Going Beyond Compliance Requirements with Encryption Key Management
If you are new to protecting data in Microsoft SQL Server environments, compliance regulations are generally what drive an encryption project. In the past, encryption had a reputation for being difficult, complex, and time consuming; we hope to show you how that has changed.
To start us off, here are a few definitions and acronyms that may help:
- AES – Advanced Encryption Standard – the NIST-standardized symmetric block cipher (FIPS 197) and the most common standards-based encryption used to protect data at rest, whether in SQL Server or any other environment.
- EKM – Extensible Key Management – the SQL Server interface that lets the database engine hand key storage and key operations to an external provider such as an HSM; it is part of the Enterprise edition of SQL Server 2008, 2012 and higher.
- HSM – Hardware Security Module – a dedicated, tamper-resistant device that generates, stores and uses encryption keys so they never leave it; the Townsend Security HSM encryption key management product is Alliance Key Manager.
- FIPS – Federal Information Processing Standard – the series of US federal standards; FIPS 140-2 is the one that specifies the security requirements for cryptographic modules such as HSMs.
- NIST – National Institute of Standards and Technology
Since it wasn’t thought of as something that improved the bottom line by increasing revenue or decreasing expenses, encryption has historically been a project driven solely by the need to meet compliance regulations.
There is a large variety of compliance regulations that most, if not all, businesses fall under. One common misconception is that these regulations apply only to publicly-traded companies. To clarify, they apply to companies of all sizes, whether privately-held or publicly-owned. For example, if you accept credit cards for any reason, you fall under the Payment Card Industry Data Security Standard (PCI DSS). Other common regulations are:
- HIPAA and the HITECH Act of 2009, which apply to medical providers and the healthcare industry.
- GLBA/FFIEC, which apply to banks, credit unions, credit reporting agencies, and others in the financial industry.
- FISMA, which applies to US federal government agencies.
- The Federal Trade Commission (FTC), which also gets involved with anyone who publishes a privacy statement.
More than 45 states also have their own privacy rules, in addition to the ones listed above, that strongly recommend encryption of any personally identifiable information (PII).
So, beyond compliance with regulations, why should you care about encryption… and what is it anyway? First of all, your customers, clients, and suppliers all expect you to protect their sensitive data. Hackers and data thieves are increasingly targeting mid-sized companies: as larger companies get better at securing sensitive information, attackers see smaller companies as the easier targets. Financial fraud and data breaches are more common in businesses that lack the resources for an internal security team and so are less prepared. Data loss can have a big impact on a company's reputation as well as its financial health.
AES encryption is a mathematical algorithm for protecting data. It is a proven, well-known algorithm published as a standard by NIST. Because the algorithm is open and publicly vetted, the algorithm itself is not the secret. The “key” that locks and unlocks the data is the secret, and what happens to that key is what all the fuss is about.
Key management is so important because the encryption keys are THE secret that must be protected. Without access to the key, a hacker who obtains encrypted data has no way to read it. Industry standards and best practices for encryption key management, as well as the compliance regulations that require proper key management, all state that storing encryption keys on the same server as the protected data is a poor security practice. A properly generated key is unique and comes from a cryptographically secure random source, and once it is created, protecting the key is the core practice that protects the sensitive data. Storing keys on the same server as the data will not be defensible in the event of a data breach: an attacker who gets the server gets both. (Akin to leaving the key to your house in the door lock and being surprised that someone has entered uninvited!)
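To make the "key on the same server" point concrete, here is an added example (not from the original post, and not Townsend Security's or Microsoft's own script) showing SQL Server Transparent Data Encryption (TDE) set up two ways: the weak pattern, where the certificate that protects the database encryption key lives in master on the same host as the data, and the corrected pattern, where that protecting key is created and held inside an EKM provider (an HSM), followed by a query that checks which pattern is actually in force. The database, key, login and credential names, the provider DLL path and the secrets are placeholders, and the EKM statements require an edition that includes Extensible Key Management (Enterprise, per the definitions above).

```sql
-- (A) WEAK PATTERN: TDE with the database encryption key (DEK) protected by a
-- certificate stored in master on the SAME server as the data. Anyone who can
-- copy master's files, or back up this certificate, can unlock the database.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password>';      -- placeholder
CREATE CERTIFICATE TdeLocalCert WITH SUBJECT = 'TDE certificate stored locally';
GO
USE SalesDb;                                                          -- placeholder database
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeLocalCert;
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO

-- (B) CORRECTED PATTERN: the DEK is protected by an asymmetric key that is
-- generated and held inside the EKM provider (the HSM). The private half never
-- lands on the SQL Server host; SQL Server asks the provider to unwrap the DEK.
USE master;
GO
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;   RECONFIGURE;
GO
CREATE CRYPTOGRAPHIC PROVIDER HsmProvider
    FROM FILE = 'C:\Program Files\HsmVendor\EkmProvider.dll';         -- placeholder: your vendor's EKM DLL
GO
-- Credential used by the administrator's session to create the key in the HSM.
CREATE CREDENTIAL HsmAdminCred
    WITH IDENTITY = 'hsm-user', SECRET = '<hsm-secret>'               -- placeholders
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
ALTER LOGIN [DOMAIN\dba] ADD CREDENTIAL HsmAdminCred;                 -- placeholder login
GO
CREATE ASYMMETRIC KEY TdeHsmKey
    FROM PROVIDER HsmProvider
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'SqlTdeKey',        -- name of the key inside the HSM
         CREATION_DISPOSITION = CREATE_NEW;      -- OPEN_EXISTING reuses a key already in the HSM
GO
-- The engine needs its own login and credential to reach the HSM at startup,
-- when it must decrypt the DEK with no user session present.
CREATE LOGIN TdeHsmLogin FROM ASYMMETRIC KEY TdeHsmKey;
CREATE CREDENTIAL HsmEngineCred
    WITH IDENTITY = 'hsm-user', SECRET = '<hsm-secret>'               -- placeholders
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
ALTER LOGIN TdeHsmLogin ADD CREDENTIAL HsmEngineCred;
GO
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeHsmKey;
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO

-- (C) THE CHECK: what actually protects each database's DEK right now?
-- encryptor_type = 'ASYMMETRIC KEY' with provider_type = 'CRYPTOGRAPHIC PROVIDER'
-- means the protecting key is in the EKM provider; 'CERTIFICATE' means the key
-- material is still sitting in master on this server.
SELECT  DB_NAME(dek.database_id)           AS database_name,
        dek.encryption_state,              -- 3 = encrypted
        dek.key_algorithm,
        dek.key_length,
        dek.encryptor_type,
        COALESCE(ak.name, c.name)          AS encryptor_name,
        ak.provider_type                   -- NULL for certificates and local asymmetric keys
FROM    sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.asymmetric_keys AS ak ON ak.thumbprint = dek.encryptor_thumbprint
LEFT JOIN sys.certificates    AS c  ON c.thumbprint  = dek.encryptor_thumbprint;
```

Run the query in (C) on an existing server before starting an EKM project; a database that reports `CERTIFICATE` has been "encrypted" with the key left in the door lock. If a database is already encrypted under pattern (A), `ALTER DATABASE ENCRYPTION KEY ... ENCRYPTION BY SERVER ASYMMETRIC KEY TdeHsmKey` re-protects the existing DEK with the HSM key without re-encrypting the data.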
Our solutions help Microsoft SQL Server customers really protect their data. Alliance Key Manager, our encryption key management hardware security module (HSM), is FIPS 140-2 certified. This means it meets the federal standards for cryptographic modules that private enterprises expect around key management. We provide encryption key management solutions for every version and edition of SQL Server starting with SQL Server 2005.
Please join our founder and data security expert, Patrick Townsend, in this 30-minute webinar that will cover encryption and key management best practices with Microsoft SQL Server!
As always, your comments and feedback are appreciated!