Townsend Security Data Privacy Blog

Heartbleed Vulnerability and Townsend Security Products

Posted by Patrick Townsend on Apr 10, 2014 10:59:00 AM

heartbleedSecurity researchers have discovered a vulnerability in certain versions of the very popular OpenSSL application that can lead to the loss of critical sensitive information. The vulnerability is called Heartbleed because if affects the TLS heartbeat function in secure, connections. Because OpenSSL is used by so many web applications, and because this vulnerability can be exploited, the severity is very high.

Townsend Security does not use the affected version of OpenSSL for TLS session security in any of its products, and is not affected by the Heartbleed vulnerability.

For more information about the Heartbleed security vulnerability and what you can do, please visit the following site:

http://heartbleed.com/

While Townsend Security applications are not subject to this vulnerability, it is very important that you address other applications that are vulnerable. The loss of sensitive information in one application can lead to the compromise of an otherwise unaffected application. For example, the loss of passwords in one application can lead to the compromise of another application if the same password is used. And personally identifiable information lost from one application can be used for fraudulent impersonation in another application or web service.

Patrick

Topics: Data Security, Data Privacy, Data Breach

Key Connection - The First Drupal Encryption Key Management Module

Posted by Michelle Larson on Feb 21, 2014 3:38:00 PM

Securing Sensitive Data in Drupal made possible through partnerships!

The Drupal content management system may have started-out in a dorm room, but it has become a very successful open source platform that is being adopted at the Enterprise level. Drupal is running everything from small business websites, universities, robust e-commerce environments, Fortune 100 sites, to projects like WhiteHouse.gov! As Drupal developers build out these large-scale installations, the need to keep them secure becomes more apparent due to the volume of information being collected. Sensitive data such as credit card numbers and protected health information (PHI) fall under industry data security regulations such as PCI-DSS and HIPAA/HITECH and must be encrypted. Requirements for protecting information go beyond just credit card numbers & expiration dates, but includes names, email addresses, ZIP codes, usernames, passwords… any stored data that can personally identify an individual.

Securing Sensitive Data in Drupal Drupal developers and users who need to protect sensitive data know that storing encryption keys within the content management system puts data at risk for a breach, yet storing encryption keys locally in either a file protected on the server, in the database, or in the Drupal settings file has been the norm. None of these methods meet data security best practices or compliance regulations such as PCI DSS, HIPAA/HITECH, or state privacy laws.

While additional compliance regulations may apply depending on industry, this is a basic list of good practical guidance around web-based and virtual environments:

The Drupal community collaborates to develop modules for the platform, sharing knowledge, experience, and creativity. The developers try to avoid duplicate functionality, so the existing Drupal Encrypt module was used as the first step to protecting sensitive data, however the plug-ins for the Encrypt module did not provide secure key retrieval options as the encryption keys were all still found within that same server. Security best practices tell us that personally identifiable information needs to be protected with industry standard AES encryption and that protecting the encryption key away from the data is critical. It became apparent that a key management system that was outside of the Drupal installation was required.

Working together to solve the Drupal data security problem, the security experts at Townsend Security and Drupal developers at Cellar Door Media have released the Key Connection for Drupal solution, which addresses the need for strong encryption and encryption key management within the Drupal framework. Now personally identifiable information collected during e-commerce checkouts and user account that contain names and e-mail addresses can be easily encrypted, and the encryption keys properly managed, by organizations that collect and store that sensitive information.

Drupal developers and Drupal users share a concern about multiple compliance requirements and the liability that goes along with being audited for correctly protecting personally identifiable information. When designing an environment, there is a need to know what methods of encryption you are using, that the encryption key management is implemented correctly, and how secure will the data collection and storage processes be. The Key Connection for Drupal module allows designers to either retrieve a key and encrypt locally, or send the data to Alliance Key Manager (AKM) to perform on board encryption. They have the choice to use the Alliance Key Manager strictly as a key manager, or they can use it as an encryption service as well.

A few benefits of this new Key Connection for Drupal module are:

  • Access to remote key retrieval
  • NIST compliant on-board encryption
  • Encrypting data locally in your database
  • Using a built-in function to allow for PCI compliant encryption to be done off the web server

To learn more, I encourage you to listen to this special podcast to hear Chris Teitzel; CEO of Cellar Door Media, Rick Hawkins; owner of Alchemy Web Solutions, and Patrick Townsend; CEO of Townsend Security, talk about encrypting sensitive data in Drupal. They will also discuss how a Drupal site builder or developer gets access to Key Connection for Drupal, the Alliance Key Manager, and what options are available.

