Townsend Security Data Privacy Blog

We all know that in today’s climate of information technology, the steps we take to secure sensitive data must go beyond simply using passwords and firewalls. However, many organizations are still hesitant to adopt encryption and encryption key management, even when it’s mandated by industry regulations and is the strongest safeguard against a data breach. In our new eBook, we’re asking, “What’s preventing you from implementing strong data security?”

Encryption and encryption key management have a reputation for being costly and difficult. This reputation causes organizations a lot of fear. Many people ask themselves, will an encryption and key management project overtake my time and resources? Will it consume my budget? Will it slow down my systems? The good news is, with evolving technology these fears are now based simply on misconceptions. For many organizations, especially those using the cloud, the cost and ease of an encryption and key management project has been greatly improved due to reduced complexity of the Technology. Also, the idea that encryption and key management severely affect performance is usually a misconception of how encryption and key management work in an IT environment, and with proper key management technology, the fear of losing an encryption key is nearly void.

To learn how to overcome the top five most common fears of implementing encryption and encryption key management, check out the excerpts from the new eBook below!

1. Will encryption & key management affect performance on my systems?

One of the most common fears about encryption and encryption key management is that encrypting data will severely impact system performance. It’s true that encryption will have some impact on performance, but if done right, encryption should rarely impact your performance more than 2-4%. Performance impacts can also vary based on the amount of data you’re encrypting and whether you’re doing whole disk, column and field level, or application level encryption. Because encrypting data at any level is difficult to get right, many organizations that attempt “do-it-yourself” encryption solutions see a much higher performance impact…

2. Encryption & key management is too complicated

In the past, managing encryption keys was incredibly complicated as well as costly and time consuming. Specialized solutions had to be developed for an organization’s specific IT infrastructure in order to provide access as well as limit control to certain users. These projects would take months of development to complete and be complicated for an administrator to manage.

Today encryption and key management is easy with SDKs, sample language libraries, and ready-to-use client side applications provided by key management vendors. Little-to-no programming is required by the user at all, and keys can be automatically generated so that complex configuration steps are entirely eliminated...

3. What if I lose a key?

One of the greatest fears of encryption is key loss. If an organization encrypts data and then loses the encryption key, unless they’ve made a backup of the key or restore access to the key, the data becomes permanently unusable. This could be a nightmare for those encrypting millions of pieces of data, such as customer credit card information that needs to be read and retrieved daily in order to complete transactions and maintain business continuity.

While the fear of losing a key is legitimate, the keystone of a successful encryption solution is encryption key management, which is the primary solution for managing, storing, and most of all, protecting encryption keys...

4. Encryption key management is too expensive

Today, a reputable encryption key management vendor will never overcharge you or have hidden fees or costs, and will provide you with information to help you find the right solution, free of charge.

The climate of data security is always changing. However, one thing we know for sure is that hackers are never going away. Hacking is a profitable and growing industry. Firewalls and strong passwords are no longer considered adequate means for protecting sensitive data...

5. My IT staff is too small!

Another common fear is that an organization’s IT department is too small to handle a project like implementing encryption and encryption key management. Encryption key management has a reputation for being incredibly difficult to implement, and many administrators assume that the time and manpower that must be diverted to complete an encryption key management project isn’t worth doing the project at all.

Although this reputation held true ten years ago, encryption key management today has become so simple that in many scenarios it can be implemented in just a few minutes…

To continue reading, download "Overcome the Top 5 Fears of Encryption and Key Management" today.

Protecting sensitive data stored in Amazon Web Services (AWS) is a major priority for SlimTrader, a company helping businesses and individuals in Africa complete secure transactions via mobile ecommerce solutions. SlimTrader chose AWS to host their extensive database of users based on their ability in AWS to reduce costs and scale up as their business grows. The challenge, however, was to find an encryption and encryption key management solution that also featured low initial costs and could scale as well.

Implementing strong encryption and key management in the cloud has been a major challenge in the past. Recently, AWS released the AWS CloudHSM; however, the high startup costs for implementing this encryption key management solution as well as its limitations made this solution an impractical fit. That’s why SlimTrader chose Alliance Key Manager for AWS.  According to Martin Pagel, CTO of Slim Trader:

“Our main challenge is that we’re cloud based, so we can’t use an HSM because we don’t have a physical IT infrastructure. We want to do it the right way, and do it in the cloud. With Alliance Key Manager for AWS I can deploy encryption key management the way I want, and I don’t have to ask anyone in Amazon for help.”

