Townsend Security Data Privacy Blog

What Data Needs To Be Encrypted In Drupal?

Posted by Luke Probasco on Jul 10, 2014 9:20:00 AM

"I am collecting data in Drupal. What data do I need to encrypt?"

What Data Needs To Be Encrypted In Drupal? Organizations starting an encryption project always have this question on their minds. It is a simple question, but can be hard to answer. Generally speaking, you should encrypt any information that alone, or when combined with other information, can identify a unique, individual person. This is called Personally Identifying Information, or PII. This should be your starting point, but you may need to address other information depending on the compliance regulations you must meet.

Federal/State Laws and Personally Identifiable Information (PII)

Federal and State laws vary in terms of what they consider Personally Identifiable Information (PII), but there is a lot of commonality between them. PII is any information which either alone or when combined with other information, which can identify an individual person. Examples include email addresses, first name, last name and birth date.
[Download white paper for complete list]

Educational Information Covered by FERPA

Educational institutions who fall under the FERPA regulation must protect PII as well as information like student names, student ID numbers, and family member names.
[Download white paper for complete list]

Federal Agencies and FISMA

Federal Agencies must evaluate their systems for the presence of sensitive data and provide mechanisms to insure the confidentiality, integrity, and availability of the information.  Sensitive information is broadly defined, and includes PII, as well as other information classified as sensitive by the Federal agency.  Sensitive information might be defined in the following categories: medical, financial, proprietary, contractor sensitive, or security management.[Download white paper for complete list]

Medical Information for Covered Entities and HIPAA/HITECH

The HIPAA/HITECH Act defines Protected Health Information (PHI) to include PII in addition to the following PHI: Patient diagnostic information, payment information, health plan beneficiary numbers, full facial photographs, etc.
[Download white paper for complete list

Payment Card Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standards (PCI DSS) require that merchants protect sensitive cardholder information from loss and use good security practices to detect and protect against security breaches.  If you accept or process credit card or other payment cards, you must encrypt the Primary Account Number (PAN).

Financial Data for FFIEC

Banks, credit unions, and other financial institutions must protect Non-public Personal Information (NPI) which includes personally identifying financial information.  In addition, you should protect income, credit score, etc.
[Download white paper for complete list]

Encrypting Data in Drupal

Townsend Security is helping the Drupal community encrypt sensitive data and properly manage encryption keys. Developers who need to protect sensitive data know that storing their encryption keys within the content management system (CMS) puts their data at risk for a breach. With Key Connection for Drupal and Alliance Key Manager, administrators are now able to keep their encryption keys secure by storing them remotely and only accessing them when the encryption/decryption happens.

The Key Connection for Drupal module is a plugin for the Encrypt project that allows you to easily encrypt sensitive data with NIST-validated AES encryption and securely retrieve and manage encryption keys from Townsend Security’s FIPS 140-2 compliant Alliance Key Manager. With an easy to use interface and certifications to meet compliance requirements, you can rest assured knowing your data is secure.

What Data Needs Encrypted In Drupal?

Topics: Encryption, Higher Education, Drupal

Townsend Security Launches Developer Program for Drupal

Posted by Liz Townsend on Jun 16, 2014 10:55:00 AM

Townsend Security recently traveled down south to Austin, TX for the Drupal developer annual conference, DrupalCon 2014! In partnership with Cellar Door Media, Townsend Security recently released Key Connection for Drupal, the first encryption key management solution for Drupal. Key Connection for Drupal enables developers to use world NIST-validated AES encryption FIPS 140-2 compliant key management for data stored in Drupal.

At DrupalCon 2014 Townsend Security introduced our new Drupal Developer Program. The Drupal Developer Program puts encryption and key management in the hands of developers, free of charge, to implement and test.

Key Connection for Drupal
Key Connection for Drupal allows Drupal users to encrypt sensitive data and do it right. Historically, the Drupal encrypt module only allowed users to store encryption keys natively, or in other less secure ways. Key Connection for Drupal enables encryption keys to be stored off-site in a FIPS 140-2 compliant encryption key manager. Townsend Security’s Alliance Key Manager is available as an AWS, Microsoft Azure, or VMware instance; as a hosted appliance in the cloud; or as a physical HSM. Alliance Key Manager can also perform onboard encryption, meaning that developers can send sensitive data to the key manager to be encrypted with NIST validated AES encryption so that they can provably meet compliance regulations and their encryption keys never leave the key manager.

Developer Program
Drupal Developer ProgramAt Townsend Security, we know that encryption and encryption key management are critical to strong digital security and meeting several compliance regulations such as FISMA, PCI DSS, HIPAA, etc.  With Key Connection for Drupal we’ve made encrypting data and managing encryption keys easier than ever. We also know that for strong security to become ubiquitous, it must be easy to obtain and implement. That’s why we’ve begun a developer program that puts technology in the hands of the people who use it most. Drupal developers can now join our developer program, for no fee, and receive up to two free Alliance Key Manager licenses to test internally for non-production use. We hope that through the developer program we can help improve data security in Drupal and the community.

