable for organizations who want complete control over their encryption keys.

For any business leader concerned with GRC, knowing how to assess risk in the cloud is critical. Download our podcast "Encryption, Key Management, and GRC" to learn about what technologies you can implement to help mitigate a data breach or prevent one from happening altogether.

encryption, key, management, grc

Topics: Risk Management, Executive Leadership, GRC

5 Ways CEOs Can Limit Liability, Manage Risk with Encryption

Posted by Liz Townsend on Oct 27, 2014 11:05:00 AM

Recently I traveled to Los Angeles to speak at a NetDiligence Cyber Risk and Liability conference on a panel focusing on technology to mitigate risk. I was eager to attend and speak at this conference since the area of data breach clean-up is a field that I rarely come in contact with. In our organization, we spend much of our time consulting with companies who are attempting to prevent a data breach or meet compliance by implementing encryption and key management technology, and rarely are we involved in any post-breach scenarios involving breach forensics, insurance payouts, or litigation.

encryption, key management, grc, governance, risk, compliance It is common knowledge, however, that for attorneys who wish to help limit their client’s liability when it comes to data breaches (and also make litigation easier should a data breach occur), advising them on processes and technologies that will mitigate risk and liability is essential.

From speaking to attorneys who attended this conference, this is what I learned: Executives don’t treat their data as an asset that needs to be protected as a part of governance and risk mitigation. This is a pervasive issue that is exemplified in highly publicized data breaches that seem to occur on a weekly basis. Negligence around data protection, I believe, simply stems from a lack of education. Twenty or 30 years ago, when most enterprise executives were in business school, governance of sensitive, electronic data was not taught, simply because the issue didn’t exist. Today, protecting data as a method of risk management is an entirely new field. Unfortunately, as data breaches become more and more serious, business leaders can no longer avoid the issue or fall back on an “I’ll just pay the fine” mentality, which is woefully inadequate since the cost of a data breach extends far beyond fines to respective governing industry regulators. The cost of a breach includes fines, brand damage, loss of customer loyalty, litigation, credit report monitoring for affected customers, and even job loss. Executives should take a note from the ex-CEO of Target to learn how a data breach reflects on leadership (or lack-there-of).

In the face of never-ending data breaches and an entire industry based on hacking complex networks, the question now becomes, how can executives effectively mitigate cyber risk and liability using technology?

1. Accept data is a critical part of governance, risk management, and compliance

Imagine a CEO walks into a room with his or her board of directors and says, “I’m going to cancel our errors and omissions insurance.” Any director would be terrified and livid to hear their CEO say such a thing, and likely begin to doubt his or her ability to govern. However, in a similar situation, if a CEO said, “I don’t think we’re going to encrypt our customers’ sensitive data this year,” historically no one would have blinked an eye. This is changing. The cost of a data breach has skyrocketed to a point where ignoring the risk of unprotected sensitive data is considered negligence. Executives need to understand that not encrypting sensitive data reflects on their ability to govern.

2. Know what data is considered “sensitive” and needs to be protected

Sometimes business leaders aren’t even sure which data needs to be encrypted. Overall, it is common knowledge that data such as credit card numbers and social security numbers need to be encrypted, especially under payment card and financial regulations such as PCI-DSS and GLBA/FFIEC; however, loyalty data such as email addresses, passwords, and phone numbers are considered sensitive and should be protected. Hackers are great aggregators and can derive very sensitive data from this kind of information. The recent JP Morgan Chase breach is a good example of a breach of customer data that landed a business in hot water. Executives need to examine which regulations they fall under, as well as consider what is now considered sensitive (even though it may not be listed as “sensitive” under regulation), and encrypt that data.

3. Learn to ask the right questions

Executives have learned to ask the right kinds of detailed questions to ensure their financial and business processes are limiting risk, but they still haven’t learned to ask the same kinds of detailed questions about their data security. In fact, it’s common for a CEO to simply ask their security or IT department, “are we secure”? Unfortunately, vague questions such as this get vague answers. While business leaders should work with a qualified security auditor to determine what kinds of questions they need to be asking their IT security team, here are a few examples that might be helpful:

Can I get an itemized list of all of the locations of our sensitive data, and the specific method in which we are protecting those sets of data?

Are we transferring sensitive data across networks? How are we encrypting that data?

Are we encrypting our data at rest? If so, are we using industry standard methods such as NIST AES encryption or RSA encryption?

How are we managing our encryption keys? Are they located in a secure, FIPS 140-2 compliant encryption key manager?

4. Know the limits of your technology

Assuming a certain amount of risk is common when that risk can’t be avoided. Unfortunately, it’s not very pleasant to realize you’ve assumed risk that you are unaware of. Many large retailers have been experiencing this recently with data breaches occurring in their point-of-sale systems. Understanding the limits of the technology you use is critical to preventing data breaches. Many organizations still rely on firewalls, strong passwords, and intrusion prevention software alone to protect sensitive data. These methods are certainly a component of a data security strategy, but they have limits, and are inadequate to protect sensitive data. Industry regulators know this which is why data security regulations require if not strongly recommend the use of encryption and encryption key management.

5. Encrypt data everywhere, including in the cloud

The internal network of any businesses can be incredibly complex. With many points of entry in many departments, a network can be easily breached. Encryption and key management are defense-in-depth technologies used to stop data breaches before they happen. Since data moves across multiple applications and networks, in every location where that data moves or stays it needs to be encrypted. Any sensitive data processed or stored in the cloud should always be considered in danger of greater risk, due to the inherent insecurities of a multi-tenant cloud solution. Assume that any holes in your encryption strategy will attract a breach.

