Townsend Security Data Privacy Blog

Michelle Larson

Recent Posts

A Data-centric Approach to Securing Sensitive Data

Posted by Michelle Larson on Feb 25, 2016 1:11:00 PM

Data-centric security means planning for and implementing encryption and the proper management of encryption keys regardless of the environment. Request the Podcast: Compliance for Coders

All data security plans should constantly evolve to reflect changes in business and compliance regulations, as well as policy and infrastructure changes. Because of this evolution, developers are often called upon to modify existing applications, and to implement new or better security solutions. They also are often required to add new security applications in order to meet data protection best practices or prepare for an audit to meet compliance requirements (PCI DSS, HIPAA, FFIEC, etc.).  

What do developers need to know about coding for compliance?

From the ground up, regardless of the platform or language you use, it is the data security mindset that is critical. Developers need to be aware of protecting sensitive data when writing code because ever-evolving compliance requirements call for that disposition. There should be an emphasis to meet industry compliance standards from the beginning design stages. Code needs to be built with those data protection requirements in mind so that is doesn’t have to be reengineered. Projects can sink or fail due to inadequate data security measures, which can put a whole organization at risk.

Whether you are working in hardware, virtual, or cloud environments, understanding and identifying where sensitive data will reside is very important from day one. There needs to be an understanding of the criminal mindsets that will be trying to breach the systems you create, proper preparation for security audits, and a full knowledge of the compliance guidance available to meet industry standards. Developers should also develop for every possible platform/application that the project might be deployed on. As applications move more to multi-tenant cloud environments, you want to make sure you are not locked into or out of a particular platform. You want your code to be compatible from day one with hardware, VMware virtual environments, and cloud platforms. As more organizations move away from using only hardware, VMware technology is at the center of a revolution around virtual and cloud environments. VMware (the company) has done a great job with providing educational materials, helping developers program in a compliance fashion, and producing reference architecture for PCI compliance.

As developers know, their customers want “out of the box” third-party solutions that already meet required security validations. A few of the fundamental basics to keep in mind when developing for data security compliance:

    • Use encryption standards such as AES encryption for data-at-rest.
    • Use proper Encryption Key storage and management tools
    • Do not burn the keys in code
    • Do not store keys on the same server as the protected data
    • Plan for a compliance audit from the beginning stages

It is also important to look for solution providers that will talk with you before just giving you an instant trial download, it is a good idea to make sure their solution is a technical fit, and not a waste of your time. This is something we do here at Townsend Security with all of our products. We offer a 30-day full version trial of all our software so that you can do a full proof-of-concept and test in your environment. We also feel it is important to supply client-side applications, SDK’s and modules that fit naturally into the platforms and languages that match your development environment. I encourage you to take a little time to listen to this podcast and hear from Patrick Townsend, the Founder & CEO of Townsend Security, on his perspective for developers.

Request the Podcast: Compliance for Coders

Topics: Data Security, Developer Program, Encryption Key Management, Defense-in-Depth, Podcast, Key Life Cycle

AES Encryption Performance on the IBM i (AS/400, iSeries):

Posted by Michelle Larson on Feb 8, 2016 7:39:00 AM

Understanding the basics can help you avoid problems! 

As enterprise customers deploy data security solutions to meet various compliance regulations (PCI DSS, HIPAA, etc.), they are frequently surprised by the performance impacts of encryption. Inadequate preparation in an encryption project can lead to increased costs, delayed (or even failed) projects, inability to meet compliance requirements, and even exposure in the event of a data breach. AES Encryption 30-day free trial

By its very nature, encryption and decryption are resource intensive processes. Enterprise customers can be surprised to discover that encryption from one vendor can perform very differently than the very same encryption from another vendor. While the various vendor solutions accomplish the same tasks, they vary greatly in how efficiently they do these tasks. The differences can vary by a factor of 100 or greater! This can have a large impact on business applications that perform encryption and decryption tasks. One vendor’s solution may encrypt a data in 10 minutes, and another vendor’s solution may take 10 hours to perform the same task!

Avoid surprises, ask for performance metrics:

Armed with the knowledge that encryption performance is important, you can take action to avoid potential problems. Before acquiring an encryption solution, ask your data security vendor to provide performance metrics for their solution. How long does it take to encrypt one million credit card numbers? Can they provide you with source code and demonstrate this performance on your server? Optimizing software for performance is a complex task and usually involves specialized technical talent and some experimentation with different computational techniques. Unless an encryption vendor is deeply committed and invested in encryption technologies, they may not make performance enhancements to their applications.

Create your own proof-of-concept applications that measure encryption and decryption performance in your application environment. Be sure to measure how well the encryption solution performs under your current transaction loads, as well as anticipated future transaction loads. A good rule of thumb is to be sure you can handle three times your current encryption volume. This will position you for increased loads due to unexpected changes in the market, or an acquisition of another company. It also insures that you are seeing real-life performance metrics, and not just the vendor’s marketing message.