Securing Sensitive Data in Drupal with Key Connection for Drupal module

Topics: Data Security, Key Connection for Drupal, Encryption Key Management, Podcast, partners

Two Factor Authentication on the IBM i - Webinar Q & A Recap

Posted by Michelle Larson on Feb 7, 2014 8:10:00 AM

Two Factor Authentication (2FA) adds a critical layer of security to protect user accounts and prevent fraudulent access that goes beyond password logins.

Have you made time to watch our most recent webinar on Two Factor Authentication? If not, click here to learn more about how 2FA enables companies to increase their security without the high cost of hardware & software integration by using a technology that is already a part of every user’s life, offering a better user experience with little-to-no training required. Also by leveraging your mobile phone as an authentication device, Alliance Two Factor Authentication improves the security of user account access while reducing operating costs typically associated with traditional multi factor authentication methods.   Two Factor Authentication on the IBM i

Here is a summary of the questions asked after the 2FA webinar:

Q: Does two factor authentication integrate into an already existing single sign-on environment?

A: Yes, you can deploy two factor authentication in a single sign-on environment. Alliance Two Factor Authentication runs natively on the IBM i platform, which allows you to use a SSO solution in the IBM i environment and still deploy two factor authentication to the end-user. We implement the second factor authentication on the IBM i platform, which means that we’re not linked to the actual SSO application that might be running on Windows or using an LDAP or active directory implementation. This provides you with better security for those users who are accessing your IBM i platform as it is not possible to then hijack the authentication requests in a PC environment.

Q: What company did you partner with to deliver 2FA messages?

A: Having customers all over the globe, we were very selective in choosing to partner with another company familiar with terms of network availability of two factor authentication. We chose the TeleSign Corporation. Their infrastructure has the ability to detect when SMS text messages may not be delivered, and they will fail-over to other options and take action in other routes. With guaranteed enterprise-level uptime and industry-leading deliverability rates, TeleSign has conducted more than 2.5 billion phone-based authentications and voice verifications around the globe.

Q: In which countries is two factor authentication available?

A: Our partner TeleSign has a strong, mature infrastructure in the European zone, Latin America, Asia, and delivers authentication codes to over 200 countries and that supports 87 languages. They are constantly testing network connections and performance and they've had time to build this very powerful global infrastructure for our Alliance Two Factor Authentication solution.

Q: How long does it take to deploy Alliance Two Factor Authentication?

A: We suggest you test drive our Alliance Two Factor Authentication solution which is available to download from our website. We typically turn around requests for an evaluation license very quickly and can have you up and running the same day. With our complimentary trial, we also provide TeleSign credentials so that customers can actually evaluate two factor authentication on their own systems. We provide you a fully functional 30-day evaluation, yet proof of concept for this application can be done very quickly.

Request your complimentary 30-day evaluation here

Alliance Two Factor Authentication (2FA) 30-day evaluation

We look forward to hearing about how our 2FA solution works for you!

Topics: Data Security, 2FA, Webinar, Alliance Two Factor Authentication

Data Security New Years Resolution

Posted by Patrick Townsend on Jan 7, 2014 12:02:00 PM

If you don’t get the SANS newsletter it would be well worth your time to sign up now. It is a mix of the latest security news, available training classes from SANS, and commentary. This was the leader in the last newsletter of 2013 (emphasis mine):

eBook - Encryption Key Management Simplified

The top story at the end of 2013 could just as well have been the top
story ten years ago. Federal chief information security officers
continue to "admire the problem" by paying $250/hour consultants to
write reports about vulnerabilities rather than paying them to fix the
problem. Sadly most of the federal CISOs and more than 85% of the
consultants lack sufficient technical skills to do the forensics and
security engineering to find and fix the problems.  Paying the wrong
people to do the wrong job costs the U.S. taxpayer more than a billion
dollars each year in wasted spending plus all the costs of cleaning up
after the breaches.  How about a 2014 New Years resolution to spend
federal cybersecurity money usefully: either by ensuring all the
sensitive data is encrypted (at rest and in transit) and/or the
organization implements the Top 4 Controls on the way to implementing
the 20 Critical Security Controls?
- Alan Paller

The news of the Target data breach was tragic for both consumers and for the company. The story would have been quite different if the credit card numbers had been encrypted. But the sad truth is that many organizations, both public and private, are still vulnerable to the loss of unencrypted credit and debit cards.

