+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

Case Study: The Seed Company

Posted by Luke Probasco on Nov 6, 2017 10:32:47 AM

SeedCompany_Primary_Tag.pngSecuring Data in MongoDB Enterprise with Alliance Key Manager


“When choosing a key management solution, it needed to be 1) KMIP compliant and 2) affordable. Alliance Key Manager was both..”

- Jonathan Ganucheau, System Architect

 
The Seed Company

The Seed Company Case studyFounded in 1993 by Wycliffe Bible Translators Inc., Seed Company became one of the fastest growing Bible translation organizations by developing innovative ways to more rapidly, efficiently and accurately translate Scripture for groups who don’t have it in their language.

Over a billion people worldwide don’t have the full Bible in the language they know best. More than 1,600 languages don’t have any Scripture at all. Seed Company’s goal is zero languages without Scripture by 2025. In this generation, the Bible will become available to all for church planting, evangelism and discipleship efforts led by the local Church.

The Challenge: Protecting Private Data in MongoDB with Encryption & Key Management

As Seed Company began to outgrow its on-premise data center, it knew that in order to transition services into the cloud, the security team needed to assure business leaders and partners that their data in the cloud would be safe. To meet internal security requirements, not only did the solution need to be cloud based, but encryption needed to live in a secondary cloud provider. By taking a hybrid cloud approach and deploying a service in a secondary cloud provider, Seed Company could securely manage encryption keys and protect data stored in MongoDB Enterprise.

While compliance wasn’t a requirement, meeting security best practices to protect the contact data for partners in the field was. With identities of partners in violent, oppressive countries at stake, a breach could literally mean the difference between life and death.

The Solution

Alliance Key Manager

Seed Company’s adoption of the cloud was reliant on the ability to adequately protect private data. Alliance Key Manager was essential to their transition. “After two months of discovery, we looked at all of the cloud encryption key management vendors and compared everything from features to price,” said Jonathan Ganucheau, System Architect. “Alliance Key Manager met all of our criteria - with KMIP compliance and affordability leading our decision.”

“If someone was able to hack into our primary cloud platform and extract our backups, they still wouldn’t be able to get the actual data because the key manager is in a secondary cloud provider. This provides us with another level of hardening,” continued Ganucheau.

By deploying Alliance Key Manager, Seed Company was able to meet their organization’s needs to protect partner data in MongoDB in the cloud.

Integration with MongoDB Enterprise

“Having invested in MongoDB Enterprise with KMIP encryption, there was no need to buy competing encryption solutions, adding to the overall expense of the project,” said Ganucheau. With a low total cost of ownership, Alliance Key Manager customers can leverage the built-in encryption engine in MongoDB, with no limits imposed to the number of servers or data that can be protected.

“During discovery, one thing that came as a surprise to us was the number of vendors who claimed to support KMIP, but actually didn’t. They maybe started with KMIP compliance, but then deviated off course and no longer met our requirement of being a true KMIP service,” continued Ganucheau.

With no client software to install, Alliance Key Manager offers unparalleled security, flexibility, and affordability for all users of MongoDB Enterprise.

Reliability

One of the top concerns organizations have when encrypting data is losing access to encryption keys. Alliance Key Manager mirrors keys between multiple load-balanced servers over a secure and mutually authenticated TLS connection for hot backup and disaster recovery support. “Uptime is critical for our organization. Alliance Key Manager has remained up 100% over the past year, which is a big deal for our organization. Set it and forget it. It just works,” finished Ganucheau.

“Between your cost structure and reliability, Alliance Key Manager has earned my highest recommendation.”

The Seed Company Case Study

 

Topics: Alliance Key Manager, Case Study, MongoDB

Case Study: Plaza Premium Lounge

Posted by Luke Probasco on Jun 19, 2017 8:29:59 AM

PPL-Logo.pngMeeting PCI DSS with Townsend Security's Alliance Key Manager Hardware Security Module (HSM)


“Alliance Key Manager is simple, reliable, and easy to use - as a result, has allowed us to meet PCI DSS compliance and expand our market.”

- Sandeep Tewatia, IT Director

 
Plaza Premium Lounge

Plaza Premium Lounge Case Study

Plaza Premium Lounge is a global service brand headquartered in Hong Kong and is the industry-leader in premium airport services. Their goal is to make your airport experience seamless and effortless and, through their hearty services, change the perception of travel at the airport. The company operates in more than 140 locations in 35 airports across the globe and counts over 3,500 employees. The success of their business model has prompted airport authorities around the world to offer independent lounge facilities and value-added airport services as part of a bid to enhance the overall traveler experience.

