+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

Microsoft SQL Server with Security Enclaves and Always Encrypted

Posted by Patrick Townsend on Mar 4, 2020 7:27:19 AM

Microsoft introduced Always Encrypted in SQL Server 2016 as a way to protect data in SQL Server databases. Always Encrypted runs on a client side system and encrypts data before it is stored in the SQL Server database. This provided some new protection for sensitive data stored in SQL Server - at least the server administrator and the DBA would not have access to the sensitive data. Or, that was the idea.

Encryption & Key Management for SQL Server - Definitive GuideAlways Encrypted suffered from severe limitations and did not achieve wide acceptance and deployment. The types of SQL queries and operations you could perform were minimal. You could not do basic SQL query operations that most businesses rely on. So Always Encrypted has not been deployed much.

Microsoft is attempting to address these limitations in a facility called Secure Enclaves. Secure Enclaves is a special operating environment that runs on SQL Server itself. You can think of it as a special virtual environment that can’t be accessed by a server administrator or DBA, but which can decrypt sensitive data from the database and perform those more complex SQL operations. SQL Server runs in one environment, and Secure Enclaves is a separate, more secure environment on the same server that runs those SQL requests against decrypted data. 

Processing data in a Secure Enclave means that the encrypted data has to be decrypted. How does that happen if the encryption key is on the client-side system and not on the SQL Server system? There are now special drivers on the client-side system that will send the encryption key to the Secure Enclave when needed. 

So, is this more secure? That is a hard question to answer. Here are some things to think about:

  • Protected execution environments, like Secure Enclaves, have their own security concerns. The operating system hypervisors that manage these secure environments bring their own attack surface. Adding new attack surfaces brings more risk.
  • The client-side implementation of Always Encrypted also adds an attack surface. Again, the more places that are potentially open to an attacker the more risk you bear.
  • In many cases, client-side systems are not as well protected as core SQL Server systems. Think of a user PC in your organization, or think of a remote office server. User and remote systems are notoriously hard to protect well. 
  • Encryption key management is the linchpin of your encryption strategy. Unfortunately, Always Encrypted has limited options for deploying industry standard key management. Always Encrypted supports storing encryption keys in the Windows Certificate Store and in Azure Key Vault. It does not support the industry standard Key Management Interoperability Protocol (KMIP). This means you are very limited in terms of your key management options. 
  • Using the Windows Certificate Store to protect your Always Encrypted encryption keys may not be compatible with the California Consumer Privacy Act (CCPA) -and using Azure Key Vault may violate PCI Data Security Standards (PCI DSS) cloud guidance. 
  • A core aspect of your encryption key management strategy is monitoring who has access to encryption key credentials, and reporting on access failures. When the encryption is performed on the client system by Always Encrypted, you may have limited ability to monitor activity and detect unauthorized access attempts. That further complicates your security posture.

My thoughts:

One of the primary goals of Always Encrypted and Secure Enclaves is to protect sensitive data by implementing Separation of Duties. That is, ensuring that system administrators and DBAs do not have access to both protected data and the encryption keys. This is a core security principle when protecting data-at-rest. 

You can achieve Separation of Duties by using a proper key management solution like our Alliance Key Manager. By assigning key management duties to a security professional, and isolating key management responsibilities from DBAs, you achieve the heart of the Separation of Duties goal. I believe that when properly implemented, a SQL Server Transparent Data Encryption (TDE) implementation with good key management gives you a very strong security posture without the risks involved with Always Secure and Secure Enclaves. Of course, you have to do a lot of other things to secure your Windows server and SQL Server. Proper encryption and key management is only one part of your overall security strategy.

Microsoft is doing a lot of things right in the area of data protection. The recent implementation of encryption for SQL Server Standard Edition 2019 is exactly the right thing to do. It puts encryption and key management in the hands of a lot of SQL Server users who have not had access to this technology. I hope that Microsoft will eventually embrace open standards for encryption key management in Azure and in other Microsoft products. This will be a great step forward for Microsoft customers.

Patrick

Encryption

Topics: SQL Server, Security Enclaves

Microsoft SQL Server Encryption in AWS - Without Cloud Lock-In

Posted by Patrick Townsend on Feb 28, 2020 10:00:14 AM

Interest in Microsoft SQL Server database encryption is booming! What is driving the sudden rush to encrypt sensitive data? Certainly the new California Consumer Privacy Act (CCPA) is a part of this. Just a few days after the CCPA became law the first class action lawsuit was filed. No business wants to deal with a class action lawsuit, and encryption is the only safe harbor from class action lawsuits.