Avoid hidden costs, ask for pricing calculations:

Ask your purchasing and accounting departments to include performance upgrade costs in the pricing calculation during vendor evaluation. Be sure these costs include any increases in software license fees. If an encryption solution consumes one third of the CPU processing power of a server, you might want to include the cost of upgrading to a processor twice as powerful as the one you have. Working these costs in during the product evaluation phase can provide a more realistic view of the actual cost of a vendor encryption solution. Upgrading hardware can lead to unexpected additional software costs. Some software vendors license their solutions to the number of processors, or speed of the processors, in your server. Upgrading hardware to solve a performance problem can result in increased software license fees.

Avoid red flags, not all AES encryption solutions are the same:

Some encryption solutions use “shadow files” (files external to your application) to store encrypted data. The use of shadow files normally indicates that the vendor has an incomplete implementation of the AES encryption suite, or that the system architecture is limited in some way. The use of shadow files can impose severe performance penalties. In order to perform an encryption or decryption task an addition file read or write is required which essentially doubles the file activity. This may also increase processor loads as your application mirrors the data to a hot backup system. You will want to be very careful in measuring the performance impacts of encryption solutions that use shadow files.

If an encryption vendor will not provide you with a fully functional evaluation of their solution, this represents a clear warning signal. Your application environment is unique and you will need to be able to evaluate the impact of encryption in your environment with a limited test. A vendor who refuses to provide you with a clear method of evaluating the performance of their solution may not have your best interests in mind.

Avoid frustrations, take a test drive with us:

Despite an organization’s best efforts, data will get out. The best way to secure sensitive information is with strong encryption that is NIST compliant and FIPS 140-2 compliant key management that meets or exceeds the standards in PCI, HIPAA/HITECH, and state privacy laws. For a more technical look at AES encryption, including FieldProc exit points and POWER8 on-board encryption, check out this blog by Patrick Townsend, Founder and CEO of Townsend Security: How Does IBM i FieldProc Encryption Affect Performance?

Our proven AES encryption solution encrypts data 115x times faster than the competition. But don’t just take our word for it, we provide a fully functional evaluation!  Request a free 30-day trial (full version) of our popular Alliance AES Encryption and see for yourself.

AES Encryption 30-day free trial

Topics: Alliance AES/400, IBM i, AES Encryption, iSeries, AS/400, Evaluation

The Boyd Gaming Case Study of LogAgent for IBM QRadar

Posted by Michelle Larson on Jan 22, 2016 3:00:00 PM

Collecting and Monitoring Real-time IBM i Security Events with Alliance LogAgent for IBM QRadar

Collecting and Actively Monitoring System Logs is Important Across ALL Operating Systems!

Because the IBM i (AS/400, iSeries) can handle multiple applications, it doesn’t log information like other systems do. The IBM i collects logs simultaneously from multiple sources and deals with large volumes: Up to 3,500 events per second…250 Million events per day!  The essence of good log security is externalizing the systems logs and collecting them in a central repository, which helps remove the risk of tampering. Close monitoring of system logs can help you detect a breach before it happens, it can be a requirement for compliance with security regulations, and it can be a very difficult, inefficient, and cumbersome process.

PDF of Boyd Gaming Case Study of LogAgent for QRadar

For years, our Alliance LogAgent solution has been helping businesses using the IBM i to collect logs from the QAUDJRN security journal, convert them to common syslog formats and then transmit to a central log server or SIEM product for collection, analysis, and alert management. Now, with Alliance LogAgent for IBM QRadar, deeper threat intelligence and security insights can be gained in real-time.

For example, having chosen IBM Security’s QRadar SIEM, the security team at Boyd Gaming needed a solution to collect IBM i security and application logs into a coherent strategy for log collection, analysis and alert management. Before they started using Alliance LogAgent for IBM QRadar, Boyd Gaming used a Device Support Module (DSM) that made copies of their security journal and sent them out over FTP to a server, where QRadar would go grab them – a very cumbersome and inefficient process. By implementing Alliance LogAgent for IBM QRadar, they brought their IBM i platform into a common strategy for log consolidation and analysis with the security events from other servers.

Alliance LogAgent for IBM QRadar does exactly what it needs to do. It was built for the IBM i and gives you the data you need,said Anthony Johnson, IT Security Engineer, Boyd Gaming.Knowing that Townsend Security worked with IBM made Alliance LogAgent for IBM QRadar an easy choice. By being able collect all security events and convert them to the IBM Log Event Extended Format (LEEF) made a seamless deployment.

For Boyd Gaming, getting started was very simple. With 15 installations of Alliance LogAgent for IBM QRadar, it only took one hour for them to get them to set up, configured, and begin collecting logs from their IBM i platform.

