Encryption & Key Management… why that ampersand is so important!
We frequently talk about a variety of different data security measures and the difficulty of making information truly secure in a multi-tenant environment. What steps are we taking to protect the most valuable assets we have as companies, such as our customer’s Personally Identifiable Information (PII)? Are we starting with the most critical steps in the process and then building out from there? Let’s make sure we have the basics covered!
Encryption is the first step to keeping information secure from anyone who accesses it maliciously, it is also a clear compliance requirement and critical part of protecting data in any environment. Use industry standard encryption such as Advanced Encryption Standard (AES, also known as Rijndael) which is recognized world-wide as the leading standard for data encryption. Never use home-grown or non-standard encryption algorithms. Make sure your security partner will supply you with all of the sample code, binary libraries, applications, key retrieval and other tools you need to implement encryption and key management fast and easily. Whether your data resides in the cloud, in a virtual environment, or in your own data center; always make sure you are using the right type of encryption to protect it.
The second step to the security solution is Encryption Key Management. While encryption is critical to protecting data, it is only half of the equation. Most regulations require that encryption keys must be stored and managed away from the data they protect because storing encryption keys with the data they protect, or using non-standard methods of key storage, will not protect you in the event of a data breach. When encrypting information in your applications and databases, it is crucial to protect encryption keys from loss and securely managed from key creation, management, distribution, and archival or destruction (the full key lifecycle). In the past, key management used to be a complex and difficult task that required hardware and a team of security specialists to implement. Our key manager is available as a ready-to-use, easy-to-deploy solution that is compliant with the NIST FIPS 140-2 standard in a variety of instances:
In the Cloud - If you're running on Microsoft Azure, or in Amazon Web Services (AWS), the encryption key manager can run as a true cloud instance in a standard cloud or deploy in a virtual private cloud for added data protection for sensitive applications.
VMware - Businesses are able move their VMware infrastructure beyond traditional data centers and into the cloud with VMware’s vCloud. By using the same FIPS 140-2 compliant software found in physical appliances, enterprises can provably meet compliance requirements with a VMware based encryption key manager running in the cloud.
A Cloud HSM is a physical appliance hosted in a secure cloud with real-time encryption key and access policy mirroring. Dedicated HSMs are hosted in geographically dispersed data centers under an ITIL-based control environment and are independently validated for compliance against PCI DSS and SOC frameworks. No access is available to the cloud vendor or any unauthorized user.
A Hardware Security Module (HSM) is a physical appliance or security device that is protected and tamper evident. Built for high resiliency and redundancy it has hot swappable RAID (Redundant Array of Independent Disks) disc drives, dual power supplies, dual network interfaces, and is deployed in your IT data center. Cloud applications can connect to a remote HSM over a secure, encrypted connection.
Do you have the basics covered? If you are unsure about the status of your defense-in-depth strategy to data security, contact one of the experts on the Townsend Security team. We have a variety of resources to help you answer your most pressing questions and a variety of solutions to make sure you are protecting your data the best way possible. At Townsend Security we also take a very different philosophy and approach:
- We think that when you buy an encryption key manager, you should be able to easily deploy the solution, get all your encryption projects done properly, and have very affordable and predictable costs.
- We understand that we live in a world where budget matters to our customers, so we do not charge client-side application or connection fees.
- We know that IT resources are limited and have done a huge amount of work to make our solutions easy with out-of-the-box integrations and simplified deployments. We also provide ready-made client-side applications, encryption libraries, source code samples, as well as SDKs for developers who need them.