Townsend Security Data Privacy Blog

Going Beyond Compliance Requirements with Encryption Key Management

If you are new at protecting data in Microsoft SQL Server environments, generally compliance regulations are what drive an encryption project.   In the past, encryption has had a reputation for being difficult to do, complex, and  time consuming, we hope to show you how that has changed.  

To start us off, here are a few definitions and acronyms that may help:

• AES – Advanced Encryption Standard – this is the most common standards based encryption that is used to protect data whether that is in SQL Server or any other environment where data-at-rest is protected.
• EKM – Extensible Key Management – within the Microsoft SQL Server environment EKM is a part of the Enterprise edition 2008/2012 and higher
• HSM – Hardware Security Module – the Townsend Security HSM encryption key management product is Alliance Key Manager
• FIPS – Federal Information Processing Standard
• NIST – National Institute of Standards in Technology

Since it wasn’t thought of as something that improved the “Bottom line” by increasing revenue or decreasing expenses, encryption has historically been a project solely driven by the need to meet compliance regulations.

There are a large variety of compliance regulations that most, if not all, businesses fall under. One common misconception about compliance regulations is that they don’t equally apply to both private and public companies. To clarify, these regulations apply to all companies, of all sizes, whether they are privately-held or publicly-owned. For example, if you take credit cards for any reason, you fall under Payment Card Industry - Data Security Standards (PCI-DSS). Other common regulations are:

• HIPAA Data Security & HITECH Act of 2009 which applies to Medical Providers and the healthcare industry.
• GLBA/FFIEC apply to banks, credit unions, credit reporting agencies, and anyone in the financial industry.
• FISMA is for Federal US Government Agencies.
• The Federal Trade Commission (FTC) also gets involved with anyone who issues a privacy statement.

More than 45 states also have their own privacy rules, in addition to the ones listed above, that strongly recommend encryption of any personally identifiable information (PII).

So, beyond compliance with regulations, why should you care about encryption… and what is it anyways?  First of all, your customers, clients, and suppliers all expect you to protect their sensitive data.  Hackers and data thieves are targeting mid-sized companies because, as larger companies get better at securing sensitive information, the hackers see smaller companies as better targets.  Financial fraud and data breaches become more common in those businesses that might not be as prepared without the resources to have an internal security team. Data loss can have a big impact on a company's reputation as well as their financial health.

AES encryption is a mathematical formula for protecting data.  It is based on a proven, well-known algorithm and standards published by NIST.  But since that formula is a open and vetted standard use, it is not the mathematical algorithm that is the big secret.  It is what happens with the “Key” that locks and unlocks the data that all the fuss is about.

Key management is so important because the encryption keys are THE secret that must be protected.  Without access to the key, a hacker that accesses encrypted data has no way to read it.  Industry standards and best practices for encryption key management, as well as compliance regulations that require proper encryption key management, all state that storing encryption keys on the server with the protected data is a poor security practice.  Encryption keys are unique and cryptographically secure, and once created, protecting the key is the core practice that will protect the sensitive data.  It will not be defensible in the event of a data breach if the keys were stored in the same server as the data.  (Akin to leaving the key to your house in the door lock and being surprised that someone has entered uninvited!)

Our solutions help Microsoft SQL Server customers really protect their data.  Alliance Key Manager, our encryption key management hardware security module (HSM), is FIPS 140-2 certiied.  This means it meets Federal standards that private enterprises expect around key management.  We provide encryption key management solutions for every version and edition of SQL Server starting with SQL Server 2005.

Please join our founder and data security expert, Patrick Townsend, in this 30-minute webinar that will cover encryption and key management best practices with Microsoft SQL Server!

As always, your comments and feedback are appreciated! 

ISV Executives Can Improve their Payment Applications with the Right Encryption and Key Management Partner

Your company competes against many other ISVs selling niche retail management software and payment applications. You need a strong partner to guarantee you are providing the best encryption and key management to your customers.
Because when payment applications don’t adequately protect encryption keys or use encryption key management best practices to secure cardholder data, they leave your customers extremely vulnerable to data breaches.

At Townsend Security, we offer industry standard AES encryption and certified key management and we believe that good encryption and key management is the cornerstone of good security.  Here are three ways we believe a good partner should help ease the burden of data security:

1. Reduced Cost and Complexity          

I know... you are thinking “Key management is both costly and difficult” - while that reputation was accurate ten years ago, today certified encryption key management using best practices can be achieved quickly, easily, and at an affordable price. We help you by offering encryption key management that is quick and easy to deploy, has a cost effective licensing model, and we will even OEM or “white label” for you because we don’t believe issues around branding should get in the way of good data security.