Alliance LogAgent for IBM QRadar fits the bill for everything. It is very simple to set up, minimal maintenance, and once you set it, you never have to make any adjustments – set it and forget it,finished Johnson.

Not only does IBM Security QRadar perform real-time monitoring of events across the Enterprise, it learns from the events over time in order to recognize normal patterns, detect anomalies, and better identify attacks and breaches. Combined with this intelligent platform IBM Security QRadar provides a broad set of compliance reports that are ready to use. Townsend Security’s Alliance LogAgent for IBM QRadar helps IBM i customers realize the full benefits of the IBM QRadar Security Intelligence solution.

For more detail, please read the whole case study on Boyd Gaming:

IBM i QRadar SIEM Case Study

Topics: IBM QRadar, IBM Security Solutions, Alliance LogAgent for IBM QRadar

Looking Back on 2015 Data Breaches

Posted by Michelle Larson on Jan 5, 2016 8:08:00 AM

Data Breach Statistic for 20152015 was a year of large and sometimes very controversial data breaches across a broad industry spectrum.  The Identity Theft Resource Center 2015 Breach List contains 780 breaches and 177,866,236 exposed records. Here are just a few that everyone should be aware of:

HEALTHCARE

Anthem

    • 78.8 million highly sensitive patient records
    • 8.8 to 18.8 million non-patient records
    • Names, birth dates, Social Security numbers, addresses, employment information, and income data

Premera

    • Over 11 million subscribers
    • Names, birth dates, Social Security numbers, member identification numbers, and bank account information.

Excellus

    • 10 million members
    • Names, birth dates, Social Security numbers, member identification numbers, financial account information, and claims information

ENTERTAINMENT

Avid Life Media (ALM), the parent company of Ashley Madison

    • 37 million user accounts
    • Email addresses, first and last names, and phone numbers.

VTech

    • 6.4 million children accounts
    • 4.9 million customer (parent) accounts
    • Photos, names, passwords, IP addresses, download history, and children’s gender and birth dates.

Hello Kitty (SanrioTown)

    • 3.3 million customers, including children
    • Full names, encoded by decipherable birth dates, email addresses, and encrypted passwords, along with password reset questions and answers.

TECHNOLOGY

T-Mobile via Experian

    • 15 million records
    • Names, birth dates, addresses and social security numbers and/or an alternative form of ID, such as drivers’ license numbers. (This was an unusual hack because the company itself (in this case T-mobile) didn’t have a data breach rather Experian (a credit reporting company) had a data breach which leaked T-mobile’s consumers’ data)

TalkTalk

    • 3 breaches affecting up to 4 million user records
    • Names, addresses, dates of birth, phone numbers, email addresses, TalkTalk account details and payment card information

Comcast

    • Over 200,000 users
    • Login credentials were sold on the dark web

GOVERNMENT

Office of Personnel Management (OPM)

    • Over 4 million personnel files
    • Over 21 million federal employees and contractors
    • Social Security numbers, security clearance information, fingerprints, and personal details that could leave federal personnel vulnerable to blackmail.

Internal Revenue Service (IRS)

    • Over 100,000 taxpayers
    • Online transcripts and significant personal information was accessed as a result of access to previously stolen identity information.

Wrapping up the year; on December 20th, 191 million registered U.S. voter records were exposed online. The database that was discovered contained more than the voter’s name, date of birth, gender, and address; which on their own is a good amount of personally identifiable information (PII). It also include the voter’s ethnicity, party affiliation, e-mail address, phone number, state voter ID, and whether he/she is on the “Do Not Call” list.

As we head into 2016, we will be focused on prevention and how we can best provide information and solutions to protect your sensitive & valuable data.

Let us know how we can help you!

The Encryption Guide eBook

Topics: Data Security, Encryption, eBook, Encryption Key Management, Data Breach

Securing your IBM i (AS/400, iSeries) - Webinar Q&A

Posted by Michelle Larson on Dec 4, 2015 10:41:00 AM

Data security doesn’t need to be a challenge! 

Whether your data is stored within your database files or transmitted to your trading partners, using the right tools can mean the difference between meeting compliance and security best practices or suffering a data breach.  Webinar: Securing Data on Your IBM i

Townsend Security is well known for providing security solutions for a wide variety of platforms (IBM i (AS400, iSeries), IBM mainframe, VMware, Windows, Linux). Recently, our founder and CEO produced an excellent webinar on “Securing Your IBM i Using the Right Tools”. Many of our IBM i customers are under multiple compliance requirements including PCI, HIPAA, SOX, GLBA, and others which require securing data-at-rest and data-in-motion, real-time security event logging, file integrity monitoring, and two-factor authentication. The webinar covers encryption and key management as well as a number of our other auxiliary products specifically for the IBM i (AS400, iSeries) platform.

There were a number of excellent questions asked after the presentation, and the following is a brief recap of that Q&A session with links to additional information:

Q:  Can I use FieldProc to protect multiple fields in a file?