Too often the Payment Card Industry Data Security Standard (PCI-DSS) is treated like a check-box exercise, and not like an active, on-going call to arms. And too many merchants remain vulnerable to this type of loss even today.

I agree with Alan Paller - we need to step well beyond PCI DSS and other compliance regulations and take a far more active and aggressive stance on protecting sensitive data. Minimally this should include:

  • Encrypt all sensitive data with industry standard encryption (e.g. 256-bit AES)
  • Store encryption keys away from the data they secure
  • Protect encryption keys with an Enterprise Key Management system
  • Actively monitor encryption and key management systems

Encrypting sensitive data is only one thing you need to do as a part of a security strategy. But as recent events demonstrate, you don’t have a security strategy without encryption and proper key management.

Best wishes for 2014!

Patrick

Encryption Key Management Simplified eBook

Topics: Data Security, Best Practices

Encryption & Key Management & System Logging & Data Security & Partnerships

Posted by Michelle Larson on Jan 2, 2014 10:07:00 AM

Our Top Five Blogs of 2013

#1 top blog of 2013

As we start off 2014, take a look back at five of our most popular blogs from the past year. Great topics, great content… and more to come!

MySQL and Encryption Key Management - 3 Ways Alliance Key Manager Encrypts MySQL Database and Protects Encryption Keys

Summary: With a strong encryption key management solution you can encrypt data in a number of ways in MySQL databases to meet compliance regulations for proper encryption key management. MySQL is the most popular open source relational database system and is in wide use in commercial and non-commercial environments. It is natural that developers and security professionals want to know how to encrypt sensitive information stored in MySQL databases.
Download:  eBook – Encryption Key Management Simplified

 

#2 top blog of 2013AES vs PGP: What is the Difference?

Summary: AES is a symmetric key encryption algorithm, which essentially means that the same key is used for the encryption and decryption of the data. PGP uses symmetric and asymmetric keys to encrypt data being transferred across networks. The encryption PGP offers is just as strong as that of AES, but it adds the additional security that prevents anyone with just the public key from being able to decrypt data that was previously encrypted with it.  AES is fast and works best in closed systems and large databases; PGP should be used when sharing information across an open network, but it can be slower and works better for individual files.
Download:  Webinar – 4 solutions for Data Privacy Compliance

 

#3 top blog of 2013Understanding Log Management on the IBM i

Summary: System logging is important across all operating systems… Because the IBM i system can handle multiple applications, it doesn’t log information like others do.  The IBM i collects logs simultaneously from multiple sources and deal with large volumes: Up to 3,500 events per second…250 Million of events per day!  The essence of good reporting is externalizing the systems logs and collecting them in a central repository which helps remove the risk of tampering. Compliance regulations recognize the need to watch all users – including the most powerful users, because network originated threats to the IBM i are often not noticed or quickly responded to by IT security professionals without close monitoring of system logs.
Download:  Webinar – Understanding System Logging on the IBM i

 

#4 top blog of 2013Why Partner With Townsend Security? What To Look for in a Strong Technology Partner

Summary: Businesses only want to partner with a technology company that has a good reputation. Mark Foege (Business Development Consultant and Principal at the Colvos Group) recounted, “...and that’s why they were excited to partner with Townsend Security. We realize that everything we do impacts the reputation of our partners. That’s why it’s important to us to provide solid, high value products, to make sure we are offering consistently first class support, and we work with our partners to make sure that their customers are completely delighted." Watch the YouTube Video with Townsend Security CEO Patrick Townsend and Mark Foege, they outline the importance of building strong technology partnerships for success, and what to look for in a partner.

 

#5 top blog of 2013What is Encryption Key Management?
Key Lifecycle & Rotation Explained

Summary: Encryption key management refers to the ability of a system to administer an encryption key through the length of its crypto-cycle. From the creation of a key, through it’s use, and eventually to its deletion, an encryption key management system needs to be able to securely and efficiently handle the encryption keys.
Download:  eBook  - Encryption Key Management Simplified

 

Do you have topics you want to learn more about?  Let us know by leaving a comment here, we will get back to you with an answer... and probably blog about it too!