Encryption & Key Management for SQL Server - Definitive GuideWe have to give some credit to Microsoft, too. In the past, database encryption was only available in the Enterprise editions of SQL Server. Upgrading from SQL Server Standard, Express and Web editions was an expensive proposition. Then (... SURPRISE! ...) in November 2019 Microsoft announced that SQL Server Standard Edition 2019 would also support encryption in the same way that the Enterprise edition does. It was a great Holiday gift to the many thousands of SQL Server users and ISVs who need to meet compliance regulations.

And the continued publicity about data breaches, ransomware, state actors, and new zero-day exploits continued to elevate everyone’s awareness of the threats to their sensitive data. So encryption is suddenly hot.

Let’s take a look at using SQL Server encryption in Amazon Web Services (AWS). 

Encryption Key Management

If you’ve been following this blog series you know how important key management is to an encryption strategy. That is even more true in the AWS environment. While Amazon makes available a proprietary key service, it can’t be used with databases like SQL Server that implement vendor or open standards. And AWS KMS is a shared encryption key service - both you and Amazon have access to your keys. So, before you start your SQL Server encryption project, be sure to get your key management strategy right.

Local Master Key Storage

When you implement encryption with SQL Server you have a choice about where you store the master keys. You can store them next to the SQL Server database (bad), or you can store the keys in an external key management system using the SQL Server Extensible Key Management (EKM) interface (better). Using an external key management system through the EKM interface is the only way to protect your data under CCPA, and it’s a best security practice. That is what we will focus on for the rest of this blog. 

SQL Server and Extensible Key Management (EKM) Provider

Starting in SQL Server 2008 Enterprise, Microsoft implemented database encryption and added the EKM Provider interface for encryption key management. This interface pre-dated the modern KMIP interface, but provides a similar architecture for integrating encryption key management for SQL Server. The EKM Provider architecture has been a part of SQL Server Enterprise since that release more than a decade ago. Our customers have performed many upgrades to SQL Server and the EKM interface has been stable and reliable. 

The EKM Provider architecture is essentially a set of rules for implementing a plug-in module for SQL Server to integrate with a key manager such as our Alliance Key Manager for SQL Server. You code a Windows DLL to the specification, register it to SQL Server, run an activation command in the SQL Server console, and you have encrypted your SQL Server database! It is fast, easy and straightforward.

Key Management in the Cloud

Now you need a key manager that implements the EKM Provider interface, and you need a place to deploy that key manager. Our customers usually deploy Alliance Key Manager directly from the EC2 console and the AWS Marketplace when they want a dedicated key manager that runs within AWS. Alliance Key Manager runs in an EC2 instance, is dedicated to you (not shared with Amazon or us), and provides the EKM Provider software at no additional charge. You just: 

  • Launch Alliance Key Manager
  • Answer a few configuration questions
  • Download the certificates that SQL Server needs
  • Configure the EKM Provider
  • And activate it

In a short period of time you can fully protect SQL Server with strong encryption and proper key management.

Key Management Outside of the Cloud

Some Microsoft SQL Server users want full control of their encryption keys outside of the AWS cloud. This is incredibly easy! You can deploy Alliance Key Manager as a VMware instance in your on-premise data center, then configure the SQL Server EKM Provider to connect to the on-premise key server. The EKM Provider interface is exactly the same in all Alliance Key Manager platforms. You will need to set network permissions in AWS, and allow a connection to the on-premise key server, but that’s it. You can get key management outside the AWS cloud very easily. Additionally, if you initially deploy in the cloud and want to migrate to your own data center, that is also fast and easy.

Key Management Across AWS Regions

Many AWS customers deploy their applications in different AWS regions in order to achieve a higher level of resilience and reliability for failover. Alliance Key Manager can fully support this approach. You can deploy the production key manager in the same region as your AWS application, and deploy the failover key manager in the remote AWS region where your failover runs. Once configured, they will automatically synchronize the keys and access policy, and will give you an optimal, real time failover across the AWS region boundary. 

Business Continuity and High Availability

The key manager you deploy with SQL Server has to match the high availability strategy you use with SQL Server and your applications. This means the key manager has to fail over in real time. Alliance Key Manager mirrors keys in real time in an active-active configuration. If your database and applications are designed for continuous operation, Alliance Key Manager will give you the immediate failover support you need - and that can be cross-region, outside the cloud, and even across cloud service providers.