 

The Challenge: Meet PCI DSS Compliance with Encryption Key Management

PCI DSS 3.0 requires businesses to, “Protect stored cardholder data.” The Requirement 3 summary names encryption, truncation, masking, and hashing as “critical components of cardholder data protection” and places strong emphasis on key management: “If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.”

Storing encryption keys next to the data they protect is not considered a security best practice and won’t meet data security compliance requirements like PCI DSS.

Faced with designing a PCI DSS compliant environment to store and process credit cards, Plaza Premium Lounge understood the importance of deploying an encryption key manager and that it should be based on industry standards. The solution had to be FIPS 140-2 compliant, designed to scale with their business needs, and have easy integration with IT infrastructure.  Additionally, the chosen vendor needed to provide excellent developer and technical support.

 

The Solution

Alliance Key Manager HSM

“I looked at all of the encryption key management HSM vendors,” said Sandeep Tewatia, IT Director. “Not only is Alliance Key Manager available as a FIPS 140-2 compliant HSM, Townsend Security has the same technology available in the cloud - which is important as we scale.”  By deploying Alliance Key Manager HSM, Plaza Premium Lounge was able to meet their business needs with a FIPS 140-2 compliant solution that could not only deploy quickly, but was also easy to set up and configure.

Integration with IT Infrastructure

“Townsend Security’s integration with our existing IT infrastructure really set the company apart,” continued Tewatia. “Alliance Key Manager has helped us meet our business goals of meeting PCI DSS in record time.”

By combining Alliance Key Manager and Townsend Security’s client applications and SDKs, Plaza Premium Lounge experienced a seamless integration with their IT infrastrutucture. Alliance Key Manager includes an unlimited license to use the Key Connection for SQL Server software.

Meeting PCI DSS Compliance

By managing encryption keys separately from the encrypted data, meeting PCI DSS encryption key management requirements went from a long, difficult, developer project to an easy integration.

“Having a PCI compliant environment has allowed us to expand our market and Alliance Key Manager was essential to us meeting section 3 for protecting stored cardholder data,” finished Tewatia.

Plaz

 

Topics: Alliance Key Manager, Case Study

Case Study: Citizens Security Life Insurance

Posted by Luke Probasco on Mar 13, 2017 10:54:24 AM

CSLI-Logo.pngCompliance Made Easy - Protecting Private Information with Alliance AES/400 Encryption for IBM i and Alliance Key Manager for VMware


“Townsend Security was extremely easy to work with - from the sales process to deploying our proof of concept to post-sales support.”

- Adam Bell, Senior Director of IT

 
Citizens Security Life Insurance

MCitizens Security Life Insurance Company is a life and health insurance carrier. The company offers group benefits including dental and vision coverage, and individual ancillary insurance products. The company was founded in 1965 and is headquartered in Louisville, Kentucky.

The Challenge: Protect ePHI & PII on the IBM i

In order to meet growing partner requirements and pass a data security audit for protecting electronic Protected Health Information (ePHI) and Personally Identifiable Information (PII), Citizens Security Life Insurance (CSLI) needed to deploy an encryption solution on the IBM i. The solution needed to be easy to implement with excellent performance.

While FIELDPROC on the IBM i makes it very easy to encrypt data without application changes, CSLI also understood that for encrypted data to truly be secure, they would need to store and manage encryption keys with an external key manager.

By using a VMware-based encryption key manager, the company could meet encryption and key management best practices for separating encryption keys from the data they protect.

The Solutions

Alliance AES/400 Encryption

“The performance we are seeing with Alliance AES/400 encryption is excellent,” said Adam Bell, Senior Director of IT, Citizens Security Life Insurance. “The solution was easy to integrate and completely met our expectations.”

Alliance AES/400 FIELDPROC encryption is NIST-compliant and optimized for performance. The solution is up to 100x faster than equivalent IBM APIs on the IBM i platform.

With Alliance AES/400, businesses can encrypt and decrypt fields that store data such as credit card numbers, social security numbers, account numbers, ePHI, and other PII instantly without application changes.

Alliance Key Manager for VMware

Alliance Key Manager for VMWare was very easy to implement and the resources Townsend Security provided made deployment a smooth process,” continued Bell. By deploying Alliance Key Manager for VMware, CSLI was able to meet their business needs with a solution that could not only deploy quickly, but was also easy to set up and configure.