 

Topics: System Logging, Data Security, Best Practices, Encryption Key Management, Partner

Would Your Data Security Strategy Pass an Audit?

Posted by Michelle Larson on Dec 20, 2013 9:27:00 AM

Are You Confident You Are Meeting Compliance Requirements?

Why do we have so many different compliance regulations that affect our companies and our need to protect data? The fact is that there are people out there trying to access that sensitive information and devastating data breaches happen on a regular basis. While breaches are very difficult for companies that suffer the loss of customers, brand damage, and stiff financial penalties, it is the consumers and individuals who are most impacted by the loss of personal information, credit card numbers, or bank account numbers. Because these breaches happen and have such a catastrophic effect on individual people, state and federal and private regulations have been necessary to help motivate companies to try to protect that sensitive information and keep it out of the hands of those who would use it to commit the financial crime and fraud.

Webinar: Would your Data Security Strategy Pass an Audit?

Since most companies fall under a number of compliance regulations, here is recap of the most predominant points:

PCI Data Security Standard (PCI DSS) applies to merchants, public or private, who take credit cards for payment. While PCI DSS applies to payment cards, credit cards, and debit cards (anything to do with electronic payments) there are some core components of section 3.5 and 3.6 that require encryption and proper key management:

  • You must encrypt credit card numbers
  • You must use an industry standard encryption (AES)
  • You must provide proper management of encryption keys
  • You must have dual control, split knowledge, separation of duties

PCI section 10 requires logging:

  • Tracking user access to core resources
  • Collecting security events in an un-modifiable log
  • Consolidate the logs across all of our servers
  • Monitor them for potential breaches

HIPAA/HITECH Act covers the medical segment and any partner entity under thefederal law has to comply with data protection for protected health information (PHI) of patients and must meet requirements about protecting patient information and PHI. The most recent meaningful use guidance was very clear that organizations who fall under HIPAA/HITECH must protect patient health information and we must use proper key management as a part of any encryption strategy. They were quite blunt when they said ‘don't store encryption keys on the device with protected data’... there is no gray area there!

GLBA/FFIEC applies to the financial industry (bank, credit union, trading organization, credit reporting agency). Gramm Leach Bliley Act sets standards for protecting information and consumer information. The FFIEC is responsible for publishing guidance, actually performing audits, and enforcing the standards set by GLBA around encryption and key management best practices.

Sarbanes-Oxley (SOX) applies to public traded companies (section 404 - information technology and data protection for stakeholders). SOX provides detail around data protection, guidance around cryptographic key management, and security requirements for data management. They issue very strong guidance for encrypting sensitive data of personally identifiable information (PII) that is being managed by a publicly traded company. SOX closely mirrors the National Institute of Standards and Technology (NIST) which publishes best practices guidance for encryption key management, key management lifecycles, and logging.

In the United States we have a number of state privacy laws, some of them mandate encryption, others strongly recommended it. These laws apply to both public and private organizations of all sizes and provide guidance for breach notification and penalties around data loss. There is a wide recognition that protecting data using industry-standard encryption and proper key management is a basic common safe harbor from having to do breach notification. Additionally there is a proposed federal privacy law that will eventually replace the individual state laws.

What elements do all of these regulations have in common?

  • All are expecting organizations to secure personally identifiable information (anything that can be actually used to individually and specifically identify somebody) with encryption or tokenization and actively monitor their systems
  • Laptops, mobile devices, removable storage, tape archives, or backup archival files must be encrypted
  • Requirements that vendors, business associates, and service providers must meet the same regulations of the industry they are serving
  • Multiple regulations may apply to one company (ie: a doctors office that takes credit card payments would fall under PCI DSS and HIPAA/HITECH)

One of the biggest points of audit and compliance failure is around the encryption key management strategy. While compliance regulations do not mandate FIPS 140-2 validation on a key management solution, auditors will red flag encryption or key management that's not industry-standard. They're looking for certifications like NIST validation of AES libraries or other encryption components and FIPS 140-2 validation of key management solutions. Once you encrypt your data with AES, encryption keys are the secret that you must protect. The nature of an encryption key is that it is unique to you.  It cannot be easily detected or reverse engineered from the data itself. Look to NIST for recommendations about how to manage the creation and lifecycle of an encryption key (when it should be rotated or changed).