A:  The short answer is yes, encrypting multiple fields is a fully supported capability. FieldProc does allow, from both DB2 and from our solution, protecting multiple columns or fields in a DB2 file. You can define multiple fields and then enable FieldProc with one command on all those fields within our solution. People often ask if indexes can also be encrypted and yes, that is fully supported as well. There are a few limitations in legacy RPG applications, while with a native SQL application there are no limitations.

To learn more about Field Procedures on the IBM i, check out this blog:  5 Common FAQs About IBM i Encryption Using FIELDPROC 

Q: Can’t I just transfer my file from IBM i to Windows and then PGP encrypt it there?

A:  This is a great compliance question and comes up often with QSA Auditors. Yes, of course you can move a file from one machine to another using operations navigator. The problem is that it exposes data in the clear during the movement, either across the network if it is an unsecured connection or when the data lands on the other side of the transfer. Any of these exposures will likely result in an audit failure.

Good security practice, regardless of the platforms involved is:

  •   Encrypt at the Source
  •   Decrypt at the Destination

Make sure to securely move it in encrypted form and don’t let it get loose anywhere in between!

Learn more about the core components of a total encryption strategy in this blog: Secure Managed File Transfer and PGP Encryption

Q: How does key management work with older back-up copies of data that was secured with earlier keys?

A:  Any Enterprise key management solution should maintain encryption keys under policy for as long as they are needed. As you generate new keys, the older keys are retained and made available for decryption purposes, until you retire those keys. Our solution will maintain multiple versions, and doesn’t have a limit on how many keys or generations you can have of master or key encryption keys. If you have a loss or need to delete data that is out of your control, you can then delete the key. 

For more information on the full life cycle of keys, check out this blog: Why Key Management is So Critical in the Life Cycle of an Encryption Key

Q:  Your two-factor authentication product is supported in which countries?

A:  Since our 2FA solution is through TeleSign, a global company, it has a broad presence in more than 200 countries around the world and in 87 languages.  By leveraging an individual's mobile phone, a reliable means of authentication has become readily available for the IBM i platform. For example, instead of tokens, businesses can simply send an SMS or voice message that contains a one-time authentication code to the individual user’s phone. This means cyber criminals cannot log into the IBM i without physical control of the actual phone. 

This blog will outline Making a Case for Two Factor Authentication: Taking Security Beyond Usernames and Passwords

Webinar: Sec

Topics: Data Security, IBM i, Webinar, iSeries, AS/400, IBM Security Solutions

Encryption and Key Management – “Bring Your Own” to the Cloud

Posted by Michelle Larson on Jun 11, 2015 9:56:00 AM

In this age of “Bring Your Own”, we see the acronyms BYOD (device), BYOE (encryption), and BYOK (key) showing up all over the blog-o-sphere. BYOK is a cloud computing security model that allows cloud service customers to use the provided server-side encryption software and (bring) manage their own encryption keys. Click to request the webinar: Encryption & Key Management Everywhere Your Data Is

The idea of encryption (cryptography) is almost as old as the concept of written language: if a message might fall into enemy hands, then it is important to ensure that they will not be able to read it. Most typically, encryption relies on some sort of "key" to unlock and make sense of the message it contains, and that transfers the problem of security to a new level – now the message is secure, the focus shifts to protecting the key. In the case of access to cloud services, if we are encrypting data because we are worried about its security in an unknown cloud, then why would we trust the same cloud to hold the keys without using a key management solution?

BYOK can help an organization that wishes to take advantage of cloud services to address both regulatory compliance and data privacy concerns in a third-party multi-tenant environment. This approach allows a customer to use the encryption technology that best suits the customer's needs, including the cloud provider's underlying IT infrastructure. For example, Amazon’s Simple Storage Service (S3) is about protecting data-at-rest using server-side encryption with customer-provided encryption keys (SSE-C) or “BYOK”. With the encryption key you provide as part of your data request, Amazon S3 then manages the encryption (as it writes to disks) and decryption (when you access your data). You don't need to maintain any code to perform data encryption and decryption in S3. The only thing you do is manage the encryption keys you provide to the Amazon Simple Storage Service. When you upload an object, Amazon S3 uses the encryption key you provide to apply AES-256 encryption to your data and then removes the encryption key from memory. When you retrieve data, you must provide the same encryption key as part of your data request. Amazon S3 first verifies that the encryption key you provided matches, and then decrypts the data before returning it to you.

Important to Note: Amazon S3 does not store the encryption key you provide. Instead, they store a randomly salted HMAC value of the encryption key in order to validate future requests. The salted HMAC value cannot be used to derive the value of the encryption key or to decrypt the contents of the encrypted object. That means, if you lose the encryption key, you lose the object.

Any time a company decides it wants to host its applications in the cloud, or use a SaaS application where the company’s data will be stored in the cloud, their IT security professionals have to ask a series of questions.