Alliance Key Manager not only scales to meet your business needs, but also gives you complete administrative control over your own virtual key server. Having this level of control is critical in a cloud environment where you may not be sure who you are sharing resources with. Alliance Key Manager also uses the same FIPS 140-2-compliant encryption key management and NIST-validated AES encryption service found in Townsend Security’s HSMs so that you can provably meet compliance requirements for several industry security regulations. Meeting compliance requirements is important to SlimTrader and many of their larger customers.

Overall, Townsend Security helped SlimTrader achieve their security goals and overcome security challenges in four major ways:

• Making encryption and key management in AWS easy. For many businesses, moving their data to the cloud is simply more practical than assembling an internal IT department. It is also significantly easier.  “The ease of firing up an AKM cloud instance and having control over it appeals to me,” said Pagel, “And I don’t have the limitations of needing to install a physical box.”
• Making encryption and key management in AWS affordable. SlimTrader also chose AKM for AWS for affordability. With Alliance Key Manager for AWS, SlimTrader is taking advantage of Townsend Security’s no end-point license fee model that will allow them to grow without burdening their budget. For strong data security to become ubiquitous, and for data breaches to become fewer, encryption and key management must become affordable. With AKM for AWS, small businesses such as SlimTrader can lead the way in data breach prevention.
• Providing encryption and key management that works with their applications. SlimTrader needed a key management solution that would work seamlessly with MySQL and Drupal in AWS. Alliance Key Manager is designed from the ground up to integrate with many platforms, applications, and databases and can protect encryption keys for data encrypted at the application level.
• Certified Solutions. SlimTrader works with several banks and government agencies in Africa who consider PCI compliance important. “When we manage data on their behalf, we need to manage it securely,” says SlimTrader CTO Martin Pagel. FIPS 140-2 compliance is critical for many organizations who must meet government standards, and important for businesses that want provably defensible encryption key management.  Alliance Key Manager also provides onboard NIST-validated AES encryption service. This service allows you to provably meet compliance regulations for encryption.

To see for yourself how easy encryption and key management can be in Amazon Web Services, download a free 30-day evaluation.

Data security in Drupal is a top concern. Townsend Security recently launched our Drupal Developer Program to engage Drupal developers in building stronger, more secure websites, and to give back to the Drupal community by creating a collaborative network of Drupal developers concerned with data security and compliance regulations. Members of the Drupal Developer Program gain free access to Alliance Key Manager, our FIPS 140-2 compliant cloud key manager, as well as NIST-validated AES onboard encryption, for non-production testing and development.

Many Drupal developers today run up against tricky situations when developing websites that collect sensitive data such as payment card information, personally identifiable information (PII), and user passwords--not just commerce information. Developers are asking themselves, “what compliance regulations do I face”, “which data needs to be encrypted”, and “how do I do encryption and key management right to meet compliance?”

With Key Connection for Drupal, an API designed to offboard encryption keys to a secure key server, encryption and key management is made easier than ever.  Now Drupal developers can join the Drupal Developer Program and learn how to do encryption and key management right.

Here are the top reasons to consider joining the Drupal Developer Program:

1. Encryption and key management is critical to effective data security in Drupal website development.
Today, Drupal is a top CMS for all kinds of websites. Some of these websites, such as commerce, health, and government websites collect sensitive data from users that must be encrypted under compliance regulations such as PCI, HIPAA and FISMA. These compliance regulations also have clear language strongly recommending, if not requiring, encryption and key management.
As Drupal developers take on larger clients, these compliance regulations become a greater concern. Historically, the Encrypt module could be used to encrypt any sensitive data collected; however, there was no adequate means to protect encryption keys. Today, with Key Connection for Drupal, developers can help their clients manage encryption keys away from encrypted data on a secure key server and create websites that effectively protect sensitive data.

2. Learn how to encrypt sensitive data and properly manage encryption keys
In the last year, many of the largest data breaches could have been avoided if proper encryption and key management was implemented. Within the Drupal Developer Program, Drupal developers can learn how to implement encryption and key management into their projects from the ground up. Encrypting and management encryption keys is actually quite easy now in Drupal, and learning how to use these tools will prepare Drupal developers for larger projects that require strong data security.

