+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

How Do I Find and Start Alliance Key Manager for Encryption Key Management in AWS?

Posted by Patrick Townsend on Sep 6, 2016 10:52:19 AM

For Amazon Web Services (AWS) users, encryption and key management has never been easier.  Townsend Security's Alliance Key Manager uses the same FIPS 140-2 compliant key management technology found in the company's HSM and in use by over 3,000 customers worldwide. In the AWS Marketplace, there are two entries for Alliance Key Manager – one is for the fee-based implementation and one is for the Bring Your Own License (BYOL) implementation. Both are identical in their key management functionality. If you only need one or two instances of Alliance Key Manager you can use the fee-based entry in the marketplace. If you are going to use more than a couple of instances of the key manager you may want to use the Bring Your Own License entry to launch the key manager. There are discounts available for multiple instances of Alliance Key Manager and the BYOL version may be less expensive.

How to Meet Best Practices for Protecting Information in AWS by Stephen Wynkoop If you are logged into your AWS account you can directly launch Alliance Key Manager from the marketplace. Both licensing models support a free 30-day license to use the key manager. 

Before launching, you should determine if you want to run the key manager in the public AWS cloud, or if you want to run the key manager in a virtual private cloud (VPC).  The AWS virtual private cloud platform provides more isolation from other cloud customers and therefore a bit more security, if that is desired.

As you launch Alliance Key Manager in the AWS cloud you will need to select a region in which to run the key manager. Alliance Key Manager supports all of the AWS regions and you can run it anywhere. Your choice of regions may reflect your estimate of where you will have the greatest demand, or where you want critical key material to reside.

Once your AWS instance of Alliance Key Manager has been launched you can open an SSH session to the key manager to perform initial set up. You will change your password, create a set of server and client PKI certificates, indicate whether this instance of the key server is a primary or secondary mirror server, and create some initial unique encryption keys. After answering these questions you will have a fully functional, dedicated EC2 instance of Alliance Key Manager ready to use.

Alliance Key Manager comes with a full suite of software development kits (SDKs) and documentation, but the marketplace is limited to three documents. After you launch your AWS instance of the key manager please contact Townsend Security to register and get access to the AKM Supplemental documentation.  Unless you register at the Townsend Security web site it will not be possible to contact you and send you the documentation. There is no charge for access to the documentation.

The AWS license comes with customer support at the Basic level. This provides technical support and software updates via email during business hours. A Premium Support options is available that provides telephone and web support and includes 24/7/365 support for business interruption issues. Please visit the Townsend Security web site for more information about the Premium Support option and to register your instance of Alliance Key Manager for AWS.

At Townsend Security we want to provide you with a positive experience with our key management products and provide you the support you deserve. When you run our Alliance Key Manager in AWS we won’t know who you are because Amazon does not report that information. By registering at the Townsend Security web site you get access to documentation, SDKs and free support. And we can keep you up to date on the latest security patches and enhancements!

You can find more information about Alliance Key Manager in AWS here.

How to Meet Best Practices for Protecting Information in AWS by Stephen Wynkoop

 

Topics: Alliance Key Manager, Amazon Web Services (AWS)

How Do I Encrypt Data and Manage Encryption Keys Using Java in Amazon Web Services (AWS)?

Posted by Patrick Townsend on Aug 22, 2016 10:51:12 AM

If you are a Java developer you probably know that the Java language has full native support for AES encryption. You don’t need any third-party SDKs or add-ins to Java to use industry-standard, strong encryption. The standard Java APIs are based on industry standards and are very efficient. Don’t hesitate to use that built-in facility. You include it in your Java application like this:

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

Protecting Encryption Keys in AWS Encryption key management is another story. To implement good encryption key management you will need to turn to an enterprise key management solution and their Java library to make this happen. Our Alliance Key Manager for AWS solution provides a Java SDK to help you with encryption key use. The Alliance Key Manager Java SDK lets you easily retrieve an encryption key for use in your application, or alternatively to send data to Alliance Key Manager on a secure connection where the encryption or decryption task can be performed directly on the key server. This encryption service is helpful in situations where you don’t want to expose the encryption key in your application or server environment.

Many developers use the Java Keystore (JKS/JCEKS) facility for storing encryption keys. The Java key store is more a key storage facility rather than a key management facility and rarely meets compliance regulations for separating keys from the data they protect, providing for separation of duties, and dual control. If you are currently storing encryption keys in a JKS repository you may want to consider moving them to true key management solution like Alliance Key Manager.

One of the advantages of the Alliance Key Manager SDK is the built-in high availability failover facility. By using the Alliance Key Manager SDK in the event of a network or other failure you automatically fail over to a secondary HA key server in real-time. This means your application keeps running even though a network or system error prevents access to the primary key server.

The Java SDK for Alliance Key Manager includes all of the support needed to make a secure connection to the key server, retrieve an encryption key, access the encryption and decryption services on Alliance Key Manager, and perform other common functions. By using the SDK the Java developer can avoid writing all of the code needed to perform these tasks – the work needed to retrieve an encryption key is reduced to a few lines of code.  We think this is a big bonus for the Java developer and helps make their lives easier. And sample source code will really speed along the process.