    • Can we encrypt the data? If so, who will have access to the keys?
    • How will we perform key rotation and manage the lifecycle of the encryption keys?
    • Is the cloud vendor using a proprietary encryption technology that prevents us from moving our data to another vendor?
    • If we use 10 SaaS applications, will we have to administrate 10 different key management solutions?

These questions are tough enough to answer when the data and encryption technologies are in a company’s own data center where it has complete control over everything. In many cases, if encryption is provided, the cloud provider holds or has access to the keys, which creates another set of problems for the end user. For one thing, a third-party having access to data in the clear is a violation of regulations such as PCI-DSS, HIPAA, GLBA and others. Also, customers have yet to establish trust in cloud platforms or SaaS providers to protect their data. There have been many high profile data breaches that make end-users nervous. Customers also fear the U.S. government will subpoena access to their data without their knowledge or permission. For companies outside the U.S. that choose to use a U.S.-hosted cloud or app, there are data privacy and residency concerns. Instinctively it feels a lot more secure to manage your own key and use BYOK instead of leaving it to the cloud provider.

A few things have become crystal clear:

  1. You need to know where your sensitive information is. Period.
  2. You need to know who has access to it. Not who you think has access to it, but who really has access to it.
  3. Wherever you put your sensitive information, you need to protect it. The most critical thing you need to do is to apply a strong defense in depth approach to data security, including the use of encryption and access controls.
  4. You need to be able to document, through audit logs and reports, who has actually accessed your information. This is true (and important) for sensitive data, as well as for compliance-regulated data.
  5. If you think that having your cloud service provider encrypt your data provides adequate security for your information, you probably need to rethink this.

It all boils down to this: When encrypted data is stored or processed in the cloud, the data and the keys must be kept separate and only the end-user should control the encryption keys.

Cloud storage options bring new economies and business efficiencies, but security can’t be ignored, and it can’t be simply outsourced to some other party. We believe that it is fundamental to good security to control all access to your data, including managing your own encryption keys. Managing encryption keys may sound daunting, but it doesn’t need to be. Our technology makes data security and encryption key management simple and straightforward. Our key management solution addresses all of the issues described above and can protect your data everywhere you have it stored.

Request the webinar: Encryption & Key Management Everywhere Your Data Is

Topics: Alliance Key Manager, Encryption, Encryption Key Management, Webinar, Cloud Security

Basics of Keeping Data Safe in the Cloud

Posted by Michelle Larson on May 1, 2015 9:47:00 AM

Encryption & Key Management… why that ampersand is so important!

We frequently talk about a variety of different data security measures and the difficulty of making information truly secure in a multi-tenant environment. What steps are we taking to protect the most valuable assets we have as companies, such as our customer’s Personally Identifiable Information (PII)? Are we starting with the most critical steps in the process and then building out from there?  Let’s make sure we have the basics covered! eBook - Encryption Key Management Simplified

Encryption is the first step to keeping information secure from anyone who accesses it maliciously, it is also a clear compliance requirement and critical part of protecting data in any environment. Use industry standard encryption such as Advanced Encryption Standard (AES, also known as Rijndael) which is recognized world-wide as the leading standard for data encryption. Never use home-grown or non-standard encryption algorithms. Make sure your security partner will supply you with all of the sample code, binary libraries, applications, key retrieval and other tools you need to implement encryption and key management fast and easily. Whether your data resides in the cloud, in a virtual environment, or in your own data center; always make sure you are using the right type of encryption to protect it.

The second step to the security solution is Encryption Key Management. While encryption is critical to protecting data, it is only half of the equation. Most regulations require that encryption keys must be stored and managed away from the data they protect because storing encryption keys with the data they protect, or using non-standard methods of key storage, will not protect you in the event of a data breach. When encrypting information in your applications and databases, it is crucial to protect encryption keys from loss and securely managed from key creation, management, distribution, and archival or destruction (the full key lifecycle). In the past, key management used to be a complex and difficult task that required hardware and a team of security specialists to implement. Our key manager is available as a ready-to-use, easy-to-deploy solution that is compliant with the NIST FIPS 140-2 standard in a variety of instances:

In the Cloud - If you're running on Microsoft Azure, or in Amazon Web Services (AWS), the encryption key manager can run as a true cloud instance in a standard cloud or deploy in a virtual private cloud for added data protection for sensitive applications.

VMware - Businesses are able move their VMware infrastructure beyond traditional data centers and into the cloud with VMware’s vCloud.  By using the same FIPS 140-2 compliant software found in physical appliances, enterprises can provably meet compliance requirements with a VMware based encryption key manager running in the cloud.

A Cloud HSM is a physical appliance hosted in a secure cloud with real-time encryption key and access policy mirroring.  Dedicated HSMs are hosted in geographically dispersed data centers under an ITIL-based control environment and are independently validated for compliance against PCI DSS and SOC frameworks. No access is available to the cloud vendor or any unauthorized user.