Unlimited Databases

Most of our Microsoft SQL Server customers run multiple applications and databases. Alliance Key Manager does not restrict the number of SQL Server databases that you connect to it, and there are no client-side licenses per database. You can encrypt your first database with Alliance Key Manager, and then add any number of additional databases at no charge. Alliance Key Manager does not count or limit the number of databases you protect. You can even protect other databases like MongoDB and MySQL using the same key manager. This is the way enterprise key management should work!

Cloud Independence - It’s real

Amazon Web Services provides a great number of cloud services for applications and storage. Unfortunately, most of the AWS services implement a proprietary interface. The result is cloud lock-in restricting your ability to easily move to other cloud platforms. A business opportunity, merger, acquisition and other events can be painful when you have cloud lock-in. Alliance Key Manager runs in a number of cloud and virtualized environments and will help you avoid cloud lock-in. Cloud independence is real.

Evaluations and Proof-of-Concept

At Townsend Security we know that key management is a part of your critical infrastructure. We make evaluations and Proof-of-Concept projects extremely easy. You can launch Alliance Key Manager for AWS directly from the AWS Marketplace, get access to Quick Start guides for SQL Server, and be up and running quickly. Alliance Key Manager will automatically license for a free 30-day evaluation period, and you will have access to our technical support group for assistance.

HINT: When you launch Alliance Key Manager from the AWS Marketplace, be sure to register with us. Amazon does not share your company information with us, so we won’t be able to help unless you register. Here is the link to register.

True Enterprise Key Management for SQL Server, dedicated to you, is a couple of clicks away right from the AWS Marketplace

Patrick

Encryption Key Management for AWS

Topics: Amazon Web Services (AWS), SQL Server

How MySQL Enterprise Transparent Data Encryption Works

Posted by Ken Mafli on Feb 25, 2020 12:11:46 PM

What is MySQL Encryption for Data-at-Rest?

MySQL Enterprise encryption for data-at-rest enables the encryption of tablespaces with transparent data encryption (TDE). It is relatively easy to set up and with the use of a compliant key management server (KMS)—secure.

MySQL Enterprise Transparent Data Encryption (TDE)

InnoDB, MySQL’s storage engine, offers transparent data encryption (TDE) for your sensitive data-at-rest. It secures the tablespaces via a “two tier encryption key architecture” that consists of:

  • Tablespace encryption keys that encrypt the tablespaces.
  • A master encryption key that encrypts the tablespace keys.

Encrypting Everything in MySQL EnterpriseThe only thing that you must add is a trusted, third-party encryption key manager. But more on that later.

With these items in hand, the system works like this:

  • A tablespace is encrypted, generating a tablespace encryption key.
  • The tablespace key is encrypted via the master key.
  • The encrypted tablespace key is stored locally in the tablespace header.
  • The master key is stored in a trusted, third-party encryption key manager.
  • The master key’s full lifecycle is managed via the encryption key manager.

In this way, when a user or application needs to access the encrypted data, they just need to authenticate that they are authorized to access the data. From there, InnoDB uses the master key to decrypt the tablespace key and tablespace key is used to decrypt the data. The end user never sees this process, it is transparent to them.

Advantages of Using MySQL Encryption

Advantages of MySQL Enterprise Encryption

Meets Compliance Regulations

Organizations are under increasing pressure to comply with a patchwork of compliance regulations. The good news, MySQL Enterprise edition uses standards based AES encryption for data-at-rest and is also KMIP compatible, so centralized key managers can plug-in to properly manage the master keys. Here are a few compliance regulations that MySQL Enterprise encryption helps you comply with:

Payment Card Industry Data Security Standard (PCI DSS)

Nick Trenc, IT Security Architect at Coalfire Labs, had this to say about encryption and PCI DSS compliance:

One of the key components to the protection of cardholder data at any merchant location is the use of strong cryptography along with just-as-strong cryptographic key management procedures. PCI DSS Requirement 3 outlines what the PCI council believes to be the baseline for strong cryptographic key management procedures and is a key element of any PCI DSS audit.

General Data Protection Regulation (GDPR)

According to GDPR, your security controls must be adequate to account for the risk of accidental, unlawful, or unauthorized disclosure or loss of personal data. If you are not adequately prepared to fend off attacks from hackers or unscrupulous employees and prevent a data breach, you could face stiff fines and lawsuits. Only proper encryption and centralized key management will ensure that should an attack occur, the data will be useless to the attacker.

California Consumer Privacy Act (CCPA)

Here is what Patrick Townsend said about encryption and CCPA:

If you want to avoid the risk of direct or class action litigation related to data loss you should encrypt the sensitive data. Individual and class action litigation only applies to unencrypted sensitive data that is disclosed or lost, for whatever reason. The CCPA is clear on the need for encryption. If you lose unencrypted sensitive data this is direct evidence that you violated your duty to provide reasonable security procedures and practices to protect the sensitive information.