3. Implement strong data security in your web development projects from the ground up
Adding data security after-the-fact is difficult. Building your websites and applications using strong encryption and key management from the ground up prevents data security projects from turning into a massive headache. The Drupal Developer Program allows developers to test encryption and key management in their projects from the start to avoid a complicated project down the road.

4. Build your knowledge of compliance requirements and help to educate your colleagues
Our Drupal Developer Program is designed to educate developers on encryption and key management best practices as well as any compliance regulations you may face. We continuously offer resources to help you learn what you need to know to meet PCI DSS, HIPAA, GLBA/FFIEC, FISMA, and other compliance regulations, as well as state privacy law requirements.

5. It’s free!
There’s no charge to join our Drupal Developer Program. With free access, we hope to give Drupal Developers the freedom to learn about, test, and implement strong encryption and key management so that you will become a security thought leader in your own organization!

Implementing strong data security to protect sensitive data is a top priority for many businesses. Not only does processing and storing sensitive data put you at risk for data loss or breach, it also means that you must meet certain industry regulations and possibly undergo periodic data security audits. Encryption and key management is required if not strongly recommended by many industry regulators such as the Payment Card Industry (PCI) and HIPAA; however, these technologies have a reputation for being difficult, costly, and causing severe impact on server or application performance.

Today this reputation doesn’t holds true, and these common fears can, in fact, get in the way of implementing a strong security solution.

Fear #1 : Encryption & Key Management Will Affect Performance On My System and Applications
One of the most common fears about encryption and encryption key management is that encrypting data will severely impact system performance. It’s true that encryption will have some impact on performance, but if done right, encryption should should never impact your performance more than 2-4%. Performance impacts can also vary based on the amount of data you’re encryption and whether you’re doing whole disk, column and field level, or application level encryption. Because encrypting data at any level is difficult to get right, many organizations who attempt “do-it-yourself” encryption solutions see a much higher performance impact.

Application level encryption is considered the best way to encrypt sensitive data as well as the most difficult. Within an application, an administrator can be selective about which types of data should be encrypted, and which data can be stored in the clear. Therefor the encryption is targeted and only performed on necessary data, which reduces overall performance impact. If done properly, application level encryption will not interfere with your applications.

Fear #2: What if I Lose an Encryption Key?
While the fear of losing a key is legitimate, the keystone of a successful encryption solution is encryption key management, which is the primary solution for managing, storing, and most importantly, protecting encryption keys. Unlike a “key storage” solution, a cryptographic encryption key manager is typically a NIST FIPS 140-2 compliant hardware security module (HSM) or virtual machine in the cloud that manages key storage, creation, deletion, retrieval, rotation, and archival. Many key management solutions are also produced in pairs, with one located in a different geographical location for high availability. If doing encryption key management right, you will never lose an encryption key.

Fear #3: Encryption Key Management Is Too Expensive
Perceived cost is a common barrier for many organizations. However, cutting corners and choosing a third-rate solution is a lot like choosing the cheapest and least reputable car insurance policy: it might get you through the day, but should you ever have an accident, you’ll deeply regret it. Data breaches are no longer a matter of “if,” but “when,” and when a breach happens, it might be the kind that costs you your entire business. Luckily, strong, certified encryption key management solutions are becoming less costly as demand rises and data moves to the cloud. Cost should never be a barrier to good security, and choosing a subscription-based cloud key management solution might be your best way to overcome any cost barriers.

Fear #4: My IT Staff is Too Small
Another common fear is that an organization’s IT department is too small to handle a project like implementing encryption and encryption key management. Encryption key management has a reputation for being incredibly difficult to implement, and many administrators assume that the time and manpower that must be diverted to complete an encryption key management project isn’t worth doing the project at all.

Although this reputation held true ten years ago, encryption key management today has become so simple that in many scenarios can be implemented in less than ten minutes. Of course, ease of implementation always varies depending on your IT infrastructure, platforms, and applications; however, a reputable encryption key management vendor knows that IT departments vary and can work with a variety of platforms in multi-platform environments.

To learn more about encryption key management, download the eBook, Encryption Key Management Simplified.