A Hardware Security Module (HSM) is a physical appliance or security device that is protected and tamper evident. Built for high resiliency and redundancy it has hot swappable RAID (Redundant Array of Independent Disks) disc drives, dual power supplies, dual network interfaces, and is deployed in your IT data center. Cloud applications can connect to a remote HSM over a secure, encrypted connection.

Do you have the basics covered? If you are unsure about the status of your defense-in-depth strategy to data security, contact one of the experts on the Townsend Security team. We have a variety of resources to help you answer your most pressing questions and a variety of solutions to make sure you are protecting your data the best way possible. At Townsend Security we also take a very different philosophy and approach:

  • We think that when you buy an encryption key manager, you should be able to easily deploy the solution, get all your encryption projects done properly, and have very affordable and predictable costs.
  • We understand that we live in a world where budget matters to our customers, so we do not charge client-side application or connection fees.
  • We know that IT resources are limited and have done a huge amount of work to make our solutions easy with out-of-the-box integrations and simplified deployments. We also provide ready-made client-side applications, encryption libraries, source code samples, as well as SDKs for developers who need them.
Check out this eBook for more information: 

Encryption Key Management Simplified eBook

Topics: Alliance Key Manager, eBook, Encryption Key Management, Cloud Security

Three Things to Know about PGP Encryption & the IBM z

Posted by Michelle Larson on Apr 24, 2015 6:10:00 AM

Pretty Good Privacy (PGP) Encryption is a solid path to provable and defensible security, and PGP Command Line sets the standard for IBM enterprise customers.

Pretty Good Privacy (PGP) encryption is one of the most widely deployed whole file encryption technologies that has stood the test of time among the world’s largest financial, medical, industrial, and services companies. Download the PGP z podcast It works on all of the major operating system platforms and makes it easy to deploy strong encryption to protect data assets and file exchange. PGP is also well recognized and accepted across a broad number of compliance regulations as a secure way to protect sensitive data as it is in transit to your trading partners. PGP encryption can help businesses meet PCI-DSS, HIPAA/HITECH, SOX, and FISMA compliance regulations.

Here are three key things to know about PGP encryption for your IBM System z Mainframe, and how to discuss them with your technology providers:

1) Always encrypt and decrypt sensitive data on the platform where it is created. This is the only way to satisfy regulatory security and privacy notification requirements.

Moving data to a PC for encryption and decryption tasks greatly increases the chances of loss and puts your most sensitive data at risk.  In order not to defeat your data security goals it is important to encrypt and decrypt data directly on the platform.

2) The best PGP encryption solutions manage PGP keys directly on the platform without the need for an external PC system, or key generation on a PC.

Using a PC to generate or manage PGP keys exposes the keys on the most vulnerable system. The loss of PGP keys may trigger expensive and time-consuming privacy notification requirements and force the change of PGP keys with all of your trading partners.

3) The best data security solutions will provide you with automation tools that help minimize additional programming and meet your integration requirements.

Most Enterprise customers find that the cost of the software for an encryption solution is small compared to the cost of integrating the solution into their business applications. Data must be extracted from business applications, encrypted using PGP, transmitted to a trading partner, archived for future access, and tracked for regulatory audit. When receiving an encrypted file from a trading partner the file must be decrypted, transferred to an IBM z library, and processed into the business application. All of these operations have to be automated to avoid expensive and time-consuming manual intervention.

While the IBM System z Mainframe has always had a well-earned reputation for security, recently IBM modernized and extended their high-end enterprise server, the IBM System z Mainframe with the new z13 model. With full cross-platform support you can encrypt and decrypt data on the IBM Mainframe regardless of its origination or destination.

For over a decade Townsend Security has been bringing PGP encryption to Mainframe customers to help them solve some of the most difficult problems with encryption. As partners with Symantec we provide IBM enterprise customers running IBM System z and IBM i (AS/400, iSeries) with the same strong encryption solution that runs on Windows, Linux, Mac, Unix, and other platforms.

With the commercial PGP implementation from Symantec comes full support for OpenPGP standard, which really make a difference for enterprise businesses. Here are just a few of the things we’ve done with PGP to embrace the IBM System z Mainframe architecture:

    • Native z/OS Batch operation
    • Support for USS operation
    • Text mode enhancements for z/OS datasets
    • Integrated EBCDIC to ASCII conversion using built-in IBM facilities
    • Simplified IBM System z machine and partition licensing
    • Support for self-decrypting archives targeting Windows, Mac, and Linux!
    • A rich set of working JCL samples
    • As always we offer a free 30-day PGP evaluation on your own IBM Mainframe

PGP Command Line is the gold standard for whole file encryption, and you don’t have to settle for less. When you base your company reputation on something mission-critical like PGP encryption, you deserve the comfort of knowing that there’s a support team there ready to stand behind you.