Community
Townsend Security firmly believes in giving back to the Drupal community. Through the Developer Program and our participation in the Drupal Association we hope to continue to bring strong security to the Drupal community as we move forward. To sign up for the Drupal Developer Program, contact us here. To learn more about Key Connection for Drupal, visit the Drupal.org project site here.

Drupal Developer Program Encryption Key Management

Topics: Encryption Key Management, Drupal

Drupal CMS and Higher Education Compliance

Posted by Michelle Larson on Jun 4, 2014 2:44:00 PM

Securing data with encryption and protecting the encryption keys with proper key management is enforced by many compliance regulations (and recommended as a security best practice).

New Call-to-Action When working with private schools, colleges, and universities, Drupal developers who need to protect their customers’ sensitive data with encryption know important compliance elements include the following:

  • Awareness of how records are managed by the institution.
    … (Do you know who will have access?)
  • Awareness of relevant regulations/laws.
    … (Do you know what they need to follow?)
  • Approach to complying with each item.
    … (Do you know what they should do to follow the law?)
  • Management of institutional records.
    … (Do you know what they need to keep and for how long?)

It is important to remember when developing a higher education framework, the ultimate core of higher education is information. Each institution gathers, stores, analyzes, retrieves, and secures the information necessary for proper functioning. Without continued and uninterrupted access to that information, as well as assurances that the information is secure and reliable, they would be unable to fulfill their educational, research, and service missions.

For entities in the education sector, it is important to note that data security and IT solutions for colleges and universities also fall under some of the more familiar compliance regulations due to the various programs offered by each institution:

  • PCI DSS will come into play with accepting payments from tuition, books, food services, and housing
  • GLBA/FFIEC covers the student loan and financial offices at most institutions
  • HIPAA/HITECH is also important to consider as most higher education institutions have their own health centers

Driven by student privacy concerns and the need to comply with regulations such as the Family Educational Rights and Privacy Act, educational institutions must also make sure to secure sensitive data and protect their networks from data loss even when that information must be shared.

Family Educational Rights and Privacy Act (FERPA)
Statute: 20 U.S.C. § 1232g Regulations: 34 CFR Part 99

The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to consent to the disclosure of personally identifiable information from education records, except as provided by law. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (“eligible student”).

The Higher Education Information Security Council (HEISC), actively develops and promotes awareness and understanding, effective practices and policies, and solutions for the protection of critical IT assets and infrastructures. HEISC also produces the Information Security Guide: Effective Practices and Solutions for Higher Education, an excellent resource for anyone involved in securing student information with encryption.

Drupal adoption in higher education has skyrocketed with over 71 of the top 100 US Universities and educators around the world publishing websites in Drupal. Arizona State University alone hosts over 800+ websites built in Drupal CMS!  To meet the growing need for NIST validated and FIPS 140-2 compliant encryption and key management, the data security experts at Townsend Security partnered with Chris Teizel, CEO of Cellar Door Media and Drupal developer to create the Key Connection plug-in for the Drupal Encrypt module. Key Connection for Drupal provides a secure key management system (Alliance Key Manager) outside of the Drupal installation in order to provide secure key storage and retrieval options. Now when personally identifiable information (PII) is collected or stored in a database it can easily be encrypted and the encryption keys properly managed. Key Connection for Drupal allows developers and users to choose whether they retrieve a key and encrypt/decrypt locally or to send the data to Alliance Key Manager to perform on board encryption.

For more information, download the Drupal Compliance Matrix:

Drupal Compliance Matrix

Topics: Alliance Key Manager, Encryption, Higher Education, Key Connection for Drupal, Encryption Key Management, Drupal

Drupal CMS and GLBA/FFIEC Compliance

Posted by Michelle Larson on May 7, 2014 12:47:00 PM

Securing data with encryption and protecting the encryption keys with proper key management is addressed in many compliance regulations and security best practices.  

For business owners, database administrators, or Drupal developers who need to protect their customers’ sensitive data with encryption; storing the encryption keys within the Drupal CMS puts that data at risk for a breach. Depending on your industry, different regulations and standards will require you to implement safeguards on some or all of the information contained within your applications. New Call-to-Action

The financial industry includes banks, credit unions, and other financial organizations, including venture capital firms, private equity firms, investment banks, global investment firms, bank holding companies, mutual funds, exchanges, brokerages, and bank technology service providers, among others. In order to meet compliance regulations, information security programs must be in place to ensure customer information is kept confidential and secure, protected against potential threats or hazards to personal information (cyber-attack, identity theft) and protected against unauthorized access to or use of a customer's personal information.