Here is an extract of the sample source code showing the retrieval of an encryption key from Alliance Key Manager, an encryption of some plaintext, and the decryption of that ciphertext:

// Note: Full sample source available (this is just an extract)

import javax.crypto.Cipher;

import javax.crypto.spec.IvParameterSpec;

import javax.crypto.spec.SecretKeySpec;


import com.townsendsecurity.akmcore.AkmException;

import com.townsendsecurity.akmcore.AkmUtil;

import com.townsendsecurity.akmcore.AkmRequest;


import com.townsendsecurity.akmkeys.AkmKeyRequest;

import com.townsendsecurity.akmkeys.AkmSymKey;


// The AKM configuration file

String sCfgFile = "/path/jakmcfg.xml"


// Create a key request object initialized from the configuration file

AkmKeyRequest keyRQ = null;

keyRQ = AkmKeyRequest.getInstance(sCfgFile);


// Define the key instance (version) name

String sInstance = "some-name"


// Retrieve the encryption key from Alliance Key Manager

AkmSymKey symkey = null;

symkey = keyRQ.retrieveSymKey(sKey, sInstance);


// Create a context

EncryptDecryptCBC cryptor = new EncryptDecryptCBC(symkey.getKeyBytes());


// Let’s encrypt some plaintext

byte[] ciphertext = null;

ciphertext = cryptor.encryptSymmetric(plaintext.getBytes());


// Let’s decrypt the ciphertext

byte[] plainbuf = null;

plainbuf = cryptor.decryptSymmetric(ciphertext);

There is no charge for the Java SDK and all Alliance Key Manager customers have access to the Java SDK and sample code. AWS customers must register on the Townsend Security web site to get access to the Java code. You can do that here.

Protecting Encryption Keys in AWS

Topics: Alliance Key Manager, Amazon Web Services (AWS), Encryption Key Management, Enryption

How Can I Be Sure I Never Lose My Encryption Keys in Amazon Web Services (AWS)?

Posted by Patrick Townsend on Aug 12, 2016 11:00:00 AM

As organizations move to the cloud, the topics of encryption and key management are top concerns.  "How can I be sure that I never lose my encryption keys?" is one that we hear a lot.  With Alliance Key Manager (AKM), Townsend Security's FIPS 140-2 compliant encryption key manager, you never have to worry about that! There are several layers of protection that help put this worry to rest. Let’s take a look at them in order.

Backup and Restore

Protecting Encryption Keys in AWS The first layer of protection is that Alliance Key Manager gives you a complete backup and restore facility -including both a manual and automated facility. At any time you can run the manual backup operation to back up your key database, certificates, configurations and access control definitions. This backup can be sent to your own secure server either in the AWS cloud or in your own data center. You can also create the backup image and download it directly to your own server for safekeeping.

Alliance Key Manager also supports the ability to automatically backup to a secure server at an interval you specify. You can back up your encryption keys daily, weekly, monthly or at an interval you specify. Secure off-line backup is the first layer of protection.

High Availability

Most of our customers in AWS will deploy a second instance of Alliance Key Manager as a high availability failover key server. You can deploy the HA instance of the key server in a different region, or even completely outside of the AWS cloud. Once you deploy the secondary HA instance of the AKM key server you can start mirroring your data keys from the primary production instance of the key server to this secondary HA instance of the key server. Keys and access policies are securely mirrored in real time and the mirror architecture is active-active. This means that if you fail over to the secondary key server, create keys or make changes to key access policies, these will be mirrored back to the production key server in real time. Key mirroring provides a second layer of protection from key loss.

For customers concerned about protection from failures of the AWS cloud platform itself, you can mirror encryption keys to a key server outside of the AWS cloud. That secondary mirror key server can be located in your data center, in another cloud service provider platform, or in a hardware security module (cloud HSM) in a hosting center. Note that there is no limit to the number of backup mirror key servers that you can configure. Alliance Key Manager supports a many-to-many architecture for key mirroring.

Export Encryption Keys

A third layer of protection is provided by the key export facility of Alliance Key Manager. You can securely export individual encryption keys to your own internal systems. The key export facility also provides you with the ability to share an encryption key with another user or organization.

Separation of Duties & Dual Control

Using Separation of Duties and Dual Control can provide a fourth layer of protection for encryption keys. This level of protection is especially helpful for protecting from insider threats. You can create a separate AWS account for use by your security administrators to create and manage encryption keys. These key management administrators would have no access to normal AWS instances where you store sensitive data, and your normal AWS administrators would have no access to the key management account. By activating Dual Control in Alliance Key Manager at least two security administrators need to authenticate to the server to make changes or delete encryption keys.

Stand-alone Instance

Lastly, Alliance Key Manager runs as a stand-alone EC2 instance in the AWS cloud. You are automatically taking advantage of the security, resilience and recoverability provided by Amazon. Always use good AWS account security and management practices to help protect your sensitive data and encryption keys!

