Questions from the Tradeshow Floor (Part 1)
November was a very busy month for tradeshows, conferences, and speaking engagements for the team at Townsend Security. We love getting out to meet our current and potential customers and other than “giant Tetris”, our favorite things are the great questions we get asked at events.
What if I lose an encryption key?
While the fear of losing a key is legitimate, the keystone of a successful encryption solution is encryption key management, which is the primary solution for managing, storing, and most importantly, protecting encryption keys. Unlike a “key storage” solution, a cryptographic encryption key manager is typically a NIST FIPS 140-2 compliant hardware security module (HSM) or virtual machine in the cloud that manages key storage, creation, deletion, retrieval, rotation, and archival. Many key management solutions are also produced in pairs, with one located in a different geographical location for high availability. If you do encryption key management right, you will never lose an encryption key.
Is there more to encryption key management than just storing my encryption keys?
There is far more to encryption key management than just storing the encryption key somewhere. Generally, a key storage device only provides storage of the encryption key, and you need to create the key elsewhere. Also, just storing your encryption keys “somewhere” doesn’t work very well for compliance regulations. With an encryption key manager, there is a whole set of management capabilities and a suite of functions that provide dual control, create separation of duties, implement two-factor authentication, generate system logs, and perform audit activities, along with managing the key life cycle. Beyond storing the encryption key, a cryptographic key manager manages the entire key life cycle. Some of the most important functions the key management administrator performs are the actual creation and management of the encryption keys. The keys are generated and stored securely and then go through the full cycle to become active, go into use, expire, retire (post-activation), and then be backed up in escrow, and then deleted (the “destruction” phase). There is a very real need, and there are very specific compliance regulations and guidelines, that require you to store and manage your encryption keys away from the data that they protect.
How easy is securing and protecting sensitive data on SharePoint?
The path to implementing encryption and key management for SharePoint is one of the most straightforward and easy paths. Townsend Security’s Alliance Encryption Key Management solution fully supports automatic encryption in SQL Server and integrates with ease. SQL Server Enterprise and higher editions (starting with 2008) fully implement extensible key management (EKM) and encryption to protect data. Installing encryption on that platform is the first step. Administrators can then leverage the automatic encryption capabilities of SQL Server with only a few commands and no application changes.
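The "few commands" mentioned above, sketched as an added example of SQL Server's generic EKM and TDE statements; it is not Townsend Security's or Microsoft's own script. The provider name, DLL path, identities, secrets, key names, and database name are all placeholders and assumptions.

```sql
-- Added example: TDE backed by an EKM provider. Every name, path and secret
-- below is a placeholder, not a value from any vendor's documentation.

-- 1. Allow SQL Server to load EKM providers.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;

-- 2. Register the key manager vendor's EKM provider library.
CREATE CRYPTOGRAPHIC PROVIDER KeyManagerEKM
    FROM FILE = '<path-to-vendor-EKM-provider>.dll';

-- 3. Credential the administrator uses to reach the key manager during setup.
CREATE CREDENTIAL ekm_admin_cred
    WITH IDENTITY = '<key-manager-identity>', SECRET = '<secret>'
    FOR CRYPTOGRAPHIC PROVIDER KeyManagerEKM;
ALTER LOGIN [<DOMAIN\admin-login>] ADD CREDENTIAL ekm_admin_cred;

-- 4. Reference a key that lives in the key manager. The private key
--    stays there; SQL Server only holds a handle to it.
USE master;
CREATE ASYMMETRIC KEY tde_ekm_key
    FROM PROVIDER KeyManagerEKM
    WITH PROVIDER_KEY_NAME = '<key-name-in-key-manager>',
         CREATION_DISPOSITION = OPEN_EXISTING;

-- 5. Login and credential the database engine itself uses to unwrap
--    the database encryption key when the database is opened.
CREATE CREDENTIAL ekm_tde_cred
    WITH IDENTITY = '<key-manager-identity-for-engine>', SECRET = '<secret>'
    FOR CRYPTOGRAPHIC PROVIDER KeyManagerEKM;
CREATE LOGIN tde_ekm_login FROM ASYMMETRIC KEY tde_ekm_key;
ALTER LOGIN tde_ekm_login ADD CREDENTIAL ekm_tde_cred;

-- 6. Create the database encryption key, wrapped by the EKM key, and turn TDE on.
USE [<content-database>];
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY tde_ekm_key;
ALTER DATABASE [<content-database>] SET ENCRYPTION ON;

-- 7. Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

Because the database encryption key is wrapped by a key held in the key manager, SQL Server must be able to reach the key manager to open the database, which is why the high-availability pairing described earlier matters operationally.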
What impact does encryption have on SQL Server performance?
Encryption will always be a CPU-intensive task, and there will be some performance impact due to the extra processing power needed for encryption and decryption. However, the Microsoft encryption libraries as well as the .NET environment are highly optimized for performance. We have always seen very good performance on SQL Server and the native encryption capabilities that it provides. Microsoft reports that Transparent Data Encryption (TDE) on SQL Server may cost you a 2-4% penalty in performance, and our own tests show similar results that fall on the 2% end of things.
Is there any limit to the number of servers that I can hook up to your encryption key manager?
There are no restrictions, and no license constraints on our encryption & key management solution. We don't meter or count the number of client-side platforms that connect to our Alliance Key Manager, so you can hook up as many client-side applications, servers, and processors as you need to. This is one of the things I think is different about how we approach encryption and key management with our customers. We also know the applications you are running today may not be the applications you need to be running tomorrow and we really want you to deploy encryption to all your sensitive data and scale up when & where you need it.
I am collecting data in Drupal. What data do I need to encrypt?
Organizations starting an encryption project always have this question on their minds. It is a simple question, but can be hard to answer. Generally speaking, you should encrypt any information that alone, or when combined with other information, can identify a unique, individual person. This is called Personally Identifying Information, or PII. This should be your starting point, but you may need to address other information depending on the compliance regulations you must meet.
- PCI Data Security Standard (PCI DSS) applies to anyone, public or private, who takes credit cards for payment. Primary account numbers (PAN) are specifically addressed.
- HIPAA/HITECH Act requires the medical segment (and any business associate) to provide data protection for protected health information (PHI) of patients.
- GLBA/FFIEC applies to the financial industry (bank, credit union, trading organization, credit reporting agency) for protecting all sensitive consumer information.
- Sarbanes-Oxley (SOX) applies to publicly traded companies for sensitive data of personally identifiable information (PII).
In addition to these compliance regulations, the Cloud Security Alliance (CSA) has created the Cloud Controls Matrix (CCM) specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
We encourage all developers to check out Townsend Security’s Developer Program, which allows developers to design strong and secure applications from the ground up using NIST compliant AES encryption and FIPS 140-2 compliant encryption key management.