If you fall within the financial sector, the following will apply:

The Gramm-Leach-Bliley Act (GLBA) - 15 USC 6801 - of 1999 first established a requirement to protect consumer financial information.
TITLE 15 , CHAPTER 94 , SUBCHAPTER I , Sec. 6801. US CODE COLLECTION
Sec. 6801. - Protection of nonpublic personal information

(a) Privacy obligation policy

It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.

(b) Financial institutions safeguards

In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards.

The Federal Financial Institutions Examination Council (FFIEC) supports the GLBA mission by providing extensive, evolving guidelines for compliance and evaluating financial institutions. Financial services regulations on information security, initiated by the GLBA, require financial institutions in the United States to create an information security program to:

  • Ensure the security and confidentiality of customer information
  • Protect against any anticipated threats or hazards to the security or integrity of such information<
  • Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer

Federal Reserve Board Regulations - 12 CFR - CHAPTER II - PART 208 - Appendix D-2
-- Interagency Guidelines Establishing Standards For Safeguarding Customer Information--

… III. Development and Implementation of Information Security Program
… C. Manage and Control Risk
Each bank shall:
… c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access.

Enforcement of these financial industry compliance guidelines fall to five agencies: the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). In collaboration, these agencies have developed a series of handbooks that provide guidance, address significant technology changes and incorporate a risk-based approach for IT practices in the financial industry. The "Information Security Booklet" is one of several that comprise the FFIEC Information Technology Examination Handbooks, and references encryption in detail. (Resource Links listed below)

Summary: Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. Encryption implementations should include:

  • Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk
  • Effective key management practices
  • Robust reliability
  • Appropriate protection of the encrypted communications endpoints

To meet the growing need for NIST validated and FIPS 140-2 compliant encryption and key management, the data security experts at Townsend Security partnered with Chris Teizel, CEO of Cellar Door Media and Drupal developer to create the Key Connection plug-in for the Drupal Encrypt module. Key Connection for Drupal provides a secure key management system (Alliance Key Manager) outside of the Drupal installation in order to provide secure key storage and retrieval options. Now when nonpublic personal information is collected or stored in a database it can easily be encrypted and the encryption keys properly managed. Key Connection for Drupal allows developers and users to choose whether they retrieve a key and encrypt/decrypt locally or to send the data to Alliance Key Manager to perform on board encryption.

For more information, download the Drupal Compliance Matrix:

Drupal Compliance Matrix

 

Additional Resources:

Federal Financial Institutions Examination Council (FFIEC)

FFIEC Information Technology Examination Handbooks

Gramm-Leach-Bliley Act (GLBA)

Federal Reserve System (FRB)

Federal Deposit Insurance Corporation (FDIC)

National Credit Union Administration (NCUA)

Office of the Comptroller of the Currency (OCC)

Office of Thrift Supervision (OTS)

Topics: Alliance Key Manager, Compliance, Key Connection for Drupal, Encryption Key Management, Drupal

Drupal CMS and PCI DSS Compliance

Posted by Michelle Larson on Apr 2, 2014 11:14:00 AM

Securing data with encryption and protecting the encryption keys with proper key management is addressed in many compliance regulations and security best practices.

Download Whitepaper on PCI Data Security For Drupal developers who need to protect sensitive data in their (or their clients) content management system (CMS), storing the encryption keys within the Drupal CMS puts that data at risk for a breach. Security best practices and PCI DSS compliance regulations call for sensitive data to be protected with encryption and that data-encrypting keys (DEK) be physically or logically separated from the sensitive data and protected with strong key-encrypting keys (KEK).  Depending on what type of information is being stored and what industry guidance your project/company falls under, compliance regulations in addition to PCI DSS may apply.

For any company that accepts credit card payments, the Payment Card Industry Data Security Standards (PCI DSS) issues 12 requirements that must be met in order to be compliant. It can seem overwhelming at first, but the PCI council that issues PCI DSS also provides detailed reference guides and instructions on each requirement. Let’s take a high level look at all twelve items:

Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do Not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data*
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that address information security for all personnel

Within the latest documentation by the PCI Security Standards Council (v3.0 released November 2013) specific testing procedures and guidance is given for Requirement 3 on pages 34-43. The PCI Security Standards Council (PCI SSC) website contains this documentation along with a number of additional resources to assist organizations with their PCI DSS assessments and validations. PCI SSC also issues Cloud Computing Guidelines and additional information around virtualization of data protection solutions so you can be PCI compliant with a cloud-based solution for encryption and key management.

Requirement 3 addresses the need for encryption and key management, stating:

PCI requirement 3:Protect stored cardholder data

“Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.”