2. Provide Certified Solutions

We believe that data security should be constantly evolving to meet the challenges of new security threats. Retail ISVs and payment application software companies need to know that although their solution may have earned a PA-DSS certification, these standards, like all PCI standards, are not set in stone. Just because a solution has been certified once, outdated encryption and key management practices might not suffice during the next certification process. Since encryption and key management are necessary components of payment application systems, providing customers with third party OEM NIST-certified AES encryption and FIPS 140-2 compliant key management would give an ISV some critical advantages.

Townsend Security not only supplies NIST and FIPS 140-2 certified encryption and key management, we'll help you achieve your own FIPS certification under our OEM program. In order to confidently protect your customers, NIST and FIPS certifications ensure that encryption key management has been tested against government standards and will protect compromised data in the event of a breach.

3. Protect Your Customers

While many payment applications have a PA-DSS certification, in order to protect your customers from a data breach, you must not only meet these certifications, but also build a security solution that will truly protect data at rest and data in transit using industry best practices. Data security must be a critical element in your risk management plan and conveyed well to your customers.

With our NIST and FIPS certified encryption and key management solutions, retail ISVs can offer easy and affordable industry standard data security. Townsend security has redefined what it means to partner with a security company. Our dedicated team provides our partners with extensive training, back end support, marketing materials, and a cost effective licensing model.  So when (not if) your customer experiences a data breach, and you have implemented adequate security that renders the compromised data unreadable, you will not only be your customer’s hero, but your own company’s hero as well.

In this complimentary podcast, security expert Patrick Townsend discusses “How Retail ISVs Can Improve Their Payment Applications” with Paul Taylor from Security Insider.
 

As always, we welcome your comments and questions! 

Are you providing your customers with the very best in point of sale (POS) data security?

On an almost daily basis, the news media reminds us of the risks associated with unprotected data as they report on each massive data breach that cost companies billions of dollars in lost value and remediation costs.  Data breaches are not a matter of “if”, but more a matter of “when” as hackers get more and more creative.  Many CEO’s think that meeting the basic requirements of the Payment Card Industry (PCI) for data protection will keep their point-of-sale (POS) systems from being compromised. Truth is, hacking into retailer POS payment applications is a recurring problem worldwide, even for retailers who meet compliance standards.

1.     Know Your Data Breach Risks – Ask the Right Questions!

As CEO, security and risk management is your bottom line. You need to know if and how your product development team is following best practices to protect your company and your customers from a data breach.  Most payment application vendors offer encryption and key management, however not all of them are following best practices by using an encryption key management hardware security module (HSM). An HSM keeps the encryption key physically separate from the encrypted data, making sure that the data a hacker retrieves from a compromised system is functionally unusable.

With tighter security standards for data encryption, encryption key management, and constantly evolving regulations, you have an opportunity to go beyond basic compliance and gain consumers’ trust amid growing concern about the amount of electronic data companies collect, analyze, and share. 

So, what can you do as a CEO to ensure your products are fully protecting your customers’ data? One important thing to do is start asking more specific questions of your product managers. Asking the right question can quickly expose data protection risks that you didn’t know you have.

Here are some sample questions:

• Where in our systems does sensitive data reside, even briefly, in unencrypted form? Could I get a list?
• What type of encryption do we use in our payment application for data at rest?
• How are we protecting encryption keys?
• Are any of the encryption keys stored on the same server with the protected data?
• Are we protecting our encryption keys with an HSM?
• Are we using industry standard encryption and key management?
• Are our encryption and key management solutions NIST certified?
  

There are really straight-forward answers to these questions. The lack of clear and unambiguous answers should raise an immediate red flag in your mind, and provide the beginning of a deeper discussion about data protection with your product development team.

2.     Know What Your Customers Fear– Think Like a Hacker!

Awareness is the first step toward point-of-sale security. Retail payment systems are frequently hacked by criminals who are employed seasonally or temporarily, and given access to a system with insufficient security measures in place.

Help gain your customers trust by training them on the importance of good password management and system log monitoring as a part of their overall POS security efforts.