The good news: enabling MySQL Enterprise encryption, coupled with encryption key management, will help keep you in compliance with these regulations. If you are protecting cardholder data, consumer data, or just internal HR records, encrypting that data with MySQL’s TDE will help you meet compliance and keep that sensitive data safe.

Easy to Deploy

MySQL encryption is easy to configure. Entire databases can be encrypted with just a few command line edits. Here are some selected examples from MySQL’s Reference Manual:

  • To enable encryption for a new file-per-table tablespace:
    • mysql> CREATE TABLE t1 (c1 INT) ENCRYPTION='Y';
  • To enable encryption for an existing file-per-table tablespace:
    • mysql> ALTER TABLE t1 ENCRYPTION='Y';
  • To disable encryption for file-per-table tablespace:
    • mysql> ALTER TABLE t1 ENCRYPTION='N';

Alliance Key Manager also makes this process easy. Since we are fully integrated with MySQL Enterprise, the configuration process is pretty straight forward. Many times, you can be up and running in a matter of minutes.

KMIP Compatible

As MySQL Enterprise encryption is KMIP 1.1 compatible, you can easily deploy your prefered key manager to manage your encryption keys. This means you are able to use a FIPS 140-2 compliant encryption key manager, like our Alliance Key Manager.

How It Works

 

MySQL Enterprise has made protecting your sensitive data easy. What’s more, setting up Alliance Key Manager for MySQL is easy as well. Here’s how it works:

  • First, install and set up the primary and failover Alliance Key Manager servers.
  • Download the admin authentication certificates from the Alliance Key Manager server to create a secure TLS connection and perform authentication.
  • Then, create a directory to store your KMIP config file and store certificates needed for the Alliance Key Manager admin / client connection.
  • Next, you will need to specify your primary key server and high availability failover key server.
  • Finally, create a master key in Alliance Key Manager and use that to encrypt your tablespace keys in MySQL.

That's it, you have successfully encrypted your MySQL Enterprise database and properly managed the keys! To learn how Alliance Key Manager can help you easily protect your sensitive data in MySQL.

Final Thoughts

Encrypting your sensitive data in with MySQL’s Enterprise encryption has these advantages:

  • It’s standards based AES-256 encryption. This means that your data is secured with the encryption algorithm that NIST recommends.
  • It’s KMIP compliant. Your encryption is only strong if your keys are secure. With a trusted third-party key manager protecting your master keys, your encryption will remain strong.
  • The encryption is transparent to users and applications. No manual processes are needed to access the databases. The data is there, on demand, for all authorized users and applications.

If you haven’t taken advantage of MySQL encryption, now is the time. MySQL encryption makes it simple. Alliance Key Manager makes it secure. Talk to us today.

 

What Data Needs To Be Encrypted in MySQL?

 

 

Topics: MySQL, Alliance Key Manager for MySQL

California Consumer Privacy Act (CCPA) and Lawsuits

Posted by Patrick Townsend on Feb 10, 2020 10:39:44 AM

Well, that did not take long.

34 days after the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, a lawsuit was filed against retailer Hanna Andersson and cloud service provider Salesforce for a data breach where sensitive information was not properly protected. Information about approximately 10,000 California customers were exposed on the dark web. The information apparently included customer names, addresses, credit card numbers, CVV codes, and card expiration dates. Everything a cybercriminal needs to execute financial fraud. What a haul!

Encryption and Key Management for VMware - Definitive GuideThe fine under the CCPA can be up to $750 per record, making the liability cost in this case about $7.5 million - and that is only a part of the picture. Litigation costs will be large and there may be fines from the California Department of Justice and from other governmental entities. Hanna Andersson is a relatively small retailer with approximately 60 stores, 400 employees and annual revenue around $140M. Losses of this size are painful.

Here is a good article about the data breach, and it has a link to the actual lawsuit:

CCPA Cited in Hanna Andersson/Salesforce Breach Lawsuit 

Let me share a few thoughts with you.

First, let’s not forget that the villains in this case are the cybercriminals who perpetrated this crime against Hanna Andersson and Salesforce, and ultimately against the individuals who will experience identity theft and financial fraud. Could Hanna Andersson and Salesforce have done more to prevent this data breach? Certainly yes. But in the early years of my IT career I worked for companies like Hanna Andersson. I worked with wonderful, amazing, dedicated IT professionals and my sympathies are with them, too. Salesforce has been a moral leader in an industry that has seemed at times to lack a moral compass and I admire the values that Marc Benioff and his company have promoted over these last few years.

