Townsend Security Data Privacy Blog

Property Management Systems Need Stronger Encryption Key Management

Posted by Liz Townsend on Sep 12, 2013 9:50:00 AM

The risks of handling customer data when you’re operating a business are inherent. Whether you run a hotel, resort, or casino, you are probably handling thousands to millions of pieces of important customer data, much of which should be protected using technological controls. Most industry standards mandate that you protect data such as names, credit card information, protected health information (PHI), and other personally identifiable information (PII) with strong encryption and encryption key management. Hospitality is one of the industries that must comply with regulations, specifically Payment Card Industry (PCI) security standards as well as state privacy laws.

Unlike retail stores that handle credit card information via individual transactions, businesses that fall under the category of hospitality such as hotels, resorts, and cruise-lines deal with greater risks from having to hold on to a client’s credit card information over time. The property management systems (PMS) that handle this data should be using encryption and encryption key management while the data is stored.

Think back to the last time you booked a hotel reservation. The first thing you were asked to provide was a credit or debit card number. By the time you’ve made your trip, stayed in the hotel, and are ready to check out, do they ask for your credit card again? No. They’ve been storing it since you gave it to them, and they have it on file just in case you ate some snacks out of the minibar. They keep your card number because they’ll want to charge you for those macadamia nuts.

While holding on to customers’ card information mitigates certain risks for hotels, the process of storing their customers’ sensitive data also results in new, more challenging risks around data security. Many people in the hospitality industry know this and take preventative measures, but many businesses are still suffering from the pains of not having a working data security strategy.

What are the pain points?

  • Hospitality industry is targeted by hackers
  • IT systems of franchise hotels are interconnected, resulting in larger data breaches
  • Smaller hotels often have weaker data security systems
  • When customer data is held over time there is greater risk of a data breach
  • Implementing security that protects the data, such as encryption and encryption key management, has a reputation for being difficult and costly
  • Hospitality organizations need powerful solutions that integrate seamlessly into their existing IT infrastructure

The technology vendors that sell hospitality organizations the property management systems and payment application systems that house and protect customer cardholder data need to know that these pain points are real. The only way to protect customers and avoid data breach notification is by protecting the data itself using encryption and strong encryption key management. Encryption renders sensitive data unreadable, and if you’ve securely stored your encryption keys away from the encrypted data, malicious intruders will never be able to “decode” or “unlock” the encrypted data. Implementing a strong encryption key management solution can be difficult for many IT teams in any organization. Offering hotels and casinos powerful encryption key management through their property management and payment application systems is an untapped opportunity for hospitality software vendors to increase revenue.

According to a new report by British insurance firm Willis Group Holdings, insurance claims for data theft worldwide jumped 56% last year, with the largest share of those attacks – 38% – targeting hotels, resorts and casinos. Intrusion prevention measures such as firewalls and strong passwords are of course recommended, but hospitality organizations need to know that these measures will not protect their data from an intelligent hacker. With the appropriate technology in place, any hospitality business can not only detect unauthorized or malicious access to sensitive data in real time, but can also be assured that its data is safe if it is using strong encryption and encryption key management. These controls fortify your IT infrastructure with security that does more than give hackers a fun challenge to break through.

To learn more about encryption key management to meet PCI requirements and protect your business in the event of a data breach, download the podcast, “Must-Haves in an Encryption Key Manager,” featuring security expert Joan Ross, CISSP-ISSAP, HISP.

Topics: Payment Applications, Property Management Systems (PMS), Hospitality/Gaming

What is Social Engineering? Know the Signs and how to Prevent Attacks

Posted by Kyle Shelton on Sep 3, 2013 8:23:00 AM

What is “social engineering,” and how do you prevent malicious attacks such as phishing? I’m sure many of you have heard the term before, but you may not quite know what social engineering means. There are many forms of Social Engineering; however, when we talk about baiting, phishing, and tailgating we’re not talking about a fun weekend at the lake.

When it comes to the realm of data security, ‘social engineering’ refers to using social means to gain entry into a system, building, or storage of information.

One example of social engineering you might remember from the movies is the scene in the film “Hackers,” when the hero gains access to a TV station by tricking a security guard into revealing the phone number of an internal modem, which he then uses to take over the station. According to Kevin Mitnick, a reformed computer criminal turned security consultant, it is much easier to trick someone into giving a password for a system than to spend the effort to crack the system.

In our daily lives social engineering is a bit more subtle, but even more prevalent than what we see in the movies. For example, an attacker may wait outside of a secured door, waiting for an employee to enter, and either claim a lost or forgotten badge, or simply grab the door before it closes and walk in. This is known as ‘Tailgating’, and even though most people know what this is and how to prevent it, it is in our nature to be helpful and that makes us want to help a “New Employee” that looks lost.

Almost everybody has heard about someone receiving a legitimate-looking email from a service such as a bank or utility, asking them to verify their information. This technique is called phishing. Most people are savvy enough to recognize this sort of thing (unless you really do know a Saudi Prince that wants to give you $50,000) and either ignore it or report it to the institution being fraudulently represented. Unfortunately, this type of attack is still effective and many people are tricked into giving away access to their personal information.

Another type of Social Engineering attack is called quid pro quo. This is an attack where a hacker calls random numbers at a company claiming to be from technical support. Once they find a cooperative victim, they instruct them to install malware that then gives the attacker access to the internal network.

Preventing Social Engineering attacks is difficult because prevention relies on individual knowledge of what these attacks look like. What is your company doing to prevent Social Engineering attacks?

Many companies today have policies in place that require account verification before any information is given out. This certainly helps stem the flow of unprotected information, but it is not a foolproof method.

In today’s business environment it is up to companies to properly train their employees in the countermeasures against Social Engineering, and up to the trained individual to remain vigilant in following safe practices and procedures regarding release of information. 

If your company needs to protect sensitive data such as credit card information, health information, or other personally identifiable information (PII), you should also make sure you have the correct network security in place as well as protecting sensitive data at the source using strong encryption and encryption key management.

Topics: security, Data Privacy

Securing Data in Motion with PGP Encryption

Posted by Michelle Larson on Aug 28, 2013 3:22:00 PM

In their latest podcast, Paul Taylor with Security Insider Podcast Edition and Patrick Townsend, CTO of Townsend Security discuss using PGP encryption to secure data in motion for meeting compliance regulations, the OpenPGP standard, the differences between Open and Commercial PGP solutions, and ways to automate your managed file transfers on the IBM i.

PGP stands for “Pretty Good Privacy”, and it’s an encryption solution that originally started in the 1990s. Over 20 years ago, Phil Zimmermann and a group of developers decided to produce secure file encryption technology and felt that PGP should be used everywhere to protect data-in-motion, both for individuals and for companies who need to transfer data across networks. Originally, Phil Zimmermann’s development team offered a free, open-source version of PGP. Over the years, ownership of PGP was transferred from Network Associates to McAfee, and is now owned and commercially licensed by Symantec. Throughout that development, Townsend Security has helped to bring this important encryption technology to IBM enterprise platforms. We have partnered with Symantec to offer the only commercial version of PGP Command Line on the IBM i.

In their podcast, Paul and Patrick discuss the OpenPGP standard and the two solution versions of PGP, Open and Commercial, and the confusion around them. OpenPGP is a standard (RFC 4880 & RFC 2440), not software, and that standard covers what an OpenPGP solution is and should do. There are multiple open source editions of the software, available from a number of different organizations, that should meet the OpenPGP standard.

The commercial version from Symantec was created and continues to be advanced by the original PGP developers. It conforms to the OpenPGP standard, and it adds additional functions that are important to enterprise customers.

For example:

    • Additional decryption key support (the ability to encrypt a file for multiple recipients)

If you need to send and recover an encrypted file to yourself for due diligence, your ability to recover that encrypted file through additional decryption key support becomes an important regulatory component.

    • Self-decrypting archives (the ability to encrypt data and send it to almost anyone for processing)

You can create an encrypted file on your system, even on an IBM z mainframe or IBM i platform, that can be decrypted as an executable on a Mac system, a Windows PC, or even a Linux box.

    • Support for X.509 Certificates, external key management protocols, and the ability to actually store encryption keys on an external server.

With the Commercial PGP product comes full support for OpenPGP standard, as well as these additional features, which really make a difference for enterprise businesses. When you base your company reputation on something mission-critical like PGP encryption, you deserve the comfort of knowing that there’s a support team there ready to stand behind you.

“Pretty Good Privacy” is well recognized and accepted across a broad number of compliance regulations as a secure way to protect sensitive data as it is in transit to your trading partners. PGP encryption helps businesses meet PCI DSS by encrypting credit card numbers and other PII as required by HIPAA/HITECH Act, Sarbanes-Oxley, and FISMA compliance regulations.

Listen to the podcast for more in-depth information and a discussion on how PGP meets compliance regulations with its NIST certifications, and how Townsend Security, the only Symantec partner on the IBM i or AS/400 platform as well as the IBM z platform providing PGP Command Line 9, can help IBM i users with PGP!

If you have topics you would like to hear discussed in future podcasts, please email them to us at podcast@townsendsecurity.com or post your comments here in the blog!

 

Topics: PGP Encryption, Security Insider Podcast, PGP

Affordable Encryption Key Management?

Posted by Liz Townsend on Aug 23, 2013 8:47:00 AM

“Encryption and key management can’t become endemic the way it needs to be without being easy and affordable. That’s a fundamental fact.” - Patrick Townsend, Founder & CEO of Townsend Security

Every day, securing sensitive data becomes more and more important. With sensitive information being entered into databases, and many databases moving to the cloud, the risks associated with unprotected data increase exponentially. Data such as credit card information, social security numbers, financial information, and protected health information (PHI) gets dumped into internal IT networks as well as the stratosphere of the cloud. Without adequate data security tools, businesses are sitting ducks when it comes to data loss.

Unfortunately for a lot of organizations, the security tools their IT departments have deemed “adequate” are mostly firewalls and other access prevention mechanisms. Today, however, it is widely acknowledged by security professionals that these mechanisms are easily breached by hackers. In fact, many data breaches are simply caused by employees mishandling data. Because firewalls don’t keep data secure, industry regulators such as the Payment Card Industry Security Standards Council and HIPAA/HITECH Act mandate or strongly recommend that organizations use strong encryption and encryption key management to secure the data itself. If encrypted data is compromised, but the encryption keys are securely protected, then the data remains unreadable.

Recently Joan Ross, security expert, published a White Paper outlining critical encryption key management principles that will help organizations overcome one of the biggest barriers to implementing a strong encryption key management solution: The need for a solution that is affordable and quick to deploy.

Time, money, compatibility, and hidden costs are issues every business struggles with. Almost every single successful, new innovative technology these days is designed to help individuals or businesses reduce time, save money, and increase compatibility between devices--unfortunately, the hidden costs sometimes persist. You see simplification driving down costs with tools such as virtualization and cloud computing, for example. These technologies are so effective at helping businesses reduce costs that more and more people are using them every day.

However, as businesses move more and more data into virtualized and cloud platforms, securing that data becomes even more difficult due to the inherent complexities of these environments. As this happens it’s important to remember that data security shouldn’t fall to the wayside.

With over 25 years in the data security industry, Ross addresses in her White Paper the issues of affordability and hidden costs in effective encryption key management systems. When choosing a key management vendor, Ross reiterates that hidden costs can quickly add up, resulting in a solution that becomes too exorbitant to execute. Transparency, she urges, is critical to a successful relationship with a key management vendor. Achieving affordability and transparency is possible today because there are vendors who want to work with customers--and who believe that cost should not be a barrier to good data security.

In Joan’s words: “Data security has come a long way within just the past few years.  Organizations no longer have to continue to maintain current patchwork methods because there are no available, cost-effective, or interoperable solutions that easily solve their problems.  Encryption and encryption key management are now industry standards and work across both legacy and newer business systems, multi-platform and multi-tenant networks, remote access workstations, geographical offices, data centers, and third-party business partners.”

Download the White Paper "Industry Must Haves for Effective Encryption Key Management" to learn more about must-haves in an encryption key manager and how to ensure your data is fully protected.

Topics: Data Privacy, Encryption Key Management

Virtualized Encryption and Cloud Security…

Posted by Kristie Edwards on Aug 21, 2013 4:41:00 AM

… What are people so afraid of? 

In the motivational bestsellers Who Moved My Cheese by Spencer Johnson and Sheryl Sandberg's new book Lean In, the question has been posed: "What would you do if you weren’t afraid?” From that question has come thousands of YouTube video responses, even more posts on social media outlets, and years' worth of facilitated group meetings. So I thought of my own question: “what could we do if we weren’t afraid of technology?”

Even today, in 2013, there is resistance to moving forward with new cloud technology.  I have talked with many prospects about how they currently manage their virtual customer data and most of the time it ends with “well we don’t”.

We recently released a VMware version of our Alliance Key Manager.  Alliance Key Manager for VMware allows enterprises to deploy virtualized encryption and key management servers in IT data centers, as well as the cloud.

So now we ponder “why are people afraid of this technology, and what could we help them accomplish if that fear was gone?”

Here at Townsend Security, we can see how some of our prospects and even customers are afraid of these advancements in technology.  How in the world is this piece of software going to protect our business and our customer information?  Isn’t it easier to reach over to your desk drawer, and pull out that sticky note with your passwords?  Or to walk over to the server and manage your system internally?  I mean, how do we really know things are going to be safe “out there”?  

Well, we’ve got answers to those questions.  Advanced technology. Product testing. Accountability.  Solid reputation. Trusted products. Dependable support. Testing, testing, and more testing. These are just a few ways to describe Townsend Security’s solution to a virtualized encryption key manager.

As enterprises adopt public and private cloud storage, they bring their sensitive data with them – customer names, email addresses and other personally identifiable information (PII). While compliance regulations require protecting this information, encrypting this data has been a challenge for organizations who want the flexibility and security of a native VMware solution. By deploying Alliance Key Manager for VMware as a vCloud instance, customers can achieve their security and efficiency goals in a cloud environment.

We wouldn’t have advanced this far in technology, if we were all afraid to move forward.  Our development team has worked long and hard to make sure your fears will be a thing of the past.

So go ahead already! Listen to the podcast Virtualized Encryption Key Management to hear Patrick Townsend discuss:

  • The benefits of virtualized encryption key management

  • How organizations can use virtualized servers in their data centers and the cloud

  • Special compliance considerations for enterprises who virtualize their infrastructure

  • What Townsend Security is doing to help organizations deploy virtualized encryption key management

After the podcast you can request a product evaluation of our Encryption Key Manager VMware solution for 30 days and test it out. We offer complimentary 30-day trials of all our solutions, and have a great team of people to walk you through the process… so you have nothing left to fear.

Secure Managed File Transfer on the IBM i - Part 1

Posted by Michelle Larson on Aug 15, 2013 6:00:00 AM

Easily Meet Compliance Requirements...
...with Secure Managed File Transfer

We did a survey almost a year ago of IBM i customers and just about half of them said “yes, we’re transferring data”... “no, we’re not protecting it”... “yes, we know we have a problem”!

One of the easiest ways for an organization to have a Big Security Win is to secure sensitive data using secure managed file transfers. When unencrypted sensitive data moves off your IBM i to internal servers, public networks, or service providers via the Internet, the data is vulnerable to malware and other attacks. Unencrypted data (also called “data-in-motion”) is extremely vulnerable to a breach. This is a critical issue for companies that must transfer sensitive data such as credit card numbers, financial information, and other personally identifiable information (PII). Sensitive data is covered under industry and many state data security regulations and any organization, no matter the size, collecting and transferring data is required to protect that information.

According to compliance regulations such as the Payment Card Industry Data Security Standard (PCI-DSS version 2.0 Section 4), organizations must always encrypt credit card numbers as they are transferred from one location to another. PCI DSS applies to everyone - both public and private companies (large and small) - that accepts credit card payments. PCI-DSS version 3.0 will be released this fall, and we will be talking about that more as that time approaches. While PCI-DSS applies to credit card information, other regulations cover different elements of PII. The HIPAA/HITECH Act addresses protected health information (PHI); while it does not mandate encryption, it does state that the only safe harbor from data breach notification and severe penalties & fines is to protect PHI with encryption. Sarbanes-Oxley (SOX) applies to all publicly traded companies in the US and has a component (section 404) that applies to IT systems and best practices around protecting data. The Federal Trade Commission (FTC) has also been active in the area of data breaches where it applies to published privacy statements. They consider it an aspect of consumer fraud if companies are not following their published guidance around privacy.

So what are the “must-haves” for meeting compliance around securing sensitive data that will stand up to scrutiny in terms of any kind of outside audit, challenge, or data breach? PGP (Pretty Good Privacy) encryption is the industry standard for encrypting data-in-motion. Secure file transfer protocol, also known as SSL FTP or SSH sFTP, is often combined with PGP whole file encryption as part of a core solution to ensure that the data-in-motion is encrypted and remains encrypted after being transferred to trading partners. While data is transferred via a secure SSL connection, keep in mind it is important that the sensitive data lands encrypted at its final destination. For a much more technical look at all of these components, I’m sharing a recently recorded webinar on Secure Managed File Transfer with you, and as always, please post any additional questions you may have here in the comment section!

Specifically for IBM i users, the following webinar will cover how easy it can be to meet compliance regulations with a Secure Managed File Transfer solution. You can also learn more about how PCI-DSS, HIPAA, Sarbanes-Oxley, and new state/federal laws affect your company and discover real-life examples of how others are meeting these challenges with Alliance FTP Manager and the PGP solutions.

During this 45-minute webinar, Patrick Townsend will also discuss core components of a total encryption strategy and show you how to:

  • Automatically transfer files using Secure Shell sFTP or Secure SSL FTP
  • Send your first encrypted file in an hour
  • Review detailed audit trails of all transfer activity

… just a reminder on our special offer in August:

For the remainder of the month of August, Townsend Security will provide additional help to our new customers, or customers licensing new modules of Alliance FTP Manager, by implementing their first secure FTP project.  This means our team of security experts will help you fully implement your first secure transfer.  Working with your IT team on your IBM i platform, we will help you do the configurations, do the transfer, set up DCM if that is required, and sFTP and SSL FTP configurations. This full set up will get your first transfer done very quickly and you will be able to see the success right away!

Contact us about how to take advantage of this limited time offer: Just fill in the fields below, click the blue button... and Ken will contact you!


Topics: Alliance FTP Manager, Secure Managed File Transfer, FTP Manager for IBM i, Webinar

Gambling with Data: Gaming Industry Must Protect Credit Cards

Posted by Liz Townsend on Aug 14, 2013 11:11:00 AM

More than any other industry, it is surprising that the gaming industry struggles with protecting customer credit card information. For businesses that deal in money, you’d think that protecting this asset would be their number one concern. However, just like every other industry, some casinos still lack many proper controls such as encryption and encryption key management to keep customer card data safe.

The truth is, there are so many credit and debit card transaction points from the moment a customer walks into a casino. At every single point a customer swipes their card, that card information needs to be encrypted. This isn’t just a best practice--credit card encryption is mandated by the Payment Card Industry Security Standards Council (PCI-SSC). This means that at any point during any transaction, credit card numbers should never be transferred, processed, or stored “in the clear.” PCI also sets regulations around how businesses handling credit card data should manage encryption keys.

Even though encryption key management is required by PCI, not every business manages their encryption keys, and if they do, not every business does it right. Just like in the financial world, there are several critical encryption key management “best practices” that should be put in use in order to manage encryption keys in the most secure way possible. The number one risk associated with not following best practices is data loss. A data breach of credit card numbers can be devastating, especially if your business relies on customer loyalty.

Whether you’re a casino, gaming vendor, or gaming ISV providing card processing applications to casinos, always look for an encryption key management solution with these 3 features:

  • Follows Best Practices - Your encryption key management vendor should have best practices integrated into their solution in order to guarantee your success. Best practices include having certified solutions, using industry standard encryption, and implementing controls such as dual control and separation of duties.
  • World Class Support - When protecting critical customer data, your reputation is only as good as your encryption key management vendor’s reputation for providing solid products and world class support. Choose a vendor that has a reputation for helping customers.
  • World Class Partner - If you’re a gaming ISV that sells applications that handle credit card data inside casino IT networks, you should be offering your customers encryption key management to protect that data. Choosing an encryption key management partner is a big decision, and you should look for one with a powerful solution that will grow with you and is focused on your success.

The gaming industry isn’t exempt from needing to protect sensitive data, although it is sometimes the industry that flies under the radar and has some of the biggest issues around data security. As we have seen, data breaches "are not a matter of if, but when." Encryption key management is fundamental to protecting yourself from a data breach. By protecting yourself from a breach, you will in turn maintain your customers' loyalty to your casino - because who wants to play at a casino that gambled with their personal information and lost?

Topics: Data Privacy, Encryption Key Management, Hospitality/Gaming

5 Critical Features to Look for in a VMware Encryption Key Manager

Posted by Liz Townsend on Aug 9, 2013 11:45:00 AM

Even though technology has evolved to reduce cost and complexity in our IT infrastructure through virtualization and cloud computing, these technologies have also introduced new concerns and complications around data security. The main reason security and IT professionals are so concerned about virtualization and the cloud is that these environments share resources. In a virtualized environment, a single application will share resources with every other application including RAM, disk storage, memory, and CPU. In a cloud environment, these same resources are shared amongst multiple users.

A fundamental fact to acknowledge if you’re using virtualized, hosted, or cloud services is that the companies who provide these services are not required to protect your data. In fact, you should never assume that they are doing just that. When it comes to meeting compliance regulations such as PCI, HIPAA/HITECH, or GLBA/FFIEC, the burden of compliance falls upon individual companies and organizations. If organizations want to meet compliance and protect their data from a data breach, they need a powerful, certified, and industry standard data protection strategy.

When it comes to protecting sensitive data such as credit card information, social security numbers, protected health information (PHI), and other personally identifiable information (PII), it is a recognized fact that only using network security protocols such as firewalls and strong passwords is not enough to protect data from outside intruders. The Payment Card Industry Security Standards Council (PCI-SSC) knows this, which is why they require the use of strong encryption and encryption key management to protect credit card data.

Once you realize this, then you should also consider your options when choosing an encryption key manager. An encryption key manager will generate and protect your encryption keys and should include these five critical features:

  1. Certifications. Is the encryption key manager NIST FIPS 140-2 validated? The National Institute of Standards and Technology (NIST) is a governmental organization that sets the highest standard for encryption and encryption key management. A FIPS 140-2 level of compliance means that your key manager has been heavily tested and will stand up to scrutiny in the event of a data breach.
  2. Virtualization and Cloud Compatibility. Even if you haven’t moved to virtualized environments or the cloud, it is very likely that someday you’ll consider these options. You want to choose an encryption key manager that can securely protect your encryption keys “in-house,” and will move with you to virtualized environments or the cloud when you’re ready.
  3. A Key Manager that Uses Best Practices. Encryption key management best practices are not outright required by many compliance regulations, but they are critical to a successful data security strategy. Protocols such as dual control and separation of duties should be implemented in your encryption key manager as a part of its operability. This is the only way to truly protect data and protect yourself in the event of a data breach.
  4. Easy to Deploy. Encryption and key management has a reputation for being incredibly difficult. That may have been true ten years ago, but today encryption key management can be easy to deploy in your organization, depending on your provider. Keep in mind your vendor’s ability to deploy key management in multi-platform environments, in your own IT infrastructure as well as cloud and virtualized environments; whether it’s easy enough to install and deploy yourself; and whether your key management vendor provides supplemental code and encryption libraries free of charge.
  5. World Class Technical Support. Choosing an encryption key manager and deploying it is a big decision. Choose a key manager with a reputation for amazing technical support.

Townsend Security’s Alliance Key Manager for VMware now supports VMware and vCloud.


Topics: Encryption Key Management, VMware, Virtualized Encryption Key Management

Industry Must-Haves for Effective Encryption Key Management

Posted by Michelle Larson on Aug 7, 2013 6:00:00 AM

Data security has come a long way within just the past few years.  

Information is the lifeblood of business, and strong protection of your customers’ personal records is a constant task since data always gets out. When data is breached, business executives and organizational leaders come under immediate scrutiny for their commitment to secure and protect sensitive data.

This vital information requires continuous and effective protection while it is stored or transferred during any dynamic transaction all the way through to storage, archival, and successive retrieval.

Data security is a daily dilemma for CSOs, IT and risk management departments, and regulatory and compliance auditors. These security professionals are experiencing the ramifications of data breaches due to aging implementations, lack of consistently implemented controls and processes, and risk management evaluations.

Organizations no longer have to continue to maintain current patchwork methods because there are cost-effective, interoperable solutions available that can easily solve their problems and security needs.

Top Three Needs to Solve

  • I need a solution that’s affordable and quick-to-deploy.
  • I need an encryption key manager that distributes encryption keys across all my system platforms.
  • I need an implementation with known costs and no additional professional service or connectivity fees.

When data is accessed without authorization, the details are illegible in encrypted format without access to the secure encryption key.  Encryption key management is essential within an enterprise or cloud-computing environment to ensure protection and privacy for your customers and your business.  Fortunately, encryption and encryption key management are now industry standards and work across both legacy and newer business systems, multi-platform and multi-tenant networks, remote access workstations, geographical offices, data centers, and third-party business partners.

Need to learn more about the principles of effective encryption key management?

  • Encryption Methodology
  • FIPS 140-2 HSM Certification
  • Separation of duties and dual-control
  • Encryption keys (type/size, creation, lifecycle)
  • Authentication options
  • System logging and file integrity monitoring

You are invited to download the latest white paper Industry Must-Haves for Effective Encryption Key Management, authored by Joan Ross. Ms. Ross is a well-known security expert who participates and presents at a number of cyber security, key management, and encryption conferences and seminars. She holds numerous security certifications including the NSA IAM-IEM, CISSO-ISSAP, HISP, and FTK.

This white paper will discuss the top three security needs businesses must address. It will then outline how businesses can meet these needs using ‘must-haves’ such as industry standard encryption and key management, key management best practices, and solutions that are easy to use and cost-effective.      



MySQL and Encryption Key Management

Posted by Patrick Townsend on Aug 5, 2013 11:58:00 AM

2 Ways Alliance Key Manager Encrypts MySQL Database and Protects Encryption Keys


MySQL is the most popular open source relational database system and is in wide use in commercial and non-commercial environments. It is natural that developers and security professionals want to know how to encrypt sensitive information stored in MySQL databases.

While MySQL does not implement a Transparent Data Encryption (TDE) solution like Microsoft SQL Server and Oracle Database, you still have options to get the data protected with strong encryption and use a defensible encryption key management strategy.

With a strong encryption key management solution you can encrypt data in two ways in MySQL databases to meet compliance regulations for proper encryption key management:

1. Column Level Encryption:

Alliance Key Manager provides shared libraries for Windows and Linux that provide the technical support for SQL Views and Triggers with User Defined Functions (UDFs). Using these shared libraries lets the developer fully automate the encryption tasks without changes to application code. Alliance Key Manager provides an example of how to do this in a Windows Server operating system context.

2. Encryption in Application Code

Second, Alliance Key Manager provides many shared libraries and application code examples if you need to implement encryption in your applications. The extensive library of code examples includes Java, PHP, Ruby, Python, Perl, C/C++, C#, VB.NET and others. You can encrypt data in your applications, or send the data to the key server for on-device encryption. The on-device encryption option is a favorite of web developers who don’t want to expose encryption keys in their web server application.
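The two application-side options above, as an added Ruby example that is not Townsend Security's code and does not use the Alliance Key Manager API. `MockKeyServer`, `seal`, `unseal`, the key name and the stored token format are all hypothetical, constructed to show where the key lives in each option and how a key version stored next to the ciphertext keeps old rows readable after rotation.

```ruby
require 'openssl'

# AES-256-GCM. The returned token is what the application stores in the MySQL
# column. Format (constructed here): name:version:base64(iv + tag + ciphertext)
def seal(name, version, key, plaintext, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  c.auth_data = aad # binds the ciphertext to its row, e.g. "guests:42:card"
  ct = c.update(plaintext) + c.final
  "#{name}:#{version}:" + [iv + c.auth_tag + ct].pack('m0')
end

def unseal(token, key, aad)
  raw = token.split(':', 3).last.unpack1('m0')
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = raw[0, 12]
  d.auth_tag = raw[12, 16]
  d.auth_data = aad
  d.update(raw[28..-1]) + d.final # CipherError on a wrong key, row or tag
end

# Constructed in-process stand-in for a key server (hypothetical names, not a
# vendor API). A real key server is a separate, authenticated network service.
class MockKeyServer
  def initialize
    @keys = {} # name => [key_v1, key_v2, ...]
  end
  def rotate(name) # add a new 256-bit key version and return its number
    (@keys[name] ||= []) << OpenSSL::Random.random_bytes(32)
    @keys[name].size
  end
  # Option 1, encrypt in the application: the key itself leaves the server.
  def fetch_key(name, version = nil)
    versions = @keys.fetch(name)
    version ||= versions.size
    raise KeyError, 'unknown key version' unless version.between?(1, versions.size)
    [version, versions[version - 1]]
  end
  # Option 2, on-device: only plaintext and ciphertext cross the boundary.
  def encrypt(name, plaintext, aad)
    seal(name, *fetch_key(name), plaintext, aad)
  end
  def decrypt(token, aad)
    name, version = token.split(':', 3)
    unseal(token, fetch_key(name, Integer(version)).last, aad)
  end
end
```

With option 1 the web application holds key bytes in memory after `fetch_key`; with option 2 it only ever sees tokens, which is the exposure the on-device mode avoids.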

About Alliance Key Manager

Alliance Key Manager is a NIST validated, FIPS 140-2 compliant solution that meets PCI DSS and other compliance regulations for protecting encryption keys. You can deploy the key server as an HSM in your own data center or in our hosting center, or as a VMware instance, or as a cloud application running in PCI DSS certified infrastructure. Alliance Key Manager is available with a number of licensing options that will meet the budget constraints of any organization.


Topics: Alliance Key Manager, eBook, Encryption Key Management, SQL Server