What do auditors look for in certifications and standards?

  • Standards-based encryption (AES)
  • FIPS 140-2 validated key management
  • Security best practices of dual control, separation of duties, and split knowledge
  • Policy based security

In terms of developing a data protection strategy, apply the best and strongest data protections provably based on industry standards and security best practices to all sensitive data and remember:

  • Regulations are getting more stringent and specific… not less!
  • Fines and penalties are getting steeper… not cheaper!
  • Define personally identifiable information (PII) broadly…not narrowly!

Also crucial when you begin to consider a data protection strategy and your data is moving across multiple operating systems, databases, and platforms is to look for a common approach to encryption and key management, it will be very helpful in reducing costs and maintenance over the long-term.

I’ve included a link to our recently recorded webinar, which focuses on the IBM i system, but is applicable across most platforms.  There is a great deal of detail and information on how we can help you address compliance regulations and the four core components of a data protection strategy (on the IBM i, or Windows, or Oracle, or a number of other platforms) for which Townsend Security provides solutions:

  • Encryption
    • Data at rest – AES Encryption
    • Whole file encryption with PGP
  • Tokenization
  • Encryption Key Management
  • Secure System Logging

Webinar: Would your IBM i Pass an Audit?  

Please request the webinar download!

Topics: Compliance, Data Security, IBM i, Encryption Key Management, Webinar

The Importance of Computer Programming Education!

Posted by Michelle Larson on Dec 10, 2013 2:05:00 PM

The Hour of Code is Here!

Sometimes things are just so busy, especially with the holiday season in full swing, we miss hearing about really important, really interesting things going on around us. That is pretty much how I am feeling today. How did I make it to Tuesday, Dec 10th without paying attention to the fact that it is National Computer Science Education Week (Dec 9 - 15, 2013)?

“Computer science is a top paying college degree and computer programming jobs are growing at 2x the national average (csedweek.org/promote)”

The main focus this year is on an Hour of Code, a program where people of all ages (especially students) are encouraged to experience an introduction to computer science for at least one hour. It is a movement to get people of all ages to give coding a try, as the official site says, from ages 6 - 106. You can find out more information at http://www.csedweek.org

Technology and the computer sciences impact our lives in so many ways, yet the field is growing faster than the skilled workforce, especially in computer programming. In an effort to educate more young people about computer sciences, this Hour of Code project is gaining support. This is how I found out at 6am this morning; an email from my daughters math teacher that they would be taking the next two days away from regular curriculum to participate in the Hour of Code (code.org) challenge. What an amazing idea! This program, or call it a “movement”, is an exciting outreach within our local school system and I’m thankful that the teachers at her school are excited and taking the time to incorporate Hour of Code into their lesson plans.

Here is a fun (and short) video about the program – Learn what most schools don’t teach!

I am fortunate enough to work for an amazing technology company, so it seems normal to think everyone should learn how to program a computer… and I realize that if you are reading this blog, then I am probably preaching to the choir!   Please take some time to help promote National Computer Science Education Week and see what kind of spark you can help create in others!

There is a great (free) resource available at the Khan Academy's Hour of Code site that will let you share this skill set with other people. While I certainly want to learn more, I am especially excited that my daughters will be getting this experience in the classroom!

Topics: Data Security, Community

Encryption Key Management - Any Way You Want It…

Posted by Michelle Larson on Dec 5, 2013 9:23:00 AM

(That’s the Way) You Need it…

Now that you have the tune from Journey running through your head, let’s talk about how you are going to protect your data with encryption and key management.   eBook - Encryption Key Management Simplified

So you have all this sensitive data that you need to secure… how are you going to protect it? What kind of key management choices do you have? How do you decide what encryption to use? Just how do you decide what you need, and where you will put your key management device, and will it be hardware or virtual? In many cases, regulations require you to protect sensitive information. Beyond being a compliance requirement, it is also a responsibility to your business and your customers. We understand all those questions can be a bit daunting at first, but there are a variety of encryption key management options to choose from.

The main consideration that will be determined within each of the following factors is your Risk Tolerance. What kind of sensitive data are you storing? What will happen to that information if there is a data breach? What will the impact be to your company, to your customers, if that information gets accessed by the wrong people? What are your liabilities? No matter whether it lives in a single PC hard drive or a vast data center, or even in a shared cloud environment, the type of information you need to protect will have a large impact on what level of risk tolerance you have.  