But this lawsuit is a harbinger of things to come. Ignoring the new landscape of regulatory compliance is dangerous.

Here are some takeaways that I hope will be helpful:

  • We are all moving our IT infrastructure to the cloud. The financial and operational benefits are overwhelming and this migration to the cloud will not change. However, we have not properly accepted responsibility for the security of our applications and data in the cloud. Our cloud service provider, whomever it is, will not protect us. Own and embrace your security posture now, no one else will do it for you.
  • The California Consumer Privacy Act puts the onus on businesses to protect consumer sensitive data. This may not be fair, but it is now a fact of life and other states will certainly follow California’s lead. The CCPA mandates that businesses protect consumer information with encryption if they want to avoid these types of lawsuits. That’s where we are, and that is what you need to do.
  • We have fully arrived in the land of Zero Trust. All of your systems in the cloud and on-premise are at risk. If you haven’t done an inventory of your systems with sensitive data, this is the first thing to do. Knowing where sensitive data resides provides you with a map to address adding the protections that are needed.
  • Prioritize the systems based on risk. Which systems have the most sensitive data? Which are more exposed to a data breach? Which databases will be the easiest to mitigate? The prioritized list does not have to be perfect, but you need one as soon as possible.
  • Get started with your encryption projects. Some databases make this easy to do. If you have Microsoft SQL Server, MongoDB, or MySQL, you have a clear and fast path to add encryption through native database support. If you have databases or storage that do not support native encryption, consider migrating them to VMware vSAN encrypted storage for these applications. 
  • On your way to encrypting your sensitive data, don’t forget about encryption key management. One of the changes that came with CCPA is the requirement to store encryption keys away from the sensitive data. Most databases give you the option of storing the encryption key on the same server as the data. Don’t do this, you will lose all of the protections you need under CCPA.

Here at Townsend Security we help organizations large and small achieve the highest level of data protection. It won’t cost you an arm and a leg, either. The days of overpriced encryption and key management solutions are over. Talk to us about our Alliance Key Manager solution for protecting your data.

Patrick

New call-to-action

Topics: CCPA

AWS and Key Management and Pricing

Posted by Patrick Townsend on Feb 4, 2020 8:42:06 AM

Ahhhh, Amazon Web Services (AWS) are so delightfully inexpensive, aren’t they? The AWS Key Management Service (KMS) is one of those really inexpensive services that many of us love to use. For many AWS customers AWS KMS isn’t even noticeable on your bill.

Or, is it?

New call-to-actionAs we start to deploy data in the cloud we start to use more encryption keys. The first project might use one or two keys, and that cost is not even noticeable. What happens as you start to deploy more and more projects to the AWS cloud? Or, you adopt a strategy of assigning each user in your database their own key (a great strategy to deal with GDPR and CCPA)? The number of keys can start to go up quickly, and your AWS KMS cost goes up with them.

Here is something that happened to one of our customers who had a growing need for keys:

They decided to use a separate encryption key for each of their customers. The idea was to encrypt with an encryption key unique to each customer. When they needed to delete the customer data they only needed to delete the encryption key for that customer. With lots of customers they soon had thousands of encryption keys. And they were shocked when a really large Amazon bill came due for those keys. AWS charges $1.00 for each key and it adds up really fast. So some caution is in order.

Is there any way to avoid the high cost of AWS KMS for multiple keys?

Yes there is. Our Alliance Key Manager in AWS solution can be deployed right in the AWS cloud at a low monthly cost, with no charge per encryption key. Whether you need 10 encryption keys, or 100,000 encryption keys, the cost is the same. And we don’t count the number of endpoints, either. So, the cost remains the same even as you increase your data protection.

Besides a lower cost for key management, there are other benefits to deploying our key manager in AWS:

  • You have exclusive access to the key manager – unlike AWS KMS, it isn’t shared with Amazon (or us).
  • You can deploy redundant key managers (product and high availability) across different AWS geographic regions.
  • You can mirror your encryption keys from AWS to an on-premise key manager.
  • You can deploy replicating key managers across multiple clouds.
  • You have full support for encryption of databases like SQL Server, MySQL, MongoDB, and others.

When you need a lot of encryption keys in AWS, our Alliance Key Manager is a winner. We don’t charge per key, you have flexible options to deploy key management in the cloud and on premises, you will save a lot of money over AWS KMS, and you will have a dedicated Enterprise key management solution that you don’t share with anyone. You will be deploying a true cloud neutral key management solution.

Talk to us to find out more details about the benefits of deploying Alliance Key Manager for AWS for your organization.

