Townsend Security Data Privacy Blog

Dear Homegrown Data Protection,

I wanted to write you a letter to say thank you for being an option in our company’s quest to find an encryption solution that works for us.  You have some neat algorithms and some pretty cool features that we haven’t seen before.  However, just because you look secure and have a bit of sparkle around doesn’t mean that we’re ready for you to protect our sensitive data.

Sure, you seem like a great idea on paper; you’re cheap up front, you’re pretty sure that you can help us meet all of our compliance regulations, and your algorithms seem to make you  just as secure as anything else on the market.  What’s not to like?  Still, I feel that you might be missing something in a few key areas.  Before you start encrypting our data there are three things I want to ask you about.

First off, how are you planning on securing our sensitive data?  Are you planning on doing scrambling, masking, or doing actual encryption?  Scrambling sounds great in theory, but if all your program is going to do is mix up all the letters and numbers, I’m not sure how comfortable we would feel about that.  When it comes down to choosing between data scrambling and data encryption, encryption is going to be much more secure.  There are lots of widely accepted encryption libraries out there like AES or Triple DES that you could use to be sure our data will stay safe.  AES has been around since 2001, and is the de facto encryption library to use.  It’s strength lies in its 128-bit, 192-bit, and 256-bit encryption keys.

That brings up the next point: how are you going to manage the keys?  Where are you going to keep them?  Who is going to handle them?  In order to be compliant with many regulations, we will need a solution that has dual control, meaning that at least two people need to authenticate a process before a key can go to work.  It will need separation of duties, which keeps the people handling the key away from the people handling the sensitive data, and visa versa.  Now this isn’t always easy to implement on some OS's, and on some OS's it’s nearly impossible. One way to accomplish that would be to use a hardware security module (HSM).  These HSMs allow companies to keep their keys separate from their sensitive data, and out of the hands of anyone who might break into their system.

Lastly, is your encryption solution going to be NIST Certified?  If you haven’t heard of the National Institute of Standard and Technology (NIST) you might want to check them out.  Being NIST certified means that your product follows proper cryptographic implementation standards, and meets best practices for security.  Every solution that has gone through the NIST certification process has been through a series of rigorous and complex tests to find even the smallest error that could cause the encryption algorithm to fail.  Your algorithms look fine and have some pretty cool features, but we are looking for something that is going to stand the test of time.

Again, I really appreciate you being an encryption option, but when it comes to protecting data we want to be sure that we are getting the right thing.  Give us an encryption solution that is secure, stable, and certified.

Sincerely,

Jacob

2012 was a big year; we survived an apocalypse, screamed our lungs out at the Olympics, and watched another big election year come and go.  However, in the midst of all the hullabaloo people’s lives were being wrecked, computers stolen, and governments attacked.  With each new cyber attack, security breach, and internet scam the world of tech got a bit more scary for all of us.

Below are five stories that I feel best capture the state of data security in 2012.

#1 - Apple+Amazon Personal Information Protocol

In the early part of August, Mat Honan, a well-known tech writer, released an article on Wired that detailed how in 1 hour his entire digital life was taken over and erased.  His information was stolen through a hack, rather the two perpetrators tricked Apple and Amazon customer service representatives (CSR) into believing that they were Mr. Honan and then giving them access to his personal information.  The thieves were then able to access, control, and wipe his iPhone, Macbook, and many of his online accounts.  His tech and online life had been hijacked from just a few calls to two companies.

I won’t detail the specifics here, but I will point out that this was a relatively easy loophole to exploit.  Honan explained that he was also able to do it multiple times with other peoples’ accounts (in a controlled environment).

With the publication of the story both Amazon and Apple have since changed how they handle phone access to personal information.  Amazon CSRs will no longer be able to change the settings on credit cards and email addresses over the phone.  Apple is now pointing customers to use its online ‘iforgot’ system to recover passwords.  This system requires much more personal information than their previous solution.

In the end Honan was able to recover a majority of his personal data that had been erased

#2 - South Carolina Department of Revenue (DoR) Breach

On August 13th an employee at the South Carolina DoR opened and clicked a malicious phishing email.  The link then executed malware that infected the employee’s computer giving the hacker access to their username and password.  Two weeks later, the hacker entered the system remotely by using the credentials that they had previously obtained.