Here are four factors you need to consider as you devise or revise your data security plan:

Infrastructure: Where your data lives (client side application) determines what kind of options you have. Is your data all in one location (on a PC, or in a data center)? or is it in the cloud? or a combination? Are there requirements that would limit where your key server could be located? How will data need to be transmitted from one location to another? Once you have a clear picture of the sensitive information you are responsible for then you can move on to the next set of questions.  

Compliance Regulations: If you are dealing with Personal Identifiable Information (PII) or Protected Health Information (PHI) or Payment Card Industry (PCI), you have a great responsibility to protect that information and meet different compliance regulations. Depending on what industry you are in and where you live, different regulations may come into play. If you take credit card payments, you will certainly fall under PCI-DSS and be required to encrypt that data. If you are a part of or even partner with the medical sector then you also need to comply with HIPAA/HITECH Act requirements for security of Protected Health Information (PHI). GLBA/FFIEC sets regulations for banks, credit unions, credit reporting agencies, and anyone in the financial industry. FISMA is for Federal US Government Agencies and businesses that partner with them. The Federal Trade Commission (FTC) also gets involved with anyone who issues a privacy statement. On top of those regulations, more than 45 states also have their own privacy rules that strongly recommend encryption of any personally identifiable information (PII).

Availability:  Beyond just the availability of your encryption key management options, think about how many people need access to your data. What kind of security procedures do you need in order to keep the wrong people out and yet allow the right people to do their jobs? Will you have a key management system that supports separation of duties and dual control of your encryption keys?  

Cost: Your budget will also determine what kind of key management system you use. While cloud options may present a cost savings, you would potentially need a higher risk tolerance in a shared environment.  

Once you have identified your level of risk tolerance and the other factors listed, you will need to consider what kind of encryption and key management options are available to you:

Data Center - Hardware Security Module (HSM) - This is probably the most common option for companies that have their own data centers. The HSM is “under your roof” and you provide the security and IT support for the device.  

Cloud HSM -  If your data lives in the cloud and in a variety of client side applications, perhaps hosting your key server in a cloud HSM makes more sense for you. In a cloud HSM, look for two dedicated redundant HSMs in geographically diverse locations that are managed for you. Options and access will vary depending on which cloud HSM solution you deploy. With Alliance Key Manager Cloud HSM, you maintain exclusive access to your key servers.

In the Cloud -  If your data lives primarily in the cloud, you may want to go with a key server deployed directly in the cloud. Ways to make that option more secure would be to locate your key server in a different cloud environment from your data or even in a virtual private cloud (VPC). Cloud options are certainly cost-effective and easy to deploy, just make sure that you have a high enough risk tolerance for a shared environment!

I know there are a lot of questions that each company needs to consider and answer for themselves during this security planning process. The good news is that we have solutions that can encrypt your data and protect your encryption keys in all of those locations. We offer affordable and easy to deploy solutions with what we feel is the best customer support in the industry.  

Check out this complimentary eBook on Key Management, then give us a call and let’s see how we can partner together to protect your data!
 

Encryption Key Management Simplified eBook

Topics: Alliance Key Manager, Data Security, eBook, Encryption Key Management, Alliance Key Manager Cloud HSM

Encryption & Key Management with Microsoft SQL Server

Posted by Michelle Larson on Nov 13, 2013 10:44:00 AM

After our latest webinar “Encryption & Key Management with Microsoft SQL Server” there were a number of great questions asked by attendees and answered by security expert Patrick Townsend. Download the Webinar - Just Click!

Here is an informative recap of that Q&A session:

Q: Are there any special considerations when deploying an encryption key manager in the cloud?

A: The cloud always presents some additional security challenges related to encryption and security in general and has the impression of being less secure and having some new challenges around security. In the cloud, the encryption key manager itself is only one component to consider, and you need a good FIPS 140-2 compliant solution like our Alliance Key Manager for SQL Server. You also need client side applications and libraries, so when you're thinking about moving to the cloud, paying attention to that particular issue is very important. Also know that not all libraries can easily migrate to cloud. We develop ours from the ground up with the cloud in mind, so all of our components that talk back to our key manager for encryption keys or encryption services are cloud-enabled and can be deployed there.