Patrick

Encryption Key Management for AWS

Topics: Amazon Web Services (AWS)

California Consumer Privacy Act (CCPA) and Encryption Key Management

Posted by Patrick Townsend on Jan 31, 2020 9:46:06 AM

In October of 2019 I blogged about the California Consumer Privacy Act (CCPA) and its impacts on businesses. I knew that a lot of businesses were aware of the CCPA coming into effect on January 1, 2020, but I thought that there was a lot of misinformation and confusion about the CCPA. In that blog I laid out a number of facts about CCPA and some suggestions on actions you can take. I also noted that the law was very likely to get an update by the end of the year. You can find that original blog here:

California Consumer Privacy Act (CCPA) - Things You Need To Know

Podcast: CCPA - What You Need to KnowWell, that update to CCPA and related notification laws has happened. Several new laws were enacted in December 2019 that clarify and modify the CCPA. While the broad requirements of CCPA remain intact, there were some changes that bear noting.

One important change relates to encryption key management and breach notification. Let’s do a deeper dive.

First, it is important to note the role that encryption of sensitive information plays in CCPA. Among other things, the CCPA dramatically empowers consumers to recover damages after a data breach of unencrypted data, and limits the ability of businesses to inhibit that recovery. Here are a few aspects of CCPA law:

  • Businesses are not allowed to limit the ability of consumers to seek recovery. The widely used practice of liability limitation, arbitration clauses, and so forth are prohibited.
  • The California Department of Justice can levy steep fines on businesses that suffer a data breach and who have not adequately protected sensitive data.
  • Consumers are empowered to bring class action lawsuits around a data breach to recover damages. This kind of litigation is specifically enabled by the CCPA and should scare covered businesses.
  • However, class action lawsuits are only allowed with the loss of unencrypted sensitive data. Encryption is your friend!

So, what is different with the new laws?

AB1130 is one of those recent bills that modifies the CCPA notification requirements. It retains the litigation protections provided by encryption, but further clarifies that encryption keys must be properly protected. Here is what AB1130 says about breach notification (extracted and highlight added):

SECTION 1. Section 1798.29 of the Civil Code is amended to read:

1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

The full text of AB1130 is here:

https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB1130

Security professionals know that encryption is only as good as the protection you provide to the encryption key. The CCPA notification rules now embed that understanding right in the law. And you must understand what this means in terms of your litigation protections.

Let’s take one example:

Microsoft SQL Server is a widely used database for business information. SQL Server implements Transparent Data Encryption (TDE) to protect all data in the database. And it gives you two options for storing encryption keys:

  • Local storage of the key on the same server as the database.
  • Remote storage of the key by integrating with a professional key management system.

A lot of Microsoft SQL Server customers store the key locally on the same server as the database. Why? Well, it is easy and free. 

Here is the problem:

It is trivially easy for a cybercriminal to recover a locally stored encryption key if they have access to the server or a backup of the server. In fact, there are ready made programs that will just recover the key for the hacker and unlock the encrypted data, in just a few seconds. This is a prime example of where poor encryption key management will damage your ability to limit notification and liability under CCPA. Don’t expect to argue that the key was properly protected. Every security professional knows how poorly protected a locally stored key is.

Is there a way to mitigate this poor encryption key strategy?

Yes. 

Microsoft SQL server also supports remote encryption key management systems through a special interface known as Extensible Key Management, or EKM. You don’t have to store the key locally - you can easily plug in a key management system and protect the encryption key properly as the CCPA recommends. Problem solved, from a CCPA perspective. Our own Alliance Key Manager supports remote key management through the EKM interface.

Here are a few takeaways:

  • Under the CCPA, encryption is a critical part of your compliance strategy, and your strategy to limit liability after a data breach. It is hard to overstate the importance of encryption.
  • When you do encryption, you have to manage the keys properly. Use a professional key management system like our affordable Alliance Key Manager to accomplish this. Alliance Key Manager is NIST FIPS 140-2 compliant which is the gold standard for key management certification.
  • If you are currently storing the key locally, it is easy to move to a proper key management system. It usually just takes a few minutes.
  • There is no such thing as a good, secure method to store keys locally with your data. Just don’t do it.
  • Key management systems are now affordable and easy to deploy. We can prove it!

The California Consumer Privacy Act and subsequent laws change everything in terms of how we process and protect sensitive data. Encrypting that sensitive data, and protecting the encryption key, is not hard and is within reach of every business. 

Talk to us. We’ll show you how fast and easy it is to meet this part of the new CCPA and notification regulations.

