Download our Encryption Key Management and PCI DSS 2.0 Compliance Matrix white paper to learn more about ensuring that the way you protect cardholder data meets PCI DSS requirements.
I recently returned from the 5th Annual PCI Security Standards Council vendor expo in Scottsdale, AZ. And rather than returning with a sunburn (after all, it was 106 degrees there), I returned with a much better appreciation of what companies are doing to help protect cardholder data. Every major company that accepts credit cards was at this event. As a consumer at many of these companies, it made me feel good to know that they take this job seriously and are doing everything they can to keep my information, and all of their customers' information, secure.
This was my first time at the event, and I enjoyed meeting new people and learning a lot of interesting things. I met with QSA auditors, customers, potential customers and vendors. When asked who Townsend Security was, I recited my elevator pitch and said "we provide certified encryption and key management solutions to help mid-market customers meet compliance requirements." That message was well received; however, as the expo continued, I discovered that people "get" encryption and were more interested in discussing encryption key management. Many knew key management was something they needed to do, and those who said they were already doing something wanted to know how they could automate the process.
I spoke with one QSA auditor and asked his opinion on why so many people might be inquiring about this topic, and his response was, "I have yet to see key management done correctly." And for companies working on staying compliant, I think one lady's response about key management at her organization may sum it up best: a long pause, accompanied by a rolling of her eyes and a heavy sigh, saying "it's not good."
We know encryption key management isn't easy, but it is necessary for compliance and, to be honest, it is really a best practice for protecting data. If you are going to go through all the work of encrypting data, then you should make sure the keys that safeguard the data are also secure: an attacker who can read the key does not need to break the cipher. I talked a lot about our encryption key management solution, Alliance Key Manager (Enterprise and SQL Server editions), at the Expo and thought it would be worth recapping some of the discussion for those who couldn't be there and are facing the encryption key management requirements of PCI DSS.
1) Manage and store encryption keys on a certified appliance. Keeping keys on a dedicated key manager, away from the encrypted data, is what lets you satisfy the PCI DSS requirements for separation of duties and dual control. Separation of duties means the people who administer keys are not the people who can read the encrypted data: a QSA auditor will check that the same person who has access to encrypted data does not also have access to the keys that unlock it, and that access to each key is restricted to the specific users or groups that need it (PCI DSS asks for the fewest custodians necessary). Dual control means that sensitive key operations such as creating, rotating or exporting a key cannot be carried out by one person acting alone; requirement 3.6.6 calls for split knowledge and dual control wherever clear-text keys are handled manually. A key manager that is physically and administratively separate from the application servers makes both controls enforceable rather than a matter of written policy.
2) Rotate encryption keys. PCI DSS requires that a key be changed when it reaches the end of its defined cryptoperiod (requirement 3.6.4) and retired or replaced when it is suspected of being compromised (3.6.5). Rotation is more than generating a new key: either the existing ciphertext has to be re-encrypted under the new key, or the retired key has to be kept, for decryption only, until that data is migrated or purged, and each ciphertext needs to carry an identifier of the key that produced it so the right key can be found later. Done by hand this is time consuming, easy to get wrong depending on how your encryption code was written, and often simply overlooked. Our encryption key management solution lets you schedule regular key rotations and enforce your internal security policies while meeting PCI requirements.
3) Log all encryption key activity. Alliance Key Manager has built-in logging that lets administrators track every key retrieval, key management operation, and system event. These records can be forwarded automatically to central log management, alerting facilities, or SIEM products for a timely and permanent record of activity, which is the audit trail PCI DSS requirement 10 expects you to keep and protect, and what a QSA will ask to see when reviewing your key management procedures.
4) Certification. Our encryption key management solution is FIPS 140-2 Level 1 certified. FIPS 140-2 validation covers the cryptographic module itself, meaning the algorithms and key handling inside the appliance were implemented and tested against the NIST standard; it is the evidence a QSA will ask for, but the surrounding procedures (named custodians, rotation schedules, logging) still have to be in place for the audit.
5) Don’t let cost be a barrier to meeting compliance requirements. If you have looked at key management solutions, you know they can be costly. Alliance Key Manager (enterprise and SQL Server editions) are priced with the mid-market customer in mind. I think this was the fact that resonated with people I spoke with the most. They were happy to hear about a solution that is easy to implement, as well as cost-effective.
We handed out this PCI DSS and Key Management matrix at the conference, and several people found it useful. Download your copy to learn more about key management requirements. And if your company knows it needs an encryption key management solution, give us a call. We are happy to spend 15 minutes on a technical overview with you and your team to find out how we can help.