It may theoretically be possible to lose an encryption key, but you are going to have to work very hard to do so! Alliance Key Manager takes the fear of key loss out of your encryption strategy in AWS.

You can find more information about Alliance Key Manager for AWS here.

Protecting Encryption Keys in AWS

Topics: Amazon Web Services (AWS), Encryption Key Management

Who Has Access to My Encryption Keys in Amazon Web Services (AWS)?

Posted by Patrick Townsend on Aug 5, 2016 9:23:56 AM

One of the most common questions we get here at Townsend Security is something like “Who has access to my encryption keys in AWS?” It is a natural question to ask and it can be hard to determine the answer to this question with many key management solutions - including the key management services provided by Amazon. Let me try to answer this question for our Alliance Key Manager for AWS.

Protecting Encryption Keys in AWS Alliance Key Manager for AWS runs as a stand-alone EC2 instance in Amazon Web Services. There is no component of Alliance Key Manager that is shared by other users of AWS, and there is no component of Alliance Key Manager that uses encryption key management services provided by Amazon in AWS. Neither Amazon nor Townsend Security hold any credentials that grant access to the key manager solution, and there are no “backdoors” to the key manager. You, the AWS customer, solely and exclusively manage it.

Encryption keys in Alliance Key Manager are managed by the Alliance Key Manager Administrative Console. This is an application that you install on your PC and which accesses one or more instances of Alliance Key Manager in AWS. While you could install the administrative console in an EC2 instance in AWS, we recommend that you install it on a secure PC outside of AWS. You maintain full control over the application used to manage keys.

The administrative console connects to Alliance Key Manager over a secure TLS session using certificates that are issued by the Alliance Key Manager instance. That is, only administrators using PKI certificates known and authenticated by the specific key manager are allowed to perform management functions.

The use of encryption keys by applications or users inside of AWS or outside of AWS is likewise controlled by secure TLS sessions that are also validated to the specific key manager instance and certificate authority. Just having a valid certificate from Verisign or other certificate authority is not adequate to gain access to encryption keys.

An additional layer of encryption key access control allows you to restrict an encryption key to a user or group as defined on the client-side certificate. This level of key access control leverages to Common Name (CN) and Organizational Unit (OU) of the client-side certificate to control access to a key. If you specify that a key can only be accessed by user “Bill” in the group “Sales”, then Alliance Key Manager will inspect the connecting session to be sure that the certificate Common Name contains the value “Bill” and that the certificate Organizational Unit is “Sales”. Access is denied unless this rule is met.

Lastly, if an unauthorized user gains access to the Alliance Key Manager encryption key database they will not have access to the actual encryption keys. Data encryption keys (DEK) are encrypted by key encryption keys (KEK) which are stored separately. A stolen backup or copied key database file will be insufficient to gain access to the encryption keys.

You should be aware that any cloud service provider has low level access to your virtual machines and storage. That is true of Amazon’s cloud platform as it is with any other cloud platform. And you should also be aware that Amazon and other cloud service providers must obey the laws and regulations of the countries in which they operate. You cannot exclude the possibility that Amazon will provide access to your key management EC2 instance if required to do so under the law. In some countries this means that law enforcement organizations, national security agencies, and other governmental actors may have access to your encryption keys. And, while very unlikely, you cannot exclude the chance that an Amazon employee might make an unauthorized access to the EC2 instance of your key server. If these possibilities make you feel uncomfortable you should consider hosting your key management server outside of AWS. Townsend Security's Alliance Key Manager solution can be hosted in your data center or in a hosting facility that you designate for this and provide keys to your AWS applications.

You can find more information about Alliance Key Manager for AWS here.

Protecting Encryption Keys in AWS

 

Topics: Alliance Key Manager, Amazon Web Services (AWS), Encryption Key Management

Data Protection in the Cloud & PCI DSS - Logs and Log Monitoring (Part 3)

Posted by Patrick Townsend on Mar 18, 2015 9:16:00 AM

This is the third part in our series looking at recent announcements by Amazon, Microsoft and other cloud service providers regarding new encryption and key management services. Let’s talk about log collection and active monitoring as a security best practice, and as a requirement to meet PCI DSS security requirements. Since the PCI DSS guidelines implement common security best practices, they are a good starting point for evaluating the security of any application and platform that processes sensitive data. Following the practice of the first part of this series we will use the PCI document “PCI DSS Cloud Computing Guidelines, Version 2.0” as our reference point, and add in some other sources of security best practices. Even if you don’t have to meet PCI data security requirements, this should be helpful when evaluating your security posture in the cloud.

Download Whitepaper on PCI Data Security

Collecting system logs and actively monitoring them is a core component of every cyber security recommendation. Cybercriminals often gain access to IT systems and go undetected for weeks or months. This gives them the ability to work on compromising systems and stealing data over time. Active monitoring is important in the attempt to detect and thwart this compromise.