Patrick

P.S. I don’t mean to pick on Microsoft SQL Server here. The same issue applies to almost every commercial and open source relational and NoSQL database! 

Podcast: CCPA - What You Need to Know

Topics: Encryption Key Management, CCPA

2019 SQL Server Encryption Survey

Posted by Ken Mafli on Jan 15, 2020 6:00:00 AM

This last November (Nov. 6-8, 2019) we had a chance to participate in the 21st annual PASS Summit in Seattle as an exhibitor. It was a great time as SQL Server professionals from around the world attended. We had an opportunity to ask them about their company's encryption and key management practices. Below are the results as well as some expert weigh-in on the findings. Enjoy!

The SQL Server Encryption Survey—2019

 

2019-SQL-Server-Encryption-Survey

 

A special thanks to our contributors for their expertise and guidance. You all are clear-minded professionals that have a lot to offer those looking to better secure their data:

-Ed Leighton-Dick, Kingfisher Technologies
-Tim Roncevich, CyberGuard Compliance
-Justin Garren, LyntonWeb
-Sharon Kleinerman, Townsend Security
-Patrick Townsend, Townsend Security

If you are looking to protect your encryption keys for your sensitive data in SQL Server, you need a FIPS 140-2 compliant centralized key manager that:

  • Never charges you additional fees for connecting a new end-point.
  • Never limits the number of end-points based on the model of the KMS.
  • Never limits the number of encryption keys generated or stored.
  • Never forces you to pay extra fees for software patches.
  • Never forces you to pay extra fees for routine software upgrades.
  • Always gives you unmatched customer service.
  • Always protects your keys, 24/7.

You need Alliance Key Manager for SQL Server.

Alliance-Key-Manager-for-SQL-Server 

 

 

Topics: Key Management, Extensible Key Management (EKM), SQL Server 2008, Microsoft, Info-graphic, SQL, Encryption Key Management, SQL Server, Transparent Data Encryption (TDE), SQL Server encryption

Townsend Security Provides NFR Licenses for Key Management Server (KMS) to VMware vExperts

Posted by Luke Probasco on Jan 7, 2020 12:00:00 AM

Alliance Key Manager, featuring full support for VMware encryption of VMs and vSAN, is now available free of charge to VMware vExperts.

Free NFR License for Encryption Key Management Server (KMS)Townsend Security today announced that it offers free Not for Resale (NFR) licenses to VMware vExperts for Alliance Key Manager, their FIPS 140-2 compliant encryption key management server (KMS). The NFR license keys are available for non-production use only, including educational, lab testing, evaluation, training, and demonstration purposes. NFR Licenses are available here.

Alliance Key Manager enables VMware customers to use native vSphere encryption for VMs and vSAN to protect VMware images and digital assets while deploying a secure and compliant key management server (KMS). VMware users can deploy multiple, redundant (HA) key servers as a part of the KMS Cluster configuration for maximum resilience and high availability. The key manager is certified by VMware for use with vSphere version 6.5 and later, and for vSAN version 6.6 and later. 

Using the advanced cryptographic permissions in VMware vCenter Server, along with a KMS, VMware users can prevent internal/external threats and protect sensitive workloads. In addition to supporting vSphere encryption of VMs and vSAN, Alliance Key Manager supports application and database encryption deployed in VMware virtual servers.

“We are excited to provide VMware vExperts with Alliance Key Manager, our encryption key management server (KMS) for their test labs,” said Patrick Townsend, CEO of Townsend Security. “Protecting sensitive data continues to be a critical concern in IT, and an important part of both security and compliance efforts. Data-at-rest encryption options in vSphere are comprehensive and very easy to use. Alliance Key Manager seamlessly integrates with VMware’s encryption capabilities.”

Townsend Security is a VMware Technology Alliance Partner (TAP) and Alliance Key Manager for VMware has achieved VMware Ready status.   VMware vExperts can request an NFR license of Alliance Key Manager for VMware here.

New call-to-action

Topics: Alliance Key Manager, Press Release

Ransomware and Encryption - I Was Wrong

Posted by Patrick Townsend on Jan 2, 2020 8:48:08 AM

I might as well start the New Year with an admission and an apology. Let’s clear the slate.

eBook: Definitive Guide to Encryption Key ManagementIn the past I’ve minimized the use of encryption as a specific way to deter Ransomware attacks. My thinking was that encryption would not really help you if your systems are compromised by Ransomeware. After all, my thinking was, the data is still on your servers it just isn’t accessible because it is now encrypted with a key that you don’t have. Of course, you can pay the ransom to unlock your data. There are lots of good reasons to encrypt sensitive data, but I was not seeing encryption as a specific way to specifically minimize the risks associated with Ransomware.