Alliance Key Manager for VMware leverages the same FIPS 140-2 compliant technology found in Townsend Security’s hardware security module (HSM) and in use by over 3,000 customers. The solution brings a proven and mature encryption key management solution to VMware environments, with a lower total cost of ownership. Additionally, the key manager has been validated to meet PCI DSS in VMware environments.

Integration with the IBM i Platform

An encryption strategy is only as good as the key management strategy, and it can be difficult to get key management right. For companies doing encryption, the most common cause of an audit failure is an improper implementation of key management. The seamless integration between Alliance AES/400 and the external Alliance Key Manager for VMware allowed CSLI to pass their data security audit with flying colors.

“The relationship we developed with Townsend Security enabled us to have a painless sales and support process, and in turn, enabled us to easily pass our data security audit,” finished Bell.

Meeting HIPAA and protecting ePHI with encryption and key management.

 

Topics: Alliance Key Manager, Alliance AES/400, Case Study

SlimTrader Says: "Alliance Key Manager is a Godsend!"

Posted by Liz Townsend on Sep 8, 2014 1:59:00 PM

Protecting sensitive data stored in Amazon Web Services (AWS) is a major priority for SlimTrader, a company helping businesses and individuals in Africa complete secure transactions via mobile ecommerce solutions. SlimTrader chose AWS to host their extensive database of users based on their ability in AWS to reduce costs and scale up as their business grows. The challenge, however, was to find an encryption and encryption key management solution that also featured low initial costs and could scale as well.

Encryption Key Management AWSImplementing strong encryption and key management in the cloud has been a major challenge in the past. Recently, AWS released the AWS CloudHSM; however, the high startup costs for implementing this encryption key management solution as well as its limitations made this solution an impractical fit. That’s why SlimTrader chose Alliance Key Manager for AWS.  According to Martin Pagel, CTO of Slim Trader:

“Our main challenge is that we’re cloud based, so we can’t use an HSM because we don’t have a physical IT infrastructure. We want to do it the right way, and do it in the cloud. With Alliance Key Manager for AWS I can deploy encryption key management the way I want, and I don’t have to ask anyone in Amazon for help.”

Alliance Key Manager not only scales to meet your business needs, but also gives you complete administrative control over your own virtual key server. Having this level of control is critical in a cloud environment where you may not be sure who you are sharing resources with. Alliance Key Manager also uses the same FIPS 140-2-compliant encryption key management and NIST-validated AES encryption service found in Townsend Security’s HSMs so that you can provably meet compliance requirements for several industry security regulations. Meeting compliance requirements is important to SlimTrader and many of their larger customers.

Overall, Townsend Security helped SlimTrader achieve their security goals and overcome security challenges in four major ways:

  • Making encryption and key management in AWS easy. For many businesses, moving their data to the cloud is simply more practical than assembling an internal IT department. It is also significantly easier.  “The ease of firing up an AKM cloud instance and having control over it appeals to me,” said Pagel, “And I don’t have the limitations of needing to install a physical box.”
  • Making encryption and key management in AWS affordable. SlimTrader also chose AKM for AWS for affordability. With Alliance Key Manager for AWS, SlimTrader is taking advantage of Townsend Security’s no end-point license fee model that will allow them to grow without burdening their budget. For strong data security to become ubiquitous, and for data breaches to become fewer, encryption and key management must become affordable. With AKM for AWS, small businesses such as SlimTrader can lead the way in data breach prevention.
  • Providing encryption and key management that works with their applications. SlimTrader needed a key management solution that would work seamlessly with MySQL and Drupal in AWS. Alliance Key Manager is designed from the ground up to integrate with many platforms, applications, and databases and can protect encryption keys for data encrypted at the application level.
  • Certified Solutions. SlimTrader works with several banks and government agencies in Africa who consider PCI compliance important. “When we manage data on their behalf, we need to manage it securely,” says SlimTrader CTO Martin Pagel. FIPS 140-2 compliance is critical for many organizations who must meet government standards, and important for businesses that want provably defensible encryption key management.  Alliance Key Manager also provides onboard NIST-validated AES encryption service. This service allows you to provably meet compliance regulations for encryption.

To see for yourself how easy encryption and key management can be in Amazon Web Services, download a free 30-day evaluation.