• A surprising number of retailers never change the factory passwords on their POS systems and this is a huge security risk. Not only should factory passwords be changed, subsequent passwords should be changed regularly. Often, cracking a payment application system relies on the merchant being lazy about password implementation and changes.  Make sure your customers know best practices and you’ll be their hero!
• Hackers’ techniques have gotten more sophisticated and they can hide evidence of attacks; going undetected for months or even years. Yet, a study of confirmed breach cases in 2009 found that nearly 90 percent of victims had evidence of the breach in their system log files.  Do you train your customers in the importance of monitoring their system logs in real time?

3.     Proactive Security Planning - Use Best Practices To Start With!

Keeping on top of point-of-sale security is essential for every business.  Good encryption and key management is the cornerstone of good security. It can’t be an afterthought at the executive level; data security has to be a critical element in every risk management plan and conveyed well to your customers.

An effective data breach plan can mean the difference between a quick recovery and a serious blow to a company’s reputation. The steady pace of data breaches reinforces the need for encryption as a first line of defense. Firewalls and VPNs can provide some protection against data breaches and theft, but there is no substitute for strong encryption and effective encryption key management, especially in customer data and cloud environments. There’s no longer an excuse not to properly protect your POS payment application system and educate your POS system customers in security best practices.

In this complimentary eBook, "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication CEOs and CIOs", authors Kevin Beaver, CISSP, Patrick Townsend, and Todd Ostrander will teach you about:

• Business risks associated with unprotected sensitive data
• Tools and resources to begin the discussion about data security in your company
• 5 Common misconceptions
• Actionable steps YOU can take
   

In Microsoft SQL Server 2008/2012 Enterprise edition users can enable Extensible Key Management (EKM) and use either TDE or cell level encryption to encrypt their sensitive data and to be selective about the data they encrypt.  EKM is an architecture that allows users to incorporate a third-party* encryption key management hardware security module (HSM) in order to truly secure their data using key management best practices and meet compliance regulations.

*Townsend Security is a Microsoft Silver partner and provider of encryption key management HSMs for Microsoft SQL Server, Microsoft SharePoint, Windows, and Microsoft Azure.

Users select from one of the two methods of SQL Server encryption available for the Microsoft SQL Server 2008/2012 Enterprise Edition and above:

1) Transparent Data Encryption (TDE): TDE encrypts the entire database and temporary files within that space with no additional programming.

On earlier versions of SQL Server deploying encryption had been a much larger and more complicated programming project.  With 2008/2012 Enterprise edition, TDE can be implemented fully without any programing at all. Once your administrator has DBA administrative rights, he or she can implement TDE through a straightforward process that requires no changes to coding, queries, or applications. TDE is a favored way to rapidly encrypt data and works well for small or medium sized databases because of its speed and ease of deployment.

2) Cell Level Encryption: Cell Level Encryption allows database administrators to select the columns they wish to encrypt in a database - a benefit for many administrators with larger databases; however, this process takes a little bit more effort to set up.

If you are leveraging EKM and using an external encryption key manager, the database administrator can encrypt data in the column (cell level) by adding a modifier on a particular fetch or update to the database. However, administrators will need to make small changes to their databases to enable their encryption key manager to do this. This is not a complicated step, however, and your encryption key management vendor should be able to help you through this. Cell level encryption works well for large databases where performance impacts must be kept to a minimum and only certain data needs to be encrypted.

Here is a very straightforward YouTube demonstration video where you can see just how easily TDE is set up.

Setting Up TDE & EKM on SQL Server 2008 / 2012 for Compliance

For a more in-depth look, we have compiled a selection of resources (webinar, white paper, podcast) that can provide additional information:

When protecting your data in SQL Server, you need to be as informed as the hackers!

Whether you are the CEO or the database administrator of your company, you need to be aware of what data you are storing and the different compliance regulations that require encryption and key management.

Having a data breach can often go undetected for quite some time, but when it happens (and these days it is “when” not “if”) it can cause some serious issues for your company and your customers!

While “the bad guys” get more creative every day, being aware of their tactics and following security best practices can slow them down and hopefully thwart their attempts from being successful.  Research and “post-data breach” studies have shown that 80% of data breaches happen with a fairly low-tech “old school” type of attack known as SQL injection.  In fact, Injection is #1 on the “2013 Top 10 List” of simple security problems from OWASP (the Open Web Application Security Project).

