Meet PCI DSS & HIPAA/HITECH on SQL Server with Encryption Key Management

As a security company, it always puts a smile on our face when we see people properly protecting their (our) data.  Microsoft made this much easier for organizations running Microsoft SQL Server 2008 with Transparent Data Encryption (TDE) and Extensible Key Management (EKM).  By using TDE, EKM, and an encryption key management appliance, proper encryption and key management is now affordable to even small and medium sized businesses.

As recently as last month I had a small organization tell me, “I just pay the PCI fines.  It is part of my monthly budget and cheaper than doing encryption.”  This sort of thinking is making less and less sense these days.  Today, we can tell these smaller organizations that encryption and key management is now affordable and that we have a solution that was built specifically for their SQL Server.

I recently sat down with Patrick Townsend, our Founder & CTO and asked him what Microsoft customers should be thinking about when they consider using TDE and EKM on Microsoft SQL Server 2008:

A number of questions pop up right away for Microsoft customers when they start thinking about SQL Server EKM.  The first question is usually, “What is the performance impact going to be?”  I think Microsoft has done a great job of minimizing the performance impact using TDE.  Microsoft says that you will see about a 2-4% additional load on servers when you implement encryption.  In a practical sense, and from our customers, I think those are pretty good numbers.  There is some impact on doing encryption, but it is probably much less than you might think.  The performance impact has been really minimized by Microsoft in this approach.  Cell Level Encryption will have a little bit higher performance impact, but most people will use TDE and that has a very good performance profile for encryption.

I think the other thing to think about, if you are going to implement encryption using EKM is to address the key server question right up front.  Even though Microsoft gives you the ability to store an encryption key on the local server, it is not considered good security practice and Microsoft recommends the use of an HSM to protect encryption keys.  You should be thinking about using an appliance or HSM as you go forward to protect your encryption keys and give you the best security practice from a compliance point of view.  You don’t want to go down the path of implementing encryption and not following security best practices.  If you have a data breach, you are going to have to defend the approach that you took if you are trying to avoid legal liability and the cost of breach notification.  Using a proper key server should really be a no-brainer.  It is the right thing to do and the right approach.

Finally, an organization needs to look at the affordability of an encryption key management appliance.  In the past, I think one of the real barriers for encryption has been the very high cost of acquiring HSM technology.  I am very proud of our company for really beating down those costs and making them much more reasonable in terms of creating affordable HSM solutions.  With our solution, every mid-market to large-enterprise customer now has HSM technology within their grasp that is affordable and easy to deploy. 

Download our podcast “Encryption Key Management with Microsoft SQL Server 2008” to listen to our complete discussion and learn even more about TDE and EKM.