Here is what PCI says about active monitoring in Section 10 of the PCI DSS (emphasis added):

Review logs and security events for all system components to identify anomalies or suspicious activity.

Many breaches occur over days or months before being detected. Checking logs daily minimizes the amount of time and exposure of a potential breach. Regular log reviews by personnel or automated means can identify and proactively address unauthorized access to the cardholder data environment. The log review process does not have to be manual. The use of log harvesting, parsing, and alerting tools can help facilitate the process by identifying log events that need to be reviewed.

In recognition of the importance of ongoing, active monitoring the National Institute of Standards and Technology (NIST) provides this guidance in their Special Publication 800-137 “Information Security Continuous Monitoring (ISCM)” guidance:

The Risk Management Framework (RMF) developed by NIST, describes a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. Ongoing monitoring is a critical part of that risk management process. In addition, an organization’s overall security architecture and accompanying security program are monitored to ensure that organization-wide operations remain within an acceptable level of risk, despite any changes that occur. Timely, relevant, and accurate information is vital, particularly when resources are limited and agencies must prioritize their efforts.

And active monitoring is a component of the SANS Top 20 security recommendations:

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

Deficiencies in security logging and analysis allow attackers to hide their location, malicious software, and activities on victim machines. Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible.

Because of poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though the evidence of the attack has been recorded in unexamined log files.

Deploy a SIEM (Security Incident and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis.

This is why actively collecting and monitoring system and application logs is critical for your security strategy.

Implementing this critical security control in a cloud environment presents some special challenges. Here is what the PCI cloud guidance says:

Additionally, the ability to maintain an accurate and complete audit trail may require logs from all levels of the infrastructure, requiring involvement from both the CSP and the client. For example, the CSP could manage system-level, operating-system, and hypervisor logs, while the client configures logging for their own VMs and applications. In this scenario, the ability to associate various log files into meaningful events would require correlation of client-controlled logs and those controlled by the CSP.

It is not enough to collect logs from a few selected points in your cloud application environment. You need to collect all of the logs from all of the components that you deploy and use in your cloud application. This is because the effectiveness of active monitoring depends on the correlation of events across your entire application, database, and network and this includes the cloud providers systems and infrastructure. Here is what ISACA says about security event correlation:

Correlation of event data is critical to uncover security breaches because security incidents are made up of a series of events that occur at various touch points throughout a network--a many-to-one process. Unlike network management, which typically is exception-based or a one-to-one process, security management is far more complex. An attack typically touches a network at multiple points and leaves marks or breadcrumbs at each. By finding and following that breadcrumb trail, a security analyst can detect and hopefully prevent the attack.

Your encryption key management system is one of those critical system components that must be monitored and whose events should be aggregated into a unified view. Key management logs would include encryption key establishment and configuration, encryption key access and use, and operating system logs of every component of the key management service. You should be able to collect and monitor logs from all parts of your applications and cloud platform.

Unfortunately, current key management services from cloud providers only provide a very limited level of access to critical component logs. You might have access to a limited audit trail of your own access to encryption keys, but no access to the key service system logs, HSM access logs, HSM audit logs, or HSM operating system logs. Without access to the logs in these components it is not possible for you to implement an effective log collection and active monitoring strategy. You are working in the dark, and without full access to all logs on all components of your cloud key management service you can’t comply with security best practices for log collection, correlation, and active monitoring.

Since key management systems are always in scope for PCI audit and are extensions of your application environment it is difficult to see how these new cloud key management services can meet PCI DSS requirements for log collection and monitoring as currently implemented.

Does this mean you can’t implement security best practices for key management in the cloud? I don’t think so. There are multiple vendors, including us (see below), who offer cloud key management solutions that provide full access to key management, configuration, key usage, application, and operating system logs.  You can deploy a key management service that fully supports security best practices for log collection and monitoring.

In part 4 of this series we’ll look at the topic of key custody and multi-tenancy and how it affects the security of your key management solution in the cloud.

Patrick


Resources

Alliance Key Manager for AWS

Alliance Key Manager for Azure

Alliance Key Manager for VMware and vCloud

Alliance Key Manager for Drupal

 

Alliance Key Manager for IBM Power Sysems

Alliance Key Manager Colud

download the Whitepaper: Meet the Challenges of PCI Compliance

Topics: PCI DSS, Amazon Web Services (AWS), logging, cloud, Microsoft Azure

Understanding the Challenges of Data Protection in AWS

Posted by Michelle Larson on Mar 13, 2015 10:40:00 AM

An excerpt from the latest white paper “How to Meet Best Practices for Protecting Information in AWS” by Stephen Wynkoop, SQL Server MVP, Founder & Editor of SSWUG.org

How to Meet Best Practices for Protecting Information in AWS by Stephen Wynkoop Working in the cloud presents several challenges unique to that environment, including significant growth and change in the area of data protection and encryption. There is much confusion about what is - and is not - encrypted and protected.  This encryption of information, and the management of the keys and access controls is a core objective of this paper. If you can render information useless if accessed illegitimately, you have successfully addressed a whole host of regulations, compliance and best practices.