During the following month the hacker was able to access the entire DoR system without being detected.  To do this the hacker used 4 legitimate username and passwords and 33 pieces of malicious code.  The hacker, among other things, was able to access 44 DoR systems and create 7-zip files that contained 74.7 GB of uncompressed data.  That data included almost 3.8 million Social Security numbers and 387,000 credit and debit card numbers.

When administration of South Carolina broke the news about the breach, they defended their actions by saying they were following industry standards and there was nothing they could have done to prevent the breach.  This, however, was later proved to be a false claim.  If the state had used proper encryption and key management practices, they could have most likely avoided the breach.

The total cost of the breach to the State is around $14 million (a $20 million bailout was approved to help the State cover additional costs).  The total cost to taxpayers both directly and indirectly is yet unknown.

#3 - NASA’s Halloween Trick

Halloween is usually a night where kids can go around the neighborhood getting free candy at nearly every door.  This past Halloween, however, a NASA employee received a nasty surprise in return; somebody had broken into his car in the night, and stole an unencrypted laptop containing personal information of at least 10,000 employees, contractors, and others.  This was the second published breach in 2012 and the third known breach in the past two years.

The director of NASA has offered 1 year of credit monitoring and identity protection to all affected persons.  On top of that he has mandated that all laptops containing personal information must be encrypted by December 21, 2012.

#4 - Nortel’s Hacking Demise

In February a news report was released by the Wall Street Journal detailing how hackers gained access to (the now defunct Canadian corporation) Nortel top-level executives’ usernames and passwords in early 2000.  The hackers had access to business reports, internal communications, and employee information.  The hacks didn’t go unnoticed by employees.  In 2004, one employee noticed monthly downloads being made using China IP addresses and the credentials of an executive.  He made numerous recommendations regarding Nortel’s database security, but a decision was later made to only change the compromised passwords.

In 2009 Nortel went bankrupt, and sold off its assets to various other companies.  When the report was released in early 2012 the former CEO of Nortel insisted that the vulnerabilities could not have been passed onto those other companies.

A former senior security advisor at Nortel, Brian Shields, said that he was certain that being hacked played a role in the demise of the company, “When they see what your business plans are, that's a huge advantage. It's unfair business practices that really bring down a company of this size."

#5 - Lieberman, Collins Cybersecurity Bill Shutdown

On November 14, 2012 a piece of cybersecurity legislation was rejected by the Senate in a vote of 51-47.  This was the second piece of cybersecurity legislation rejected in 2012.  Senator Lieberman and Senator Collins proposed the bill to the Senate because of the increasing number of attacks on critical infrastructure in the United States (i.e. banks, utilities, transportation).

Lieberman wrote an op-ed comparing the the threat of cyber attacks on America to the surprise attack on Pearl Harbor in 1941.  In his article he quoted defense secretary Leon Panetta saying, “The collective result of these kinds of attacks could be a cyber-Pearl Harbor, an attack that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation.”

Such attacks have already taken place in the US.  Early last year a Texas water pump was hacked and taken over remotely in 10 minutes.  Several websites of major banks were barraged by a denial of service attack that either knocked them off-line or crippled their performance.  These attacks aren’t exclusive to the US either; a Saudi Arabian oil company had 30,000 of its computers hacked, hindering the company’s operations.

With this latest cybersecurity bill being rejected by the Senate, the US government is shirking implementing security measures to prevent widespread attacks.

Data security breaches affect all of us whether we are the Average Joe or a C-Suite level executive.  What can be done individually, as a company, or as a government agency to make sure that 2013 won’t be like 2012 for personal information?

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person.  Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII, as well as the first steps your company should take towards establishing a data privacy strategy.

When a solution integrator assesses a company's IT and data security needs, most solution integrators know that almost every single business will need to meet at least one set of data security compliance regulations. If it's a retail business, they'll need to meet PCI-DSS. If it's a bank or financial company, they'll need to meet FFIEC and GLBA. If the company is a healthcare organization, they'll need to meet the data security requirements of HIPAA-HITECH. 