Managing risk by implementing the right technologies is critical to mitigating the effects of a data breach. To learn more about encryption and risk mitigation, download the podcast, “Encryption, Key Management, and GRC: Technology to Mitigate Risk

encryption, key, management, grc

Topics: Encryption, Key Management, GRC

Why Encrypt Data in Your Drupal Websites?

Posted by Liz Townsend on Oct 3, 2014 10:44:00 AM

The internet has become a portal for the transmission and storage of sensitive data. Most websites today gather information from potential or current customers, clients, and users. From credit card numbers to email addresses and passwords, few websites exist today that don’t collect some sort of personal data. Therefore, website developers are becoming more and more interested in learning how to build websites that can easily encrypt sensitive data that their client’s website may be collecting. Drupal Developer Program

Encryption isn’t as widely used at the application and module level in websites as it probably should be. Protecting sensitive data using strong encryption from the moment a website accepts a customer’s information, and throughout transmission and storage of that data is the only method to ensure that data is never compromised. This is critical for websites using commerce modules or forms that collect a person’s health information, financial information, or other personally identifiable information (PII); and for businesses who wish to avoid a data breach.

As Drupal grows and more Drupal developers are beginning to interact with larger clients, the need to provide strong security to those businesses grows as well. The need for encryption will continue to grow as potential clients ask Drupal developers for standards-based security solutions that will help them meet compliance regulations and mitigate risk.

  • Government websites, for example, will need to pass FISMA regulations around encryption.
  • Large retail websites will need to pass Payment Card Industry Data Security Standards (PCI DSS).
  • Colleges and Universities have multiple compliance requirements, as well as FERPA, to adhere with.

Helping clients meet compliance regulations will also require, in some cases, the need for encryption key management. Historically, developers only had three choices for encryption key storage: they could store the key in a file protected on the server, in the Drupal database, or in Drupal’s settings file. None of these options are secure, and would not meet several compliance regulations and general security best practices.

Encryption key management is more than a “key storage” solution. An encryption key manager protects encryption keys on a separate server (located in the cloud or as a physical Hardware Security Module (HSM) or in a (VMware) virtual environment) that implements control layers such as dual control and separation of duties. An encryption key manager manages encryption key creation, deletion, lifecycle, rollover, and archival. Key managers that are FIPS 140-2 compliant have undergone NIST validation and are based on industry standards. Choosing an encryption and key management solution based on standards will ensure your solution will stand up to scrutiny in the event of a breach.

If you are a Drupal developer, you can now join the Townsend Security Drupal Developer Program, work with our encryption and key management technology free of charge, and learn how to secure sensitive data in Drupal for your clients concerned with security.

Using Key Connection for Drupal, the first encryption & encryption key management module, Drupal developers can now build NIST compliant AES encryption and FIPS 140-2 compliant encryption key management into their Drupal websites.  

Just click below to sign up:

Developer Program Encryption  

Topics: Encryption, NIST, Developer Program, Encryption Key Management, FIPS-140, Drupal

Want to Get Bigger Clients? Give Them Encryption & They Will Come

Posted by Liz Townsend on Sep 26, 2014 8:55:00 AM

Businesses leaders are becoming more and more scared of an impending data breach. Most IT security professionals agree that a data breach is no longer a matter of “if” but “when”. While major enterprises are now scrambling to implement strong encryption and encryption key management to protect customer data, for many companies, like Target and Home Depot, these efforts are too little too late.

Drupal Developer Program These medium to large enterprise-sized businesses are now holding their vendors and partners to a higher security standard. As a B2B organization that would like to onboard these larger clients, you should consider learning how to implement strong data security into your hardware, software, and cloud applications.

Encryption is one of the best-kept secrets of companies that have prevented or mitigated the consequences of a data breach. Because encryption renders data unreadable, any unauthorized access to that data is useless to the person who sees it. If the encryption key is adequately protected and not discovered by the intruder, then there is no way to decrypt the data and the breach has been secured. Encryption and encryption key management are the most defensible technologies for data breach protection.

Today encryption and encryption key management is as easy as launching an AMI in Amazon Web Services (AWS) in just a few minutes. Developers can now launch Townsend Security’s key manager, Alliance Key Manager (AKM), in AWS, Microsoft Azure, or VMware and receive up to two free licenses to develop and test encryption and key management in their applications. Alliance Key Manager is FIPS 140-2 compliant and provides NIST compliant AES encryption services so that encryption keys never leave the key server.

Businesses are not only concerned with risk management. Meeting compliance using standards-based solutions is also a critical piece to building defensible data security. Especially for government organizations that must comply with FISMA, many CIOs and CTOs won’t even consider an encryption or key management solution that hasn’t undergone NIST certification.

The importance of NIST compliance is far-reaching. Implementing a solution that meets an industry standard means that your solution will stand up to scrutiny in the event of a breach. NIST compliant encryption and key management have been tested against accepted standards for cryptographic modules and are routinely tested for weaknesses. Can meeting compliance regulations still be a low bar? Of course, but following standards and then implementing accepted best practices is the only way to meet compliance and achieve the highest levels of security.

With the Townsend Security Developer Program, you can develop applications that not only meet compliance but exceed them to give your clients the highest levels of security, you can win enterprise clients that you haven’t been able to work with before, and gain access to a host of Townsend Security APIs that have been designed for easy integration into new development projects.

Language libraries we provide for Alliance Key Manager include: Java, C/C++, Windows .NET application source code, Perl, and Python. Also available are client side applications for SQL Server and Drupal CMS.

To learn more and to join our Developer Program, click here.

Developer Program Encryption

Topics: Developer Program, Data Breach, Business Risk, Executive Leadership