While not the only method, SQL injections are still one of the most common ways of attacking web services by sending malicious SQL code in parameter fields, with the intent that the server will execute the code. When designing web applications or internal applications you need to remain aware of SQL injection opportunities beyond just the systems securing credit card data. So many people think “we don’t have that problem.” However, if your application is on the internet… you do. Features such as login pages, support or product request forms, shopping carts are all examples of web applications that can make your databases vulnerable. Hackers can gain entry through these other areas of your company website and navigate their way to more valuable data. Once inside your database, they can retrieve or delete sensitive information such as credit card numbers, clients personal information, or company records.  Safeguards such as encryption and key management can help prevent those losses only if they are in place.

Good practices to prevent or mitigate attacks like SQL injection and the loss of unencrypted data :

• Analyze your website and web applications for vulnerabilities.
• Look for it in your system logs, make monitoring a priority.
• and remember,  internal apps are just as susceptible as public apps.

From a best practice point of view, as well as a regulatory compliance view, encrypting your data is a fundamental security step for any system. So even if the information is “retrieved”, it isn’t in a readable format and the hackers won’t be able to use it! While data encryption used to seem like a daunting task, that is no longer the case.  SQL Server 2008/2012 Enterprise Edition and above includes TDE offerings that allows for encryption without application changes.  You can now deploy key management that is easy to use and affordable with Alliance Key Manager, our FIPS 140-2 certified encryption key management HSM. 

Just keep in mind that the single biggest data security issue is failure to protect the encryption key. Always keep your keys off the server and out of the system that holds your encrypted data.  Think of it like the lock on your front door…  you wouldn’t lock up your house and then tape the key next to the handle… would you?

We would like to offer you a complimentary copy of our eBook: “Encryption Key Management Simplified”, which is a fundamentals guide for both IT administrators and business executives alike.  

As always, your comments and questions are welcome!

With the emergence of data security standards, encryption and key management have become a necessity for most companies storing or transferring sensitive data such as credit card numbers, patient data, social security numbers, and other personally identifiable information (PII). 

Transparent Data Encryption (TDE) on Microsoft SQL Server 2008, 2008 R2, and 2012, allows automatic encryption on these editions of SQL Server without application changes. With newly available SQL Server encryption capabilities, encryption key management--a critical step to securing your data--is done easily on SQL Server with extensible key management (EKM). EKM allows customers to choose a third-party encryption key management hardware security module (HSM) and integrate that HSM easily into their SQL database.

Without an encryption key management HSM, SQL Server users are essentially leaving the keys to their data underneath their welcome mat!

Three things to remember for following security best practices:

# 3 – SQL Server Encryption isn’t as imposing as it sounds…

• Compliance regulations drive the need for encryption and require that you protect the encryption keys apart from the encrypted data storage.  
• An encryption algorithm is simply a mathematical formula that protects data. The critical element is the way the “Key” to that formula (the encryption key) is managed. 
• HSMs like Alliance Key Manager create, manage, and protect encryption keys through the entire lifecycle and deliver them securely when they are needed.
• Alliance Key Manager is a quick, efficient, and compliant solution that is easy to implement with our “Key Connection for SQL Server” EKM provider software. Based on FIPS (Federal Information Processing Standard) 140-2 certified technology, it is easy to implement, deploy, and configure with “out of the box” integration with SQL Server.
• Townsend Security is Microsoft Silver partner and Alliance Key Manager works with all versions of Microsoft SQL Server including SQL Server 2005. Additionally, Alliance Key Manager allows you to protect sensitive data stored in Microsoft SharePoint and Microsoft Azure.

#2 - You are required to protect data by government and industry created regulations…

• PCI-DSS (Payment Card Industry – Data Security Standard) for merchants
• HIPAA/HITECH  (Health Insurance Portability and Accountability Act)/(Health Information Technology for Economic and Clinical Health) for medical providers
• GLBA/FFIEC (Gramm-Leach-Bliley Act)/(Federal Financial Institutions Examination Council) for the financial industry
• FISMA (Federal Information Security Management Act) for US Government agencies

#1 - Customers expect their data to be protected!

• PCI-DSS is required for anyone who takes credit cards.
• While expectations for data protection in the medical and financial industries are wide-spread, and easily understood, compliance regulations affect business and organizations of all sizes. 
• Beyond the expectations for privacy, and the laws that require it, the consequences of a data breach or data loss can be substantial. 
• Small to mid-sized companies can be an easy target for data thieves, resulting in costly losses to their business and reputation.

We have resources to share with you about SQL Server Encryption and how to best secure your data.  Please click the button below to access these informative downloads! 
 

As always, we welcome your comments and questions!