Townsend Security recently traveled down south to Austin, TX for the Drupal developer annual conference, DrupalCon 2014! In partnership with Cellar Door Media, Townsend Security recently released Key Connection for Drupal, the first encryption key management solution for Drupal. Key Connection for Drupal enables developers to use world NIST-validated AES encryption FIPS 140-2 compliant key management for data stored in Drupal.

At DrupalCon 2014 Townsend Security introduced our new Drupal Developer Program. The Drupal Developer Program puts encryption and key management in the hands of developers, free of charge, to implement and test.

Key Connection for Drupal
Key Connection for Drupal allows Drupal users to encrypt sensitive data and do it right. Historically, the Drupal encrypt module only allowed users to store encryption keys natively, or in other less secure ways. Key Connection for Drupal enables encryption keys to be stored off-site in a FIPS 140-2 compliant encryption key manager. Townsend Security’s Alliance Key Manager is available as an AWS, Microsoft Azure, or VMware instance; as a hosted appliance in the cloud; or as a physical HSM. Alliance Key Manager can also perform onboard encryption, meaning that developers can send sensitive data to the key manager to be encrypted with NIST validated AES encryption so that they can provably meet compliance regulations and their encryption keys never leave the key manager.

Developer Program
At Townsend Security, we know that encryption and encryption key management are critical to strong digital security and meeting several compliance regulations such as FISMA, PCI DSS, HIPAA, etc.  With Key Connection for Drupal we’ve made encrypting data and managing encryption keys easier than ever. We also know that for strong security to become ubiquitous, it must be easy to obtain and implement. That’s why we’ve begun a developer program that puts technology in the hands of the people who use it most. Drupal developers can now join our developer program, for no fee, and receive up to two free Alliance Key Manager licenses to test internally for non-production use. We hope that through the developer program we can help improve data security in Drupal and the community.

Community
Townsend Security firmly believes in giving back to the Drupal community. Through the Developer Program and our participation in the Drupal Association we hope to continue to bring strong security to the Drupal community as we move forward. To sign up for the Drupal Developer Program, contact us here. To learn more about Key Connection for Drupal, visit the Drupal.org project site here.

Your company may survive a data breach. Your job may not.

Just a few days ago Target announced that CEO Gregg Steinhafel would be stepping down in the wake of the massive data breach that exposed millions of customer credit and debit card numbers. This announcement came following the resignation of Target CIO, Beth Jacob, in March. While the consequences of a data breach are far reaching, few business leaders consider themselves in harm’s way. From this data breach, and many others, executives are beginning to realize that they have far more at risk than fines or a slap on the wrist.

At the end of the day, the responsibility for Governance, Risk Management, and Compliance as well as the protection of customers falls directly on the shoulders of the CEO and other accountable executives. Target is not the only organization to push out leadership in the wake of a breach. In 2012, a massive data breach of Utah Medicaid servers exposed personal information of 780,000 individuals, resulting in the resignation of the state Chief Information Officer (CIO) Steve Fletcher. Also in 2012, the South Carolina Department of Revenue (DOR) was hacked, resulting in the loss of 1.9 million social security numbers, and the South Carolina DOR director, Jim Etter, resigned as well. The Target breach resulted in the first resignation of a senior executive in a major corporation.

While risk management is directly incorporated into other daily activities such as financial transactions, as a whole, businesses have yet to fully adopt risk management practices in data security. The Target breach stands as an example of what can happen to business leaders when data security falls to the wayside, and these leaders should consider this breach a wake up call. Not only are lost jobs a major consequence of a data breach, extensive litigation also follows suit.

Business leaders now may be asking themselves how they can prevent a data breach. To avoid the costs of a data breach, a business leader can ask his or her IT security team these questions:

Are we using encryption everywhere our sensitive data is?

Sensitive data such as credit card numbers, financial data, email addresses, and passwords should be encrypted from the moment you received that data from your customer until the deletion of it from your database. An intelligent hacker will detect any holes in your encryption strategy and exploit them. If Target had been using proper encryption and encrypting customer cardholder data from the moment it entered the Point of Sale (POS) system, they never would have become a poster child for bad security, there never would have even been a story, and Gregg Steinhafel would likely still have his job.

Are we protecting our encryption keys?