Encryption Key Management AWS

Topics: Amazon Web Services (AWS), Case Study

Case Study: Preventing Substitution of Cryptographic Keys

Posted by Kristie Edwards on Sep 26, 2012 9:19:00 AM

encryption key managementOne of our customers recently submitted a support ticket related to a question asked by their QSA Auditor.  Just a quick background on our customer - they have an all IBM i environment and are using AES/400, our NIST-certified AES encryption among other data privacy solutions we offer.  This customer needs to comply with PCI because they are accepting credit cards and store personally identifiable information (PII). The question was: How does your AES encryption software prevent unauthorized substitution of cryptographic keys?

At Townsend Security we stress the need for encryption any time you have sensitive data, but that is only half of the battle.  You also need to protect the encryption key with a key manager.  Did the question about substitution of cryptographic keys surprise us? No, it didn’t.  This is a great example of what is happening out in the business world.

If your encryption is weak (did you know there is weak encryption?), this is a legitimate concern. There is a “key store” on the IBM i that stores encryption keys, but it’s like putting your house key underneath the welcome mat to your front door.

If you are using our Alliance Key Manager (our encryption key management HSM), we use NIST FIPS 140-2 best practices for detecting key substitution or key corruption. This involves the use of an HMAC mechanism with each key stored in the key management appliance.

What kind of questions are your QSA Auditor’s asking?  We would love to hear from you, whether you are a current customer of ours or not.  If you are interested in hearing more download our podcast on compliance and encryption key management.

Click me

Topics: Encryption, Encryption Key Management, Case Study

Case Study: Encryption Key Management with SQL Server and Oracle

Posted by Luke Probasco on Feb 23, 2012 10:01:00 AM

sql server oracle encryption key managementAs a company that provides NIST-certified encryption and FIPS 140-2 encryption key management, we need to secure data on a number of different platforms. Lately we have been coming into several cases where a customer needs encryption and key management on both Microsoft SQL Server and Oracle databases. Below is an email exchange with a customer who came to us “looking for a product to store, generate and manage keys that we use to encrypt/decrypt credit card information inside both SQL Server and Oracle Databases on Windows and UNIX.” We hope this discussion helps with your encryption project.

Customers Environment:

1. Encryption key is generated on the Windows platform through custom software, but if we can move away from that to an automated approach all the better. The key is moved to Oracle manually and we want to replace this with automation.

2. Credit card information is interfaced to our system then automatically encrypted using the key and stored in a SQL 2008 Enterprise Edition server table (only the one column is encrypted).

3. The SQL Server data is then sent to our Oracle database as encrypted data where it is stored in one column of a table.  It is then decrypted and sent to a payment services company who send us back a billing code, which replaces the encrypted credit card number.  So most of the encrypted credit cards are only stored for a short period of time, but some with problems are stored much longer.

Questions Addressed:

Our Alliance Key Manager (AKM) Hardware Security Module (HSM) provides full life-cycle management of encryption keys for PCI DSS and PII compliance. It works with applications and databases on a variety of platforms including Windows, Linux, UNIX, and IBM mainframes. We support the Microsoft EKM architecture for automatic encryption of SQL Server using TDE or Cell Level Encryption. Our customers also use AKM to manage keys for Oracle database applications, and support for Oracle TDE (requires Oracle Enterprise Edition and Advanced Security) is in our product roadmap.

SQL Server:

Because you are running SQL Server Enterprise edition, you have two options. The first is to deploy Extensible Key Management (EKM), which is supported by our Alliance Key Manager. EKM gives you the ability to automate encryption through Transparent Data Encryption (TDE) or Cell Level Encryption. TDE is usually the choice people make as it is the easiest to deploy and does not require any programming. Cell Level Encryption requires a bit of programming, but still fully automates the storage of keys on the key server.

The second approach is to use our Windows .NET key retrieval assembly to retrieve an encryption key from our key server and perform encryption in your application. Since you are already doing an encryption with a local key, this would probably be a pretty simple task. It appears that you might need this type of granular approach to support your current integration between SQL Server and Oracle. We have C# and VBNET sample code that shows how to retrieve a key from the key server.

Additionally, we support Windows 2003 for either approach and both of these approaches will meet PCI DSS standards for key management.

Oracle:

Our customers are currently using our key manager to encrypt data in Oracle databases. We provide sample code in Java, Perl, PHP, and other languages to support this. We also provide a shared library that does secure key retrieval from a variety of platforms, and also sample code that shows how use the shared library in PL/SQL.

encryption key managementKey Generation:

Encryption keys are generated on the encryption key manager using a secure administrator's console installed on a Windows PC. The interface to the key manager is a wire protocol and you can drive it from any application platform that supports SSL/TLS. All of your OS's do so. Our business users attempting to meet PCI DSS requirements for Dual Control and Separation of Duties typically stick to using our secure key management console.

