Townsend Security Data Privacy Blog

Information Security is Up to You

Posted by Liz Townsend on Mar 27, 2013 3:20:00 PM

Townsend Security recently asked data security expert Kevin Beaver, CISSP, to contribute his extensive knowledge and expertise about the current climate of data security to our most recently published eBook, Turning a Blind Eye to Data Security (Mending the Breakdown of Communication Between CEOs and CIOs).

Read his entire article, "Information Security is Up to You," in your free copy of the eBook now.

In his article, Kevin inspires CEOs to ask some critical questions about data security such as:

  • Who is in charge of data security at your organization?
  • Is there transparency and communication across your organization when it comes to data security?
  • Who will be held responsible in the event of a data breach?
  • Why do we keep talking about the need for better data security but nothing seems to be getting done?

With these questions in mind, Kevin Beaver leads us into a discussion of how both IT administrators and business executives avoid critical conversations about data security, and why this poses a huge business risk to organizations.

“When it comes to information security, many people within a business – from executives to end users – often assume that security is a technical issue that falls under the umbrella of duties performed by the IT department. These IT administrators manage network firewalls, clean up virus outbreaks, and manage the IT infrastructure. These tasks are often so far removed from the actual goings-on of the business, that few people in the company—including the CEO—truly understand the ever-evolving complexities of IT infrastructure and security.

With little understanding of these systems, networks with sensitive data are left unsecured and at risk to hackers, network failures, and employee mistakes. Today, an average data breach costs a company $5.5 million. At this price, information security is not an IT problem. It’s so much more.

The Ponemon Institute surveyed 1,894 people in 12 countries in its 2012 State of Global IT Security study and found the main reasons why the appropriate steps are not being taken to improve information security are 1) insufficient resources, 2) it’s not a priority issue and 3) lack of clear leadership.

However, in most situations, good information security is achieved with easily accessible and simple solutions.  In fact, in a 2012 study on data breaches, Verizon found that 96% of security attacks were not highly difficult, and were easily preventable. If security attacks are preventable, why are so many breaches occurring every year...”

Download the eBook to read more!

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with over 24 years of experience in IT - the last 18 of which he’s dedicated to information security. Before starting Principle Logic in 2001, he served in various information technology and security roles for several healthcare, e-commerce, financial firms, educational institutions, and consulting organizations. Kevin Beaver has written 32 whitepapers, over 600 articles, and authored/co-authored 10 books on information security. Visit Kevin’s blog to learn more about information security, and his website to learn more about his business, Principle Logic.

http://securityonwheels.blogspot.com
http://www.principlelogic.com

Topics: Data Privacy, Executive Leadership

Protecting Your Data in the Microsoft Windows Azure Cloud

Posted by Patrick Townsend on Mar 22, 2013 9:31:00 AM

I’m often asked if we can protect sensitive data in the Microsoft Windows Azure cloud. The answer is YES, and I’ll try to summarize our support on the different flavors of Windows Azure here:

First, Windows Azure has both a Platform-as-a-Service offering (PaaS) to run applications and store data in SQL Azure, and an Infrastructure-as-a-Service (IaaS) offering that allows you to run full Virtual Machines. Our data protection solutions run in all versions of Windows Azure – anywhere you run applications in Azure, we provide encryption and key management solutions to protect your data.

Windows Azure Platform-as-a-Service:

In this environment we provide .NET libraries that perform encryption key retrieval from our Alliance Key Manager, a FIPS 140-2 certified key management HSM. Any data store you choose for your sensitive data is supported by our client libraries, including SQL Azure. Our .NET software libraries are add-ins to your Visual Studio project and let you seamlessly retrieve encryption keys from the HSM.

Windows Azure Infrastructure-as-a-Service: 

In this environment we provide a broad set of data protection solutions for both Microsoft and non-Microsoft operating systems and applications. These include the following:

Microsoft SQL Server Extensible Key Management (EKM)

The Townsend Security EKM Provider software fully supports SQL Server Transparent Data Encryption (TDE) and Cell Level Encryption integrated with Townsend Security's Alliance Key Manager key server, a FIPS 140-2 certified HSM. Because no code or database application changes are required, TDE encryption is the fastest path to compliant data protection.

Microsoft SQL Server Standard and Web Editions

Many Microsoft customers use SQL Server Standard or Web editions in the Azure cloud. These editions of SQL Server do not support EKM and TDE. For these versions of SQL Server Townsend provides .NET software libraries to implement automatic column level encryption using SQL Views and Triggers.

Microsoft SharePoint

Microsoft SharePoint provides a user-friendly collaboration platform for sharing documents, spreadsheets, and other files. When you need to protect sensitive information in SharePoint documents, Townsend provides TDE encryption of the SharePoint database, and full encryption for files stored in Remote Blob Storage (RBS). All document information and document files are encrypted with 256-bit AES encryption using the Alliance Key Server HSM. ** 

Microsoft Dynamics CRM, GP, AX, etc.

Microsoft customers using the popular Dynamics applications need to protect customer and employee information stored in these applications. Townsend Security's SQL Server TDE software provides full application data encryption and integrates with their Alliance Key Manager HSM. 

.NET applications

Many Microsoft users create custom applications using a variety of Microsoft technologies. For customers developing applications in any .NET language such as C#, VB.NET, and so forth, Townsend provides .NET software libraries to perform encryption key retrieval and encryption. These libraries support the protection of unstructured data and purpose-built applications that need encryption support.

Non-Microsoft databases, languages, and operating systems

Townsend supports a wide variety of non-Microsoft databases, languages and operating systems in Windows Azure. You can use Oracle Database, MySQL, and other commercial and open source databases on Azure. Townsend provides appropriate client-side libraries to help you protect data. Townsend also provides a rich set of language libraries to help you achieve your data protection goals. Language support includes Java, Perl, PHP, Python, C/C++, and others. And these work in other operating systems supported by Windows Azure such as Linux.

At this point I hope you are getting the idea that we can help you with any of your data protection needs in the Microsoft Azure cloud. With key management solutions on hardware HSMs, hosted facilities, and VMware platforms, I think we’ve got your back when it comes to Azure data protection. 

Patrick

 

** RBS encryption available in late 2013.

Topics: Encryption Key Management, cloud, Microsoft Windows Azure

Unencrypted Data Represents a Huge Business Risk

Posted by Liz Townsend on Mar 20, 2013 4:20:00 PM

Video: Why is Unprotected Data a Business Problem?

Data breaches of sensitive, unencrypted information occur almost every week and many of these events become highly publicized. Organizations are thrust into the public's eye and scrutinized for gross lack of oversight and accountability around data security. Despite the fact that these breaches happen at the IT level, the burden and the blame for a data breach almost always falls on C-level leaders such as the CEO or CIO. Consumers ask, “why didn’t you protect my personal information?” and the leaders respond, “We didn’t think it would happen to us.”

Today business leaders need to know that data breaches are no longer a matter of “if” but “when.” Even behind firewalls and secure networks, unencrypted sensitive data is a goldmine for hackers. Not protecting this information with encryption is like driving a brand new Ferrari without car insurance. You can drive as safely as you want, but you can’t control the behavior of other drivers. Just like driving without insurance, not encrypting your organization’s  sensitive data in a time when hackers are always trying to break into networks is taking a huge risk with both your organization’s financial resources and reputation.

I recently sat down with data security expert Patrick Townsend, CEO & Founder of Townsend Security, to discuss why unprotected data is a business problem, not just an "IT problem."

Watch the video of that discussion here.

Why is unprotected data a business problem?

In most organizations, a large part of the CEO's role is to assess risk. Every day the leaders in any given organization address financial, market, competitive, and many other types of risk. These leaders are used to assessing risk in their organizations, but they are not yet thinking about unprotected data and the possibility of a data breach as a fundamental risk. Unprotected sensitive data leads to identity theft, fraud, and theft of financial resources from employees and customers.

Data breaches happen to large and small, public and private companies alike. In fact, today hackers are targeting small to mid-sized businesses simply because those networks tend to be less secure. However, every day I come across large businesses that have failed to protect their customers' data, either by not encrypting the data or by failing to protect the encryption keys.

Anyone who's been through a data breach understands in their bones the importance of encryption and encryption key management. The costs associated with a data breach are far reaching.

These costs include:

  • Fines
  • Forensics investigation
  • Credit monitoring for customers
  • Lost sales due to brand damage
  • Litigation costs

These are costs all organizations want to avoid. They represent huge risk in terms of actual financial costs and damage to reputation. Not considering these costs and not protecting your company and customers' sensitive data is a failure to assess risk.

Want to learn more about the risks associated with unencrypted data? Check this video, “Why is Unprotected Data a Business Problem?” featuring Patrick Townsend, Founder & CEO of Townsend Security.

Topics: Data Privacy, Best Practices, Business Risk

Top 3 IBM i (AS/400) Security Tips

Posted by Luke Probasco on Mar 14, 2013 10:10:00 AM

With data breaches in the news every week, and each bigger than the previous, security is a top concern for system administrators, as well as business leaders.  As we have seen, a data breach can cripple an organization.  While the IT team performs forensics and updates their systems, the management team has to explain to investors why they weren’t adequately prepared and break the news that “Those big plans we had to grow the business in the next two years? Yeah, those are on hold while we remediate this breach.” 

While the IBM i (AS/400) is considered by many to be a secure platform, it is not immune to data breaches.  As a data security company, we see plenty of organizations think they are doing the right things to keep their data safe, but are falling down on a few key areas.  Below are the top three tips to keep your IBM i (AS/400) secure and your data safe:

1) Encryption and Key Management

Did you know that many compliance regulations consider an email address personally identifiable information (PII) and require it to be encrypted?  Security experts recommend using NIST-certified AES encryption coupled with an external encryption key management hardware security module (HSM).  With the introduction of FIELDPROC in V7R1, IT teams can now encrypt their sensitive data without application changes – saving development resources and time coming up with excuses to company leaders on why the company is still at risk.

For organizations who have been encrypting their sensitive data, security audits often find they haven’t been properly managing their encryption keys.  Encryption keys should never reside on an IBM i with encrypted data. We help more enterprises than you would like to know after they fail a security audit for improper encryption key management.   

2) Password Management

Password management continues to be a challenge for all organizations.  Poor management leads to insecure passwords and inconsistent policies – which in turn leads to more data breaches.  Fortunately for IBM i administrators, IBM realized this and made a Single Sign On (SSO) option as part of the OS – all administrators have to do is enable it.  Patrick Botz, former lead security architect and founder of the IBM Lab Services security consulting practice, regularly helps organizations enable SSO and eliminate 80% or more of an organization’s password management problems just using tools that IBM provides as part of the OS.  Additionally, there is a clear return on investment when an organization enables SSO, which makes you a hero when you tell management “I have a way to make our jobs easier and save money at the same time.”

3) Secure System Logging and File Integrity Monitoring

A recent study shows that 69% of data breaches could have been detected before any data was lost if proper system logging was in place. Maybe that is why most compliance regulations (PCI DSS, HIPAA/HITECH, etc.) require it.  So why isn’t system logging a common practice on the IBM i?  Simply put, the IBM i doesn’t log information like other systems.  There are some big challenges getting security information into a usable format and transmitted to a SIEM for monitoring.  Challenges an administrator faces with proprietary IBM i logs:

  • Data format – IBM security events are in internal IBM format, not syslog format.
  • Multiple sources – Security events get collected in a variety of locations, almost always in an internal and proprietary IBM format.
  • Timeliness – Tools are lacking to collect security events in real-time, increasing the security exposure.
  • Communications – There are no native syslog UDP, TCP or SSL TCP communications facilities.
  • Data completeness – While it is possible to print security information using IBM tools, critical information is missing from reports.

Fear not, there is a solution – Alliance LogAgent Suite with File Integrity Monitoring (FIM).  Alliance LogAgent Suite can send system logs to any collection server that is listening for messages.  Additionally, the FIM tools allow system administrators visibility right down to the field and column level, record-by-record, in their databases.

While this is by no means a comprehensive list of everything security-related an administrator should do to their IBM i, these three areas are where we recommend you start. If you are currently encrypting data, we challenge you to find out where your encryption keys are being stored (it might scare you).  If you aren’t securing your systems with SSO, what are you waiting for?  Are you under a compliance regulation that requires system logging?  A complete system logging solution like our Alliance LogAgent Suite can be installed and running in an hour. To hear security experts Patrick Townsend and Patrick Botz elaborate on these three IBM i security tips, view our webinar “Top 3 IBM i Security Tips.”

Topics: Patrick Botz, Data Privacy, IBM i, Best Practices

HIPAA/HITECH Meaningful Use Updates Strongly Urge Encryption

Posted by Liz Townsend on Mar 11, 2013 8:33:00 AM

Podcast: HIPAA/HITECH Act Breach Notification Meaningful Use Update

Download the podcast "HIPAA/HITECH Act Breach Notification Meaningful Use Update."

The updates to the HIPAA/HITECH Act Meaningful Use standards were recently released and indicate a stronger urgency by Health and Human Services (HHS) to encourage healthcare companies to encrypt sensitive patient data in order to protect that data and avoid data breach notification.

I recently sat down with Patrick Townsend, CEO & Founder of Townsend Security, to discuss what these meaningful use updates mean and how healthcare organizations should respond to the recommendations:

If you’re a healthcare organization, and you are wondering if you should be encrypting your electronic data, the straightforward answer is yes. Patient information should be encrypted at rest and in transit, and HHS will really start to bring down the hammer in terms of fines and penalties for those who have a data breach and have not encrypted data. We live in a time when a data breach is no longer a matter of “if” but “when,” and encryption is really an insurance policy to protect your organization when a data breach happens to you.

HHS still does not mandate that health care organizations encrypt sensitive patient data, but the meaningful use updates reiterate that they should encrypt their data.

The original HIPAA law and HITECH Act of 2009 did not mandate encryption of electronic patient information. However, HHS has the ability to set rules in a number of areas, and they have added stricter rules around data privacy by mandating that all data breaches must be reported to HHS. Data breach notification typically results in hefty fines and other financial losses associated with brand damage and credit monitoring for affected patients. HHS has been very clear that the only way to avoid breach notification and the impacts of a data breach, is to encrypt patient data. In these most recent updates, they reaffirmed that the only safe-harbor from breach notification is encryption.

Many organizations believe they can prevent a data breach by using strong passwords and other network security tactics such as access control lists. It's true that those actions fall within the purview of the law, but they will not help you avoid breach notification.

Another piece of the update of meaningful use concerns encryption keys. Encryption keys that are used to protect data should not be stored on the same server with encrypted patient information. HHS is trying to give better and clearer guidance on this to the best of their ability while staying within the law.

To learn more about encrypting protected health information (PHI) and achieving safe-harbor from data breach notification, download our podcast, “HIPAA/HITECH Act Breach Notification Meaningful Use Update.”

Topics: Compliance, HITECH, Data Privacy, HIPAA, Healthcare

Encryption and Key Management Explained

Posted by Liz Townsend on Mar 8, 2013 7:47:00 AM

Video: What is Encryption Key Management

Today there are so many ways to lose control over sensitive data. Hackers are constantly trying to access networks, laptops get stolen out of cars, and unauthorized employees are given access to data that they were never meant to see. With so many ways to lose data, no wonder so many IT execs bury their heads in the sand at the idea of data security. It seems like there's nothing they can do.

Unfortunately for those people who ignore the pressing need for tighter data security (and are probably setting themselves up for a data breach), there is something they can do. They can encrypt their data, and they can use key management best practices to protect their encryption keys.

Encryption and key management are considered the highest standard in data protection, and are required or recommended by most industry regulations such as PCI-DSS, GLBA/FFIEC, FISMA, and HIPAA-HITECH Act.

But what exactly is encryption and why do you need key management?

I recently talked with data security expert Patrick Townsend, founder and CEO of Townsend Security, to find out. Watch the video of that discussion here.

What is encryption?

Encryption is a means of encoding data using an encryption algorithm to render data unreadable. AES encryption is a standard put forth by the National Institute of Standards and Technology (NIST). It is accepted as the strongest method to secure sensitive data. Encrypted data looks like gibberish. For example, an encrypted version of the name "John Doe" might look like "Ue%#KD#@". In order to read the gibberish, someone must have access to the encryption key, which unlocks the encrypted data to make it readable.

What is an Encryption Key?

When you encrypt data, an encryption "key" is created. Each encryption key is unique.  Encryption keys are the secret that must be protected. Encryption keys are a lot like the keys you use to lock your house. It's likely that you and several of your neighbors use the same kind of lock on your door, but each of you owns a unique key. Like a house lock, encryption uses the same algorithm to encrypt data, however in each instance, a unique key is created to unlock each piece of data. Losing your encryption key to a hacker is like losing your house key to a thief.

Hackers don't break encryption. They find the keys.

A lot of IT executives have dug themselves into a hole because they know they need encryption and key management, but they don't want to admit to their bosses that they've been ignoring the issue--and putting the company at risk--for years. It can be a very difficult subject to talk about, especially when budget has played a role in the decision making.

If you’re ready to begin having this discussion with your IT team, you should arm yourself with the right questions. We recommend you check out this video, “What is Encryption Key Management?” featuring Patrick Townsend, Founder & CEO of Townsend Security.

Topics: Alliance Key Manager, Encryption, Encryption Key Management

How to Prevent a Data Breach in the Cloud

Posted by Liz Townsend on Mar 4, 2013 11:27:00 AM

Video: Encryption Key Management for the Cloud

When it comes to data security, the question every single CEO and CISO should be asking her or himself is, "how do I prevent a data breach from happening to me?"

I recently sat down with data security expert Patrick Townsend, founder and CEO of Townsend Security to discuss the challenges around protecting sensitive data in the cloud and the most common methods of how people are protecting data in the cloud today.

Watch the video of that discussion here.

We live in a world today where data breaches are no longer a matter of "if" but "when." It is almost certain that some unauthorized person will at some point access your company's sensitive data, either by mistake, or with malicious intent to commit fraud. Whether it's by accident or intentional, unauthorized access of unencrypted sensitive data is usually grounds for data breach notification.

With so many companies moving their data storage to the cloud, preventing a data breach or unauthorized access to sensitive data becomes even trickier. Across the board, the number one concern people have with the cloud is data security. Because the cloud is fundamentally a shared environment in a location most users don't typically have physical access to, people are right to wonder, "Am I inadvertently sharing data with other people, and I don't know it?"

The truth is, in the cloud it's really hard to tell who you may inadvertently be sharing data with. That's why in order to prevent a data breach and avoid data breach notification it's critical to encrypt your sensitive data in the cloud, and you must use key management best practices. In fact, the concepts of protecting data in the cloud are fundamentally the same as protecting data outside of the cloud. You must (in review):

1. Encrypt the data
2. Use key management best practices to protect encryption keys

Using key management best practices for data in the cloud is fundamental, especially if you need to pass compliance regulations such as PCI-DSS, FFIEC, or FISMA.

As you'll learn in the video, there are really three ways to protect keys for encrypted data in the cloud:

1. Store the keys "in-house"
2. Store the keys in a hosted environment
3. Store the keys in the cloud

All three methods have their own advantages. But with each method there are also ways to protect encryption keys incorrectly. In the end, it's essential that you use key management best practices, and oftentimes the easiest way to make sure you're doing that is by using a third-party vendor with expert knowledge of key management best practices for the cloud.

Check out "Encryption Key Management for the Cloud" where Patrick Townsend discusses the challenges and solutions for protecting encryption keys.

Topics: Data Privacy, Encryption Key Management, cloud

Thank You

Posted by Mark Foege on Feb 28, 2013 1:54:00 PM

I can remember visiting a securities trading office while in junior high school as part of a class project to experience the business world. People seemed to be hurrying everywhere; delivering important documents, processing buy and sell orders, urgently getting important people on the phone right away. The pace of business was frantic! But when my teacher asked what impressed me most, I recalled something else.

“No one ever said ‘Thank you’,” I answered. “Does that really matter in the business world?” my teacher inquired. “Yes, it does matter,” I stated emphatically.

All these years later, I’m proud to work in a business where, despite the frantic pace of business and technology, we do take the time to say “thank you.”

For one, saying “thank you” is part of Townsend Security being a great place to work. Hearing from, and saying it to, co-workers contributes to each of us feeling like we are doing important work and that our efforts are appreciated. It makes us feel like individuals, not just employees. But that’s not why we do it.

Saying “thank you” is also part of holding on to great customers. We certainly value the revenue we receive from them, but even more so, we value the relationships we build through time. It’s wonderful that so many of our customers come back year after year and often point to the way they are treated as a reason. Saying “thank you” is a part of great customer service, but that’s not why we do it. 

As we enter into the United Way annual campaign, we see this as another way to say “thank you.” We proudly support this important organization and, through it, the many agencies doing the hard work of caring for, nurturing and empowering those in our communities that most need help. For any of you considering participating as well, we highly encourage it. It is certainly nice to be recognized by the United Way as a contributing business, but that’s not why we do it.

I’m glad I can say that at Townsend Security, we say “thank you” not because it’s mandated or because it is part of an orchestrated profit-motive. We simply say “thank you” because it’s the right thing to do.

Topics: Community, United Way

Which Data Security Conversation are You Having with Your Customers?

Posted by Mark Foege on Feb 25, 2013 9:20:00 AM

Webinar: Encryption and Key Management Simplified - Removing Complexity and Cost

View our Webinar "Encryption and Key Management Simplified - Removing Complexity and Cost"

I was recently speaking with a technology value added reseller (VAR). When I asked how often he spoke with his customers about data protection, he answered “All the time!” When I pressed for what he actually talked about, he explained, “I talk about the best ways to keep intruders out of their systems.” By this, he was referring to anti-virus software, firewalls and VPNs; not surprisingly, things he had become quite proficient at selling over the last number of years.

“So, what happens when somebody gets in anyway?” I asked. He looked at me with a blank stare. He had only been having part of the full conversation around enterprise data security.

Although keeping individuals, or groups, with malicious intent out of your network is an important part of protecting your data, it is far from being the whole story. Intrusion Prevention is only one of the three legs to the data protection stool. The other two legs are Network Monitoring and Encryption. It takes all three of these to truly protect any company’s data. If any one of them is missing, the stool simply falls over.

Sadly, most companies learn about their own data breaches only after being told by a partner, vendor or customer. A recent study shows that 69% of data breaches could have been detected before any data was lost if proper system logging was in place. Knowing what is going on within your systems is important to tracking, and taking steps to neutralize, malicious activities. A number of solid and affordable solutions are available for security information and event management. These include LogRhythm, Dell SecureWorks, McAfee Enterprise Security Manager and others. You can’t fix what you don’t know about, and if you’re not actively monitoring your systems, you may be blissfully, but dangerously, unaware.

But ultimately, it’s not about “if” someone will get access to your data, but “when” they will. That means it’s vitally important to make sure they only get their hands on useless data when they do. Using NIST-certified AES encryption along with a FIPS 140-2 certified key management system is the best way to avoid costly fines and notification requirements in the case of a data breach. When that data is lost or stolen, correctly implemented encryption assures that it is nothing more than a bunch of random 1’s and 0’s. Townsend Security’s Alliance Key Manager is an affordable and reliable solution for your customer’s needs in this area.

If you sold your customer a firewall and anti-virus software, but they still experienced a data breach, would they thank you for what you did, or be upset you didn’t do more? I’m guessing the latter.

So the next time you talk to your customer about data protection, remember to have the whole conversation. Make sure you include all three legs of the data protection stool: Network Monitoring, Encryption AND Intrusion Prevention.

Topics: Data Privacy, Solution Integrators/Providers

Zen and the Art of System Logging (System Monitoring for your IBM i)

Posted by Liz Townsend on Feb 21, 2013 1:29:00 PM

Podcast: Better System Logging

Download the podcast "System Logging on the IBM i - How to Do It Better."

If you could find out if your network is being hacked or tampered with, as it happens in real time, would you want to know? If there was a tool that collected, encrypted, and standardized your IBM i security events to give you peace of mind, would you use it?

We’re guessing yes. Luckily, system monitoring software is widely available for IBM operating systems, and there are two big reasons why you should use system monitoring:

1. Most system breaches go unnoticed for months (sometimes years) before the breach is discovered and dealt with. By then a hacker or employee may have gained access to thousands of personal files containing sensitive information such as credit card numbers and home addresses.

2. Less than 1% of the breaches in 2011 were discovered through log analysis, even though 69% of these breaches could have been detected before any data was lost if proper system logging was in place.

You know you need to collect your system logs in real time in order to detect unauthorized changes to your system, but with all of your security logs being created on different systems, web services, and applications, the task might seem overwhelming. How do you get a consolidated view of the security state of your database? How do you get information into usable format for log collection and Security Information & Event Management (SIEM) servers?

The answer is in a third party logging solution that can standardize, collect, and report security events. There are many logging solutions out there, but your solution should always provide you with these four key points:

1. Real time Log Collection. Your logging solution should collect logs of events in real time as they happen across multiple applications and servers. You should be alerted immediately to suspicious log events on your servers instead of receiving a batch at the end of the day or week.

2. High Speed Performance. Performance should not be a barrier when it comes to log collection and analysis. Your logging solution should be able to collect tens of millions of events from multiple applications and thousands of users per day without huge performance impacts.

3. Secure Communication. Your logging solution also needs to secure the transfer of events to a log server. Your logging solution should use SSL TCP to encrypt log entries in transit from an IBM server to a log collection server.

4. Industry Standard. There is a standard format for system log events, and the data you collect from your IBM i and transfer to your log collection server should be in that format. The most widely used standards are the syslog standard based on RFC 3164 and the Common Event Format (CEF) used by a number of SIEM vendors.
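To make the "Industry Standard" and "Secure Communication" points concrete (and the data-format and communications challenges listed in the IBM i tips post above), here is an added example, not code from Townsend Security or IBM, that turns one security event into an RFC 3164 syslog line and a CEF record and can send lines over TLS. The event fields, vendor and product names, and the newline framing are assumptions made for illustration; this is not the IBM i journal format.

```python
import socket
import ssl
from datetime import datetime, timezone

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Constructed sample event (hypothetical field names). The message carries a
# newline and a forged "<34>" prefix, as an attacker-influenced field might.
SAMPLE_EVENT = {
    "time": datetime(2013, 2, 4, 13, 29, 5, tzinfo=timezone.utc),
    "host": "IBMI01",
    "app": "audit-agent",
    "event_id": "1001",
    "name": "Sign-on failure|password",
    "severity": 4,                      # syslog severity: 0 (emerg) .. 7 (debug)
    "user": "APPUSER1",
    "src": "203.0.113.7",
    "message": "Invalid password for APPUSER1\n<34>forged entry a=b",
}


def sanitize(text):
    """Replace control and non-ASCII characters so one event is one log line."""
    return "".join(c if 32 <= ord(c) < 127 else " " for c in str(text))


def rfc3164_timestamp(ts):
    # RFC 3164 uses "Mmm dd hh:mm:ss" with a space-padded day, no year, no zone.
    return "%s %2d %02d:%02d:%02d" % (
        MONTHS[ts.month - 1], ts.day, ts.hour, ts.minute, ts.second)


def to_rfc3164(event, payload=None, facility=4):
    """Build '<PRI>TIMESTAMP HOST TAG: MSG'; facility 4 is security/authorization."""
    pri = facility * 8 + event["severity"]
    host = sanitize(event["host"]).replace(" ", "")
    tag = "".join(c for c in event["app"] if c.isalnum())[:32]
    if payload is None:
        payload = "user=%s src=%s %s" % (
            event["user"], event["src"], event["message"])
    line = "<%d>%s %s %s: %s" % (
        pri, rfc3164_timestamp(event["time"]), host, tag, sanitize(payload))
    return line[:1024]                  # RFC 3164 caps a message at 1024 bytes


def cef_header_escape(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value):
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))


def to_cef(event, vendor="ExampleVendor", product="ExampleAgent", version="1.0"):
    """Build 'CEF:0|vendor|product|version|id|name|severity|extension'."""
    cef_severity = (7 - event["severity"]) * 10 // 7   # map 7..0 onto 0..10
    header = ["CEF:0"] + [cef_header_escape(v) for v in (
        vendor, product, version, event["event_id"], event["name"], cef_severity)]
    extension = [
        ("rt", int(event["time"].timestamp() * 1000)),  # receipt time, epoch ms
        ("dhost", event["host"]),
        ("suser", event["user"]),
        ("src", event["src"]),
        ("msg", event["message"]),
    ]
    ext = " ".join("%s=%s" % (k, cef_ext_escape(v)) for k, v in extension)
    return "|".join(header) + "|" + ext


def send_tls(lines, host, port, cafile=None):
    """Send newline-framed lines over TLS (framing is a collector assumption)."""
    ctx = ssl.create_default_context(cafile=cafile)    # verifies chain and hostname
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for line in lines:
                tls.sendall(line.encode("ascii") + b"\n")


if __name__ == "__main__":
    print(to_rfc3164(SAMPLE_EVENT))
    print(to_rfc3164(SAMPLE_EVENT, payload=to_cef(SAMPLE_EVENT)))
```

The embedded newline in the sample message never reaches the collector as a second line: the syslog form flattens it to a space and the CEF form escapes it, which is what keeps a forged entry from being parsed as a separate event.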

Townsend Security’s Alliance LogAgent and LogAgent Suite with File Integrity Monitoring (FIM) allow IBM i users to meet compliance regulations by collecting security system logs and transmitting them to a log collection server or any SIEM solution. Alliance LogAgent will help you achieve inner peace of mind.

Topics: System Logging, Alliance LogAgent