From a compliance point of view, it is very important to take a look at the Cloud Security Alliance (CSA.org) document on cloud security - version 3.

We also provide a compliance brief about domain 11 which talks about encryption key management and issues around the security in the cloud.  

Q: Can you go a little more in-depth about what gets installed on SQL Server?

A: For the SQL Server platform (the client side software) Microsoft allows for Extensible Key Management (EKM) which allows vendors like Townsend Security to plug into their environment. Our Key Connection for SQL Server is an EKM provider and it is a GUI (Graphical User Interface)  install, so you load it on your own SQL Server platform and it walks you through some questions:

  • It will ask what SQL Server instances you want to protect
  • It will ask for your authentication credentials in order to execute the necessary commands  
  • It will allow you to install certificates into the Windows certificate store that are used to communicate with the key manager HSM
  • It allows you to define the location of your production and multiple high-availability failover key servers (most companies deploy one production and one HA key server. However, you can actually identify a more complex environment if needed)  
  • Then it allows you to actually test, right there in the install dialog, your connection to your key manager to confirm it is working the way it is supposed to

Side Note: We do not charge based on the number of endpoints that talk to our Alliance Key Manager. This is something that is unique to us as a vendor. We believe the encryption should be easy to do and affordable, so no additional license fees are required to actually use it. We want our customers to deploy encryption and use it to protect data.

Q: What are the minimum requirements for the key server?  

A: The Alliance Key Manager product is available as either a hardware security module (HSM) device or virtual appliance. As an HSM it has a 1U server footprint, so it looks like any normal 1U server in your data center. However if you use our Alliance Key Manager Cloud HSM implementation, the encryption key manager is installed for you in a secure data center. It is also our philosophy that these are customer install processes, so we don't have consulting fees because it is a user deployed device. The server administration is done through a secure web browser session with our Townsend Security technical experts. The encryption key management security functions are done through a specific Windows application that talks to one or more key servers to actually create and deploy encryption keys whether they’re for Oracle or SQL Server EKM.  

Also, we do provide our encryption key manager as a VMware virtual appliance, which allows you to deploy a key manager within your VMware infrastructure and we give you guidance on that process. With this option you don't have to purchase a hardware appliance, you can run it in your VM infrastructure or within a vCloud architecture. We strongly recommend that a review of the PCI Security Council's - Cloud Computing Guidelines as well as their guidance around virtualization when deploying a virtual encryption key manager.

Q:  Does your key manager handle encryption and decryption or just key management?

A: Our encryption key management appliance itself does support on-board encryption and decryption.

Q: Can the same EKM module be used to encrypt servers in both data centers and cloud environments?

A: Yes. You can mix and match these anyway you want. You can use the same encryption key management solution for applications running in either environment, and they can talk to each other. You should be aware of a good security practice guidance around using different encryption keys for different kinds of applications, or different user communities, even in a high-availability data center or disaster recovery centers.  

Q: What are the performance impacts on encryption?

A: Encryption always has performance impacts. Generally it can impose a penalty somewhere between 2% and 4% in terms of computing resources. Guidance from Microsoft regarding very large SQL Server databases show that performance can become an issue with certain operations. For example, encrypted indexes may require the entire index to be decrypted in order to be processed. Very large SQL Server databases can impose a bigger performance penalty than 4%. Sometimes, cell level encryption has been a better performing implementation than transparent data encryption. We support both TDE and cell level encryption, allowing our customers to use our product as needed.

We strongly recommend to our customers, especially those with larger more complex SQL Server applications, that they contact us and ask for a complimentary evaluation of our encryption key manager. The complimentary product trial is fully functional and allows an opportunity to do analysis of the performance impacts. We want you to give it a try and make sure you understand the impacts personally.

Q: Is there any limit to the number of servers that you can hook up to the key manager?

A: No. There's no license limit. If you're considering putting up multiple servers we recommend you engage our pre-sales support team and get some guidance on your project. You will never come to us for additional licensing fees around adding a new platform, new SQL Server, or any other application that talks to the encryption key management server. We are unique in the industry that way and is part of our philosophy; we believe encryption needs to go everywhere, data needs protection wherever it lives, and we should lower the barriers -not raise them- when it comes to getting data protection in place. You can connect as many client-side applications to the key server as you wish.

Q: How do you keep system administrators from getting at the data and the keys at the same time.