Encryption on HSM:

Our Alliance Key Manager also supports encryption on the server. Rather than retrieving the key to your business application, you can send the data to the key manager with the name of the key you want to use, and it will return the encrypted or decrypted data back to your application on the secure connection. No key leaves the key server with this approach - just an alternative that is worth mentioning.

We hope that this case study can help you with your encryption project.  Listen to our podcast “Encryption Key Management with Microsoft SQL Server 2008 to learn how easy it is for your organization to start encrypting data on your SQL Server.

Click me

Topics: Alliance Key Manager, Oracle, SQL Server 2008, Encryption Key Management, Case Study

AES Encryption Performance

Posted by Luke Probasco on Apr 12, 2011 8:48:00 AM

AES Encryption Performance: Avoid the High Cost of Poorly Performing Encryption Solutions

AES EncryptionAES encryption has become the de facto standard for protecting data at rest in databases and unstructured data such as flat files, messages, EDI, and XML documents.  As enterprises deploy data security solutions to meet compliance requirements, they are frequently surprised by the performance impacts of encryption. Inadequate attention to encryption performance can lead to increased costs, delayed or failed projects, compliance failure, reduced flexibility to meet competitive challenges, and exposure to legal liability.

Whether you're evaluating an encryption solution or already encrypting data, these tips about encryption and performance will help ensure you have the right solution in place. 

Encryption - A Resource Hungry Application

By its very nature, encryption and decryption are resource intensive processes. Encrypting a simple credit card number requires many thousands of computer instructions. These instructions merge the input data with an encryption key using a large number of computer instructions to produce the secured data (called the “cipher text”). Because of the large number of computer instructions, an enterprise customer will experience increased utilization of computer resources and a need to consider adding additional capacity.

Ask for performance metrics

Armed with the knowledge that encryption performance is important, you can take action to avoid potential problems. Before acquiring an encryption solution, ask your data security vendor to provide performance metrics for their solution. How long does it take to encrypt one million credit card numbers? Can they provide you with source code and demonstrate this performance on your server?

The Hidden Costs of Encryption

Poorly performing encryption solutions can come with steep price tags as you secure more data in more places. You may have to add additional memory and increase the number of processors to handle the demands of encryption. As you upgrade your server hardware, the operating system vendor and application software vendors may increase the license fees they charge for their software. These cost increases may ripple through your backup and high availability systems. On top of increased hardware and software, your human resource costs also increase as you deploy larger and more powerful servers.

Are Network Encryption Devices a Good Idea?

Some security vendors provide encryption solutions on an external server as an encryption appliance. Each time your application needs to encrypt or decrypt data, a connection to the server is created and the data is transferred to the server for the encryption operation. Be sure to understand the maximum encryption rate of these types of appliances when doing a large number of operations. if it takes 5 milliseconds to transfer data to a server for encryption,
and 5 milliseconds to return the encrypted data, that 10 milliseconds can represent a performance problem.

Test Drive - not all AES encryption solutions are the same

Townsend Security's proven AES encryption solution encrypts data 94x times faster than the competition.   Request a free 30-day trial of our popular Alliance AES Encryption and see for yourself.

But don't just take our word for it, read what Staples has to say about their experience with our AES encpryption solution.

Case Study

AES PerformanceA large multi-brand retailer, that sells its products online and in traditional retail outlets needed to meet PCI Data Security Standards for protecting customer credit card information. After evaluating several different vendors for performance they decided on AES Encryption from Townsend Security.  They deployed the Alliance AES/400 Encryption solution to protect sensitive data in DB2 database files and in a variety of unstructured data files and were able to achieve PCI compliance in record time.

Townsend Security Can Help

The best way to secure sensitive information is with strong encryption and key management. Townsend Security provides NIST validated encryption and logging solutions for the enterprise. Our encryption, key management, tokenization, and logging solutions protect sensitive data from loss, whether it is at rest or in motion.  With NIST validated and FIPS 140-2 compliant certified solutions, Townsend Security meets or exceeds the standards in PCI, HIPAA/HITECH, and state privacy laws.  Click here to download a free 30-day trial of our popular Alliance AES Encryption.

Topics: NIST, Alliance AES/400, Encryption Key Management, Case Study, Performance, FIPS-140, AES Encryption

 

 

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all