Townsend Security Data Privacy Blog

Liz Townsend

Recent Posts

Should Solution Integrators (SIs) Offer Encryption Key Management?

Posted by Liz Townsend on Feb 13, 2013 8:25:00 AM

Download Podcast: Benefits of Automatic Encryption


Listen to our podcast to learn how easy it is to use FIELDPROC for automatic encryption.


When a solution integrator assesses a company's IT and data security needs, most solution integrators know that almost every business will need to meet at least one set of data security compliance regulations. A retail business will need to meet PCI-DSS; a bank or financial company will need to meet FFIEC and GLBA; a healthcare organization will need to meet the data security requirements of HIPAA-HITECH.

All of these regulations require that entities protect their sensitive data. From names and addresses to credit card and protected health information, these regulations say that the only way to truly secure this data is with encryption: not just firewalls and strong passwords, but AES encryption. Even more importantly, most industry regulations and laws state that if a company is using encryption and proper encryption key management, it does not always have to report a data breach should one occur.

Do you think the companies who had major data breaches last year wish they had known that little fact? We're guessing, yes. 

Unfortunately, there's a lot of false information out there about encryption and encryption key management. A common misconception is that hackers break encryption. The truth is, hackers don't break encryption; they find the encryption keys. How do they find the keys? If the keys are stored on the same device as the encrypted data, or in an unsecured location that the hacker gains access to, the hacker simply takes the keys and uses them to "unlock" the encrypted data.

It's a little bit like taping your house key to your front door and hoping that a thief won't find it there. It's wishful thinking. 

That's why encryption is considered only half of a solution. All companies encrypting data also must implement good encryption key management. 
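As an added illustration (not code from Townsend Security or from this post), the following Go program shows the separation the paragraphs above argue for: the data store holds only ciphertext plus a key ID, while a separate key manager (standing in for a key server or HSM) hands out AES-256 keys only to trusted client identities and logs every request, so a stolen copy of the records is useless on its own and a key request from an untrusted host appears in the audit trail. The client names, key IDs and sample card number are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyManager stands in for a separate key server or HSM: it holds the keys, decides which client identities may fetch them, and logs every request.
type KeyManager struct {
	keys    map[string][]byte
	allowed map[string]bool
	Audit   []string
}

// NewKeyManager serves keys only to the named client identities.
func NewKeyManager(allowedClients ...string) *KeyManager {
	km := &KeyManager{keys: map[string][]byte{}, allowed: map[string]bool{}}
	for _, c := range allowedClients {
		km.allowed[c] = true
	}
	return km
}

// CreateKey generates a random AES-256 key that stays inside the manager.
func (km *KeyManager) CreateKey(keyID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	km.keys[keyID] = k
	return nil
}

// GetKey enforces the access policy and records the outcome either way.
func (km *KeyManager) GetKey(keyID, clientID string) ([]byte, error) {
	k, ok := km.keys[keyID]
	if !ok || !km.allowed[clientID] {
		km.Audit = append(km.Audit, fmt.Sprintf("DENIED client=%s key=%s", clientID, keyID))
		return nil, fmt.Errorf("key retrieval denied for client %q", clientID)
	}
	km.Audit = append(km.Audit, fmt.Sprintf("GRANTED client=%s key=%s", clientID, keyID))
	return k, nil
}

// Record is all the database holds: nonce, ciphertext and the ID of the protecting key. Key bytes are never written next to the data.
type Record struct {
	KeyID string
	Nonce []byte
	Data  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt fetches the key under the caller's identity and seals the plaintext with AES-256-GCM; the Record carries only the key ID.
func Encrypt(km *KeyManager, clientID, keyID string, plaintext []byte) (Record, error) {
	key, err := km.GetKey(keyID, clientID)
	if err != nil {
		return Record{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{KeyID: keyID, Nonce: nonce, Data: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt resolves the record's key ID through the manager; an untrusted client gets an error and a DENIED audit entry, not plaintext.
func Decrypt(km *KeyManager, clientID string, r Record) ([]byte, error) {
	key, err := km.GetKey(r.KeyID, clientID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Data, nil)
}

func main() {
	km := NewKeyManager("app-server")
	_ = km.CreateKey("cardholder-key-v1")
	rec, _ := Encrypt(km, "app-server", "cardholder-key-v1", []byte("4111111111111111")) // constructed sample, not real data
	// A record copied out of the database is useless on its own: the untrusted host is refused the key and the refusal is logged.
	_, err := Decrypt(km, "stolen-laptop", rec)
	fmt.Println(err, km.Audit)
}
```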

Of course solution integrators want to know how offering their customers encryption key management services can grow their business. There's actually still a lot of hesitation around encryption key management as a service because managing keys was once a very difficult and costly thing to do. It even had a reputation for causing severe performance impacts on a network. Maybe that was true 10 years ago, but today encryption and key management technology is: 

  • Easier than ever to implement on legacy platforms such as IBM i and Microsoft SQL Server 

  • Cost effective

  • Very low in performance impact.

That’s why offering encryption key management to your customers is always a good idea. It will not only grow your business; it will also protect your customers and help them meet compliance (which they’ll be thankful for).

Townsend Security is a Microsoft Silver Partner and an Advanced partner with IBM, providing the only FIPS 140-2 certified key management solution for PureFlex. Want to learn more about encryption and key management for IBM platforms? Download the podcast on automatic encryption for IBM i below!

Topics: IBM i, Encryption Key Management, Solution Integrators/Providers

Top 10 Encryption and Key Management Pitfalls

Posted by Liz Townsend on Jan 29, 2013 11:23:00 AM

Webinar: Top 10 Encryption and Key Management Pitfalls


View our Webinar "Top 10 Encryption and Key Management Pitfalls"


We’ve heard a lot of different excuses and reasons for a company to decide not to encrypt sensitive data — “it’s not in our budget”, “a data breach won’t happen to us”, etc. Among the companies that are taking responsibility to protect their customers’ sensitive information with encryption, we often see a few common pitfalls that make their encryption strategy weak. A weak encryption strategy isn’t much better than having no encryption strategy at all. Here are the top 10 encryption pitfalls to avoid in order to implement strong encryption:

1. Failure to Assess Risk

We are still finding today a lot of organizations and companies that have not implemented any type of data protection at all. When we talk to a company taking credit cards and not encrypting that credit card information, we know that they have not properly assessed what it means to fail a PCI-DSS audit or to have a breach while not meeting PCI-DSS standards. The risks associated with a data breach not only include fines paid to the government, but also the cost of credit monitoring for your customers with compromised data, loss of trust from stakeholders, and damage to your brand name.

2. Encryption Key Management

Once you start an encryption project you’ll be faced with the one, core technical requirement: protecting the encryption keys. One of the biggest causes of audit failure for encryption is not adequately protecting those keys. Getting a secure, FIPS 140-2 compliant key management device in place to protect your encryption keys will help you avoid having to go back and re-do your encryption project using proper key management.

3. Client Side Support

Does your vendor supply you with all of the tools you need to implement encryption and key management? Choosing a vendor that provides poor client-side support can be a huge detriment to your encryption project. That is why it’s important to choose a vendor that will provide sample code and applications that snap into client-side environments to make your encryption project faster and easier.

4. Virtual and Cloud Environments

Today, security is the number one concern for companies migrating to the cloud. The principles of encryption and key management remain largely the same, but the question of how to manage keys for encrypted data in the cloud is still debated. Hosting encryption keys “in-house” is currently the most common model. Even if you’re managing your encrypted data in-house, be aware that you may choose to move to a virtual or cloud environment in the future, and you will want to make sure that your encryption and key management strategy can migrate with you to the cloud.

5. NIST and FIPS Certifications

Industries that deal with sensitive client information such as credit card numbers, social security numbers, and private health information must adhere to regulations (some of them governmental) in order to protect individuals’ personal and sensitive information. These regulations follow recommendations by the National Institute of Standards and Technology (NIST). When protecting data at rest, you should be using Advanced Encryption Standard (AES) encryption, which is a standard put forth by NIST. You should also look for a key management device with FIPS 140-2 validation, also a NIST standard.

6. Performance - What are the Performance Impacts?

It’s possible to encounter serious performance impacts when you implement encryption. That’s why we recommend not only that you use AES, NIST-certified solutions, but also that, if you’re the IT person dealing with the encryption, you do some preliminary testing of the encryption on a sample database the same size as the actual database you will be encrypting. Your encryption and key management vendor should be able to help you do this with ease.

7. Ease of Use

An encryption and key management solution that is difficult to use can lead to a slowed project, unexpected costs, and delays. This can be a huge roadblock, especially if you are struggling to address a data protection problem or meet deadlines imposed by compliance regulations. To avoid ease-of-use problems, look for a solution with a GUI designed to run on your platform that gives you the necessary points of access to your encrypted data and encryption keys.

8. Data Leakage to Quality Assurance (QA) and Test Environments

Segmenting your critical data apart from non-critical data is an important step in preventing leakage of the critical data onto unprotected environments such as testing and development environments. Simple employee mistakes make up a large portion of the data breaches that occur every year. Knowing which servers your sensitive data is located on and making sure that data doesn’t accidentally get moved to an unsecured location is critical.

9. System and Compliance Logging

Most compliance regulations including PCI-DSS recommend if not require some sort of system logging of your critical data. Whether it is file integrity monitoring or system logging to collect and store security events, these tools help you to catch changes to your database in real time. This is actually one of the most important parts of data security, and many data breaches can be immediately detected with system logging.

10. Budget Should Not Be a Barrier

When implementing encryption and key management, trying to save money by skipping steps will cause you a great deal of grief. Conversely, your encryption and key management vendor should be able to offer you a NIST certified, scalable solution at an affordable price.


Topics: Encryption, Data Privacy, Encryption Key Management

Are Emails and Passwords Personally Identifiable Information (PII)?

Posted by Liz Townsend on Jan 17, 2013 1:52:00 PM

AES Encryption & Related Concepts


Download the white paper "AES Encryption & Related Concepts"


In 2012, we saw several large data breaches occurring to website-based companies such as LinkedIn, eHarmony, and Last.fm. These breaches exposed millions of passwords and led us to ask the question, are emails and passwords personally identifiable information (PII)? Because people tend to use email addresses and passwords across multiple website accounts that might contain information such as first and last names, physical addresses, and credit card information, we suspect that if email addresses and passwords aren’t considered PII by everyone today, they soon will be.

Last year I wrote a blog article on the states that had passed some sort of data privacy law, and how widely each state’s definition of PII varies:

(Aug. 8th, 2012) “A significant number of states just lifted verbatim what other states had written into law. A rough guess is that about one third of the states had almost identical data privacy laws.

But the remaining two thirds of the regulations varied greatly, even in defining what PII is. It was common to consider the First Name and Last Name in combination with a Social Security number, bank account number, or driver's license number as information that constituted PII that needed to be protected. But after reading and collating all 45 states, I found 41 data items that were considered PII! In addition to the standard data items, I found passport numbers, military IDs, medical numbers, email addresses, and much else. I even found definitions of PII that went something like this: ‘Any information in aggregate that can identify an individual must be protected.’ It was a lot of ground to cover.

So, should you be protecting email addresses? Absolutely!”

This is something I believe not only still holds true, but will become even more important in the future. Using encryption to protect log-in information and passwords is the best way any one company can protect that information. Of course, using good encryption key management is also a critical part of that process. Even if a hacker gets hold of encrypted data, they cannot get access to that data unless they also find the encryption keys.

For more information, download our white paper "AES Encryption and Related Concepts" and learn about how proper encryption and encryption key management work together to secure your data.


Topics: security, privacy laws, Data Privacy

What is Enterprise Key Management?

Posted by Liz Townsend on Jan 15, 2013 8:16:00 AM

Q: What is enterprise key management? What questions should I ask an enterprise key management vendor?

eBook: Definitive Guide to Encryption Key Management

When it comes to protecting sensitive data, it’s fairly common knowledge today that the best way to protect that data is to encrypt it. Companies of all sizes must do this whether they’re taking credit card information, names and addresses, or protected health information. These days encrypting your data is pretty easy. Some operating systems even do it for you, automatically. And if you have a fairly small database of sensitive data that’s stored all in one place, then the key management for your encrypted data is also pretty straightforward.

However, not all networks are so simple. Many times I run into companies who not only store their data on several different operating systems, but they also use several different versions of each system. With such a highly complex network, it can be difficult for IT administrators to easily encrypt all of their sensitive data. They might not even know where their sensitive data is! The complexity of the database infrastructure might be so overwhelming, that implementing an encryption key management system doesn’t even seem feasible.

That’s because these companies don’t just need a key management solution, they need an enterprise key management solution.

Enterprise key management is a term used today to refer to professional key management systems that provide encryption keys across a variety of operating systems and databases. A network, for example, might be comprised of several different versions of Microsoft SQL Server as well as IBM i, Linux, UNIX, or Oracle servers, as well as backup tapes and data stored in the cloud. The encryption key manager needs to be able to communicate simultaneously with all of these locations in order to provide encryption keys, decrypt, and rotate keys.

Your enterprise key manager (not to be confused with Extensible Key Management, or EKM for Microsoft SQL server) should have high availability and be located centrally in the network, typically in a protected hardware security module (HSM). When looking for an enterprise key management solution, make sure you ask your key management vendor these important questions when assessing their solutions:

  1. Is your key manager FIPS 140-2 certified?  What is the certificate number?
  2. How would you describe the encryption key payload as retrieved from the key server?  Is it simple or complex?
  3. Is there a common key retrieval application interface on all platforms?  What are the differences?
  4. What platforms do you support for key retrieval?  (Note any gaps in platform coverage for your company)
  5. Do you provide working sample code for the platforms I need? (Windows, Linux, UNIX, IBM i, IBM z)
  6. Do you supply binary libraries for all enterprise servers?
  7. Do you have a Java key retrieval class and examples? Is it standard Java or JNI?
  8. Do you charge separate license fees for each client operating system?
  9. Do you require that we purchase consulting services from you?  Why?
  10. I am an independent software vendor (ISV), can you brand the solution and certify the solution for us?

For more information on the importance of encryption key management, download our ebook "Definitive Guide to Encryption Key Management Fundamentals" and learn how to overcome the challenges of deploying encryption key management in business applications.


Topics: Encryption, Data Privacy, Encryption Key Management

9 Steps to Easy Encryption Key Management

Posted by Liz Townsend on Dec 20, 2012 12:43:00 PM

View Webinar: Encryption Key Management - Easier Than You Think


Listen to this podcast to learn about how easy and affordable encryption key management can be.


Encryption key management has a bad reputation. How bad? I once heard a SQL Server professional describe encryption key management as so costly and difficult to implement, it is a “nightmare.”  It’s hard to imagine that attempting to simply manage your encryption keys evokes images of terrifying dreams that wake you up at night in a cold sweat. However, for many database administrators who must encrypt data, the idea of incorporating a good encryption key management strategy (dual control, separation of duties, etc.) really does sound like a daunting task. Most DBAs assume that a key management project is time consuming, expensive, incredibly complicated, and requires specialized third-party consultants. Simply getting the encryption key manager up and running is a huge headache.

We don’t believe good encryption key management needs to be difficult. In fact, we believe that good encryption key management should have these 9 easy features:

  1. Easy to Install: A single rack-unit (1U) server plugs right into your IT infrastructure and requires no on-site technician to install.
  2. Easy to Configure: Install your license, certificates and keys, configure options, and start the server all within a standard, secure web browser and administrator console.
  3. Easy to Manage: Operate your console within secure and authenticated TLS sessions, use two admins for dual control, collect logs, manage multiple servers as well as manage local and remote key servers, all through one interface.
  4. Easy to Evaluate: Evaluating a product before you buy shouldn’t be difficult. You should be able to evaluate the product without any hardware on a ready-to-use VMware instance or an internet-based demo server, pre-configured with licenses, certificates, and keys.
  5. Easy on Developers: Developers should be provided with a rich library of documentation and sample code to use in their applications for any platforms that need more development to get key management running smoothly.
  6. Easy to License: You should not need to license every end point that connects to the key server. The cost and complexity of licensing all endpoints is unnecessary and can be a huge barrier to getting data protection up and running quickly across the organization.
  7. Easy to Own: Key management should be affordable to small and mid-sized businesses. The solution should be scalable to each organization’s needs.
  8. Easy to Deploy: Customers should always have access to direct shipping, a simplified order process, remote configuration, and installation services.
  9. Easy to Sell: Integrating a key management solution should be easy for partners and include easy software integration, thorough technical and sales training, multiple support plans, and flexible and tiered solutions!

Looking for key management as easy as this? View our webcast, “Encryption Key Management Simplified - Removing Complexity & Cost” to learn more. Or contact us for a technical overview on Alliance Key Manager, our encryption key manager, with one of our technical sales support representatives.

Topics: Alliance Key Manager, Best Practices, Encryption Key Management

Healthcare Data Breaches - 4 Major Factors of a $7 Billion Problem

Posted by Liz Townsend on Dec 12, 2012 8:30:00 AM

Webinar: Protecting PHI and Managing Risk - HIPAA Compliance


View our Webinar "Protecting PHI and Managing Risk - HIPAA Compliance"


If you knew that something was going to happen to your business that would cost you not only your clients' trust but also $13 million (the average cost of a healthcare data breach), would you try to prevent that thing from happening?

According to the Ponemon Institute study, Third Annual Benchmark Study on Patient Privacy & Data Security, healthcare data breaches cost the industry $7 billion annually. Unfortunately, that's not the most shocking number in the study. As it turns out, 94% of healthcare organizations have experienced at least one data breach over the past two years. Almost half of all healthcare organizations have experienced at least five data breaches each over the past two years. This means that almost 100% of healthcare organizations have lost patient data such as private health information, names and addresses, credit card information, and social security numbers. If you're wondering how identity theft happens, this is it!

In a recent article published by Forbes, Rick Kam of ID Experts and Larry Ponemon of the Ponemon Institute pointed out four major issues around data security in the healthcare industry:

1. Cost of a data breach: "Data breaches cost the U.S. healthcare industry nearly $7 Billion annually."

The cost to the industry includes losing patient trust, providing patients with credit monitoring services, as well as paying out hefty fines to HHS. The cost to patients often comes in the form of identity theft.

2. Electronic records: "The rise of electronic health records (EHRs) is putting patient privacy at risk."

Using computers to store and organize patient data is a blessing to most healthcare providers. However, maintaining electronic records not only causes healthcare organizations to fall under state and industry data privacy regulations, it also opens up the door to data breaches caused not only by external hackers looking to make a buck, but also employee mistakes which account for about one third of all data breaches.

3. Mobile devices and the cloud: "The rise of mobile and cloud technology threaten the security of patient data."

These days many doctors and healthcare providers use personal mobile devices to access patient data. How are these devices protected? Often they are not. Since many organizations, healthcare organizations included, are now using cloud providers to store data, cloud security has also become a hot topic. How do you secure your data stored in the cloud, when it may be accessed by other users? Encryption and encryption key management are the best place to start. [Blog: 3 ways to manage encryption keys in the cloud]

4. "Little time, even less money"

Budget is one of the biggest factors that goes into an organization's data security plan. The tools needed for a comprehensive data security plan such as encryption and encryption key management may seem expensive and complicated, but the solutions out there today are in fact cost-effective and easier than ever. In the end, a company's security posture really comes down to priorities. Is preventing a multi-million dollar data breach a priority? Or will you leave it up to chance?

Encrypting your data at rest and data in motion is the first critical step to protecting your database. Always look for NIST and FIPS certifications to ensure you are using the best encryption and key management tools available.

View our webcast “Protecting PHI and Managing Risk – HIPAA/HITECH Compliance” to learn how your organization can manage their risk of a data breach and achieve breach notification safe harbor status.


Topics: HITECH, Data Privacy, Best Practices, HIPAA, Healthcare, Data Breach

5 Data Security Myths Debunked: Part 2

Posted by Liz Townsend on Dec 7, 2012 11:46:00 AM

Podcast: The Data Protection Trifecta - Encryption, Key Management, and Tokenization


Learn more how encryption, key management, and tokenization can keep your data secure.


These are the last two myths in our installment “5 Data Security Myths Debunked.” With the rise of data breaches occurring all over the world, we’ve been watching closely to see how company leaders are responding to these incidents. To say the least, we have been shocked by what some government leaders and CEOs have said surrounding data security in their own organizations. We believe that some of these sentiments are highly misleading, if not downright false. That is why we have decided to compile these statements into five "myths" of data security. These myths come from direct quotes by CEOs and government leaders.

Myth #4: There is nothing you can do to prevent your company from being hacked

Fact:
There are many actions a company can take to protect its network and prevent a data breach:

  • Know which parts of your data are considered “sensitive”, and know where all of your sensitive data is stored. Is it on one server or many servers? Is it stored in applications or databases? Do you have multiple data centers that store sensitive information?
  • Use file integrity monitoring (FIM) or system logging to be alerted to changes in system configuration, sensitive data, or unauthorized access in real time.
  • Develop and enforce a unified, proactive data security policy to protect data at rest and in transit across your company’s entire network.
  • Use AES standard encryption to encrypt sensitive data at rest and FIPS 140-2 compliant key management to protect your encryption keys.
  • Automate updates to firewall configurations, password changes, and system patches.
  • Restrict employee access to sensitive data.

Myth #5: CEOs do not need to be concerned about data security.

Fact:
Data security isn’t just the Chief Information Security Officer’s (CISO) problem, it’s a business problem that affects both the C-level and the IT level of an organization. IT security is often not made a priority due to the disconnect between perceived and actual vulnerability within a company’s IT infrastructure. A recent survey by CORE Security found that approximately 75% of CEOs surveyed didn’t believe their networks were under attack or already compromised, while 60% of CISOs felt very concerned about attacks and believed their systems were already breached.

Poor data security is a business risk. The consequences of a data breach include loss of reputation, loss of customer trust, and hefty fines. In 2011, the average data breach cost an organization $5.5 million. Despite these often highly publicized repercussions, 65% of CEOs surveyed by CORE Security reported that they did not have the information they need to translate IT risk into business risk.

Topics: Data Privacy, Best Practices, Data Breach, Security News

5 Data Security Myths Debunked: Part 1

Posted by Liz Townsend on Dec 3, 2012 3:18:00 PM

Webcast: Four Solutions for Data Privacy Compliance


Learn what regulations say about data protection and how encryption, tokenization, key management, and system logging can help keep your company in compliance.


With the rise of data breaches occurring all over the world, we’ve been watching closely to see how company leaders are responding to these incidents. To say the least, we have been shocked by what some government leaders and CEOs have said surrounding data security in their own organizations. We believe that some of these sentiments are highly misleading, if not downright false. That is why we have decided to compile these statements into five "myths" of data security. These myths come from direct quotes by CEOs and government leaders.

Myth #1: Encrypting social security numbers is not a standard in most industries, including banks. 

Fact:
Most banks and financial institutions adhere to state laws and industry regulations (such as FFIEC and GLBA) regarding the protection of social security numbers.

For example, California data privacy law identifies Social Security numbers as a critical piece of personally identifiable information (PII) that must be protected using “reasonable security procedures and practices appropriate to the nature of the information” such as encryption or redaction (1798.81.5). The law holds businesses within the state, financial or otherwise, to the same data security requirements the state itself must meet: any business owning or licensing computerized data containing PII such as names and Social Security numbers must protect that data using encryption, redaction, or other methods that render the data unusable in order to avoid data breach notification (1798.29). The average cost of a data breach is $5.5 million (Ponemon, 2012).

The FFIEC IT Handbook action summary states that “Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. Encryption implementations should include: Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk, effective key management practices, robust reliability, and appropriate protection of the encrypted communication endpoints” (ithandbook.ffiec.gov).

Myth #2: Encryption is too complicated for my IT and database administrators.

Fact:
Most database platforms such as SQL Server, Oracle, and IBM i are designed to easily implement encryption and encryption key management solutions. SQL Server and Oracle, for example, use Transparent Data Encryption (TDE) and Extensible Key Management (EKM) to easily encrypt data. IT professionals agree that these tools make encryption easier. “TDE is relatively straightforward” - Michael Otey, SQL Server professional (www.sqlmag.com). Encryption with TDE on SQL is “Easy to Implement and administer” -Brad M. McGehee, SQL Server professional, MCTS, MCSE+I, MCSD (https://www.bradmcgehee.com).

Learn how to set up TDE and EKM on SQL Server 2008/2012 in 10 minutes or less here.

Myth #3: Data breaches are usually caused by highly sophisticated hackers.

Fact:
The top four mechanisms for a hacker to break into a company’s network are: exploiting system vulnerabilities, default password violations, SQL injections, and targeted malware attacks (Symantec, 2009). These techniques are not considered highly sophisticated. They are used often to penetrate networks with inadequate security.

Curious what the final two data security myths are? View "5 Data Security Myths Debunked: Part 2" to find out if there is really nothing you can do to prevent your company from being hacked and whether or not CEOs should be concerned about data security.


Topics: Data Privacy, Best Practices, Data Breach, Security News

3 Big Reasons You Need File Integrity Monitoring (FIM) on Your IBM i

Posted by Liz Townsend on Nov 20, 2012 10:42:00 AM

Podcast: File Integrity Monitoring on the IBM i


Learn more about File Integrity Monitoring (FIM) on the IBM i.


1. Increased security of sensitive data

The number one advantage of File Integrity Monitoring (FIM) is increased security in your database(s). When you look at how data breaches happen, we often see a very similar chain of events. First, the data breach is discovered by someone inside the company, or a third party investigator. Second, the breach was discovered to have happened weeks, if not months ago. Third, the security holes in the IT infrastructure take several more weeks to plug. And finally, the database administrators discover that the breach could have been completely avoided using tools, such as file integrity monitoring. I won’t even go into the subsequent steps which also include data breach notification and paying hefty fines (an average data breach costs $5.5 million, by the way).

FIM allows you to see potentially harmful changes made in your database in real time. FIM helps you to detect early events by monitoring for changes to access controls, configurations, and all sensitive data at both database and application levels. For example, if you are storing social security numbers, credit card numbers, or other personally identifiable information (PII) on your IBM i, you can subject those fields to file integrity monitoring to catch any changes to that data immediately when it happens.
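As an added example (not from this post or from Townsend Security's products), the Go program below implements the core of the file integrity monitoring described above: a baseline of content hashes and permission bits for every file under a monitored path, and a comparison that reports modified, permission-changed, added and deleted files. The scratch directory and file names are constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Fingerprint is what the baseline keeps per file: a content hash plus the
// permission bits, so data edits and access-control changes are both visible.
type Fingerprint struct {
	SHA256 string
	Mode   fs.FileMode
}

// Change is one alert produced by Compare.
type Change struct {
	Path string
	Kind string // "added", "deleted", "modified" or "permissions"
}

func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", h.Sum(nil)), nil
}

// Baseline fingerprints every regular file under root, keyed by slash-separated
// path relative to root so the result can be stored and compared later.
func Baseline(root string) (map[string]Fingerprint, error) {
	base := map[string]Fingerprint{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		sum, err := hashFile(path)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, path)
		base[filepath.ToSlash(rel)] = Fingerprint{SHA256: sum, Mode: info.Mode().Perm()}
		return nil
	})
	return base, err
}

// Compare diffs a stored baseline against a fresh one. Changed content is reported as
// "modified" even if the mode changed too; a mode-only change is "permissions". Sorted by path.
func Compare(old, cur map[string]Fingerprint) []Change {
	var out []Change
	for p, o := range old {
		c, ok := cur[p]
		switch {
		case !ok:
			out = append(out, Change{p, "deleted"})
		case c.SHA256 != o.SHA256:
			out = append(out, Change{p, "modified"})
		case c.Mode != o.Mode:
			out = append(out, Change{p, "permissions"})
		}
	}
	for p := range cur {
		if _, ok := old[p]; !ok {
			out = append(out, Change{p, "added"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

func main() {
	dir, _ := os.MkdirTemp("", "fim-demo") // constructed scratch tree, not a real data path
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "customers.db"), []byte("row1"), 0o600)
	os.WriteFile(filepath.Join(dir, "app.conf"), []byte("debug=off"), 0o600)
	before, _ := Baseline(dir)
	os.WriteFile(filepath.Join(dir, "customers.db"), []byte("row1,row2"), 0o600) // data edited
	os.Chmod(filepath.Join(dir, "app.conf"), 0o644)                             // config opened up
	os.WriteFile(filepath.Join(dir, "export.csv"), []byte("id,ssn"), 0o600)     // new file dropped
	after, _ := Baseline(dir)
	for _, c := range Compare(before, after) {
		fmt.Printf("%-12s %s\n", c.Kind, c.Path)
	}
}
```

In production the baseline would be persisted outside the monitored host and the comparison run on a schedule or on filesystem events, with each Change forwarded to the log collector.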

2. Comply with Industry regulations to pass your next audit

You should always know which data security regulations apply to your organization. PCI DSS explicitly calls for file integrity monitoring, or another change-detection mechanism, to alert personnel to unauthorized modification of critical system, configuration and content files (Requirement 11.5); note that the control detects and alerts on changes rather than preventing them. File integrity monitoring is also a critical component of Sarbanes-Oxley (SOX) compliance for publicly traded companies, since SOX requires controls over the integrity of financial data and the systems that produce it. The Federal Information Security Management Act (FISMA), implemented through the National Institute of Standards and Technology (NIST) SP 800-53 control catalog (integrity-verification control SI-7), likewise lists file integrity monitoring as a recommended security control.

3. Not a Matter of If, but When

There’s a very good reason governments and industries keep imposing more stringent data security regulations on public and private organizations alike: the number of data breaches each year is not slowing down. It’s speeding up! A common sentiment these days is that a data breach at your company isn’t a matter of “if”, but “when”. Think about it this way: how many times has your bank called to tell you that your credit card has been compromised and a new number is being issued? Once? Twice? Three times? More? The unfortunate reality is that even though data breaches are spreading like wildfire, many businesses are doing too little or nothing at all to protect their data. When the fire reaches your business, I bet you won’t be thinking, “good thing I didn’t waste my time on fire alarms and homeowner’s insurance!”

For more information on file integrity monitoring and meeting data security compliance regulations, check out our podcast, “File Integrity Monitoring on the IBM i”, featuring Patrick Townsend, founder and CEO of Townsend Security.

Topics: System Logging, File Integrity Monitoring (FIM), IBM i

Don't Do an Encryption Project Twice - 3 Things to Do Before You Start

Posted by Liz Townsend on Nov 13, 2012 11:35:00 AM

AES Encryption & Related Concepts


Download the white paper "AES Encryption & Related Concepts"


One of the worst scenarios we can think of when it comes to encryption and encryption key management is having to do your encryption project a second time. We see this again and again when companies come to us after realizing they are about to fail, or have already failed, a data security audit for reasons such as these:

  • They built their own “home grown” encryption.
  • They were not using an external HSM to house their encryption keys.
  • They were not using dual control to manage their keys.
  • Something else left them, in the end, non-compliant with the industry regulations they face (PCI DSS, FFIEC, GLBA, etc.).

The unfortunate thing about these situations is that these companies are forced to redo an entire encryption project into which they have already invested time and money. Going through the process twice is completely unnecessary if you take the right steps the first time around. Here are three things to keep in mind before you start your encryption project.

1. Know your compliance requirements and security best practices before you start

The first step is to identify which data security compliance regulations you face. If you collect credit card information, you must comply with PCI DSS. If you collect protected health information (PHI), you must comply with HIPAA-HITECH. If you’re a financial institution, you must comply with FFIEC guidance and GLBA. Publicly traded companies must comply with the Sarbanes-Oxley Act, and any company collecting personally identifiable information (PII) will almost always fall under state or other data security regulations. Many companies fall under several of these at once, and you must know which ones apply to you.

All of these regulations require that you protect your sensitive data, and the practical way to accomplish that is with standards-based encryption (AES) used correctly. They also recommend, if not require, key management best practices such as dual control and separation of duties, which can realistically be implemented only by keeping the keys in an external hardware security module (HSM) or dedicated key manager rather than on the application server. HIPAA/HITECH, for example, does not outright require good encryption key management. But if your healthcare organization has a breach and cannot show that the keys were protected, the encrypted data is treated as compromised and you are thrust into the costly process of data breach notification.

2. Do your encryption key management right

Hackers don’t break the encryption; they find the encryption keys. Storing keys on the same server as the data they protect will almost always fail an audit, and it leaves you highly exposed: anyone who compromises that server, or simply copies its disks or a backup, gets the ciphertext and the key together. If you are not managing your keys with an external HSM and dual control, you are already in line for a costly audit failure or a devastating data breach.
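
To make the two key management points above concrete (keys kept away from the data, and dual control over the key that protects them), here is an added Go example; it is not code from the original post or from any Townsend product. `KeyService` is a hypothetical stand-in for an external HSM or key manager: it is assembled from two custodians’ random key components, so no single person knows the key-encryption key (KEK), and it never releases that key. Each record is encrypted under its own data-encryption key (DEK) with AES-256-GCM, and the database stores only the ciphertext and the DEK wrapped under the KEK. The card number is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyService stands in for an external HSM or key manager: it holds the
// key-encryption key (KEK) and never releases it. Hypothetical component.
type KeyService struct{ kek []byte }

// NewKeyServiceDualControl derives the KEK as the XOR of two custodians'
// 32-byte components (split knowledge): neither component alone reveals
// the key, and both people must take part to bring the service up.
func NewKeyServiceDualControl(shareA, shareB []byte) (*KeyService, error) {
	if len(shareA) != 32 || len(shareB) != 32 {
		return nil, fmt.Errorf("key components must be 32 bytes each")
	}
	kek := make([]byte, 32)
	for i := range kek {
		kek[i] = shareA[i] ^ shareB[i]
	}
	return &KeyService{kek: kek}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with a fresh random 96-bit nonce prepended.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key or any tampering.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// StoredRecord is everything the database server holds. Without the
// KeyService, the wrapped DEK is just more ciphertext.
type StoredRecord struct{ WrappedDEK, Ciphertext []byte }

// Protect encrypts a field under a fresh data-encryption key (DEK) and
// wraps that DEK under the KEK, so the key that unlocks the data never
// rests beside the data.
func Protect(ks *KeyService, plaintext []byte) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := seal(ks.kek, dek, []byte("dek-v1"))
	if err != nil {
		return StoredRecord{}, err
	}
	ct, err := seal(dek, plaintext, nil)
	return StoredRecord{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Recover has the KeyService unwrap the DEK, then decrypts the field.
func Recover(ks *KeyService, rec StoredRecord) ([]byte, error) {
	dek, err := open(ks.kek, rec.WrappedDEK, []byte("dek-v1"))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, nil)
}

func main() {
	shareA, shareB := make([]byte, 32), make([]byte, 32)
	rand.Read(shareA) // custodian A's component
	rand.Read(shareB) // custodian B's component
	ks, _ := NewKeyServiceDualControl(shareA, shareB)
	rec, _ := Protect(ks, []byte("4111111111111111")) // constructed test PAN
	// A stolen copy of the database holds rec but not the KEK, and one
	// component alone cannot rebuild the KEK to unwrap the DEK.
	lone, _ := NewKeyServiceDualControl(shareA, make([]byte, 32))
	_, err := Recover(lone, rec)
	pt, _ := Recover(ks, rec)
	fmt.Printf("one component: %v\nboth components: %s\n", err, pt)
}
```

The design choice worth noting is that the application server and the database never hold the KEK: a dump of the database yields ciphertext plus wrapped DEKs, and a single custodian’s component yields nothing, which is the property both the audit and the breach-notification safe harbor depend on. In a real deployment the KEK lives inside the HSM and the wrap/unwrap calls cross the network to it; here both sides run in one process only so the example is self-contained.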

3. Choose a solution that’s NIST certified

Choosing encryption and key management solutions whose cryptography has been validated by the National Institute of Standards and Technology (NIST) ensures you are meeting at least the minimum requirements. NIST publishes the AES standard itself (FIPS 197), validates AES implementations through its Cryptographic Algorithm Validation Program, validates whole cryptographic modules such as HSMs against FIPS 140-2, and provides key management guidance in Special Publication 800-57. You should also avoid cutting corners with your own “in house” encryption project. A recent Symantec study found that more than fifty percent of unauthorized encryption projects ended in serious problems with the encryption keys, and unprotected encryption keys lead to data breaches and audit failures.

When it comes to protecting sensitive data, never cut corners because of cost. Many small to mid-sized companies forgo data security because they perceive the monetary cost of an encryption project as too great. The truth is that a lack of proper data security can result in millions of dollars in fines and damage control; the cost of an average-size data breach is $5.5 million. In the end, data security is an investment that protects your business from a costly breach that many companies never recover from.

For more information on encryption and key management, download our white paper “AES Encryption & Related Concepts” and learn how proper encryption and key management work together to secure your data.


Topics: Compliance, Encryption, Data Privacy, Encryption Key Management