All of these regulations require that entities protect their sensitive data. From names and addresses to credit card and protected health information, these regulations say that the only way to truly secure this data is with encryption--not just firewalls and strong passwords--but with AES encryption. Even more importantly, most industry regulations and laws state that if a company is using encryption and proper encryption key management, should that company have a data breach, they don't always have to report it.

Do you think the companies who had major data breaches last year wish they had known that little fact? We're guessing, yes. 

Unfortunately, there's a lot of false information out there about encryption and encryption key management. A common misconception is that hackers can break encryption. The truth is, hackers don't break encryption, they find the encryption keys. How do they find the keys? If the keys are stored on the same device that the encrypted data is stored on, or the keys are stored in an unsecured location that the hacker gets access to, once the hacker has the keys, he or she can "unlock" the encrypted data. 

It's a little bit like taping your house key to your front door and hoping that a thief won't find it there. It's wishful thinking. 

That's why encryption is considered only half of a solution. All companies encrypting data also must implement good encryption key management. 

Of course solution integrators want to know how offering their customers encryption key management services can grow their business. There's actually still a lot of hesitation around encryption key management as a service because managing keys was once a very difficult and costly thing to do. It even had a reputation for causing severe performance impacts on a network. Maybe that was true 10 years ago, but today encryption and key management technology is: 

• Easier than ever to implement on legacy platforms such as IBM i and Microsoft SQL Server 

• Cost effective

• Has very little impact on performance. 

That’s why offering encryption key management to your customers is always a good idea. Offering these technologies will not only grow your business. Encryption key management service will protect your customers and help them meet compliance (which they’ll be thankful for).

Townsend Security is a Microsoft Silver Partner and an Advanced partner with IBM, providing the only FIPS 140-2 certified key management solution for Pureflex. Want to learn more about encryption and key management for IBM platforms? Download the podcast on automatic encryption for IBM i below!

Today, nearly every business needs to meet at least one set of data security compliance regulations, if not more. Regulations such as PCI-DSS, HIPAA-HITECH, and GLBA/FFIEC recommend if not outright require companies collecting sensitive data to secure that data using encryption and encryption key management. Most solution integrators are aware of this, but they may not know what to look for in a third party key management vendor to partner with.

The key management vendor you chose to partner with should provide you with all services you need to integrate key management into your solution easily. If you're a solution integrator, a third party key management vendor should provide you with:

1. Technology. Does your key management partner provide you with all of adequate hardware, software, encryption libraries, and tools you need to easily deploy encryption and key management on your customers' networks?

2. Certifications. Certifications are crucial to meeting government and industry data security requirements. Is your key management partner’s solution FIPS 140-2 certified? What is the certificate number? Do they use NIST-certified AES encryption?

3. Training. Does your partner provide you with adequate training to tools such as walk-through instruction and training videos to help you implement encryption key management with ease?

4. Platform Compatibility. Does your partner support all of your customers' legacy platforms such as IBM, Microsoft, or Oracle, including newer and older versions?

5. Client Side Support. Does your partner supply you with all of the sample code, binary libraries, applications, key retrieval and other tools you need to implement encryption and key management fast and easily? Do they charge client-side licenses? (Note: Townsend Security never charges for client-side support.)

6. Marketing Collateral. Does your partner provide you with strong sales and marketing material to help you promote and provide credibility to the product?

7. Knowledge of Compliance Regulations. Does your partner know how their solutions will help your customers meet compliance regulations such as PCI-DSS, HIPAA-HITECH, and GLBA/FFIEC?

8. Virtual and Cloud Environment Capabilities. Your customers may be storing their data "in-house", but if they want to move to the cloud, can your key management partner  move with them?

9. Scalable Solutions. Many customers of SIs are small and medium sized businesses with the same data security needs as larger enterprises. Can your key management scale to meet the needs of the SMB market?

10. A Supportive Business Relationship. Does your partner understand your competitive and pricing challenges? Will your partner work with you to craft a solution that will keep your price competitive, or will they just give you a price and walk away?

11. A Win-Win relationship. Will the partnership create new business and generate new revenue for both parties?

Townsend Security is a third party encryption and key management provider of NIST-certified AES encryption and and FIPS 140-2 certified key management systems. With over 25 years of experience helping companies protect data and meet compliance requirements, Townsend Security can help you do the same.

