Townsend Security Data Privacy Blog

Michelle Larson

Basics of the EU Data Protection Working Party

Posted by Michelle Larson on Mar 26, 2015 1:19:00 PM

Article 29 Security Guidelines on Data Protection



The Article 29 Working Party is composed of representatives of the national data protection authorities (DPA), the European Data Protection Supervisor (EDPS), and the European Commission. It is a very important platform for cooperation, and its main tasks are to:

  1. Provide expert advice from the national level to the European Commission on data protection matters.
  2. Promote the uniform application of Directive 95/46 in all Member States of the EU, as well as in Norway, Liechtenstein and Iceland.
  3. Advise the Commission on any European Community law (so-called first pillar) that affects the right to protection of personal data.


Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organisations which collect and manage personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.

Every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Conflicting data protection rules in different countries would disrupt international exchanges. Individuals might also be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries.

Therefore, common EU rules have been established to ensure personal data enjoys a high standard of protection everywhere in the EU. The EU's Data Protection Directive also foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of sensitive data when it is exported abroad.

In order to help address these EU objectives, Patrick Townsend, Founder and CEO of Townsend Security recommends the following data protection best practices:

  • Encrypt Data at Rest
    Make a full inventory of all sensitive personal information that you collect and store. Use strong encryption to protect this data on servers, PCs, laptops, tablets, mobile devices, and on backups.
  • Use Industry Standard Encryption
    Advanced Encryption Standard (AES, also known as Rijndael) is recognized world-wide as the leading standard for data encryption.
  • Use Strong Encryption Keys
    Always use cryptographically secure 128-bit or 256-bit AES encryption keys and never use passwords as encryption keys or the basis for creating encryption keys.
  • Protect Encryption Keys from Loss
    Encryption keys must be stored away from the data they protect. Keys must be securely managed and should be compliant with industry standards such as NIST FIPS 140-2, which is recognized and accepted worldwide.
  • Change Encryption Keys Regularly
    Change your encryption keys on a quarterly or semi-annual basis. Using one encryption key for a long period of time can expose you to a breach notification for historical data.
  • Use Strong, Industry Standard Hash Algorithms
    Never use MD5 or other weaker hash methods. Use the SHA-256 or SHA-512 methods for your hash requirements.
  • Use Keys or Salt with Your Hashes
    You can use the Hashed Message Authentication Code (HMAC) method with an encryption key or use a strong encryption key under the protection of a key manager as the salt for the hash method.
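The key and hash recommendations above can be combined in a few lines. The following is an added example, not code from Townsend Security or the white paper: it generates 256-bit keys from the OS random source, produces HMAC-SHA-256 tokens, and tags each token with a key version so that regular key changes do not invalidate stored values. The `KeyedHasher` class, the in-memory key ring (standing in for a key manager) and the sample e-mail address are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 32  # 256-bit keys, per the "Use Strong Encryption Keys" item


def new_key() -> bytes:
    """Random key from the OS CSPRNG; never a password or derived from one."""
    return secrets.token_bytes(KEY_BYTES)


def unkeyed_digest(value: str) -> str:
    """Plain SHA-256: identical everywhere, so guessable inputs can be matched."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class KeyedHasher:
    """HMAC-SHA-256 tokens tagged with a key version so keys can be rotated.

    Assumption: the in-memory dict stands in for a key manager that stores
    keys away from the data; a real deployment would fetch keys from it.
    """

    def __init__(self):
        self._keys = {}      # version number -> key bytes
        self._current = 0    # 0 means "no key yet"

    def rotate(self) -> int:
        """Create a new current key; older keys stay available for verification."""
        self._current += 1
        self._keys[self._current] = new_key()
        return self._current

    def tag(self, value: str, version=None) -> str:
        """Return 'v<version>:<hex HMAC-SHA-256>' for the given value."""
        version = self._current if version is None else version
        key = self._keys[version]  # KeyError if rotate() was never called
        mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        return f"v{version}:{mac}"

    def verify(self, value: str, token: str) -> bool:
        """Check a stored token against a value using the key it was made with."""
        prefix, _, _ = token.partition(":")
        if not prefix.startswith("v") or not prefix[1:].isdecimal():
            return False
        version = int(prefix[1:])
        if version not in self._keys:
            return False
        expected = self.tag(value, version)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected.encode("utf-8"), token.encode("utf-8"))

    def needs_rehash(self, token: str) -> bool:
        """True when the token was produced under a key that has been rotated out."""
        return not token.startswith(f"v{self._current}:")


if __name__ == "__main__":
    email = "alice@example.com"  # constructed sample value
    hasher = KeyedHasher()
    hasher.rotate()
    old_token = hasher.tag(email)
    hasher.rotate()  # e.g. the quarterly key change
    print("unkeyed :", unkeyed_digest(email))
    print("keyed   :", old_token)
    print("verifies:", hasher.verify(email, old_token))
    print("rehash? :", hasher.needs_rehash(old_token))
```
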

For more detailed information on these recommendations, download the white paper on the "EU Data Privacy Protections and Encryption":

Click to Request the EU Data Privacy White Paper

Topics: Compliance, Data Security, EU Data Privacy Protection, Encryption Key Management, Defense-in-Depth, White Paper

Understanding the Challenges of Data Protection in AWS

Posted by Michelle Larson on Mar 13, 2015 10:40:00 AM

An excerpt from the latest white paper “How to Meet Best Practices for Protecting Information in AWS” by Stephen Wynkoop, SQL Server MVP, Founder & Editor of SSWUG.org

Working in the cloud presents several challenges unique to that environment, including significant growth and change in the area of data protection and encryption. There is much confusion about what is - and is not - encrypted and protected. This encryption of information, and the management of the keys and access controls is a core objective of this paper. If you can render information useless if accessed illegitimately, you have successfully addressed a whole host of regulations, compliance and best practices.

The very definition of protection by cloud providers is an important part of understanding the requirements and challenges of your configurations and information protection. AWS approaches data protection in several ways that impact your systems. The first is the configuration and design of your infrastructure. This consideration includes establishing Virtual Private Clouds (VPC) and providing for encryption of some information stores. The challenge exists in understanding the protection of these information stores and determining what you need to do to bring these protections in line with your requirements and compliance areas.

As you consider your systems, data protection will come down to several important areas:

  • Physical access controls – This refers to the doors, secure access controls and other protections at the physical server and server room level.
  • Logical access controls for your systems – These are the controls you put in place to prevent unwanted access to information.
  • Data access – Data access controls are typically enforced at the information stores level.
  • Protection of data in case of a breach – This is addressed by making the information in your systems unusable if accessed in a way that is unwanted.

Stephen’s white paper also covers the impact on data protection in public vs. private clouds, security fundamentals in AWS, and the best practices for deploying an encryption key management solution including:

  • Segregation of Duties
  • Dual Control and Split Knowledge
  • Key Creation (and understanding strong keys)
  • Key Rotation
  • Protection of Keys
  • Access Controls and Audits (Logging)

In his white paper, Stephen also discusses cloud-provider-based key management services and some of the important features, options, questions, and concerns that should be considered before selecting a service or a key management solution. Some important aspects to understand are:

  • Control, Ownership, and Access - By managing your own encryption services and providing for industry-compliant key management and data protection practices, you help ensure that your data remains managed by your own secure keys.
  • Multi-Tenancy and Key Management - In a worst case scenario it’s possible that keys could be compromised.
  • Access to Keys - Many systems and architectures are based on hybrid solutions. Cases where there are systems on-premises combined with systems in the cloud are areas that will be problematic with the AWS services. Systems not on the AWS hosted services will not have access to the key management services on AWS.

There are many different considerations when thinking about the choices in your key management solution. Be sure to fully understand logs, key management, backups and other elements that provide the utility you require. Finally, be sure you’re checking for proper compliance and certification of the solutions you are considering. It is important that any solution you choose has been through a FIPS 140-2 validation, and that you have a full understanding of any PCI, HIPAA or other regulatory body requirements.

Please download the full document to learn more about protecting information in Amazon Web Services and how Townsend Security’s Alliance Key Manager for AWS provides a FIPS 140-2 compliant encryption key manager to AWS users who need to meet data privacy compliance regulations and security best practices.

How to Meet Best Practices for Protecting Information in AWS by Stephen Wynkoop

Topics: Best Practices, Amazon Web Services (AWS), Encryption Key Management, White Paper, SSWUG, Cloud Security

Notable Data Security Breaches of 2014

Posted by Michelle Larson on Jan 8, 2015 10:40:00 AM

Make 2015 your year for increased data security with Encryption & Key Management

During the 2014 holiday season, the Sony data breach made the headlines even though the numbers affected weren’t in the millions like their 102 million PlayStation Network records that were breached back in 2011. This time, beyond all the damage done to their systems, Sony Pictures Entertainment became one of the most publicly blackmailed corporate breaches to date. The group that took over their company network had a list of demands that went along with the financial data and legal information being leaked on to file-sharing sites and sent directly to rival Hollywood studios.   

While the end results of the Sony breach may take time to be fully realized, there were a number of other large scale data breaches this year. Some of these you may be familiar with, more may yet be reported, and others might surprise you: 


  • eBay - online retailer
    The breach is thought to have affected the majority of the 145 million global members when a database containing customer names, encrypted passwords, email addresses, physical address, phone numbers, and dates of birth was compromised.
  • JPMorgan Chase
    76 million people were affected by the loss of PII including names, addresses, phone numbers, and email addresses.
  • Google
    5 million people had their account information compromised with the theft of usernames and passwords.
  • Home Depot
    In a large nationwide malware attack, 56 million card records were stolen through point-of-sale systems. In a second attack in Atlanta, the personal information of 20,000 employees was stolen and used to open fraudulent credit cards by 3 human resource employees.

Those are some pretty significant numbers, and most likely everyone that reads this blog has been affected in some way by at least one of these events, or by one of the 600+ breaches reported so far this year. What we all need to remember is that cyber crime isn’t limited to “Black Hat” hackers that only go after the big piles of data. Sometimes it is a disgruntled employee that destroys or releases sensitive data. Sometimes it is an unintentional employee error, or loss of an employee’s laptop/thumbdrive that thieves go after. Often it is the smaller company or mid-sized Enterprise that hasn’t yet implemented security steps, like encryption and authentication, to protect their sensitive information. For example, the unintentional loss of data on unencrypted backup tapes would be considered a reportable data breach event.

A new study from researchers at Gartner indicates that it is markedly less expensive for companies to invest in new security and encryption technologies than it is for them to respond to a data breach. According to the analyst firm, businesses pay roughly $6 per year per user for encryption tools, or $16 per user per year for intrusion prevention software licenses, versus paying out an average of $90 per user to address problems after a breach has occurred.

Five steps you can take to make sure this doesn’t happen to you:

  1. Have a defense-in-depth strategy that meets your level of risk tolerance.

  2. Make sure you know where all of your sensitive data is stored, and who has access to it.

  3. Use standardized encryption algorithms to make that data unreadable.

  4. Use an encryption key management solution to protect keys away from the data.

  5. Use two-factor authentication whenever possible, because passwords are no longer enough.

To help open up the conversation around your conference table, download this eBook on “Turning a Blind Eye to Data Security” and find out more about the tools & resources to begin discussions about data security in your company!

Turning a Blind Eye to Data Security eBook

Topics: Data Security, Encryption, Encryption Key Management, Data Breach, Video

Our Top 10 Most Popular Data Security Blog Posts of 2014

Posted by Michelle Larson on Dec 31, 2014 10:37:00 AM

Encryption, Key Management, and Data Security…Oh My!

This has been a busy year at Townsend Security with the addition of 2FA, the introduction of Key Management in AWS, Azure, and Key Connection for Drupal. Looking back over our data security blog and the most-viewed topics, I wonder... Did you miss out on any of these?  Take some time to check them out!

Heartbleed and the IBM i (AS/400)

by Patrick Townsend  (April 11, 2014)

Key take-away: It is important to understand that while the IBM i platform may not be directly vulnerable to the Heartbleed problem, you may have lost IBM i User IDs and passwords over VPN or other connections which are vulnerable. An exploit of Heartbleed can expose any information that you thought was being protected with session encryption.

From the blog article you can download additional content:  
Ebook: Turning  a Blind Eye to Data Security

What are the Differences Between DES and AES Encryption?

by Michelle Larson  (September 4, 2014)

Key take-away: Even Triple DES (3DES), a way of using DES encryption three times, proved ineffective against brute force attacks (in addition to slowing down the process substantially).

From the blog article you can download additional content:    
White Paper: AES Encryption & Related Concepts

Encryption & Key Management in Windows Azure

by Michelle Larson  (February 13, 2014)

Key take-away: In February 2014 we released the first encryption key manager to run in Microsoft Windows Azure. This blog highlights four of our most frequently asked questions about providing data security IN the Cloud.

From the blog article you can download additional content:    
Podcast: Key Management in Windows Azure 

Homomorphic Encryption is Cool, and You Should NOT Use It 

by Patrick Townsend  (October 6, 2014)

Key take-away: Homomorphic encryption is a promising new cryptographic method and hopefully the cryptographic community will continue to work on it. It has yet to achieve adoption by standards bodies with a proper validation process.

From the blog article you can download additional content:  
eBook: the Encryption Guide

Authentication Called For By PCI DSS, HIPAA/HITECH, and GLBA/FFIEC

by Michelle Larson  (March 24, 2014)

Key take-away: Two-factor authentication (2FA) plays a critical role in both meeting compliance regulations and following data security best practices. This trend will only grow within various industries and throughout the overall data security environment.

From the blog article you can download additional content:  
2FA Resource Kit: White paper, Webinar, Podcast

Encrypting Data In Amazon Web Services (AWS)

by Patrick Townsend  (August 28, 2014)

Key take-away: Amazon Web Services is a deep and rich cloud platform supporting a wide variety of operating systems, AWS services, and third party applications and services. This blog explores some of the ways that our Alliance Key Manager solution helps AWS customers and partners protect this sensitive data.

From the blog article you can download additional content:  
Podcast:  Encrypting Data in AWS

Key Connection - The First Drupal Encryption Key Management Module

by Michelle Larson  (February 21, 2014)

Key take-away: Working together to solve the Drupal data security problem, the security experts at Townsend Security and Drupal developers at Cellar Door Media have released the Key Connection for Drupal solution, which addresses the need for strong encryption and encryption key management within the Drupal framework. Now personally identifiable information collected during e-commerce checkouts and user accounts that contain names and e-mail addresses can be easily encrypted, and the encryption keys properly managed, by organizations that collect and store that sensitive information.

From the blog article you can download additional content:   
Podcast: Securing Sensitive Data in Drupal

Nine Guidelines for Choosing a Secure Cloud Provider

by Patrick Townsend  (July 8, 2014)

Key take-away: Security professionals (CIOs, CISOs, compliance officers, auditors, etc.) and business executives can use the following set of key indicators as a way to quickly assess the security posture of a prospective cloud provider and cloud-based application or service. Significant failures or gaps in these nine areas should be a cause for concern and suggest the need for a more extensive security review.

From the blog article you can download additional content:  
eBook: The Encryption Guide 

Never Lose an Encryption Key in Windows Azure       

by Patrick Townsend  (March 7, 2014)

Key take-away: This blog discusses backup/restore, key and policy mirroring, availability sets, and mirroring outside the Windows Azure Cloud.  Alliance Key Manager in Windows Azure goes the distance to help ensure that you never lose an encryption key. You might be losing sleep over your move to the cloud, but you shouldn’t lose sleep over your encryption strategy.

From the blog article you can download additional content:    
Free 30-day Evaluation of Alliance Key Manager for Microsoft Azure

3 Ways Encryption Can Improve Your Bottom Line

by Michelle Larson  (May 20, 2014) 

Key take-away: In a business world that is moving more towards virtualization and cloud environments, the need for strong encryption and proper key management is critical. Due to all the recent and well-publicized data breaches, we all know about the ways your brand can be damaged if you don’t encrypt your data. This blog takes a look at the benefits of encryption, and three of the ways it can have a positive effect on your business.

Additional content:  You’ll also discover that this is the third time in this Top-10 list that the eBook: The Encryption Guide is offered… so if you haven’t read it yet… what are you waiting for?

The Encryption Guide eBook

Topics: Data Security, Encryption, Best Practices, Amazon Web Services (AWS), Encryption Key Management, Virtualized Encryption Key Management, two factor authentication, Microsoft Windows Azure

Securing Alliance Key Manager for VMware

Posted by Michelle Larson on Dec 23, 2014 11:00:00 AM

An Introduction to Townsend Security's VMware Guidance Document

VMware customers benefit from the many operational and cost efficiencies provided by VMware virtualization technologies both in traditional IT infrastructure and in cloud environments. As VMware customers deploy data encryption solutions as a part of their defense-in-depth strategy, the need for encryption key management can present barriers to a good encryption implementation. This article provides high-level guidance, general in nature, on how to deploy and protect Alliance Key Manager for VMware within your VMware environment. Actual VMware deployments of Alliance Key Manager for VMware will use different VMware applications and architectures to meet specific user, application, and security needs.

General VMware Recommendations

Identify and Document Trusted and Un-Trusted Applications

Properly identifying application groups based on the level of trust is critical for a secure implementation of virtualized applications and encryption key management services. Create and isolate a management cluster for your core VMware applications such as vSphere, vShield, etc. Identify application groups and their associated level of trust, and isolate applications into appropriate application workgroups. Avoid mixing trusted and untrusted applications in a workgroup.

You should consider creating a security workgroup to contain your third party security applications such as encryption key management, authentication services, active directory, system logging, and other applications whose primary function is to assist in securing your VMware environment. Encryption key management services provided by Alliance Key Manager should be implemented in this separate security workgroup used for critical, non-VMware security applications.

In preparation for properly securing these environments, create an inventory of all Virtual Machines managed in each workgroup. For each workgroup and virtual machine, identify the security controls that will be required for each one (network segmentation, storage segmentation, system logging, active monitoring, etc.). VMware flow tools can assist with this documentation.

Restrict Physical Access

Fundamental to all IT security implementations is proper security of the physical environment. This means proper physical security controls and physical monitoring of the data center as well as good auditing and procedural controls. These physical controls should also apply to access to VMware management and security applications. You can look to the PCI Data Security Standards and guidance for information on appropriate physical controls. You can also refer to standard security guidance in SOC 2 and SOC 3 assessments for information on physical controls. When deploying on a cloud platform it is always a good idea to ask the Cloud Security Provider (CSP) for a copy of the PCI letter of attestation, or an SOC 2 / SOC 3 report.

Isolate Security Functions

Because security applications are often a target of cybercriminals, you should isolate them into their own security workgroup and implement the highest level of VMware security. Only trusted VMware administrators should have access rights to Alliance Key Manager, system logs, and audit reports. Be sure to actively monitor access to and use of all encryption key management, key retrieval, and encryption services.

Change VMware Default Passwords

Review all VMware applications used to secure and manage your VMware environment and change the default passwords as recommended by VMware. The failure to change default passwords is one of the most common causes of security breaches.

Implement Network Segmentation

Network segmentation is easy to accomplish with VMware network management and security applications and you should implement network segmentation to isolate applications that process sensitive information from applications that do not require as high a level of trust. Additionally, you should provide network segmentation for all third party security applications such as Alliance Key Manager. Network segmentation should include all high availability and business recovery infrastructure. Do not rely on virtual network segmentation alone; use firewalls that are capable of properly securing virtual networks.

Implement Defense in Depth

The VMware management and security applications provide for a high level of security and monitoring. They also provide hooks and integration with third party security applications that provide system log collection, active monitoring, intrusion detection, etc. Encryption is a critical part of a defense-in-depth strategy, and protecting encryption keys is the most important part of an encryption strategy. Regardless of the operating systems in your application Virtual Machines, Alliance Key Manager will provide encryption key management, key retrieval, and encryption services for your business applications and databases running in your VMware infrastructure.

Monitor VMware Administrative Activity

Use an appropriate SIEM solution to collect VMware application and ESXi hypervisor system logs and perform active monitoring. The log collection and SIEM active monitoring solutions should be isolated into a security workgroup that contains other third party security applications such as Alliance Key Manager.

For more detailed information, read the entire VMware Guidance Document and other materials available in this VMware Resource Kit: 

Resource Kit: Encryption and Key Management in VMware

Topics: Data Security, Encryption, Best Practices, Encryption Key Management, VMware, Resource Kit, Cloud Security

VMware and SQL Server Encryption

Posted by Michelle Larson on Dec 12, 2014 9:38:00 AM

Questions and Answers on Encryption and Key Management Projects

VMware® is hands-down the virtualization choice of large and small organizations, and it is easy to see why. Not only is it a highly reliable and scalable platform, VMware also provides a complete set of tools you need to deploy, manage, monitor, and protect virtual machines.

Earlier this month, Paul Taylor with Security Insider - Podcast Edition spoke with our founder, Patrick Townsend, about encrypting data on Microsoft SQL Server in VMware environments, the steps to encrypting data on SQL Server (with and without TDE), and Townsend Security’s Alliance Key Manager for VMware. Here are a few highlights (download the podcast for the whole conversation):

Paul Taylor: We’ve talked about the Townsend Security encryption and key management solutions for VMware. Today let’s put the focus on Microsoft SQL Server and encryption in the VMware customer environment. Can you give us an overview of how VMware customers can protect data in SQL Server databases?

Patrick Townsend: Just to recap, we really need two things to get encryption right: A key management solution to protect the critical encryption keys, and an encryption solution for the SQL Server database. And they have to talk to each other.

For the first part, our Alliance Key Manager for VMware solution provides a fully functional, enterprise key management solution that protects SQL Server databases as well as other databases and other operating systems.

For encrypting SQL Server, our Alliance Key Manager solution comes with a full Microsoft SQL Server Extensible Key Management Provider. We call this Key Connection for SQL Server and it is one of the modules that our key management customers receive without paying additional license fees. Key Connection for SQL Server provides the encryption and integration with our key server to provide a complete, end-to-end solution for encrypting data in the SQL Server database.

Paul Taylor: Can you talk a little about how Microsoft enables encryption in SQL Server?

Patrick Townsend: If you are running SQL Server Enterprise Edition or higher, you have access to Microsoft’s automatic, full database encryption facility called Transparent Data Encryption, or TDE. You also have access to Microsoft’s automatic, column level encryption facility which Microsoft calls Cell Level Encryption. Both of these options, TDE and Cell Level Encryption,  are implemented without any programming work at all. And both are fully supported by Alliance Key Manager and the Key Connection for SQL Server software from Townsend Security.

Paul Taylor: What about Microsoft customers who aren’t using the Enterprise Edition of SQL Server? Can they encrypt their data with the Townsend Security solution?

Patrick Townsend:  With SQL Server Standard and Web Editions we provide two paths to encrypt data. The first is to use SQL Views and Triggers along with our .NET DLL to provide automatic encryption without any changes to applications. And the second path is to modify your C# or Java applications to use our .NET DLL to perform encryption at the application level.

Both approaches leverage our Microsoft .NET DLLs to perform encryption with integrated key management. Both are very simple to implement. And there are no additional license fees to deploy and use our Microsoft .NET DLLs to accomplish this.

Paul Taylor: So, walk me through the steps for encrypting data in my SQL Server Enterprise Edition database. How difficult is it?

Patrick Townsend: Encrypting data in Enterprise SQL Server is really very easy. The first step is to install our Alliance Key Manager for VMware solution. It launches like any other virtual machine using the normal VMware applications and you can have a key management solution up and running very quickly.

The second step is to install the Key Connection for SQL Server application on the virtual machine running SQL Server in Windows. This is a normal install process with an MSI file. You answer some questions, install a certificate and private key in the Windows Certificate Store, and run a handful of commands to start SQL Server TDE encryption or Cell Level Encryption. You also restart the log file to be sure that it is encrypted as well. That’s about it.

Of course, you will want to follow the instructions on how to set up a high availability key server, and point your Key Connection for SQL Server configuration to it as failover. That is a normal configuration process and also very easy to do. We find that VMware customers can deploy SQL Server encryption very quickly.

Paul and Patrick also cover which versions of SQL Server are supported, the availability of Alliance Key Manager in other platforms (hint: it’s quite versatile), and our 30-day evaluation program (you can do a full proof-of-concept in your own environment at no charge). Be sure to download the podcast to hear the rest of their conversation:

Podcast: VMware and SQL Server Encryption

Topics: Data Security, Encryption, Security Insider Podcast, Encryption Key Management, VMware, SQL Server

Encryption and Key Management for VMware®

Posted by Michelle Larson on Dec 10, 2014 12:32:00 PM

Questions and Answers on VMware Encryption Projects

Every business is trying to save money and reduce complexity in their IT departments, and many are accomplishing this today by using virtual machines such as VMware®. While these businesses’ infrastructures are becoming virtual, their security threats are still very much real.

Recently Paul Taylor with Security Insider - Podcast Edition spoke with our founder, Patrick Townsend, about encrypting data in VMware, encryption performance, and special encryption and key management concerns for VMware users. Here are a few highlights (download the podcast for the whole conversation):

Paul Taylor: As VMware customers start to work on encryption projects to protect sensitive data, what are the things they worry about? What concerns them?

Patrick Townsend: VMware customers have made a large investment in VMware technologies. This includes, but is not limited to, an investment in the VMware solution stack that lets them run a variety of virtual machines, administer those machines, monitor the health of the virtual environment, and secure the entire infrastructure of virtual machines and VMware itself.

VMware customers also have invested heavily in the talent needed to run a VMware data center, have adopted governance and risk management procedures specific to a VMware environment, and have invested heavily in migrating existing applications to this platform. It’s a large investment but the payoffs are substantial.

So, when approaching an encryption project the VMware customer really wants to deploy products and solutions that run naturally in VMware. It is painful and concerning to have to deploy solutions that don’t fit naturally.

Paul Taylor: I know that Townsend Security has encryption and key management solutions for VMware customers. Can you talk a little about those?

Patrick Townsend: For any encryption project there are really two major components:

    1. The encryption of the sensitive data, usually in a Windows or Linux virtual machine
    2. The protection of the encryption keys

An effective strategy in the VMware environment has to address both of these. I think we are doing this very well with our encryption solutions for VMware.

First, our Alliance Key Manager for VMware product provides for the creation, management, and protection of encryption keys in a VMware virtual machine. It runs the same FIPS 140-2 compliant key management solution that we offer in our Hardware Security Modules (HSMs). So VMware customers can get encryption key management right without having to go outside of their VMware infrastructure.

Second, all of our encryption solutions that are deployed to protect sensitive data run in the VMware platform and talk to our key manager. For example, you can deploy our SQL Server Transparent Data Encryption solution for automatic SQL Server encryption in a Windows Server virtual machine, and it will talk naturally to our key management server also running in a VMware virtual machine. It’s a perfect match for the VMware customer.

Paul Taylor:  Encryption has a reputation for being the hardest part of security. How do you address that concern?

Patrick Townsend: Yes, you are certainly right about encryption having a reputation for being hard and expensive to deploy. However, things are really different today. I’ll give you a couple of examples:

First, our VMware key management solution will soon be released as a ready-to-use key manager. This means that the first time you boot our Alliance Key Manager For VMware solution it will ask you a few questions, create a complete configuration for the key manager, and start the service. You literally have a functioning key server in a few seconds. What 5 years ago required multiple engineers and weeks of installation and configuration now gets done in a blink.

Secondly, our client-side encryption applications and SDKs are also designed for rapid deployment. For example, SQL Server Transparent Data Encryption also deploys through a standard Windows install process. Again, you answer a few questions, install credentials into the Windows Certificate store, run a handful of SQL Server commands, and you are fully protected with encryption. It is incredibly easy.

Paul Taylor:  I think everyone worries about performance when you talk about encryption. How well do your encryption solutions perform in VMware?

Patrick Townsend: Performance impacts are a natural thing to worry about. Encryption is a CPU intensive task, and it will have some effect on your application or database. Fortunately modern encryption libraries are very efficient and the impact is usually very modest. Back to our example about SQL Server TDE encryption, the average customer will experience about a 2% to 4% impact when activating TDE encryption. This is very manageable. Large SQL Server databases can pose a performance issue with TDE which is why we also support Cell Level encryption with SQL Server.

We always encourage our customers to try our encryption solutions before they make a full commitment. We make it very easy to do a proof-of-concept project with encryption. Our free evaluations let you take it for a spin and evaluate the impacts yourself.

Paul and Patrick also cover topics on high availability, business recovery, and compliance regulation concerns for protecting data in a VMware environment.  Be sure to download the podcast to hear the rest of their conversation:

Podcast: Protecting Data with Encryption in VMware
 

Topics: Data Security, Encryption, Security Insider Podcast, Encryption Key Management, Podcast

PCI Compliance and the Assessment Process

Posted by Michelle Larson on Dec 4, 2014 1:30:00 PM

Understanding PCI Merchant Levels and how an assessment can help your business

If your business takes credit cards for payment, then you are subject to the Payment Card Industry – Data Security Standards (PCI-DSS).

Companies of all sizes must comply with PCI DSS to ensure that their customers' data is protected during the processing and transmission of credit or debit card transactions and securely stored within any internal databases. PCI categorizes businesses into different classification levels based on the number of transactions and dollar amounts they process each year.

Level 1 – All merchants processing more than 6 million card transactions annually

Level 2 – All merchants processing between 1 million and 6 million card transactions annually

Level 3 – All merchants processing between 20,000 and 1 million card-not-present only transactions annually

Level 4 – All other merchants

Level 1 companies are most likely well versed in the annual PCI audit process, as they have a certified onsite audit annually with a Qualified Security Assessor (QSA). Level 2, 3, and 4 merchants are not required to hire an onsite QSA, but can have a certified Internal Security Assessor (ISA) do the PCI self-assessment annually. However, a small business preparing a self-assessment to participate in its first PCI review may find it a little daunting. If you're feeling that the PCI assessment process is overwhelming and complicated, understanding this process may be the first step toward putting your mind at ease.

If you are a Level 1 merchant, the PCI assessment is a process carried out by a QSA to establish whether or not a business is compliant with security standards relating to the processing of transactions made via a credit or debit card (payment card). PCI compliance assesses your business's point-of-sale system, payment applications, and all interconnecting systems with these goals in mind: (1) to examine your system, (2) to identify vulnerabilities, and (3) to prevent data from being compromised.

It’s not a matter of “IF”, but “WHEN”

If you have already suffered a data breach, working closely to review your assessment and put data security best practices into place will provide you with a roadmap to help avoid future losses. If you have not yet been breached, undergoing an assessment and reviewing your risk tolerance can still be stressful. Understanding the process may alleviate some of that stress and help you to maximize your use of the information in the PCI DSS assessment report.

How can a PCI audit help my business?

PCI compliance auditing helps businesses to ensure they are providing the most secure environment for their customers to process payments and ensures that transactions are less likely to result in a compromise of customers' data.

Ensuring that you meet PCI compliance and have a solid infrastructure for managing data security will increase customer confidence in your business and ensure that you're not exposed to security breaches that could have been avoided. 

To learn more about meeting PCI compliance requirements, download the whitepaper Meet the Challenges of PCI Compliance and find the answers to the following questions (and more):

  • What will my auditor look for?
  • How can I ensure my customers' data is secure?
  • What is the difference between tokenization and encryption?
  • What is encryption key management and why are auditors looking at this?

 


Topics: Compliance, Data Security, PCI DSS, Best Practices, Encryption Key Management, White Paper

Being Thankful Every Day for Data Security!

Posted by Michelle Larson on Nov 26, 2014 1:06:00 PM

Because Hackers Don’t Take a Holiday

Companies earn my loyalty when I know they are looking out for and protecting their customers! So yes, I am truly thankful every day for data security and the encryption & key management solutions that help protect our personal information.

Michelle Larson and Family

 

Michelle – Marketing

I’m grateful for all the amazing blessings I receive on a daily basis.  I have a loving and healthy family, dear friends, creative and witty co-workers.  I also get to work for a company that is truly focused on doing good in the world, our community, and here in the office too.   

 

Robbi in Human Resources

 

 

Robbi – Administration 

I am thankful every day I wake up and have the gift of another day to spend with my family, friends and doing the things I love.

 

Ken and His Family 

 

Ken – Marketing

I am thankful for my girls!  (the day we adopted our daughter and became a forever family)

 

Jim from Development

 

 

Jim – Development

I am thankful for my family and friends.

 

 

Victor and his wife

 

 

Victor – Partner Operations

I am thankful for a happy and healthy family.

 

David – Support

I’m thankful for biosynthetic insulin!

 

 

 

Shayna and Ryan with their first puppy

 

Shayna – Sales

I am thankful for my family who has always challenged me to be the best version of me.  I am thankful for the family I call my coworkers for always believing in my abilities.  I am thankful for my fiance for always making me feel safe and making me laugh.  I am thankful for my dog Barkley who has brought me pure joy and happiness and my new puppy Lenny who we are getting for Christmas!

 

 Sandra and Family

 

Sandra – Administration

I am thankful for our family cabin and the joy that it brings.

 

 

Robbn and family

  

 

 

Robbn – Support

This is exactly what I am thankful for…  3 of my favorite people!

 

 

Tim – Development

I am thankful there’s always more!

 

 James and his daughter

 

 

James – Sales

I am grateful for my wife and daughter's love.

 

 

Luke and Family 

 

 

 

 

Luke – Marketing

I am thankful for an awesome, musical family and being able to work with an awesome company that is helping keep your and my personal information safe.

 

 

The Amazing Carol!

 

 

Carol – Administration

I am thankful for my family, and for working at a place where everyone feels like family!

 

 

Victoria in Support

 

 

Victoria – Support

I'm thankful for Starbucks hot chocolate.  

 

 

The Talented Katie

 

 

 

 

Katie – Administration

I’m always thankful for family, friends and community!

 

Paul – Development

I'm thankful for the way the universe has brought me together with my father, he is 97 and an irascible old guy. But he has an unbounding love for life and an enthusiasm that is fantastic. Unfortunately his zest for living exceeds his physical abilities but to see his love for the moment is wonderful.


Patrick Townsend CEO

 


Patrick – CEO

I am thankful for my wonderful family, my tolerant and forgiving friends, and for the great community of employees and partners who make Townsend Security successful. Best holiday wishes to them all!

 

 

 

 

Being surrounded by loved ones, mashed potatoes, turkey, gravy, and pies has become the annual setting where Americans express their thanks each November.  Instead of bottling up all that gratitude to be released on one day, let’s take time throughout the year to show our thanks, express our gratitude, and share with others!  

“Not what we say about our blessings, but how we use them, is the true measure of our thanksgiving.” ― W.T. Purkiser

 

Topics: Data Security, Encryption, Encryption Key Management, Community

Why is Encryption & Key Management So Important?

Posted by Michelle Larson on Nov 20, 2014 12:50:00 PM

Shayna at SecureWorld Seattle 2014

More Questions from the Tradeshow Floor (Part 2)

In our last blog we touched on a few of the questions asked at events we attended in November. There were so many great conversations that I’ve decided to share a few more!

Session on encryption and key management

With the various platforms that I can deploy an encryption key manager in, how do I know which one is right for me?

There are several factors that will come in to play when deciding where you deploy your key management:

  • Compliance regulations that you need to meet can be a factor in whether you deploy a Hardware Security Module (HSM), a cloud HSM, or a virtualized instance. If you are working with an auditor or going through a QSA audit, you'll want to have a conversation with them to understand their expectations from a compliance point of view around where you deploy your encryption key manager.
  • Risk tolerance will also come into play. You may have a security group within your organization with strong feelings about how to deploy encryption key management and how to mitigate risk. If you have large amounts of sensitive data to protect you might decide to deploy an HSM in your secure data center. If you're dealing with a very small amount of data and you do not process credit cards or personally identifiable information, your risk assessment may indicate a cloud deployment.
  • Budget is certainly always a factor to consider. It is important to consider the cost benefits of security; however, we all understand that leaving our data in the clear is no longer an option. It is a matter of understanding your industry regulations and risk assessment, then deciding what encryption and key management to deploy.

While they are generally the most secure solution, Hardware Security Modules (HSMs) can be more expensive than a virtual environment, dedicated cloud instance, or virtual private cloud. Once you look at all the factors that affect your company, we will be there with the right solution that will work for your needs.

Tell me more about all these different options you have for the Alliance Key Management Solution… are they all going to help me meet compliance requirements?

There are still our original hardware security modules (HSMs) and now there are new options for deployment of cloud-based HSMs, virtual appliances (VMware), and true cloud instances of encryption and key management in AWS and Microsoft Azure.

  • Hardware Security Module (HSM) is a physical appliance or security device that is protected and tamper-evident. Built for high resiliency and redundancy, it has hot swappable rated disc drives, dual power supplies, dual network interfaces, and is deployed in your IT data center.
  • Cloud HSM is a physical appliance hosted in a secure cloud with real-time encryption key and access policy mirroring.  Dedicated HSMs are hosted in geographically dispersed data centers under an ITIL-based control environment and are independently validated for compliance against PCI DSS and SOC frameworks. No access is available to the cloud vendor or any unauthorized user.
  • Virtual Appliances are the exact same key management solution - the same binary software that runs inside the hardware HSM - available as a VMware instance.
  • In the Cloud - If you're running on Microsoft Windows Azure, vCloud, or in Amazon Web Services (AWS), the encryption key manager can run as a true cloud instance in a standard cloud or deploy in a virtual private cloud for added data protection for sensitive applications.

Because encryption and key management is so important, we offer all of the options listed above as NIST and FIPS 140-2 compliant solutions.

How is Alliance Key Manager Priced?

We have a wide set of options for our customers, and are dedicated to helping find affordable solutions. We have perpetual license or subscription options for classic HSMs, Cloud HSM, and virtualized environments. Our cloud offerings are true usage-based subscriptions, so if you're used to deploying in Amazon Web Services or Windows Azure, our encryption & key management solutions will fit that same strategy for pricing.  

We really believe that the encryption should go everywhere you need it to go! Your key management should work across a wide set of application environments, and it must be affordable, so that we can all get where we need to be in terms of protecting sensitive data. Regardless of where your data is or what platform you are using, there's a key management solution that can work for you!

How can Encryption and Key Management improve my bottom line?

Whether you choose a designated hardware security module (HSM), something designed specifically for virtualized environments (VMware), or data storage in the cloud, encryption and key management solutions can help you:

  • Gain competitive advantage and build loyalty by protecting your customers' data against access by unauthorized users
  • Reduce hardware costs by leveraging virtual environments in the cloud
  • Significantly improve your data security strategy while satisfying data compliance and privacy requirements

Overall, data encryption offers many benefits and provides solid protection against potential threats or theft. In addition to the many benefits, encryption is also efficient, easy to use, and affordable!

What sets Townsend Security apart from other key management vendors?

We want to protect data and make sure encryption is available everywhere you need it, so at Townsend Security we have a very different philosophy and approach:

  • We think that when you buy an encryption key manager, you should be able to easily deploy the solution, get all your encryption projects done properly, and have very affordable and predictable costs.
  • We understand that we live in a world where budget matters to our customers, so we do not charge client-side fees.  
  • We know that IT resources are limited, so we have done a huge amount of work to make our solutions easy with out-of-the-box integrations and simplified deployments. Along with our solution, we also provide ready-made client-side applications, encryption libraries, source code samples, and SDKs for developers who need them to get their projects done very quickly.

Want to learn more about how to properly secure your data and protect your business against a data breach? Download our eBook “The Encryption Guide”:

The Encryption Guide eBook


Topics: Alliance Key Manager, Compliance, Data Security, Encryption, eBook, Encryption Key Management, Trade Shows