In order to address PCI DSS Requirement 3: Protect stored cardholder data; the security experts at Townsend Security partnered with Chris Teitzel, CEO of Cellar Door Media and Drupal developer to create Key Connection for Drupal in connection with the existing Drupal Encrypt module. In order to provide secure key storage and retrieval options, Key Connection for Drupal provides a secure key management system (Alliance Key Manager) outside of the Drupal installation. Now when cardholder information is collected or stored in a database it can easily be encrypted and the encryption keys properly managed. Key Connection for Drupal allows developers and users to choose whether they need to retrieve a key and encrypt/decrypt locally or to send the data to Alliance Key Manager to perform on board encryption.

Other compliance requirements for protecting information go beyond cardholder data (PCI focuses on PAN or the Primary Account Number specifically) and also require that personally identifiable information (PII) such as names, birthdates, email address, zip codes, usernames, or passwords be protected with encryption and key management. Check back as future blogs will cover additional data privacy compliance regulations and security best practices that impact developers and users of the Drupal CMS open source platform in regards to protected health information (PHI).

For more information on PCI Compliance, download the Whitepaper: "Meet the Challenges of PCI Compliance"

download the Whitepaper: Meet the Challenges of PCI Compliance

Topics: Compliance, PCI DSS, Encryption Key Management, White Paper, Drupal

University Websites Built on Drupal Should Encrypt Sensitive Data

Posted by Liz Townsend on Feb 25, 2014 1:11:00 PM

On February 19th the University of Maryland disclosed to the public a data breach exposing over 300,000 records of students, faculty, and alumni including names, social security numbers, and dates of birth.

Securing Sensitive Data in Drupal Universities and colleges using their website to communicate with students are aware of the fact that their website is a massive portal for student data. From the moment a potential student applies to a university through its website, up through each time a student submits financial and health information, thousands of personal records are being collected by the website and stored for internal use in databases.

Why is this data not being protected? That’s the big question asked by data security experts and concerned students alike, who are aware of the massive number of data breaches that occur yearly through websites. The information submitted on higher education websites includes nearly everything a hacker or malicious user wants including: home addresses, social security numbers, phone numbers, email addresses, passwords, parent names, credit card, and financial data. Many universities run teaching hospitals, not to mention their own student health services. Protected health information (PHI) entered through patient portals also poses a huge risk if the data isn’t protected.

This information should not only be encrypted to protect students, faculty, and patients alike, but it should be encrypted because the collection of financial data, credit card data, and PHI fall under industry regulations such as HIPAA/HITECH and PCI-DSS which require the encryption of this data.

Here’s the good news: Many college and university websites are built using the common content management system (CMS) Drupal. Drupal is one of the most widely used CMS platforms, and is used by both small start-ups and Fortune 100 enterprises. It is very commonly used for higher education sites. Drupal has a long history with addressing security in its modules, and in fact has even supported an Encrypt module to encrypt sensitive data. Although the Encrypt module made encrypting data easy for Drupal users, it lacked a very important component of successful encryption: encryption key management.

Encryption key management is the foundation of a successful encryption strategy. If the encryption key is stored locally with the encrypted data, then a hacker who gains access to the data can immediately decrypt the data, making the encryption useless. If the key is protected, away from the encrypted data, then the data remains safe, even if accessed by an attacker.

Ok, here’s the actual good news: Stronger encryption and encryption key management is now available for Drupal users. Chris Teitzel and Rick Hawkins, Drupal developers and owners of Cellar Door Media have recently teamed up with Townsend Security to create Key Connection for Drupal--a module that enables NIST-validated AES encryption and FIPS 140-2 compliant key management for data in Drupal.

Key Connection for Drupal offers these important features:

  • Encryption anywhere you want it - The Key Connection for Drupal APIs allow developers to encrypt data and protect encryption keys anywhere data is collected in a website from student enrollment applications to student health service portals.
  • Onboard encryption - While Drupal developers can still use the encrypt module to encrypt sensitive data, and protect the encryption keys to a cloud or physical key management module, they also have the option to do “onboard” encryption within the key manager using NIST validated AES encryption. This is a critical new feature for business who need to meet PCI-DSS compliance requirements.
  • Multiple key management options - Developers can choose from multiple key management options from key management in the cloud to a physical hardware security module (HSM) that they can rack up in their own IT infrastructure. Townsend Security also offers virtual and hosted options.

To learn more about Key Connection for Drupal and how you can encrypt sensitive data in Drupal using NIST validated AES encryption and protection of encryption keys using FIPS 140-2 compliant key management, listen to the podcast featuring the Key Connection for Drupal developers.

Encryption Key Management Drupal

Topics: Encryption, Higher Education, Encryption Key Management, Drupal