To learn more about partnering with Townsend Security, contact us now. To learn more about AES Encryption and encryption key management, download our White Paper  "AES Encryption and Related Concepts."

In any organization, the CEO has many jobs.  At the macro level, a CEO’s job is to instill confidence in his stakeholders, which include customers, investors, employees, suppliers and partners.  To accomplish this, a CEO must be able to establish a level of trust with these stakeholders in order to Inspire, Encourage, and Engage the stakeholders in the vision to which the entity is in pursuit of.  This trust ultimately is used to create value for the entity through the confidence that the market has in the ability of the CEO and his team to execute.

Every business has inherent risks in its execution and as part of the CEO’s ability to instill confidence that ultimately results in value, he/she must be able to identify and address each of the risks in the business.  Therefore, risk mitigation, by nature, becomes a core component of a CEO’s job.

In a pre-internet world, the risk of data loss was limited to a physical breach of the “four walls” of the entity.  Security guards, fences, and access control systems were established to keep people away for sensitive information.  However, as today’s world has become connected at virtually every level, the protection of data needs to be equally focused on the data itself rather than simply blocking someone from getting at the data.

Most CEO’s are well aware that encryption methodologies were created for their CIO’s to be able to protect data in their networks.  However, this is such a new phenomenon that few CEO’s understand the inherent risks to ALL there data and the changes in the regulatory industry that they must comply with in order to maintain the confidence and the resulting value in their entity.

As you’ve already read, the cost of a data breach isn’t just the cost to the owner of the data whose data has been compromised, it’s to the entity entrusted with the protection of the data as well and it comes in the form of fines and the time necessary to recover from the breach.  This is measured in $millions per incident in many cases.

A CEO loses confidence when he/she doesn’t adequately ensure that policies are in place to protect ALL data from breach.  Here are some examples of data that needs protection:

• Employee records – anything that includes name, address, phone number, e-mail address, SSN number, insurance information etc.
• Customer records – anything that includes name, address, phone number, e-mail address, EIN number, financial information etc.
• Supplier records – same as above
• Health information records
• Credit Card information
• Password information, even if stored separately
• Confidential information about company strategy / plans
• Confidential information about customer strategy / plans
• Confidential information about vendor strategy / plans

Many CEO’s would answer – my data is encrypted, what’s the problem?  The problem is that you’ve probably pasted the key to the encryption on the front door and don’t even know it.  “Hey hacker, come on in, here’s the key, take what you want”.

Now lets look at the cost.  If you were to have a data breach, the cost may be different depending on what’s been lost.  However, that’s a dangerous game to play.  The data that isn’t “regulated” may have the greatest impact on your value.

If someone steals confidential customer information, what is the affect on your brand?  Can you recover from the market impact of being labeled as not having the safeguards in place to protect your customer data?  DropBox is dealing with this question as you read this.  They blamed their customers.  Who are you going to blame?

The only viable solution to this risk is to ensure that you have an adequate “encryption key management” solution in place that meets ALL requirements of safe data protection methods.  You must not only protect the data, you must also protect the keys to the data.

The inability to address this issue may just cost you your company.

Download our white paper "AES Encryption Strategies - A White Paper for the IT Executive" to learn more about key issues in data security, how to choose the right data security partner, and how to develope a strategy that insures early successes.

We’ve heard a lot of different excuses and reasons for a company to decide not to encrypt sensitive data — ”it’s not in our budget”, “a data breach won’t happen to us”, etc. For the companies out there who are taking responsibility to protect their customers’ sensitive information with encryption, we also often see these companies fall prey to a few common pitfalls that make their encryption strategy weak. A weak encryption strategy isn’t much better than having no encryption strategy at all. Here are the top 10 encryption pitfalls to avoid in order to implement strong encryption:

1. Failure to Asses Risk

We are still finding today a lot of organizations and companies that have not implemented any type of data protection at all. When we talk to a company taking credit cards and not encrypting that credit card information, we know that they've not properly done risk assessment on what it  means to fail a PCI-DSS audit or have a breach when you're not meeting PCI-DSS standards. The risks associated with a data breach not only include fines paid to the government, but also the cost of credit monitoring for your customers with compromised data, loss of trust from stakeholders, and damage to your brand name.