I believed that your best defense against ransomware was to have good backups and be prepared to restore systems quickly from those backups. A lot of our customers had become lax in their backup strategy, and this left them exposed to Ransomware attacks. They just weren’t able to quickly restore from backups, or those backups did not exist, or they were not current enough.

I failed to understand the evolving nature of Ransomware threats. It simply did not occur to me that a cybercriminal would BOTH lock your data AND steal the data and threaten to release it if the ransom payment was not made. That is exactly what is happening now. 

It is now clear to me that encrypting your sensitive data is an important part of your defense against Ransomware attacks. If the attacker cannot access the data, they can’t threaten its release to put pressure on you. So it is time to revisit your security strategy around Ransomware:

  • Backups are still important. They are a first line defense against Ransomware.
  • Your backup strategy is not complete until you fully test the restore process. You will always find glitches during the test of the restore operation. You don’t want to be finding these glitches during a Ransomware recovery process.
  • Encrypt all sensitive data to deny its use by attackers.
  • Use proper encryption key management as a part of your encryption strategy. Locally stored encryption keys (SQL Server, MongoDB, MySQL, and so forth) are easy to recover. If you are not protecting the encryption keys you don’t have an encryption strategy.

There is much more that you need to do to protect against Ransomware, but these items are crucial to your strategy. 

Encryption has many other benefits including helping you meet compliance regulations (California CPA, etc.), helping you minimize reputational damage, helping you protect digital assets and business secrets, and much more. It is time to review your encryption strategy and plug any holes.

If you are a small organization you don’t have to feel left out in the cold. Here at Townsend Security we help small organizations get encryption and key management right. You are NOT priced out of the market. If you are a small organization ask us about our SMB plan.

Patrick

eBook: Definitive Guide to Encryption Key Management

 

Topics: Encryption, Ransomware

Alliance Key Manager Now Available for IBM Cloud for VMware

Posted by Luke Probasco on Dec 18, 2019 11:15:00 AM

Alliance Key Manager for IBM Cloud for VMware provides encryption and key management to help IBM Cloud for VMware customers meet data privacy compliance regulations and security best practices.

Key Management for IBM Cloud for VMware PodcastTownsend Security today announced Alliance Key Manager, its affordable FIPS 140-2 compliant encryption key manager, is available for IBM Cloud for VMware. By running Alliance Key Manager for IBM Cloud for VMware, enterprises can encrypt VMs and vSAN virtual directories and protect private information in their applications and databases with a dedicated key manager - with no access to encryption keys by IBM.

Working with VMware and Coalfire, Townsend Security’s Alliance Key Manager achieved compliance with PCI-DSS when implemented on a standard VMware reference architecture. Support for the PCI-DSS standard has smoothed the path to compliance for VMware customers in IBM Cloud. Additionally, Alliance Key Manager for IBM Cloud for VMware can also help businesses meet other compliance regulations such as GDPR, CCPA, HIPAA, GLBA/FFIEC, FISMA, etc.

“Customers want to experience regulatory compliance out-of-the-box. They don’t want to have to engage in lengthy audits and security validations in order to deploy applications to the cloud. PCI-DSS is one of those key indicator regulations and our commitment to provide proven regulatory compliance is a great benefit to our VMware customers,” said Patrick Townsend, CEO of Townsend Security. “We take data security compliance issues off of the table and this really helps our customers. With this announcement we are extending formal support for our solutions to the IBM Cloud for VMware.”

As enterprises move to IBM Cloud they bring their sensitive data with them. With Alliance Key Manager for IBM Cloud for VMware, organizations can encrypt their VMs and vSAN storage that are managed by vSphere. Leveraging the KMIP interface in vSphere users can define one or more key managers to protect the encryption keys used to encrypt VMs and vSAN. Alliance Key Manager is certified by VMware for all versions of vSphere and vSAN that support encryption.

“Encrypting VMs and vSAN storage provides a rapid path to meeting security best practices and compliance regulations. There is no limit to the number of VMs or vSAN storage pools that you can protect,” continued Townsend. “I am proud of our team for creating a truly affordable solution for VMware key management. Small businesses should contact us for information about special small business pricing.”

Alliance Key Manager for IBM Cloud for VMware is available for a free 30-day evaluation.

Key Management for IBM Cloud for VMware Podcast

Topics: Press Release, Alliance Key Manager for IBM Cloud for VMware

Blog-CTA-VMware-CSP
 
The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 
 

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all