The very definition of protection by cloud providers is an important part of understanding the requirements and challenges of your configurations and information protection. AWS approaches data protection in several ways that impact your systems. The first is the configuration and design of your infrastructure. This consideration includes establishing Virtual Private Clouds (VPC) and providing for encryption of some information stores. The challenge exists in understanding the protection of these information stores and determining what you need to do to bring these protections in line with your requirements and compliance areas.

As you consider your systems, data protection will come down to several important areas:

  • Physical access controls – This refers to the doors, secure access controls and other protections at the physical server and server room level.
  • Logical access controls for your systems – These are the controls you put in place to prevent unwanted access to information.
  • Data access – Data access controls are typically enforced at the information stores level.
  • Protection of data in case of a breach – This is addressed by making the information in your systems unusable if accessed in a way that is unwanted.

Stephen’s white paper also covers the impact on data protection in public vs. private clouds, security fundamentals in AWS, and the best practices for deploying an encryption key management solution including:

  • Segregation of Duties
  • Dual Control and Split Knowledge
  • Key Creation (and understanding strong keys)
  • Key Rotation
  • Protection of Keys
  • Access Controls and Audits (Logging)

In his white paper, Stephen also discusses cloud-provider-based key management services and some of the important features, options, questions, and concerns that should be considered before selecting a service or a key management solution. Some important aspects to understand are:

  • Control, Ownership, and Access - By managing your own encryption services and providing for industry-compliant key management and data protection practices, you help ensure that your data remains managed by your own secure keys.
  • Multi-Tenancy and Key Management - In a worst case scenario it’s possible that keys could be compromised.
  • Access to Keys - Many systems and architectures are based on hybrid solutions. Cases where there are systems on-premises combined with systems in the cloud are areas that will be problematic with the AWS services. Systems not on the AWS hosted services will not have access to the key management services on AWS.

There are many different considerations when thinking about the choices in your key management solution. Be sure to fully understand logs, key management, backups and other elements that provide the utility you require. Finally, be sure you’re checking for proper compliance and certification of the solutions you are considering. It is important that any solution you choose has been through a FIPS 140-2 validation, and that you have a full understanding of any PCI, HIPAA or other regulatory body requirements.

Please download the full document to learn more about protecting information in Amazon Web Services and how Townsend Security’s Alliance Key Manager for AWS provides a FIPS 140-2 compliant encryption key manager to AWS users who need to meet data privacy compliance regulations and security best practices.

How to Meet Best Practices for Protecting Information in AWS by Stephen Wynkoop

Topics: Best Practices, Amazon Web Services (AWS), Encryption Key Management, White Paper, SSWUG, Cloud Security

Our Top 10 Most Popular Data Security Blog Posts of 2014

Posted by Michelle Larson on Dec 31, 2014 10:37:00 AM

Encryption, Key Management, and Data Security…Oh My!

This has been a busy year at Townsend Security with the addition of 2FA, the introduction of Key Management in AWS, Azure, and Key Connection for Drupal. Looking back over our data security blog and the most-viewed topics, I wonder... Did you miss out on any of these?  Take some time to check them out!

Heartbleed

Heartbleed and the IBM i (AS/400)

by Patrick Townsend  (April 11, 2014)

Key take-away: It is important to understand that while the IBM i platform may not be directly vulnerable to the Heartbleed problem, you may have lost IBM i User IDs and passwords over VPN or other connections which are vulnerable. An exploit of Heartbleed can expose any information that you thought was being protected with session encryption.

From the blog article you can download additional content:  
Ebook: Turning  a Blind Eye to Data Security

What are the Differences Between DES and AES Encryption?

by Michelle Larson  (September 4, 2014)

Key take-away: Even Triple DES (3DES), a way of using DES encryption three times, proved ineffective against brute force attacks (in addition to slowing down the process substantially).

From the blog article you can download additional content:    
White Paper: AES Encryption & Related Concepts

Encryption & Key Management in Windows Azure

by Michelle Larson  (February 13, 2014)

Key take-away: In February 2014 we released the first encryption key manager to run in Microsoft Windows Azure. This blog highlights four of our most frequently asked questions about providing data security IN the Cloud.

From the blog article you can download additional content:    
Podcast: Key Management in Windows Azure 

Homomorphic Encryption is Cool, and You Should NOT Use It 

by Patrick Townsend  (October 6, 2014)

Key take-away: Homomorphic encryption is a promising new cryptographic method and hopefully the cryptographic community will continue to work on it. It has yet to achieve adoption by standards bodies with a proper validation processes.

From the blog article you can download additional content:  
eBook: the Encryption Guide

Authentication Called For By PCI DSS, HIPAA/HITECH, and GLBA/FFIEC

2FA Resource Kitby Michelle Larson  (March 24, 2014)    

Key take-away: Two-factor authentication (2FA) plays a critical role in both meeting compliance regulations and following data security best practices. This trend will only grow within various industries and throughout the overall data security environment.

