Townsend Security Data Privacy Blog

Encryption & Key Management in Windows Azure

Posted by Michelle Larson on Feb 13, 2014 3:05:00 PM

Providing Data Security IN the Cloud

The excitement level has been palpable around our office this week as we released the first encryption key manager to run in Microsoft Windows Azure, solving the data security problem that has held many companies back from adopting Microsoft's cloud. In preparation for this new product, we have had a number of questions to answer, so I thought we should recap a few of them and share an excellent podcast resource with our readers!

What is the main issue that Microsoft Windows Azure customers are experiencing?

The number one concern reported by companies or organizations when they think about moving to any cloud environment is security. The studies show that their biggest concerns revolve around exposure of personally identifiable information and preventing data loss. It is a big enough concern that many companies have held back from migrating mission-critical applications with sensitive data from their traditional data centers into the cloud.  

A few things that are common across many industries and compliance regulations can really help with protecting data in cloud platforms like Windows Azure:

  • Use industry-standard AES encryption.
  • Keep your encryption keys separate from the data that's being protected.
  • Use dual control and separation of duties to protect your encryption keys.
  • Follow best practices in terms of protecting data-at-rest and data-in-motion.

What strategy do you use for deploying a key manager in Windows Azure?

When you are running AKM as a Windows Azure virtual instance it is in a standard or virtual private cloud environment (VPC) allowing for better segmentation and isolation of your key management implementation. You definitely do not want to store encryption keys in the same virtual machine or instance of Windows Azure where sensitive data is stored. That would be like taping your house key to the front door when you leave home! In fact, the core concept for key management is to always separate the encryption keys from the data they protect. 

We know key management is critical to meeting compliance regulations, but is there any guidance about securing data in the cloud?

It is very important for cloud users to protect data using good practical guidance from PCI Security Standards Council (PCI SSC) even if not storing credit card information.  PCI SSC has issued Cloud Computing Guidelines as well as guidance around virtualization of data protection solutions, so you can be PCI compliant with a cloud-based key management and encryption solution.

The Cloud Security Alliance (CSA) has also issued good guidance around security in cloud environments in version 3 of their documentation (domain 11 applies to encryption and key management).

The National Institute of Standards and Technology (NIST) has also produced guidance for security in cloud environments (NIST Special Publication 800-144), which provides excellent guidance for people looking to move into cloud platforms and protect data there.

How does your Alliance Key Manager help protect data in Windows Azure?

Our founder and CEO Patrick Townsend says, “I'm rather proud of the fact that we have the first fully cloud-based key management solution in Windows Azure.  Our Alliance Key Manager for Windows Azure solution is a cloud instance that you can deploy directly into Windows Azure to manage encryption keys and protect data. It can be deployed in standard Windows Azure Infrastructure-as-a-Service (IaaS) environment and you can deploy it directly into a virtual private cloud.  It's the same binary code that is in our HSM which is FIPS 140-2 validated and it's running purely within that Windows Azure environment. I am proud of our development team for bringing forth our Alliance Key Manager for Microsoft Windows Azure users as an affordable solution.”

Alliance Key Manager also comes with applications that are ready to deploy, such as our EKM provider, which gives you full protection of Microsoft SQL Server databases and the Microsoft solution applications that run on top of SQL Server. This includes:

  • Custom-built SQL Server applications
  • SharePoint applications using SQL Server as their content database platform
  • Microsoft Dynamics applications such as CRM, AX, and GP that run on top of SQL Server

For custom applications we provide a .NET assembly that you can add to your applications to perform encryption either on versions of SQL Server that don't support transparent data encryption (TDE) or on unstructured data that you may be storing in the Windows Azure platform. You are also able to encrypt data going into SQL Azure as well as MySQL or Oracle or any other database that you might be running. Alliance Key Manager comes with a complete library of SDKs and sample code for developers, along with purpose-built applications that are ready to plug in and perform encryption, which will get encryption projects up and running very quickly.

“The recent data breaches experienced by so many retailers just highlight the need to protect data with encryption and properly manage the encryption keys.  We really help answer the challenge of protecting data in cloud environments like Microsoft Windows Azure and we are helping people achieve that data protection that they need to feel comfortable moving to cloud platforms.”

Please download this podcast to learn more about securing data in the Microsoft Windows Azure platform:

Encryption Key Management for Windows Azure

Topics: Alliance Key Manager, Compliance, Podcast, Cloud Security, Microsoft Windows Azure

Welcome to Windows Azure Encryption Key Management

Posted by Patrick Townsend on Feb 10, 2014 1:00:00 AM

The primary concern of cloud customers is the security of their sensitive data. Security remains one of the major barriers to cloud adoption. And that makes sense. Cloud platforms like Microsoft Windows Azure are by their nature shared environments. The computational resources are shared, the network resources are shared, and the responsibility for physical security is ceded to a third party. That would make anyone nervous.

There are also some additional practical issues. Where, for example, do you actually store your encryption keys that protect your data? For customers and software providers who are fully in the cloud, this is a difficult practical question. You just don’t have a convenient place to securely store encryption keys away from the data that they protect.

Until now.

Today we announced the availability of our latest encryption key management solution, Alliance Key Manager for Windows Azure. The same key management solution that we ship in our FIPS 140-2 compliant key management hardware security module (HSM) is now available as a virtual machine in Windows Azure. With a few clicks in the Windows Azure portal you can launch Alliance Key Manager for Windows Azure and start protecting encryption keys the right way.

All of the features that make a hardware HSM desirable - key management and encryption dedicated to you, exclusive administrative access to only you (sorry cloud provider), encryption and key management provably based on industry standards, and high availability now run as your dedicated virtual machine.

Alliance Key Manager for Windows Azure is deployed in just the way you would hope: with an affordable, usage-based pricing model, and managed through the same Windows Azure facility that you use to manage all of your other virtual machines. For added security, you can launch your virtual machine in a Windows Azure Virtual Private Cloud (VPC), and you can deploy two VMs in a Windows Azure Availability Set for better redundancy.

As is the case for our hardware key management solutions, our Windows Azure cloud offering supports encryption within the key management virtual machine. This means that you don’t even need to expose the encryption key in your Windows Azure web application. Just send the data to the key management virtual machine and encryption or decryption takes place there.

In conjunction with our launch into the Windows Azure platform, we’ve also added a great new feature we call “Ready-To-Use”. When you start your key management virtual machine for the first time it will automatically install a 30-day evaluation license, generate the certificates you need for authentication, and generate some encryption keys that are unique to you and ready to use with SQL Server, SharePoint, and your Windows .NET applications. You are ready to start encrypting in seconds.

There are many challenges to meeting compliance regulations, and you should be aware of the recommendations of the Cloud Security Alliance and of the PCI Security Standards Council for encryption and key management. You don’t need to compromise with poor key management, or a key management solution that has never seen the daylight of a FIPS 140-2 validation.

Happy cloud computing!

Patrick

Encryption Key Management for Windows Azure

Topics: Alliance Key Manager, Encryption Key Management, Microsoft Windows Azure

Encryption Key Management Options: Hardware, Virtualized, and Cloud… Oh My!

Posted by Michelle Larson on Jan 9, 2014 2:39:00 PM

With encryption and key management now being offered on a variety of hardware, virtualized, and cloud platforms, is it simply just a matter of preference or is one option better for you than another?  

Companies of all sizes now have options for securely protecting sensitive data using the appropriate security technology for their situation and industry regulations. Being responsible for the safekeeping of sensitive data like credit cards, social security numbers, or e-mail addresses, makes your encryption and key management strategy critically important. Once your sensitive data is encrypted, key managers are the specialized security devices that are designed to safeguard your encryption key (which is the secret that must be protected). Before deciding on how an enterprise should deploy an encryption key manager there are several questions to ask and factors to consider.

What different device options are available to organizations needing an encryption key manager?

Hardware Devices
Today we have many options for key management solutions, including the traditional key management hardware security module (HSM), which is now more cost effective and easy to deploy than it was even five years ago. HSMs are network attached in your data center and accessed when encryption keys are needed. If your company has a physical data center and the infrastructure to support it, an HSM can still be your most secure option.

Cloud-hosted HSM
The cloud-hosted key management HSM functions in much the same way as the traditional security device. However, you do not need to have the infrastructure of a physical data center in order to deploy or maintain the cloud-based HSM since it is hosted by the cloud hosting provider. Be aware of your cloud environment (is it shared or private?), and make sure to choose an option that provides real-time mirroring and redundant backups in geographically diverse locations.

Virtualization Options
Additionally it is now possible to deploy virtualized key management appliances. There is no hardware when you deploy a VMware or Hyper-V or Xen virtualized appliance inside your own virtualization infrastructure. A true cloud-based key management solution like VMware gives you a path to run key management solutions in vCloud either as standard cloud instance or virtual private clouds. Microsoft Azure and Amazon Web Services and other cloud platforms provide a mechanism for deploying virtualized key management appliances too.

What are some factors people need to consider when deciding which key management option is right for their organization?

Risk Tolerance
Risk tolerance is perhaps the main driving force for which of the key management options you might choose. If you're very risk-averse then probably you will want to deploy a hardware security module (HSM) in your own data center.  If you have a moderate level of risk tolerance  you might consider a cloud-based HSM hosted by a cloud vendor with appropriate security technology. A company dealing with small amounts of data might bear some additional risk and use a key management solution to help protect encryption keys in a virtual environment. Cloud or virtual solutions can be much more cost-effective and give enough protection for encryption keys to meet a lower risk tolerance level.

Compliance Regulations
Most compliance regulations give clear guidance on best practices about where encryption key management can and should run. Generally speaking, regulations are based on your industry and what type of sensitive data you store. 

PCI Security Standards Council has issued Cloud Computing Guidelines as well as guidance around virtualization of data protection solutions, so you can be PCI compliant with a cloud-based key management and encryption solution.

Cloud Security Alliance (CSA) has issued good guidance around key management and cloud environments - version 3.

Other regulations are not yet providing concrete guidance, and in some cases it is best to confirm with qualified auditors and assessors to really understand whether or not you can be in compliance and deploy true cloud-based virtualized key management solutions.

Infrastructure
Your key management options are also based on where your data is stored. If you don't have a traditional data center, for example if you are using a software as a service (SaaS) solution, you may not have your own IT infrastructure or personnel with which to deploy a traditional encryption key management HSM internally. So the physical and organizational structure will come to bear in terms of the choices that you have around deploying key management.

Cost
Budget is always an important factor. As you consider various options, ask about endpoint licensing fees and make sure you have predictable maintenance costs as more databases/applications request key access. Remember to consider the costs of not properly managing sensitive data when doing the security cost benefit analysis.

Whatever option you choose, it is always wise to use key management best practices:

    • Always separate the encryption keys from the protected data
    • Use dual control
    • Practice separation of duties
    • Manage key rotation
    • Look for NIST validations like FIPS 140-2

Please download our most recent podcast on Encryption Key Management Options to hear more about how to meet the challenges of running cloud or virtual applications where implementations are inherently shared, multi-tenant environments!

Listen to the Podcast on Key Management Options

Topics: Alliance Key Manager, HSM, Hosting, Encryption Key Management, cloud, Virtualized Encryption Key Management, Podcast, Alliance Key Manager Cloud HSM, Choosing Solution

Traditional Encryption Key Retrieval vs. On-Board Encryption?

Posted by Michelle Larson on Dec 23, 2013 10:20:00 AM

Supporting two models for encrypting data = Alliance Key Manager

Traditional encryption key retrieval with local encryption is when you retrieve the encryption key from the hardware security module (HSM) key server and use it with your own local encryption library to encrypt or decrypt data. The encryption key is transmitted securely from the key manager to your application, your application uses the key as long as it needs to, and then destroys that key.

On-board encryption is where you send the data to the server, along with the name of the encryption key, and ask the server to encrypt or decrypt the data. In this case you never retrieve the encryption key. You send the data to the HSM device to be encrypted or decrypted, the encryption takes place on board, within the hardware security module (the key manager itself), and the results are sent back securely to your application.

When would you typically choose to do on-board encryption rather than retrieve the encryption key and then do encryption locally?

  • Vulnerable client applications - you would want to use onboard encryption when you have more risk in an exposed environment (web application or ATM or kiosk), that way the encryption key (which is the secret you're trying to protect) remains within the HSM and never leaves it.
  • Amount of data to be encrypted is small - Small chunks of data, such as credit card numbers, Social Security numbers, e-mail addresses, etc., are prime examples of things you can use onboard encryption for effectively.
  • If you don’t have an encryption library - if you're working with an embedded system and you have a small amount of resources on your application side.

When should you not use onboard encryption for applications?

  • When you have large amounts of data it is best to retrieve an encryption key and perform the encryption locally.

How does Townsend Security’s encryption key manager, Alliance Key Manager, implement on-board encryption?

  • Your application will launch and create a secure encrypted TLS connection to Alliance Key Manager. There is an authentication mechanism that requires you to have a proper certificate and private key.
  • When that connection is open and authenticated, you send the data that you want encrypted and the name of the encryption key to be used to the key manager HSM.
  • Once the encryption is complete and the key manager sends data back to your application over the same secure channel, the connection can then be torn down.
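The two models described above, as an added Go example that is not Alliance Key Manager code or its API: `KeyManager`, `OnBoard`, `RetrieveKey`, `LocalEncrypt` and the key name `card-key` are hypothetical, the key server is simulated in-process, and the mutually authenticated TLS connection is omitted so it runs offline. It uses AES-256-GCM and counts how often the key leaves the manager in each model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyManager is a hypothetical in-process stand-in for a key server. A real one
// is a separate appliance or VM reached over mutually authenticated TLS.
type KeyManager struct {
	keys    map[string][]byte // key name -> AES-256 key
	Exports map[string]int    // audit: how often each key left the manager
}

// NewKeyManager creates a manager holding one random AES-256 key per name.
func NewKeyManager(names ...string) (*KeyManager, error) {
	km := &KeyManager{keys: map[string][]byte{}, Exports: map[string]int{}}
	for _, n := range names {
		km.keys[n] = make([]byte, 32)
		if _, err := rand.Read(km.keys[n]); err != nil {
			return nil, err
		}
	}
	return km, nil
}

// crypt runs AES-256-GCM in either direction; sealed data is nonce || ct || tag.
func crypt(key, data []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if encrypt {
		nonce := make([]byte, n)
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return gcm.Seal(nonce, nonce, data, nil), nil
	}
	if len(data) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:n], data[n:], nil)
}

// RetrieveKey is the traditional model: a copy of the key leaves the manager.
func (km *KeyManager) RetrieveKey(name string) ([]byte, error) {
	k, ok := km.keys[name]
	if !ok {
		return nil, errors.New("unknown key: " + name)
	}
	km.Exports[name]++
	return append([]byte(nil), k...), nil
}

// OnBoard is the on-board model: the caller sends data and a key name, the
// manager encrypts or decrypts, and the key itself is never returned.
func (km *KeyManager) OnBoard(name string, data []byte, encrypt bool) ([]byte, error) {
	k, ok := km.keys[name]
	if !ok {
		return nil, errors.New("unknown key: " + name)
	}
	return crypt(k, data, encrypt)
}

// LocalEncrypt is the client side of the retrieval model: fetch the key,
// encrypt with a local library, then destroy the local copy.
func LocalEncrypt(km *KeyManager, name string, plaintext []byte) ([]byte, error) {
	key, err := km.RetrieveKey(name)
	if err != nil {
		return nil, err
	}
	ct, err := crypt(key, plaintext, true)
	for i := range key {
		key[i] = 0
	}
	return ct, err
}

func main() {
	km, err := NewKeyManager("card-key") // constructed key name
	if err != nil {
		panic(err)
	}
	small, _ := km.OnBoard("card-key", []byte("4111111111111111"), true) // constructed test number
	bulk, _ := LocalEncrypt(km, "card-key", []byte("constructed bulk record"))
	p1, _ := km.OnBoard("card-key", small, false)
	p2, _ := km.OnBoard("card-key", bulk, false)
	fmt.Printf("%s | %s | key exports: %d\n", p1, p2, km.Exports["card-key"])
}
```

Ciphertext from either model decrypts on-board because both use the same named key; only the retrieval path increments the export count.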

Once a developer has decided to use onboard encryption with Alliance Key Manager what do they need?

There are three mechanisms that we deploy to make it a straightforward and simple process for developers to use on-board encryption or key retrieval.

  • First, we provide software libraries (dynamic link libraries in Windows, .NET assemblies, or Linux shared libraries) that can be used out of the box to perform these kinds of tasks. These software libraries are on our AKM supplemental CD image and are free to use.
  • We also provide actual sample source code, that can be used as a starting point for an on-board encryption or traditional encryption key retrieval project.
  • We also provide purpose built applications that are ready to use out of the box to implement onboard encryption (typically by a configuration option when our software is installed).

For more information this brief video will talk about traditional encryption key retrieval versus onboard encryption services on the Alliance Key Manager device:

  • When you want to use, or avoid using, onboard encryption
  • Practical guidelines on how Alliance Key Manager implements the encryption service
  • How your applications will actually use either key retrieval or onboard encryption
  • Some performance and connection issues, and then
  • We'll point you to some resources that might be helpful as you do your project


Topics: Alliance Key Manager, Encryption, On-Board Encryption, Encryption Key Management, Video

Encryption Key Management - Any Way You Want It…

Posted by Michelle Larson on Dec 5, 2013 9:23:00 AM

(That’s the Way) You Need it…

Now that you have the tune from Journey running through your head, let’s talk about how you are going to protect your data with encryption and key management.

So you have all this sensitive data that you need to secure… how are you going to protect it? What kind of key management choices do you have? How do you decide what encryption to use? Just how do you decide what you need, and where you will put your key management device, and will it be hardware or virtual? In many cases, regulations require you to protect sensitive information. Beyond being a compliance requirement, it is also a responsibility to your business and your customers. We understand all those questions can be a bit daunting at first, but there are a variety of encryption key management options to choose from.

The main consideration that will be determined within each of the following factors is your Risk Tolerance. What kind of sensitive data are you storing? What will happen to that information if there is a data breach? What will the impact be to your company, to your customers, if that information gets accessed by the wrong people? What are your liabilities? No matter whether it lives in a single PC hard drive or a vast data center, or even in a shared cloud environment, the type of information you need to protect will have a large impact on what level of risk tolerance you have.  

Here are four factors you need to consider as you devise or revise your data security plan:

Infrastructure: Where your data lives (client side application) determines what kind of options you have. Is your data all in one location (on a PC, or in a data center), in the cloud, or a combination? Are there requirements that would limit where your key server could be located? How will data need to be transmitted from one location to another? Once you have a clear picture of the sensitive information you are responsible for then you can move on to the next set of questions.

Compliance Regulations: If you are dealing with Personally Identifiable Information (PII) or Protected Health Information (PHI) or Payment Card Industry (PCI), you have a great responsibility to protect that information and meet different compliance regulations. Depending on what industry you are in and where you live, different regulations may come into play. If you take credit card payments, you will certainly fall under PCI-DSS and be required to encrypt that data. If you are a part of or even partner with the medical sector then you also need to comply with HIPAA/HITECH Act requirements for security of Protected Health Information (PHI). GLBA/FFIEC sets regulations for banks, credit unions, credit reporting agencies, and anyone in the financial industry. FISMA is for Federal US Government Agencies and businesses that partner with them. The Federal Trade Commission (FTC) also gets involved with anyone who issues a privacy statement. On top of those regulations, more than 45 states also have their own privacy rules that strongly recommend encryption of any personally identifiable information (PII).

Availability:  Beyond just the availability of your encryption key management options, think about how many people need access to your data. What kind of security procedures do you need in order to keep the wrong people out and yet allow the right people to do their jobs? Will you have a key management system that supports separation of duties and dual control of your encryption keys?  

Cost: Your budget will also determine what kind of key management system you use. While cloud options may present a cost savings, you would potentially need a higher risk tolerance in a shared environment.  

Once you have identified your level of risk tolerance and the other factors listed, you will need to consider what kind of encryption and key management options are available to you:

Data Center - Hardware Security Module (HSM) - This is probably the most common option for companies that have their own data centers. The HSM is “under your roof” and you provide the security and IT support for the device.  

Cloud HSM -  If your data lives in the cloud and in a variety of client side applications, perhaps hosting your key server in a cloud HSM makes more sense for you. In a cloud HSM, look for two dedicated redundant HSMs in geographically diverse locations that are managed for you. Options and access will vary depending on which cloud HSM solution you deploy. With Alliance Key Manager Cloud HSM, you maintain exclusive access to your key servers.

In the Cloud -  If your data lives primarily in the cloud, you may want to go with a key server deployed directly in the cloud. Ways to make that option more secure would be to locate your key server in a different cloud environment from your data or even in a virtual private cloud (VPC). Cloud options are certainly cost-effective and easy to deploy, just make sure that you have a high enough risk tolerance for a shared environment!

I know there are a lot of questions that each company needs to consider and answer for themselves during this security planning process. The good news is that we have solutions that can encrypt your data and protect your encryption keys in all of those locations. We offer affordable and easy to deploy solutions with what we feel is the best customer support in the industry.  

Check out this complimentary eBook on Key Management, then give us a call and let’s see how we can partner together to protect your data!
 

Encryption Key Management Simplified eBook

Topics: Alliance Key Manager, Data Security, eBook, Encryption Key Management, Alliance Key Manager Cloud HSM

Encryption & Key Management with Microsoft SQL Server

Posted by Michelle Larson on Nov 13, 2013 10:44:00 AM

After our latest webinar “Encryption & Key Management with Microsoft SQL Server” there were a number of great questions asked by attendees and answered by security expert Patrick Townsend.

Here is an informative recap of that Q&A session:

Q: Are there any special considerations when deploying an encryption key manager in the cloud?

A: The cloud always presents some additional security challenges related to encryption and security in general and has the impression of being less secure and having some new challenges around security. In the cloud, the encryption key manager itself is only one component to consider, and you need a good FIPS 140-2 compliant solution like our Alliance Key Manager for SQL Server. You also need client side applications and libraries, so when you're thinking about moving to the cloud, paying attention to that particular issue is very important. Also know that not all libraries can easily migrate to cloud. We develop ours from the ground up with the cloud in mind, so all of our components that talk back to our key manager for encryption keys or encryption services are cloud-enabled and can be deployed there.

From a compliance point of view, it is very important to take a look at the Cloud Security Alliance (CSA.org) document on cloud security - version 3.

We also provide a compliance brief about domain 11 which talks about encryption key management and issues around the security in the cloud.  

Q: Can you go a little more in-depth about what gets installed on SQL Server?

A: For the SQL Server platform (the client side software) Microsoft allows for Extensible Key Management (EKM) which allows vendors like Townsend Security to plug into their environment. Our Key Connection for SQL Server is an EKM provider and it is a GUI (Graphical User Interface)  install, so you load it on your own SQL Server platform and it walks you through some questions:

  • It will ask what SQL Server instances you want to protect
  • It will ask for your authentication credentials in order to execute the necessary commands  
  • It will allow you to install certificates into the Windows certificate store that are used to communicate with the key manager HSM
  • It allows you to define the location of your production and multiple high-availability failover key servers (most companies deploy one production and one HA key server. However, you can actually identify a more complex environment if needed)  
  • Then it allows you to actually test, right there in the install dialog, your connection to your key manager to confirm it is working the way it is supposed to

Side Note: We do not charge based on the number of endpoints that talk to our Alliance Key Manager. This is something that is unique to us as a vendor. We believe the encryption should be easy to do and affordable, so no additional license fees are required to actually use it. We want our customers to deploy encryption and use it to protect data.

Q: What are the minimum requirements for the key server?  

A: The Alliance Key Manager product is available as either a hardware security module (HSM) device or virtual appliance. As an HSM it has a 1U server footprint, so it looks like any normal 1U server in your data center. However if you use our Alliance Key Manager Cloud HSM implementation, the encryption key manager is installed for you in a secure data center. It is also our philosophy that these are customer install processes, so we don't have consulting fees because it is a user deployed device. The server administration is done through a secure web browser session with our Townsend Security technical experts. The encryption key management security functions are done through a specific Windows application that talks to one or more key servers to actually create and deploy encryption keys whether they’re for Oracle or SQL Server EKM.  

Also, we do provide our encryption key manager as a VMware virtual appliance, which allows you to deploy a key manager within your VMware infrastructure and we give you guidance on that process. With this option you don't have to purchase a hardware appliance, you can run it in your VM infrastructure or within a vCloud architecture. We strongly recommend a review of the PCI Security Council's Cloud Computing Guidelines, as well as their guidance around virtualization, when deploying a virtual encryption key manager.

Q:  Does your key manager handle encryption and decryption or just key management?

A: Our encryption key management appliance itself does support on-board encryption and decryption.

Q: Can the same EKM module be used to encrypt servers in both data centers and cloud environments?

A: Yes. You can mix and match these any way you want. You can use the same encryption key management solution for applications running in either environment, and they can talk to each other. You should be aware of good security practice guidance around using different encryption keys for different kinds of applications, or different user communities, even in a high-availability data center or disaster recovery centers.

Q: What are the performance impacts on encryption?

A: Encryption always has performance impacts. Generally it can impose a penalty somewhere between 2% and 4% in terms of computing resources. Guidance from Microsoft regarding very large SQL Server databases shows that performance can become an issue with certain operations. For example, encrypted indexes may require the entire index to be decrypted in order to be processed. Very large SQL Server databases can impose a bigger performance penalty than 4%. Sometimes, cell level encryption has been a better performing implementation than transparent data encryption. We support both TDE and cell level encryption, allowing our customers to use our product as needed.

We strongly recommend to our customers, especially those with larger more complex SQL Server applications, that they contact us and ask for a complimentary evaluation of our encryption key manager. The complimentary product trial is fully functional and allows an opportunity to do analysis of the performance impacts. We want you to give it a try and make sure you understand the impacts personally.

Q: Is there any limit to the number of servers that you can hook up to the key manager?

A: No. There's no license limit. If you're considering putting up multiple servers we recommend you engage our pre-sales support team and get some guidance on your project. You will never come to us for additional licensing fees around adding a new platform, new SQL Server, or any other application that talks to the encryption key management server. We are unique in the industry that way and it is part of our philosophy; we believe encryption needs to go everywhere, data needs protection wherever it lives, and we should lower the barriers -not raise them- when it comes to getting data protection in place. You can connect as many client-side applications to the key server as you wish.

Q: How do you keep system administrators from getting at the data and the keys at the same time.

A: Tasks such as the management of the server, putting it on the network, establishing system logging options, setting the timeservers - all network administration processes - are segmented from the actual management of the encryption keys. Good security practice says that those should be different people engaging in those activities. We provide completely different interfaces to simplify separation of duties.

If you are using our Cloud HSM environment, it is not administered, managed, or accessed by the cloud provider nor by Townsend Security. You have exclusive access and control over your encryption key managers. We even provide a path if you wish to take the encryption key manager out of the cloud environment and install it in your own data center. We believe strongly that a security device should be exclusively under your control, not under the control or management of the cloud provider.

I encourage you to download the recording of the entire webinar and Q&A session:

Encryption Key Management for Microsoft SQL Server

Topics: Alliance Key Manager, Data Security, Encryption Key Management, SQL Server, Alliance Key Manager Cloud HSM, Webinar

Encryption Key Management HSMs in the Cloud

Posted by Patrick Townsend on Oct 14, 2013 8:53:00 AM

It’s truly fascinating to watch one of the great technology paradigm shifts, isn’t it? We now take for granted that the applications we use run in the cloud and organizations are moving applications to the cloud as quickly as possible. It’s an amazing transformation of how technology is delivered to consumers and organizations of all types.

In the midst of this transformation and migration to the cloud, one issue remains at the top of everyone’s mind: Security.

Protecting sensitive data in the cloud has all of the same challenges as protecting data in on-premise IT infrastructure, and some new challenges as well. For example, when you use encryption to protect your data assets, security best practices say that you should use encryption key management hardware security modules (HSMs) to protect encryption keys. But where does this critical security device reside when your applications live in the cloud?

Our new Alliance Key Manager Cloud HSM solution is designed to answer this question. Starting today, we now offer our FIPS 140-2 compliant encryption key management HSM in the cloud. Cloud application vendors and cloud users can now get the best encryption key management without having to deploy HSMs in their own data center.

Here are a few highlights of our new offering:

  • Alliance Key Manager HSMs in a secure cloud platform
  • PCI-DSS and SOC validated secure physical infrastructure
  • Only you have access to your key managers - no cloud provider access or administration is allowed
  • Production and HA key servers always included
  • Real-time key server mirroring with geographic, network, and power redundancy
  • Server monitoring and notification included with the license
  • Client-side encryption applications at no additional charge. Quickly and easily protect SQL Server, Oracle, MySQL and other databases.
  • Cloud provider independence - you control your cloud provider choices
  • Affordable options for perpetual and subscription licensing
  • No set up fees through December 31, 2013!

I am proud of our leadership in encryption key management for enterprises large and small. This is the first cloud HSM offering that gives you exclusive control over your key management strategy and independence from your cloud provider.

Here at Townsend Security we are dedicated to making the best possible data protection easy-to-use and affordable for every size organization. If you thought that good encryption key management was out of reach, let us show you a new way forward. Evaluations are fast, easy, and free.

Patrick


Topics: Alliance Key Manager, Encryption Key Management, cloud

Must-Haves in an Encryption Key Manager

Posted by Michelle Larson on Sep 26, 2013 2:15:00 PM

Just because data is encrypted, doesn’t necessarily mean it is safe...

(Based on the latest “Security Insider” Podcast Edition with Paul Taylor)

The good news is that encryption key management and data security have come a long way within the past few years. Organizations no longer have to continue to maintain current patchwork methods, because now there are affordable, available, and interoperable solutions that can easily solve their problems. Encryption and encryption key management are now industry standard and work across both legacy and newer business systems, multi-platform and multi-tenant networks, remote access workstations, geographical offices, data centers and third party business partners.

Now your risk management approach can go beyond compliance considerations and really focus on protection of your customers’ personal data and also your business information (and reputation). Encryption and key management can now be a main security control for your organization, rather than a compensating control that is performed only in cases where other controls fail. We have to always remember data gets out, and instead of using encryption as a last resort in a defense-in-depth strategy, it needs to be the fundamental consideration towards protecting your most important resources. Along with that approach is what we believe is the most important consideration and a basic tenet in a strong encryption key management program: securely separate the data being encrypted from the keys performing that data encryption. Even if someone gets unauthorized access to your data, they can’t read it when it is encrypted. An encryption key manager enables a secure channel between the encryption keys and wherever that data may reside. Technology has evolved to enable stronger management so that companies will no longer be leaving their encryption keys under the front door mat, so to speak.

Principles of effective key management include being able to streamline and securely manage encryption keys across different systems and multiple locations, including virtual machines or applications in the cloud. There has to be the ability, first and foremost, to readily manage the encryption keys through the entire key lifecycle. It is essential for an encryption key manager to enable dual control and separation of duties to effectively create, activate, delete, expire, retire and perform additional key controls including key escrow. Separating encryption keys from encrypted data, whether to an internal or external business partner or cloud based services is so important and often overlooked as a high risk to the organization.  Despite really good controls and really talented security personnel, there are still people with hostile intent who will design malicious code to go out there and capture and replay credentials. That’s why managing encryption keys separate from the systems where the data resides is so critical, and why managing your encryption keys to third parties and cloud environments is now a recognized industry standard practice with very real benefits.

“Must-haves” when evaluating an effective key management solution:

  • Alignment with evolving NIST and FIPS guidance
  • A solution that’s affordable and easily deployed
  • A key manager that distributes encryption keys across all platforms
  • An implementation with known costs  - meaning no endpoint licensing fees or additional professional service fees.
  • Trusted transparency with a security partner
     



Townsend Security’s Encryption Key Manager

We are proud to be leading the industry in encryption key best practices and we want to make data security affordable and straightforward for every-size company to encrypt their most important data. No one knows the challenges of connecting and protecting business applications and architecture better than Townsend Security. Our mission is to make industry leading key management affordable and deployable to everybody. Our goal is to enable strong, affordable, easy to deploy encryption key management, no matter your industry or company size. We are tried, tested, and trusted technology based on proven, reliable standards that’s also highly affordable, FIPS 140-2 compliant, top-rated in customer support and deployable in physical, hosted, and virtual environments with no hidden costs, no end point licensing fees with flexible pricing options available that can be either a perpetual or monthly subscription.


Topics: Alliance Key Manager, Security Insider Podcast, Encryption Key Management

MySQL and Encryption Key Management

Posted by Patrick Townsend on Aug 5, 2013 11:58:00 AM

2 Ways Alliance Key Manager Encrypts MySQL Database and Protects Encryption Keys


MySQL is the most popular open source relational database system and is in wide use in commercial and non-commercial environments. It is natural that developers and security professionals want to know how to encrypt sensitive information stored in MySQL databases.

While MySQL does not implement a Transparent Data Encryption (TDE) solution like Microsoft SQL Server and Oracle Database, you still have options to get the data protected with strong encryption and use a defensible encryption key management strategy.

With a strong encryption key management solution you can encrypt data in two ways in MySQL databases to meet compliance regulations for proper encryption key management:

1. Column Level Encryption:

Alliance Key Manager provides shared libraries for Windows and Linux that provide the technical support for SQL Views and Triggers with User Defined Functions (UDFs). Using these shared libraries lets the developer fully automate the encryption tasks without changes to application code. Alliance Key Manager provides an example of how to do this in a Windows Server operating system context.

2. Encryption in Application Code

Second, Alliance Key Manager provides many shared libraries and application code examples if you need to implement encryption in your applications. The extensive library of code examples includes Java, PHP, Ruby, Python, Perl, C/C++, C#, VB.NET and others. You can encrypt data in your applications, or send the data to the key server for on-device encryption. The on-device encryption option is a favorite of web developers who don’t want to expose encryption keys in their web server application.

About Alliance Key Manager

Alliance Key Manager is a NIST validated, FIPS 140-2 compliant solution that meets PCI DSS and other compliance regulations for protecting encryption keys. You can deploy the key server as an HSM in your own data center or in our hosting center, or as a VMware instance, or as a cloud application running in PCI DSS certified infrastructure. Alliance Key Manager is available with a number of licensing options that will meet the budget constraints of any organization.


Topics: Alliance Key Manager, eBook, Encryption Key Management, SQL Server

What is Encryption Key Management?

Posted by Victor Oprescu on Jul 15, 2013 2:46:00 PM

Key Lifecycle & Rotation Explained

Encryption key management refers to the ability of a system to administer an encryption key through the length of its crypto-cycle. From the creation of a key, through its use, and eventually to its deletion, an encryption key management system needs to be able to securely and efficiently handle the encryption keys. I will talk a little about each major part of the encryption key lifecycle and how our Alliance Key Manager manages and administers the key throughout the lifecycle.

Key Creation: First, the encryption key is created and stored on the key manager server. The key can be created by a sole administrator or through dual control by two administrators. Townsend Security’s Alliance Key Manager creates the AES key through the use of a cryptographically secure random bit generator and stores the key, along with all its attributes, into the key database (which is also encrypted). The attributes stored with the key include its name, activation date, size, instance, the ability for the key to be deleted, as well as its rollover, mirroring, and key access attributes. The key can be activated upon its creation or set to be activated automatically or manually at a later time. Alliance Key Manager can also create keys of three different sizes: 128, 192, or 256-bit. The encryption key manager also tracks current and past instances, or versions, of the encryption key. You can also choose whether or not the key can be deleted, mirrored to a failover unit, and by which users or groups it can be accessed. Alliance Key Manager also allows the change of many of the key’s attributes at any time.

Key Use and Roll: Alliance Key Manager will allow an activated key to be retrieved by authorized systems and users for encryption or decryption processes. It also manages current and past instances of the key. For example, if a key is rolled every year and the version is updated, then the key manager will retain previous versions of the key but will dispense only the current instance for encryption processes. Previous versions can still be retrieved in order to decrypt data encrypted with such versions of the key. Alliance Key Manager also uses transport layer security (TLS) connections to securely deliver the encryption key to the system and user requesting it, which prevents the key from being compromised. The encryption key manager will also roll the key either through a previously established schedule or manually by an administrator.

Key Revocation: An administrator can use Alliance Key Manager to revoke or deactivate a key so that it is no longer used for encryption requests. In certain cases the key can continue to be used to decrypt data previously encrypted with it, like old backups, but even that can be restricted. A revoked key can, if needed, be reactivated by an administrator, although this would be more an exception to the rule than common practice.

Key Deletion: If a key is no longer in use or if it has somehow been compromised, an administrator can choose to delete the key entirely from the key database of the encryption key manager. Alliance Key Manager will remove it and all its instances, or just certain instances, completely and make the recovery of that key impossible (other than through a backup). This is also an option if sensitive data is compromised in its encrypted state. If the key is deleted, the compromised data will be completely secure since it would be impossible to recreate the encryption key for that data.
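The lifecycle rules described above (create, roll, revoke, delete) can be modeled in a few lines. This is an added illustration, not Alliance Key Manager code or its API; the `KeyStore` class, its method names, and the key name used in the demo are hypothetical.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Instance:
    material: bytes
    revoked: bool = False
    decrypt_after_revoke: bool = True

class KeyStore:
    """In-memory model of the lifecycle rules; hypothetical, not a vendor API."""

    def __init__(self):
        self._keys = {}  # name -> {"bits", "deletable", "current", "instances"}

    def create(self, name, bits=256, deletable=True):
        if bits not in (128, 192, 256):
            raise ValueError("AES keys are 128, 192 or 256 bits")
        inst = Instance(secrets.token_bytes(bits // 8))  # OS CSPRNG
        self._keys[name] = {"bits": bits, "deletable": deletable,
                            "current": 1, "instances": {1: inst}}
        return 1

    def roll(self, name):
        # A roll adds a new instance; older instances are retained.
        key = self._keys[name]
        key["current"] += 1
        key["instances"][key["current"]] = Instance(secrets.token_bytes(key["bits"] // 8))
        return key["current"]

    def for_encrypt(self, name):
        # Only the current instance is dispensed for encryption.
        key = self._keys[name]
        inst = key["instances"][key["current"]]
        if inst.revoked:
            raise PermissionError("current instance is revoked")
        return key["current"], inst.material

    def for_decrypt(self, name, version):
        # Past instances stay retrievable so old data can still be decrypted.
        inst = self._keys[name]["instances"][version]
        if inst.revoked and not inst.decrypt_after_revoke:
            raise PermissionError("decryption with this revoked instance is restricted")
        return inst.material

    def revoke(self, name, version, allow_decrypt=True):
        inst = self._keys[name]["instances"][version]
        inst.revoked, inst.decrypt_after_revoke = True, allow_decrypt

    def delete(self, name, version=None):
        # Removes one instance, or the key and all instances when version is None.
        key = self._keys[name]
        if not key["deletable"]:
            raise PermissionError("key is marked non-deletable")
        if version is None:
            del self._keys[name]
        else:
            del key["instances"][version]
```

Applications that store the instance number alongside each ciphertext can call `for_decrypt` with that number after a roll, which is why retaining past instances matters.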

To learn more about encryption key management, download our ebook, "Encryption Key Management Simplified.”


Topics: Alliance Key Manager, Key Management, eBook, Encryption Key Management