Townsend Security Data Privacy Blog

GLBA/FFIEC Compliance = Encryption & Key Management

Posted by Michelle Larson on Jul 3, 2014 11:03:00 AM

Compliance regulations and security best practices require the encryption of sensitive financial data and the protection of encryption keys with proper key management.  

Financial Industry

The financial industry includes banks, credit unions, and other financial organizations, including venture capital firms, private equity firms, investment banks, global investment firms, bank holding companies, mutual funds, exchanges, brokerages, and bank technology service providers, among others. In order to meet compliance regulations, information security programs must be in place to ensure customer information is kept confidential and secure, protected against potential threats or hazards to personal information (cyber-attack, identity theft) and protected against unauthorized access to or use of a customer's personal information. For business owners, database administrators, or developers who need to protect their customers' sensitive data with encryption, storing the encryption keys within the same database as that data puts the information at risk in a breach.

If you fall within the financial sector, the following will apply:

The Gramm-Leach-Bliley Act (GLBA) - 15 USC 6801 - of 1999 first established a requirement to protect consumer financial information.

TITLE 15, CHAPTER 94, SUBCHAPTER I, Sec. 6801. US CODE COLLECTION
Sec. 6801. - Protection of nonpublic personal information

(a) Privacy obligation policy
It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.

(b) Financial institutions safeguards
In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards.

The Federal Financial Institutions Examination Council (FFIEC) supports the GLBA mission by providing extensive, evolving guidelines for compliance and evaluating financial institutions. Financial services regulations on information security, initiated by the GLBA, require financial institutions in the United States to create an information security program to:

  • Ensure the security and confidentiality of customer information
  • Protect against any anticipated threats or hazards to the security or integrity of such information
  • Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer

Federal Reserve Board Regulations - 12 CFR - CHAPTER II - PART 208 - Appendix D-2
-- Interagency Guidelines Establishing Standards For Safeguarding Customer Information--

… III. Development and Implementation of Information Security Program

… C. Manage and Control Risk

Each bank shall:

… c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access.

Enforcement of these financial industry compliance guidelines falls to five agencies: the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). In collaboration, these agencies have developed a series of handbooks that provide guidance, address significant technology changes and incorporate a risk-based approach for IT practices in the financial industry. The "Information Security Booklet" is one of several that comprise the FFIEC Information Technology Examination Handbooks, and references encryption in detail.

Summary: Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. Encryption implementations should include:

  • Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk
  • Effective key management practices
  • Robust reliability
  • Appropriate protection of the encrypted communications endpoints

To meet the growing need for NIST validated and FIPS 140-2 compliant encryption and key management, the data security experts at Townsend Security provide a certified key management system (Alliance Key Manager) which provides secure key storage and retrieval options for a variety of Enterprise and open source platforms.  Now when nonpublic personal and financial information is collected or stored in a database it can easily be encrypted and the encryption keys properly managed.

To learn more, download the ebook: Encryption Key Management Simplified



Additional Resources:

Federal Financial Institutions Examination Council (FFIEC)

FFIEC Information Technology Examination Handbooks

Gramm-Leach-Bliley Act (GLBA)

Federal Reserve System (FRB)

Federal Deposit Insurance Corporation (FDIC)

National Credit Union Administration (NCUA)

Office of the Comptroller of the Currency (OCC)

Office of Thrift Supervision (OTS)

Topics: Compliance, Data Security, Encryption, eBook, Encryption Key Management, GLBA/FFIEC

PCI DSS Compliance = Encryption & Key Management

Posted by Michelle Larson on Jul 1, 2014 2:13:00 PM

Many compliance regulations and security best practices require the encryption of sensitive data and the protection of encryption keys with proper key management.

Security best practices and PCI DSS compliance regulations call for sensitive data to be protected with encryption and for data-encrypting keys (DEK) to be physically or logically separated from the sensitive data and protected with strong key-encrypting keys (KEK). Anyone who needs to protect sensitive data in their database needs to know that storing the encryption keys in the same location puts that data at risk in a breach. Depending on what type of information is being stored and what industry guidance your project/company falls under, compliance regulations in addition to PCI DSS may apply.
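The DEK/KEK separation described above, as an added example in Go that is not part of the original post or of any Townsend Security product: each record is encrypted under its own DEK, the DEK is wrapped by a KEK that lives only inside a key manager, and the database ends up holding ciphertext plus a wrapped DEK that is useless without that key manager. The KeyManager type is a hypothetical stand-in for an external key manager, and the account id and card number are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the application stores beside the record: the ciphertext
// and the DEK wrapped under the KEK. Without the key manager that holds the
// KEK, neither part can be turned back into plaintext.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, record)
}

// KeyManager is a hypothetical stand-in for an external key manager.
// The KEK never leaves it: callers can only ask it to wrap or unwrap DEKs.
type KeyManager struct {
	kek []byte
}

// NewKeyManager generates a random 256-bit KEK.
func NewKeyManager() (*KeyManager, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyManager{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with AES-GCM and a fresh random nonce,
// binding aad (additional authenticated data) to the result.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, altered ciphertext or mismatched aad fails
// authentication and returns an error rather than garbage.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// WrapDEK and UnwrapDEK are the only operations the key manager exposes.
func (km *KeyManager) WrapDEK(dek []byte) ([]byte, error) {
	return seal(km.kek, dek, []byte("dek-wrap"))
}

func (km *KeyManager) UnwrapDEK(wrapped []byte) ([]byte, error) {
	return open(km.kek, wrapped, []byte("dek-wrap"))
}

// EncryptRecord generates a fresh DEK per record, encrypts the record under
// it, wraps the DEK via the key manager and discards the plaintext DEK.
// recordID is authenticated so a ciphertext cannot be swapped onto another record.
func EncryptRecord(km *KeyManager, recordID string, record []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, record, []byte(recordID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := km.WrapDEK(dek)
	if err != nil {
		return Envelope{}, err
	}
	for i := range dek { // best-effort scrub of the plaintext DEK
		dek[i] = 0
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord asks the key manager for the DEK, then decrypts locally.
func DecryptRecord(km *KeyManager, recordID string, env Envelope) ([]byte, error) {
	dek, err := km.UnwrapDEK(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("key manager refused DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(recordID))
}

func main() {
	km, _ := NewKeyManager()
	env, _ := EncryptRecord(km, "acct-42", []byte("4111111111111111")) // constructed sample PAN
	pt, err := DecryptRecord(km, "acct-42", env)
	fmt.Println(string(pt), err)
	// A stolen copy of the database (env) without the right KEK is unreadable:
	other, _ := NewKeyManager()
	_, err = DecryptRecord(other, "acct-42", env)
	fmt.Println("wrong KEK:", err)
}
```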


PCI Compliance Regulations require encryption and key management

For any company that accepts credit card payments, the Payment Card Industry Data Security Standards (PCI DSS) issues 12 requirements that must be met in order to be compliant. It can seem overwhelming at first, but the PCI council that issues PCI DSS also provides detailed reference guides and instructions on each requirement.

Let’s take a brief look at all twelve items:

Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data*

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Identify and authenticate access to system components

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel


Within the latest documentation by the PCI Security Standards Council (v3.0, released November 2013), specific testing procedures and guidance are given for Requirement 3 on pages 34-43. The PCI Security Standards Council (PCI SSC) website (http://www.pcisecuritystandards.org) contains this documentation along with a number of additional resources to assist organizations with their PCI DSS assessments and validations.

* Requirement 3 addresses the need for encryption and key management, stating:

“Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.”


The PCI Security Standards Council also issues their Cloud Computing Guidelines (https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf) and additional information around virtualization of data protection solutions so you can be PCI compliant with a cloud-based solution for encryption and key management.


Other compliance requirements for protecting information go beyond cardholder data (PCI focuses on the PAN, or Primary Account Number, specifically) and also require that personally identifiable information (PII) such as names, birthdates, email addresses, zip codes, usernames, or passwords be protected properly with encryption and key management. To meet the growing need for NIST validated and FIPS 140-2 compliant solutions, the data security experts at Townsend Security provide a certified key management system (Alliance Key Manager) which provides secure key storage and retrieval options for a variety of Enterprise and open source platforms. Now sensitive information can easily be encrypted and the encryption keys properly managed.

For more information on encryption, download the latest eBook, The Encryption Guide:


Topics: Compliance, Encryption, eBook, PCI DSS, Encryption Key Management

3 Ways Encryption & Key Management Can Help You Sleep

Posted by Michelle Larson on Jun 18, 2014 11:53:00 AM

Turn Your Nightmares into a Peaceful Night’s Sleep... Even When Your Sensitive Data is Stored in the Cloud

Are you losing sleep over Encryption compliance?

Compliance regulations and security best practices can be enough to make most developers lose some sleep at night, but when the subjects of encryption & key management in the cloud are brought up… it seems like many of those restless heads start to twitch with other worries as well. It goes beyond what types of data need to be encrypted… to concerns about choosing the right encryption algorithm and properly managing the encryption keys. One of the most reported concerns about encryption is the fear of losing the encryption keys. If keys are lost, the data remains forever shrouded from view… not only for hackers, but for you too! Here are three important encryption & key management topics, and three excellent resources that will help you rest easy!

#1 Understand the Importance of Encryption and Key Management

Encrypting your sensitive data is critical to meeting compliance regulations and protecting your organization (and your customers) in the event of a data breach. If you are looking for a non-technical overview, then I highly recommend our most recent eBook, “The Encryption Guide” which covers the importance of encryption as well as critical implementation information such as:

  • When to use encryption
  • What data you should encrypt
  • Where you should encrypt that data
  • Encryption best practices
    (and an excellent summary of compliance regulations)
  • The importance of encryption key management

In order to have a successful encryption solution you must deploy industry standard encryption methodologies, proper encryption key management (NIST validated solutions), and follow administrative and technological best practices such as dual control and separation of duties.

#2 Learn How to Never Lose an Encryption Key

Industry expert Patrick Townsend addresses the following four topics in greater depth in his blog article “Never Lose an Encryption Key in Windows Azure”, and I hope you will check out what he has to say regarding how Alliance Key Manager running in Windows Azure protects you from this potential problem.

  • Backup / Restore
    The first line of defense is always to have a backup of your encryption keys and key access policies. Alliance Key Manager provides you with an option to securely back up your encryption keys, security policies, and server settings and to move this backup out of Windows Azure to your own secure storage...
  • Key and Policy Mirroring
    Alliance Key Manager supports Active-Active (real-time key and security policy) mirroring so that you will always have a full set of your encryption keys available to you even after a failover...
  • Windows Azure Availability Sets
    This is a feature that helps you avoid unplanned outages due to failures of the cloud infrastructure or planned maintenance activities, providing one more way to get the best reliability for your key management infrastructure in the Windows Azure cloud...
  • Mirroring Outside the Windows Azure Cloud
    Lastly, if you are still worried about losing your encryption keys, you can always mirror the keys to a key manager located outside the Windows Azure cloud. We have hardware, hosted, and cloud options for you to choose from!

#3 Know Your Compliance Regulations

Our website is a wealth of information on how encryption and key management meet compliance regulations, and it is frequently a topic in our blog articles! Storing sensitive data in a multi-tenant environment comes with an additional set of concerns, so we suggest the Cloud Security Alliance (CSA) white paper Security Guidance for Critical Areas of Focus in Cloud Computing, v3, which focuses on the CSA guidance - Domain 11 - recommendations for encryption key management. Hardware and software redundancy ensure that you will never lose encryption services or encryption keys. Reliability and redundancy are provided through:

  • Dual RAID controlled disk drives and dual power supplies
  • Real time, bi-directional key mirroring
  • On demand and scheduled backups
  • High availability hot failover
  • Load balancing support

In the ever-changing, ever-evolving technical world that we live in, knowledge is power! Our goal is to constantly provide updated, educational content and the best solutions for protecting sensitive data with solid encryption & key management. So while you might be losing sleep over your plans for the summer, you shouldn’t lose sleep over your encryption strategy!

Start sleeping better by downloading the Encryption Guide:


Topics: Data Security, Encryption, eBook, Encryption Key Management, White Paper

3 Ways Encryption Can Improve Your Bottom Line

Posted by Michelle Larson on May 20, 2014 11:20:00 AM

In a business world that is moving more towards virtualization and cloud environments, the need for strong encryption and proper key management is critical. Due to all the recent and well-publicized data breaches, we all know about the ways your brand can be damaged if you don’t encrypt your data. Let’s look at the benefits of encryption, and three of the ways it can have a positive effect on your business.

Customer Confidence = Loyalty: When it all boils down, building trust in your business is what will make or break relationships with your customers, business partners, and potential investors. After major retail breaches in 2013, a study conducted on 700 consumers showed that the three occurrences that have the greatest impact on brand reputation are data breaches, poor customer service, and environmental disasters. These three incidents were selected ahead of publicized lawsuits, government fines, and labor or union disputes. By being transparent about the ways that you will store and protect their sensitive data (required to operate your business) you will build a level of confidence and trust with your current and potential clients and customers. Using encryption to protect your customers’ sensitive information is the best way to keep any unauthorized user from successfully using the data if it is accessed. Properly deploying encryption means using an encryption key manager that separates and securely stores the encryption keys away from the encrypted data. Let your clients know you take data security seriously, and let the would-be thieves know “move along, there is nothing to see here”!

Cloud = Cost Savings: Encryption can help your business move successfully to cloud and virtual environments. Because of their multi-tenant nature, cloud solutions can offer significant cost savings to most organizations… but what about those other “tenants”, are they able to gain access to your information? What about the treasure trove of information that is attracting more and more hackers? Encryption can make it possible to leverage the benefits and cost savings of the cloud while ensuring the privacy of your sensitive data.

  • By using encryption, you can make sure your information is secure when it is “at rest” or “in motion”.
  • By properly handling encryption keys with an encryption key manager, you make sure you are the only one able to access your encryption keys.
  • By keeping your encrypted data and your encryption keys in separate locations, you remain in control even when your data has left the building.

Customer Compliance = Competitive Advantage: Keeping data secure is the law for many commercial and private organizations. If any sensitive information is stolen or lost, your company may suffer some serious consequences, especially if that information is not encrypted. Using industry standard encryption also helps you meet various compliance regulations and data security standards. Depending on what industry your business is in, different regulations will come into play. As an example, all companies that take credit card payments fall under the Payment Card Industry Data Security Standard (PCI DSS). We all use credit cards and we want assurance that our information is safe. Would you shop online with a company that didn’t take measures to protect your account information?

If a data breach occurs and personally identifiable information is lost, the breached company must notify all their customers who are impacted. Did you know that there are data breach notification laws in 46 of the 50 states? Some regulations have a safe harbor clause, protecting companies from public notification if the stolen data is encrypted and if the encryption keys are not compromised. Along with the frequency, the cost of these breaches continues to escalate: The average cost to an organization for a data breach is up 15% with an average cost of 3.5 million dollars (2014 Ponemon Report). So using encryption to protect data and properly handling key management could save you millions of dollars in the event of a breach. Given the high cost of breach notification doesn't encryption just make sense?

Whether you choose a designated hardware security module (HSM), something designed specifically for virtualized environments (VMware), or data storage in the cloud, encryption and key management solutions can help you:

  • Gain competitive advantage and build loyalty by protecting your customers’ data against access by unauthorized users
  • Reduce hardware costs by leveraging virtual environments in the cloud
  • Significantly improve your data security strategy while satisfying data compliance and privacy requirements

Overall, data encryption offers many benefits and provides solid protection against potential threats or theft. In addition to the many benefits, encryption is also efficient, easy to use, and affordable! Want to learn more about encryption? Download our eBook “The Encryption Guide”:


Topics: Data Security, Encryption, eBook, Encryption Key Management, Business Risk

New eBook: The Encryption Guide

Posted by Liz Townsend on Apr 25, 2014 3:14:00 PM

Roadmap to a Strong Encryption Solution

We live in the time of the data breach. Data privacy experts no longer consider a data breach a matter of “if”, but “when”. That’s why organizations are asking themselves: How do I protect myself? How do I find out what data I’m supposed to protect? Most businesses can find out what data they need to protect based on the industry data security standards that they fall under. The technology those regulations require or recommend can be difficult to implement, however, especially encryption.

Townsend Security has just released a new eBook, “The Encryption Guide,” to help IT professionals and business leaders alike navigate the steps to implementing a successful encryption solution. This eBook answers both basic and more difficult questions about encryption such as:

  • What is encryption
  • When should I use encryption?
  • What data should I encrypt?
  • Where can I encrypt data?
  • What are encryption best practices?

Check out the excerpt below from the introduction, and download the full eBook to get answers to these questions and more.

“Data security today is a major problem. Security professionals, administrators, and executives know this because highly publicized data breaches occur on what seems to be a monthly, if not weekly, basis, and lesser-publicized data breaches happen nearly every day. Loss of customer trust, huge payouts in fines, damage to reputation, and business leaders losing their jobs are just some of the consequences associated with a data breach.

Most high profile data breaches result in a lot of finger pointing with little discussion about what actually went wrong, and how other companies can prevent suffering a similar fate. Unfortunately, it is often revealed that some of the largest data breaches could have been prevented had the organization used proper encryption and encryption key management where it was needed.

Unencrypted sensitive data is a dangerous reality for most businesses. It’s an issue complicated by the fact that sensitive data is typically processed and stored in many disparate, fragmented locations so that administrators and business leaders alike aren’t certain where their data is, if they’re handling unknown sensitive data, which data should be encrypted, or know if their data is being encrypted at all.

In this eBook designed for IT administrators and executives, we will discuss how critical encryption is to your business continuity, how a solid encryption plan can help protect your business in the event of a data breach, and encryption best practices that will ensure your data security plan is effective and defensible, and keep you and your customers safe.”


Topics: Encryption, eBook, Encryption Key Management

Drupal CMS and Changes in HIPAA/HITECH Regulatory Compliance

Posted by Michelle Larson on Apr 17, 2014 1:56:00 PM

Securing data with encryption and protecting the encryption keys with proper key management is addressed in many compliance regulations and security best practices.

Let’s take a look at the Security Rule and Omnibus Rule (updates to the HIPAA/HITECH compliance regulations) that cover Protected Health Information (PHI), and the data security requirements that affect Drupal developers or users. When dealing with the healthcare industry, Personally Identifiable Information (PII) is a subset of PHI, and refers to information that is uniquely identifying to a specific individual. Protected Health Information is specific to medical and health-related use and generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that is collected by a healthcare professional to identify an individual and determine appropriate care. To better understand the recent changes in HIPAA/HITECH regulations, here are a few key rules that provide guidance:

The Security Rule

The Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services (CMS) provide guidance around the protection of sensitive data and PHI based on a security series of seven papers, each focused on a specific topic related to the Security Rule. The rule is officially titled “Security Standards for the Protection of Electronic Protected Health Information” (45 CFR Part 160 and Part 164, Subparts A and C) but is commonly known as the Security Rule. In the Security Rule standards on Technical Safeguards [defined in 164.304 as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”], encryption and decryption requirements regarding the transmission of health-related information are covered in sections 164.312(a)(2)(iv) and 164.312(e)(2)(ii).

HHS offers the following guidance to render Protected Health Information as unusable, unreadable, or indecipherable to unauthorized individuals:

Electronic PHI has been encrypted as specified in the Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. 

The Omnibus Final Rule

On January 25, 2013, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services published the Omnibus Final Rule, entitled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act (GINA); Other Modifications to the HIPAA Rules” (Omnibus Rule), 78 Fed. Reg. 5566. The Omnibus Rule was effective on March 26, 2013, with a compliance period of 180 days, requiring compliance as of September 23, 2013.

The Omnibus Rule Summary:

  • Finalizes modifications to the Privacy, Security, and Enforcement Rules to implement the Health Information Technology for Economic and Clinical Health (HITECH) Act, proposed in July 2010
  • Finalizes modifications to the Privacy Rule, proposed in July 2010, to increase the workability of the Privacy Rule
  • Modifies the Breach Notification Rule, adopted by interim final rule in August 2009
  • Finalizes modifications to the Privacy Rule to implement the Genetic Information Nondiscrimination Act of 2008 (GINA), proposed in October 2009

Within the Omnibus Rule, HHS makes it clear that certain provisions of the HIPAA Rules are now applicable to business associates. HHS has expanded the definition of “business associate” (45 C.F.R. § 160.103) to include patient safety organizations (PSOs), health information organizations (HIOs) and subcontractors. Also included as business associates are health information entities, e-prescribing gateways, other persons that provide data transmission services or facilitate access to health records, and vendors of personal health records provided on behalf of covered entities. HHS considers this subcategory to encompass data transmission services requiring routine access to PHI and services that provide personal health records access on behalf of a covered entity. Subcontractors (or agents) that perform services for a business associate are also considered business associates to the extent their services require access to PHI. For example, a vendor providing data storage would be considered a business associate if the data included PHI. This requires subcontractors to have HIPAA compliant business associate agreements in place, and under the Omnibus Rule, business associates are now directly liable for compliance with the Security Rule. This means they must comply with the Security Rule’s requirements for (1) administrative, physical and technical safeguards; (2) policies and procedures; and (3) documentation in the same manner as covered entities. The protection of PHI falls on a wider set of requirements, and more businesses and organizations will be affected by the Security Rule and Omnibus Rule for HIPAA/HITECH compliance.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.” [excerpt from 2013 HHS press release]

Another important change should be clarified around Safe Harbor. The Omnibus Rule eliminates the Safe Harbor Status, which previously protected a covered entity from a HIPAA violation based on misconduct by a business associate, now holding all parties liable. This is very different from Safe Harbor for Breach Notification, which is still in effect if you encrypt sensitive data. As documented by the HHS: “We encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740, 42742). If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.”

To address these changes, the security experts at Townsend Security partnered with Chris Teitzel, CEO of Cellar Door Media and Drupal developer to create Key Connection for Drupal in connection with the existing Drupal Encrypt module. In order to provide secure key storage and retrieval options, Key Connection for Drupal provides a secure key management system (Alliance Key Manager) outside of the Drupal installation. Now when protected health information is collected or stored in a database it can easily be encrypted and the encryption keys properly managed. Key Connection for Drupal allows developers and users to choose whether they need to retrieve a key and encrypt/decrypt locally or to send the data to Alliance Key Manager to perform NIST validated on board encryption.

Stay tuned for our next look at data privacy compliance regulations and security best practices that impact developers and users of the Drupal CMS open source platform in regards to protection of financial and educational information. For more information about encryption and key management, download our eBook Encryption Key Management Simplified.


Topics: Compliance, eBook, Omnibus Rule, HITECH, Key Connection for Drupal, HIPAA, Healthcare

Would You Pass a Data Security Audit? - Part 2 - Q&A

Posted by Michelle Larson on Dec 27, 2013 9:28:00 AM

Still Have Questions About Meeting Compliance Requirements?

The question “Would You Pass An Audit?” was posed in our last blog and companion webinar series. We discussed compliance regulations and how protecting sensitive information is more than just a good security strategy. While the webinar title is directed at IBM i users, the content applies to almost all platforms! Hopefully you were able to watch the webinar (if not, you can request it HERE). After the webinar, a number of questions asked by attendees were answered by security expert Patrick Townsend. Here is a recap of that Q&A session:

Q: If I have my sensitive data stored off site with a hosting company or in the cloud am I responsible if they have a data breach?

A: The short answer is yes, you are. When you have sensitive data and are moving it into a cloud solution, you are still ultimately responsible for protecting that data. This can be confusing because cloud vendors make a lot of statements about encryption and compliance; however, you are responsible for your overall data protection strategy.

When looking for a hosting vendor or to move applications outside of your environment, a part of the process should be assessing their ability to meet PCI or other compliance regulations. As part of your due diligence, ask for a QSA letter of attestation from a qualified QSA auditor to confirm the security of the infrastructure of that hosting company and that they are:

  • Securing the data center to PCI standards
  • Securing racks properly
  • Placing proper controls and vulnerability scans in place for their own infrastructure

It is your responsibility to make sure your data security meets compliance regulations. Any loss will also be your responsibility, so it is worth the time to make sure you have a strong strategy in place and are using industry standard encryption and proper key management to protect your data wherever it resides. 

Q: A vendor told me that tokenizing data will make us PCI compliant. Is this true?

A: This is a more complex question to answer. Tokenization is a great technology and there has been a lot of work done in this field in the past few years. Personally, I believe it can be done well and can help you meet compliance regulations. If you are planning to generate non-recoverable tokens (when the original data does not need to be recovered) using a separate token server, that can eliminate the need to store the original data in an encrypted format. Non-recoverable tokens can help minimize the impact of regulations such as HIPAA, PCI, HITECH, GLBA and individual state privacy laws by taking the server out of scope for compliance. However, if you plan to recover the data and are consolidating sensitive information into the tokenization solution, you must make sure the tokenization solution itself is PCI compliant and using industry standard encryption such as AES when using recoverable tokens. The basic concept for tokenization is that you replace the data in your database with a token that has no value; however, sensitive data (for retrieval) has been transferred into the tokenization solution. Because all of this sensitive information has been consolidated into one place, it becomes even more of a high value target. Tokenization is very effective as long as you are using industry standard encryption within that solution and also using best practices for encryption key management. Make sure you are using a tokenization solution that integrates with a NIST validated and FIPS 140-2 compliant key management solution that will properly store your encryption keys on a designated hardware security module (HSM) and not in the same server as the pool of data.
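To make the distinction in this answer concrete, here is an added example written for this page (it is not code from Townsend Security or from Alliance Key Manager): a hypothetical TokenServer that issues both kinds of token, and a hypothetical KeyManager standing in for the separate key server. The application database keeps only tokens, the token vault keeps only AES-256-GCM ciphertext, and only the key manager holds the key. The card number is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// randBytes returns n cryptographically random bytes; a failing RNG is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// KeyManager stands in for the separate key server (an HSM, or a product such as
// the Alliance Key Manager named in the post). Only it holds the key. Hypothetical.
type KeyManager struct {
	aead cipher.AEAD // AES-256-GCM under the data-encryption key
}

// newKeyManager generates a fresh key for the demo; real deployments load it from the HSM.
func newKeyManager() *KeyManager {
	block, err := aes.NewCipher(randBytes(32))
	if err != nil {
		panic(err) // cannot happen for a 32-byte key
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return &KeyManager{aead: g}
}

// Encrypt is "on-device" encryption: the caller sends plaintext and receives
// nonce||ciphertext||tag. The key never leaves the key manager.
func (km *KeyManager) Encrypt(plaintext, aad []byte) []byte {
	nonce := randBytes(km.aead.NonceSize())
	return km.aead.Seal(nonce, nonce, plaintext, aad)
}

// Decrypt reverses Encrypt and fails if the blob or the aad was altered.
func (km *KeyManager) Decrypt(blob, aad []byte) ([]byte, error) {
	n := km.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return km.aead.Open(nil, blob[:n], blob[n:], aad)
}

// TokenServer is the separate tokenization system; Vault holds only ciphertext.
type TokenServer struct {
	km      *KeyManager
	hmacKey []byte            // secret for non-recoverable tokens
	Vault   map[string][]byte // recoverable token -> encrypted original
}

func NewTokenServer() *TokenServer {
	return &TokenServer{km: newKeyManager(), hmacKey: randBytes(32), Vault: map[string][]byte{}}
}

// NonRecoverableToken is a keyed hash: deterministic, so the same card number
// always maps to the same token, but nothing is stored and there is no way back.
func (ts *TokenServer) NonRecoverableToken(value string) string {
	mac := hmac.New(sha256.New, ts.hmacKey)
	mac.Write([]byte(value))
	return "tok_" + hex.EncodeToString(mac.Sum(nil)[:16])
}

// RecoverableToken is a random handle; the original is stored encrypted with
// the token as associated data, so vault entries cannot be swapped around.
func (ts *TokenServer) RecoverableToken(value string) string {
	token := "rtok_" + hex.EncodeToString(randBytes(16))
	ts.Vault[token] = ts.km.Encrypt([]byte(value), []byte(token))
	return token
}

// Detokenize returns the original value behind a recoverable token.
func (ts *TokenServer) Detokenize(token string) (string, error) {
	blob, ok := ts.Vault[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	pt, err := ts.km.Decrypt(blob, []byte(token))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	ts := NewTokenServer()
	tok := ts.RecoverableToken("4111111111111111") // constructed test card number
	orig, err := ts.Detokenize(tok)
	fmt.Println(ts.NonRecoverableToken("4111111111111111"), tok, orig, err)
}
```

The non-recoverable token is a keyed hash rather than a random value so that the same input always yields the same token (lookups and joins keep working) while nothing sensitive is stored anywhere. The recoverable path is where the answer's caveat bites: the vault is now the high value target, so its contents are AES-GCM ciphertext and the key lives in the key manager, which in production would be reached over an authenticated connection to the HSM rather than, as here, an object in the same process.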

Q: A vendor we are considering for key management advertises an integrated key management solution. Would this be PCI compliant?

A: Only a QSA auditor can determine PCI compliance of vendor solutions; however, being educated on industry best practices is very important.

Storing the key within the same server where the data is located is not a defensible practice, and security best practices recommend using an HSM to store encryption keys away from the data you are protecting. Best practices for encryption key management also recommend that you implement separation of duties and dual control.  I highly recommend that you look for NIST validations and make sure the approach to encryption and key management has been done correctly.
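The two practices named in this answer, separation of duties and dual control, as an added example (written for this page; it is not Townsend Security code and not the Alliance Key Manager's actual policy engine): a hypothetical KeyManager that releases a key only after two different custodians holding an approving role have signed off, and never on the word of the person who asked. The roles, user names, key ID and request IDs are invented for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is a custodian's job. Separation of duties keeps the people who run the
// key server apart from the people who use keys in applications.
type Role string

const (
	KeyAdmin        Role = "key-admin"
	SecurityOfficer Role = "security-officer"
	AppOwner        Role = "app-owner"
)

// canApprove says which roles may sign off on a key release.
func (r Role) canApprove() bool { return r == KeyAdmin || r == SecurityOfficer }

// User is a named custodian with one role (hypothetical type for this example).
type User struct {
	Name string
	Role Role
}

// ReleaseRequest is one pending request to release a key, with its approvals.
type ReleaseRequest struct {
	KeyID     string
	Requester User
	Approvals map[string]bool // approver name -> approved
}

// KeyManager enforces dual control: a release needs Quorum approvals from
// distinct custodians with an approving role, and never from the requester.
type KeyManager struct {
	Quorum  int
	pending map[string]*ReleaseRequest
	Audit   []string // append-only record of every decision
	nextID  int
}

func NewKeyManager(quorum int) *KeyManager {
	return &KeyManager{Quorum: quorum, pending: map[string]*ReleaseRequest{}}
}

func (km *KeyManager) log(format string, a ...interface{}) {
	km.Audit = append(km.Audit, fmt.Sprintf(format, a...))
}

// RequestRelease opens a request. Anyone may ask; asking releases nothing.
func (km *KeyManager) RequestRelease(keyID string, who User) string {
	km.nextID++
	id := fmt.Sprintf("req-%d", km.nextID)
	km.pending[id] = &ReleaseRequest{KeyID: keyID, Requester: who, Approvals: map[string]bool{}}
	km.log("%s requested release of %s as %s", who.Name, keyID, id)
	return id
}

// Approve records one custodian's approval after the separation-of-duties checks.
func (km *KeyManager) Approve(reqID string, who User) error {
	req, ok := km.pending[reqID]
	if !ok {
		return errors.New("no such request")
	}
	switch {
	case !who.Role.canApprove():
		km.log("DENIED %s: %s (%s) holds no approving role", reqID, who.Name, who.Role)
		return fmt.Errorf("role %s cannot approve a key release", who.Role)
	case who.Name == req.Requester.Name:
		km.log("DENIED %s: requester %s tried to approve own request", reqID, who.Name)
		return errors.New("separation of duties: requester cannot approve own request")
	case req.Approvals[who.Name]:
		return errors.New("duplicate approval")
	}
	req.Approvals[who.Name] = true
	km.log("%s approved %s (%d of %d)", who.Name, reqID, len(req.Approvals), km.Quorum)
	return nil
}

// Release completes the request only once the quorum is met. It returns the
// key ID; a real key manager would hand over the key material at this point.
func (km *KeyManager) Release(reqID string) (string, error) {
	req, ok := km.pending[reqID]
	if !ok {
		return "", errors.New("no such request")
	}
	if len(req.Approvals) < km.Quorum {
		return "", fmt.Errorf("dual control: only %d of %d approvals", len(req.Approvals), km.Quorum)
	}
	delete(km.pending, reqID) // one release per approved request
	km.log("RELEASED %s under %s", req.KeyID, reqID)
	return req.KeyID, nil
}

func main() {
	km := NewKeyManager(2)
	id := km.RequestRelease("pan-key-2013", User{"carol", AppOwner})
	fmt.Println(km.Approve(id, User{"alice", KeyAdmin}), km.Approve(id, User{"bob", SecurityOfficer}))
	fmt.Println(km.Release(id))
}
```

The point of the audit slice is that every denied approval is recorded alongside every granted one; an auditor reviewing key access wants to see who asked, who approved, and who was refused, not just the releases that succeeded.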

To help you plan your data security strategy, we’ve created a great How-to-Guide on Encryption Best Practices and you can download your complimentary copy by clicking on the link below.   

Request the Key Management Best Practices How-to-Guide

As always, we welcome your questions and comments!


Topics: Key Management, eBook, Best Practices, Encryption Key Management, Webinar

Encryption Key Management - Any Way You Want It…

Posted by Michelle Larson on Dec 5, 2013 9:23:00 AM

(That’s the Way) You Need it…

Now that you have the tune from Journey running through your head, let’s talk about how you are going to protect your data with encryption and key management.

So you have all this sensitive data that you need to secure… how are you going to protect it? What kind of key management choices do you have? How do you decide what encryption to use? How do you decide what you need, where you will put your key management device, and whether it will be hardware or virtual? In many cases, regulations require you to protect sensitive information. Beyond being a compliance requirement, it is also a responsibility to your business and your customers. We understand all those questions can be a bit daunting at first, but there are a variety of encryption key management options to choose from.

The main consideration running through each of the following factors is your risk tolerance. What kind of sensitive data are you storing? What will happen to that information if there is a data breach? What will the impact be to your company, and to your customers, if that information gets accessed by the wrong people? What are your liabilities? Whether it lives on a single PC hard drive, in a vast data center, or in a shared cloud environment, the type of information you need to protect will have a large impact on your level of risk tolerance.

Here are four factors you need to consider as you devise or revise your data security plan:

Infrastructure: Where your data lives (and which client-side applications use it) determines what kind of options you have. Is your data all in one location (on a PC or in a data center), in the cloud, or a combination? Are there requirements that would limit where your key server could be located? How will data need to be transmitted from one location to another? Once you have a clear picture of the sensitive information you are responsible for, you can move on to the next set of questions.

Compliance Regulations: If you are dealing with Personally Identifiable Information (PII), Protected Health Information (PHI), or payment card data, you have a great responsibility to protect that information and to meet the applicable compliance regulations. Depending on what industry you are in and where you live, different regulations may come into play. If you take credit card payments, you will certainly fall under PCI-DSS and be required to encrypt that data. If you are a part of, or even partner with, the medical sector, then you also need to comply with HIPAA/HITECH Act requirements for the security of Protected Health Information (PHI). GLBA/FFIEC sets regulations for banks, credit unions, credit reporting agencies, and anyone in the financial industry. FISMA applies to Federal US Government agencies and businesses that partner with them. The Federal Trade Commission (FTC) also gets involved with anyone who issues a privacy statement. On top of those regulations, more than 45 states also have their own privacy rules that strongly recommend encryption of any personally identifiable information (PII).

Availability:  Beyond just the availability of your encryption key management options, think about how many people need access to your data. What kind of security procedures do you need in order to keep the wrong people out and yet allow the right people to do their jobs? Will you have a key management system that supports separation of duties and dual control of your encryption keys?  

Cost: Your budget will also determine what kind of key management system you use. While cloud options may present a cost savings, you would potentially need a higher risk tolerance in a shared environment.  

Once you have identified your level of risk tolerance and the other factors listed, you will need to consider what kind of encryption and key management options are available to you:

Data Center - Hardware Security Module (HSM) - This is probably the most common option for companies that have their own data centers. The HSM is “under your roof” and you provide the security and IT support for the device.  

Cloud HSM -  If your data lives in the cloud and in a variety of client side applications, perhaps hosting your key server in a cloud HSM makes more sense for you. In a cloud HSM, look for two dedicated redundant HSMs in geographically diverse locations that are managed for you. Options and access will vary depending on which cloud HSM solution you deploy. With Alliance Key Manager Cloud HSM, you maintain exclusive access to your key servers.

In the Cloud -  If your data lives primarily in the cloud, you may want to go with a key server deployed directly in the cloud. Ways to make that option more secure would be to locate your key server in a different cloud environment from your data or even in a virtual private cloud (VPC). Cloud options are certainly cost-effective and easy to deploy, just make sure that you have a high enough risk tolerance for a shared environment!

I know there are a lot of questions that each company needs to consider and answer for themselves during this security planning process. The good news is that we have solutions that can encrypt your data and protect your encryption keys in all of those locations. We offer affordable and easy to deploy solutions with what we feel is the best customer support in the industry.  

Check out this complimentary eBook on Key Management, then give us a call and let’s see how we can partner together to protect your data!
 

Encryption Key Management Simplified eBook

Topics: Alliance Key Manager, Data Security, eBook, Encryption Key Management, Alliance Key Manager Cloud HSM

The Benefits of Encryption and Key Management Done Right!

Posted by Michelle Larson on Oct 31, 2013 3:41:00 PM

Make sure you don't turn a blind eye to data security!

The basic concept of converting sensitive data into a form that cannot be easily understood if seen by the wrong audience goes back as far as 500 BC (the Atbash cipher); some would even argue that a simple hieroglyphic substitution in 1900 BC was the first form of cryptography. While technology has made great advancements in recent years, it has also created an even greater need for privacy of sensitive information. Whether you are the Chief Security Officer, IT personnel, or a database administrator, you should know how your company is handling sensitive data. In fact, security is the responsibility of every business owner and employee. Not using secure passwords can lead to a data breach, just as not following key management best practices can give access to people with malicious intent. When awareness around data security reaches every department and individual, the company can not only meet compliance regulations but also benefit from effective data security. Compliance regulations require (or strongly recommend) that all industries follow best practices for encryption and key management. Do you know which of these apply to you and your company? For example, if you take credit cards for any reason, you fall under the Payment Card Industry Data Security Standard (PCI-DSS). Other common regulations are:

  • HIPAA/HITECH ACT requires security of Protected Health Information (PHI) in the medical sector.
  • GLBA/FFIEC sets regulations for banks, credit unions, credit reporting agencies, and anyone in the financial industry.
  • FISMA is for Federal US Government Agencies.
  • The Federal Trade Commission (FTC) also gets involved with anyone who issues a privacy statement.
  • More than 45 states also have their own privacy rules, in addition to the ones listed above, that strongly recommend encryption of any personally identifiable information (PII).

So, beyond compliance with regulations, why should you care about encryption… First of all, your customers, clients, and suppliers all expect you to protect their sensitive data. Effective encryption and key management can provide your company with a number of other benefits as well. Here are just a few basic benefits of effective encryption key management:

  • Peace of Mind - While hackers and identity thieves are getting smarter and regulations are getting more complex, data protection technology is also improving at a rapid rate. Encryption and key management options are now available in virtual machines and cloud environments as well as hardware security modules (HSMs). How well would you sleep at night if you kept your house key under your welcome mat?
  • Reputation - Whether information is lost due to a hacker or a hurricane, if a company loses all of its important data, the whole business could be ruined. However, if sensitive data is lost because mechanisms for protecting it are not in place, then an organization has even bigger problems. The most effective way to secure data and ensure the integrity of a company is to deploy encryption and properly manage the encryption keys.
  • Credibility - Beyond audit requirements, organizations need to consider the security of their customers' Personally Identifiable Information (PII). Being able to protect your clients with strong key management practices can add a level of trust and confidence that will help grow your business.

Mobility is also a great benefit! As more people move their data to the cloud or virtualized environments, the need for encryption increases and the importance of key management becomes even more evident. In order to maintain control over your data, and the privacy of your customers, information must not only be encrypted but kept secure while in motion, in use, or at rest. By properly managing your encryption keys, you remain in control of your data no matter who is sharing your infrastructure.

In this complimentary eBook, "Turning a Blind Eye to Data Security”, authors Kevin Beaver, CISSP; Patrick Townsend, and Todd Ostrander will teach you about:

  • Tools and resources to begin the discussion about data security in your company
  • 5 Common misconceptions about data security
  • 6 Questions to ask your CIO

Turning a Blind Eye to Data Security eBook

Topics: Compliance, Data Security, eBook, PCI DSS, Encryption Key Management, Business Risk, Executive Leadership

MySQL and Encryption Key Management

Posted by Patrick Townsend on Aug 5, 2013 11:58:00 AM

2 Ways Alliance Key Manager Encrypts MySQL Database and Protects Encryption Keys

MySQL is the most popular open source relational database system and is in wide use in commercial and non-commercial environments. It is natural that developers and security professionals want to know how to encrypt sensitive information stored in MySQL databases.

While MySQL does not implement a Transparent Data Encryption (TDE) solution like Microsoft SQL Server and Oracle Database, you still have options to get the data protected with strong encryption and use a defensible encryption key management strategy.

With a strong encryption key management solution you can encrypt data in two ways in MySQL databases to meet compliance regulations for proper encryption key management:

1. Column Level Encryption:

Alliance Key Manager provides shared libraries for Windows and Linux that support SQL Views and Triggers built on User Defined Functions (UDFs). Using these shared libraries lets the developer fully automate the encryption tasks without changes to application code. Alliance Key Manager provides an example of how to do this in a Windows Server operating system context.

2. Encryption in Application Code

Alliance Key Manager also provides many shared libraries and application code examples if you need to implement encryption in your applications. The extensive library of code examples includes Java, PHP, Ruby, Python, Perl, C/C++, C#, VB.NET and others. You can encrypt data in your applications, or send the data to the key server for on-device encryption. The on-device encryption option is a favorite of web developers who don’t want to expose encryption keys in their web server applications.

About Alliance Key Manager

Alliance Key Manager is a NIST validated, FIPS 140-2 compliant solution that meets PCI DSS and other compliance regulations for protecting encryption keys. You can deploy the key server as an HSM in your own data center or in our hosting center, or as a VMware instance, or as a cloud application running in PCI DSS certified infrastructure. Alliance Key Manager is available with a number of licensing options that will meet the budget constraints of any organization.

Download eBook: "Encryption Key Management Simplified"

Topics: Alliance Key Manager, eBook, Encryption Key Management, SQL Server