Townsend Security Data Privacy Blog

Protecting Sensitive Data in Microsoft Windows Azure with Encryption & Key Management

Posted by Patrick Townsend on Nov 15, 2012 10:37:00 AM

Download Podcast: Securing Microsoft Windows Azure with Encryption & Key Management

Listen to this podcast to learn about protecting sensitive data in Microsoft Azure with encryption and key management.

Microsoft made a huge Windows Azure cloud announcement this June with their support for full Windows Server workloads including support for all major versions of SQL Server. Prior to the June announcement, Azure only supported Windows applications, and a simple database called SQL Azure.  Now you can deploy full production Windows server instances to Azure. That is a really big change.

However, study after study shows that the number one concern of organizations moving to the cloud is security. And the number one security issue is protecting sensitive data. And the number one problem in the area of data protection is how to manage encryption keys.

By now most of you know that we have a strong partnership with Microsoft around SQL Server encryption. For months we’ve been helping customers protect SQL Server data using Alliance Key Manager, our encryption key manager. We cover every version and edition of SQL Server for encryption with NIST-certified encryption key management. Whether you are using SQL Server Enterprise Edition with Transparent Data Encryption (TDE), or SQL Server Standard or Web Editions without the TDE support, or even older versions of SQL Server – we have encryption and key management solutions that help you meet compliance regulations.

So it is natural that we are hearing a lot from Microsoft customers about securing data in Azure. But how does all of this work in the Azure environment?

The short answer is – it works in Azure just like it works everywhere else. Regardless of the Azure platform you are using, our encryption key manager protects the encryption keys that protect your data. You can run full SQL Server TDE in Azure, or you can run SQL Server Cell Level Encryption, or you can use our Windows .NET assembly to protect data in your .NET applications.

In the same way that we protect SQL Server data in traditional IT environments, we protect it in every Microsoft Azure environment, too. And that means we protect SharePoint 2010 and Dynamics, too, when they are deployed on top of SQL Server with TDE.

When you protect SQL Server with Alliance Key Manager, you can host the key server in your own data center, or you can install it at your own favorite hosting provider, or you can use a key server in our hosting center. The choice is yours.

Moving applications to the cloud involves many challenges. Exposing your data without proper encryption does not have to be one of them.

Patrick

Topics: Alliance Key Manager, Encryption Key Management, cloud, Microsoft Windows Azure

Encryption Key Management In the Cloud: 3 Ways

Posted by Liz Townsend on Oct 26, 2012 8:21:00 AM

When it comes to encrypting data in the cloud, encryption key management can get a little tricky. I sat down with Patrick Townsend, CEO and Founder of Townsend Security to ask: If key management is so important for compliance, how can organizations working in cloud platforms such as Microsoft Windows Azure be sure they’re deploying good key management?

First of all, when you’re encrypting data, you should never, ever store your encryption keys on the same server where your encrypted data is stored. When it comes to encryption key management for cloud applications, there are really 3 different models:

1. Use an external Hardware Security Module (HSM) as part of your own IT infrastructure.
This model allows applications running in Windows Azure to use encryption services or retrieve an encryption key through a secure connection to the key server placed in your own IT infrastructure. Combined with dual control and separation of duties, this is usually the best and easiest model for cloud users and will help you meet data security compliance regulations.

2. Outsource encryption key management to a physical hosting environment.
Rather than placing an encryption key management HSM in your own infrastructure, you can use a professional hosting company to hold your key management server in a high security hosting environment. With this model, your Windows Azure applications will communicate with the off-site hosted key server to perform encryption and key retrieval services.

3. Run Key Management in The Cloud.
Storing encryption keys in the cloud is generally considered a bad idea. The cloud is typically a less secure environment because its services are usually shared with other users. These services include disk space, memory, and other facilities that other companies may also be using. In a cloud environment there are more factors and complexities at play, and many unknowns about how the cloud provider protects the data. Even compliance regulations such as PCI-DSS mention these risks associated with the cloud. That’s why we recommend companies use an external HSM, ideally within their own infrastructure, to keep their encryption keys under their own control and eliminate unknown factors.

In the end, however, choosing a model for storing encryption keys isn’t the last step in protecting your data and meeting compliance. You must always, always, always have a strategy for managing keys that includes dual control, separation of duties, and split knowledge. Some companies use an external HSM for their keys and still fail to meet compliance regulations because they manage their keys poorly.


Want to learn more? Check out the Podcast, “Securing Microsoft Windows Azure with Encryption and Key Management” to learn how to meet compliance regulations with encryption and key management, performance considerations, managing encryption keys, and what to look for when deciding on an encryption key management solution.

Topics: Encryption Key Management, cloud, Microsoft Windows Azure

Data Encryption In the Cloud - Microsoft Windows Azure Security Issues

Posted by Liz Townsend on Oct 24, 2012 1:25:00 PM

Sometimes when I think of the cloud, I still imagine all of my data floating around up in the sky. Which, of course, isn’t where the data lives at all. All of our data that we store in the cloud lives in massive data centers. How massive? I once heard one of these data centers described as so large that as you looked down the rows of servers you could see the curvature of the earth.

It’s clear that the cloud is growing, and becoming critical in how we work with data, which is why data security in the cloud is becoming a very hot topic. Because we’re beginning to work with more and more companies who want to protect their data in Microsoft Windows Azure, I particularly wanted to address concerns about encryption and encryption key management in the Microsoft Windows Azure Cloud platform. So I sat down with Patrick Townsend, CEO of Townsend Security and Data Privacy Expert, to discuss data privacy issues in Microsoft Windows Azure. Here are some of my questions and his answers.

Why is Data Security an Issue in Microsoft Windows Azure?

Overall, the number one concern of organizations moving to the cloud is security. Almost all core applications that run in an enterprise environment collect and store sensitive information. This information might be cardholder data, social security numbers, tax IDs, or any other personally identifiable information (PII). Properly protecting that data with encryption and key management is critical for enterprise customers to meet industry and state data privacy regulations as well as to prevent data breaches.

Microsoft Windows Azure is unique in that it actually has a few different facilities. The original Azure facilities were limited to .NET applications. This year Microsoft made a big jump to provide full Infrastructure-as-a-Service (IaaS) capability within Azure, to allow customers to run Windows, SQL Server, and almost any other Windows type of environment in Azure. Those capabilities opened the door to allow applications to move into Azure, and along with them came all of the issues of data protection.

Now, with all of those applications running in Windows Azure, the big challenge is getting a proper encryption and key management strategy in place to protect all of the sensitive data that those applications process.

Does Windows Azure provide customers with encryption capabilities?

Yes, Microsoft has really done a good job in terms of supporting encryption across all Azure platforms. In itself, Microsoft Windows has really good AES encryption capabilities in their .NET libraries. Azure and SQL Azure can leverage these .NET encryption capabilities. In fact, we’ve done a proof-of-concept where we show exactly how to do this in Azure. It’s actually very straightforward. In Azure you have the option to deploy either Transparent Data Encryption (TDE) to encrypt all data or Cell Level Encryption to encrypt data on a column-by-column basis.

Encryption key management can be implemented by leveraging Microsoft’s Extensible Key Manager (EKM) capabilities. Although Microsoft gives you the option to store the encryption keys locally in the same server where you store data, in order to be compliant with most data security regulations and avoid data breach notification, customers must use an external Hardware Security Module (HSM) to store their encryption keys and use best practices such as dual control and separation of duties.

Overall, I think Microsoft has truly done a great job with encryption performance. The greatest challenge people will have when protecting data is encryption key management, and doing it properly. It’s not just a challenge for Microsoft Windows Azure, but for all Cloud platforms. Luckily, we’ve developed a model to help companies do key management right.
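The point above about EKM, and the earlier rule that keys should not live on the server that holds the encrypted data, can be checked on a running instance. The following T-SQL is an added example, not code from the original post or from Townsend Security; it assumes SQL Server 2012 or later and VIEW SERVER STATE permission, and the `key_location` labels are this example's own wording.

```sql
-- Added example: audit what protects each TDE database encryption key (DEK).
-- A DEK protected by a certificate, or by an asymmetric key that has no
-- cryptographic (EKM) provider behind it, has its protector stored in the
-- master database, i.e. on the same server as the encrypted data.
-- Assumption: SQL Server 2012+ (encryptor_type column), VIEW SERVER STATE.
USE master;

SELECT
    d.name                       AS database_name,
    CASE dek.encryption_state
        WHEN 1 THEN 'unencrypted'
        WHEN 2 THEN 'encryption in progress'
        WHEN 3 THEN 'encrypted'
        WHEN 4 THEN 'key change in progress'
        WHEN 5 THEN 'decryption in progress'
        WHEN 6 THEN 'protection change in progress'
        ELSE 'no DEK / unknown'
    END                          AS tde_state,
    dek.key_algorithm,
    dek.key_length,
    dek.encryptor_type,          -- 'CERTIFICATE' or 'ASYMMETRIC KEY'
    COALESCE(ak.name, c.name)    AS protector_name,
    cp.name                      AS ekm_provider,
    cp.is_enabled                AS ekm_provider_enabled,
    CASE
        WHEN dek.encryptor_type = 'ASYMMETRIC KEY'
             AND cp.guid IS NOT NULL
             AND cp.is_enabled = 1
            THEN 'EXTERNAL (key held by EKM provider)'
        ELSE 'LOCAL (protector stored on this server)'
    END                          AS key_location
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases AS d
    ON d.database_id = dek.database_id
-- Protectors live in master; match them to the DEK by thumbprint.
LEFT JOIN sys.asymmetric_keys AS ak
    ON dek.encryptor_type = 'ASYMMETRIC KEY'
   AND ak.thumbprint = dek.encryptor_thumbprint
LEFT JOIN sys.certificates AS c
    ON dek.encryptor_type = 'CERTIFICATE'
   AND c.thumbprint = dek.encryptor_thumbprint
-- An asymmetric key created FROM PROVIDER carries the provider's GUID.
LEFT JOIN sys.cryptographic_providers AS cp
    ON cp.guid = ak.cryptographic_provider_guid
-- tempdb is encrypted automatically once any database uses TDE; skip it.
WHERE d.name <> 'tempdb'
ORDER BY key_location DESC, d.name;   -- LOCAL rows sort first
```

Rows reported as LOCAL are the ones to review against the external key server recommendation; databases with no DEK at all do not appear in the result and need a separate check.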

Download our podcast "Securing Microsoft Windows Azure with Encryption & Key Management" for more information on protecting sensitive data in Microsoft Azure with encryption and key management, best practices for managing encryption keys, and what to look for when deciding on an encryption key management solution.

Topics: Compliance, cloud, Microsoft Windows Azure

Hosting and Cloud Provider PCI Compliance Confusion – No Magic Bullet

Posted by Patrick Townsend on Jun 15, 2012 1:47:00 PM

Customers moving to a hosting provider or cloud provider are often confused about PCI DSS compliance regulations, and what their responsibilities are in that environment. Some companies feel that they can avoid compliance concerns by moving to a cloud service. Some feel that they are no longer under compliance regulations at all in that environment. I heard this comment just this week:

“I don’t need to worry about compliance because my hosting provider says they are PCI compliant.”

This is dangerously wrong.  Let’s sort this out.

First, hosting providers who say they are PCI compliant are usually talking about their own systems, not about yours. Their credit card payment application is PCI compliant, they run the required vulnerability assessments on their payment processing applications, they collect system logs, and so forth. All of these things are required by the hosting or cloud provider for their own systems to be PCI compliant. They aren’t talking about your applications and data.

This does not make you automatically PCI compliant when you use their platforms or applications. You still bear the responsibility for meeting PCI compliance in your applications. Regardless of the hosting or cloud implementation (Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service, or a hybrid approach), you are always responsible for PCI compliance of your data.

What does the PCI Security Standards Council (PCI SSC) say about cloud environments?

The hosted entity (you) should be fully aware of any and all aspects of the cloud service, including specific system components and security controls, which are not covered by the provider and are therefore the entity’s responsibility to manage and assess.

And,

These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted (by you) only based on rigorous evidence of adequate controls.

As with all hosted services in scope for PCI DSS, the hosted entity (you) should request sufficient assurance from their cloud provider that the scope of the provider’s PCI DSS review is sufficient, and that all controls relevant to the hosted entity’s environment have been assessed and determined to be PCI DSS compliant.

Simply put, you are responsible for understanding which parts of PCI compliance a cloud vendor can help you with, and which parts they can’t.

There is no cloud implementation that relieves you of the responsibility of protecting your data. See section 4.3 in this PCI guidance.

What does this mean from a practical point of view?

This means that you must meet all of the PCI DSS requirements for your cloud implementation. You may be able to take advantage of some PCI compliant services provided by the hosting or cloud vendor, but you must have the cloud vendor provide you with guidance, documentation, and certification.  You are not off the hook for responsibility in these areas.

Please note the chart on page 23 of the PCI cloud guidance. There is no hosting or cloud implementation that covers your data. You are always responsible for protecting your customer’s cardholder data. This means complying with PCI DSS Section 3 requirements to encrypt the data and protect the encryption keys.

There is no magic bullet. You have to do this work.

Living through a data breach is no fun, and I would not wish this experience on anyone. In hosted and cloud environments, ignorance is not bliss.

Stay safe.  For more information, download our whitepaper Meet the Challenges of PCI Compliance and learn more about protecting sensitive data to meet PCI compliance requirements.


Patrick

Topics: Hosting, PCI DSS, cloud, PCI

Security in the Cloud

Posted by Patrick Townsend on May 5, 2011 9:37:00 AM
We've been tracking the growing need for encryption and key management to secure the mass of data that is (or soon will be) residing in the Cloud. To address this issue, a security group was recently formed that is completely focused on Cloud security. If you’ve not visited the Cloud Security Alliance web site, it is well worth a visit at www.cloudsecurityalliance.org.

The alliance has attracted top tier talent in the security and audit communities, and has published guidance on issues that should concern anyone considering deploying Cloud solutions.

The guide covers three basic models of cloud deployment – IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). It goes on to discuss the necessary differences in approaching security in the Cloud. It’s a nicely done, high-level guide to security in the cloud.

Section 11 in the guide is on encryption and key management, which is the focus of our company and products. Their recommendations on encryption are spot-on. Because of co-tenancy and shared resource management on cloud platforms, security professionals recognize that there is an elevated risk of loss. Cloud users need to take extra steps to protect sensitive information. Encrypt data in motion, even between different applications and environments on the same cloud; encrypt data at rest and in archival storage; encrypt data on backup media and ensure that you have access to the encryption keys in a non-cloud environment.

The recommendations on key management are also very interesting. The alliance has recognized that weak key management is much more of a problem in Cloud environments. Here is a sample and summary of some of their recommendations (you can get the full report at their web site):

Key stores must themselves be protected in storage, transit, and backup. Encryption keys should never be stored in the clear, and keys should never be stored on the platform where they are used.

Access to keys should be controlled, and the users of encryption keys should not be the ones storing and managing the keys. This means you should never use native operating system account management as the access control mechanism for key management.

Secure backup and recovery of key management systems is more important. There are special requirements for backing up key management systems.

Segregate key management from the cloud provider to avoid conflicts in the event of legal disclosure requirements. This will be a real challenge for companies that use Clouds for substantially all of their operations.

Ensure that encryption adheres to industry and government standards. Of course, the only way to ensure adherence to standards is to insist on NIST certification of encryption and key management solutions. For example, FIPS-140 certification should be a requirement for a key management solution.

These are just some of the recommendations in this important guidance. If you are considering the Cloud as a home for your applications and systems, this guide is definitely for you.

For further information, we have produced a podcast titled Key Management Best Practices: What New PCI Regulations Say.

Patrick

Topics: security, cloud