While encryption is a major player in a strong data security solution, the success of your encryption relies heavily on how well you protect your encryption keys. What many business executives don’t know is that without an encryption key management solution, their IT administrators may be storing the encryption keys locally in a database alongside the encrypted data. This is a common practice for organizations who are encrypting, but don’t have a comprehensive security plan. Executives should understand that if a hacker gains control of the encryption keys, then they can “unlock” the encrypted data, and the encryption itself is rendered useless.

Are we using two factor authentication to prevent unwanted intruders from gaining access to our data?

Two factor authentication is becoming a widely popular method of ensuring that the person viewing your company’s sensitive data is authorized to do so. Usernames and passwords can be easy to steal, so two factor authentication requires the user to present a piece of information they have (such as a one-use code texted to their cell phone) along with the information they know (i.e. username and password).

Are we monitoring our IT technology with system logging software in order to catch malicious activity in real time?

Detecting suspicious activity on your servers is a critical step to preventing a breach, or preventing one from becoming much worse. With good system event monitoring tools, your IT administrators should be able to catch malicious activity in real time, and be notified if anything out of the ordinary occurs.

According to the 2014 Online Trust Alliance Data Protection & Breach Readiness Guide, of 500 breaches studied in 2013, 89% of them were preventable if proper controls and security best practices were used. Business leaders can play an active role in mitigating data breach risk by asking informed questions and becoming acquainted with basic security practices.

To learn more about the disconnect between executives and their IT teams, download the eBook: Turning a Blind Eye to Data Security (Mending the Breakdown of Communication Between CEOs and CIOs.

Roadmap to a Strong Encryption Solution

We live in the time of the data breach. Data privacy experts no longer consider a data breach a matter of “if”, but “when”. That’s why organizations are asking themselves: How do I protect myself? How do I find out what data I’m supposed to protect? For most businesses, they can find out what data they need to protect based on industry data security standards that they fall under. The technology those regulations require or recommend can be difficult to implement, however, especially encryption.

Townsend Security has just released a new eBook, “The Encryption Guide,” to help IT professionals and business leaders alike navigate the steps to implementing a successful encryption solution. This eBook answers both basic and more difficult questions about encryption such as:

• What is encryption
• When should I use encryption?
• What data should I encrypt?
• Where can I encrypt data?
• What are encryption best practices?

Check out the excerpt below from the introduction, and download the full eBook to get answers to these questions and more.

“Data security today is a major problem. Security professionals, administrators, and executives know this because highly publicized data breaches occur on what seems to be a monthly, if not weekly, basis, and lesser-publicized data breaches happen nearly every day. Loss of customer trust, huge payouts in fines, damage to reputation, and business leaders losing their jobs are just some of the consequences associated with a data breach.

Most high profile data breaches result in a lot of finger pointing with little discussion about what actually went wrong, and how other companies can prevent suffering a similar fate. Unfortunately, it is often revealed that some of the largest data breaches could have been prevented had the organization used proper encryption and encryption key management where it was needed.

Unencrypted sensitive data is a dangerous reality for most businesses. It’s an issue complicated by the fact that sensitive data is typically processed and stored in many disparate, fragmented locations so that administrators and business leaders alike aren’t certain where their data is, if they’re handling unknown sensitive data, which data should be encrypted, or know if their data is being encrypted at all.

In this eBook designed for IT administrators and executives, we will discuss how critical encryption is to your business continuity, how a solid encryption plan can help protect your business in the event of a data breach, and encryption best practices that will ensure your data security plan is effective and defensible, and keep you and your customers safe.”

Today, cloud resellers need to know that companies searching for a cloud provider to host their information technology have several good options. Microsoft Azure and Amazon Web Services (AWS) are two popular and trustworthy cloud platforms, and there are many other smaller cloud and private cloud platforms that can meet specific technological needs. However, when moving to the cloud, organizations must also consider the security options provided by that cloud service in order to address their own concerns about data security. This can be an issue for cloud resellers whose customers need good security in order to move to the cloud.

Finding good security on a cloud platform can be difficult when cloud security seems to be far more expensive than the cloud solution itself. Many companies need to encrypt sensitive data such as cardholder data, protected health information (PHI), and other personally identifiable information (PII), as well as manage their own encryption keys to meet compliance regulations.