2. Encryption Key Management

Once you start an encryption project you’ll be faced with the one, core technical requirement: protecting the encryption keys. One of the biggest causes of audit failure for encryption is not adequately protecting those keys. Getting a secure, FIPS 140-2 compliant key management device in place to protect your encryption keys will help you avoid having to go back and re-do your encryption project using proper key management.

3. Client Side Support

Does your vendor supply you with all of the tools you need to implement encryption and key management? Choosing a vendor the provides poor client-side support can be a huge detriment to your encryption project. That is why it’s important to choose a vendor that will provide sample code and applications that snap into client-side environments to make your encryption project faster and easier.

4. Virtual and Cloud Environments

Today, security is the number one concern for companies migrating to the cloud. The principles of encryption and key management remain largely the same, but the question of how to manage keys for encrypted data in the cloud is still debated. Hosting encryption keys “in-house” is currently the most common model. Even if you’re managing your encrypted data in-house, be aware that you may choose to move to a virtual cloud environments in the future, and you will want to make sure that your encryption strategy and key management strategy can migrate with you to the cloud

5. NIST and FIPS Certifications

Industries that deal with sensitive client information such as credit card numbers, social security numbers, and private health information must adhere to regulations (some of them governmental) in order to protect individuals’ personal and sensitive information. These regulations follow recommendations by the National Institute of Standards and Technology (NIST). When protecting data at rest, you should be using Advanced Encryption Standard (AES) encryption, which is a standard put forth by NIST. You should also look for a key management device with FIPS 140-2 validation, also a NIST standard.

6. Performance - What are the Performance Impacts?

It’s possible to encounter serious performance impacts when you implement encryption. That’s why we not only recommend you use only AES and NIST certified solutions, but that if you’re the IT person dealing with the encryption, that you do some preliminary testing of the encryption on a sample database the same size as the actual database you will be encrypting. Your encryption and key management vendor should be able to help you do this with ease.

7. Ease of Use

An encryption and key management solution that is difficult to use can lead to a slowed project, unexpected costs, and delays. This can be a huge roadblock, especially if you are struggling to address a data protection problem or meet deadlines imposed by compliance regulations. To avoid ease-of-use problems, look for a solution with a GUI interface designed to run on your platform and allows you the necessary points of access to your encrypted data and encryption keys.

8. Data Leakage to Quality Assurance (QA) and Test Environments

Segmenting your critical data apart from non-critical data is an important step in preventing leakage of the critical data onto unprotected environments such as testing and development environments. Simple employee mistakes make up a large portion of data breaches that occur every year. Knowing which servers your sensitive data is located on and making sure that data doesn’t accidentally get moved to and unsecured location is critical.

9. System and Compliance Logging

Most compliance regulations including PCI-DSS recommend if not require some sort of system logging of your critical data. Whether it is file integrity monitoring or system logging to collect and store security events, these tools help you to catch changes to your database in real time. This is actually one of the most important parts of data security, and many data breaches can be immediately detected with system logging.

10. Budget Should Not Be a Barrier

When implementing encryption and key management, trying to save money by skipping steps will cause you a great deal of grief. Conversely, your encryption and key management vendor should be able to offer you a NIST certified,  scalable solution at an affordable price.

CEOs swim in a sea of risk, and become very adept at identifying, assessing, and managing the risks they know. These risks include financial, regulatory, reputational, physical, and many others. The CEO has many other tasks besides addressing risk, of course, but assessing, monitoring, and mitigating risk is a critical part of the job.

With the rise of data breaches worldwide, IT security has become a new risk that seems to be the most ignored. Even though technologies exist to prevent the majority of these breaches, little is ever done to take preventative steps.

Since the fallout cost of a data breach is on average in the millions, why are CEOs so bad at assessing IT security risk?

Here are some answers I’ve gathered based on my discussions with CEOs who have experienced a data breach:

It’s a new threat
It’s human nature to mis-understand the potential damage of newly emerging threats. When DDT was first discovered, it was treated as a miracle pesticide. It took many years to understand the threat to human health and natural systems from the use of DDT. In many ways the situation is the same today in relation to Internet commerce and data security. Many CEOs just don’t see the potential damage a data breach will have on their organizations.