From the blog article you can download additional content:  
2FA Resource Kit: White paper, Webinar, Podcast

Encrypting Data In Amazon Web Services (AWS)

by Patrick Townsend  (August 28, 2014)

Key take-away: Amazon Web Services is a deep and rich cloud platform supporting a wide variety of operating systems, AWS services, and third party applications and services. This blog explores some of the ways that our Alliance Key Manager solution helps AWS customers and partners protect this sensitive data.

From the blog article you can download additional content:  
Podcast:  Encrypting Data in AWS

Key Connection - The First Drupal Encryption Key Management Module

by Michelle Larson  (February 21, 2014)

Key Connection for Drupal

Key take-away:  Working together to solve the Drupal data security problem, the security experts at Townsend Security and Drupal developers at Cellar Door Media have released the Key Connection for Drupal solution, which addresses the need for strong encryption and encryption key management within the Drupal framework. Now personally identifiable information collected during e-commerce checkouts and user account that contain names and e-mail addresses can be easily encrypted, and the encryption keys properly managed, by organizations that collect and store that sensitive information.

From the blog article you can download additional content:   
Podcast: Securing Sensitive Data in Drupal

Nine Guidelines for Choosing a Secure Cloud Provider

by Patrick Townsend  (July 8, 2014)

Key take-away:  Security professionals (CIOs, CISOs, compliance officers, auditors, etc.) and business executives can use the following set of key indicators as a way to quickly assess the security posture of a prospective cloud provider and cloud-based application or service. Significant failures or gaps in these nine areas should be a cause for concern and suggest the need for a more extensive security review 

From the blog article you can download additional content:  
eBook: The Encryption Guide 

Never Lose an Encryption Key in Windows Azure       

by Patrick Townsend  (March 7, 2014)

Key take-away: This blog discusses backup/restore, key and policy mirroring, availability sets, and mirroring outside the Windows Azure Cloud.  Alliance Key Manager in Windows Azure goes the distance to help ensure that you never lose an encryption key. You might be losing sleep over your move to the cloud, but you shouldn’t lose sleep over your encryption strategy.

From the blog article you can download additional content:    
Free 30-day Evaluation of Alliance Key Manager for Microsoft Azure

3 Ways Encryption Can Improve Your Bottom Line

by Michelle Larson  (May 20, 2014) 

Key take-away: In a business world that is moving more towards virtualization and cloud environments, the need for strong encryption and proper key management is critical. Due to all the recent and well-publicized data breaches, we all know about the ways your brand can be damaged if you don’t encrypt your data. This blog takes a look at the benefits of encryption, and three of the ways it can have a positive effect on your business.

Additional content:  You’ll also discover that this is the third time in this Top-10 list that the eBook: The Encryption Guide is offered… so if you haven’t read it yet… what are you waiting for?

The Encryption Guide eBook

Topics: Data Security, Encryption, Best Practices, Amazon Web Services (AWS), Encryption Key Management, Virtualized Encryption Key Management, two factor authentication, Microsoft Windows Azure

Protecting Sensitive Data in Amazon Web Services

Posted by Michelle Larson on Oct 29, 2014 1:40:00 PM

Best Practices for Deploying a Key Manager in AWS

Cloud Security With Encryption Key Management in AWSThe cloud has transformed the way most industries manage their data. With services that offer cost-effective, scalable, “pay-as-you-go” options, it is increasingly rare to find a company that doesn’t want to migrate business-critical applications from an in-house data center to the cloud. Companies will make different decisions based on industry risk assessment, their own tolerance for risk, and compliance regulations, however, some Enterprises have been holding back on their migration to the cloud until comfortable that they can properly protect their most vital information. Data security was a concern when we had a fully controlled hardware environment, and now that we are moving to shared, multi-tenant virtual environments it has become even more critical.

Data encryption has had a reputation of being the hardest security measure to achieve and yet it is the best way to secure digital information that needs protection. One of the most important elements of encryption is using encryption key management best practices to keep the encryption keys safely stored away from the data they protect. An Enterprise key management solution will also provide dual control, separation of duties, and proper rotation of encryption keys to ensure that you (and only you) control, manage, and have access to your encryption keys and the data they protect.

Encrypting Data in AWS

Any cloud platform brings with it an additional set of security concerns, including the ability to implement and demonstrate regulatory compliance, as applications and services move into the cloud. Whether Enterprises bring their own applications and operating systems into the AWS cloud, or use the variety of options and rich set of services supplied by Amazon, lets take a look at ways data can be encrypted and the use of appropriate technologies to protect those vital encryption keys.

Virtual machine migration:  Probably the most typical cloud deployment involves IaaS (infrastructure as a service) where the operating system, database, and everything is contained with an application. By using industry standard encryption and key management,  vulnerabilities are significantly reduced and organizations are able to enforce compliance requirements.