Listen to the podcast for more in-depth information and a discussion on how PGP meets compliance regulations, and how Townsend Security, the only Symantec partner on the IBM i (AS/400) platform as well as the IBM z mainframe providing PGP Command Line 9, can help IBM enterprise customers with defensible data security!

 

Download the Podcast for PGP z


Topics: Data Security, PGP Encryption, IBM z, Podcast

Overcome Security Challenges with Your VMware Environment

Posted by Michelle Larson on Apr 15, 2015 10:29:00 AM

Prioritize Your Data Security Plan and Encryption Strategy

New Call-to-action Many businesses migrating to VMware environments are storing or processing credit card numbers, financial information, health care data, and other personally identifiable information (PII) in a virtual, shared environment. How does an organization meet industry data security requirements and prevent unwanted access to sensitive data?

In order to achieve a comprehensive data security plan in a VMware environment, organizations should consider the following steps:

Take Inventory of Your Sensitive Data

Every data security project should start by making an inventory of sensitive data in your IT environment. If you do not know where to start, first consider the compliance regulations you fall under. For example, do you process credit cards? If so, you must locate and encrypt primary account numbers (PAN), expiration date, cardholder name, and service codes where they are processed, transmitted, or stored in order to meet PCI compliance. If your company is a financial institution, include Non-Public Information (NPI) about consumers, and if you are in the medical segment, you must also locate all Protected Health Information (PHI) for patients. Finally, locate all data that is considered Personally Identifiable Information (PII) which is any information that can uniquely identify an individual (social security number, phone number, email address, etc.). Business plans, computer source code, and other digital assets should make the list, too.

Once you have a list of the kinds of information that you should protect, find and document the places this information is stored. This will include databases in your virtual machines, unstructured data in content management systems, log files, and everywhere else sensitive data comes to rest or can be found in the clear.

After you have a full inventory of your sensitive data, prioritize your plan of attack to secure that information with encryption and protect your encryption keys with a key management solution. The most sensitive information, such as credit card numbers, medical or financial data, is more valuable to cyber criminals and should be encrypted first. Creating this map of where your sensitive data resides and prioritizing which data to encrypt is not only a requirement for many compliance regulations, but will help to focus your resources as well.  

What to do:

  • Define sensitive data for your organization.
  • Using manual and automated procedures, make an inventory of all of the places you process and store sensitive data.
  • Create a prioritized plan on how you will encrypt the sensitive information affected by compliance regulations.

Implement Encryption and Encryption Key Management

While encryption is critical to protecting data, it is only half of the equation. Your key management solution will determine how effective your data security strategy ultimately is. When encrypting information in your applications and databases, it is crucial to protect encryption keys from loss. Storing encryption keys with the data they protect, or using non-standard methods of key storage, will not protect you in the event of a data breach.

For businesses who are already encrypting data, the most common cause of an audit failure is improper storage and protection of the encryption keys. Doing encryption key management right is often the hardest part of securing data. For this reason, it is paramount to choose a key management solution that is compliant and tested against the highest standards:

  • Your VMware key management solution should be based on FIPS 140-2 compliant key management software (find out if your key management vendor offers FIPS 140-2 compliant key management on the NIST website look it up on the NIST web site.
  • A key management solution should also conform to the industry standard Key Management Interoperability Protocol (KMIP) as published by OASIS. Ask for the KMIP Interoperability Report from the KMIP testing process.

Encrypting sensitive data on your virtual machine protects your data at the source, and is the only way to definitively prevent unwanted access to sensitive data. With VMware environments, businesses that need to protect sensitive data can use encryption and encryption key management to secure data, comply with industry security standards, protect against data loss, and help prevent data breaches.

What to look for:

  • Use industry standard encryption algorithms such as AES to protect your sensitive data. Avoid non-standard encryption methods.
  • Your encryption solution should support installation in any application workgroup that you define for your trusted applications. Be sure your encryption vendor explains any limitations in the VMware deployment.
  • Your encryption key management solution should support deployment in a separate VMware security workgroup. Ideally, the key management solution will include internal firewall support to complement the VMware virtual firewall implementation.
  • Your key management solution is a critical part of your VMware security implementation. It should support active collection and monitoring of audit logs and operating system logs. These logs should integrate with your log collection and SIEM active monitoring systems.

As your IT environment evolves, make sure your key management evolves with you. In addition to support for VMware, be sure your key management solution is available as a hardware security module (HSM), as a Cloud HSM subscription, and as a native cloud application on major cloud service provider platforms such as Amazon Web Services and Microsoft Azure. Even if you do not have these non-VMware platforms today, it is important to consider that the evolution of your IT infrastructure is inevitable. The encryption and key management solutions you deploy today in your VMware data center should be prepared to move to cloud or hosted platforms quickly and seamlessly. A merger, acquisition, rapid growth, competitive challenges, and technology advances can force the need to migrate your solutions to new platforms.