This is why third-party cloud encryption and key management solutions are becoming more and more popular with cloud resellers who need to provide their customers easy and cost-effective encryption and key management. Third-party security can help a company choose the cloud provider they want without having to compromise their data security due to cost.

Cloud resellers for Azure, AWS, and other cloud providers should consider these concerns their customers’ may have about data security on cloud platforms:

1. Multi-Tenancy

Since it is shared by many users, the cloud is inherently less secure than a hardware solution. Cloud solutions utilize shared resources such as disk space and RAM, which is why the cloud is much less expensive than purchasing your own hardware; however, this means you have less control over who has access to your data. This is why encryption is critical to organizations who are storing sensitive data in the cloud.

2. Standards-Based Encryption

Many organizations attempt “in-house” or do-it-yourself encryption in an attempt to avoid difficult or costly third-party encryption solutions. However, these DIY projects tend to be difficult and rarely result in strong, defensible security. They can lead to huge problems down the road, especially when it comes to meeting compliance regulations, and it is common for these solutions to fail data security audits.

One major reason a DIY approach to encryption often fails is a lack of strong cryptography and and encryption key management. The management and documentation of encryption key lifecycle, rotation, creation, and deletion is mandated by many regulations such as the Payment Card Industry Data Security Standards (PCI DSS). Anyone handling sensitive data must meet specific encryption and key management requirements set forth by the industry or government regulations they fall under.

For these reasons, most organizations chose a certified third-party encryption and key management vendor to help them meet compliance as well as centralize and streamline the encryption and key management of all of their sensitive data in the cloud.

3. Encryption Key Management

Encryption key management is a major concern for cloud users. Even if their cloud vendor offers a native encryption option, how that vendor manages encryption keys can be a barrier for organizations who need to manage their own encryption keys in order to meet compliance. In accordance with many compliance regulations, businesses must document how they manage their encryption keys away from their encrypted data. This can be very difficult if your encryption keys are being stored in the cloud and accessible by the cloud provider. Some cloud providers offer encryption key management; however, they do so at a cost that makes using the cloud an unattractive choice. Cloud resellers must be aware that this, too, can be a barrier to cloud adoption.

Cloud resellers need to know that security is a barrier for many companies who wish to move to the cloud. Building a toolbox of certified cloud encryption vendors can help them win these customers and gain new revenue.

To learn more about encryption key management for the cloud, view our webinar, “Encryption & Key Management Everywhere Your Data Is,” featuring data privacy expert Patrick Townsend.

In light of the recent, massive Target data breach, and the fact that Target had passed a PCI DSS audit yet lacked proper security controls, many organizations are searching for stronger data security. Using encryption to protect sensitive data should be considered a top priority for organizations that want to protect themselves from a potential data breach. Strong, defensible encryption used in conjunction with strong key management and a system logging solution can enable a business to catch a breach in real time when it happens, and know that any sensitive data that has been accessed is undecipherable by the attacker. Even with sophisticated and expensive malware detection software, the only way to secure the breach and avoid breach notification is with encryption and encryption key management.

Few organizations are aware of the extreme criticality of encryption and key management, and for the ones that are aware, many still consider encryption a last-effort solution and grapple with its reputation for being difficult and costly. Encryption and encryption key management can be difficult and costly; however, it doesn’t need to be. Different encryption key management vendors offer varying features and applications as well as pricing structures, and finding a solution that can integrate easily into your IT infrastructure is an achievable task. The key is to look for specific features that increase ease of use while decreasing costs.

1. Easy to use client side applications - A security expert and developer once said to me, “People say a lot of things aren’t ‘rocket science,’ but encryption key management is like ‘rocket science’. This is why businesses very rarely develop their own encryption and key management solutions internally. How easy an encryption key management vendor makes their solution to use is a major factor of a purchasing decision. If encryption is going to become as widely used as it needs to be, the client-side applications that manage encryption keys must be usable and intuitive to the average security administrator.
2. Scalable pricing structure - Scalability results in affordability. Not every company can invest in millions of dollars of malware detection and security consultants, and we’ve found out that the companies who can afford those services still have data breaches. Data breaches don’t discriminate, which is why encryption and key management solutions must be affordable for organizations, regardless of size. Five years ago, the only encryption key management solutions available were very expensive hardware solutions. Many vendors charge extra fees per network connection, which is neither an easy or scalable solution for companies that are growing. These hardware security modules (HSMs) are still widely used and preferred by businesses with a low tolerance for security risk, but many are turning to newer cloud solutions that offer the same certified technology with a lower price tag.
3. Cloud compatibility - Moving applications and data centers to the cloud is a natural step for organizations attempting to consolidate their IT infrastructures and lower operational costs. Security, however, remains the number one concerned for the cloud--a multi-tenant environment that shares resources with other users. Encryption and key management is essential to protecting any sensitive data processed or stored cloud applications or databases, and cloud-based or hosted solutions are readily available. Just remember that your key management solution must be FIPS 140-2 compliant and not share services with other users in order to be compliant with most data security regulations.