Data storage options: Whether you are encrypting an entire database, or using column-level encryption for a more granular approach, you have options for database (data-at-rest) encryption.

Amazon Relational Database Service (RDS) While RDS does not support encryption key retrieval and on device encryption services internally, it does to make it easy for applications to encrypt data going into and out of the RDS. You can retrieve encryption keys for application-level encryption or use on-device encryption before writing to, or reading data from, the RDS.

Amazon Simple Storage Service (S3) is very popular for video, audio, and large files now with server-side customer supplied encryption and key management support. Each file can have it’s own encryption key, or you can use the same key to encrypt multiple files. With recent enhancements by Amazon, you can easily “bring your own key” and integrate a key manager to encrypt data being stored in S3 and decrypt data that is retrieved from S3 storage.

Amazon Elastic Block Storage (EBS) is available for any virtual machine running in an Amazon context to retrieve encryption keys and encrypt data in very straightforward application environment.

Choosing an Encryption Key Management Solution

Make sure your key management solution provides a rich set of SDKs and client-side libraries all of which run in cloud platforms and can be used through all of the storage services that Amazon provides. You should be able to choose to host the key manager in the AWS cloud as an Amazon Machine Instance (AMI), or in a hosted cloud HSM (which is gives you a dedicated HSM in a SOC 3 audited data center with a PCI DSS letter of attestation for compliance) or within a physical HSM under your full control within your own data center. Look for a key manager solution that runs exactly the same way in all of these environments, and ensures that you maintain ownership of your encryption keys at all times. So if you deploy in one location and then need to migrate, you can easily store your data in the appropriate locations. Also, using industry standard encryption and certified solutions for key management are critically important for meeting compliance regulations and following security best practices. Using a third party Cloud HSM gives you the assurance that your encryption keys are kept safely apart from your sensitive data. It is very important to make sure no one else has administrative access, because above all, encryption keys are the secret that must be protected within your encryption strategy.

With options for fee-based encryption key management services, as well as bring-your-own-license solutions, Townsend Security's Alliance Key Manager (AKM) for AWS allows Enterprises to properly manage their encryption keys while meeting security requirements in less time and at a lower cost. While it is not possible to perform FIPS 140-2 validation in a cloud service provider context, Alliance Key Manager uses the same FIPS 140-2 compliant key management technology available in Townsend Security's HSM and in use by over 3,000 customers worldwide. Alliance Key Manager for AWS provides full life-cycle management of encryption keys for a wide variety of applications to help organizations meet PCI DSS, HIPAA, and PII compliance at an affordable price.

To learn more about protecting your data in AWS, download this recent podcast by industry expert Patrick Townsend:

Encrypting Data in AWS

Topics: Amazon Web Services (AWS), Encryption Key Management, Alliance Key Manager Cloud HSM, Cloud Security

SlimTrader Says: "Alliance Key Manager is a Godsend!"

Posted by Liz Townsend on Sep 8, 2014 1:59:00 PM

Protecting sensitive data stored in Amazon Web Services (AWS) is a major priority for SlimTrader, a company helping businesses and individuals in Africa complete secure transactions via mobile ecommerce solutions. SlimTrader chose AWS to host their extensive database of users based on their ability in AWS to reduce costs and scale up as their business grows. The challenge, however, was to find an encryption and encryption key management solution that also featured low initial costs and could scale as well.

Encryption Key Management AWS Implementing strong encryption and key management in the cloud has been a major challenge in the past. Recently, AWS released the AWS CloudHSM; however, the high startup costs for implementing this encryption key management solution as well as its limitations made this solution an impractical fit. That’s why SlimTrader chose Alliance Key Manager for AWS.  According to Martin Pagel, CTO of Slim Trader:

“Our main challenge is that we’re cloud based, so we can’t use an HSM because we don’t have a physical IT infrastructure. We want to do it the right way, and do it in the cloud. With Alliance Key Manager for AWS I can deploy encryption key management the way I want, and I don’t have to ask anyone in Amazon for help.”

Alliance Key Manager not only scales to meet your business needs, but also gives you complete administrative control over your own virtual key server. Having this level of control is critical in a cloud environment where you may not be sure who you are sharing resources with. Alliance Key Manager also uses the same FIPS 140-2-compliant encryption key management and NIST-validated AES encryption service found in Townsend Security’s HSMs so that you can provably meet compliance requirements for several industry security regulations. Meeting compliance requirements is important to SlimTrader and many of their larger customers.