CEOs don’t have the tools to assess the risk
With our financial systems we have many tools that help us assess risk. Expense ratios, profit and loss statements, retained earnings, asset ratios, and many other tools allow the CEO to assess the changing nature of the financial status. It’s easy to see this risk as it develops. It is not yet a common practice to do the same with IT security risks.

Although there are many tools available to monitor IT security risk such as system logging and file integrity monitoring (FIM), few of these tools are made to be easily interpreted by a CEO, and many CIOs are not in charge of these tools. In many cases the CEO turns to the CIO and asks “Are we OK,” and often gets an equally soft answer: “Everything is OK. Our consultants and vendors tell us that we are fine.” Real information is hard to come by, and thus everyone is surprised when the data breach happens.

A persistent state of denial
Many CEOs engage in a common form of magical thinking. They tell themselves that “It hasn’t happened to us yet, so it probably won’t.” But security professionals know that a data breach is a matter of When, not If. Assuming something won’t happen to you because it hasn’t happened so far is not a form of risk assessment.

Underestimating the damage potential
Another common risk assessment failure among CEOs is the failure to understand the full impacts of a data breach. I’ve heard many executives say things like, “If it happens to us, we’ll just pay the fine.” The problem with this thinking is that the fine, if there is one, is a tiny fraction of the damage to the organization. Data breaches often lead to expensive litigation, years of on-premise security audits, shareholder lawsuits, credit monitoring services, lost goodwill, and lost revenue through customer defections. The impacts are often much larger than the CEO was ever expecting.

The danger to the CEO’s job from inadequately assessing IT security risk is real. Few CEOs survive long after a large and embarrassing data breach. And a stellar career history is tarnished by the painful public exposure that follows the data breach.

Real change will take place when CEOs fully come to understand the nature of IT security risks, and begin to hold the organization, and themselves, fully accountable.

Patrick

Download our white paper "AES Encryption Strategies - A White Paper for the IT Executive" to learn more about key issues in data security, how to choose the right data security partner, and how to develope a strategy that insures early successes.

IBM i users have been reaping the benefits of IBM’s modernization efforts for some years now. The IBM i platform now has a number of new web and open source technologies including the PHP web development platform. With partner Zend Technologies, IBM has brought an industrial strength web development platform to the IBM i.

If you are using PHP on the IBM i, or if you are starting a new project with PHP, I would like to introduce you to NSC Software Solutions, Inc. headquartered in Brillion, Wisconsin. Started in 1981 by Larry Nies, NSC specializes in helping companies develop and deploy PHP web applications on the IBM i platform. They are specialists in PHP design and development, and create cross-platform PHP solutions for companies around the globe.

Web applications and data security? Yes, a big concern for companies of all sizes.

We turned to NSC for advice on how to help IBM i PHP customers do encryption and key management the right way. Wow, we got way more than advice!

Under the direction of Eric Nies, NSC created a professional PHP module to make it easy for IBM i customers to use our Alliance Key Manager for encryption key management in a PHP application. They also create a GUI application to make configuration easy to do.  So IBM i customers who need to meet PCI, HIPAA, GLBA, FISMA and other data security compliance regulations can now do this quickly and easily. For IBM i customers new to PHP, NSC can provide professional services to get that first project off the ground quickly.

If you are a PHP developer you might like to know that the NSC solution works well for both IBM’s DB2 database and for MySQL. The code that NSC developed for encryption key retrieval is a module that is easy to add to your PHP project. And applications can move from the IBM i platform to other platforms that support PHP.

Customers who develop PHP applications on the IBM i are also running legacy RPG and COBOL applications in the same environment. The same Alliance Key Manager appliance that protects data in the PHP environment can protect data in your legacy IBM i applications, and across the complete set of non-IBM technologies that you use including Microsoft SQL Server, Oracle Database, MySQL, and many other platforms.

PHP web application security? It’s a piece of cake - talk to NSC.

Disclaimer: We don't have any financial relationship with NSC Software Solutions, Inc.  They are just a great company that we think our readers should know about.