Encryption and encryption key management are essential, proactive technologies that help organizations remain intact in the event of a data breach. Look for these three features in a certified solution to protect yourself and your customers.

Townsend Security’s FIPS 140-2 compliant “one-click” ready-to-use key management solutions enable cloud users to easily protect their data in the cloud or data center at an affordable price. Learn more by viewing the webinar, “Encryption & Key Management Everywhere Your Data Is,” featuring data security expert Patrick Townsend.

On February 19th the University of Maryland disclosed to the public a data breach exposing over 300,000 records of students, faculty, and alumni including names, social security numbers, and dates of birth.

Universities and colleges using their website to communicate with students are aware of the fact that their website is a massive portal for student data. From the moment a potential student applies to a university through its website, up through each time a student submits financial and health information, thousands of personal records are being collected by the website and stored for internal use in databases.

Why is this data not being protected? That’s the big question asked by data security experts and concerned students alike, who are aware of the massive number of data breaches that occur yearly through websites. The information submitted on higher education websites includes nearly everything a hacker or malicious user wants including: home addresses, social security numbers, phone numbers, email addresses, passwords, parent names, credit card, and financial data. Many universities run teaching hospitals, not to mention their own student health services. Protected health information (PHI) entered through patient portals also poses a huge risk if the data isn’t protected.

This information should not only be encrypted to protect students, faculty, and patients alike, but it should be encrypted because the collection of financial data, credit card data, and PHI fall under industry regulations such as HIPAA/HITECH and PCI-DSS which require the encryption of this data.

Here’s the good news: Many college and university websites are built using the common content management system (CMS) Drupal. Drupal is one of the most widely used CMS platforms, and is used by both small start-ups and Fortune 100 enterprises. It is very commonly used for higher education sites. Drupal has a long history with addressing security in its modules, and in fact has even supported an Encrypt module to encrypt sensitive data. Although the Encrypt module made encrypting data easy for Drupal users, it lacked a very important component of successful encryption: encryption key management.

Encryption key management is the foundation of a successful encryption strategy. If the encryption key is stored locally with the encrypted data, then a hacker who gains access to the data can immediately decrypt the data, making the encryption useless. If the key is protected, away from the encrypted data, then the data remains safe, even if accessed by an attacker.

Ok, here’s the actual good news: Stronger encryption and encryption key management is now available for Drupal users. Chris Teitzel and Rick Hawkins, Drupal developers and owners of Cellar Door Media have recently teamed up with Townsend Security to create Key Connection for Drupal--a module that enables NIST-validated AES encryption and FIPS 140-2 compliant key management for data in Drupal.

Key Connection for Drupal offers these important features:

• Encryption anywhere you want it - The Key Connection for Drupal APIs allow developers to encrypt data and protect encryption keys anywhere data is collected in a website from student enrollment applications to student health service portals.
• Onboard encryption - While Drupal developers can still use the encrypt module to encrypt sensitive data, and protect the encryption keys to a cloud or physical key management module, they also have the option to do “onboard” encryption within the key manager using NIST validated AES encryption. This is a critical new feature for business who need to meet PCI-DSS compliance requirements.
• Multiple key management options - Developers can choose from multiple key management options from key management in the cloud to a physical hardware security module (HSM) that they can rack up in their own IT infrastructure. Townsend Security also offers virtual and hosted options.

To learn more about Key Connection for Drupal and how you can encrypt sensitive data in Drupal using NIST validated AES encryption and protection of encryption keys using FIPS 140-2 compliant key management, listen to the podcast featuring the Key Connection for Drupal developers.