A: Tasks such as the management of the server, putting it on the network, establishing system logging options, setting the timeservers - all network administration processes - are segmented from the actual management of the encryption keys. Good security practice says that those should be different people engaging in those activities. We provide completely different interfaces to simplify separation of duties.

If you are using our Cloud HSM environment, it is not administered, managed, or accessed by the cloud provider nor by Townsend Security. You have exclusive access and control over your encryption key managers. We even provide a path if you wish to take the encryption key manager out of the cloud environment and install it in your own data center. We believe strongly that a security device should be exclusively under your control, not under the control or management of the cloud provider.

I encourage you to download the recording of the entire webinar and Q&A session:

Encryption Key Management for Microsoft SQL Server

Topics: Alliance Key Manager, Data Security, Encryption Key Management, SQL Server, Alliance Key Manager Cloud HSM, Webinar

The Benefits of Encryption and Key Management Done Right!

Posted by Michelle Larson on Oct 31, 2013 3:41:00 PM

Make sure you don't turn a blind eye to data security!

The basic concept of converting sensitive data into a form that could not be easily understood if it was to be seen by the wrong audience goes back as far as 500 BC (Atbash Cipher), some would even argue that in 1900 BC a simple hieroglyphic substitution was the first form of cryptography. Dictionary descriptionsWhile technology has made great advancements in recent years, it has also created an even greater need for privacy of sensitive information. Whether you are the Chief Security Officer, IT personnel, or database administrator; you should know how your company is handling sensitive data. In fact, security is the responsibility of every business owner and employee. Not using secure passwords can lead to a data breach just as not following key management best practices can provide access to people with malicious intent. When awareness around data security reaches every department and individual, then the company can not only meet compliance regulations, but can benefit from effective data security. Compliance regulations require (or strongly recommend) all industries following best practices for encryption and key management . Do you know which of these apply to you and your company? For example, if you take credit cards for any reason, you fall under Payment Card Industry - Data Security Standards (PCI-DSS). Other common regulations are:

  • HIPAA/HITECH ACT requires security of Protected Health Information (PHI) in the medical sector.
  • GLBA/FFIEC sets regulations for banks, credit unions, credit reporting agencies, and anyone in the financial industry.
  • FISMA is for Federal US Government Agencies.
  • The Federal Trade Commission (FTC) also gets involved with anyone who issues a privacy statement.
  • More than 45 states also have their own privacy rules, in addition to the ones listed above, that strongly recommend encryption of any personally identifiable information (PII).

So, beyond compliance with regulations, why should you care about encryption… First of all, your customers, clients, and suppliers all expect you to protect their sensitive data. Effective encryption and key management can provide your company with a number of other benefits as well. Here are just a few basic benefits of effective encryption key management:

  • Peace of Mind - While hackers and identity thieves are getting smarter and regulations are getting more complex, data protection technology is also improving at a rapid rate. Encryption and key management options are now available in virtual machines and cloud environments as well as hardware security modules(HSMs). How well would you sleep at night if you kept your house key under your welcome mat?
  • Reputation - Whether information is lost due to a hacker or a hurricane, if a company loses all of it’s important data, the whole business could be ruined. However if sensitive data is lost because mechanisms for protecting it are not in place, then an organization has even bigger problems. The most effective way to secure data and ensure the integrity of a company is to deploy encryption and properly manage the encryption keys.
  • Credibility - Beyond audit requirements, organizations need to consider the security of their customers Personally Identifiable Information (PII). Being able to protect your clients with strong key management practices can add a level of trust and confidence that will help grow your business.

Mobility is also great benefit! As more people move their data to the cloud or virtualized environments the need for encryption increases, and the importance of key management becomes even more evident. In order to maintain control over your data, and the privacy of your customers, information must not only be encrypted but kept secure while in motion, in use, or at rest. By properly managing your encryption keys, you are still in control of your data no matter who is sharing your infrastructure.

In this complimentary eBook, "Turning a Blind Eye to Data Security”, authors Kevin Beaver, CISSP; Patrick Townsend, and Todd Ostrander will teach you about:

  • Tools and resources to begin the discussion about data security in your company
  • 5 Common misconceptions about data security
  • 6 Questions to ask your CIO

Turning a Blind Eye to Data Security eBook

Topics: Compliance, Data Security, eBook, PCI DSS, Encryption Key Management, Business Risk, Executive Leadership