Patrick

In 2012, we saw several large data breaches occurring to website-based companies such as LinkedIn, eHarmony, and Last.fm. These breaches exposed millions of passwords and led us to ask the question, are emails and passwords personally identifiable information (PII)? Because people tend to use email addresses and passwords across multiple website accounts that might contain information such as first and last names, physical addresses, and credit card information, we suspect that if email addresses and passwords aren’t considered PII by everyone today, they soon will be.

Last year I wrote a blog article on the states that had passed some sort of data privacy law, and how widely each state’s definition of PII varies:

(Aug. 8th, 2012) “A significant number of states just lifted verbatim what other states had written into law. A rough guess is that about one third of the states had almost identical data privacy laws.

But the remaining two thirds of the regulations varied greatly, even in defining what PII is. It was common to consider the First Name and Last Name in combination with a Social Security number, bank account number, or driver's license number as information that constituted PII that needed to be protected. But after reading and collating all 45 states, I found 41 data items that were considered PII! In addition to the standard data items, I found passport numbers, military IDs, medical numbers, email addresses, and much else. I even found definitions of PII that went something like this: ‘Any information in aggregate that can identify an individual must be protected.’ It was a lot of ground to cover.

So, should you be protecting email addresses? Absolutely!”

This is something I believe not only still holds true, but will become even more important in the future. Using encryption to protect log-in information and passwords is the best way any one company can protect that information. Of course, using good encryption key management is also a critical part of that process. Even if a hacker gets hold of encrypted data, they cannot get access to that data unless they also find the encryption keys.

For more information, download our white paper "AES Encryption and Related Concepts" and learn about how proper encryption and encryption key management work together to secure your data.

Q: What is enterprise key management? What questions should I ask an enteprise key management vendor?

When it comes to protecting sensitive data, it’s fairly common knowledge today that the best way to protect that data is to encrypt it. Companies of all sizes must do this whether they’re taking credit card information, names and addresses, or protected health information. These days encrypting your data is pretty easy. Some operating systems even do it for you, automatically. And if you have a fairly small database of sensitive data that’s stored all in one place, then the key management for your encrypted data is also pretty straightforward.

However, not all networks are so simple. Many times I run into companies who not only store their data on several different operating systems, but they also use several different versions of each system. With such a highly complex network, it can be difficult for IT administrators to easily encrypt all of their sensitive data. They might not even know where their sensitive data is! The complexity of the database infrastructure might be so overwhelming, that implementing an encryption key management system doesn’t even seem feasible.

That’s because these companies don’t just need a key management solution, they need an enterprise key management solution.

Enterprise key management is term being used to today to refer to professional key management systems that provide encryption keys across a variety of operating systems and databases. A network, for example, might be comprised of several different versions of Microsoft SQL Server as well as IBM i, Linux, UNIX, or Oracle servers, as well as backup tapes and data stored in the cloud. The encryption key manager needs to be able to communicate simultaneously with all of these locations in order to provide encryption keys, decrypt, and rotate keys.

Your enterprise key manager (not to be confused with Extensible Key Management, or EKM for Microsoft SQL server) should have high availability and be located centrally in the network, typically in a protected hardware security module (HSM). When looking for an enterprise key management solution, make sure you ask your key management vendor these important questions when assessing their solutions:

1. Is your key manager FIPS 140-2 certified?  What is the certificate number?
2. How would you describe the encryption key payload as retrieved from the key server?  Is it simple or complex?
3. Is there a common key retrieval application interface on all platforms?  What are the differences?
4. What platforms do you support for key retrieval?  (Note any gaps in platform coverage for your company)
5. Do you provide working sample code for the platforms I need? (Windows, Linux, UNIX, IBM i, IBM z)
6. Do you supply binary libraries for all enterprise servers?
7. Do you have a Java key retrieval class and examples? Is it standard Java or JNI?
8. Do you charge separate license fees for each client operating system?
9. Do you require that we purchase consulting services from you?  Why?
10. I am an independent software vendor (ISV), can you brand the solution and certify the solution for us?

For more information on the importance of encryption key management, download our ebook "Definitive Guide to Encryption Key Management Fundamentals" and learn how to overcome the challenges of deploying encryption key management in business applications.