For more detailed information, check out our eBook on VMware Encryption – 9 Critical Components of a Defensible Encryption Strategy:

VMware Encryption eBook

Topics: Alliance Key Manager, Data Security, eBook, Encryption Key Management, VMware

Understanding Encryption and Key Management for VMware

Posted by Michelle Larson on Apr 3, 2015 11:33:00 AM

How to implement solutions that are based on compliance standards and meet security best practices.

As more and more Enterprise businesses move into virtual and cloud environments, they face challenges and security issues in these multi-tenancy situations. VMware customers benefit from the many operational and cost efficiencies provided by VMware virtualization technologies both in traditional IT infrastructure and in cloud environments. VMware Resource Kit for Encryption and Key Management As VMware customers deploy data encryption solutions as a part of their defense-in-depth strategy, the need for compliant encryption key management can present barriers to a good encryption implementation. It is possible to deploy a proper encryption key management solution within the VMware infrastructure without the need for traditional hardware security modules (HSMs) when this approach is appropriate to the security needs of the organization.

Here is some high level guidance on how to deploy and protect a solid encryption and key management solution for VMware within your virtual or cloud environment. While these recommendations are general in nature (actual VMware deployments will use different VMware applications and architectures to meet specific user, application, and security needs) they can provide a good roadmap.

Seven General VMware Recommendations

1. Identify and Document Trusted and Un-Trusted Applications

Properly identifying application groups based on the level of trust is critical for a secure implementation of virtualized applications and encryption key management services. Create and isolate a management cluster for your core VMware applications such as vSphere, vShield, etc. Identify application groups and their associated level of trust, and isolate applications into appropriate workgroups. Avoid mixing trusted and untrusted applications in a workgroup.

You should consider creating a security workgroup to contain your third party security applications such as encryption key management, authentication services, active directory, system logging, and other applications whose primary function is to assist in securing your applications in your VMware environment.

In preparation for properly securing these environments, create an inventory of all Virtual Machines managed in each workgroup. For each workgroup and virtual machine, identify the security controls that will be required for each one (network segmentation, storage segmentation, system logging, active monitoring, etc.). VMware flow tools can assist with this documentation.

2. Restrict Physical Access

Fundamental to all IT security implementations is proper security of the physical environment. This means proper physical security controls and physical monitoring of the data center as well as good auditing and procedural controls. These physical controls should also apply to access of VMware management and security applications. You can look to the PCI Data Security Standards and guidance for information on appropriate physical controls. You can also refer to standard security guidance in SOC 2 and SOC 3 assessments for information on physical controls. When deploying on a cloud platform it is always a good idea to ask the Cloud Security Provider (CSP) for a copy of the PCI letter of attestation, or an SOC 2 / SOC 3 report.

3. Isolate Security Functions

Because security applications are often a target of cyber-criminals, you should isolate them into their own security workgroup and implement the highest level of VMware security. Only trusted VMware administrators should have access rights to the encryption key management solution, system logs, and audit reports. Be sure to actively monitor access to and use of all encryption key management, key retrieval, and encryption services.

4. Change VMware Default Passwords

Review all VMware applications used to secure and manage your VMware environment and change the default passwords as recommended by VMware. The failure to change default passwords is one of the most common causes of security breaches.

5. Implement Network Segmentation

Network segmentation is easy to accomplish with VMware network management and security applications and you should implement network segmentation to isolate applications that process sensitive information from applications that do not require as high a level of trust. Additionally, you should provide network segmentation for all third party security applications such as your encryption and key management solution. Network segmentation should include all high availability and business recovery infrastructure. Do not rely on virtual network segmentation alone; use firewalls that are capable of properly securing virtual networks.

6. Implement Defense in Depth

The VMware management and security applications provide for a high level of security and monitoring. They also provide hooks and integration with third party security applications that provide system log collection, active monitoring, intrusion detection, etc. Encryption is a critical part of a defense-in-depth strategy, and protecting encryption keys is the most important part of an encryption strategy. Regardless of the operating systems in your application Virtual Machines, your solution should provide encryption key management, key retrieval, and encryption services for your business applications and databases running in your VMware infrastructure.

7. Monitor VMware Administrative Activity

Use an appropriate SIEM solution to collect VMware application and ESXi hypervisor system logs and perform active monitoring. The log collection and SIEM active monitoring solutions should be isolated into a security workgroup that contains other third party security applications such as Townsend Security’s Alliance Key Manager.

For additional information on securing Alliance Key Manager for VMware, our encryption key management solution, request the VMware Resource Kit containing the Guidance Document and other valuable resources:

Resource Kit: Encryption and Key Management in VMware

As solutions and implementations vary a great deal, always consult with a security specialist and compliance auditor for specific guidelines for your industry and environment! Just contact us to get started!

Topics: Compliance, Data Security, Encryption Key Management, Defense-in-Depth, VMware, Resource Kit