Townsend Security Data Privacy Blog

Affordable Encryption Key Management?

Posted by Liz Townsend on Aug 23, 2013 8:47:00 AM

“Encryption and key management can’t become endemic the way it needs to be without being easy and affordable. That’s a fundamental fact.” - Patrick Townsend, Founder & CEO of Townsend Security


Every day securing sensitive data becomes more and more important. With sensitive information being entered into databases, and many databases moving to the cloud, the risks associated with unprotected data increase exponentially. Data such as credit card information, social security numbers, financial information, and protected health information (PHI) gets dumped into internal IT networks as well as the stratosphere of the cloud. Without adequate data security tools, businesses are sitting ducks when it comes to data loss.

Unfortunately for a lot of organizations, the security tools their IT departments have deemed “adequate” are mostly firewalls and other access prevention mechanisms. Today, however, it is widely acknowledged by security professionals that these mechanisms are easily breached by hackers. In fact, many data breaches are simply caused by employees mishandling data. Because firewalls don’t keep data secure, industry regulators such as the Payment Card Industry Security Standards Council and HIPAA/HITECH Act mandate or strongly recommend that organizations use strong encryption and encryption key management to secure the data itself. If encrypted data is compromised, but the encryption keys are securely protected, then the data remains unreadable.

Recently Joan Ross, security expert, published a White Paper outlining critical encryption key management principles that will help organizations overcome one of the biggest barriers to implementing a strong encryption key management solution: The need for a solution that is affordable and quick to deploy.

Time, money, compatibility, and hidden costs are issues every business struggles with. Almost every single successful, new innovative technology these days is designed to help individuals or businesses reduce time, save money, and increase compatibility between devices--unfortunately, the hidden costs sometimes persist. You see simplification driving down costs with tools such as virtualization and cloud computing, for example. These technologies are so effective at helping businesses reduce costs that more and more people are using them every day.

However, as businesses move more and more data into virtualized and cloud platforms, securing that data becomes even more difficult due to the inherent complexities of these environments. As this happens it’s important to remember that data security shouldn’t fall by the wayside.

With over 25 years in the data security industry, Ross addresses in her White Paper the issues of affordability and hidden costs in effective encryption key management systems. When choosing a key management vendor, Ross reiterates that hidden costs can quickly add up, resulting in a solution that becomes too exorbitant to execute. Transparency, she urges, is critical to a successful relationship with a key management vendor. Achieving affordability and transparency is possible today because there are vendors who want to work with customers--and who believe that cost should not be a barrier to good data security.

In Joan’s words: “Data security has come a long way within just the past few years.  Organizations no longer have to continue to maintain current patchwork methods because there are no available, cost-effective, or interoperable solutions that easily solve their problems.  Encryption and encryption key management are now industry standards and work across both legacy and newer business systems, multi-platform and multi-tenant networks, remote access workstations, geographical offices, data centers, and third-party business partners.”

Download the White Paper "Industry Must Haves for Effective Encryption Key Management" to learn more about must-haves in an encryption key manager and how to ensure your data is fully protected.


Topics: Data Privacy, Encryption Key Management

Gambling with Data: Gaming Industry Must Protect Credit Cards

Posted by Liz Townsend on Aug 14, 2013 11:11:00 AM

More than any other industry, it is surprising that the gaming industry struggles with protecting customer credit card information. For businesses that deal in money, you’d think that protecting this asset would be their number one concern. However, just like every other industry, some casinos still lack many proper controls such as encryption and encryption key management to keep customer card data safe.


The truth is, there are so many credit and debit card transaction points from the moment a customer walks into a casino. At every single point a customer swipes their card, that card information needs to be encrypted. This isn’t just a best practice--credit card encryption is mandated by the Payment Card Industry Security Standards Council (PCI-SSC). This means that at any point during any transaction, credit card numbers should never be transferred, processed, or stored “in the clear.” PCI also sets regulations around how businesses handling credit card data should manage encryption keys.

Even though encryption key management is required by PCI, not every business manages their encryption keys, and if they do, not every business does it right. Just like in the financial world, there are several critical encryption key management “best practices” that should be put in use in order to manage encryption keys in the most secure way possible. The number one risk associated with not following best practices is data loss. A data breach of credit card numbers can be devastating, especially if your business relies on customer loyalty.

Whether you’re a casino, gaming vendor, or gaming ISV providing card processing applications to casinos, always look for an encryption key management solution with these 3 features:

  • Follows Best Practices - Your encryption key management vendor should have best practices integrated into their solution in order to guarantee your success. Best practices include having certified solutions, using industry standard encryption, and implementing controls such as dual control and separation of duties.
  • World Class Support - When protecting critical customer data, your reputation is only as good as your encryption key management vendor’s reputation for providing solid products and world class support. Choose a vendor that has a reputation for helping customers.
  • World Class Partner - If you’re a gaming ISV that sells applications that handle credit card data inside casino IT networks, you should be offering your customers encryption key management to protect that data. Choosing an encryption key management partner is a big decision, and you should look for one with a powerful solution that will grow with you and is focused on your success.

The gaming industry isn’t exempt from needing to protect sensitive data, although it is sometimes the industry that flies under the radar and has some of the biggest issues around data security. As we have seen, data breaches "are not a matter of if, but when." Encryption key management is fundamental to protecting yourself from a data breach. By protecting yourself from a breach, you in turn will maintain your customers' loyalty to your casino - because who wants to play at a casino that gambled with their personal information and lost?


Topics: Data Privacy, Encryption Key Management, Hospitality/Gaming

AES vs PGP: What is the Difference?

Posted by Victor Oprescu on Jul 9, 2013 12:04:00 PM

In the world of encryption there are many different names for encryption, but probably the two most common would have to be AES and PGP. But not everyone knows what these acronyms stand for. In today’s world of TLAs (Three Letter Acronyms) it’s easy to feel left behind in a data security conversation when they start replacing every other word. OMG!

First we’ll break both of them down a bit and then we’ll compare them to each other.

AES Encryption

AES, or Advanced Encryption Standard, as we know it today is the brainchild of two cryptographers who proposed a symmetric key encryption algorithm based on the Rijndael cipher. This algorithm was developed when NIST (National Institute of Standards and Technology) sent the call out to the cryptographic community to develop a new standard. NIST spent five years evaluating fifteen competing designs for the AES project and in 2001 announced the cipher developed by the two Belgians Joan Daemen and Vincent Rijmen as the adopted standard, known as FIPS-197, for electronic data encryption.

AES is a symmetric key encryption algorithm, which essentially means that the same key is used for the encryption and decryption of the data. A computer program takes clear text, processes it with an encryption key, and returns ciphertext. If the data needs to be decrypted, the program processes it again with the same key and is able to reproduce the clear text. This method requires fewer computational resources for the program to complete its cipher process, which means lower performance impact. AES encryption is a good method to protect sensitive data stored in large databases.

There is, however, a time when AES will not be your go-to encryption process. When you need to share sensitive information with trading partners or transfer information across networks, using AES has one downside when it comes to security: You would have to share your encryption key with your trading partners. Sure, they’d be able to decrypt the information you sent them, but they would also be able to decrypt anything else encrypted with that key, and if the key itself became compromised anyone in possession of it could decrypt your data.

PGP Encryption

Enter PGP. PGP stands for Pretty Good Privacy, and before you get too distracted by the name, I can tell you it is actually much better than just pretty good. PGP uses symmetric and asymmetric keys to encrypt data being transferred across networks. It was developed by the American computer scientist Phil Zimmermann, who made it available for non-commercial use for no charge in 1991. To encrypt data, PGP generates a symmetric key to encrypt the data, and that symmetric key is in turn protected by the asymmetric key.

Asymmetric encryption uses two different keys for the encryption and decryption processes of sensitive information. Both keys are derived from one another and created at the same time. They are referred to as a public and a private key, which together make up the key pair. Data is only encrypted with a public key and thus can only be decrypted with the matching private key. The encryption PGP offers is just as strong as that of AES, but it adds the additional security that prevents anyone with just the public key from being able to decrypt data that was previously encrypted with it. Another benefit of asymmetric encryption is that it allows for authentication. After you have exchanged public keys with your trading partners, the private keys can be used to digitally sign the encrypted content, allowing the decryptor to verify the authenticity of the sender.

PGP does require more computational resources, which is why it is usually not recommended for encrypting data in large databases where information needs to be accessed frequently, and each record that you access needs to be run through a cryptographic process.

When you are considering which encryption to use for your sensitive information, choose whichever will suit your needs best. AES is fast and works best in closed systems and large databases; PGP should be used when sharing information across an open network, but it can be slower and works better for individual files.

 


Topics: Encryption, PGP Encryption, Data Privacy, AES, PGP, Webinar, AES Encryption

3 Ways An Encryption Key Management Partner Will Make Your Life Easier

Posted by Liz Townsend on Jul 5, 2013 7:30:00 AM

If your company is an ISV, VAR, or OEM providing software or hardware to businesses who must meet data security compliance regulations (PCI, HIPAA/HITECH, GLBA/FFIEC, etc.), finding the right technology partners to offer your customers the best security available can be a difficult task.


Technology partnerships have a reputation for being difficult and risky. Legal agreements, licensing models, and product performance are just a few examples of serious barriers. Unfortunately in today’s technology climate, there are many examples of technology partnerships that have reinforced this reputation.

When it comes to protecting sensitive information and meeting security compliance regulations, we don’t believe anything should get in the way of offering your customers the best data security tools available. Townsend Security helps businesses of all sizes protect sensitive data with powerful encryption and encryption key management that not only helps companies meet compliance requirements, but will protect them in the event of a data breach.

Here’s how Townsend Security makes partnering with a technology company easier than ever:

  1. Reduced Complexity to Lower Costs - Your technology partner’s product shouldn’t be so complicated that it takes outside consultants, drawn-out projects, and extra time and money to implement. In our eyes, a good partner works hard to make sure their product integrates seamlessly into your existing technology infrastructure. Townsend Security is able to accomplish this quickly and at a lower cost by having the capacity and functionality to specialize our solutions to meet our partners’ needs. We also ease the burden of implementation by providing our customers with a simple and cost-effective licensing model.
  2. Provide Powerful Products - With the staggering number of data breaches that happen every month, there is no excuse for using sub-standard encryption to protect sensitive data. Many companies try to cut corners or meet the minimum standard by using “home-grown” encryption and key management or cheap solutions that don’t adequately protect data. However, when businesses use these solutions, many end up having to re-do their encryption and key management projects in order to comply with data security regulations (which are always becoming more stringent), or even worse, they experience a data breach and realize they can no longer skate by with weak data security. Townsend Security offers powerful, NIST-certified encryption and FIPS 140-2 encryption key management for all legacy platforms and the cloud to help you exceed standards and prevent data loss.
  3. Excellent Back End Support - When it comes to back end support, the people you deal with on a day-to-day basis can make or break a partnership. Townsend Security works closely with our partners to ensure their success. We provide our partners with training, marketing materials, OEM options, as well as easy and cost effective licensing models to get our powerful solutions protecting your customers as soon as possible.

At the end of the day, the technology partner you choose should leverage your existing solutions by making them more powerful. It’s easy to secure data poorly, and it can be difficult to do it well, but Townsend Security has developed and scaled our encryption and encryption key management to eliminate the pains and obstacles of doing data security the right way.


Topics: Data Privacy, Encryption Key Management, partners, OEM

PGP Encryption 101: Should I Give My Trading Partner My Private Key?

Posted by Jared Mallory on Jun 20, 2013 4:48:00 PM

In the world of PGP encryption, we often hear from users who tell us, “My trading partner says they need my private key for encryption. Is it ok to send it to them?” The simple answer to this question is no. Your private key is aptly named “private” because it should never be shared with others. The key intended for distribution is also aptly named as the “public” key.


The longer and more technical explanation of why you shouldn’t give out your private key is a little more confusing.

The PGP process requires that encryption be performed with a public key that your trading partner gives to you to use, if you are going to send encrypted data to them. You cannot encrypt the data with a private key. If your partner requires that the file be signed as a part of the process, then you will use your private key as a signature. In order to read that signature, your trading partner needs the public key that matches your private key, so you must give them that public key. You should never give them your private key.

On the other hand, if someone wishes to send encrypted data to you, you must provide them with your public key in order for them to send you files. Your system should automatically recognize the key that was used to encrypt the file and will select the appropriate private key for the decryption process. You only need to provide the passphrase for the key to validate that you are authorized to access the unencrypted data.

Here’s an example: XYZ Productions uses the services of ABC Personnel Services for payroll management. Each month XYZ sends payroll files to ABC for processing. Due to the confidential nature of the information in the file, XYZ and ABC have agreed to use PGP encryption to protect the data. Both companies export their public keys and send them to one another. As the originator of the file, XYZ uses the ABC public key to encrypt the file before sending it. By doing so, the file can only be decrypted by the holder of the private key. XYZ then uses their private key to sign the file as a means of verifying the origin of the encrypted file. When the file is received by ABC, they validate the signature using the XYZ public key they have been given, then use their private key to decrypt the file for processing.

The safety of the confidential data in the example is protected because the encrypted files can only be read using the private key, which has never left the trust of the key generator.      

When exporting a key to send to a customer, always remember that the key type identifies whether the key should be shared. Public keys are for sharing, whereas a private key should always be kept close to home.
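The XYZ and ABC exchange described in this post, together with the "symmetric key protected by the asymmetric key" scheme from the AES vs PGP post above, as an added Go example that is not Townsend Security's or any PGP product's code. It assumes RSA-OAEP, RSA-PSS and AES-256-GCM from the Go standard library in place of the OpenPGP format; `Message`, `Seal`, `Open` and `DemoExchange` are hypothetical names, and the keys and payroll text are constructed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Message is what crosses the open network (layout assumed for this example, not OpenPGP's).
type Message struct {
	WrappedKey []byte // one-time AES key, encrypted to the recipient's public key
	Nonce      []byte // AES-GCM nonce for this message
	Ciphertext []byte // file contents encrypted under the one-time AES key
	Signature  []byte // sender's signature over the three fields above
}

// digest hashes the encrypted parts so the signature covers all of them.
func digest(m *Message) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{m.WrappedKey, m.Nonce, m.Ciphertext}, nil))
	return sum[:]
}

// newGCM builds the symmetric cipher (AES-256-GCM) from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender's side: recipient's PUBLIC key to encrypt, sender's own PRIVATE key to sign.
func Seal(file []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Message, error) {
	random := make([]byte, 32+12) // fresh AES-256 key and GCM nonce for this file only
	if _, err := rand.Read(random); err != nil {
		return nil, err
	}
	sessionKey, nonce := random[:32], random[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	m := &Message{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, file, nil)}
	m.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest(m), nil)
	if err != nil {
		return nil, err
	}
	return m, nil
}

// Open is the recipient's side: verify with the sender's PUBLIC key, then decrypt with its own PRIVATE key.
func Open(m *Message, senderPub *rsa.PublicKey, recipientPriv *rsa.PrivateKey) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest(m), m.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature does not match the sender's public key: %w", err)
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, m.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("this private key cannot unwrap the AES key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// DemoExchange replays the XYZ -> ABC payroll transfer with constructed keys and data.
func DemoExchange() (plain string, outsiderErr, forgedErr error) {
	xyz := must(rsa.GenerateKey(rand.Reader, 2048))      // sender
	abc := must(rsa.GenerateKey(rand.Reader, 2048))      // recipient
	outsider := must(rsa.GenerateKey(rand.Reader, 2048)) // holds neither party's private key
	file := []byte("constructed sample payroll record")
	msg := must(Seal(file, &abc.PublicKey, xyz))
	got := must(Open(msg, &xyz.PublicKey, abc))          // ABC: XYZ's public key + its own private key
	_, outsiderErr = Open(msg, &xyz.PublicKey, outsider) // public keys alone cannot decrypt
	forged := must(Seal(file, &abc.PublicKey, outsider)) // signed by someone other than XYZ
	_, forgedErr = Open(forged, &xyz.PublicKey, abc)
	return string(got), outsiderErr, forgedErr
}

func main() {
	fmt.Println(DemoExchange())
}
```

Only public keys appear as arguments on the other party's side of each call, which is the reason a request for your private key should always be refused.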

Topics: Encryption, Data Privacy, PGP

Data Protection - Who Knows Where Your Keys Are Hidden?

Posted by Michelle Larson on May 31, 2013 3:49:00 PM

When protecting your data in SQL Server, you need to be as informed as the hackers!

Whether you are the CEO or the database administrator of your company, you need to be aware of what data you are storing and the different compliance regulations that require encryption and key management.

A data breach can often go undetected for quite some time, but when it happens (and these days it is “when” not “if”) it can cause some serious issues for your company and your customers!

While “the bad guys” get more creative every day, being aware of their tactics and following security best practices can slow them down and hopefully thwart their attempts. Research and “post-data breach” studies have shown that 80% of data breaches happen with a fairly low-tech “old school” type of attack known as SQL injection. In fact, Injection is #1 on the “2013 Top 10 List” of simple security problems from OWASP (the Open Web Application Security Project).

While not the only method, SQL injections are still one of the most common ways of attacking web services by sending malicious SQL code in parameter fields, with the intent that the server will execute the code. When designing web applications or internal applications you need to remain aware of SQL injection opportunities beyond just the systems securing credit card data. So many people think “we don’t have that problem.” However, if your application is on the internet… you do. Features such as login pages, support or product request forms, and shopping carts are all examples of web applications that can make your databases vulnerable. Hackers can gain entry through these other areas of your company website and navigate their way to more valuable data. Once inside your database, they can retrieve or delete sensitive information such as credit card numbers, clients’ personal information, or company records. Safeguards such as encryption and key management can help prevent those losses only if they are in place.

Good practices to prevent or mitigate attacks like SQL injection and the loss of unencrypted data:

  • Analyze your website and web applications for vulnerabilities.
  • Look for signs of SQL injection in your system logs, and make monitoring a priority.
  • Remember that internal apps are just as susceptible as public apps.

From a best practice point of view, as well as a regulatory compliance view, encrypting your data is a fundamental security step for any system. So even if the information is “retrieved”, it isn’t in a readable format and the hackers won’t be able to use it! While data encryption used to seem like a daunting task, that is no longer the case. SQL Server 2008/2012 Enterprise Edition and above includes Transparent Data Encryption (TDE), which allows for encryption without application changes. You can now deploy key management that is easy to use and affordable with Alliance Key Manager, our FIPS 140-2 certified encryption key management HSM.

Just keep in mind that the single biggest data security issue is failure to protect the encryption key. Always keep your keys off the server and out of the system that holds your encrypted data.  Think of it like the lock on your front door…  you wouldn’t lock up your house and then tape the key next to the handle… would you?

We would like to offer you a complimentary copy of our eBook: “Encryption Key Management Simplified”, which is a fundamentals guide for both IT administrators and business executives alike.  



As always, your comments and questions are welcome!

 

Topics: Data Privacy, Encryption Key Management, SQL Server, Executive Leadership

How LivingSocial Could Have Avoided a Data Breach

Posted by Liz Townsend on May 1, 2013 3:15:00 PM

Lack of security around passwords, emails, usernames, and other personal information leads to another easily preventable, massive data breach.

Last week we saw another major data breach of personal information due to a hacker who gained access to names, email addresses, dates of birth, and passwords protected using hashes and salt. When this story started to pop up in the news we were pretty surprised by what happened. Didn’t this exact same breach happen to LinkedIn nine months ago?

In June of last year LinkedIn suffered a similarly huge data breach and lost 6.5 million hashed passwords. The passwords were posted online and within a few hours over 60% of the passwords had been exposed. Why were these passwords so easy to crack? Because LinkedIn had been “protecting” user passwords using the hash algorithm SHA-1. SHA-1 is a known weak algorithm that is no longer recommended by the National Institute of Standards and Technology (NIST). Today it is a basic industry standard to use the stronger hash algorithm SHA-256 or SHA-512.

In the end, however, LinkedIn’s breach was really more of a headache than a disaster. A class action lawsuit brought against LinkedIn was thrown out due to lack of clear evidence that any real damage was caused by the breach. Although many consumers and data security experts had probably hoped that the breach would be a wake-up call to the e-commerce community, and that anyone still using SHA-1 would upgrade their data security practices immediately, it seems that many organizations have done nothing.

This is so surprising to us, not only because today using better data security such as strong hashing algorithms is considered to be trivially simple, but because in many states personal information such as first and last names, birthdates, and email addresses is considered to be personally identifiable information (PII) under state data security law. Most of these laws provide safe-harbor from data breach notification if a company protects this information using industry standard tools.

In the end we hope that other businesses take note from this series of data breaches and update their data security.

How can you prevent a data breach of passwords and emails from happening to you?

  1. Use only an up-to-date hash method such as SHA-256 or SHA-512
  2. Use a hash based on industry standards - NIST publishes recommendations and standards. Always follow the most up-to-date standards.
  3. Use salt for an additional layer of security
  4. Protect the salt from loss or disclosure
  5. Use two-factor authentication
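One way to apply the hashing and salt items in the list above, as an added Go example rather than code from LinkedIn, LivingSocial or Townsend Security. It goes one step beyond the list by iterating the salted SHA-256 hash with PBKDF2 (the construction described in NIST SP 800-132); the function names, the 100,000 iteration count and the sample password are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// UnsaltedSHA1 is the weak "before" scheme: one fast hash and no salt, so
// equal passwords always produce equal digests.
func UnsaltedSHA1(password string) string {
	sum := sha1.Sum([]byte(password))
	return hex.EncodeToString(sum[:])
}

// PBKDF2SHA256 derives 32 bytes with PBKDF2-HMAC-SHA256 (a single output
// block). It is written out by hand only so the example needs nothing beyond
// the standard library; use a maintained implementation in real systems.
func PBKDF2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian index of the first (only) block
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// DeriveHex wraps PBKDF2SHA256 so it can be checked against published test vectors.
func DeriveHex(password, salt string, iterations int) string {
	return hex.EncodeToString(PBKDF2SHA256([]byte(password), []byte(salt), iterations))
}

// DefaultIterations is an assumed work factor for this example; set it from current guidance.
const DefaultIterations = 100000

// Record is what the account table stores instead of the password.
type Record struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// NewRecord hashes a password under a fresh random 16-byte salt.
func NewRecord(password string) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	hash := PBKDF2SHA256([]byte(password), salt, DefaultIterations)
	return Record{Salt: salt, Iterations: DefaultIterations, Hash: hash}, nil
}

// Verify recomputes the hash with the stored salt and compares in constant time.
func (r Record) Verify(password string) bool {
	candidate := PBKDF2SHA256([]byte(password), r.Salt, r.Iterations)
	return subtle.ConstantTimeCompare(candidate, r.Hash) == 1
}

// DemoPasswords stores one constructed password for two accounts under both schemes.
func DemoPasswords() (legacyCollide, saltedCollide, rightOK, wrongOK bool) {
	const shared = "Summer2013!" // constructed sample password
	legacyCollide = UnsaltedSHA1(shared) == UnsaltedSHA1(shared)
	first, err := NewRecord(shared)
	if err != nil {
		panic(err)
	}
	second, err := NewRecord(shared)
	if err != nil {
		panic(err)
	}
	saltedCollide = subtle.ConstantTimeCompare(first.Hash, second.Hash) == 1
	return legacyCollide, saltedCollide, first.Verify(shared), first.Verify("summer2013!")
}

func main() {
	fmt.Println(DemoPasswords())
}
```

With unsalted digests, every account that shares a password shares a stored value, so one recovered password exposes all of them; the per-account salt removes that link and the iteration count raises the cost of each guess.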

How can you prevent a data breach that compromises your customers’ very sensitive data such as credit card information, social security numbers, and private health information (PHI)?

  1. Use AES Standard Encryption to protect critical sensitive data such as credit card information and social security numbers.
  2. Use a FIPS 140-2 compliant key management system that implements key management best practices such as dual control, split knowledge, and separation of duties.
  3. Use a system monitoring tool that will alert you to important changes in your database such as unauthorized access in real time in order to stop suspicious activity before it’s too late.

To learn more about how companies such as LivingSocial and LinkedIn could have avoided a data breach, download the Podcast: How LinkedIn Could Have Avoided a Data Breach.


Topics: Data Privacy, Data Breach

Merchants Who Passed PCI-DSS Audit Last Year May Fail Next Time

Posted by Patrick Townsend on Apr 26, 2013 7:59:00 AM

In 2013 merchants should ask: Will we pass our PCI audit this year using the same technology and standards we used last year? The answer is possibly not.

Businesses that accept credit cards have to meet PCI-DSS compliance requirements and encrypt credit card numbers using industry standard encryption and good encryption key management practices. They are often shocked and surprised when, after passing a compliance audit for a number of years, they suddenly fail an audit around encryption key management practices. Audit failure due to poor encryption key management has begun to happen more frequently within the past year.

Let’s take a look at one scenario of a customer we helped this year.

A large retailer with a Level 1 merchant designation processes tens of thousands of credit card transactions every year. Card transactions originate through point-of-sale (POS) terminals in stores, through web-based eCommerce applications, and telephone orders. A pretty typical retail operation in many ways. This Level 1 merchant had passed on-site QSA audits for several years. Suddenly, this year they failed their PCI-DSS audit.

Why did this happen? Because the encryption key used to protect credit card numbers was stored on the same server as the protected data.

In the last year or so, failing a PCI-DSS audit due to poor encryption key management has actually been far more common than you might think. In this case a new QSA auditor was assigned to the merchant, and the auditor was quite knowledgeable about security practices in general, and key management in particular. The previous auditor had granted the merchant “compensating controls” for their encryption key management strategy - but the new auditor found that the compensating controls were inadequate for proper encryption key protection. Thus the audit failure and the need to remediate encryption key management.

Here are a few thoughts that might be helpful to merchants reviewing their encryption key management practices:

  • PCI DSS standards are not set in stone. The PCI Security Standards Council has been very transparent in letting merchants know that the standards can and will evolve as security threats evolve. What you are doing today may not be adequate to protect your systems tomorrow.
  • QSA auditors vary in their assessment of risk and requirements to meet the standards. And as the security threat environment changes, they can revise their assessment practices and requirements for merchants. Compensating controls that might have been appropriate in the past may no longer be appropriate.
  • In the early years of PCI audits, the focus may have been more on basic compliance with high priority security tasks given priority. As time has gone by, attention is now more focused on tightening up critical components like encryption key management. Weak encryption key management practices and compensating controls are falling by the wayside.
  • QSA auditors are a lot more educated on the issues of Dual Control and Separation of Duties for encryption key management systems. It is almost impossible to implement an encryption key management system on the same platform as protected data and meet these security requirements. Protecting encryption keys with purpose-built key management hardware security modules (HSM) is now a typical requirement for PCI DSS compliance.

So what can a merchant do if they want to make sure they will pass their PCI-DSS audit this year?

  • Review your encryption key management implementation now. If your implementation does not meet security best practices for encryption key management, start planning on what you will do to remediate the problem.
  • Ask yourself: Were we operating under compensating controls for encryption key management? It would be wise to assume these won’t be renewed at some point in the future.
  • Ask yourself: Are we storing our encryption keys on the same server as the credit card number? Start planning now on how you will respond in the event of an audit failure.

Good encryption key management is no longer a time-consuming, expensive proposition. Our Level 1 merchant was able to remediate the problem in under 30 days with their own IT team and without the need for on-site consultants from Townsend Security. To learn more about encryption key management and meeting PCI-DSS, download our White Paper, Encryption Key Management for PCI-DSS.


Topics: Data Privacy, PCI DSS

What the CEO Needs to Know About Data Security

Posted by Liz Townsend on Apr 22, 2013 8:23:00 AM

Townsend Security recently asked business executive and mid-market expert Todd Ostrander to contribute his expertise and thought leadership on C-level risk management to our most recently published eBook, Turning a Blind Eye to Data Security (Mending the Breakdown of Communication Between CEOs and CIOs).


In his article, Todd Ostrander discusses several key points around data security and business risk including:

  • The roles and responsibilities of a CEO around data security
  • The high costs associated with a data breach
  • How unencrypted data represents a significant business risk
  • Why proper encryption key management is needed to prevent a breach

In addressing these issues, Todd Ostrander urges us to implement the solution that many businesses have yet to adopt.

Read an excerpt from his article below:

“In any organization, the CEO has many jobs. At the macro level, a CEO’s job is to instill a high level of confidence in his or her stakeholders, including customers, investors, employees, suppliers and partners. To accomplish this, a CEO must establish a level of trust with these stakeholders in order to inspire, encourage, and engage them to take part in the entity’s vision and pursuits. Ultimately, the organization uses its stakeholders’ trust—their confidence in the CEO and his or her team’s ability to execute—to grow and build its value.

Every business has inherent risks in its execution—such as hiring dependable employees and maintaining financial stability. In order for a CEO to instill the kind of confidence that increases a business’ value, he or she must be able to identify and address each of the risks in the business.  Therefore, risk mitigation by nature becomes a core component of a CEO’s job.

In a pre-internet world, the risk of data loss was limited to a physical breach of an actual building. Security guards, fences, and access control systems were established to keep people away from sensitive information. However, as today’s world has become electronically connected at virtually every level, businesses need to focus not only on preventing access to data but also on protecting the data itself. This is where a comprehensive data protection strategy comes into play.

Most CEOs are well aware that encryption methodologies were created for their CIOs to be able to protect data in their networks. However, encryption is such a new field that few CEOs understand all of the risks associated with unprotected data as well as evolving industry-based regulations which they must comply with.

CEOs may not know that even if their data is encrypted, without proper encryption key management, they are still at risk and do not comply with many industry regulations. Without good key management practices, you are practically inviting hackers to break in to your system…”

Todd Ostrander is a professional with over 25 years of F1000, mid-market and emerging market startup experience. Throughout his career, he has been at the forefront of groundbreaking changes that create new markets and opportunities. While he has a broad range of skills from finance to procurement, strategic marketing and product strategy, his core functional expertise is in exploiting existing markets as well as identifying and creating new market opportunities with specific focus on go-to-market, intellectual property, and capitalization strategies. Within the technology industry, he has specific expertise in workflow management, Software as a Service (SaaS), wireless, digital marketing, and mobility.

Topics: Data Privacy, Business Risk

Should Solution Providers Offer Encryption Key Management?

Posted by Luke Probasco on Apr 18, 2013 4:36:00 PM

Like any business, for a solution provider to succeed they must meet the evolving needs of their customers.  In the IT world, we all know that data management is one of the most important, complex, and fast growing needs of businesses. From disk backups to managed hosting and cloud services, solution providers are moving towards offering more of these services and at lower costs. Unfortunately, with the amount of data storage and management growing at an exponential rate every year, a major need of most businesses that goes overlooked is data security.

Today almost every business must adhere to data security regulations set forth by industry standards groups. In retail, these standards are Payment Card Industry Data Security Standards (PCI-DSS). In the medical vertical, HIPAA/HITECH Act mandates the protection of sensitive patient data. Other regulations such as SOX, FISMA, and GLBA/FFIEC cover most other entities. All of these regulations mandate or recommend the use of AES encryption and encryption key management.

We would all like to think that IT directors and executives of every business adhere to these standards and recommendations and choose solution providers that provide them with encryption key management. However, as we witness easily preventable data breaches every week in the news, we know that this is simply not true.  

What IT executives and solution providers don't seem to realize yet is that in the event of a major data breach, at least two parties will take the fall: The IT executive and the solution provider(s).

Take for example the Utah Department of Health data breach that occurred in March of last year. This highly publicized breach was caused by a hacker who accessed 280,000 social security numbers as well as other private health information (PHI) and personally identifiable information (PII) such as birth dates, home addresses, and taxpayer ID numbers.

This attack was considered easily preventable.

How are these kinds of attacks easily preventable? When encryption and key management best practices are used, this kind of data is rendered totally unusable by hackers. That's why encryption and key management are considered the highest standard of data security and why they are mandated by industry regulations such as PCI-DSS and GLBA/FFIEC. If AES standard encryption and encryption key management best practices were used in Utah's Department of Health IT center, it is unlikely that the data breach would have occurred.

In the end, Utah's CTO was pushed to resign and the technology used to process data was totally overhauled.

Unfortunately, companies in general are pretty confused about when, where, and how to encrypt sensitive data, even though both encryption and encryption key management are recommended, if not mandated, by most industry regulations. Worst of all, many companies who know they should be encrypting their data don't do it because of budget (a direct indicator of priorities)! This results in a LOT of unprotected sensitive data.

Ultimately, consumers assume that the businesses they patronize are protecting their personal data, but the truth is, not all of them are!

The threat of data breaches and cyber attacks is not going away. In fact, these events are increasing every year. Solution providers offering data management tools to companies in retail, healthcare, finance/banking, and many other industries should absolutely be offering their customers encryption and encryption key management. Several solution providers currently offering encryption and encryption key management are already at a competitive advantage to providers that don't.

To learn more about how easy encryption key management can be, download the podcast, “Simplifying Encryption and Key Management: Removing Complexity and Cost” featuring data privacy expert Patrick Townsend.

Topics: Data Privacy, Solution Integrators/Providers