Overall, Townsend Security helped SlimTrader achieve their security goals and overcome security challenges in four major ways:

  • Making encryption and key management in AWS easy. For many businesses, moving their data to the cloud is simply more practical than assembling an internal IT department. It is also significantly easier.  “The ease of firing up an AKM cloud instance and having control over it appeals to me,” said Pagel, “And I don’t have the limitations of needing to install a physical box.”
  • Making encryption and key management in AWS affordable. SlimTrader also chose AKM for AWS for affordability. With Alliance Key Manager for AWS, SlimTrader is taking advantage of Townsend Security’s no end-point license fee model that will allow them to grow without burdening their budget. For strong data security to become ubiquitous, and for data breaches to become fewer, encryption and key management must become affordable. With AKM for AWS, small businesses such as SlimTrader can lead the way in data breach prevention.
  • Providing encryption and key management that works with their applications. SlimTrader needed a key management solution that would work seamlessly with MySQL and Drupal in AWS. Alliance Key Manager is designed from the ground up to integrate with many platforms, applications, and databases and can protect encryption keys for data encrypted at the application level.
  • Certified Solutions. SlimTrader works with several banks and government agencies in Africa who consider PCI compliance important. “When we manage data on their behalf, we need to manage it securely,” says SlimTrader CTO Martin Pagel. FIPS 140-2 compliance is critical for many organizations who must meet government standards, and important for businesses that want provably defensible encryption key management.  Alliance Key Manager also provides onboard NIST-validated AES encryption service. This service allows you to provably meet compliance regulations for encryption.

To see for yourself how easy encryption and key management can be in Amazon Web Services, download a free 30-day evaluation.

Encryption Key Management AWS

Topics: Amazon Web Services (AWS), Case Study

Encrypting Data In Amazon Web Services (AWS)

Posted by Patrick Townsend on Aug 28, 2014 9:31:00 AM

Amazon Web Services is a deep and rich cloud platform supporting a wide variety of operating systems, AWS services, and third party applications and services. It is a bewildering array of capabilities with lots of places to store sensitive data. Let’s explore some of the ways that our Alliance Key Manager solution helps AWS customers and partners protect this data. This is a bird’s eye view, and we’ll dive into this in more depth in future blogs:

Amazon AWS Services

Encrypting data in AWS - What You Need to Know Amazon Relational Database Service (RDS)
Alliance Key Manager provides encryption key retrieval and an on-device encryption service to make it easy for your applications to encrypt data in RDS. Townsend Security SDKs can easily be used to provide encryption at the application layer.

Amazon Simple Storage Service (S3)
Alliance Key Manager lets you retrieve 256-bit AES keys in Base64 encoded format ready for use with RDS customer supplied encryption key services. You can easily deploy an AKM dedicated key management service to support encrypting and decrypting files in S3 storage.

Amazon Elastic Block Storage
Amazon Machine Instances (AMIs) provide access to EBS for simple unstructured storage requirements. Townsend Security SDKs can easily be used to provide encryption at the application layer.

Amazon DynamoDB (NoSQL)
The AWS NoSQL implementation does not provide encryption services, but you can easily implement encryption at the application layer using the Townsend Security SDKs. With support for many programming languages you can implement the encryption and key management services you need to meet compliance regulations.

Application Databases:

Microsoft SQL Server
Alliance Key Manager includes a license for Townsend Security’s Key Connection for SQL Server application that supports Transparent Data Encryption (TDE) and Cell Level Encryption for Enterprise edition. This EKM provider installs in your Windows SQL Server environment and enables encryption without any programming. For SQL Server Standard and Web Editions Alliance Key Manager includes a license for the Townsend Security Windows Client for snap-in encryption support.

Oracle Database
Oracle Database encryption support is provided through SDKs that are free of charge with Alliance Key Manager. Java, Perl, PHP, Python, Ruby and C# SDKs and sample code enable rapid deployment of encryption in Oracle environments. Sample PL/SQL code is also available for Oracle Linux platforms.

MySQL, SQLite, PostgreSQL, etc.
Open source database encryption support is provided through SDKs that are free of charge with Alliance Key Manager. Java, Perl, PHP, Python, Ruby and C# SDKs and sample code enable rapid deployment of encryption in these environments.

Software SDKs for Amazon Web Services:

A rich set of application SDKs are available for many programming languages. These SDKs provide support for Java, Microsoft .NET languages (C#, VB.NET, etc.), Perl, Ruby, Python, PHP, and others. These SDKs are provided at no charge to Alliance Key Manager customers.

Application Plugins for Amazon Web Services:

Drupal Encryption and Key Management
Alliance Key Manager integrates naturally with the Drupal web CMS using the Drupal Encrypt module and Townsend Security’s Key Connection for Drupal module available on Drupal.org. Drupal users can retrieve encryption keys for use with local encryption, or use the Alliance Key Manager Encryption Service to encrypt and decrypt data in the key manager with NIST-validated AES encryption.

SQL Server Transparent Data Encryption
Alliance Key Manager integrates directly into the Microsoft SQL Server Enterprise edition database to provide Transparent Data Encryption (TDE) support using the Townsend Security Key Connection for SQL Server application.

SQL Server Cell Level Encryption
Alliance Key Manager integrates directly into the Microsoft SQL Server Enterprise edition database to provide Cell Level Encryption support using the Townsend Security Key Connection for SQL Server application.

Encryption & Key Management in AWS

Topics: Alliance Key Manager, Encryption, Key Management, Amazon Web Services (AWS)


Subscribe to Email Updates

Posts by Topic

see all